I can’t run TfL Go, London’s public transport app, because my phone does not pass Google’s attestation. This is very annoying, but at least it’s only public transport. Most banks in the UK are less strict, perhaps complaining that their checks don’t work, but ultimately letting you in under protest.[1] Not everyone is this lucky.
Apart from annoying me personally, this raises a question for those of us who care about software freedom: Are we trying to make it possible for people to use free software as a hobby, or are we trying to make depending on free software a viable way to live? Is it enough that someone can install a third-party OS on a spare phone that doesn’t do anything important, or do they need to be able to run whatever software they want to on their main (perhaps only) device without being locked out of chunks of society?
If it’s the former, I have good news: we won! You could download a bunch of free software today and sail to an uninhabited island and use a new free program every day for the rest of your life. Isn’t winning great?
If that doesn’t sound satisfying to you that’s probably because it’s missing the point completely. Software is now integral to our lives. The ability to exercise some control over that software is vital, both for protecting your privacy and security and for more down-to-earth reasons like squeezing a few more years out of obsolete devices.
So I find the software-oriented approach somewhat limiting. We need the ability to run free software in a lab environment, but equally importantly we need to be able to do things with it.
Here’s the problem: to have free software mediate your access to your own digital existence, it is all but inevitable that software will have to lie about its own nature. From banks to tube maps to instant messengers, all kinds of services have all kinds of incentives to restrict your software choices.[2] The only realistic way around this is for third-party clients to impersonate official ones.[3]
A strong attestation system makes it impossible for third-party clients to impersonate official ones.
If Mullvad can prove to me that they’re running the server stack they say they are, great, but that implies you can prove to your bank that you’re running the client stack you say you are. I can’t prove that to my bank, so I’m living on borrowed time.
If you accept “doing online banking” and “checking train times” as purposes, attestation is an existential threat to software freedom. It has already divided phones into locked-down capitalism delivery vehicles and useless toys. Please stop trying to bring it to PCs.
1. According to a friend in the industry, this is because UK banks are required by their licence to let you access your money. But I’ve also heard of banks blocking rooted phones, so I’m not sure exactly what the deal is.
2. And yes, those services are themselves not free software, and I don’t love that. But one problem at a time. It’s easier to replace non-free services when people aren’t locked in by non-free clients.
3. One could put all one’s eggs in the regulatory basket, I guess, but I don’t think this is a problem regulators are motivated to solve.