Hardware Attestation as Monopoly Enabler

Attestation as Monopoly and Control Tool

  • Many see hardware attestation (Play Integrity, App Attest, Pluton, etc.) as turning general-purpose devices into gatekept platforms controlled by a few vendors.
  • Concern: banks, governments, and identity wallets are moving to require attested iOS/Android devices, effectively tying access to core services to the US mobile duopoly and enabling hardware-based discrimination.
  • Attestation is viewed as “web DRM”: even if you can install other OSes, they become second-class citizens or completely blocked.

Security Value vs “Security Theater”

  • Critics argue “approved” ≠ “secure”: uncertified systems (e.g. hardened Android forks, desktop Linux) can be more secure than attestation-passing stock phones.
  • They note practical bypasses (physical attacks, malware gaining root after boot, fake banking apps) and that many insecure, unpatched devices still pass attestation.
  • Defenders argue institutions likely see strong fraud correlation with “unapproved” devices, analogous to fare-gate stats: blocking them is a cheap, high-ROI risk reduction.

Impact on Users and Open Alternatives

  • People report already being excluded (e.g. by reCAPTCHA loops, WhatsApp-only groups, app-only ordering, ID-wallet requirements), leading them to drop services or ride alone.
  • Network effects make “just build an alternative web/service” mostly unrealistic; clones lack users and vendor APIs.
  • Dual-boot or side OS ideas are criticized as breaking secure-boot chains and still failing attestation.

Government, Law, and Democracy

  • Strong sentiment that this is a political, not technical, problem: law is needed to outlaw hardware/software discrimination or mandatory DRM, rather than micromanaging silicon.
  • The EU gets both praise (DMA/DSA, killing ChatControl—for now) and harsh criticism (EUDI wallet depending on Google/Apple attestation, age verification, perceived capture and lobbying).
  • Debate over whether democracy can effectively counter corporate power vs. systemic corruption/incompetence and voter apathy.

Cryptography, TPMs, and Identity

  • Dispute over whether asymmetric crypto is to blame; most say it’s neutral and foundational (HTTPS, SSH) and that misuse is the issue.
  • TPMs and secure enclaves are seen as valuable for user-held secrets and passkeys, but dangerous when the root keys and attestation are not under user control.
  • Various proposals: independent/non-profit attestation authorities, external smartcards, anonymous/blind-signature-based attestation, or state-backed “soul-bound” identity keys—often rejected as either impractical, centralizing, or easily subverted.

What To Do

  • Suggested responses: switch to banks/services that don’t demand locked devices, support open OSes, push regulators (DMA complaints, letters to EU/US reps), join digital rights groups, and publicly frame the issue as property rights and anti-monopoly rather than niche “hacker” concerns.