I mean, Durov has been trying to push for Russian puppets to get elected in Romanian and Moldovan elections, by pushing to everyone (at least in Romania, he might've just posted on twitter for Moldova) that the French government is trying to interfere in the Romanian elections. I mean, it turns out, Russia was, on behalf of the candidate he was talking about... so take from that what you will.
Oh, yeah, and he calls himself DuRove now. Hats off for that one, but I hope he rots in prison for advancing the Russian agenda.
I'm sure you're very familiar with the politics of both countries, but tell me...
How is Nicusor Dan a puppet of the EU? More than Calin Georgescu? The guy who actively tried to stage a coup? More than George Simion? Granted, there's no PROOF he's a Russian puppet, but he's a far right twat that has views friendly to Russia.
How is Maia Sandu and PES a puppet of the EU? And... let's look at BEP. Voronin, Russia friendly ex President, he was very against Moldova trying to get closer to the West. And Dodon? The guy who is being indicted for treason, who's a friend of Plahotniuc (he stole 1 billion dollars from banks and fled the country)? Yeah, sure, puppets of the EU, vs corrupt fucking puppets of Russia.
I know it's easy to look at this stuff from the outside and say, oh, yeah, the EU is interfering in elections, but there's a lot of history here that you obviously don't have. I like Maia Sandu more than Nicusor Dan (his positions on gay rights were disgusting a while back, he now just stopped talking about them), but compared to the obviousness of the Russian support for their opposition, I think the fact that the EU supports them is just insignificant.
Durov had long claimed he was in exile from Russia and couldn’t return and that he was a UAE/French citizen. then records leaked that showed 120 border crossings from 2016-2021 and that he still held a Russian passport. One such border crossing was a flight from St Petersburg on June 18, 2020 which happens to be the same day that Telegram was unblocked in Russia… Lots and lots of smoke..
You know I didn't use to understand libertarians, but after years of watching boundaries being overstepped again and again I think I see the appeal of burning it all down and living in a cabin in the woods.
Like, in Europe we already live in a completely safe society in historical and geographic terms, what more do you fucking want? Security is beyond a laughable excuse for things like chat control. Power tripping elitists will never be happy until they have the entire population under 24/7 camera surveillance and can read every thought in our heads as it occurs. If you make crime impossible, you make free will impossible.
The same reason there's only more regulations being piled on top of previous ones. Sadly only wars and similar catastrophes work as reset buttons for these things historically. A peace as long as the current one is somewhat of an untested ground
It’s important to defend libertarian values even when things are good. Small violations of civil rights have a tendency to stick around and snowball into something worse.
I'm talking about our society internally, not potential external attacks on it. It's reasonably high trust and crime is rare outside a few outlier cities. We could not be further from warranting these sort of fascist style crackdowns. Ironically yes we could be spending funding used for domestic surveillance and bureaucracy on buying more Himars.
HN title: "France threatens GrapheneOS with arrests / server seizure for refusing backdoors"
LQDN: "Dans ces articles, la cheffe de la section cybercriminalité du parquet de Paris – à l'origine de l'arrestation de Pavel Durov – menace également les développeurs·es de GrapheneOs. Interviewée, elle prévient qu'elle ne s'« empêchera pas de poursuivre les éditeurs, si des liens sont découverts avec une organisation criminelle et qu’ils ne coopèrent pas avec la justice »."
In the (very short) linked article: No mention of arrest, server seizure or backdoor, and a more nuanced take. Loosely translated summary: Some users have a legitimate need to protect their communications. IF we find links with criminal organizations AND there is no cooperation, then we might take action. They're specifically taking the approach of a case by case hack of single phones which might cost up to a million euros. Is this an issue if there's a warrant?
France has made it clear they expect to have a backdoor in end-to-end encryption apps and disk encryption. They've been saying that it's unacceptable not to have a backdoor in a bunch of these news stories they've gotten published by contacting the media. They've said if we don't cooperate with that, they'll take similar actions against us as they did SkyECC and Encrochat meaning hijacking our servers and trying to have us arrested.
Le Parisien has 2 articles about this, not only one, and https://archive.is/UrlvK is one of the places they talk about going after us if we don't cooperate with providing them access to devices. It's not possible for us to provide an update which bypasses the throttling for brute force protection so what they're asking isn't even helping them break into specific devices but helping them compromise security for everyone in anticipation of rare cases of criminals using devices. https://news.ycombinator.com/item?id=46038241 explains lack of technical ability to compromise security after the fact. Titan M2 is specifically designed with insider attack resistance so that Google making an update disabling the brute force protection won't be accepted by the secure element without the Owner user successfully unlocking first. We don't have the signing key for the Titan M2 firmware anyway. This is part of our required hardware-based security features which we're working on providing in a Pixel alternative with a major Android OEM working with us right now. We talked to them about the France situation already and it does not negatively impact our partnership. It may be a good idea to speed up an official announcement with them to counter the narrative being pushed by France's law enforcement agencies now.
I appreciate the answer and the work on GrapheneOS! It seems there's a lot of work going on with the QPR1 release and this French matter doesn't make things easier for the team. Good luck!
To be fair, the quote in the second article is from Johanna Brousse who is behind the Durov arrest.
> "Mais ça ne nous empêchera pas de poursuivre les éditeurs, si des liens sont découverts avec une organisation criminelle et qu’ils ne coopèrent pas avec la justice."
> “But that won't stop us from prosecuting publishers if links to a criminal organization are discovered and they fail to cooperate with the justice system.” (DeepL)
I understand this can be seen as more threatening even if the whole quote softens this a bit.
What is cooperation? How are they supposed to unlock the phone?
Unless you're saying 'compelled to use their private keys to publish an update' or something along those lines, in which case I would say the original headline is correct.
It does appear to be what they want from us, but it's not possible to bypass the Weaver disk encryption throttling via compromised OS updates or even secure element updates. It's fully not possible to bypass the security of a strong passphrase, which we encourage via optional 2-factor authentication support for fingerprint+PIN as the main way people unlock to make using a passphrase as the primary lock method after booting or 48h timeout much more convenient.
That doesn't offer a way to bypass disk encryption for data protected by the per-profile lock method. GrapheneOS cannot bypass the brute force protection implemented by the secure element. Google cannot bypass the brute force protection either because they designed the Titan M2 to require the Owner user successfully unlocks in order to update it. Weaver + insider attack protection for the secure element are among our hardware security requirements (see https://grapheneos.org/faq#future-devices for a list) which are being implemented by an OEM we're working with to provide a Pixel alternative. Weaver has a table of user authentication tokens mapped to random tokens used as part of the final key derivation. The authentication token is made with a hash of the initial key derived from scrypt, then the final key derivation in TrustZone combines both with hardware-bound key derivation to get the key derivation key. Weaver implements very aggressive time-based throttling. We have the original delays documented at https://grapheneos.org/faq#encryption but it ramps up faster now.
Aside from that, people can use a strong diceware passphrase on GrapheneOS due to us massively raising the character limit from 16 to 128. This is far more usable on GrapheneOS because people can combine it with fingerprint+PIN secondary unlock instead of fingerprint-only secondary unlock. 5 attempts are allowed for fingerprint unlock and the 2nd factor PIN being entered incorrectly counts towards that so even a random 4 digit one works well. That's convenient to use with the passphrase only having to be entered 48h after the last successful passphrase unlock and after reboot.
We also won't do it and cannot be forced to do it under Canadian laws. France's laws are going to be as relevant to us as North Korean laws once we've finished replaced our OVH servers in Beauharnois, Canada with a Canadian provider. France could currently force OVH to mess with our static website or mail server but we haven't done anything illegal so it would be outrageous and a diplomatic incident due to violating Canadian sovereignty during a time period when foreign server hosting companies being subject to foreign law is already in a recent news cycle. We're not waiting around for them to hijack our website though.
Is it safe to assume, then, that Google and Apple already have backdoors in their operating systems as likely requested by many governments around the world (not least of which the one from their home country)?
Or is GrapheneOS the only one built securely enough to need to be leaned upon?
Either way, makes Google and Apple look bad and/or incompetent and GrapheneOS look like some kind of beacon of user protection / privacy rights / other things that are the opposite of the direction the world seems to be moving.
Every time I travel internationally I immediately get notifications for Android OS updates. I'm pretty sure they are for satisfying local regulations about the phone's behavior, including the topic at hand.
Interesting. I have never seen anything like that in many years of frequent travelling while using Android. Which countries did you see this in? And are you using stock Android or some vendor's version?
I'm currently abroad with a notification for "November Pixel Drop update available" that appeared the day following my arrival. I believe I had already installed the November update back home earlier in the month. Every time I go back home, a couple of days later I get an update too.
I'm not claiming to know of any foul play, but it has happened several times, enough for me to notice. If it was related to time of the month, it wouldn't be as consistent. It might be that you need specific combination of phone, configuration and network provider for this to happen. Maybe I've been p0wnd, but I've noticed this behavior since at least the Nexus line.
Apple has already taken the US government to court and forced them to back down after the FBI demanded that they insert a backdoor into iOS.
> In 2015 and 2016, Apple Inc. received and objected to or challenged at least 11 orders issued by United States district courts under the All Writs Act of 1789.
This year, Apple took the UK to court and announced that they would strip encryption features from UK users before they would give in to UK demands for an encryption back door before the UK backed down.
If Graphene has the money to do so, they should fight it out in the courts.
It likely not due to any backdoors present, more so due to weak default setting plus alternate routes to the data. Things like backups being unencrypted either by default or when uploaded to the cloud. you don't need to ask for a backdoor if most users don't have encryption enabled.
Additionally, I would assume/guess that if it's some kind of coordinated campaign involving media then there is no law to compel GrapheneOS to do this. If they're was a law then that would be the pressure, as opposed to media articles.
What that then implies is a campaign to convince the public a law is necessary, ie. they're already laying the ground work for support for the next version of a Chat Control bill.
Of course the likes of Apple and Google are complying with lawful orders from the governments of countries they do business in.
Businesses that don't generally cease operating in said country. LavaBit was a highly visible instance of a business shuttering itself instead of complying with such lawful orders.
That's also the ploy of basically every VPN provider out there. They say they don't store or give out data, but they still adhere to lawful requests. That necessarily includes requests from countries where they legally offer their service, even if their HQ is in some country with lax legal frameworks. It also means, if there is a legal way to coerce them into recording your data or handing it over, they will do so.
They also mentioned they only respond to court orders (ie. not just because the cops asked nicely), will try to appeal as well. That's better than most ISPs, who would either give up data without a court order, or won't bother appealing.
The problem is that there may be perfectly legal gag orders (issued by a court) that force them to comply to normal police requests - and you would never even know. NordVPN in particular removed their warrant canary without informing their users and only gave some retroactive PR answer when people rightly started to freak out.
The simple truth is that if a VPN provider hasn't been shut down by authorities after more than a year (like VPNLabs was), then they are basically guaranteed to be giving out your data to authorities at this point. The legal situation in most western countries does not allow complete online privacy for normal, law-abiding citizens.
I seem to remember the FBI attempting to compel Apple to decrypt a criminal's iPhone, only for Apple to refuse and claim that it wasn't possible. I'm not sure exactly what happened after that. I think it was suspected that the NSA was able to do it by exploiting an unpatched zero-day. So they didn't need Apple's help anymore and the issue was dropped from the public's eye.
1. Apple can and does comply with subpoenas for user information that it has access to. This includes tons of data from your phone unless you're enrolled in Advanced Data Protection, because Apple stores your data encrypted at rest but retains the ability to decrypt it so that users who lose their device/credentials can still restore their data.
2. Apple has refused on multiple occasions, publicly, to take advantage of their position in the supply chain to insert malicious code that expands the data they have access to. This would be things like shipping an updated iOS that lets them fetch end-to-end encrypted data off of a suspect's device.
Not to mention, while apple will publically deny it, there are government agents working undercover at every major tech firm. They may or may not know. They certainly exist.
And of course Apple is quite right not to miss the marketing opportunity, on behalf of the shareholders. While acquiescing to lawful demands of course.
I don't remember Apple ever saying that it was impossible for them to do it, just that they didn't want to.
It was always kind of assumed that they could, by eg signing a malicious OS update without PIN code retry limits, so the FBI could brute force it at their leisure, or something similar.
They said it was impossible for them to build a backdoor into iOS that would only be accessible to legal requests from law enforcement, which is true in the strict sense. So law enforcement bought a vulnerability exploit from a third party.
They successfully argued in court that being forced to insert code the government wanted would be equivalent to compelled speech, in violation of the first amendment.
As the Feds often do, they dropped the case instead of allowing it to set a precedent they didn't want.
> They successfully argued in court that being forced to insert code the government wanted would be equivalent to compelled speech
This isn't true, they never "successfully argued in court". There was never any judgement, and no precedent. They resisted a court order briefly before the FBI withdrew the request after finding another way into the device.
There wasn't judgement because the Feds dropped a case that would set a precedent they wanted to avoid.
Since there is longstanding legal precedent that corporations are people and code is speech, forcing a corporation to insert code that the US government demands is a violation of the first amendment.
If you follow the things that have been disclosed / leaked/ confirmed when they’re 20+ years out of date, then yes the probability this is true is significant.
I recall there being a little more substance to it at the time. But looking back from where we are now, that is a succinct way of describing its results.
That being JTAG debugging. Now there are greyhat groups discovering what they can do with it beyond bypassing the PIN at power-up. Honestly surprised phones are not being sold/marketed as having that disabled on both bluetooth and USB.
Google and Apple were infamously official data providers[1] of the NSA's illegal and unconstitutional (as ruled by a federal judge[2]) warrant-less surveillance program (PRISM[3]) exposed by Edward Snowden.
It's safe to assume that software provided by every large, publicly-traded, for-profit technology company incorporated in the USA cooperates extensively with US intelligence agencies, and therefore by extension, the "Five Eyes" alliance, at a minimum if not also the "Nine Eyes" and "Fourteen Eyes" alliances [4].
I don't think they are highly concerned with people installing their own OS on desktop machines, that's still a fringe group. And most of us are using smartphones too. Also there are likely other trivial exploits like CUPS which was preinstalled and enabled by default on desktop linuxes.
> As of 2018 through an initiative sometimes termed "Five Eyes Plus 3", Five Eyes has agreements with France, Germany, and Japan to introduce an information-sharing framework to counter China and Russia.
Yep. That’s the implication, and it’s disturbing. It also implies the US government knows - otherwise why wouldn’t they use their influence to put an end to this?
Not really. It's one thing trying to bully a relatively small FOSS project, it's quite something else to take on one of the world's biggest companies that can afford a literal army of lawyers and that also has the power to have the US government intervene on their behalf.
Actually, in some ways, it is easier to bully large companies - because those companies are less flexible in avoiding confrontation with the authorities in a certain state. For Google to avoid having a legal presence in France is much harder than for the GrapheneOS project to do the same.
But - valid point regarding having the US government intervene.
you’re getting the logic wrong. i’m absolutely sure apple and google have direct cia backdoors. that’s what Snowden taught us and it would be delusional to think the world has changed. The bigger the company = tighter the link with power
The article is kind of interesting: on the one hand, you’ve got a tool that can be used by ordinary citizens and political dissidents for legitimate reasons. On the other, the French police were mildly inconvenienced during their arrest of a small-time drug dealer.
Following the propaganda of the ministry of interior, several articles were published in press about GrapheneOS, which is described as a solution for criminals because it allows to hide things.
La Quadrature du Net [similar to the FSF with regard to defending users' rights] argues that the purpose is of course not cybercrime, but to secure and protect the privacy of its users.
The head of the anticybercrime brigade of Paris threatens of suing the developers of GrapheneOS if connections with organized crime were to be found.
The government has repeatedly tried to extend cyber-surveillance previously. They are trying to use a law designed to fight drug traffickers in order to enforce backdoors in services that use cryptography, such as Signal or WhatsApp, without any success for the moment.
---
So, it's a threat before having a proof. They also mention the arrest of Pavel Durov, who was arrested because Telegram failed to answer legal requests, which was then constructed as complicity with criminals using Telegram, but that's obviously a very different case.
But of course, if they succeed in forcing backdoors, criminals will just use other ways to communicate (doesn't matter if they are legal or not because, well, they are criminals...) or tricks; for instance, back in the day when (analog) phone calls could be wiretapped, they were already using code words. They could use e.g. steganography tomorrow.
But we will be left with backdoors that are an unacceptable compromise on security and privacy. This is a recipe for dystopia considering that far-right parties are getting stronger in Europe, including France.
Oh! It's about drug trafficking. Then I have nothing to hide. Please root and backdoor my phone. And also give the keys to all the hackers around the world...
I like grapheneOS. Their have a clear focus and that should be respected. However, all that drama about e/OS they are creating and claims about fascist law enforcement are a bit over the top IMHO.
I think your devices should have government-mandated backdoors if and only if you are a public servant. I don't understand why private citizens are held to higher standards of conduct than politicians and cops.
I've been saying this for years: the more power you have the higher standard you should be held in. In most societies on the planet it's the other way around.
Everyone agrees with this obviously but it's like saying that we should be able to levitate or live in utopia. It's almost a law of nature that the types that become powerful are not your most savory individuals and will use the power to reinforce their positions.
We have tons of different systems for accumulating power all over the world. Corporate structures, democracy vs autocracy, etc. In each of those societies, we see different types of leaders on a sliding scale of savoriness.
My point is that clearly there are some forms of governance which result in more savory people and so you can argue that it's the systems that define the outcomes rather than any "law of nature".
It's a law of nature that they will _try_.[0] That's why people should always have ways of defending themselves, whether it's with courts or guns.
[0]: This is not a figure of speech - many anti-social traits which result in NPD, ASPD and their subclinical versions[1] are genetic. There is literal evolutionary pressure to exploit others.
[1]: Meaning the trait is sufficiently pronounced to be harmful to others but not enough to be harmful to the person having it so it's not diagnosed as a disorder.
I've been saying this too but lately I think the fundamental notion of power is wrong. There's 2 perspectives which are 2 sides of the same coin:
---
All social relationships should be consensual.
This means based on _fully-informed_ consent which can be revoked at any time.
This already marks employment as exploitative because one side of the negotiation has more information and therefore more bargaining power. Not to mention having more money gives them more power in a myriad of other ways (can spend more on vetting you, can spend more on advertising the position than you can on advertising your skills). Just imagine if people actually had more power than corporations - you'd put up an ad listing your skills, companies would contact you with offers and you'd interview them.
Citizenship is also exploitative because you didn't willingly sign a contract exchanging money (taxes) for services (protection, healthcare, roads, ...), in most countries you can't even choose which services you want to pay for. And if you stop paying, they'll send people with guns to attack you. This sounds overdramatic (because it's so normalized) until you realize from first principles that is exactly what it is.
_If democracy is supposed to mean people rule themselves, than politicians should be servants which can be fired at any time._ In fact, in a real democracy, people would vote on important laws directly and only outsource the voting to their servants about laws which don't affect them much, or they'd simply abstain.
---
Power should come from the majority.
This should naturally be true because all real-world power comes from violence and more people can apply more violence (or threaten it, when violence is sufficiently probable to be effective, it usually does not need to be applied, the other side surrenders).
But people who are driven to power have been very good at putting together hierarchical power structures where at each level the power differential is sufficiently small that the lower side does not need to revolt against the upper side. But when you look at the ends, the power differential is huge.
Not just dictators, "presidents" or presidents but "owners" and "executives" too.
You don't truly own something you can't physically defend. When you as a worker finish a product, you literally have it in your hands. You could hand it over to a salesman and you'd both agree on how to split the money from selling it. But instead, you hand it over to the company (by proxy its owner) which sells it and gives you your monthly wage irrespective of how much the product made. The company being free to fire you or stop making the product obviously makes more money then you - it's an exploitative relationship.
But why do you hand it over? Because if you don't, they'll tell the state and it'll send people with guns to attack you.
---
Bottom line is if people had equal bargaining power ("equality"), then if they chose to temporarily give "power" to someone in one area, they'd obviously take away their "power" is some other area. Why? Because they'd know if they didn't, the more powerful person would use this power differential to get even more power, and so on, starting the runaway loop we have here now.
If someone claims to be "representing" me (whatever the fuck that means)...
...even more so if they are "representing" me alongside millions of others, i.e. in a very abstract sense (what do a million people have in common? everything and nothing)...
...and especially if the "representation" is concluded in "winning" a ritual bureaucratic gauntlet which gives you the right to send organized murderers after exactly the people whom you fail to "represent"...
...then it sure sounds like we all deserve instant access to a real-time sub-second, molecular-level feed of your entire present existence before it's anywhere near a fair bargain and not a totalizing coercive arrangement.
Granted, this sounds a little unfeasible from a technical or security perspective.
Although if the global media capacity was redirected to doing primarily this, instead of inventing ever fancier narratives to distract people from paying attention to the circumstances of their own lives, it just might be able to handle the full surveillance of a few thousand global volunteers: the real exemplary humans who set the real standards in real dialog with the entirety of sovereign society. Governance by inverse big brother. Sure gonna be cheaper than all the effort that goes into convincing every subsequent generation that "democracy" is what's going on...
Alternatively, that entire exercise can be sidestepped by Dunbar-compliant representation, i.e. let's introduce a pervasive social norm that dictates the following: (1) nobody has the right to represent more than their 100 closest people in the world (2) representation doesn't stack to form multi-tiered institutions - representatives only connect horizontally in a territory-spanning mesh. so if N * 100 people vibe with your idea you'll have to either split your personality N-wise (doesn't go very far with current theories of mind) or give N-1 people the right to their own interpretation of your idea to communicate with 100 others.
I think they tried that about 100 years ago and it worked well enough for organized metasubversive parasites to core it and wear its husk for the better part of a century. Maybe if it was started less overtly in the first place it would've worked better. But cosplaying German Idealistm to your pet serfs cosplaying worker's council doesn't really leave space for a whole lot of subtlety. If you're interested in the workings of power this is commendable, there is much to learn from just the last 150years (which are relatively well documented). They're such a cause-and-effect pinball; but like and subscribing to any of those ideologies just lets the ghost of the ball drag you along. Kinda sad that they're one of the things the Net died into, no?
Even then the backdoor should be on their government device and not the personal devices.
Note that having their personal device when doing government work should be prohibited (that is you can't have it in your pocket when working). As is using your personal device for anything government (other than a formula check your government device call/text - employees should be regularly tested that they report any government communication that doesn't follow the formula)
> devices should have government-mandated backdoors if and only if you are a public servant
This would be an intelligence bonanza.
Better: mandatory, encrypted logging. Officials maintain the keys. When they leave office or are subpoenaed, they have the means to grant access. (If they can send and read their messages, they have the keys.)
And ideally an illustration to those in power why backdoors are never a good thing. They won't care if it's not happening to them. But if their devices are suddenly incredibly insecure due to their backdoors, they might just rethink the concept entirely.
We do have things like the Freedom of Information Act in the US, and I think a lot of European countries have similar laws. Yes it isn’t perfect and could be enforced more evenly.
But obviously, if you work for the military there is information that needs to be kept secure…
Backdoors exist for everyone or they exist for no one, this technology isn't one that has room for a gray area to debate. If it can be deployed to public servant devices, it can be deployed to your device.
Only if they're using the same devices everyone else uses. If they're required to use a certain kind of hardware, or they're required to submit their device for hardware modification, this stops being an issue, doesn't it?
That is totally not true. They can be forced to install an app on their device that creates the backdoors. Companies do that all the time. An OS doesn't need to have backdoors built into it for backdoors to be added to it. Kinda the point of an OS is that it is general purpose.
Logistically, when you combine private citizenship with government you get corruption problems because incentives are so misaligned.
In fact private citizenship combined with government is the origin of corruption. Think about it, as a government official your incentive should be to preserve order, fairness and honor. As a private citizen your goal is to optimize the amount of money you make via business or employment through whatever means possible. That means exploiting loopholes and possibly when no one is looking, breaking the law.
The incentives are orthoganol and it does make sense to have a different set of rights and rules for government officials and private citizens. The minute you take the attitudes of private business/citizens into the world of government you get people creating rules that are corrupt.
> As a private citizen your goal is to optimize the amount of money you make
Ok.
I'm interested in why you think this is the goal of citizens (but not of government).
To be clear: I don't believe this should be the goal of government. I don't really understand why this should be the goal of citizens. I've emphasised the term "should" here, which is a somewhat odd moral term in general, but if we're applying a "should" to government to differentiate them from private citizens, there needs to be a symmetrical. Optimizing individual wealth is certainly an emergent goal of specific individuals, but I can't think of a reason to broadly apply a moral "should" to this goal. If we're optimising for positive outcomes at a system/global/community level (which is generally the intent of wanting a functional government), then encouraging citizens to hoard wealth has not tended to be (positively) contributory to such outcomes.
This is the definition of capitalism. The system is set up this way. Of course as a human you're not completely embodied by the system and you clearly have beliefs and philosophies different from the "system".
But you cannot deny that you as an individual are HEAVILY influenced by the system can culture you live in. Status is equated to those who have the most money. Regardless of yourself as an individual, in aggregate this is how people behave and a good basic universal model that predicts behavior. But additionally outside of culture, the logistical reality of the society we live in is that money is the basis of survival. All of our morals and philosophies are thrown out the window the minute when we are poor or if we have no money and we do need money to buy food to eat. So money and business is not only a status thing but it forms the basis of survival as well.
This is not about your beliefs or morality. This is about the practical reality. In addition to this, capitalism so far is the the only known effective system to create modern economies of scale. We tried to make things fair, ideal and utopian with communism, but, practically speaking, we haven't seen it work.
I'd argue the incentives of elected government and private citizens are even more misaligned than "private" ones.
Elected government official doesn't own or have perpetual interest. All he can do is plunder as fast as he can in his unowned fiefdom before it passes on to the next guy. Fully private government would have incentive at least to preserve the value of the "Kingdom" if nothing else for his own children and because he sees the Kingdom as his own and destroying it for short term gain would be irrational.
But then you have the tragedy of the commons. As a central dictator, yes you want to preserve your government, and you act in ways that do this because you are the direct owner.
But in a democracy where you are one government official among many many other officials, one small corruption change that benefits yourself individually hardly effects the overall government. It is rational for you to do small damage to the overall government and gain a reward that benefits you disproportionally. It is the MOST logical action.
But then every government official acting rationally in aggregate causes the overall government to become extremely corrupt and that is the tragedy of the commons. Rational action in aggregate becomes irrational. Government needs to be separate from private business.
I guess it's because it's so culturally ingrained that it's hard to separate. The chase for money and business is entirely cultural. Money is paper and it's all fantasy stuff and the reason why we value it is solely because of culture. Government ideally needs to be seperate from this culture and have a more militaristic based honor structure where the incentive is to guard the citizenry. Government needs it's own cultural values. Easier said than done, practically every government official IS a private citizen and they all face the same misaligned incentives.
> You cant understand why the people with a monopoly on violence and force have higher scrutiny? -- @retr0rocket
Replying here to this seemingly flagged/dead comment (not sure why it was flagged - a very reasonable question).
I fully support higher scrutiny of public officials & cops, but this frankly isn't that. First & foremost, the problems you're describing are systemic, not individual. Monitoring a cop's phone isn't going to reduce police violence if the system isn't accountable - this is essentially the "bad apple" argument. The entire system needs drastic reform: backdoors won't solve any real problems here.
Secondly, independently of the levels of reform needed, at an individual level we're talking workplace conduct, reporting, protocols & transparency -vs- dystopian privacy invasion. There's a very broad spectrum here long before we reach the need for extremes.
Lastly, you need to look at the systems doing the monitoring of politicians' & cops' phones in this hypothetical scenario: if those systems contain the same systemic corruptions (which they inevitably do), the entire argument for oversight is moot.
Politicians are routinely ordered to surrender their communication to justice to audit what they do. Missing texts from Von Der Leyen is at the heart of Pfizer-gate after all.
I don’t really know what to think about this to be honest. I don’t think it’s entirely black and white and I find it surprisingly easy to play devil advocate.
Remember that the US government has an insane level of access to private communications via all the post 9/11 laws, how cosy it is with the main tech companies and we know they do a lot of these spying unofficially and with little oversight since Snowden.
Meanwhile, France is struggling with an unprecedented level of organised crime activity with the amount of violent crimes reaching worrying level. We are talking murders involving automatic weapons in broad daylight in the middle of the streets of France second largest city. Two weeks ago, the young brother of a famous anti-drug activist was murdered by a hitman while shopping.
There has been a huge increase in the quantity of cocaine being smuggled from South America triggering intense gang competition for the control of deal points and the mean in place to tackle the issue increasingly look vastly undersized. Limiting the discussion to it being authoritarian measure is refusing to acknowledge the very real challenge police currently face.
The only problem with that train of thought is that you are advocating a lower standard. Backdoors are not a superior option in any circumstance whatsoever.
The standard of conduct we need (and are failing) to hold politicians and cops to is actual security and responsibility. Some of the most powerful politicians in the world are leaking private conversations, and no one is holding them accountable. Police are paying private corporations (notably Flock) to build giant monolithic datasets from stalking private citizens, yet neither party is held to any standard whatsoever.
Who says they would? The point is the people would vote to have them held to this higher standard. They represent the people's will. They shouldnt get to choose other than their personal vote, the people choose. If they don't agree with what the people choose then they can leave politics.
As much as I want to agree with you, no, backdoors for them mean backdoors for everyone else. It's all or nothing. Now, they should be held to a higher standard, and face stiffer penalty than the regular prole because they should be the example-setters.
Do better policing (and that doesn't include trying to backdoor devices), but backdoors aren't the answer.
There's a top tier DEFCON talk by the Lavabit email guy. He explains where the line is for access to phones and other encrypted information. I'll try to summarize -
1 - Law enforcement have actual information about the probable contents of your phone (like an incriminating filename will do). They can reasonably expect to get a warrant and access to your stuff.
2 - They don't know what's there at all, and have no probable indication of the contents, and in this case they cannot expect access because they would just be going fishing.
True freedom, of any kind, requires freedom to say things and think things in private. I sometimes think horrible things and even discuss them with my friends. I need that space to work out issues. Without a truly safe space I would eventually go mad as I suspect many people would. The other part of this is that a basic requirement of freedom is trust with accountability. It means we allow things that may be harmful but if things go bad we hold those responsible accountable after the fact. It also means we may not catch all the bad guys and that is OK because the alternative is that everyone turns into a bad guy when we prevent people from doing things in case they will be bad. There is a balance here but the position that a govt will always have access to all private individual (acting in a private capacity) communications is not anywhere near a reasonable balance.
Larger companies are easier to influence than small ones, no intimidation is necessary.
Protecting user privacy delivers close to 0 shareholder value, being friendly with nations wins you billions of dollars in contracts, regulatory protection, and friendly courts, it's a win-win for big companies and surveillance states to be friendly with each other.
I don't think so; (but at the end of the day, you can never be 100% sure unless it's 100% OSS)
But with that being said both Apple and Google store a lot of data about you, and they are willing to "cooperate" with the government, and they did hand over data in various of cases Apple included [1]. For some reason, people think of as the "privacy company".
btw, big tech also get harassed for similar requests: The UK, for example, is still pressuring Apple to build an encryption backdoor [2].
I can understand you thinking that and there's probably some truth to it but do I consider Android and iOS compromised with government backdoors? No. What do I base this on? The lucrative black market for Android/iOS 0days.
And who's buying them? Generally, state actors, directly or indirectly. There is an entire ecosystem of Israeli "security" companies that exist to farm out these exploits. This is a big part of why Israel is such a key component of the American national security infrastructure. Israel is largely beyond the jurisdiction of American courts and any kind of direct scrutiny by the government.
It's a bit like how the US isn't (technically) allowed to spy on US citizens. How do they get around this? By farming out such activities to allied intelligence services, particularly Five Eyes members.
This entire ecosystem and marketplace just wouldn't exist if Android or iOS were fully backdoored.
I see your point, but this could also mean that the backdoors are there, just only a few organisations know it (let's say US army) and then they get found and found again
The linked article from Le Parisien (a big French billionaire-owned newspaper) is quite nuanced.
It gives the police's view on narco-trafic crime, but also Graphene's take :
"Criminals and traffickers also use knives."
This organization, which is not a company but a foundation, emphasizes that its solution is used by ordinary people who dislike how apps and operating systems handle their data. It adds that if criminals use Google Pixel phones and GrapheneOS, it’s because these solutions work well. But that doesn’t make them accomplices, they assure. "Criminals and traffickers also use knives, fast cars, and cash—things that are also widely used by honest citizens," its representatives note.
And GrapheneOS adds that it protects users from hackers and intrusions by the secret services of totalitarian states. "We consider privacy a human right, and we are concerned about projects like Chat Control (a European bill aimed at detecting child sexual abuse material in messaging services, but which has faced significant criticism) that the French government supports. The invasion of privacy enabled by such legislation would have alarming implications under an authoritarian-leaning government," it argues.
I didn't read it[0] as being particularly nuanced. I thought it was a fact-loose, extremist hitpiece against FOSS, containing howlers such as
> "Particularité de GraphèneOS : on peut se le procurer autant sur le darknet que sur des sites grand public." ⇒ "A distinctive feature of GrapheneOS is that it can be obtained both on the darknet and on mainstream websites."
Quoting "both sides" (so to speak) doesn't automatically create a thoughtful dialog.
I'm unsure whether it's appropriate to trust Le Parisien's equivalencies.
Q: Do they have a track-record of intellectual honesty?
Equivalencies are powerful, and dangerous if mis-handled.
E.g. this is worrying [from the article]: "A unique feature of GrapheneOS is that it can be obtained both on the dark web and on mainstream websites." Le Parisien is calling out GrapheneOS's availability on the "Dark Web" as significant, in the context of "Drug Trafficker's Secret Weapon". Banned books can also be acquired on the Dark Web, and banned books are not illegal, yet, in mainstream democracies. So Le Parisien's equivalency, here, is misleading.
now now comrade, if the book is banned, how is it that you are in possession of it? you're clearly breaking the rules. I do believe it is time for you to start counting trees
<3 I do see this style of speech, which you're obviously playing with here, more and more coming from my US government. "What do you have to hide" kind of stuff. (From my individual perspective.)
It is disconcerting, as it's unclear whether the rule-of-law still stands, given the anti-Constitutionality of the current US Administration -- especially around due-process.
The trend of Democratic Decline seems provably real, along with a rise in Authoritarianism.
I think the post you’re replying to is alluding to the fact that London has a knife problem, despite carrying knives being illegal there. Meanwhile a number of places don’t have that problem, even though it’s legal there.
BTW As an outsider, this “knife” euphemism caught me off guard a while ago. When you read about these stories from London, it’s usually about machetes. It’s one of a number of euphemisms Brits use around the topic, making everything around the topic sound pretty mild if you’re not from there. Then you learn one more euphemism and think “oh wait, that guy/gal back then was talking about this? wtf?”
It’s not in general illegal to carry knives in London (or again, in the rest of the country, which has the same laws). Small knives are permitted generally and larger knives may be carried for specific reasons (e.g. religious). To say that it’s illegal to carry a knife in the UK is roughly as misleading as saying that it’s illegal to carry guns in Texas. In both cases there are applicable laws, but there is no blanket ban.
London has a knife crime problem in the important sense that any number of people being stabbed is a problem. However, it’s worth bearing in mind that cities like NYC have a slightly higher rate of fatal stabbings per capita. (Non-fatal robberies and assaults are tricky to compare across countries because of different data collection methodologies and different classifications.) Of course it would be good for fewer people to get stabbed, and knife crime is a serious problem for some specific communities, but the city as a whole is not experiencing the kind of knife crime epidemic that you might imagine if you get your news from alt right TikTok accounts.
Nah, you're right. They title it "knife ban" but they list specific "knifes" that you can't carry, such as a sword (lmao at it being considered a knife)
I used to own many butterfly knifes in Middle School. Feels weird that you could be arrested for that in London
Who are 'they'? There is no official thing called a 'knife ban', and again, there are no laws about knives specific to London. There aren't really any laws about anything that are specific to London, as there is no corresponding legislative body.
This article is as absurdly biased as it could be! Of course they provided a quoted response from GrapheneOS devs: that's the only appeal to credibility they have.
A truly responsible journalist would explain to their audience what is actually at stake, not simply spout every available position as if it were equivalent.
> Le Parisien (a big French billionaire-owned newspaper)
They're all billionaire owned. As an example, left wing newspaper Liberation has Kretinsky among the owners
One thing though is - knives, fast cars and cash aren't built with deliberate motivation of thwarting the law enforcement and criminal investigations.
GrapheneOS and its systems are - you can walk through history and see that they're deliberately working on systems that defeat law enforcements efforts of collecting data from seized devices and tracking criminal networks.
This is a massive difference - even for knives and cars, you'd get into some hot water (or outright illegal behaviour) if you build them with express purpose to make them hard to find and track by law enforcement. Try making a company that focuses on cars that hide its license plates from the police and you'll see how far that will go.
This is one thing that GrapheneOS, Signal and others will need to at some point reckon with - the fact that they deliberately work at making law enforcements work harder and provide effective cover for criminals will get them into hot water. And I don't think population will stand at their side when they find that they've been helping CSAM traffickers hide their loot.
Having all that anti-governmental rhethoric won't end well for longerm survivability of these projects - which sucks for all of us.
Graphene shouldn't have to reckon with the abuse of government, we should step in and speak up for them. If having a secure device becomes criminal, only the criminals will have secure devices.
Law enforcement is being lazy by trying to rely on mass surveillance rather than espionage tactics to catch criminals. Criminals learned long ago how to work around surveillance, so this doesn't really work on them. But it does subject the public citizen to undue scrutiny and violation of privacy, which history has shown is then used against the innocent. We don't need any more reminders of how popular authoritarianism has become. And it's often used to pin a crime on an innocent person (a common police controversy), or intimidate and harass them (see FBI).
> I don't think population will stand at their side when they find that they've been helping CSAM traffickers hide their loot.
This is just one of many examples of a false rhetoric used by politicians to manipulate the public into cow-towing to mass surveillance. We cannot stand for this and must fight it at every turn. "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."
Beware, though, the key words in that quote are not "liberty" and "safety" but rather "temporary" and "essential". You can replace "liberty" and "safety" with any other nouns (including "safety" and "liberty") and it's still true.
Which is not to excuse the fascist actions of the French government. I just don't like that quote.
This is a very counter-productive distortion of privacy, and borders on a lie about Graphene.
Something designed to be private doesn't know the difference between a law enforcement officer trying to break into it and a criminal trying to break into it.
There is no special "anti-cop only code" that gets executed, any more than there are special "cop tools" that exist on some physical plane where criminals don't.
Genuinely curious: what did you see in GrapheneOS history that indicates that the OS is specifically designed to defeat law enforcement (as opposed to their stated goals of defeating ad surveillance and stalkerware)?
I think your point is that there is evidence that the intention of some or all of the developers and/or the organization as a whole is to make law enforcement more difficult. You go on to argue that this intention fundamentally alters how society, or at least law enforcement arms of government, should view this technology. Specifically, I take your argument to be that law enforcement should or will treat them as accomplices to some degree of the crimes they enable.
There is no way to have a completely secure operating system, safe from hackers and spy organizations and thieves, that is also accessible at the whim of law enforcement. Period.
If we can't trust hosted services to protect our data, and we can't trust our own computers to preserve our data, the right to privacy simply doesn't exist.
So which knife makers are serializing their kitchen knives so they can be traced back in case of a crime? How many knives come with a GPS tracking its position? Well too expensive, what about an Airtag. No? By your roundabout logic this qualifies as “deliberately working on systems that defeat law enforcements efforts”. It’s an absurd argument.
To actually do any crime with GrapheneOS you would also need at least a VPN and basic understanding of operational security. Just as you would need a lot more than just a knife and car to be a successful criminal.
A Pixel phone with GrapheneOS is not some magic device that let's you do crime without immunity, but that’s the story they want to sell you.
Are you livestreaming your face on Twitch right now? If not, why are you deliberately making it harder for police to catch criminals? It would be so much easier for police to catch criminals if everyone livestreamed on Twitch 24/7, it should be a crime not to do that.
In the end, wasn't EncroChat a larger problem for the criminals than the governments?
Once it became a big enough target it got taken down, and then quietly run by the police who collected everybody's messages for months before triggering a huge round of arrests, including quite a bit of major organized crime across Europe. The dangers of centralization. They'd love another EncroChat!
Doesn't apply so much to GrapheneOS of course since they're not in the messaging platform market, but it's definitely a cautionary tale.
I watched a fascinating documentary about EncroChat (https://www.channel4.com/programmes/operation-dark-phone-mur...). It was obvious the police absolutely loved having this real time feed into criminal communications, and thought "let's have more of that please". They don't realise the consequences are that criminals won't use such forms of communication once they know they're backdoored.
Probably something like this would be close to the same colloquial meaning (I'm not familiar with any pants-shitting slang in French):
EncroChat leur a foutu les jetons de ouf.
Given the fact that most protests are organized on facebook groups, how does one keep him/herself aware of eventual protests to come without Facebook/instagram? I d gladly join for a cause i support
Edit: I wonder why this is downvoted. The bureaucratic class holds enormous power in France, and has constantly acted against digital rights and privacy with impunity. The only institution that can somewhat restrain them is ECHR.
And I remember the longstanding argument why women should not be allowed to vote in France, because that's what brought Hitler to power. They were the third last European country to do so, only Greece and Switzerland were more backwards.
Just to be clear about what is really happening right now;
There were three articles from newspapers (Le Figaro, Le Parisien) known for their rightist, pro-cops, opinions, and owned by billionaires (LVMH/Arnault, Dassault). In those articles, GrapheneOS is associated with bad actors purpotedly using it as a way to obfuscate their activities.
A comment was made by Johanna Brousse, Chief of French Cybercrime Unit, stating she would not refrain from pursuing the publishers if links were found with a criminal organization and they refused to cooperate with the justice system.
Another claim from a police investigator equates GrapheneOS usage to illegal activity.
Russia is as European as France and certainly more European than the US or Canada. Most of Europe's problems stem from trying to keep Russia out and Germany down.
The latter has worked well because Germany is, to this day, occupied by the US & the UK. But the former has never worked out and is now bankrupting the EU!
> Two articles in Le Parisien yesterday, followed today by one in Le Figaro, have launched a shameful attack against GrapheneOS, a free and accessible open-source operating system for phones. At La Quadrature du Net, it's one of the tools we favor and regularly recommend for protecting against advertising tracking and spyware.
> Echoing the propaganda of the Ministry of the Interior, newspapers describe GrapheneOS as a "crime-related phone solution," and a police officer adds that its use is suspicious in itself because it indicates an "intention to conceal." By portraying GrapheneOS as a technology linked to drug trafficking, this attack aims to criminalize what is actually a secure privacy-preserving tool.
> In these articles, the head of the cybercrime section of the Paris prosecutor's office – who was behind the arrest of Pavel Durov – also threatens the developers of GrapheneOS. In an interview, she warns that she will "not hesitate to prosecute the publishers if links are discovered with a criminal organization and they do not cooperate with the justice system." https://archive.is/20251119110251/https://www.leparisien.fr/...
> The government regularly tries to link privacy technologies, particularly encryption, to criminal behavior in order to undermine them and justify surveillance policies. This was the case in the so-called "December 8th" case, where a police narrative was constructed around the (secure) digital practices of the accused to portray a "clandestine" and "conspiratorial" group. https://www.laquadrature.net/2023/06/05/affaire-du-8-decembr...
> Now, drug trafficking is being used to attack these technologies and justify the surveillance of communications. The so-called "Drug Trafficking" law was thus used as a pretext to try to legalize "backdoors" in encrypted applications like Signal or WhatsApp, without success. https://www.laquadrature.net/2025/03/18/le-gouvernement-pret...
> An article in Le Monde diplomatique from November extensively examines the history of the political exploitation of drug trafficking to justify security and surveillance policies. The police attack on GrapheneOS fits perfectly within this pattern. https://www.monde-diplomatique.fr/2025/11/BONELLI/68915
> In its response published yesterday, GrapheneOS points to the authoritarian tendencies of the French government, one of the most fervent supporters of the "ChatControl" regulation under discussion at the European level, one of whose goals is to put an end to end-to-end encryption. https://grapheneos.social/@GrapheneOS/115575997104456188
More graphic content needed to get folks to click through: This is excerpted from the result of G-translating the Parisien link:
"This 27-year-old alleged trafficker is suspected of having run this drug telephone platform which, between 2023 and 2024 in Paris, collected a turnover of two million euros and is said to have caused three overdose deaths during chemsex parties."
I think you meant https://mamot.fr/@LaQuadrature/115581775965025042 instead of a link to "Le Parisien", which is not a non profit, but a newspaper owned by LVMH/Bernard Arnault, and known for having rightist opinions.
Everything about the exercise of power in the digital world is tilted away from the individual.
Windows 11 moved all my files into the cloud without even asking me! I was livid--those are documents that I deliberately DID NOT WANT in the cloud! It's crazy what malice we have to put up with and navigate these days. It just keeps getting worse and more convoluted, too.
There were many decades where phones didn't have back doors. Now, it's the opposite case in the most dystopian way. It's concerning that all phones are required to have back doors for law enforcement and the enforcement is severe. I know several people who have a corrupt "cop they know" that they can regularly contact for favors. Why is it so out of the ordinary to distrust law enforcement when they have these tools?
> There were many decades where phones didn't have back doors.
Your cell phone provider almost certainly will respond to a valid warrant and wire tap your non e2e encrypted phone call.
I'd be very surprised if the most common mode of remote communication in any time period was not subject to government interception in some format within a short time of becoming such. That includes physical mail, telegrams, landlines, cell phone calls, txt messages, emails, etc.
Referring to "how things used to be" is not in fact helping the case for privacy.
I don't think people are arguing against complying with valid warrants. They object to blanket surveillance being done with tools available to any law officer that can be used at any time, warrant or not.
Of course they will respond to warrants, they have to, and nowadays they have the infrastructure to forward all traffic to law emforcement's servers in real-time.
We're discussing this in regards to an article where the obvious "solution" was found by the government to this very approach. You're free to build it that way and we're free to put you all in jail afterwards as a result. Rubber hose decryption at its finest.
Phone operators are heavily regulated and licensed, and this is a legal requirement and a requirement of their licence. Complying with lawful warrants is also obviously a legal obligatuon.
Dear French: criminals would just use fake spam emails or bullshit trolling posts under fake Usenet groups in the clear. No encryption needed, and yet your would earn nothing by backdooring them
At the end of the day, these attacks on privacy are always in reality for keeping incompetent politicians and bureaucrat's safe from meritocracy.
Built into the onslaught of demands of backdoors are two key ideas: A) That the backdoors will only be exploitable by the authorities and that B) they're even necessary to carry out their work in stopping trafficing.
I think most people know by now the first idea is preposterous. The second idea is too. The EU should focus on better police tools and tactics that detect and track the actual movement of goods.
Sadly, I don't think that that's true. I've been shocked by the lack of understanding there in groups of technical people who should know better. It's even worse in groups of non technical people. I'm afraid this is an ongoing battle, and every time ideas like this come up from government it's going to be an effort to inform the public.
> The EU should focus on better police tools and tactics that detect and track the actual movement of goods.
This is a point that doesn't get raised very often: the actual crimes occur in "meat space", not electronically on a device. Haven't police and intelligence been solving crimes like that since 'the beginning'?
The coordination of a crime may be done electronically 'on device', but the actual crime occurs somewhere physical, generally with physical objects and the presence of the criminals themselves.
Why is it suddenly so much more difficult for law enforcement to do their jobs that the privacy of every member of the public needs to be able to be invaded?
Are police forces under-resourced to take on the "how it's always been" approach to fighting crime? Are law enforcement being subject to inapplicable software engineering rules of efficiency to save money? (Ie. Too much focus on the metrics, not the outcomes).
Don't police have great physical surveillance tools? Yes, it may cost more in having to physically surveil targets, but that seems (to me, and this is where the rift lies) that's a good compromise opposed to surveiling the entire populace.
Anyone can say anything in a piece of correspondence that they think is private. If it's made public it completely changes the context. A joke between friends, criminals or not, can look like conspiracy to X, Y, or Z. Research for a crime novel could appear like preparation for a Louvre heist. And even if it is, it's not a crime until it occurs, until that point it's not 'real', the thing suspected of being planned hasn't actually taken place until it takes place. Are we implementing pre-crime without the three psychics?
And one thing I know for sure is that law enforcement do not understand context. They're bred to find guilt, not innocence, and having a larger haystack they'll find plenty of hay they think look like needles. Gotta hit those metrics.
There's plenty of nuance missing from what I've written here, but I fairly strongly feel it's leaning towards reality rather than liberal fantasy.
For contrast, you can imagine how this debate between a private OS developer and the government would go in a non-democratic country. Or, you don't even have to imagine, because examples are not hard to find.
But really, the point GP was trying to make (IMO) is that all western democracies are very obviously sliding towards authoritarianism. They are building tools which, even _if_ they don't abuse them now, will be available to any future government and with time, the probability of one of them being non-democratic is 1.
I believe this is the OS recommended to journalists that report on Palestine because freedom of speech doesn't apply without aggressive assertion of your rights.
> The FBI ran a sting operation in Europe where they created their own 'secure' phone and messaging platform. Their OS used portions of our code and was heavily marketed as being GrapheneOS or based on GrapheneOS.
So how do we know GrapheneOS itself isn't a honeypot? It's run by a mystery org and heavily marketed as being a secure platform.
They even have reproduceable builds so you can validate the source matches the distributed binaries. After that it's trusting in the OSS process to have caught any attempted backdoors which is more down to your individual evaluations.
Would be an interesting experiment actually: how long would it take for the community at large to discover a backdoor in graphene OS if added sneakily by generally trusted Devs, ie the org that maintains it.
Or, phrased differently, how much independent auditing is graphene OS subjected to?
> We've built relationships with security researchers and organizations interested in GrapheneOS or using it which results in a lot of this kind of collaboration.
France has threatened us with the same actions they took against SkyECC and Encrochat if we do not cooperate by providing law enforcement access into devices. This was published via Le Parisien in one of their articles and through French state media. They're absolutely threatening us that way.
> Interviewed, she warns that she will “not stop pursuing publishers if links are discovered with a criminal organization and they [GrapheneOS] do not cooperate with justice.”
France has threatened us with the same actions they took against SkyECC and Encrochat if we do not cooperate by providing law enforcement access into devices. The actions they took against those were mass arrests and seizure of servers. We don't have cloud infrastructure for builds/signing but regardless we don't want the French state taking over our website, etc. so we're leaving France and OVH.
This is not proven state action - this is hearsay. Maybe the GrapheneOS project should wait for the first warrant to arrive or police raid to happen before claiming what they currently do.
With the current evidence, its not ruled out that the french state is not doing anything at all.
It's not clear what they mean by that in the threats they've made in multiple places but it's clearly a threat, and they're already lying about us. Therefore, we're leaving France including leaving OVH and not hiring people in France without them relocating first. Our most sensitive infrastructure is local but we don't want a state taking over our website and network services. We don't trust France and OVH to respect rule of law and human rights at this point. It's not a safe country for open source privacy projects and French companies cannot be trusted to even host a static website without hijacking it for French law enforcement.
French law enforcement is conflating companies making products with GrapheneOS code with GrapheneOS itself. They're presenting it as if those companies are working with us and that we're responsible for their actions selling devices using our code. Most of those are using forks of GrapheneOS with features we don't have which are repeatedly incorrectly referred to as being GrapheneOS features. GrapheneOS users can read the many articles and see many references to non-existent features. They similarly refer to non-existent distribution methods and marketing which are actually about these products they're conflating with us. Since they're conflating products and actions by other people with ours, that makes their threats very concerning.
GrapheneOS doesn't even currently bundle an end-to-end encrypted messaging app as we don't have our own and leave choosing third party apps up to users. We plan to make an RCS app with MLS to replace people using Google Messages via sandboxed Google Play but that's no different than what Apple and Google are working towards providing earlier. Even if Chat Control was already the law, we don't have Signal or a similar app bundled with the OS and don't currently distribute a hardened build via our App Store despite plans for it. We do distribute the sandboxed Play Store and Accrescent via our App Store which have end-to-end encrypted messaging apps available...
Probably the former. SkyECC, Encrochat, etc, were found to be deliberately sold to nontechnical drug lords for large amounts of money - as in, the project leads went out searching for drug lords and selling phones to them individually and offered to sell them 100 phones for $200 per month per phone. Drug empires have that sort of money. And they didn't sell to anyone else since nobody else has that sort of money.
It seems unlikely that GrapheneOS is the same way, since it's free, but you never know - maybe it is made for drug lords, and giving it away to the rest of us is just for plausible deniability.
Remember when they arrested Pavel Durov? I don't buy their official reasoning.
Dear European friends, our leaders are tightening the screws. If we don't make our voices heard this is only going to get worse.
https://x.com/durov/status/1976420399970701543
I mean, Durov has been trying to push for Russian puppets to get elected in Romanian and Moldovan elections, by pushing to everyone (at least in Romania, he might've just posted on twitter for Moldova) that the French government is trying to interfere in the Romanian elections. I mean, it turns out, Russia was, on behalf of the candidate he was talking about... so take from that what you will.
Oh, yeah, and he calls himself DuRove now. Hats off for that one, but I hope he rots in prison for advancing the Russian agenda.
I mean, sorry, but the EU essentially installed puppets in both Romania and Moldova, what are we even talking about here?
I'm sure you're very familiar with the politics of both countries, but tell me...
How is Nicusor Dan a puppet of the EU? More than Calin Georgescu? The guy who actively tried to stage a coup? More than George Simion? Granted, there's no PROOF he's a Russian puppet, but he's a far right twat that has views friendly to Russia.
How is Maia Sandu and PES a puppet of the EU? And... let's look at BEP. Voronin, Russia friendly ex President, he was very against Moldova trying to get closer to the West. And Dodon? The guy who is being indicted for treason, who's a friend of Plahotniuc (he stole 1 billion dollars from banks and fled the country)? Yeah, sure, puppets of the EU, vs corrupt fucking puppets of Russia.
I know it's easy to look at this stuff from the outside and say, oh, yeah, the EU is interfering in elections, but there's a lot of history here that you obviously don't have. I like Maia Sandu more than Nicusor Dan (his positions on gay rights were disgusting a while back, he now just stopped talking about them), but compared to the obviousness of the Russian support for their opposition, I think the fact that the EU supports them is just insignificant.
Remember when they just annulled an election when they did not like the result?
I remember. It helped expose his lies about not traveling to russia and not collaborating with russian security services.
care to expand/provide some more info?
Durov had long claimed he was in exile from Russia and couldn’t return and that he was a UAE/French citizen. then records leaked that showed 120 border crossings from 2016-2021 and that he still held a Russian passport. One such border crossing was a flight from St Petersburg on June 18, 2020 which happens to be the same day that Telegram was unblocked in Russia… Lots and lots of smoke..
The Kyiv Independent article is a good summary.
https://kyivindependent.com/opinion-examining-telegram-found...
You know I didn't use to understand libertarians, but after years of watching boundaries being overstepped again and again I think I see the appeal of burning it all down and living in a cabin in the woods.
Like, in Europe we already live in a completely safe society in historical and geographic terms, what more do you fucking want? Security is beyond a laughable excuse for things like chat control. Power tripping elitists will never be happy until they have the entire population under 24/7 camera surveillance and can read every thought in our heads as it occurs. If you make crime impossible, you make free will impossible.
> I think I see the appeal of burning it all down and living in a cabin in the woods.
AFAIK, you're not allowed to live in a cabin in the woods in Europe.
Except in Finland :)
The same reason there's only more regulations being piled on top of previous ones. Sadly only wars and similar catastrophes work as reset buttons for these things historically. A peace as long as the current one is somewhat of an untested ground
The libertarians that want to live in the woods have a point.
The problem is the libertarians that want to burn it all down and build a corpo-state.
It’s important to defend libertarian values even when things are good. Small violations of civil rights have a tendency to stick around and snowball into something worse.
The katamari will grow until morale improves.
I agree with your overall sentiment, except:
"Like, in Europe we already live in a completely safe society in historical and geographic terms"
Russia. Putin.
I heard a funny joke once.
"How do you get a European to give you his wallet? Tell him that you're going to protect the wallet from Russia"
I'm talking about our society internally, not potential external attacks on it. It's reasonably high trust and crime is rare outside a few outlier cities. We could not be further from warranting these sort of fascist style crackdowns. Ironically yes we could be spending funding used for domestic surveillance and bureaucracy on buying more Himars.
> in Europe we already live in a completely safe society in historical and geographic terms, what more do you fucking want?
For people not to get killed, abused, and exploited? You don't sound like a "libertarian" you sound like an anarchist.
You know who has a large part of the population under global 24/7 surveillance right now? Google, Facebook, Microsoft.
> I don't buy their official reasoning.
Why not? Have you used Telegram? Before Durov’s arrest there was open drug trade everywhere, afterwards they started to actively ban groups.
In the Pavel case, it involved child pornography groups on Telegram and the fact that they ignore a court order.
But I agree with you for the authoritarian logics in Europe (even America) with Chat Control and other actions like the French gov. just did....
HN title: "France threatens GrapheneOS with arrests / server seizure for refusing backdoors"
LQDN: "Dans ces articles, la cheffe de la section cybercriminalité du parquet de Paris – à l'origine de l'arrestation de Pavel Durov – menace également les développeurs·es de GrapheneOs. Interviewée, elle prévient qu'elle ne s'« empêchera pas de poursuivre les éditeurs, si des liens sont découverts avec une organisation criminelle et qu’ils ne coopèrent pas avec la justice »."
In the (very short) linked article: No mention of arrest, server seizure or backdoor, and a more nuanced take. Loosely translated summary: Some users have a legitimate need to protect their communications. IF we find links with criminal organizations AND there is no cooperation, then we might take action. They're specifically taking the approach of a case by case hack of single phones which might cost up to a million euros. Is this an issue if there's a warrant?
This seems blown out of proportion?
France has made it clear they expect to have a backdoor in end-to-end encryption apps and disk encryption. They've been saying that it's unacceptable not to have a backdoor in a bunch of these news stories they've gotten published by contacting the media. They've said if we don't cooperate with that, they'll take similar actions against us as they did SkyECC and Encrochat meaning hijacking our servers and trying to have us arrested.
Le Parisien has 2 articles about this, not only one, and https://archive.is/UrlvK is one of the places they talk about going after us if we don't cooperate with providing them access to devices. It's not possible for us to provide an update which bypasses the throttling for brute force protection so what they're asking isn't even helping them break into specific devices but helping them compromise security for everyone in anticipation of rare cases of criminals using devices. https://news.ycombinator.com/item?id=46038241 explains lack of technical ability to compromise security after the fact. Titan M2 is specifically designed with insider attack resistance so that Google making an update disabling the brute force protection won't be accepted by the secure element without the Owner user successfully unlocking first. We don't have the signing key for the Titan M2 firmware anyway. This is part of our required hardware-based security features which we're working on providing in a Pixel alternative with a major Android OEM working with us right now. We talked to them about the France situation already and it does not negatively impact our partnership. It may be a good idea to speed up an official announcement with them to counter the narrative being pushed by France's law enforcement agencies now.
I appreciate the answer and the work on GrapheneOS! It seems there's a lot of work going on with the QPR1 release and this French matter doesn't make things easier for the team. Good luck!
Le Parisien is not the french state. I doubt you had any interaction with the french authorities at all.
You are unable to any legal recourse because none of your rights have been violated so far.
To be fair, the quote in the second article is from Johanna Brousse who is behind the Durov arrest.
> "Mais ça ne nous empêchera pas de poursuivre les éditeurs, si des liens sont découverts avec une organisation criminelle et qu’ils ne coopèrent pas avec la justice."
> “But that won't stop us from prosecuting publishers if links to a criminal organization are discovered and they fail to cooperate with the justice system.” (DeepL)
I understand this can be seen as more threatening even if the whole quote softens this a bit.
What is cooperation? How are they supposed to unlock the phone?
Unless you're saying 'compelled to use their private keys to publish an update' or something along those lines, in which case I would say the original headline is correct.
There is no law allowing the police to do that in France so that can’t be what cooperation means.
In the case of Telegram, it was about providing meta data when subpoenaed and moderating the unencrypted part of the application.
There is little reason to believe it is about anything else here.
Edit: Happy to hear what the people downvoting actually disagree about as usual.
And how do you hack a single phone without a backdoor in every phone?
You use the signing keys for GrapheneOS to push an update to a single user.
How is this different from a backdoor in every phone?
Some authority compels me to give them signing keys so now they can push anything they want, to any device they want?
They can't bypass disk encryption that way:
https://news.ycombinator.com/item?id=46038241
It does appear to be what they want from us, but it's not possible to bypass the Weaver disk encryption throttling via compromised OS updates or even secure element updates. It's fully not possible to bypass the security of a strong passphrase, which we encourage via optional 2-factor authentication support for fingerprint+PIN as the main way people unlock to make using a passphrase as the primary lock method after booting or 48h timeout much more convenient.
Well that's really good to know.
Been a happy user of Graphene since the Copperhead days. Thanks for all the work you do. I know you've endured a ton of shit.
That doesn't offer a way to bypass disk encryption for data protected by the per-profile lock method. GrapheneOS cannot bypass the brute force protection implemented by the secure element. Google cannot bypass the brute force protection either because they designed the Titan M2 to require the Owner user successfully unlocks in order to update it. Weaver + insider attack protection for the secure element are among our hardware security requirements (see https://grapheneos.org/faq#future-devices for a list) which are being implemented by an OEM we're working with to provide a Pixel alternative. Weaver has a table of user authentication tokens mapped to random tokens used as part of the final key derivation. The authentication token is made with a hash of the initial key derived from scrypt, then the final key derivation in TrustZone combines both with hardware-bound key derivation to get the key derivation key. Weaver implements very aggressive time-based throttling. We have the original delays documented at https://grapheneos.org/faq#encryption but it ramps up faster now.
Aside from that, people can use a strong diceware passphrase on GrapheneOS due to us massively raising the character limit from 16 to 128. This is far more usable on GrapheneOS because people can combine it with fingerprint+PIN secondary unlock instead of fingerprint-only secondary unlock. 5 attempts are allowed for fingerprint unlock and the 2nd factor PIN being entered incorrectly counts towards that so even a random 4 digit one works well. That's convenient to use with the passphrase only having to be entered 48h after the last successful passphrase unlock and after reboot.
We also won't do it and cannot be forced to do it under Canadian laws. France's laws are going to be as relevant to us as North Korean laws once we've finished replaced our OVH servers in Beauharnois, Canada with a Canadian provider. France could currently force OVH to mess with our static website or mail server but we haven't done anything illegal so it would be outrageous and a diplomatic incident due to violating Canadian sovereignty during a time period when foreign server hosting companies being subject to foreign law is already in a recent news cycle. We're not waiting around for them to hijack our website though.
With a know bug in a product that you didn't disclosed.
https://web.archive.org/web/20221124085649/https://www.washi...
I agree
The thread linked is much more balanced than the title given
> This seems blown out of proportion?
Par for the course on hacker news.
Is it safe to assume, then, that Google and Apple already have backdoors in their operating systems as likely requested by many governments around the world (not least of which the one from their home country)?
Or is GrapheneOS the only one built securely enough to need to be leaned upon?
Either way, makes Google and Apple look bad and/or incompetent and GrapheneOS look like some kind of beacon of user protection / privacy rights / other things that are the opposite of the direction the world seems to be moving.
Every time I travel internationally I immediately get notifications for Android OS updates. I'm pretty sure they are for satisfying local regulations about the phone's behavior, including the topic at hand.
Interesting. I have never seen anything like that in many years of frequent travelling while using Android. Which countries did you see this in? And are you using stock Android or some vendor's version?
Stock android. Traveling between US, Europe, LATAM and China.
Anecdotal. Why wouldn't they deliver these via Play Services update? It's easy to dismiss an OS upgrade, background updates can't be really blocked.
I am not saying there are no backdoors, but this never happened to me.
And I am an Android user since the first G1 phone.
I'm currently abroad with a notification for "November Pixel Drop update available" that appeared the day following my arrival. I believe I had already installed the November update back home earlier in the month. Every time I go back home, a couple of days later I get an update too.
I'm not claiming to know of any foul play, but it has happened several times, enough for me to notice. If it was related to time of the month, it wouldn't be as consistent. It might be that you need specific combination of phone, configuration and network provider for this to happen. Maybe I've been p0wnd, but I've noticed this behavior since at least the Nexus line.
This has never happened on my iPhone
Apple charges a storage tax so why not ship all that data by default
Every other OEM charges a "storage tax" too?
They are just done in the background?
Or that GrapheneOS is small enough to bully.
The EU doesn't seem to shy about forcing Apple or Google to do things, so I don't think it's a size thing.
France isn’t the EU though.
True, but from what I understand France and Germany quite often get their way in the EU.
Apple has already taken the US government to court and forced them to back down after the FBI demanded that they insert a backdoor into iOS.
> In 2015 and 2016, Apple Inc. received and objected to or challenged at least 11 orders issued by United States district courts under the All Writs Act of 1789.
https://en.wikipedia.org/wiki/Apple%E2%80%93FBI_encryption_d...
This year, Apple took the UK to court and announced that they would strip encryption features from UK users before they would give in to UK demands for an encryption back door before the UK backed down.
If Graphene has the money to do so, they should fight it out in the courts.
It likely not due to any backdoors present, more so due to weak default setting plus alternate routes to the data. Things like backups being unencrypted either by default or when uploaded to the cloud. you don't need to ask for a backdoor if most users don't have encryption enabled.
Yes, it's safe to assume that companies follow the law in countries where they operate.
So we need GrapheneOS to stand their ground more than ever!
My country has this: https://www.schneier.com/blog/archives/2024/09/australia-thr...
Which kinda ruins it for everyone.
Additionally, I would assume/guess that if it's some kind of coordinated campaign involving media then there is no law to compel GrapheneOS to do this. If they're was a law then that would be the pressure, as opposed to media articles.
What that then implies is a campaign to convince the public a law is necessary, ie. they're already laying the ground work for support for the next version of a Chat Control bill.
Of course the likes of Apple and Google are complying with lawful orders from the governments of countries they do business in.
Businesses that don't generally cease operating in said country. LavaBit was a highly visible instance of a business shuttering itself instead of complying with such lawful orders.
That's also the ploy of basically every VPN provider out there. They say they don't store or give out data, but they still adhere to lawful requests. That necessarily includes requests from countries where they legally offer their service, even if their HQ is in some country with lax legal frameworks. It also means, if there is a legal way to coerce them into recording your data or handing it over, they will do so.
https://www.pcmag.com/news/nordvpn-actually-we-do-comply-wit...
They also mentioned they only respond to court orders (ie. not just because the cops asked nicely), will try to appeal as well. That's better than most ISPs, who would either give up data without a court order, or won't bother appealing.
The problem is that there may be perfectly legal gag orders (issued by a court) that force them to comply to normal police requests - and you would never even know. NordVPN in particular removed their warrant canary without informing their users and only gave some retroactive PR answer when people rightly started to freak out.
The simple truth is that if a VPN provider hasn't been shut down by authorities after more than a year (like VPNLabs was), then they are basically guaranteed to be giving out your data to authorities at this point. The legal situation in most western countries does not allow complete online privacy for normal, law-abiding citizens.
I seem to remember the FBI attempting to compel Apple to decrypt a criminal's iPhone, only for Apple to refuse and claim that it wasn't possible. I'm not sure exactly what happened after that. I think it was suspected that the NSA was able to do it by exploiting an unpatched zero-day. So they didn't need Apple's help anymore and the issue was dropped from the public's eye.
There's a couple overlapping things here:
1. Apple can and does comply with subpoenas for user information that it has access to. This includes tons of data from your phone unless you're enrolled in Advanced Data Protection, because Apple stores your data encrypted at rest but retains the ability to decrypt it so that users who lose their device/credentials can still restore their data.
2. Apple has refused on multiple occasions, publicly, to take advantage of their position in the supply chain to insert malicious code that expands the data they have access to. This would be things like shipping an updated iOS that lets them fetch end-to-end encrypted data off of a suspect's device.
> Apple can and does comply with subpoenas for user information that it has access to.
When we are talking about data stored on a company server, you have no choice when you are served a valid warrant.
That's why Apple went all in on the concept of keeping sensitive data off their servers as much as possible.
For instance, Apple Maps never stored the driving routes you take on Apple's servers, but does remember them on your device.
Not to mention, while apple will publically deny it, there are government agents working undercover at every major tech firm. They may or may not know. They certainly exist.
> remember the FBI attempting to compel Apple to decrypt a criminal's iPhone, only for Apple to refuse and claim that it wasn't possible
Apple refused “to write new software that would let the government bypass these devices' security and unlock” suspects’ phones [1].
> not sure exactly what happened after that
Cupertino got a lot of vitriol and limited support for its efforts.
[1] https://en.wikipedia.org/wiki/Apple%E2%80%93FBI_encryption_d...
I always assume these public performances are merely performances and that no one hears about the actual dirty work.
And of course Apple is quite right not to miss the marketing opportunity, on behalf of the shareholders. While acquiescing to lawful demands of course.
I don't remember Apple ever saying that it was impossible for them to do it, just that they didn't want to.
It was always kind of assumed that they could, by eg signing a malicious OS update without PIN code retry limits, so the FBI could brute force it at their leisure, or something similar.
They said it was impossible for them to build a backdoor into iOS that would only be accessible to legal requests from law enforcement, which is true in the strict sense. So law enforcement bought a vulnerability exploit from a third party.
> they could, by eg signing a malicious OS update
They successfully argued in court that being forced to insert code the government wanted would be equivalent to compelled speech, in violation of the first amendment.
As the Feds often do, they dropped the case instead of allowing it to set a precedent they didn't want.
> They successfully argued in court that being forced to insert code the government wanted would be equivalent to compelled speech
This isn't true, they never "successfully argued in court". There was never any judgement, and no precedent. They resisted a court order briefly before the FBI withdrew the request after finding another way into the device.
There wasn't judgement because the Feds dropped a case that would set a precedent they wanted to avoid.
Since there is longstanding legal precedent that corporations are people and code is speech, forcing a corporation to insert code that the US government demands is a violation of the first amendment.
https://en.wikipedia.org/wiki/Apple%E2%80%93FBI_encryption_d...
That was show put on for the sole reason of the public seeing it.
If you follow the things that have been disclosed / leaked/ confirmed when they’re 20+ years out of date, then yes the probability this is true is significant.
I recall there being a little more substance to it at the time. But looking back from where we are now, that is a succinct way of describing its results.
Cellebrite did the job using a vulnerability..
That being JTAG debugging. Now there are greyhat groups discovering what they can do with it beyond bypassing the PIN at power-up. Honestly surprised phones are not being sold/marketed as having that disabled on both bluetooth and USB.
Google and Apple were infamously official data providers[1] of the NSA's illegal and unconstitutional (as ruled by a federal judge[2]) warrant-less surveillance program (PRISM[3]) exposed by Edward Snowden.
It's safe to assume that software provided by every large, publicly-traded, for-profit technology company incorporated in the USA cooperates extensively with US intelligence agencies, and therefore by extension, the "Five Eyes" alliance, at a minimum if not also the "Nine Eyes" and "Fourteen Eyes" alliances [4].
[1] Slide 6: https://www.eff.org/files/2013/11/21/20131022-monde-prism_ap...
[2] https://www.reuters.com/business/media-telecom/us-court-mass...
[3] https://en.wikipedia.org/wiki/PRISM
[4] https://en.wikipedia.org/wiki/Five_Eyes
so, they are basically confirming Android and Apple have their backdoors as no arrests or seizures on that matter have taken place
That was my read on that too.
Does this apply to other Linux Distros?
I don't think they are highly concerned with people installing their own OS on desktop machines, that's still a fringe group. And most of us are using smartphones too. Also there are likely other trivial exploits like CUPS which was preinstalled and enabled by default on desktop linuxes.
> As of 2018 through an initiative sometimes termed "Five Eyes Plus 3", Five Eyes has agreements with France, Germany, and Japan to introduce an information-sharing framework to counter China and Russia.
https://en.wikipedia.org/wiki/Five_Eyes#Five_Eyes_Plus
Yep. That’s the implication, and it’s disturbing. It also implies the US government knows - otherwise why wouldn’t they use their influence to put an end to this?
absolutely yes
that's my understanding as well. absolutely unsurprising btw.
Not really. It's one thing trying to bully a relatively small FOSS project, it's quite something else to take on one of the world's biggest companies that can afford a literal army of lawyers and that also has the power to have the US government intervene on their behalf.
Actually, in some ways, it is easier to bully large companies - because those companies are less flexible in avoiding confrontation with the authorities in a certain state. For Google to avoid having a legal presence in France is much harder than for the GrapheneOS project to do the same.
But - valid point regarding having the US government intervene.
> that also has the power to have the US government intervene on their behalf.
This would seem to be a weakness, if your goal is using American clout to persecute malware manufacturers: https://www.securityweek.com/apple-suddenly-drops-nso-group-...
you’re getting the logic wrong. i’m absolutely sure apple and google have direct cia backdoors. that’s what Snowden taught us and it would be delusional to think the world has changed. The bigger the company = tighter the link with power
The article is kind of interesting: on the one hand, you’ve got a tool that can be used by ordinary citizens and political dissidents for legitimate reasons. On the other, the French police were mildly inconvenienced during their arrest of a small-time drug dealer.
Yes, really, that’s the argument.
It's about protecting kids/olds/fighting crime/drug dealer
`What would you like me to wrap the global surveillance in?'
IYKYK :D
https://pbs.twimg.com/media/Bz2FvX7IEAAZ7F4.jpg
Google Translate link:
https://translate.google.com/translate?tl=en&hl=en&u=https:/...
Additional context:
https://grapheneos.social/deck/@GrapheneOS/11557599710445618... https://grapheneos.social/@GrapheneOS/115583866253016416 https://grapheneos.social/@LaQuadrature@mamot.fr/11558177594... https://grapheneos.social/@GrapheneOS/115589833471347871 https://grapheneos.social/@GrapheneOS/115594002434998739
Summarized translation:
Following the propaganda of the ministry of interior, several articles were published in press about GrapheneOS, which is described as a solution for criminals because it allows to hide things.
La Quadrature du Net [similar to the FSF with regard to defending users' rights] argues that the purpose is of course not cybercrime, but to secure and protect the privacy of its users.
The head of the anticybercrime brigade of Paris threatens of suing the developers of GrapheneOS if connections with organized crime were to be found.
The government has repeatedly tried to extend cyber-surveillance previously. They are trying to use a law designed to fight drug traffickers in order to enforce backdoors in services that use cryptography, such as Signal or WhatsApp, without any success for the moment.
---
So, it's a threat before having a proof. They also mention the arrest of Pavel Durov, who was arrested because Telegram failed to answer legal requests, which was then constructed as complicity with criminals using Telegram, but that's obviously a very different case.
But of course, if they succeed in forcing backdoors, criminals will just use other ways to communicate (doesn't matter if they are legal or not because, well, they are criminals...) or tricks; for instance, back in the day when (analog) phone calls could be wiretapped, they were already using code words. They could use e.g. steganography tomorrow.
But we will be left with backdoors that are an unacceptable compromise on security and privacy. This is a recipe for dystopia considering that far-right parties are getting stronger in Europe, including France.
Too bad Google Translate doesn't have a subscription to Le Parisien.
https://archive.is/wW7N6
Oh! It's about drug trafficking. Then I have nothing to hide. Please root and backdoor my phone. And also give the keys to all the hackers around the world...
I like grapheneOS. Their have a clear focus and that should be respected. However, all that drama about e/OS they are creating and claims about fascist law enforcement are a bit over the top IMHO.
How so?
e/OS is a fucking joke
I think your devices should have government-mandated backdoors if and only if you are a public servant. I don't understand why private citizens are held to higher standards of conduct than politicians and cops.
I've been saying this for years: the more power you have the higher standard you should be held in. In most societies on the planet it's the other way around.
> In most societies on the planet it's the other way around.
Obviously, because the ones with power make the laws.
Everyone agrees with this obviously but it's like saying that we should be able to levitate or live in utopia. It's almost a law of nature that the types that become powerful are not your most savory individuals and will use the power to reinforce their positions.
> It's almost a law of nature
We have tons of different systems for accumulating power all over the world. Corporate structures, democracy vs autocracy, etc. In each of those societies, we see different types of leaders on a sliding scale of savoriness.
My point is that clearly there are some forms of governance which result in more savory people and so you can argue that it's the systems that define the outcomes rather than any "law of nature".
You're talking like society hasn't changed power structures over the years. How things are is not some unchangeable physical law.
It's a law of nature that they will _try_.[0] That's why people should always have ways of defending themselves, whether it's with courts or guns.
[0]: This is not a figure of speech - many anti-social traits which result in NPD, ASPD and their subclinical versions[1] are genetic. There is literal evolutionary pressure to exploit others.
[1]: Meaning the trait is sufficiently pronounced to be harmful to others but not enough to be harmful to the person having it so it's not diagnosed as a disorder.
This is obviously true, but people will downvote it because they don't like it.
I've been saying this too but lately I think the fundamental notion of power is wrong. There's 2 perspectives which are 2 sides of the same coin:
---
All social relationships should be consensual.
This means based on _fully-informed_ consent which can be revoked at any time.
This already marks employment as exploitative because one side of the negotiation has more information and therefore more bargaining power. Not to mention having more money gives them more power in a myriad of other ways (can spend more on vetting you, can spend more on advertising the position than you can on advertising your skills). Just imagine if people actually had more power than corporations - you'd put up an ad listing your skills, companies would contact you with offers and you'd interview them.
Citizenship is also exploitative because you didn't willingly sign a contract exchanging money (taxes) for services (protection, healthcare, roads, ...), in most countries you can't even choose which services you want to pay for. And if you stop paying, they'll send people with guns to attack you. This sounds overdramatic (because it's so normalized) until you realize from first principles that is exactly what it is.
_If democracy is supposed to mean people rule themselves, than politicians should be servants which can be fired at any time._ In fact, in a real democracy, people would vote on important laws directly and only outsource the voting to their servants about laws which don't affect them much, or they'd simply abstain.
---
Power should come from the majority.
This should naturally be true because all real-world power comes from violence and more people can apply more violence (or threaten it, when violence is sufficiently probable to be effective, it usually does not need to be applied, the other side surrenders).
But people who are driven to power have been very good at putting together hierarchical power structures where at each level the power differential is sufficiently small that the lower side does not need to revolt against the upper side. But when you look at the ends, the power differential is huge.
Not just dictators, "presidents" or presidents but "owners" and "executives" too.
You don't truly own something you can't physically defend. When you as a worker finish a product, you literally have it in your hands. You could hand it over to a salesman and you'd both agree on how to split the money from selling it. But instead, you hand it over to the company (by proxy its owner) which sells it and gives you your monthly wage irrespective of how much the product made. The company being free to fire you or stop making the product obviously makes more money then you - it's an exploitative relationship.
But why do you hand it over? Because if you don't, they'll tell the state and it'll send people with guns to attack you.
---
Bottom line is if people had equal bargaining power ("equality"), then if they chose to temporarily give "power" to someone in one area, they'd obviously take away their "power" is some other area. Why? Because they'd know if they didn't, the more powerful person would use this power differential to get even more power, and so on, starting the runaway loop we have here now.
Fuck yeah preach.
If someone claims to be "representing" me (whatever the fuck that means)...
...even more so if they are "representing" me alongside millions of others, i.e. in a very abstract sense (what do a million people have in common? everything and nothing)...
...and especially if the "representation" is concluded in "winning" a ritual bureaucratic gauntlet which gives you the right to send organized murderers after exactly the people whom you fail to "represent"...
...then it sure sounds like we all deserve instant access to a real-time sub-second, molecular-level feed of your entire present existence before it's anywhere near a fair bargain and not a totalizing coercive arrangement.
Granted, this sounds a little unfeasible from a technical or security perspective.
Although if the global media capacity was redirected to doing primarily this, instead of inventing ever fancier narratives to distract people from paying attention to the circumstances of their own lives, it just might be able to handle the full surveillance of a few thousand global volunteers: the real exemplary humans who set the real standards in real dialog with the entirety of sovereign society. Governance by inverse big brother. Sure gonna be cheaper than all the effort that goes into convincing every subsequent generation that "democracy" is what's going on...
Alternatively, that entire exercise can be sidestepped by Dunbar-compliant representation, i.e. let's introduce a pervasive social norm that dictates the following: (1) nobody has the right to represent more than their 100 closest people in the world (2) representation doesn't stack to form multi-tiered institutions - representatives only connect horizontally in a territory-spanning mesh. so if N * 100 people vibe with your idea you'll have to either split your personality N-wise (doesn't go very far with current theories of mind) or give N-1 people the right to their own interpretation of your idea to communicate with 100 others.
[to the tune of https://www.youtube.com/watch?v=Xk4QLlV-WLQ :]
I think they tried that about 100 years ago and it worked well enough for organized metasubversive parasites to core it and wear its husk for the better part of a century. Maybe if it was started less overtly in the first place it would've worked better. But cosplaying German Idealistm to your pet serfs cosplaying worker's council doesn't really leave space for a whole lot of subtlety. If you're interested in the workings of power this is commendable, there is much to learn from just the last 150years (which are relatively well documented). They're such a cause-and-effect pinball; but like and subscribing to any of those ideologies just lets the ghost of the ball drag you along. Kinda sad that they're one of the things the Net died into, no?
Even then the backdoor should be on their government device and not the personal devices.
Note that having their personal device when doing government work should be prohibited (that is you can't have it in your pocket when working). As is using your personal device for anything government (other than a formula check your government device call/text - employees should be regularly tested that they report any government communication that doesn't follow the formula)
I mean, this already isn’t permitted in the US yet somehow I’ve read her emails and his signal chats.
Send those doing that to jail. We already do for lower ranked individuals.
> devices should have government-mandated backdoors if and only if you are a public servant
This would be an intelligence bonanza.
Better: mandatory, encrypted logging. Officials maintain the keys. When they leave office or are subpoenaed, they have the means to grant access. (If they can send and read their messages, they have the keys.)
This is how NARA in the U.S. is supposed to work.
> This would be an intelligence bonanza.
And ideally an illustration to those in power why backdoors are never a good thing. They won't care if it's not happening to them. But if their devices are suddenly incredibly insecure due to their backdoors, they might just rethink the concept entirely.
> if their devices are suddenly incredibly insecure due to their backdoors, they might just rethink the concept entirely
A hypothesis I would have bought until seeing our current White House's opsec.
> This would be an intelligence bonanza.
If you're wanting to do it with all citizens, why not start with public officials? It's no worse than your desired end state
They'll just use a private device or off network server. I don't think we're going to "hack" our way into a just society.
It's even more of an intelligence bonanza when it's done to the private citizens! That's the point of trying to do it!
We do have things like the Freedom of Information Act in the US, and I think a lot of European countries have similar laws. Yes it isn’t perfect and could be enforced more evenly.
But obviously, if you work for the military there is information that needs to be kept secure…
Backdoors exist for everyone or they exist for no one, this technology isn't one that has room for a gray area to debate. If it can be deployed to public servant devices, it can be deployed to your device.
Not according to Chat Control at least where politicians are exempting themselves from State surveillance.
Great way to fight the allegations that EU politicians are corrupt and unaccountable, there
Only if they're using the same devices everyone else uses. If they're required to use a certain kind of hardware, or they're required to submit their device for hardware modification, this stops being an issue, doesn't it?
That is totally not true. They can be forced to install an app on their device that creates the backdoors. Companies do that all the time. An OS doesn't need to have backdoors built into it for backdoors to be added to it. Kinda the point of an OS is that it is general purpose.
> if you are a public servant. I don't understand why private citizens are held to higher standards of conduct than politicians and cops.
Last time I checked, politicians and cops are private citizens...
Wherever you stand on this, I can't understand the justification for this "one rule for thee" position.
Logistically, when you combine private citizenship with government you get corruption problems because incentives are so misaligned.
In fact private citizenship combined with government is the origin of corruption. Think about it, as a government official your incentive should be to preserve order, fairness and honor. As a private citizen your goal is to optimize the amount of money you make via business or employment through whatever means possible. That means exploiting loopholes and possibly when no one is looking, breaking the law.
The incentives are orthoganol and it does make sense to have a different set of rights and rules for government officials and private citizens. The minute you take the attitudes of private business/citizens into the world of government you get people creating rules that are corrupt.
> As a private citizen your goal is to optimize the amount of money you make
Ok.
I'm interested in why you think this is the goal of citizens (but not of government).
To be clear: I don't believe this should be the goal of government. I don't really understand why this should be the goal of citizens. I've emphasised the term "should" here, which is a somewhat odd moral term in general, but if we're applying a "should" to government to differentiate them from private citizens, there needs to be a symmetrical. Optimizing individual wealth is certainly an emergent goal of specific individuals, but I can't think of a reason to broadly apply a moral "should" to this goal. If we're optimising for positive outcomes at a system/global/community level (which is generally the intent of wanting a functional government), then encouraging citizens to hoard wealth has not tended to be (positively) contributory to such outcomes.
This is the definition of capitalism. The system is set up this way. Of course as a human you're not completely embodied by the system and you clearly have beliefs and philosophies different from the "system".
But you cannot deny that you as an individual are HEAVILY influenced by the system can culture you live in. Status is equated to those who have the most money. Regardless of yourself as an individual, in aggregate this is how people behave and a good basic universal model that predicts behavior. But additionally outside of culture, the logistical reality of the society we live in is that money is the basis of survival. All of our morals and philosophies are thrown out the window the minute when we are poor or if we have no money and we do need money to buy food to eat. So money and business is not only a status thing but it forms the basis of survival as well.
This is not about your beliefs or morality. This is about the practical reality. In addition to this, capitalism so far is the the only known effective system to create modern economies of scale. We tried to make things fair, ideal and utopian with communism, but, practically speaking, we haven't seen it work.
I'd argue the incentives of elected government and private citizens are even more misaligned than "private" ones.
Elected government official doesn't own or have perpetual interest. All he can do is plunder as fast as he can in his unowned fiefdom before it passes on to the next guy. Fully private government would have incentive at least to preserve the value of the "Kingdom" if nothing else for his own children and because he sees the Kingdom as his own and destroying it for short term gain would be irrational.
But then you have the tragedy of the commons. As a central dictator, yes you want to preserve your government, and you act in ways that do this because you are the direct owner.
But in a democracy where you are one government official among many many other officials, one small corruption change that benefits yourself individually hardly effects the overall government. It is rational for you to do small damage to the overall government and gain a reward that benefits you disproportionally. It is the MOST logical action.
But then every government official acting rationally in aggregate causes the overall government to become extremely corrupt and that is the tragedy of the commons. Rational action in aggregate becomes irrational. Government needs to be separate from private business.
I guess it's because it's so culturally ingrained that it's hard to separate. The chase for money and business is entirely cultural. Money is paper and it's all fantasy stuff and the reason why we value it is solely because of culture. Government ideally needs to be seperate from this culture and have a more militaristic based honor structure where the incentive is to guard the citizenry. Government needs it's own cultural values. Easier said than done, practically every government official IS a private citizen and they all face the same misaligned incentives.
> politicians and cops are private citizens
You may be confusing the civilian/military distinction with private citizens versus public officials. (A delineation American cops fuck with.)
They're actually public figures and have different standards since they're being paid by the public to represent their interests.
> You cant understand why the people with a monopoly on violence and force have higher scrutiny? -- @retr0rocket
Replying here to this seemingly flagged/dead comment (not sure why it was flagged - a very reasonable question).
I fully support higher scrutiny of public officials & cops, but this frankly isn't that. First & foremost, the problems you're describing are systemic, not individual. Monitoring a cop's phone isn't going to reduce police violence if the system isn't accountable - this is essentially the "bad apple" argument. The entire system needs drastic reform: backdoors won't solve any real problems here.
Secondly, independently of the levels of reform needed, at an individual level we're talking workplace conduct, reporting, protocols & transparency -vs- dystopian privacy invasion. There's a very broad spectrum here long before we reach the need for extremes.
Lastly, you need to look at the systems doing the monitoring of politicians' & cops' phones in this hypothetical scenario: if those systems contain the same systemic corruptions (which they inevitably do), the entire argument for oversight is moot.
You cant understand why the people with a monopoly on violence and force have higher scrutiny?
That is a terrible, terrible idea.
It would make it even easier to hack them, blackmail them, snoop on top secret information. The list goes on.
No, the correct answer is - no backdoors because crypto, because security, because of theft, because of France, or any other government or Uncle Sam.
If they want to protect the children, hunt crime, catch drug dealers, they are going to have to learn criminology.
Isn’t it already the case?
Politicians are routinely ordered to surrender their communication to justice to audit what they do. Missing texts from Von Der Leyen is at the heart of Pfizer-gate after all.
I don’t really know what to think about this to be honest. I don’t think it’s entirely black and white and I find it surprisingly easy to play devil advocate.
Remember that the US government has an insane level of access to private communications via all the post 9/11 laws, how cosy it is with the main tech companies and we know they do a lot of these spying unofficially and with little oversight since Snowden.
Meanwhile, France is struggling with an unprecedented level of organised crime activity with the amount of violent crimes reaching worrying level. We are talking murders involving automatic weapons in broad daylight in the middle of the streets of France second largest city. Two weeks ago, the young brother of a famous anti-drug activist was murdered by a hitman while shopping.
There has been a huge increase in the quantity of cocaine being smuggled from South America triggering intense gang competition for the control of deal points and the mean in place to tackle the issue increasingly look vastly undersized. Limiting the discussion to it being authoritarian measure is refusing to acknowledge the very real challenge police currently face.
The only problem with that train of thought is that you are advocating a lower standard. Backdoors are not a superior option in any circumstance whatsoever.
The standard of conduct we need (and are failing) to hold politicians and cops to is actual security and responsibility. Some of the most powerful politicians in the world are leaking private conversations, and no one is holding them accountable. Police are paying private corporations (notably Flock) to build giant monolithic datasets from stalking private citizens, yet neither party is held to any standard whatsoever.
Why would politicians and cops want to be held (actually) to a higher standard?
Who says they would? The point is the people would vote to have them held to this higher standard. They represent the people's will. They shouldnt get to choose other than their personal vote, the people choose. If they don't agree with what the people choose then they can leave politics.
Sure, and how is that working out right now?
Even if you're a public servant, a backdoor is a big security risk.
exactly!
As much as I want to agree with you, no, backdoors for them mean backdoors for everyone else. It's all or nothing. Now, they should be held to a higher standard, and face stiffer penalty than the regular prole because they should be the example-setters.
Do better policing (and that doesn't include trying to backdoor devices), but backdoors aren't the answer.
I'm torn. I don't want backdoors but I do think police with a warrant from a judge should be able to access your phone.
There's a top tier DEFCON talk by the Lavabit email guy. He explains where the line is for access to phones and other encrypted information. I'll try to summarize -
1 - Law enforcement have actual information about the probable contents of your phone (like an incriminating filename will do). They can reasonably expect to get a warrant and access to your stuff.
2 - They don't know what's there at all, and have no probable indication of the contents, and in this case they cannot expect access because they would just be going fishing.
Having said that - backdoors are bad.
I assume if they were fishing the judge wouldn't sign a warrant.
Then you must provide access to your phone or be held in jail indefinitely / until you comply for violating that court order.
I'm reminded of Mr. Fart's Favorite Colors here - is it even possible to provide warranted exception, protected from abuse?
True freedom, of any kind, requires freedom to say things and think things in private. I sometimes think horrible things and even discuss them with my friends. I need that space to work out issues. Without a truly safe space I would eventually go mad as I suspect many people would. The other part of this is that a basic requirement of freedom is trust with accountability. It means we allow things that may be harmful but if things go bad we hold those responsible accountable after the fact. It also means we may not catch all the bad guys and that is OK because the alternative is that everyone turns into a bad guy when we prevent people from doing things in case they will be bad. There is a balance here but the position that a govt will always have access to all private individual (acting in a private capacity) communications is not anywhere near a reasonable balance.
If the small guys are getting threats like this, one can only assume the big guys already have suitable backdoors...
Perhaps, or perhaps they started with companies that are smaller and easier to intimidate.
Larger companies are easier to influence than small ones, no intimidation is necessary.
Protecting user privacy delivers close to 0 shareholder value, being friendly with nations wins you billions of dollars in contracts, regulatory protection, and friendly courts, it's a win-win for big companies and surveillance states to be friendly with each other.
Larger companies have more to lose if people lost faith in their platform and devices.
Monopolies are easy to influence as they don't even have to care about the optics.
I don't think so; (but at the end of the day, you can never be 100% sure unless it's 100% OSS)
But with that being said both Apple and Google store a lot of data about you, and they are willing to "cooperate" with the government, and they did hand over data in various of cases Apple included [1]. For some reason, people think of as the "privacy company".
btw, big tech also get harassed for similar requests: The UK, for example, is still pressuring Apple to build an encryption backdoor [2].
[1] https://www.apple.com/legal/transparency/ [2] https://www.eff.org/deeplinks/2025/10/uk-still-trying-backdo...
I can understand you thinking that and there's probably some truth to it but do I consider Android and iOS compromised with government backdoors? No. What do I base this on? The lucrative black market for Android/iOS 0days.
And who's buying them? Generally, state actors, directly or indirectly. There is an entire ecosystem of Israeli "security" companies that exist to farm out these exploits. This is a big part of why Israel is such a key component of the American national security infrastructure. Israel is largely beyond the jurisdiction of American courts and any kind of direct scrutiny by the government.
It's a bit like how the US isn't (technically) allowed to spy on US citizens. How do they get around this? By farming out such activities to allied intelligence services, particularly Five Eyes members.
This entire ecosystem and marketplace just wouldn't exist if Android or iOS were fully backdoored.
I see your point, but this could also mean that the backdoors are there, just only a few organisations know it (let's say US army) and then they get found and found again
Some advocacy groups are denouncing the collusion and lobbying taking place between industrials, governments, and the media.
https://eu.boell.org/en/2024/04/25/press-freedom-france
https://ipi.media/france-media-freedom-threats-capture/
The gloves are really off against the best interests of the public now aren't they?
In a sense, trajectory has not really changed, but, admittedly, the pace of change has accellerated tremendously. UK and now France.
The linked article from Le Parisien (a big French billionaire-owned newspaper) is quite nuanced.
It gives the police's view on narco-trafic crime, but also Graphene's take :
"Criminals and traffickers also use knives." This organization, which is not a company but a foundation, emphasizes that its solution is used by ordinary people who dislike how apps and operating systems handle their data. It adds that if criminals use Google Pixel phones and GrapheneOS, it’s because these solutions work well. But that doesn’t make them accomplices, they assure. "Criminals and traffickers also use knives, fast cars, and cash—things that are also widely used by honest citizens," its representatives note.
And GrapheneOS adds that it protects users from hackers and intrusions by the secret services of totalitarian states. "We consider privacy a human right, and we are concerned about projects like Chat Control (a European bill aimed at detecting child sexual abuse material in messaging services, but which has faced significant criticism) that the French government supports. The invasion of privacy enabled by such legislation would have alarming implications under an authoritarian-leaning government," it argues.
I didn't read it[0] as being particularly nuanced. I thought it was a fact-loose, extremist hitpiece against FOSS, containing howlers such as
> "Particularité de GraphèneOS : on peut se le procurer autant sur le darknet que sur des sites grand public." ⇒ "A distinctive feature of GrapheneOS is that it can be obtained both on the darknet and on mainstream websites."
Quoting "both sides" (so to speak) doesn't automatically create a thoughtful dialog.
[0] https://archive.is/20251119082524/https://www.leparisien.fr/... (tr. "Google Pixel and GrapheneOS: drug traffickers' secret weapon for protecting their data from the police")
Ah, so it's kind of like saying "A distinctive feature of Renault vehicles is that they can be purchased both with cash or through regular financing."
I'm unsure whether it's appropriate to trust Le Parisien's equivalencies.
Q: Do they have a track-record of intellectual honesty?
Equivalencies are powerful, and dangerous if mis-handled.
E.g. this is worrying [from the article]: "A unique feature of GrapheneOS is that it can be obtained both on the dark web and on mainstream websites." Le Parisien is calling out GrapheneOS's availability on the "Dark Web" as significant, in the context of "Drug Trafficker's Secret Weapon". Banned books can also be acquired on the Dark Web, and banned books are not illegal, yet, in mainstream democracies. So Le Parisien's equivalency, here, is misleading.
> and banned books are not illegal, yet,
now now comrade, if the book is banned, how is it that you are in possession of it? you're clearly breaking the rules. I do believe it is time for you to start counting trees
<3 I do see this style of speech, which you're obviously playing with here, more and more coming from my US government. "What do you have to hide" kind of stuff. (From my individual perspective.)
It is disconcerting, as it's unclear whether the rule-of-law still stands, given the anti-Constitutionality of the current US Administration -- especially around due-process.
The trend of Democratic Decline seems provably real, along with a rise in Authoritarianism.
"Criminals and traffickers also use knives."
London already did this
Not really? You can buy knives in London, and any laws regulating knife purchases are UK-wide, nothing to do with London specifically.
I think the post you’re replying to is alluding to the fact that London has a knife problem, despite carrying knives being illegal there. Meanwhile a number of places don’t have that problem, even though it’s legal there.
BTW As an outsider, this “knife” euphemism caught me off guard a while ago. When you read about these stories from London, it’s usually about machetes. It’s one of a number of euphemisms Brits use around the topic, making everything around the topic sound pretty mild if you’re not from there. Then you learn one more euphemism and think “oh wait, that guy/gal back then was talking about this? wtf?”
It’s not in general illegal to carry knives in London (or again, in the rest of the country, which has the same laws). Small knives are permitted generally and larger knives may be carried for specific reasons (e.g. religious). To say that it’s illegal to carry a knife in the UK is roughly as misleading as saying that it’s illegal to carry guns in Texas. In both cases there are applicable laws, but there is no blanket ban.
London has a knife crime problem in the important sense that any number of people being stabbed is a problem. However, it’s worth bearing in mind that cities like NYC have a slightly higher rate of fatal stabbings per capita. (Non-fatal robberies and assaults are tricky to compare across countries because of different data collection methodologies and different classifications.) Of course it would be good for fewer people to get stabbed, and knife crime is a serious problem for some specific communities, but the city as a whole is not experiencing the kind of knife crime epidemic that you might imagine if you get your news from alt right TikTok accounts.
Nah, you're right. They title it "knife ban" but they list specific "knifes" that you can't carry, such as a sword (lmao at it being considered a knife)
I used to own many butterfly knifes in Middle School. Feels weird that you could be arrested for that in London
Who are 'they'? There is no official thing called a 'knife ban', and again, there are no laws about knives specific to London. There aren't really any laws about anything that are specific to London, as there is no corresponding legislative body.
Swords aren't considered knives, they are considered (correctly) to be bladed, and thus to fall under the scope of various bits of legislation, like this: https://www.legislation.gov.uk/ukpga/2019/17/section/41
How could you be so naive?
This article is as absurdly biased as it could be! Of course they provided a quoted response from GrapheneOS devs: that's the only appeal to credibility they have.
A truly responsible journalist would explain to their audience what is actually at stake, not simply spout every available position as if it were equivalent.
> Le Parisien (a big French billionaire-owned newspaper) They're all billionaire owned. As an example, left wing newspaper Liberation has Kretinsky among the owners
One thing though is - knives, fast cars and cash aren't built with deliberate motivation of thwarting the law enforcement and criminal investigations.
GrapheneOS and its systems are - you can walk through history and see that they're deliberately working on systems that defeat law enforcements efforts of collecting data from seized devices and tracking criminal networks.
This is a massive difference - even for knives and cars, you'd get into some hot water (or outright illegal behaviour) if you build them with express purpose to make them hard to find and track by law enforcement. Try making a company that focuses on cars that hide its license plates from the police and you'll see how far that will go.
This is one thing that GrapheneOS, Signal and others will need to at some point reckon with - the fact that they deliberately work at making law enforcements work harder and provide effective cover for criminals will get them into hot water. And I don't think population will stand at their side when they find that they've been helping CSAM traffickers hide their loot.
Having all that anti-governmental rhethoric won't end well for longerm survivability of these projects - which sucks for all of us.
Graphene shouldn't have to reckon with the abuse of government, we should step in and speak up for them. If having a secure device becomes criminal, only the criminals will have secure devices.
Law enforcement is being lazy by trying to rely on mass surveillance rather than espionage tactics to catch criminals. Criminals learned long ago how to work around surveillance, so this doesn't really work on them. But it does subject the public citizen to undue scrutiny and violation of privacy, which history has shown is then used against the innocent. We don't need any more reminders of how popular authoritarianism has become. And it's often used to pin a crime on an innocent person (a common police controversy), or intimidate and harass them (see FBI).
> I don't think population will stand at their side when they find that they've been helping CSAM traffickers hide their loot.
This is just one of many examples of a false rhetoric used by politicians to manipulate the public into cow-towing to mass surveillance. We cannot stand for this and must fight it at every turn. "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."
Beware, though, the key words in that quote are not "liberty" and "safety" but rather "temporary" and "essential". You can replace "liberty" and "safety" with any other nouns (including "safety" and "liberty") and it's still true.
Which is not to excuse the fascist actions of the French government. I just don't like that quote.
To hell with the governments and law enforcement, privacy is a right and is not a weapon.
This is a very counter-productive distortion of privacy, and borders on a lie about Graphene.
Something designed to be private doesn't know the difference between a law enforcement officer trying to break into it and a criminal trying to break into it.
There is no special "anti-cop only code" that gets executed, any more than there are special "cop tools" that exist on some physical plane where criminals don't.
Genuinely curious: what did you see in GrapheneOS history that indicates that the OS is specifically designed to defeat law enforcement (as opposed to their stated goals of defeating ad surveillance and stalkerware)?
I think your point is that there is evidence that the intention of some or all of the developers and/or the organization as a whole is to make law enforcement more difficult. You go on to argue that this intention fundamentally alters how society, or at least law enforcement arms of government, should view this technology. Specifically, I take your argument to be that law enforcement should or will treat them as accomplices to some degree of the crimes they enable.
There is no way to have a completely secure operating system, safe from hackers and spy organizations and thieves, that is also accessible at the whim of law enforcement. Period.
If we can't trust hosted services to protect our data, and we can't trust our own computers to preserve our data, the right to privacy simply doesn't exist.
So which knife makers are serializing their kitchen knives so they can be traced back in case of a crime? How many knives come with a GPS tracking its position? Well too expensive, what about an Airtag. No? By your roundabout logic this qualifies as “deliberately working on systems that defeat law enforcements efforts”. It’s an absurd argument.
To actually do any crime with GrapheneOS you would also need at least a VPN and basic understanding of operational security. Just as you would need a lot more than just a knife and car to be a successful criminal.
A Pixel phone with GrapheneOS is not some magic device that let's you do crime without immunity, but that’s the story they want to sell you.
Are you livestreaming your face on Twitch right now? If not, why are you deliberately making it harder for police to catch criminals? It would be so much easier for police to catch criminals if everyone livestreamed on Twitch 24/7, it should be a crime not to do that.
Is it a coincidence that this comes out on the same day that the Chat Control proposal got a green light from the EU member states?
I think EncroChat scared them pas-de-merde, and this may be an overreaction by untutored civil servants.
In the end, wasn't EncroChat a larger problem for the criminals than the governments?
Once it became a big enough target it got taken down, and then quietly run by the police who collected everybody's messages for months before triggering a huge round of arrests, including quite a bit of major organized crime across Europe. The dangers of centralization. They'd love another EncroChat!
Doesn't apply so much to GrapheneOS of course since they're not in the messaging platform market, but it's definitely a cautionary tale.
[dead]
I watched a fascinating documentary about EncroChat (https://www.channel4.com/programmes/operation-dark-phone-mur...). It was obvious the police absolutely loved having this real time feed into criminal communications, and thought "let's have more of that please". They don't realise the consequences are that criminals won't use such forms of communication once they know they're backdoored.
Of course they realise it, and they know it's irrelevant, because their job is to catch actual dissidents today, not hypothetical future dissidents.
> scared them pas-de-merde
Huh?
French for "shitless"
I think it may be a tongue in cheek semi-literal translation from English, I’ve not come across this as idiomatic French before.
No it's not
"without shit" translated...
"Scared them shitless" in faux franglais.
Probably something like this would be close to the same colloquial meaning (I'm not familiar with any pants-shitting slang in French): EncroChat leur a foutu les jetons de ouf.
(closer to "scared the hell out of them")
Ils en ont ch... dans leur culotte.
Any actual source for the claim?
Americans do not understand the fact that their own government rates the top four intelligence threats as French, Israeli, Chinese, and Russian.
Where do you get that ‘fact’? Can you elaborate?
According to all the Annual Threat Assessment reports from the office of the Director of National Intelligence[1], the top four threats are
1. China
2. Russia
3. Iran
4. North Korea
[1]: https://www.intelligence.gov/annual-threat-assessment
The url is just redirecting to https://goingdark.social/@watchfulcitizen/115605398411708768
Maybe consider replacing the redirecting url to the destination url? Not very good not being able to see the actual url linked imo.
Given the fact that most protests are organized on facebook groups, how does one keep him/herself aware of eventual protests to come without Facebook/instagram? I d gladly join for a cause i support
Into jail with those officials. Clear violation of their constitution
It is France. The state is them.
Edit: I wonder why this is downvoted. The bureaucratic class holds enormous power in France, and has constantly acted against digital rights and privacy with impunity. The only institution that can somewhat restrain them is ECHR.
Well, other states are not much better. UK, Australia, USA come to my mind. But this is excessive
We indeed seem to be in a race towards the bottom in this regard, but France was always a "forerunner".
Already 15 years ago it was illegal to use Wi-Fi outside buildings in France. I still remember the old Nokias plastered with those warnings.
And I remember the longstanding argument why women should not be allowed to vote in France, because that's what brought Hitler to power. They were the third last European country to do so, only Greece and Switzerland were more backwards.
Just to be clear about what is really happening right now;
There were three articles from newspapers (Le Figaro, Le Parisien) known for their rightist, pro-cops, opinions, and owned by billionaires (LVMH/Arnault, Dassault). In those articles, GrapheneOS is associated with bad actors purpotedly using it as a way to obfuscate their activities.
A comment was made by Johanna Brousse, Chief of French Cybercrime Unit, stating she would not refrain from pursuing the publishers if links were found with a criminal organization and they refused to cooperate with the justice system.
Another claim from a police investigator equates GrapheneOS usage to illegal activity.
Russia is as European as France and certainly more European than the US or Canada. Most of Europe's problems stem from trying to keep Russia out and Germany down.
The latter has worked well because Germany is, to this day, occupied by the US & the UK. But the former has never worked out and is now bankrupting the EU!
As a response to this situation, consider supporting GrapheneOS financially:
https://grapheneos.org/donate
the submitted URL makes HN show grapheneos.social as the domain. the actual URL is https://goingdark.social/@watchfulcitizen/115605398411708768
Should I worry about E/OS too?
(It'd be funny if French software was illegal to use in the EU for GDPR violations. )
Gotta love the Streisand effect that happens due to stuff like this!
This is a better link from a French privacy non-profit but I can't change it now: https://mamot.fr/@LaQuadrature/115581775965025042
@dang or other mods, could you change it?
Google Translated text:
> Two articles in Le Parisien yesterday, followed today by one in Le Figaro, have launched a shameful attack against GrapheneOS, a free and accessible open-source operating system for phones. At La Quadrature du Net, it's one of the tools we favor and regularly recommend for protecting against advertising tracking and spyware.
> Echoing the propaganda of the Ministry of the Interior, newspapers describe GrapheneOS as a "crime-related phone solution," and a police officer adds that its use is suspicious in itself because it indicates an "intention to conceal." By portraying GrapheneOS as a technology linked to drug trafficking, this attack aims to criminalize what is actually a secure privacy-preserving tool.
> In these articles, the head of the cybercrime section of the Paris prosecutor's office – who was behind the arrest of Pavel Durov – also threatens the developers of GrapheneOS. In an interview, she warns that she will "not hesitate to prosecute the publishers if links are discovered with a criminal organization and they do not cooperate with the justice system." https://archive.is/20251119110251/https://www.leparisien.fr/...
> The government regularly tries to link privacy technologies, particularly encryption, to criminal behavior in order to undermine them and justify surveillance policies. This was the case in the so-called "December 8th" case, where a police narrative was constructed around the (secure) digital practices of the accused to portray a "clandestine" and "conspiratorial" group. https://www.laquadrature.net/2023/06/05/affaire-du-8-decembr...
> Now, drug trafficking is being used to attack these technologies and justify the surveillance of communications. The so-called "Drug Trafficking" law was thus used as a pretext to try to legalize "backdoors" in encrypted applications like Signal or WhatsApp, without success. https://www.laquadrature.net/2025/03/18/le-gouvernement-pret...
> An article in Le Monde diplomatique from November extensively examines the history of the political exploitation of drug trafficking to justify security and surveillance policies. The police attack on GrapheneOS fits perfectly within this pattern. https://www.monde-diplomatique.fr/2025/11/BONELLI/68915
> In its response published yesterday, GrapheneOS points to the authoritarian tendencies of the French government, one of the most fervent supporters of the "ChatControl" regulation under discussion at the European level, one of whose goals is to put an end to end-to-end encryption. https://grapheneos.social/@GrapheneOS/115575997104456188
Additional context:
https://grapheneos.social/deck/@GrapheneOS/11557599710445618...
https://grapheneos.social/@GrapheneOS/115583866253016416
https://grapheneos.social/@LaQuadrature@mamot.fr/11558177594...
https://grapheneos.social/@GrapheneOS/115589833471347871
https://grapheneos.social/@GrapheneOS/115594002434998739
Ok, we've changed to that from https://grapheneos.social/@watchfulcitizen@goingdark.social/... above.
More graphic content needed to get folks to click through: This is excerpted from the result of G-translating the Parisien link:
"This 27-year-old alleged trafficker is suspected of having run this drug telephone platform which, between 2023 and 2024 in Paris, collected a turnover of two million euros and is said to have caused three overdose deaths during chemsex parties."
I think you meant https://mamot.fr/@LaQuadrature/115581775965025042 instead of a link to "Le Parisien", which is not a non profit, but a newspaper owned by LVMH/Bernard Arnault, and known for having rightist opinions.
Oops, that's correct, ty
No problems :) The full "Le parisien" article is available here FWIW:
https://archive.ph/20251124161701/https://www.leparisien.fr/...
Has anyone noticed the whole of the Western World has gone tyrannical paranoid police state?
Link warns I'm leaving grapheneos.social and then when you click the redirect tried to download some .bin file, wtf?
The French goverment will be sued into oblivion for breaking licenses bound to Copyright.
[dupe] https://news.ycombinator.com/item?id=45999024
It’s a much better link this time though.
Same referenced link as earlier. Same discussion.
Everything about the exercise of power in the digital world is tilted away from the individual.
Windows 11 moved all my files into the cloud without even asking me! I was livid--those are documents that I deliberately DID NOT WANT in the cloud! It's crazy what malice we have to put up with and navigate these days. It just keeps getting worse and more convoluted, too.
There were many decades where phones didn't have back doors. Now, it's the opposite case in the most dystopian way. It's concerning that all phones are required to have back doors for law enforcement and the enforcement is severe. I know several people who have a corrupt "cop they know" that they can regularly contact for favors. Why is it so out of the ordinary to distrust law enforcement when they have these tools?
> There were many decades where phones didn't have back doors.
Your cell phone provider almost certainly will respond to a valid warrant and wire tap your non e2e encrypted phone call.
I'd be very surprised if the most common mode of remote communication in any time period was not subject to government interception in some format within a short time of becoming such. That includes physical mail, telegrams, landlines, cell phone calls, txt messages, emails, etc.
Referring to "how things used to be" is not in fact helping the case for privacy.
I don't think people are arguing against complying with valid warrants. They object to blanket surveillance being done with tools available to any law officer that can be used at any time, warrant or not.
You cannot have true e2e encryption on a secure device and comply with a wiretap warrant without a backdoor of some kind somewhere.
Private companies are being used to hoover up massive amounts of data and circumvent legal protections such as warrants.
Of course they will respond to warrants, they have to, and nowadays they have the infrastructure to forward all traffic to law emforcement's servers in real-time.
> and nowadays they have the infrastructure to forward all traffic to law enforcement's servers in real-time.
The goal should be, designing your infrastructure in such a way they simply cannot forward this traffic to law enforcement.
We're discussing this in regards to an article where the obvious "solution" was found by the government to this very approach. You're free to build it that way and we're free to put you all in jail afterwards as a result. Rubber hose decryption at its finest.
Phone operators are heavily regulated and licensed, and this is a legal requirement and a requirement of their licence. Complying with lawful warrants is also obviously a legal obligatuon.
Which is evidently illegal in France.
>There were many decades where phones didn't have back doors.
Yeah back then we just listened to the phone calls with scanners.
Before internet on phone, every communication was in plain text, so no need to have a backdoor in phone if you can tap directly into AT&T or Vodafone.
Do you remember the scene in Goodfellas where the neighborhood's head mobster would only communicate in person with his people?
>narcotrafiquants >police
yeah France doing France things. Like back when they forced Windows to store passwords in plaintext, with encryption outlawed. Sigh.
Dear French: criminals would just use fake spam emails or bullshit trolling posts under fake Usenet groups in the clear. No encryption needed, and yet your would earn nothing by backdooring them
At the end of the day, these attacks on privacy are always in reality for keeping incompetent politicians and bureaucrat's safe from meritocracy.
Built into the onslaught of demands of backdoors are two key ideas: A) That the backdoors will only be exploitable by the authorities and that B) they're even necessary to carry out their work in stopping trafficing.
I think most people know by now the first idea is preposterous. The second idea is too. The EU should focus on better police tools and tactics that detect and track the actual movement of goods.
"I think most people know by now..."
Sadly, I don't think that that's true. I've been shocked by the lack of understanding there in groups of technical people who should know better. It's even worse in groups of non technical people. I'm afraid this is an ongoing battle, and every time ideas like this come up from government it's going to be an effort to inform the public.
All politicians and bureaucrats demanding backdoors should go straight into prison -- for endangering national security.
> The EU should focus on better police tools and tactics that detect and track the actual movement of goods.
This is a point that doesn't get raised very often: the actual crimes occur in "meat space", not electronically on a device. Haven't police and intelligence been solving crimes like that since 'the beginning'?
The coordination of a crime may be done electronically 'on device', but the actual crime occurs somewhere physical, generally with physical objects and the presence of the criminals themselves.
Why is it suddenly so much more difficult for law enforcement to do their jobs that the privacy of every member of the public needs to be able to be invaded?
Are police forces under-resourced to take on the "how it's always been" approach to fighting crime? Are law enforcement being subject to inapplicable software engineering rules of efficiency to save money? (Ie. Too much focus on the metrics, not the outcomes).
Don't police have great physical surveillance tools? Yes, it may cost more in having to physically surveil targets, but that seems (to me, and this is where the rift lies) that's a good compromise opposed to surveiling the entire populace.
Anyone can say anything in a piece of correspondence that they think is private. If it's made public it completely changes the context. A joke between friends, criminals or not, can look like conspiracy to X, Y, or Z. Research for a crime novel could appear like preparation for a Louvre heist. And even if it is, it's not a crime until it occurs, until that point it's not 'real', the thing suspected of being planned hasn't actually taken place until it takes place. Are we implementing pre-crime without the three psychics?
And one thing I know for sure is that law enforcement do not understand context. They're bred to find guilt, not innocence, and having a larger haystack they'll find plenty of hay they think look like needles. Gotta hit those metrics.
There's plenty of nuance missing from what I've written here, but I fairly strongly feel it's leaning towards reality rather than liberal fantasy.
[dead]
[dead]
[flagged]
[flagged]
For contrast, you can imagine how this debate between a private OS developer and the government would go in a non-democratic country. Or, you don't even have to imagine, because examples are not hard to find.
> debate
> non-democratic country
My guess is there will be no debate... That said, we must acknowledge even having this debate is a positive step.
A threat is not a debate.
But really, the point GP was trying to make (IMO) is that all western democracies are very obviously sliding towards authoritarianism. They are building tools which, even _if_ they don't abuse them now, will be available to any future government and with time, the probability of one of them being non-democratic is 1.
[flagged]
I understand they are similar, but I think this post adds new information to the situation. Regardless, appreciate your help moderating the site.
[flagged]
[flagged]
[flagged]
Statements like these show how little you truly know about North Korea.
That's the point, I don't want to find out.
I believe this is the OS recommended to journalists that report on Palestine because freedom of speech doesn't apply without aggressive assertion of your rights.
https://grapheneos.social/@GrapheneOS/115589833471347871
> The FBI ran a sting operation in Europe where they created their own 'secure' phone and messaging platform. Their OS used portions of our code and was heavily marketed as being GrapheneOS or based on GrapheneOS.
So how do we know GrapheneOS itself isn't a honeypot? It's run by a mystery org and heavily marketed as being a secure platform.
https://en.wikipedia.org/wiki/Crypto_AG was a CIA front for 50 years.
The honeypot run by the FBI was closed source and that's why they could do it. while this is open source, which would make it much harder.
They even have reproduceable builds so you can validate the source matches the distributed binaries. After that it's trusting in the OSS process to have caught any attempted backdoors which is more down to your individual evaluations.
https://grapheneos.org/build#reproducible-builds
For more on this subject, here's a book that documents it: https://www.amazon.com/Dark-Wire-Incredible-Largest-Operatio....
Would be an interesting experiment actually: how long would it take for the community at large to discover a backdoor in graphene OS if added sneakily by generally trusted Devs, ie the org that maintains it.
Or, phrased differently, how much independent auditing is graphene OS subjected to?
Wouldn't be hard to hide a backdoor in a multi million line codebase ...
Unless you think the same backdoor is hiding in AOSP, you can just check the diff and some extra lines for context.
People in this thread are very explicitly claiming that Android and iOS are backdoored, yes.
> how do we know GrapheneOS itself isn't a honeypot? It's run by a mystery org
No, it's run by a non-profit foundation whose records are public, along with their board of directors who are real people with a paper trail.
It's not some LLC shell company with a fictitious agent listed.
https://ised-isde.canada.ca/cc/lgcy/fdrlCrpDtls.html?p=0&cor...
It's disappointing to see such blatant misinformation on HN. There has been a wave of these low quality trolls and it's increasing everyday
I'm not a troll. Everyone thinks we should trust GrapheneOS...why? Because they're loud and aggressive?
They claim they are audited... by whom? When? Where are the results?
https://grapheneos.org/faq#audit
https://discuss.grapheneos.org/d/5527-who-has-audited-graphe...
> We've built relationships with security researchers and organizations interested in GrapheneOS or using it which results in a lot of this kind of collaboration.
This is not something that's actually happening.
Right?? The daily display of uncritical thinking is at least slightly amusing, though.
Yet.
When ChatControl will be in place, it'll only be a matter of time
The claim in the title of the post is not substantiated in any way.
The correct headline here would be ”GrapheneOS worried about France after negative press”
France has threatened us with the same actions they took against SkyECC and Encrochat if we do not cooperate by providing law enforcement access into devices. This was published via Le Parisien in one of their articles and through French state media. They're absolutely threatening us that way.
Can you link these publication containing threats here?
Might be under a gag order
Under gag order, but openly posting about the threats?
It is in third post in the thread: https://mamot.fr/@LaQuadrature/115581775986937247
> Interviewed, she warns that she will “not stop pursuing publishers if links are discovered with a criminal organization and they [GrapheneOS] do not cooperate with justice.”
France has threatened us with the same actions they took against SkyECC and Encrochat if we do not cooperate by providing law enforcement access into devices. The actions they took against those were mass arrests and seizure of servers. We don't have cloud infrastructure for builds/signing but regardless we don't want the French state taking over our website, etc. so we're leaving France and OVH.
This is not proven state action - this is hearsay. Maybe the GrapheneOS project should wait for the first warrant to arrive or police raid to happen before claiming what they currently do.
With the current evidence, its not ruled out that the french state is not doing anything at all.
Are you serious? A storm is heading towards you and you wanna just keep watching it until it hits you? Absolute bafoon
shouting that the situation is bad is not evidence, either.
Did "links" mean "a criminal organization is involved in the project" or "a criminal organization is using the technology"?
It's not clear what they mean by that in the threats they've made in multiple places but it's clearly a threat, and they're already lying about us. Therefore, we're leaving France including leaving OVH and not hiring people in France without them relocating first. Our most sensitive infrastructure is local but we don't want a state taking over our website and network services. We don't trust France and OVH to respect rule of law and human rights at this point. It's not a safe country for open source privacy projects and French companies cannot be trusted to even host a static website without hijacking it for French law enforcement.
French law enforcement is conflating companies making products with GrapheneOS code with GrapheneOS itself. They're presenting it as if those companies are working with us and that we're responsible for their actions selling devices using our code. Most of those are using forks of GrapheneOS with features we don't have which are repeatedly incorrectly referred to as being GrapheneOS features. GrapheneOS users can read the many articles and see many references to non-existent features. They similarly refer to non-existent distribution methods and marketing which are actually about these products they're conflating with us. Since they're conflating products and actions by other people with ours, that makes their threats very concerning.
GrapheneOS doesn't even currently bundle an end-to-end encrypted messaging app as we don't have our own and leave choosing third party apps up to users. We plan to make an RCS app with MLS to replace people using Google Messages via sandboxed Google Play but that's no different than what Apple and Google are working towards providing earlier. Even if Chat Control was already the law, we don't have Signal or a similar app bundled with the OS and don't currently distribute a hardened build via our App Store despite plans for it. We do distribute the sandboxed Play Store and Accrescent via our App Store which have end-to-end encrypted messaging apps available...
I wonder if say some drug cartel was found to be donating money to graphene?
... And what if a competing mobile OS (say iOS or android) received payments or donations from said organization :-)
Probably the former. SkyECC, Encrochat, etc, were found to be deliberately sold to nontechnical drug lords for large amounts of money - as in, the project leads went out searching for drug lords and selling phones to them individually and offered to sell them 100 phones for $200 per month per phone. Drug empires have that sort of money. And they didn't sell to anyone else since nobody else has that sort of money.
It seems unlikely that GrapheneOS is the same way, since it's free, but you never know - maybe it is made for drug lords, and giving it away to the rest of us is just for plausible deniability.