lbschenkel
Now my commentary as a citizen and not just as a developer.
Since we're talking about government apps here, should we really always choose what's easiest for the developers or what's easiest for the users? Who should the government agencies be serving, first and foremost: their employees, Google, or the citizens?
We all know it and we have all seen it: the app starts as a nice add-on, completely optional. Citizens can still do it the non-digital way, or use the website (some things can only be done online from day one). Then some services start showing up only on the app. At some point the old ways get removed, because the new way is more "modern" and "efficient".
Or, at some point, they enforce 2FA authentication via the app, or require some "gold" level in your account, and now users are forced to use the app or there's no more gov.br for you.
And because of enforced Play Integrity, now they're forced to use a whitelisted mobile device, are forced to have a contract and account with a foreign entity (Google) in a foreign jurisdiction and accept their TOS, all this so you as a citizen can interact with your own government. And you pray to this foreign entity to never ban your account for life without any recourse (which can and does happen), or you become a de facto non-citizen.
It's even worse, because as a Brazilian citizen you have obligations such as paying taxes, voting, and all sorts of other things that are now requiring gov.br accounts. This is not optional. This is the government mandating that I have such an account, and by proxy mandating that I must have an account with a foreign entity since without one I cannot use the government app.
Plus I live abroad. Historically Brazil has been awful at accommodating non-residents. From this perspective, the digital government services are often a life-saver, because as you know yourself Brazil is an extremely bureaucratic country and there's all sorts of paperwork you must procure at certain points. Being able to do this digitally is a blessing.
Let me just give an example: assume you need your birth certificate. As a foreigner, I can use registrocivil.org.br to order a new copy and pay with a card. I can only do that with a gov.br account. If I can't use gov.br because of artificial restrictions, I can't use the website, so now I need to contact the cartório (notary public) directly by phone or e-mail (assuming they respond, many don't) and somehow pay them (they only accept cash, pix or "boleto"; if you're a non-resident none of these choices work for you) and pray they provide a digitally signed version over e-mail, otherwise you also need to find a way for someone to help you (because they don't ship abroad, so you have to ship to someone who will resend it to you).
Why would you need a birth certificate? Well, for many things, but without one you don't renew your passport, for one. And when you live abroad, it might not even be legal for you to be walking around the street as a foreigner without your passport. Oh, and what else do you need to renew your passport? A gov.br account, of course, so you can fill in the forms online and also schedule the appointment with the consulate.
Scope creep will and does happen. Wait a bit and suddenly every single thing you must do requires the gov.br account, and by proxy the mobile device and the relationship with Google. You said yourself, everything developed by SERPRO (all the federal government services) will enforce Play Integrity because that's the policy.
This is not how the government should serve its citizens, in my opinion. First of all, you must not be forced to deal with a foreign entity just to interact with your own government. It's just wrong.
This is stupid even from a geopolitical perspective. It's not even theoretical, it's happening right now: you're already seeing the US government abusing the Magnitsky Act and imposing restrictions on Brazilian citizens for political/ideological reasons (supreme court judges, government ministers) and adding them to the OFAC list. The US government is one request away from enforcing that US big tech also starts blocking the accounts of those people, and then we're going to be in a situation in which the Brazilian government will deny services to Brazilian citizens because it mandates that a US company (following US law) give its blessing first. How does that make any sense?
And what's sad is that there's no technical reason to force that relationship to happen. Of course Play Integrity can be used as another signal, and it will be a strong signal that will satisfy the 80-90% case, but it cannot be the only signal. There must always be a way for citizens to be able to do so via a website and open technologies, without forcing an ongoing and good-standing relationship with a corporation (even worse: a foreign one).
We're talking about government services; many of those are not optional. And they must be inclusive, not exclusive. This is not a commercial enterprise that can pick and choose what clientele it wants to serve. It's the government. Doing it even for the 99% and letting the 1% fall through the cracks results in services unavailable for 2 million people.
Speaking as a developer now, we have the moral obligation to do what it takes to make government services as inclusive as possible. It's not just picking the easiest road and saying "well done" and washing our hands. This is a public service. We must take all the steps to avoid imposing any artificial restrictions and avoid leaving anybody behind.
P.S.: To be fair, this analysis and criticism can be applied to many other countries, not just Brazil. It's a very disturbing trend.