Is it safe to assume, then, that Google and Apple already have backdoors in their operating systems as likely requested by many governments around the world (not least of which the one from their home country)?
Or is GrapheneOS the only one built securely enough to need to be leaned upon?
Either way, makes Google and Apple look bad and/or incompetent and GrapheneOS look like some kind of beacon of user protection / privacy rights / other things that are the opposite of the direction the world seems to be moving.
Every time I travel internationally I immediately get notifications for Android OS updates. I'm pretty sure they are for satisfying local regulations about the phone's behavior, including the topic at hand.
Interesting. I have never seen anything like that in many years of frequent travelling while using Android. Which countries did you see this in? And are you using stock Android or some vendor's version?
Stock android. Traveling between US, Europe, LATAM and China.
I am not saying there are no backdoors, but this never happened to me.
And I am an Android user since the first G1 phone.
I'm currently abroad with a notification for "November Pixel Drop update available" that appeared the day following my arrival. I believe I had already installed the November update back home earlier in the month. Every time I go back home, a couple of days later I get an update too.
I'm not claiming to know of any foul play, but it has happened several times, enough for me to notice. If it was related to time of the month, it wouldn't be as consistent. It might be that you need specific combination of phone, configuration and network provider for this to happen. Maybe I've been p0wnd, but I've noticed this behavior since at least the Nexus line.
Anecdotal. Why wouldn't they deliver these via Play Services update? It's easy to dismiss an OS upgrade, background updates can't be really blocked.
This has never happened on my iPhone
Apple charges a storage tax so why not ship all that data by default
Every other OEM charges a "storage tax" too?
They are just done in the background?
Apple has already taken the US government to court and forced them to back down after the FBI demanded that they insert a backdoor into iOS.
> In 2015 and 2016, Apple Inc. received and objected to or challenged at least 11 orders issued by United States district courts under the All Writs Act of 1789.
https://en.wikipedia.org/wiki/Apple%E2%80%93FBI_encryption_d...
This year, Apple took the UK to court and announced that they would strip encryption features from UK users before they would give in to UK demands for an encryption back door before the UK backed down.
If Graphene has the money to do so, they should fight it out in the courts.
There's a reason why they haven't had issues since then, not even with Trump.
And it's not because they're hiding your data. See their disclosure report for data requests.
> Is it safe to assume, then, that Google and Apple already have backdoors in their operating systems as likely requested by many governments around the world
I don't know whether it is safe to assume. But if they are complying with Australian law, specifically the Assistance and Access Bill (2018) [0], then they must write an undetectable backdoor for the Australia government if asked (that's the assistance the bill's name refers to), and push it any phone the government demands (that's the access bit).
The only way to avoid this as far as I can tell is to run a free open source distribution. Unlike the paid systems such Windows and iPhone, the free distributions do not have the "billing relationship" their customers the proprietary companies are so fond of. It's that billing relationship that allows them to target only the devices owned by a specific individual.
The Australian's must do that targeting because that law demands they don't introduce a systemic weakness into every phone. Any sort of backdoor is considered a systemic weakness. I dunno what laws other countries operate under, or how well they follow the laws they do have, but I'd be surprised if Australia wasn't following its own laws. That means if your device runs a true open source distro that doesn't track it's users, in Australia its truly your device.
[0] https://www.homeaffairs.gov.au/about-us/our-portfolios/natio...
Viva FOSS!
Or that GrapheneOS is small enough to bully.
The EU doesn't seem to shy about forcing Apple or Google to do things, so I don't think it's a size thing.
France isn’t the EU though.
True, but from what I understand France and Germany quite often get their way in the EU.
> Or is GrapheneOS the only one built securely enough to need to be leaned upon?
Probably has something to do with it, but GrapheneOS doesn't have the money or resources that Google/Apple/etc has to lobby/bribe/delay/obfuscate/navigate/drawout/etc such attempts.
It likely not due to any backdoors present, more so due to weak default setting plus alternate routes to the data. Things like backups being unencrypted either by default or when uploaded to the cloud. you don't need to ask for a backdoor if most users don't have encryption enabled.
Of course the likes of Apple and Google are complying with lawful orders from the governments of countries they do business in.
Businesses that don't generally cease operating in said country. LavaBit was a highly visible instance of a business shuttering itself instead of complying with such lawful orders.
That's also the ploy of basically every VPN provider out there. They say they don't store or give out data, but they still adhere to lawful requests. That necessarily includes requests from countries where they legally offer their service, even if their HQ is in some country with lax legal frameworks. It also means, if there is a legal way to coerce them into recording your data or handing it over, they will do so.
https://www.pcmag.com/news/nordvpn-actually-we-do-comply-wit...
They also mentioned they only respond to court orders (ie. not just because the cops asked nicely), will try to appeal as well. That's better than most ISPs, who would either give up data without a court order, or won't bother appealing.
The problem is that there may be perfectly legal gag orders (issued by a court) that force them to comply to normal police requests - and you would never even know. NordVPN in particular removed their warrant canary without informing their users and only gave some retroactive PR answer when people rightly started to freak out.
The simple truth is that if a VPN provider hasn't been shut down by authorities after more than a year (like VPNLabs was), then they are basically guaranteed to be giving out your data to authorities at this point. The legal situation in most western countries does not allow complete online privacy for normal, law-abiding citizens.
>The problem is that there may be perfectly legal gag orders (issued by a court) that force them to comply to normal police requests - and you would never even know.
Are there any VPN providers that claim they'll take the metamorphic bullet for their clients? I feel like you're setting up unrealistically high expectations where a VPN is like "we don't log or sell your data!", and you retort with "yeah but what if you get a secret court order or the government threatens your family?". I think nordvpn's response is consistent with what reasonable people's expectations are. Otherwise you can apply this logic to all sorts of interactions and find it quickly breaks down, eg. talking to a friend:
>"do promise you won't tell anyone?"
>"yes"
>"yeah but what if government subpoenas you, and grants you immunity so you can't plead the fifth?"
Yes, it's safe to assume that companies follow the law in countries where they operate.
So we need GrapheneOS to stand their ground more than ever!
My country has this: https://www.schneier.com/blog/archives/2024/09/australia-thr...
Which kinda ruins it for everyone.
Additionally, I would assume/guess that if it's some kind of coordinated campaign involving media then there is no law to compel GrapheneOS to do this. If they're was a law then that would be the pressure, as opposed to media articles.
What that then implies is a campaign to convince the public a law is necessary, ie. they're already laying the ground work for support for the next version of a Chat Control bill.
I seem to remember the FBI attempting to compel Apple to decrypt a criminal's iPhone, only for Apple to refuse and claim that it wasn't possible. I'm not sure exactly what happened after that. I think it was suspected that the NSA was able to do it by exploiting an unpatched zero-day. So they didn't need Apple's help anymore and the issue was dropped from the public's eye.
There's a couple overlapping things here:
1. Apple can and does comply with subpoenas for user information that it has access to. This includes tons of data from your phone unless you're enrolled in Advanced Data Protection, because Apple stores your data encrypted at rest but retains the ability to decrypt it so that users who lose their device/credentials can still restore their data.
2. Apple has refused on multiple occasions, publicly, to take advantage of their position in the supply chain to insert malicious code that expands the data they have access to. This would be things like shipping an updated iOS that lets them fetch end-to-end encrypted data off of a suspect's device.
> Apple can and does comply with subpoenas for user information that it has access to.
When we are talking about data stored on a company server, you have no choice when you are served a valid warrant.
That's why Apple went all in on the concept of keeping sensitive data off their servers as much as possible.
For instance, Apple Maps never stored the driving routes you take on Apple's servers, but does remember them on your device.
Not to mention, while apple will publically deny it, there are government agents working undercover at every major tech firm. They may or may not know. They certainly exist.
> remember the FBI attempting to compel Apple to decrypt a criminal's iPhone, only for Apple to refuse and claim that it wasn't possible
Apple refused “to write new software that would let the government bypass these devices' security and unlock” suspects’ phones [1].
> not sure exactly what happened after that
Cupertino got a lot of vitriol and limited support for its efforts.
[1] https://en.wikipedia.org/wiki/Apple%E2%80%93FBI_encryption_d...
I always assume these public performances are merely performances and that no one hears about the actual dirty work.
And of course Apple is quite right not to miss the marketing opportunity, on behalf of the shareholders. While acquiescing to lawful demands of course.
I don't remember Apple ever saying that it was impossible for them to do it, just that they didn't want to.
It was always kind of assumed that they could, by eg signing a malicious OS update without PIN code retry limits, so the FBI could brute force it at their leisure, or something similar.
They said it was impossible for them to build a backdoor into iOS that would only be accessible to legal requests from law enforcement, which is true in the strict sense. So law enforcement bought a vulnerability exploit from a third party.
> they could, by eg signing a malicious OS update
They successfully argued in court that being forced to insert code the government wanted would be equivalent to compelled speech, in violation of the first amendment.
As the Feds often do, they dropped the case instead of allowing it to set a precedent they didn't want.
> They successfully argued in court that being forced to insert code the government wanted would be equivalent to compelled speech
This isn't true, they never "successfully argued in court". There was never any judgement, and no precedent. They resisted a court order briefly before the FBI withdrew the request after finding another way into the device.
There wasn't judgement because the Feds dropped a case that would set a precedent they wanted to avoid.
Since there is longstanding legal precedent that corporations are people and code is speech, forcing a corporation to insert code that the US government demands is a violation of the first amendment.
https://en.wikipedia.org/wiki/Apple%E2%80%93FBI_encryption_d...
That was show put on for the sole reason of the public seeing it.
If you follow the things that have been disclosed / leaked/ confirmed when they’re 20+ years out of date, then yes the probability this is true is significant.
I recall there being a little more substance to it at the time. But looking back from where we are now, that is a succinct way of describing its results.
Cellebrite did the job using a vulnerability..
That being JTAG debugging. Now there are greyhat groups discovering what they can do with it beyond bypassing the PIN at power-up. Honestly surprised phones are not being sold/marketed as having that disabled on both bluetooth and USB.
Google and Apple were infamously official data providers[1] of the NSA's illegal and unconstitutional (as ruled by a federal judge[2]) warrant-less surveillance program (PRISM[3]) exposed by Edward Snowden.
It's safe to assume that software provided by every large, publicly-traded, for-profit technology company incorporated in the USA cooperates extensively with US intelligence agencies, and therefore by extension, the "Five Eyes" alliance, at a minimum if not also the "Nine Eyes" and "Fourteen Eyes" alliances [4].
[1] Slide 6: https://www.eff.org/files/2013/11/21/20131022-monde-prism_ap...
[2] https://www.reuters.com/business/media-telecom/us-court-mass...
[3] https://en.wikipedia.org/wiki/PRISM
[4] https://en.wikipedia.org/wiki/Five_Eyes