alt Hacker NewsOh I see your confusion. It is not trying to prove it's not cheating with the UI (or remote control, or ...) to the owner of the phone. It's proving to the owner of the website (or app, or SIM, or ...) that it's really the user agreeing to the contract on the screen. Or, more to the point, it's proving it to courts after the fact so they'll convict the owner of the phone rather than the business or government.
The scenario it would prevent is that a government gets a filled in form with someone requesting unemployment benefits, or reimbursement for a medical procedure on account X ... and then government finds out after payment, later, in court, that the owner of the phone never agreed to it and it needs to pay it out again (because the claim, true or not, that a scammer initiated the payment agreement in some way rather than the owner). Same for business and agreeing to a loan and ...
It is NOT to protect you, the owner of the phone, against scammers (it does not really do that at all), it is to protect companies and especially governments AGAINST the owner of the phone. It is a way to fire most EU government employees by allowing automation that currently can't work because you can't legally trust phone and internet automation to be binding in court.
Replies
Do you imply that google can prove such a thing or it's just a security theater for (((compliance)))? AFAIK attestation attests hardware, not software, but hardware attestation is self contained and doesn't require any remote cartel permission, cf yubikey attestation.
The argument here is kind of hard to follow. Who is the "owner" of the phone, "the user" is also mentioned and it is not clear if these two are the same. Is the owner of the phone in the controlling-software sense, Google, or is it the end user? Both fits, and both are commonly used.
Because if it is the end user, the strong version of the argument would be as follows: The end user signs a document, baked in is an attestation that Google guarantees that this device is an approved Android device with a clean boot chain and a Chrome web browser. Then the end user contests the signature in court, either because they didn't understand what they signed, or they did not sign it at all, or did it under threat. How could the attestation help here?
I do not have experience with all EU countries, of course, but more than one, and nowhere is this an issue today. Countries use a wide variety of electronic identification, from soft certificates and mobile phones to smart cards. But as far as I know, all countries accept signatures made even with normal Windows PCs. You can contest a signed document in court for a multitude of reasons, but that's not specific to electronic signatures.