HN title: "France threatens GrapheneOS with arrests / server seizure for refusing backdoors"
LQDN: "In these articles, the head of the cybercrime section of the Paris prosecutor's office, who was behind the arrest of Pavel Durov, also threatens the developers of GrapheneOS. In an interview, she warns that she 'will not refrain from prosecuting the publishers if links with a criminal organization are discovered and they do not cooperate with the justice system'."
In the (very short) linked article: No mention of arrest, server seizure or backdoor, and a more nuanced take. Loosely translated summary: Some users have a legitimate need to protect their communications. IF we find links with criminal organizations AND there is no cooperation, then we might take action. They're specifically taking the approach of a case by case hack of single phones which might cost up to a million euros. Is this an issue if there's a warrant?
France has made it clear they expect to have a backdoor in end-to-end encryption apps and disk encryption. They've been saying that it's unacceptable not to have a backdoor in a bunch of these news stories they've gotten published by contacting the media. They've said if we don't cooperate with that, they'll take similar actions against us as they did SkyECC and Encrochat meaning hijacking our servers and trying to have us arrested.
Le Parisien has 2 articles about this, not only one, and https://news.ycombinator.com/item?id=46038241 explains lack of technical ability to compromise security after the fact. Titan M2 is specifically designed with insider attack resistance so that Google making an update disabling the brute force protection won't be accepted by the secure element without the Owner user successfully unlocking first. We don't have the signing key for the Titan M2 firmware anyway. This is part of our required hardware-based security features which we're working on providing in a Pixel alternative with a major Android OEM working with us right now. We talked to them about the France situation already and it does not negatively impact our partnership. It may be a good idea to speed up an official announcement with them to counter the narrative being pushed by France's law enforcement agencies now.
> France has made it clear they expect to have a backdoor in end-to-end encryption apps and disk encryption.
Note that "France" and "Johanna Brousse" (as the lead investigator lobbying for more agency data access) are not the same, by a couple million people.
Now's the time to get ahead of this. Communicate openly why Open Source matters, what's at stake, and try to ally with existing organizations like the EFF, IETF, Linux Foundation, CCC e.V. and others. They know how to deal with the media, and it's okay to ask for help.
Please let another person check the article from a non-technical perspective, because that's where journalists have a strategical bonus. If the blogpost/article/video/whatever contains too much technological lingo, the masses won't be able to understand it.
Wish you the best.
PS: I hope that you can see that not all people are as messed up as the kiwifarm doxxers. I've seen their "call to arms" to start new swatting attempts etc. Stay safe.
PPS: Don't engage with people that have anime avatars. Just block them. Your time is wasted trying to read or reply to them. Hate is a mind infiltration technique.
I appreciate the answer and the work on GrapheneOS! It seems there's a lot of work going on with the QPR1 release and this French matter doesn't make things easier for the team. Good luck!
> They've said if we don't cooperate with that, they'll take similar actions against us as they did SkyECC and Encrochat meaning hijacking our servers and trying to have us arrested.
No, they haven’t.
You are letting your paranoia talk by widely amplifying the content of two newspaper articles in media affiliated with the far right.
I’m quite surprised by your reactions to be fair because both SkyECC and Encrochat were actually affiliated with organised crime. As far as I know, GrapheneOS isn’t.
France basically always had very good PR portraying the country as "romantic" and a champion of freedom but reality has almost always been very different.
It was very unfree in the 16th century, which led to the French revolution, which was a nightmare, then military dictatorship. The 20th century was not much better and never forget France collaborated very quickly with the third Reich. Then De Gaulle had some sort of soft military dictatorship with a secret police and a total control of the media.
Today their police is very aggressive, their justice system highly politicized.
And as always a dominating bureaucracy.
The state is getting more and more aggressive as drugs and violence are rampant.
It is by far the country in Europe I had the worst interactions with the police.
There are a lot of beautiful things to see there but today I try to avoid it for business and leisure.
When it comes to freedom, France definitely has it backwards.
Now that it is in deep trouble economically, the bureaucracy is claiming for even more soft communism in a very totalitarian way. One needs to understand that the system made some people quite rich, way more than they would have been able on merit alone, thanks to the politics of bureaucracy.
Funnily enough the "far-right" is brandished as a fascist boogeyman when it would be a challenge to actually become more totalitarian.
For those reasons the "state of rights" is losing its legitimacy and criminality is on the rise unsurprisingly. When what you can expect to get out of the system becomes too disconnected from merit, it doesn't make sense to participate as a good actor.
So we now get rising commissars that try to police speech and behavior any way they can.
The police is basically a state militia that spends more time annoying mostly law-abiding citizens for minor offenses that just toe the line, in order to extract as much money out of them as possible. Meanwhile real criminals are out of control and receive laughable sentences from the corrupted justice system when they get caught. Following far-left ideals, criminals are victims that can be given more chances. One elected parliament member got caught buying drugs and basically nothing happened to him. Hard to not see some collusion.
What is cooperation? How are they supposed to unlock the phone?
Unless you're saying 'compelled to use their private keys to publish an update' or something along those lines, in which case I would say the original headline is correct.
There is no law allowing the police to do that in France so that can’t be what cooperation means.
In the case of Telegram, it was about providing meta data when subpoenaed and moderating the unencrypted part of the application.
There is little reason to believe it is about anything else here.
Edit: Happy to hear what the people downvoting actually disagree about as usual. At the moment I have read a ton of mud thrown at France here - including someone from GrapheneOS implying they won’t hire from France unless someone relocates, which must be one of the most hilarious takes I have ever read coming from someone from North America - with very little actually substantial shared, which, to be fair, seems to be becoming the norm here.
I mean, Durov has been trying to push for Russian puppets to get elected in Romanian and Moldovan elections, by pushing to everyone (at least in Romania, he might've just posted on twitter for Moldova) that the French government is trying to interfere in the Romanian elections. I mean, it turns out, Russia was, on behalf of the candidate he was talking about... so take from that what you will.
Oh, yeah, and he calls himself DuRove now. Hats off for that one, but I hope he rots in prison for advancing the Russian agenda.
You know I didn't use to understand libertarians, but after years of watching boundaries being overstepped again and again I think I see the appeal of burning it all down and living in a cabin in the woods.
Like, in Europe we already live in a completely safe society in historical and geographic terms, what more do you fucking want? Security is beyond a laughable excuse for things like chat control. Power tripping elitists will never be happy until they have the entire population under 24/7 camera surveillance and can read every thought in our heads as it occurs. If you make crime impossible, you make free will impossible.
The same reason there's only more regulations being piled on top of previous ones. Sadly only wars and similar catastrophes work as reset buttons for these things historically. A peace as long as the current one is somewhat of an untested ground
"... the appeal of burning it all down and living in a cabin in the woods."
I hope that's not what you think libertarianism is about. I'm sure there are libertarians who DO feel that way, but it's not a core tenet to personally isolate and live off the land.
Libertarianism sees not left vs right, but instead the people against the government. Libertarians focus on personal liberty and solving problems together, voluntarily, as individuals cooperating. A libertarian would say, for example, that if I think a bridge should be built, then I should either build it myself or convince other people to help me out voluntarily - but not use government to force people to help (via taxes, etc).
Libertarians are against force/coercion, and see government as the ultimate expression of force.
There are some loony libertarians, as there are of any political party, but most of us have pretty ordinary and mainstream beliefs and priorities.
It’s important to defend libertarian values even when things are good. Small violations of civil rights have a tendency to stick around and snowball into something worse.
> We’ve been made to believe that the greatest fight of our generation is to destroy everything our forefathers left us: tradition, privacy, sovereignty, the free market, and free speech.
Read: "Hi, I'm a right-wing populist."
Tradition is virtue signalling to them. Sovereignty is to fuel this anti-EU trend (a Russian propaganda point).
Durov is a Russian asset, I'm sure of it. Why, cause he got ties with the underworld, that is why. He didn't want to act on warez, narcotics, criminals, scams, etc. None of that he took seriously, because in the viewpoint of a Russian criminal (the Russian state is the head of the criminal enterprise) all of that is just business. Which is also why he gets along so well with Trump. But when he didn't want to act on child pornography, he went too far. Because approximately all adults oppose that sexual preference. That is when France got his ass handed on a silver plate.
If this guy would care about free speech he'd be a lot more vocal about Trump and Putin instead of France and EU. The EU is under attack by Russian trolls, ask anyone who works in SOC. It has become worse...
Is it safe to assume, then, that Google and Apple already have backdoors in their operating systems as likely requested by many governments around the world (not least of which the one from their home country)?
Or is GrapheneOS the only one built securely enough to need to be leaned upon?
Either way, makes Google and Apple look bad and/or incompetent and GrapheneOS look like some kind of beacon of user protection / privacy rights / other things that are the opposite of the direction the world seems to be moving.
> Is it safe to assume, then, that Google and Apple already have backdoors in their operating systems as likely requested by many governments around the world
I don't know whether it is safe to assume. But if they are complying with Australian law, specifically the Assistance and Access Bill (2018) [0], then they must write an undetectable backdoor for the Australian government if asked (that's the assistance the bill's name refers to), and push it to any phone the government demands (that's the access bit).
The only way to avoid this as far as I can tell is to run a free open source distribution. Unlike the paid systems such as Windows and iPhone, the free distributions do not have the "billing relationship" with their customers that the proprietary companies are so fond of. It's that billing relationship that allows them to target only the devices owned by a specific individual.
The Australians must do that targeting because that law demands they don't introduce a systemic weakness into every phone. Any sort of backdoor is considered a systemic weakness. I dunno what laws other countries operate under, or how well they follow the laws they do have, but I'd be surprised if Australia wasn't following its own laws. That means if your device runs a true open source distro that doesn't track its users, in Australia it's truly your device.
The situation with Android security updates means that such a distro is either not based on Android (and likely less useful), or there are months-long delays to security updates for the non-GPL components.
Similarly, non-Google versions of Android can't run important apps that require attestation, including the Australian government app myGov.
Every time I travel internationally I immediately get notifications for Android OS updates. I'm pretty sure they are for satisfying local regulations about the phone's behavior, including the topic at hand.
Interesting. I have never seen anything like that in many years of frequent travelling while using Android. Which countries did you see this in? And are you using stock Android or some vendor's version?
Apple has already taken the US government to court and forced them to back down after the FBI demanded that they insert a backdoor into iOS.
> In 2015 and 2016, Apple Inc. received and objected to or challenged at least 11 orders issued by United States district courts under the All Writs Act of 1789.
This year, Apple took the UK to court and announced that they would strip encryption features from UK users before they would give in to UK demands for an encryption back door before the UK backed down.
If Graphene has the money to do so, they should fight it out in the courts.
It's likely not due to any backdoors present, more so due to weak default settings plus alternate routes to the data. Things like backups being unencrypted either by default or when uploaded to the cloud. You don't need to ask for a backdoor if most users don't have encryption enabled.
I seem to remember the FBI attempting to compel Apple to decrypt a criminal's iPhone, only for Apple to refuse and claim that it wasn't possible. I'm not sure exactly what happened after that. I think it was suspected that the NSA was able to do it by exploiting an unpatched zero-day. So they didn't need Apple's help anymore and the issue was dropped from the public's eye.
1. Apple can and does comply with subpoenas for user information that it has access to. This includes tons of data from your phone unless you're enrolled in Advanced Data Protection, because Apple stores your data encrypted at rest but retains the ability to decrypt it so that users who lose their device/credentials can still restore their data.
2. Apple has refused on multiple occasions, publicly, to take advantage of their position in the supply chain to insert malicious code that expands the data they have access to. This would be things like shipping an updated iOS that lets them fetch end-to-end encrypted data off of a suspect's device.
I don't remember Apple ever saying that it was impossible for them to do it, just that they didn't want to.
It was always kind of assumed that they could, by eg signing a malicious OS update without PIN code retry limits, so the FBI could brute force it at their leisure, or something similar.
> Or is GrapheneOS the only one built securely enough to need to be leaned upon?
Probably has something to do with it, but GrapheneOS doesn't have the money or resources that Google/Apple/etc has to lobby/bribe/delay/obfuscate/navigate/drawout/etc such attempts.
Google and Apple were infamously official data providers[1] of the NSA's illegal and unconstitutional (as ruled by a federal judge[2]) warrant-less surveillance program (PRISM[3]) exposed by Edward Snowden.
It's safe to assume that software provided by every large, publicly-traded, for-profit technology company incorporated in the USA cooperates extensively with US intelligence agencies, and therefore by extension, the "Five Eyes" alliance, at a minimum if not also the "Nine Eyes" and "Fourteen Eyes" alliances [4].
Of course the likes of Apple and Google are complying with lawful orders from the governments of countries they do business in.
Businesses that don't generally cease operating in said country. LavaBit was a highly visible instance of a business shuttering itself instead of complying with such lawful orders.
That's also the ploy of basically every VPN provider out there. They say they don't store or give out data, but they still adhere to lawful requests. That necessarily includes requests from countries where they legally offer their service, even if their HQ is in some country with lax legal frameworks. It also means, if there is a legal way to coerce them into recording your data or handing it over, they will do so.
Additionally, I would assume/guess that if it's some kind of coordinated campaign involving media then there is no law to compel GrapheneOS to do this. If there was a law then that would be the pressure, as opposed to media articles.
What that then implies is a campaign to convince the public a law is necessary, ie. they're already laying the ground work for support for the next version of a Chat Control bill.
Following the propaganda of the ministry of interior, several articles were published in the press about GrapheneOS, which is described as a solution for criminals because it allows hiding things.
La Quadrature du Net [similar to the FSF with regard to defending users' rights] argues that the purpose is of course not cybercrime, but to secure and protect the privacy of its users.
The head of the anticybercrime brigade of Paris threatens to sue the developers of GrapheneOS if connections with organized crime were to be found.
The government has repeatedly tried to extend cyber-surveillance previously. They are trying to use a law designed to fight drug traffickers in order to enforce backdoors in services that use cryptography, such as Signal or WhatsApp, without any success for the moment.
---
So, it's a threat before having a proof. They also mention the arrest of Pavel Durov, who was arrested because Telegram failed to answer legal requests, which was then constructed as complicity with criminals using Telegram, but that's obviously a very different case.
But of course, if they succeed in forcing backdoors, criminals will just use other ways to communicate (doesn't matter if they are legal or not because, well, they are criminals...) or tricks; for instance, back in the day when (analog) phone calls could be wiretapped, they were already using code words. They could use e.g. steganography tomorrow.
But we will be left with backdoors that are an unacceptable compromise on security and privacy. This is a recipe for dystopia considering that far-right parties are getting stronger in Europe, including France.
Oh! It's about drug trafficking. Then I have nothing to hide. Please root and backdoor my phone. And also give the keys to all the hackers around the world...
I like GrapheneOS. They have a clear focus and that should be respected. However, all that drama about e/OS they are creating and claims about fascist law enforcement are a bit over the top IMHO.
> As of 2018 through an initiative sometimes termed "Five Eyes Plus 3", Five Eyes has agreements with France, Germany, and Japan to introduce an information-sharing framework to counter China and Russia.
Yep. That’s the implication, and it’s disturbing. It also implies the US government knows - otherwise why wouldn’t they use their influence to put an end to this?
I don't think they are highly concerned with people installing their own OS on desktop machines, that's still a fringe group. And most of us are using smartphones too. Also there are likely other trivial exploits like CUPS which was preinstalled and enabled by default on desktop linuxes.
Not really. It's one thing trying to bully a relatively small FOSS project, it's quite something else to take on one of the world's biggest companies that can afford a literal army of lawyers and that also has the power to have the US government intervene on their behalf.
Actually, in some ways, it is easier to bully large companies - because those companies are less flexible in avoiding confrontation with the authorities in a certain state. For Google to avoid having a legal presence in France is much harder than for the GrapheneOS project to do the same.
But - valid point regarding having the US government intervene.
You’re getting the logic wrong. I’m absolutely sure Apple and Google have direct CIA backdoors. That’s what Snowden taught us and it would be delusional to think the world has changed. The bigger the company = tighter the link with power
I think your devices should have government-mandated backdoors if and only if you are a public servant. I don't understand why private citizens are held to higher standards of conduct than politicians and cops.
I've been saying this for years: the more power you have the higher standard you should be held in. In most societies on the planet it's the other way around.
Everyone agrees with this obviously but it's like saying that we should be able to levitate or live in utopia. It's almost a law of nature that the types that become powerful are not your most savory individuals and will use the power to reinforce their positions.
I've been saying this too but lately I think the fundamental notion of power is wrong. There's 2 perspectives which are 2 sides of the same coin:
---
All social relationships should be consensual.
This means based on _fully-informed_ consent which can be revoked at any time.
This already marks employment as exploitative because one side of the negotiation has more information and therefore more bargaining power. Not to mention having more money gives them more power in a myriad of other ways (can spend more on vetting you, can spend more on advertising the position than you can on advertising your skills). Just imagine if people actually had more power than corporations - you'd put up an ad listing your skills, companies would contact you with offers and you'd interview them.
Citizenship is also exploitative because you didn't willingly sign a contract exchanging money (taxes) for services (protection, healthcare, roads, ...), in most countries you can't even choose which services you want to pay for. And if you stop paying, they'll send people with guns to attack you. This sounds overdramatic (because it's so normalized) until you realize from first principles that is exactly what it is.
_If democracy is supposed to mean people rule themselves, then politicians should be servants which can be fired at any time._ In fact, in a real democracy, people would vote on important laws directly and only outsource the voting to their servants about laws which don't affect them much, or they'd simply abstain.
---
Power should come from the majority.
This should naturally be true because all real-world power comes from violence and more people can apply more violence (or threaten it, when violence is sufficiently probable to be effective, it usually does not need to be applied, the other side surrenders).
But people who are driven to power have been very good at putting together hierarchical power structures where at each level the power differential is sufficiently small that the lower side does not need to revolt against the upper side. But when you look at the ends, the power differential is huge.
Not just dictators, "presidents" or presidents but "owners" and "executives" too.
You don't truly own something you can't physically defend. When you as a worker finish a product, you literally have it in your hands. You could hand it over to a salesman and you'd both agree on how to split the money from selling it. But instead, you hand it over to the company (by proxy its owner) which sells it and gives you your monthly wage irrespective of how much the product made. The company being free to fire you or stop making the product obviously makes more money than you - it's an exploitative relationship.
But why do you hand it over? Because if you don't, they'll tell the state and it'll send people with guns to attack you.
---
Bottom line is if people had equal bargaining power ("equality"), then if they chose to temporarily give "power" to someone in one area, they'd obviously take away their "power" in some other area. Why? Because they'd know if they didn't, the more powerful person would use this power differential to get even more power, and so on, starting the runaway loop we have here now.
Even then the backdoor should be on their government device and not the personal devices.
Note that having their personal device when doing government work should be prohibited (that is you can't have it in your pocket when working). As is using your personal device for anything government (other than a formula check your government device call/text - employees should be regularly tested that they report any government communication that doesn't follow the formula)
> devices should have government-mandated backdoors if and only if you are a public servant
This would be an intelligence bonanza.
Better: mandatory, encrypted logging. Officials maintain the keys. When they leave office or are subpoenaed, they have the means to grant access. (If they can send and read their messages, they have the keys.)
And ideally an illustration to those in power why backdoors are never a good thing. They won't care if it's not happening to them. But if their devices are suddenly incredibly insecure due to their backdoors, they might just rethink the concept entirely.
We do have things like the Freedom of Information Act in the US, and I think a lot of European countries have similar laws. Yes it isn’t perfect and could be enforced more evenly.
But obviously, if you work for the military there is information that needs to be kept secure…
Backdoors exist for everyone or they exist for no one, this technology isn't one that has room for a gray area to debate. If it can be deployed to public servant devices, it can be deployed to your device.
Only if they're using the same devices everyone else uses. If they're required to use a certain kind of hardware, or they're required to submit their device for hardware modification, this stops being an issue, doesn't it?
That is totally not true. They can be forced to install an app on their device that creates the backdoors. Companies do that all the time. An OS doesn't need to have backdoors built into it for backdoors to be added to it. Kinda the point of an OS is that it is general purpose.
Politicians are routinely ordered to surrender their communication to justice to audit what they do. Missing texts from Von Der Leyen are at the heart of Pfizer-gate after all.
I don’t really know what to think about this to be honest. I don’t think it’s entirely black and white and I find it surprisingly easy to play devil's advocate.
Remember that the US government has an insane level of access to private communications via all the post 9/11 laws, how cosy it is with the main tech companies and we know they do a lot of this spying unofficially and with little oversight since Snowden.
Meanwhile, France is struggling with an unprecedented level of organised crime activity with the amount of violent crimes reaching a worrying level. We are talking murders involving automatic weapons in broad daylight in the middle of the streets of France's second largest city. Two weeks ago, the young brother of a famous anti-drug activist was murdered by a hitman while shopping.
There has been a huge increase in the quantity of cocaine being smuggled from South America triggering intense gang competition for the control of deal points and the means in place to tackle the issue increasingly look vastly undersized. Limiting the discussion to it being an authoritarian measure is refusing to acknowledge the very real challenge police currently face.
The only problem with that train of thought is that you are advocating a lower standard. Backdoors are not a superior option in any circumstance whatsoever.
The standard of conduct we need (and are failing) to hold politicians and cops to is actual security and responsibility. Some of the most powerful politicians in the world are leaking private conversations, and no one is holding them accountable. Police are paying private corporations (notably Flock) to build giant monolithic datasets from stalking private citizens, yet neither party is held to any standard whatsoever.
Logistically, when you combine private citizenship with government you get corruption problems because incentives are so misaligned.
In fact private citizenship combined with government is the origin of corruption. Think about it, as a government official your incentive should be to preserve order, fairness and honor. As a private citizen your goal is to optimize the amount of money you make via business or employment through whatever means possible. That means exploiting loopholes and possibly when no one is looking, breaking the law.
The incentives are orthogonal and it does make sense to have a different set of rights and rules for government officials and private citizens. The minute you take the attitudes of private business/citizens into the world of government you get people creating rules that are corrupt.
I suppose that was irony to highlight they're usually exempt.
Also, they are paid by the people to work for the people, so during the exercise of their functions they could in theory be contractually obliged to use a company phone
> You cant understand why the people with a monopoly on violence and force have higher scrutiny? -- @retr0rocket
Replying here to this seemingly flagged/dead comment (not sure why it was flagged - a very reasonable question).
I fully support higher scrutiny of public officials & cops, but this frankly isn't that. First & foremost, the problems you're describing are systemic, not individual. Monitoring a cop's phone isn't going to reduce police violence if the system isn't accountable - this is essentially the "bad apple" argument. The entire system needs drastic reform: backdoors won't solve any real problems here.
Secondly, independently of the levels of reform needed, at an individual level we're talking workplace conduct, reporting, protocols & transparency -vs- dystopian privacy invasion. There's a very broad spectrum here long before we reach the need for extremes.
Lastly, you need to look at the systems doing the monitoring of politicians' & cops' phones in this hypothetical scenario: if those systems contain the same systemic corruptions (which they inevitably do), the entire argument for oversight is moot.
Who says they would? The point is the people would vote to have them held to this higher standard. They represent the people's will. They shouldn't get to choose other than their personal vote, the people choose. If they don't agree with what the people choose then they can leave politics.
As much as I want to agree with you, no, backdoors for them mean backdoors for everyone else. It's all or nothing. Now, they should be held to a higher standard, and face stiffer penalty than the regular prole because they should be the example-setters.
Do better policing (and that doesn't include trying to backdoor devices), but backdoors aren't the answer.
There's a top tier DEFCON talk by the Lavabit email guy. He explains where the line is for access to phones and other encrypted information. I'll try to summarize -
1 - Law enforcement have actual information about the probable contents of your phone (like an incriminating filename will do). They can reasonably expect to get a warrant and access to your stuff.
2 - They don't know what's there at all, and have no probable indication of the contents, and in this case they cannot expect access because they would just be going fishing.
The article is kind of interesting: on the one hand, you’ve got a tool that can be used by ordinary citizens and political dissidents for legitimate reasons. On the other, the French police were mildly inconvenienced during their arrest of a small-time drug dealer.
True freedom, of any kind, requires freedom to say things and think things in private. I sometimes think horrible things and even discuss them with my friends. I need that space to work out issues. Without a truly safe space I would eventually go mad as I suspect many people would. The other part of this is that a basic requirement of freedom is trust with accountability. It means we allow things that may be harmful but if things go bad we hold those responsible accountable after the fact. It also means we may not catch all the bad guys and that is OK because the alternative is that everyone turns into a bad guy when we prevent people from doing things in case they will be bad. There is a balance here but the position that a govt will always have access to all private individual (acting in a private capacity) communications is not anywhere near a reasonable balance.
I can understand you thinking that and there's probably some truth to it but do I consider Android and iOS compromised with government backdoors? No. What do I base this on? The lucrative black market for Android/iOS 0days.
And who's buying them? Generally, state actors, directly or indirectly. There is an entire ecosystem of Israeli "security" companies that exist to farm out these exploits. This is a big part of why Israel is such a key component of the American national security infrastructure. Israel is largely beyond the jurisdiction of American courts and any kind of direct scrutiny by the government.
It's a bit like how the US isn't (technically) allowed to spy on US citizens. How do they get around this? By farming out such activities to allied intelligence services, particularly Five Eyes members.
This entire ecosystem and marketplace just wouldn't exist if Android or iOS were fully backdoored.
I see your point, but this could also mean that the backdoors are there, just only a few organisations know it (let's say US army) and then they get found and found again
Larger companies are easier to influence than small ones, no intimidation is necessary.
Protecting user privacy delivers close to 0 shareholder value, being friendly with nations wins you billions of dollars in contracts, regulatory protection, and friendly courts, it's a win-win for big companies and surveillance states to be friendly with each other.
I don't think so; (but at the end of the day, you can never be 100% sure unless it's 100% OSS)
But with that being said, both Apple and Google store a lot of data about you, and they are willing to "cooperate" with the government, and they did hand over data in various cases, Apple included [1]. For some reason, people think of it as the "privacy company".
btw, big tech also get harassed for similar requests: The UK, for example, is still pressuring Apple to build an encryption backdoor [2].
The linked article from Le Parisien (a big French billionaire-owned newspaper) is quite nuanced.
It gives the police's view on narco-traffic crime, but also Graphene's take:
"Criminals and traffickers also use knives."
This organization, which is not a company but a foundation, emphasizes that its solution is used by ordinary people who dislike how apps and operating systems handle their data. It adds that if criminals use Google Pixel phones and GrapheneOS, it’s because these solutions work well. But that doesn’t make them accomplices, they assure. "Criminals and traffickers also use knives, fast cars, and cash—things that are also widely used by honest citizens," its representatives note.
And GrapheneOS adds that it protects users from hackers and intrusions by the secret services of totalitarian states. "We consider privacy a human right, and we are concerned about projects like Chat Control (a European bill aimed at detecting child sexual abuse material in messaging services, but which has faced significant criticism) that the French government supports. The invasion of privacy enabled by such legislation would have alarming implications under an authoritarian-leaning government," it argues.
I didn't read it[0] as being particularly nuanced. I thought it was a fact-loose, extremist hitpiece against FOSS, containing howlers such as
> "Particularité de GraphèneOS : on peut se le procurer autant sur le darknet que sur des sites grand public." ⇒ "A distinctive feature of GrapheneOS is that it can be obtained both on the darknet and on mainstream websites."
Quoting "both sides" (so to speak) doesn't automatically create a thoughtful dialog.
I'm unsure whether it's appropriate to trust Le Parisien's equivalencies.
Q: Do they have a track-record of intellectual honesty?
Equivalencies are powerful, and dangerous if mis-handled.
E.g. this is worrying [from the article]: "A unique feature of GrapheneOS is that it can be obtained both on the dark web and on mainstream websites." Le Parisien is calling out GrapheneOS's availability on the "Dark Web" as significant, in the context of "Drug Trafficker's Secret Weapon". Banned books can also be acquired on the Dark Web, and banned books are not illegal, yet, in mainstream democracies. So Le Parisien's equivalency, here, is misleading.
now now comrade, if the book is banned, how is it that you are in possession of it? you're clearly breaking the rules. I do believe it is time for you to start counting trees
This article is as absurdly biased as it could be! Of course they provided a quoted response from GrapheneOS devs: that's the only appeal to credibility they have.
A truly responsible journalist would explain to their audience what is actually at stake, not simply spout every available position as if it were equivalent.
> Le Parisien (a big French billionaire-owned newspaper)
They're all billionaire owned. As an example, left wing newspaper Liberation has Kretinsky among the owners
Yeah, "Le media" and "Mediapart" are "left wing" newspapers and not billionaire owned, there are right wing ones too, but they are small.
Libé isn't owned by Kretinsky but Patrick Drahi, Kretinsky owns Marianne (right to far-right now...).
But anyway yeah, in France (and in other countries too) there is a media oligarchy.
One thing though is - knives, fast cars and cash aren't built with deliberate motivation of thwarting the law enforcement and criminal investigations.
GrapheneOS and its systems are - you can walk through history and see that they're deliberately working on systems that defeat law enforcement's efforts of collecting data from seized devices and tracking criminal networks.
This is a massive difference - even for knives and cars, you'd get into some hot water (or outright illegal behaviour) if you build them with the express purpose to make them hard to find and track by law enforcement. Try making a company that focuses on cars that hide their license plates from the police and you'll see how far that will go.
This is one thing that GrapheneOS, Signal and others will need to at some point reckon with - the fact that they deliberately work at making law enforcement's work harder and provide effective cover for criminals will get them into hot water. And I don't think the population will stand at their side when they find that they've been helping CSAM traffickers hide their loot.
Having all that anti-governmental rhetoric won't end well for the long-term survivability of these projects - which sucks for all of us.
Graphene shouldn't have to reckon with the abuse of government, we should step in and speak up for them. If having a secure device becomes criminal, only the criminals will have secure devices.
Law enforcement is being lazy by trying to rely on mass surveillance rather than espionage tactics to catch criminals. Criminals learned long ago how to work around surveillance, so this doesn't really work on them. But it does subject the public citizen to undue scrutiny and violation of privacy, which history has shown is then used against the innocent. We don't need any more reminders of how popular authoritarianism has become. And it's often used to pin a crime on an innocent person (a common police controversy), or intimidate and harass them (see FBI).
> I don't think population will stand at their side when they find that they've been helping CSAM traffickers hide their loot.
This is just one of many examples of a false rhetoric used by politicians to manipulate the public into kowtowing to mass surveillance. We cannot stand for this and must fight it at every turn. "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."
Genuinely curious: what did you see in GrapheneOS history that indicates that the OS is specifically designed to defeat law enforcement (as opposed to their stated goals of defeating ad surveillance and stalkerware)?
There is no way to have a completely secure operating system, safe from hackers and spy organizations and thieves, that is also accessible at the whim of law enforcement. Period.
If we can't trust hosted services to protect our data, and we can't trust our own computers to preserve our data, the right to privacy simply doesn't exist.
I think your point is that there is evidence that the intention of some or all of the developers and/or the organization as a whole is to make law enforcement more difficult. You go on to argue that this intention fundamentally alters how society, or at least law enforcement arms of government, should view this technology. Specifically, I take your argument to be that law enforcement should or will treat them as accomplices to some degree of the crimes they enable.
This is a very counter-productive distortion of privacy, and borders on a lie about Graphene.
Something designed to be private doesn't know the difference between a law enforcement officer trying to break into it and a criminal trying to break into it.
There is no special "anti-cop only code" that gets executed, any more than there are special "cop tools" that exist on some physical plane where criminals don't.
So which knife makers are serializing their kitchen knives so they can be traced back in case of a crime? How many knives come with a GPS tracking its position? Well too expensive, what about an Airtag. No? By your roundabout logic this qualifies as “deliberately working on systems that defeat law enforcement's efforts”. It’s an absurd argument.
To actually do any crime with GrapheneOS you would also need at least a VPN and basic understanding of operational security. Just as you would need a lot more than just a knife and car to be a successful criminal.
A Pixel phone with GrapheneOS is not some magic device that lets you do crime without immunity, but that’s the story they want to sell you.
Are you livestreaming your face on Twitch right now? If not, why are you deliberately making it harder for police to catch criminals? It would be so much easier for police to catch criminals if everyone livestreamed on Twitch 24/7, it should be a crime not to do that.
In the end, wasn't EncroChat a larger problem for the criminals than the governments?
Once it became a big enough target it got taken down, and then quietly run by the police who collected everybody's messages for months before triggering a huge round of arrests, including quite a bit of major organized crime across Europe. The dangers of centralization. They'd love another EncroChat!
Doesn't apply so much to GrapheneOS of course since they're not in the messaging platform market, but it's definitely a cautionary tale.
I watched a fascinating documentary about EncroChat (https://www.channel4.com/programmes/operation-dark-phone-mur...). It was obvious the police absolutely loved having this real time feed into criminal communications, and thought "let's have more of that please". They don't realise the consequences are that criminals won't use such forms of communication once they know they're backdoored.
Probably something like this would be close to the same colloquial meaning (I'm not familiar with any pants-shitting slang in French):
EncroChat leur a foutu les jetons de ouf.
Given the fact that most protests are organized on Facebook groups, how does one keep him/herself aware of eventual protests to come without Facebook/Instagram? I'd gladly join for a cause I support.
Edit: I wonder why this is downvoted. The bureaucratic class holds enormous power in France, and has constantly acted against digital rights and privacy with impunity. The only institution that can somewhat restrain them is ECHR.
Russia is as European as France and certainly more European than the US or Canada. Most of Europe's problems stem from trying to keep Russia out and Germany down.
The latter has worked well because Germany is, to this day, occupied by the US & the UK. But the former has never worked out and is now bankrupting the EU!
Just to be clear about what is really happening right now;
There were three articles from newspapers (Le Figaro, Le Parisien) known for their rightist, pro-cops, opinions, and owned by billionaires (LVMH/Arnault, Dassault). In those articles, GrapheneOS is associated with bad actors purportedly using it as a way to obfuscate their activities.
A comment was made by Johanna Brousse, Chief of French Cybercrime Unit, stating she would not refrain from pursuing the publishers if links were found with a criminal organization and they refused to cooperate with the justice system.
Another claim from a police investigator equates GrapheneOS usage to illegal activity.
"In Canada and the US, refusing to provide a PIN/password is protected as part of the right to avoid incriminating yourself. In France, they've criminalized this part of the right to remain silent."
Everything about the exercise of power in the digital world is tilted away from the individual.
Windows 11 moved all my files into the cloud without even asking me! I was livid--those are documents that I deliberately DID NOT WANT in the cloud! It's crazy what malice we have to put up with and navigate these days. It just keeps getting worse and more convoluted, too.
> Two articles in Le Parisien yesterday, followed today by one in Le Figaro, have launched a shameful attack against GrapheneOS, a free and accessible open-source operating system for phones. At La Quadrature du Net, it's one of the tools we favor and regularly recommend for protecting against advertising tracking and spyware.
> Echoing the propaganda of the Ministry of the Interior, newspapers describe GrapheneOS as a "crime-related phone solution," and a police officer adds that its use is suspicious in itself because it indicates an "intention to conceal." By portraying GrapheneOS as a technology linked to drug trafficking, this attack aims to criminalize what is actually a secure privacy-preserving tool.
> In these articles, the head of the cybercrime section of the Paris prosecutor's office – who was behind the arrest of Pavel Durov – also threatens the developers of GrapheneOS. In an interview, she warns that she will "not hesitate to prosecute the publishers if links are discovered with a criminal organization and they do not cooperate with the justice system." https://archive.is/20251119110251/https://www.leparisien.fr/...
> The government regularly tries to link privacy technologies, particularly encryption, to criminal behavior in order to undermine them and justify surveillance policies. This was the case in the so-called "December 8th" case, where a police narrative was constructed around the (secure) digital practices of the accused to portray a "clandestine" and "conspiratorial" group. https://www.laquadrature.net/2023/06/05/affaire-du-8-decembr...
> Now, drug trafficking is being used to attack these technologies and justify the surveillance of communications. The so-called "Drug Trafficking" law was thus used as a pretext to try to legalize "backdoors" in encrypted applications like Signal or WhatsApp, without success. https://www.laquadrature.net/2025/03/18/le-gouvernement-pret...
> An article in Le Monde diplomatique from November extensively examines the history of the political exploitation of drug trafficking to justify security and surveillance policies. The police attack on GrapheneOS fits perfectly within this pattern. https://www.monde-diplomatique.fr/2025/11/BONELLI/68915
> In its response published yesterday, GrapheneOS points to the authoritarian tendencies of the French government, one of the most fervent supporters of the "ChatControl" regulation under discussion at the European level, one of whose goals is to put an end to end-to-end encryption. https://grapheneos.social/@GrapheneOS/115575997104456188
More graphic content needed to get folks to click through: This is excerpted from the result of G-translating the Parisien link:
"This 27-year-old alleged trafficker is suspected of having run this drug telephone platform which, between 2023 and 2024 in Paris, collected a turnover of two million euros and is said to have caused three overdose deaths during chemsex parties."
I think you meant https://mamot.fr/@LaQuadrature/115581775965025042 instead of a link to "Le Parisien", which is not a non profit, but a newspaper owned by LVMH/Bernard Arnault, and known for having rightist opinions.
At the end of the day, these attacks on privacy are always in reality for keeping incompetent politicians and bureaucrats safe from meritocracy.
Built into the onslaught of demands of backdoors are two key ideas: A) That the backdoors will only be exploitable by the authorities and that B) they're even necessary to carry out their work in stopping trafficking.
I think most people know by now the first idea is preposterous. The second idea is too. The EU should focus on better police tools and tactics that detect and track the actual movement of goods.
Sadly, I don't think that that's true. I've been shocked by the lack of understanding there in groups of technical people who should know better. It's even worse in groups of non technical people. I'm afraid this is an ongoing battle, and every time ideas like this come up from government it's going to be an effort to inform the public.
> The EU should focus on better police tools and tactics that detect and track the actual movement of goods.
This is a point that doesn't get raised very often: the actual crimes occur in "meat space", not electronically on a device. Haven't police and intelligence been solving crimes like that since 'the beginning'?
The coordination of a crime may be done electronically 'on device', but the actual crime occurs somewhere physical, generally with physical objects and the presence of the criminals themselves.
Why is it suddenly so much more difficult for law enforcement to do their jobs that the privacy of every member of the public needs to be able to be invaded?
Are police forces under-resourced to take on the "how it's always been" approach to fighting crime? Are law enforcement being subject to inapplicable software engineering rules of efficiency to save money? (Ie. Too much focus on the metrics, not the outcomes).
Don't police have great physical surveillance tools? Yes, it may cost more in having to physically surveil targets, but that seems (to me, and this is where the rift lies) a good compromise as opposed to surveilling the entire populace.
Anyone can say anything in a piece of correspondence that they think is private. If it's made public it completely changes the context. A joke between friends, criminals or not, can look like conspiracy to X, Y, or Z. Research for a crime novel could appear like preparation for a Louvre heist. And even if it is, it's not a crime until it occurs, until that point it's not 'real', the thing suspected of being planned hasn't actually taken place until it takes place. Are we implementing pre-crime without the three psychics?
And one thing I know for sure is that law enforcement do not understand context. They're bred to find guilt, not innocence, and having a larger haystack they'll find plenty of hay they think look like needles. Gotta hit those metrics.
There's plenty of nuance missing from what I've written here, but I fairly strongly feel it's leaning towards reality rather than liberal fantasy.
The police had the ability to intercept phone calls, mail, email and telegrams for a century now.
So yes, their work is now harder and they're pushing back against that and trying to enact laws that return the previous state (or give them even more power).
There were many decades where phones didn't have back doors. Now, it's the opposite case in the most dystopian way. It's concerning that all phones are required to have back doors for law enforcement and the enforcement is severe. I know several people who have a corrupt "cop they know" that they can regularly contact for favors. Why is it so out of the ordinary to distrust law enforcement when they have these tools?
> There were many decades where phones didn't have back doors.
Your cell phone provider almost certainly will respond to a valid warrant and wire tap your non e2e encrypted phone call.
I'd be very surprised if the most common mode of remote communication in any time period was not subject to government interception in some format within a short time of becoming such. That includes physical mail, telegrams, landlines, cell phone calls, txt messages, emails, etc.
Referring to "how things used to be" is not in fact helping the case for privacy.
I don't think people are arguing against complying with valid warrants. They object to blanket surveillance being done with tools available to any law officer that can be used at any time, warrant or not.
Of course they will respond to warrants, they have to, and nowadays they have the infrastructure to forward all traffic to law enforcement's servers in real-time.
Dear French: criminals would just use fake spam emails or bullshit trolling posts under fake Usenet groups in the clear. No encryption needed, and yet you would earn nothing by backdooring them.
For contrast, you can imagine how this debate between a private OS developer and the government would go in a non-democratic country. Or, you don't even have to imagine, because examples are not hard to find.
But really, the point GP was trying to make (IMO) is that all western democracies are very obviously sliding towards authoritarianism. They are building tools which, even _if_ they don't abuse them now, will be available to any future government and with time, the probability of one of them being non-democratic is 1.
I believe this is the OS recommended to journalists that report on Palestine because freedom of speech doesn't apply without aggressive assertion of your rights.
France has threatened us with the same actions they took against SkyECC and Encrochat if we do not cooperate by providing law enforcement access into devices. This was published via Le Parisien in one of their articles and through French state media. They're absolutely threatening us that way.
> Interviewed, she warns that she will “not stop pursuing publishers if links are discovered with a criminal organization and they [GrapheneOS] do not cooperate with justice.”
France has threatened us with the same actions they took against SkyECC and Encrochat if we do not cooperate by providing law enforcement access into devices. The actions they took against those were mass arrests and seizure of servers. We don't have cloud infrastructure for builds/signing but regardless we don't want the French state taking over our website, etc. so we're leaving France and OVH.
This is not proven state action - this is hearsay. Maybe the GrapheneOS project should wait for the first warrant to arrive or police raid to happen before claiming what they currently do.
With the current evidence, it's not ruled out that the French state is not doing anything at all.
> The FBI ran a sting operation in Europe where they created their own 'secure' phone and messaging platform. Their OS used portions of our code and was heavily marketed as being GrapheneOS or based on GrapheneOS.
So how do we know GrapheneOS itself isn't a honeypot? It's run by a mystery org and heavily marketed as being a secure platform.
They even have reproducible builds so you can validate the source matches the distributed binaries. After that it's trusting in the OSS process to have caught any attempted backdoors which is more down to your individual evaluations.
Would be an interesting experiment actually: how long would it take for the community at large to discover a backdoor in graphene OS if added sneakily by generally trusted Devs, ie the org that maintains it.
Or, phrased differently, how much independent auditing is graphene OS subjected to?
> We've built relationships with security researchers and organizations interested in GrapheneOS or using it which results in a lot of this kind of collaboration.
HN title: "France threatens GrapheneOS with arrests / server seizure for refusing backdoors"
LQDN: "In these articles, the head of the cybercrime section of the Paris prosecutor's office – who was behind the arrest of Pavel Durov – also threatens the developers of GrapheneOS. Interviewed, she warns that she will 'not refrain from prosecuting the publishers if links are discovered with a criminal organization and they do not cooperate with the justice system'."
In the (very short) linked article: No mention of arrest, server seizure or backdoor, and a more nuanced take. Loosely translated summary: Some users have a legitimate need to protect their communications. IF we find links with criminal organizations AND there is no cooperation, then we might take action. They're specifically taking the approach of a case by case hack of single phones which might cost up to a million euros. Is this an issue if there's a warrant?
This seems blown out of proportion?
France has made it clear they expect to have a backdoor in end-to-end encryption apps and disk encryption. They've been saying that it's unacceptable not to have a backdoor in a bunch of these news stories they've gotten published by contacting the media. They've said if we don't cooperate with that, they'll take similar actions against us as they did SkyECC and Encrochat meaning hijacking our servers and trying to have us arrested.
Le Parisien has 2 articles about this, not only one, and https://news.ycombinator.com/item?id=46038241 explains lack of technical ability to compromise security after the fact. Titan M2 is specifically designed with insider attack resistance so that Google making an update disabling the brute force protection won't be accepted by the secure element without the Owner user successfully unlocking first. We don't have the signing key for the Titan M2 firmware anyway. This is part of our required hardware-based security features which we're working on providing in a Pixel alternative with a major Android OEM working with us right now. We talked to them about the France situation already and it does not negatively impact our partnership. It may be a good idea to speed up an official announcement with them to counter the narrative being pushed by France's law enforcement agencies now.
> France has made it clear they expect to have a backdoor in end-to-end encryption apps and disk encryption.
Note that "France" and "Johanna Brousse" (as the lead investigator lobbying for more agency data access) are not the same, by a couple million people.
Now's the time to get ahead of this. Communicate openly why Open Source matters, what's at stake, and try to ally with existing organizations like the EFF, IETF, Linux Foundation, CCC e.V. and others. They know how to deal with the media, and it's okay to ask for help.
Please let another person check the article from a non-technical perspective, because that's where journalists have a strategical bonus. If the blogpost/article/video/whatever contains too much technological lingo, the masses won't be able to understand it.
Wish you the best.
PS: I hope that you can see that not all people are as messed up as the kiwifarm doxxers. I've seen their "call to arms" to start new swatting attempts etc. Stay safe.
PPS: Don't engage with people that have anime avatars. Just block them. Your time is wasted trying to read or reply to them. Hate is a mind infiltration technique.
I appreciate the answer and the work on GrapheneOS! It seems there's a lot of work going on with the QPR1 release and this French matter doesn't make things easier for the team. Good luck!
Le Parisien is not the French state. I doubt you had any interaction with the French authorities at all.
You are unable to seek any legal recourse because none of your rights have been violated (yet).
> They've said if we don't cooperate with that, they'll take similar actions against us as they did SkyECC and Encrochat meaning hijacking our servers and trying to have us arrested.
No, they haven’t.
You are letting your paranoia talk by widely amplifying the content of two newspaper articles in media affiliated with the far right.
I’m quite surprised by your reactions to be fair because both SkyECC and Encrochat were actually affiliated with organised crime. As far as I know, GrapheneOS isn’t.
France basically always had very good PR portraying the country as "romantic" and a champion of freedom but reality has almost always been very different.
It was very unfree in the 16th century, which led to the French revolution, which was a nightmare, then military dictatorship. The 20th century was not much better and never forget France collaborated very quickly with the third Reich. Then De Gaulle had some sort of soft military dictatorship with a secret police and a total control of the media.
Today their police is very aggressive, their justice system highly politicized. And as always a dominating bureaucracy.
The state is getting more and more aggressive as drugs and violence are rampant.
It is by far the country in Europe I had the worst interactions with the police.
There are a lot of beautiful things to see there but today I try to avoid it for business and leisure.
When it comes to freedom, France definitely has it backwards. Now that it is in deep trouble economically, the bureaucracy is claiming for even more soft communism in a very totalitarian way. One needs to understand that the system made some people quite rich, way more than they would have been able on merit alone, thanks to the politics of bureaucracy.
Funnily enough the "far-right" is brandished as a fascist boogeyman when it would be a challenge to actually become more totalitarian.
For those reasons the "state of rights" is losing its legitimacy and criminality is on the rise unsurprisingly. When what you can expect to get out of the system becomes too disconnected from merit, it doesn't make sense to participate as a good actor.
So we now get rising commissars that try to police speech and behavior any way they can. The police is basically a state militia that spends more time annoying mostly law-abiding citizens for minor offenses that just toe the line, in order to extract as much money out of them as possible. Meanwhile real criminals are out of control and receive laughable sentences from the corrupted justice system when they get caught. Following far-left ideals, criminals are victims that can be given more chances. One elected parliament member got caught buying drugs and basically nothing happened to him. Hard to not see some collusion.
What is cooperation? How are they supposed to unlock the phone?
Unless you're saying 'compelled to use their private keys to publish an update' or something along those lines, in which case I would say the original headline is correct.
There is no law allowing the police to do that in France so that can’t be what cooperation means.
In the case of Telegram, it was about providing meta data when subpoenaed and moderating the unencrypted part of the application.
There is little reason to believe it is about anything else here.
Edit: Happy to hear what the people downvoting actually disagree about as usual. At the moment I have read a ton of mud thrown at France here - including someone from GrapheneOS implying they won’t hire from France unless someone relocates, which must be one of the most hilarious takes I have ever read coming from someone from North America - with very little actually substantial shared, which, to be fair, seems to be becoming the norm here.
And how do you hack a single phone without a backdoor in every phone?
You use the signing keys for GrapheneOS to push an update to a single user.
With a known bug in a product that you didn't disclose.
https://web.archive.org/web/20221124085649/https://www.washi...
I agree
The thread linked is much more balanced than the title given
> This seems blown out of proportion?
Par for the course on hacker news.
Remember when they arrested Pavel Durov? I don't buy their official reasoning.
Dear European friends, our leaders are tightening the screws. If we don't make our voices heard this is only going to get worse.
https://x.com/durov/status/1976420399970701543
I remember. It helped expose his lies about not traveling to russia and not collaborating with russian security services.
care to expand/provide some more info?
I mean, Durov has been trying to push for Russian puppets to get elected in Romanian and Moldovan elections, by pushing to everyone (at least in Romania, he might've just posted on twitter for Moldova) that the French government is trying to interfere in the Romanian elections. I mean, it turns out, Russia was, on behalf of the candidate he was talking about... so take from that what you will.
Oh, yeah, and he calls himself DuRove now. Hats off for that one, but I hope he rots in prison for advancing the Russian agenda.
I mean, sorry, but the EU essentially installed puppets in both Romania and Moldova, what are we even talking about here?
You know I didn't use to understand libertarians, but after years of watching boundaries being overstepped again and again I think I see the appeal of burning it all down and living in a cabin in the woods.
Like, in Europe we already live in a completely safe society in historical and geographic terms, what more do you fucking want? Security is beyond a laughable excuse for things like chat control. Power tripping elitists will never be happy until they have the entire population under 24/7 camera surveillance and can read every thought in our heads as it occurs. If you make crime impossible, you make free will impossible.
> I think I see the appeal of burning it all down and living in a cabin in the woods.
AFAIK, you're not allowed to live in a cabin in the woods in Europe.
The same reason there's only more regulations being piled on top of previous ones. Sadly only wars and similar catastrophes work as reset buttons for these things historically. A peace as long as the current one is somewhat of an untested ground
The libertarians that want to live in the woods have a point.
The problem is the libertarians that want to burn it all down and build a corpo-state.
"... the appeal of burning it all down and living in a cabin in the woods."
I hope that's not what you think libertarianism is about. I'm sure there are libertarians who DO feel that way, but it's not a core tenet to personally isolate and live off the land.
Libertarianism sees not left vs right, but instead the people against the government. Libertarians focus on personal liberty and solving problems together, voluntarily, as individuals cooperating. A libertarian would say, for example, that if I think a bridge should be built, then I should either build it myself or convince other people to help me out voluntarily - but not use government to force people to help (via taxes, etc).
Libertarians are against force/coercion, and see government as the ultimate expression of force.
There are some loony libertarians, as there are of any political party, but most of us have pretty ordinary and mainstream beliefs and priorities.
I agree with your overall sentiment, except:
"Like, in Europe we already live in a completely safe society in historical and geographic terms"
Russia. Putin.
try it, like these people https://www.youtube.com/shorts/7iJDMU43iUk
It’s important to defend libertarian values even when things are good. Small violations of civil rights have a tendency to stick around and snowball into something worse.
> in Europe we already live in a completely safe society in historical and geographic terms, what more do you fucking want?
For people not to get killed, abused, and exploited? You don't sound like a "libertarian" you sound like an anarchist.
You know who has a large part of the population under global 24/7 surveillance right now? Google, Facebook, Microsoft.
> We’ve been made to believe that the greatest fight of our generation is to destroy everything our forefathers left us: tradition, privacy, sovereignty, the free market, and free speech.
Read: "Hi, I'm a right-wing populist."
Tradition is virtue signalling to them. Sovereignty is to fuel this anti-EU trend (a Russian propaganda point).
Durov is a Russian asset, I'm sure of it. Why, cause he got ties with the underworld, that is why. He didn't want to act on warez, narcotics, criminals, scams, etc. None of that he took seriously, because in the viewpoint of a Russian criminal (the Russian state is the head of the criminal enterprise) all of that is just business. Which is also why he gets along so well with Trump. But when he didn't want to act on child pornography, he went too far. Because approximately all adults oppose that sexual preference. That is when France got his ass handed on a silver plate.
If this guy would care about free speech he'd be a lot more vocal about Trump and Putin instead of France and EU. The EU is under attack by Russian trolls, ask anyone who works in SOC. It has become worse...
> I don't buy their official reasoning.
Why not? Have you used Telegram? Before Durov’s arrest there was open drug trade everywhere, afterwards they started to actively ban groups.
In the Pavel case, it involved child pornography groups on Telegram and the fact that they ignore a court order.
But I agree with you for the authoritarian logics in Europe (even America) with Chat Control and other actions like the French gov. just did....
Is it safe to assume, then, that Google and Apple already have backdoors in their operating systems as likely requested by many governments around the world (not least of which the one from their home country)?
Or is GrapheneOS the only one built securely enough to need to be leaned upon?
Either way, makes Google and Apple look bad and/or incompetent and GrapheneOS look like some kind of beacon of user protection / privacy rights / other things that are the opposite of the direction the world seems to be moving.
> Is it safe to assume, then, that Google and Apple already have backdoors in their operating systems as likely requested by many governments around the world
I don't know whether it is safe to assume. But if they are complying with Australian law, specifically the Assistance and Access Bill (2018) [0], then they must write an undetectable backdoor for the Australian government if asked (that's the assistance the bill's name refers to), and push it to any phone the government demands (that's the access bit).
The only way to avoid this as far as I can tell is to run a free open source distribution. Unlike the paid systems such as Windows and iPhone, the free distributions do not have the "billing relationship" with their customers that the proprietary companies are so fond of. It's that billing relationship that allows them to target only the devices owned by a specific individual.
The Australians must do that targeting because that law demands they don't introduce a systemic weakness into every phone. Any sort of backdoor is considered a systemic weakness. I dunno what laws other countries operate under, or how well they follow the laws they do have, but I'd be surprised if Australia wasn't following its own laws. That means if your device runs a true open source distro that doesn't track its users, in Australia it's truly your device.
[0] https://www.homeaffairs.gov.au/about-us/our-portfolios/natio...
> if your device runs a true open source distro
The situation with Android security updates means that such a distro is either not based on Android (and likely less useful), or there are months-long delays to security updates for the non-GPL components.
Similarly, non-Google versions of Android can't run important apps that require attestation, including the Australian government app myGov.
https://grapheneos.org/articles/attestation-compatibility-gu...
Viva FOSS!
Every time I travel internationally I immediately get notifications for Android OS updates. I'm pretty sure they are for satisfying local regulations about the phone's behavior, including the topic at hand.
Interesting. I have never seen anything like that in many years of frequent travelling while using Android. Which countries did you see this in? And are you using stock Android or some vendor's version?
I am not saying there are no backdoors, but this never happened to me.
And I am an Android user since the first G1 phone.
Anecdotal. Why wouldn't they deliver these via Play Services update? It's easy to dismiss an OS upgrade, background updates can't be really blocked.
This has never happened on my iPhone
Apple has already taken the US government to court and forced them to back down after the FBI demanded that they insert a backdoor into iOS.
> In 2015 and 2016, Apple Inc. received and objected to or challenged at least 11 orders issued by United States district courts under the All Writs Act of 1789.
https://en.wikipedia.org/wiki/Apple%E2%80%93FBI_encryption_d...
This year, Apple took the UK to court and announced that they would strip encryption features from UK users before they would give in to UK demands for an encryption back door before the UK backed down.
If Graphene has the money to do so, they should fight it out in the courts.
There's a reason why they haven't had issues since then, not even with Trump.
And it's not because they're hiding your data. See their disclosure report for data requests.
Or that GrapheneOS is small enough to bully.
The EU doesn't seem to shy about forcing Apple or Google to do things, so I don't think it's a size thing.
It's likely not due to any backdoors present, more so due to weak default settings plus alternate routes to the data. Things like backups being unencrypted either by default or when uploaded to the cloud. You don't need to ask for a backdoor if most users don't have encryption enabled.
I seem to remember the FBI attempting to compel Apple to decrypt a criminal's iPhone, only for Apple to refuse and claim that it wasn't possible. I'm not sure exactly what happened after that. I think it was suspected that the NSA was able to do it by exploiting an unpatched zero-day. So they didn't need Apple's help anymore and the issue was dropped from the public's eye.
There's a couple overlapping things here:
1. Apple can and does comply with subpoenas for user information that it has access to. This includes tons of data from your phone unless you're enrolled in Advanced Data Protection, because Apple stores your data encrypted at rest but retains the ability to decrypt it so that users who lose their device/credentials can still restore their data.
2. Apple has refused on multiple occasions, publicly, to take advantage of their position in the supply chain to insert malicious code that expands the data they have access to. This would be things like shipping an updated iOS that lets them fetch end-to-end encrypted data off of a suspect's device.
> remember the FBI attempting to compel Apple to decrypt a criminal's iPhone, only for Apple to refuse and claim that it wasn't possible
Apple refused “to write new software that would let the government bypass these devices' security and unlock” suspects’ phones [1].
> not sure exactly what happened after that
Cupertino got a lot of vitriol and limited support for its efforts.
[1] https://en.wikipedia.org/wiki/Apple%E2%80%93FBI_encryption_d...
I always assume these public performances are merely performances and that no one hears about the actual dirty work.
I don't remember Apple ever saying that it was impossible for them to do it, just that they didn't want to.
It was always kind of assumed that they could, by eg signing a malicious OS update without PIN code retry limits, so the FBI could brute force it at their leisure, or something similar.
https://en.wikipedia.org/wiki/Apple%E2%80%93FBI_encryption_d...
Cellebrite did the job using a vulnerability..
That was a show put on for the sole reason of the public seeing it.
> Or is GrapheneOS the only one built securely enough to need to be leaned upon?
Probably has something to do with it, but GrapheneOS doesn't have the money or resources that Google/Apple/etc has to lobby/bribe/delay/obfuscate/navigate/drawout/etc such attempts.
Google and Apple were infamously official data providers[1] of the NSA's illegal and unconstitutional (as ruled by a federal judge[2]) warrant-less surveillance program (PRISM[3]) exposed by Edward Snowden.
It's safe to assume that software provided by every large, publicly-traded, for-profit technology company incorporated in the USA cooperates extensively with US intelligence agencies, and therefore by extension, the "Five Eyes" alliance, at a minimum if not also the "Nine Eyes" and "Fourteen Eyes" alliances [4].
[1] Slide 6: https://www.eff.org/files/2013/11/21/20131022-monde-prism_ap...
[2] https://www.reuters.com/business/media-telecom/us-court-mass...
[3] https://en.wikipedia.org/wiki/PRISM
[4] https://en.wikipedia.org/wiki/Five_Eyes
Of course the likes of Apple and Google are complying with lawful orders from the governments of countries they do business in.
Businesses that don't generally cease operating in said country. LavaBit was a highly visible instance of a business shuttering itself instead of complying with such lawful orders.
That's also the ploy of basically every VPN provider out there. They say they don't store or give out data, but they still adhere to lawful requests. That necessarily includes requests from countries where they legally offer their service, even if their HQ is in some country with lax legal frameworks. It also means, if there is a legal way to coerce them into recording your data or handing it over, they will do so.
https://www.pcmag.com/news/nordvpn-actually-we-do-comply-wit...
Yes, it's safe to assume that companies follow the law in countries where they operate.
So we need GrapheneOS to stand their ground more than ever!
My country has this: https://www.schneier.com/blog/archives/2024/09/australia-thr...
Which kinda ruins it for everyone.
Additionally, I would assume/guess that if it's some kind of coordinated campaign involving media then there is no law to compel GrapheneOS to do this. If there was a law then that would be the pressure, as opposed to media articles.
What that then implies is a campaign to convince the public a law is necessary, ie. they're already laying the ground work for support for the next version of a Chat Control bill.
Google Translate link:
https://translate.google.com/translate?tl=en&hl=en&u=https:/...
Additional context:
https://grapheneos.social/deck/@GrapheneOS/11557599710445618...
https://grapheneos.social/@GrapheneOS/115583866253016416
https://grapheneos.social/@LaQuadrature@mamot.fr/11558177594...
https://grapheneos.social/@GrapheneOS/115589833471347871
https://grapheneos.social/@GrapheneOS/115594002434998739
Summarized translation:
Following the propaganda of the ministry of interior, several articles were published in press about GrapheneOS, which is described as a solution for criminals because it allows to hide things.
La Quadrature du Net [similar to the FSF with regard to defending users' rights] argues that the purpose is of course not cybercrime, but to secure and protect the privacy of its users.
The head of the anticybercrime brigade of Paris threatens to sue the developers of GrapheneOS if connections with organized crime were to be found.
The government has repeatedly tried to extend cyber-surveillance previously. They are trying to use a law designed to fight drug traffickers in order to enforce backdoors in services that use cryptography, such as Signal or WhatsApp, without any success for the moment.
---
So, it's a threat before having a proof. They also mention the arrest of Pavel Durov, who was arrested because Telegram failed to answer legal requests, which was then constructed as complicity with criminals using Telegram, but that's obviously a very different case.
But of course, if they succeed in forcing backdoors, criminals will just use other ways to communicate (doesn't matter if they are legal or not because, well, they are criminals...) or tricks; for instance, back in the day when (analog) phone calls could be wiretapped, they were already using code words. They could use e.g. steganography tomorrow.
But we will be left with backdoors that are an unacceptable compromise on security and privacy. This is a recipe for dystopia considering that far-right parties are getting stronger in Europe, including France.
Too bad Google Translate doesn't have a subscription to Le Parisien.
https://archive.is/wW7N6
Oh! It's about drug trafficking. Then I have nothing to hide. Please root and backdoor my phone. And also give the keys to all the hackers around the world...
I like grapheneOS. They have a clear focus and that should be respected. However, all that drama about e/OS they are creating and claims about fascist law enforcement are a bit over the top IMHO.
How so?
e/OS is a fucking joke
so, they are basically confirming Android and Apple have their backdoors as no arrests or seizures on that matter have taken place
That was my read on that too.
> As of 2018 through an initiative sometimes termed "Five Eyes Plus 3", Five Eyes has agreements with France, Germany, and Japan to introduce an information-sharing framework to counter China and Russia.
https://en.wikipedia.org/wiki/Five_Eyes#Five_Eyes_Plus
Yep. That’s the implication, and it’s disturbing. It also implies the US government knows - otherwise why wouldn’t they use their influence to put an end to this?
Does this apply to other Linux Distros?
I don't think they are highly concerned with people installing their own OS on desktop machines, that's still a fringe group. And most of us are using smartphones too. Also there are likely other trivial exploits like CUPS which was preinstalled and enabled by default on desktop linuxes.
Every smartphone has hardware backdoors controlled by BTS'.
Source?
Not really. It's one thing trying to bully a relatively small FOSS project, it's quite something else to take on one of the world's biggest companies that can afford a literal army of lawyers and that also has the power to have the US government intervene on their behalf.
Actually, in some ways, it is easier to bully large companies - because those companies are less flexible in avoiding confrontation with the authorities in a certain state. For Google to avoid having a legal presence in France is much harder than for the GrapheneOS project to do the same.
But - valid point regarding having the US government intervene.
> that also has the power to have the US government intervene on their behalf.
This would seem to be a weakness, if your goal is using American clout to persecute malware manufacturers: https://www.securityweek.com/apple-suddenly-drops-nso-group-...
you’re getting the logic wrong. i’m absolutely sure apple and google have direct cia backdoors. that’s what Snowden taught us and it would be delusional to think the world has changed. The bigger the company = tighter the link with power
that's my understanding as well. absolutely unsurprising btw.
absolutely yes
I think your devices should have government-mandated backdoors if and only if you are a public servant. I don't understand why private citizens are held to higher standards of conduct than politicians and cops.
I've been saying this for years: the more power you have the higher standard you should be held in. In most societies on the planet it's the other way around.
> In most societies on the planet it's the other way around.
Obviously, because the ones with power make the laws.
Everyone agrees with this obviously but it's like saying that we should be able to levitate or live in utopia. It's almost a law of nature that the types that become powerful are not your most savory individuals and will use the power to reinforce their positions.
I've been saying this too but lately I think the fundamental notion of power is wrong. There's 2 perspectives which are 2 sides of the same coin:
---
All social relationships should be consensual.
This means based on _fully-informed_ consent which can be revoked at any time.
This already marks employment as exploitative because one side of the negotiation has more information and therefore more bargaining power. Not to mention having more money gives them more power in a myriad of other ways (can spend more on vetting you, can spend more on advertising the position than you can on advertising your skills). Just imagine if people actually had more power than corporations - you'd put up an ad listing your skills, companies would contact you with offers and you'd interview them.
Citizenship is also exploitative because you didn't willingly sign a contract exchanging money (taxes) for services (protection, healthcare, roads, ...), in most countries you can't even choose which services you want to pay for. And if you stop paying, they'll send people with guns to attack you. This sounds overdramatic (because it's so normalized) until you realize from first principles that is exactly what it is.
_If democracy is supposed to mean people rule themselves, then politicians should be servants which can be fired at any time._ In fact, in a real democracy, people would vote on important laws directly and only outsource the voting to their servants about laws which don't affect them much, or they'd simply abstain.
---
Power should come from the majority.
This should naturally be true because all real-world power comes from violence and more people can apply more violence (or threaten it, when violence is sufficiently probable to be effective, it usually does not need to be applied, the other side surrenders).
But people who are driven to power have been very good at putting together hierarchical power structures where at each level the power differential is sufficiently small that the lower side does not need to revolt against the upper side. But when you look at the ends, the power differential is huge.
Not just dictators, "presidents" or presidents but "owners" and "executives" too.
You don't truly own something you can't physically defend. When you as a worker finish a product, you literally have it in your hands. You could hand it over to a salesman and you'd both agree on how to split the money from selling it. But instead, you hand it over to the company (by proxy its owner) which sells it and gives you your monthly wage irrespective of how much the product made. The company being free to fire you or stop making the product obviously makes more money than you - it's an exploitative relationship.
But why do you hand it over? Because if you don't, they'll tell the state and it'll send people with guns to attack you.
---
Bottom line is if people had equal bargaining power ("equality"), then if they chose to temporarily give "power" to someone in one area, they'd obviously take away their "power" in some other area. Why? Because they'd know if they didn't, the more powerful person would use this power differential to get even more power, and so on, starting the runaway loop we have here now.
Even then the backdoor should be on their government device and not the personal devices.
Note that having their personal device when doing government work should be prohibited (that is you can't have it in your pocket when working). As is using your personal device for anything government (other than a formula check your government device call/text - employees should be regularly tested that they report any government communication that doesn't follow the formula)
I mean, this already isn’t permitted in the US yet somehow I’ve read her emails and his signal chats.
> devices should have government-mandated backdoors if and only if you are a public servant
This would be an intelligence bonanza.
Better: mandatory, encrypted logging. Officials maintain the keys. When they leave office or are subpoenaed, they have the means to grant access. (If they can send and read their messages, they have the keys.)
This is how NARA in the U.S. is supposed to work.
> This would be an intelligence bonanza.
And ideally an illustration to those in power why backdoors are never a good thing. They won't care if it's not happening to them. But if their devices are suddenly incredibly insecure due to their backdoors, they might just rethink the concept entirely.
> This would be an intelligence bonanza.
If you're wanting to do it with all citizens, why not start with public officials? It's no worse than your desired end state
They'll just use a private device or off network server. I don't think we're going to "hack" our way into a just society.
It's even more of an intelligence bonanza when it's done to the private citizens! That's the point of trying to do it!
We do have things like the Freedom of Information Act in the US, and I think a lot of European countries have similar laws. Yes it isn’t perfect and could be enforced more evenly.
But obviously, if you work for the military there is information that needs to be kept secure…
Backdoors exist for everyone or they exist for no one, this technology isn't one that has room for a gray area to debate. If it can be deployed to public servant devices, it can be deployed to your device.
Not according to Chat Control at least where politicians are exempting themselves from State surveillance.
Only if they're using the same devices everyone else uses. If they're required to use a certain kind of hardware, or they're required to submit their device for hardware modification, this stops being an issue, doesn't it?
That is totally not true. They can be forced to install an app on their device that creates the backdoors. Companies do that all the time. An OS doesn't need to have backdoors built into it for backdoors to be added to it. Kinda the point of an OS is that it is general purpose.
Isn’t it already the case?
Politicians are routinely ordered to surrender their communication to justice to audit what they do. Missing texts from Von Der Leyen is at the heart of Pfizer-gate after all.
I don’t really know what to think about this to be honest. I don’t think it’s entirely black and white and I find it surprisingly easy to play devil’s advocate.
Remember that the US government has an insane level of access to private communications via all the post 9/11 laws, how cosy it is with the main tech companies and we know they do a lot of this spying unofficially and with little oversight since Snowden.
Meanwhile, France is struggling with an unprecedented level of organised crime activity with the amount of violent crimes reaching worrying levels. We are talking murders involving automatic weapons in broad daylight in the middle of the streets of France’s second largest city. Two weeks ago, the young brother of a famous anti-drug activist was murdered by a hitman while shopping.
There has been a huge increase in the quantity of cocaine being smuggled from South America triggering intense gang competition for the control of deal points and the means in place to tackle the issue increasingly look vastly undersized. Limiting the discussion to it being an authoritarian measure is refusing to acknowledge the very real challenge police currently face.
The only problem with that train of thought is that you are advocating a lower standard. Backdoors are not a superior option in any circumstance whatsoever.
The standard of conduct we need (and are failing) to hold politicians and cops to is actual security and responsibility. Some of the most powerful politicians in the world are leaking private conversations, and no one is holding them accountable. Police are paying private corporations (notably Flock) to build giant monolithic datasets from stalking private citizens, yet neither party is held to any standard whatsoever.
> if you are a public servant. I don't understand why private citizens are held to higher standards of conduct than politicians and cops.
Last time I checked, politicians and cops are private citizens...
Wherever you stand on this, I can't understand the justification for this "one rule for thee" position.
Logistically, when you combine private citizenship with government you get corruption problems because incentives are so misaligned.
In fact private citizenship combined with government is the origin of corruption. Think about it, as a government official your incentive should be to preserve order, fairness and honor. As a private citizen your goal is to optimize the amount of money you make via business or employment through whatever means possible. That means exploiting loopholes and possibly when no one is looking, breaking the law.
The incentives are orthogonal and it does make sense to have a different set of rights and rules for government officials and private citizens. The minute you take the attitudes of private business/citizens into the world of government you get people creating rules that are corrupt.
I suppose that was irony to highlight they're usually exempt.
Also, they are paid by the people to work for the people, so during the exercise of their functions they could in theory be contractually obliged to use a company phone
> politicians and cops are private citizens
You may be confusing the civilian/military distinction with private citizens versus public officials. (A delineation American cops fuck with.)
They're actually public figures and have different standards since they're being paid by the public to represent their interests.
> You can't understand why the people with a monopoly on violence and force have higher scrutiny? -- @retr0rocket
Replying here to this seemingly flagged/dead comment (not sure why it was flagged - a very reasonable question).
I fully support higher scrutiny of public officials & cops, but this frankly isn't that. First & foremost, the problems you're describing are systemic, not individual. Monitoring a cop's phone isn't going to reduce police violence if the system isn't accountable - this is essentially the "bad apple" argument. The entire system needs drastic reform: backdoors won't solve any real problems here.
Secondly, independently of the levels of reform needed, at an individual level we're talking workplace conduct, reporting, protocols & transparency -vs- dystopian privacy invasion. There's a very broad spectrum here long before we reach the need for extremes.
Lastly, you need to look at the systems doing the monitoring of politicians' & cops' phones in this hypothetical scenario: if those systems contain the same systemic corruptions (which they inevitably do), the entire argument for oversight is moot.
You can't understand why the people with a monopoly on violence and force have higher scrutiny?
Why would politicians and cops want to be held (actually) to a higher standard?
Who says they would? The point is the people would vote to have them held to this higher standard. They represent the people's will. They shouldn't get to choose other than their personal vote, the people choose. If they don't agree with what the people choose then they can leave politics.
Even if you're a public servant, a backdoor is a big security risk.
exactly!
That is a terrible, terrible idea.
It would make it even easier to hack them, blackmail them, snoop on top secret information. The list goes on.
No, the correct answer is - no backdoors because crypto, because security, because of theft, because of France, or any other government or Uncle Sam.
If they want to protect the children, hunt crime, catch drug dealers, they are going to have to learn criminology.
As much as I want to agree with you, no, backdoors for them mean backdoors for everyone else. It's all or nothing. Now, they should be held to a higher standard, and face stiffer penalty than the regular prole because they should be the example-setters.
Do better policing (and that doesn't include trying to backdoor devices), but backdoors aren't the answer.
I'm torn. I don't want backdoors but I do think police with a warrant from a judge should be able to access your phone.
There's a top tier DEFCON talk by the Lavabit email guy. He explains where the line is for access to phones and other encrypted information. I'll try to summarize -
1 - Law enforcement have actual information about the probable contents of your phone (like an incriminating filename will do). They can reasonably expect to get a warrant and access to your stuff.
2 - They don't know what's there at all, and have no probable indication of the contents, and in this case they cannot expect access because they would just be going fishing.
Having said that - backdoors are bad.
Then you must provide access to your phone or be held in jail indefinitely / until you comply for violating that court order.
I'm reminded of Mr. Fart's Favorite Colors here - is it even possible to provide warranted exception, protected from abuse?
The article is kind of interesting: on the one hand, you’ve got a tool that can be used by ordinary citizens and political dissidents for legitimate reasons. On the other, the French police were mildly inconvenienced during their arrest of a small-time drug dealer.
Yes, really, that’s the argument.
It's about protecting kids/olds/fighting crime/drug dealer
"What would you like me to wrap the global surveillance in?"
IYKYK :D
https://pbs.twimg.com/media/Bz2FvX7IEAAZ7F4.jpg
True freedom, of any kind, requires freedom to say things and think things in private. I sometimes think horrible things and even discuss them with my friends. I need that space to work out issues. Without a truly safe space I would eventually go mad as I suspect many people would. The other part of this is that a basic requirement of freedom is trust with accountability. It means we allow things that may be harmful but if things go bad we hold those responsible accountable after the fact. It also means we may not catch all the bad guys and that is OK because the alternative is that everyone turns into a bad guy when we prevent people from doing things in case they will be bad. There is a balance here but the position that a govt will always have access to all private individual (acting in a private capacity) communications is not anywhere near a reasonable balance.
If the small guys are getting threats like this, one can only assume the big guys already have suitable backdoors...
I can understand you thinking that and there's probably some truth to it but do I consider Android and iOS compromised with government backdoors? No. What do I base this on? The lucrative black market for Android/iOS 0days.
And who's buying them? Generally, state actors, directly or indirectly. There is an entire ecosystem of Israeli "security" companies that exist to farm out these exploits. This is a big part of why Israel is such a key component of the American national security infrastructure. Israel is largely beyond the jurisdiction of American courts and any kind of direct scrutiny by the government.
It's a bit like how the US isn't (technically) allowed to spy on US citizens. How do they get around this? By farming out such activities to allied intelligence services, particularly Five Eyes members.
This entire ecosystem and marketplace just wouldn't exist if Android or iOS were fully backdoored.
I see your point, but this could also mean that the backdoors are there, just only a few organisations know it (let's say US army) and then they get found and found again
Perhaps, or perhaps they started with companies that are smaller and easier to intimidate.
Larger companies are easier to influence than small ones, no intimidation is necessary.
Protecting user privacy delivers close to 0 shareholder value, being friendly with nations wins you billions of dollars in contracts, regulatory protection, and friendly courts, it's a win-win for big companies and surveillance states to be friendly with each other.
I don't think so; (but at the end of the day, you can never be 100% sure unless it's 100% OSS)
But with that being said both Apple and Google store a lot of data about you, and they are willing to "cooperate" with the government, and they did hand over data in various cases, Apple included [1]. For some reason, people think of it as the "privacy company".
btw, big tech also get harassed for similar requests: The UK, for example, is still pressuring Apple to build an encryption backdoor [2].
[1] https://www.apple.com/legal/transparency/ [2] https://www.eff.org/deeplinks/2025/10/uk-still-trying-backdo...
Some advocacy groups are denouncing the collusion and lobbying taking place between industrials, governments, and the media.
https://eu.boell.org/en/2024/04/25/press-freedom-france
https://ipi.media/france-media-freedom-threats-capture/
The linked article from Le Parisien (a big French billionaire-owned newspaper) is quite nuanced.
It gives the police's view on narco-traffic crime, but also Graphene's take:
"Criminals and traffickers also use knives." This organization, which is not a company but a foundation, emphasizes that its solution is used by ordinary people who dislike how apps and operating systems handle their data. It adds that if criminals use Google Pixel phones and GrapheneOS, it’s because these solutions work well. But that doesn’t make them accomplices, they assure. "Criminals and traffickers also use knives, fast cars, and cash—things that are also widely used by honest citizens," its representatives note.
And GrapheneOS adds that it protects users from hackers and intrusions by the secret services of totalitarian states. "We consider privacy a human right, and we are concerned about projects like Chat Control (a European bill aimed at detecting child sexual abuse material in messaging services, but which has faced significant criticism) that the French government supports. The invasion of privacy enabled by such legislation would have alarming implications under an authoritarian-leaning government," it argues.
I didn't read it[0] as being particularly nuanced. I thought it was a fact-loose, extremist hitpiece against FOSS, containing howlers such as
> "Particularité de GraphèneOS : on peut se le procurer autant sur le darknet que sur des sites grand public." ⇒ "A distinctive feature of GrapheneOS is that it can be obtained both on the darknet and on mainstream websites."
Quoting "both sides" (so to speak) doesn't automatically create a thoughtful dialog.
[0] https://archive.is/20251119082524/https://www.leparisien.fr/... (tr. "Google Pixel and GrapheneOS: drug traffickers' secret weapon for protecting their data from the police")
Ah, so it's kind of like saying "A distinctive feature of Renault vehicles is that they can be purchased both with cash or through regular financing."
I'm unsure whether it's appropriate to trust Le Parisien's equivalencies.
Q: Do they have a track-record of intellectual honesty?
Equivalencies are powerful, and dangerous if mis-handled.
E.g. this is worrying [from the article]: "A unique feature of GrapheneOS is that it can be obtained both on the dark web and on mainstream websites." Le Parisien is calling out GrapheneOS's availability on the "Dark Web" as significant, in the context of "Drug Trafficker's Secret Weapon". Banned books can also be acquired on the Dark Web, and banned books are not illegal, yet, in mainstream democracies. So Le Parisien's equivalency, here, is misleading.
> and banned books are not illegal, yet,
now now comrade, if the book is banned, how is it that you are in possession of it? you're clearly breaking the rules. I do believe it is time for you to start counting trees
"Criminals and traffickers also use knives."
London already did this
Not really? You can buy knives in London, and any laws regulating knife purchases are UK-wide, nothing to do with London specifically.
How could you be so naive?
This article is as absurdly biased as it could be! Of course they provided a quoted response from GrapheneOS devs: that's the only appeal to credibility they have.
A truly responsible journalist would explain to their audience what is actually at stake, not simply spout every available position as if it were equivalent.
>cash
this will be next step
> Le Parisien (a big French billionaire-owned newspaper)
They're all billionaire owned. As an example, left wing newspaper Liberation has Kretinsky among the owners
Yeah, "Le media" and "Mediapart" are "left wing" newspapers and not billionaire owned, there are right wing ones too, but they are small. Libé isn't owned by Kretinsky but Patrick Drahi, Kretinsky owns Marianne (right to far-right now...).
But anyway yeah, in France (and in other countries too) there is a media oligarchy.
Check the France problem: https://www.monde-diplomatique.fr/cartes/PPA https://www.monde-diplomatique.fr/IMG/png/poster_medias_fran...
Other countries with broken media ecosystem: - Australia: https://www.theguardian.com/commentisfree/2024/mar/17/the-br...
But also USA and Poland for example.
One thing though is - knives, fast cars and cash aren't built with deliberate motivation of thwarting the law enforcement and criminal investigations.
GrapheneOS and its systems are - you can walk through history and see that they're deliberately working on systems that defeat law enforcement's efforts of collecting data from seized devices and tracking criminal networks.
This is a massive difference - even for knives and cars, you'd get into some hot water (or outright illegal behaviour) if you build them with express purpose to make them hard to find and track by law enforcement. Try making a company that focuses on cars that hide its license plates from the police and you'll see how far that will go.
This is one thing that GrapheneOS, Signal and others will need to at some point reckon with - the fact that they deliberately work at making law enforcement's work harder and provide effective cover for criminals will get them into hot water. And I don't think population will stand at their side when they find that they've been helping CSAM traffickers hide their loot.
Having all that anti-governmental rhetoric won't end well for long-term survivability of these projects - which sucks for all of us.
Graphene shouldn't have to reckon with the abuse of government, we should step in and speak up for them. If having a secure device becomes criminal, only the criminals will have secure devices.
Law enforcement is being lazy by trying to rely on mass surveillance rather than espionage tactics to catch criminals. Criminals learned long ago how to work around surveillance, so this doesn't really work on them. But it does subject the public citizen to undue scrutiny and violation of privacy, which history has shown is then used against the innocent. We don't need any more reminders of how popular authoritarianism has become. And it's often used to pin a crime on an innocent person (a common police controversy), or intimidate and harass them (see FBI).
> I don't think population will stand at their side when they find that they've been helping CSAM traffickers hide their loot.
This is just one of many examples of a false rhetoric used by politicians to manipulate the public into kowtowing to mass surveillance. We cannot stand for this and must fight it at every turn. "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."
Genuinely curious: what did you see in GrapheneOS history that indicates that the OS is specifically designed to defeat law enforcement (as opposed to their stated goals of defeating ad surveillance and stalkerware)?
To hell with the governments and law enforcement, privacy is a right and is not a weapon.
There is no way to have a completely secure operating system, safe from hackers and spy organizations and thieves, that is also accessible at the whim of law enforcement. Period.
If we can't trust hosted services to protect our data, and we can't trust our own computers to preserve our data, the right to privacy simply doesn't exist.
I think your point is that there is evidence that the intention of some or all of the developers and/or the organization as a whole is to make law enforcement more difficult. You go on to argue that this intention fundamentally alters how society, or at least law enforcement arms of government, should view this technology. Specifically, I take your argument to be that law enforcement should or will treat them as accomplices to some degree of the crimes they enable.
This is a very counter-productive distortion of privacy, and borders on a lie about Graphene.
Something designed to be private doesn't know the difference between a law enforcement officer trying to break into it and a criminal trying to break into it.
There is no special "anti-cop only code" that gets executed, any more than there are special "cop tools" that exist on some physical plane where criminals don't.
So which knife makers are serializing their kitchen knives so they can be traced back in case of a crime? How many knives come with a GPS tracking its position? Well too expensive, what about an Airtag. No? By your roundabout logic this qualifies as “deliberately working on systems that defeat law enforcements efforts”. It’s an absurd argument.
To actually do any crime with GrapheneOS you would also need at least a VPN and basic understanding of operational security. Just as you would need a lot more than just a knife and car to be a successful criminal.
A Pixel phone with GrapheneOS is not some magic device that lets you do crime without immunity, but that’s the story they want to sell you.
Are you livestreaming your face on Twitch right now? If not, why are you deliberately making it harder for police to catch criminals? It would be so much easier for police to catch criminals if everyone livestreamed on Twitch 24/7, it should be a crime not to do that.
The gloves are really off against the best interests of the public now aren't they?
In a sense, trajectory has not really changed, but, admittedly, the pace of change has accelerated tremendously. UK and now France.
I think EncroChat scared them pas-de-merde, and this may be an overreaction by untutored civil servants.
In the end, wasn't EncroChat a larger problem for the criminals than the governments?
Once it became a big enough target it got taken down, and then quietly run by the police who collected everybody's messages for months before triggering a huge round of arrests, including quite a bit of major organized crime across Europe. The dangers of centralization. They'd love another EncroChat!
Doesn't apply so much to GrapheneOS of course since they're not in the messaging platform market, but it's definitely a cautionary tale.
I watched a fascinating documentary about EncroChat (https://www.channel4.com/programmes/operation-dark-phone-mur...). It was obvious the police absolutely loved having this real time feed into criminal communications, and thought "let's have more of that please". They don't realise the consequences are that criminals won't use such forms of communication once they know they're backdoored.
Of course they realise it, and they know it's irrelevant, because their job is to catch actual dissidents today, not hypothetical future dissidents.
> scared them pas-de-merde
Huh?
French for "shitless"
"without shit" translated...
"Scared them shitless" in faux franglais.
Probably something like this would be close to the same colloquial meaning (I'm not familiar with any pants-shitting slang in French): EncroChat leur a foutu les jetons de ouf.
(closer to "scared the hell out of them")
Is it a coincidence that this comes out on the same day that the Chat Control proposal got a green light from the EU member states?
Any actual source for the claim?
As a response to this situation, consider supporting GrapheneOS financially:
https://grapheneos.org/donate
The url is just redirecting to https://goingdark.social/@watchfulcitizen/115605398411708768
Maybe consider replacing the redirecting url to the destination url? Not very good not being able to see the actual url linked imo.
Given the fact that most protests are organized on Facebook groups, how does one keep him/herself aware of eventual protests to come without Facebook/Instagram? I'd gladly join for a cause I support.
Into jail with those officials. Clear violation of their constitution
It is France. The state is them.
Edit: I wonder why this is downvoted. The bureaucratic class holds enormous power in France, and has constantly acted against digital rights and privacy with impunity. The only institution that can somewhat restrain them is ECHR.
Well, other states are not much better. UK, Australia, USA come to my mind. But this is excessive
Americans do not understand the fact that their own government rates the top four intelligence threats as French, Israeli, Chinese, and Russian.
Where do you get that ‘fact’? Can you elaborate?
According to all the Annual Threat Assessment reports from the office of the Director of National Intelligence[1], the top four threats are
1. China
2. Russia
3. Iran
4. North Korea
[1]: https://www.intelligence.gov/annual-threat-assessment
Of course they would say that
Russia is as European as France and certainly more European than the US or Canada. Most of Europe's problems stem from trying to keep Russia out and Germany down.
The latter has worked well because Germany is, to this day, occupied by the US & the UK. But the former has never worked out and is now bankrupting the EU!
Just to be clear about what is really happening right now;
There were three articles from newspapers (Le Figaro, Le Parisien) known for their rightist, pro-cops, opinions, and owned by billionaires (LVMH/Arnault, Dassault). In those articles, GrapheneOS is associated with bad actors purportedly using it as a way to obfuscate their activities.
A comment was made by Johanna Brousse, Chief of French Cybercrime Unit, stating she would not refrain from pursuing the publishers if links were found with a criminal organization and they refused to cooperate with the justice system.
Another claim from a police investigator equates GrapheneOS usage to illegal activity.
“In Canada and the US, refusing to provide a PIN/password is protected as part of the right to avoid incriminating yourself. In France, they've criminalized this part of the right to remain silent.”
Everything about the exercise of power in the digital world is tilted away from the individual.
Windows 11 moved all my files into the cloud without even asking me! I was livid--those are documents that I deliberately DID NOT WANT in the cloud! It's crazy what malice we have to put up with and navigate these days. It just keeps getting worse and more convoluted, too.
[dupe] https://news.ycombinator.com/item?id=45999024
It’s a much better link this time though.
Same referenced link as earlier. Same discussion.
the submitted URL makes HN show grapheneos.social as the domain. the actual URL is https://goingdark.social/@watchfulcitizen/115605398411708768
Perfect timing for moving hosting to Wyoming, USA.
Has anyone noticed the whole of the Western World has gone tyrannical paranoid police state?
The French government will be sued into oblivion for breaking licenses bound to Copyright.
This is a better link from a French privacy non-profit but I can't change it now: https://mamot.fr/@LaQuadrature/115581775965025042
@dang or other mods, could you change it?
Google Translated text:
> Two articles in Le Parisien yesterday, followed today by one in Le Figaro, have launched a shameful attack against GrapheneOS, a free and accessible open-source operating system for phones. At La Quadrature du Net, it's one of the tools we favor and regularly recommend for protecting against advertising tracking and spyware.
> Echoing the propaganda of the Ministry of the Interior, newspapers describe GrapheneOS as a "crime-related phone solution," and a police officer adds that its use is suspicious in itself because it indicates an "intention to conceal." By portraying GrapheneOS as a technology linked to drug trafficking, this attack aims to criminalize what is actually a secure privacy-preserving tool.
> In these articles, the head of the cybercrime section of the Paris prosecutor's office – who was behind the arrest of Pavel Durov – also threatens the developers of GrapheneOS. In an interview, she warns that she will "not hesitate to prosecute the publishers if links are discovered with a criminal organization and they do not cooperate with the justice system." https://archive.is/20251119110251/https://www.leparisien.fr/...
> The government regularly tries to link privacy technologies, particularly encryption, to criminal behavior in order to undermine them and justify surveillance policies. This was the case in the so-called "December 8th" case, where a police narrative was constructed around the (secure) digital practices of the accused to portray a "clandestine" and "conspiratorial" group. https://www.laquadrature.net/2023/06/05/affaire-du-8-decembr...
> Now, drug trafficking is being used to attack these technologies and justify the surveillance of communications. The so-called "Drug Trafficking" law was thus used as a pretext to try to legalize "backdoors" in encrypted applications like Signal or WhatsApp, without success. https://www.laquadrature.net/2025/03/18/le-gouvernement-pret...
> An article in Le Monde diplomatique from November extensively examines the history of the political exploitation of drug trafficking to justify security and surveillance policies. The police attack on GrapheneOS fits perfectly within this pattern. https://www.monde-diplomatique.fr/2025/11/BONELLI/68915
> In its response published yesterday, GrapheneOS points to the authoritarian tendencies of the French government, one of the most fervent supporters of the "ChatControl" regulation under discussion at the European level, one of whose goals is to put an end to end-to-end encryption. https://grapheneos.social/@GrapheneOS/115575997104456188
Additional context:
https://grapheneos.social/deck/@GrapheneOS/11557599710445618...
https://grapheneos.social/@GrapheneOS/115583866253016416
https://grapheneos.social/@LaQuadrature@mamot.fr/11558177594...
https://grapheneos.social/@GrapheneOS/115589833471347871
https://grapheneos.social/@GrapheneOS/115594002434998739
Ok, we've changed to that from https://grapheneos.social/@watchfulcitizen@goingdark.social/... above.
Fyi it doesn't look like this post is listed on the frontpage anymore, even with the points it has. Not sure if it's intentional
Ty!
More graphic content needed to get folks to click through: This is excerpted from the result of G-translating the Parisien link:
"This 27-year-old alleged trafficker is suspected of having run this drug telephone platform which, between 2023 and 2024 in Paris, collected a turnover of two million euros and is said to have caused three overdose deaths during chemsex parties."
I think you meant https://mamot.fr/@LaQuadrature/115581775965025042 instead of a link to "Le Parisien", which is not a non profit, but a newspaper owned by LVMH/Bernard Arnault, and known for having rightist opinions.
Oops, that's correct, ty
At the end of the day, these attacks on privacy are always in reality for keeping incompetent politicians and bureaucrats safe from meritocracy.
Built into the onslaught of demands of backdoors are two key ideas: A) That the backdoors will only be exploitable by the authorities and that B) they're even necessary to carry out their work in stopping trafficking.
I think most people know by now the first idea is preposterous. The second idea is too. The EU should focus on better police tools and tactics that detect and track the actual movement of goods.
"I think most people know by now..."
Sadly, I don't think that that's true. I've been shocked by the lack of understanding there in groups of technical people who should know better. It's even worse in groups of non technical people. I'm afraid this is an ongoing battle, and every time ideas like this come up from government it's going to be an effort to inform the public.
All politicians and bureaucrats demanding backdoors should go straight into prison -- for endangering national security.
> The EU should focus on better police tools and tactics that detect and track the actual movement of goods.
This is a point that doesn't get raised very often: the actual crimes occur in "meat space", not electronically on a device. Haven't police and intelligence been solving crimes like that since 'the beginning'?
The coordination of a crime may be done electronically 'on device', but the actual crime occurs somewhere physical, generally with physical objects and the presence of the criminals themselves.
Why is it suddenly so much more difficult for law enforcement to do their jobs that the privacy of every member of the public needs to be able to be invaded?
Are police forces under-resourced to take on the "how it's always been" approach to fighting crime? Are law enforcement being subject to inapplicable software engineering rules of efficiency to save money? (Ie. Too much focus on the metrics, not the outcomes).
Don't police have great physical surveillance tools? Yes, it may cost more in having to physically surveil targets, but that seems (to me, and this is where the rift lies) that's a good compromise opposed to surveiling the entire populace.
Anyone can say anything in a piece of correspondence that they think is private. If it's made public it completely changes the context. A joke between friends, criminals or not, can look like conspiracy to X, Y, or Z. Research for a crime novel could appear like preparation for a Louvre heist. And even if it is, it's not a crime until it occurs, until that point it's not 'real', the thing suspected of being planned hasn't actually taken place until it takes place. Are we implementing pre-crime without the three psychics?
And one thing I know for sure is that law enforcement do not understand context. They're bred to find guilt, not innocence, and having a larger haystack they'll find plenty of hay they think look like needles. Gotta hit those metrics.
There's plenty of nuance missing from what I've written here, but I fairly strongly feel it's leaning towards reality rather than liberal fantasy.
The police had the ability to intercept phone calls, mail, email and telegrams for a century now.
So yes, their work is now harder and they're pushing back against that and trying to enact laws that return the previous state (or give them even more power).
There were many decades where phones didn't have back doors. Now, it's the opposite case in the most dystopian way. It's concerning that all phones are required to have back doors for law enforcement and the enforcement is severe. I know several people who have a corrupt "cop they know" that they can regularly contact for favors. Why is it so out of the ordinary to distrust law enforcement when they have these tools?
> There were many decades where phones didn't have back doors.
Your cell phone provider almost certainly will respond to a valid warrant and wire tap your non e2e encrypted phone call.
I'd be very surprised if the most common mode of remote communication in any time period was not subject to government interception in some format within a short time of becoming such. That includes physical mail, telegrams, landlines, cell phone calls, txt messages, emails, etc.
Referring to "how things used to be" is not in fact helping the case for privacy.
I don't think people are arguing against complying with valid warrants. They object to blanket surveillance being done with tools available to any law officer that can be used at any time, warrant or not.
Of course they will respond to warrants, they have to, and nowadays they have the infrastructure to forward all traffic to law enforcement's servers in real-time.
Before internet on phone, every communication was in plain text, so no need to have a backdoor in phone if you can tap directly into AT&T or Vodafone.
>There were many decades where phones didn't have back doors.
Yeah back then we just listened to the phone calls with scanners.
Do you remember the scene in Goodfellas where the neighborhood's head mobster would only communicate in person with his people?
What are you talking about? Wiretapping with warrant is a century old now.
>narcotrafiquants >police
yeah France doing France things. Like back when they forced Windows to store passwords in plaintext, with encryption outlawed. Sigh.
Link warns I'm leaving grapheneos.social and then when you click the redirect tried to download some .bin file, wtf?
Gotta love the Streisand effect that happens due to stuff like this!
Dear French: criminals would just use fake spam emails or bullshit trolling posts under fake Usenet groups in the clear. No encryption needed, and yet you would earn nothing by backdooring them
Should I worry about E/OS too?
(It'd be funny if French software was illegal to use in the EU for GDPR violations.)
For contrast, you can imagine how this debate between a private OS developer and the government would go in a non-democratic country. Or, you don't even have to imagine, because examples are not hard to find.
A threat is not a debate.
But really, the point GP was trying to make (IMO) is that all western democracies are very obviously sliding towards authoritarianism. They are building tools which, even _if_ they don't abuse them now, will be available to any future government and with time, the probability of one of them being non-democratic is 1.
> debate
> non-democratic country
My guess is there will be no debate... That said, we must acknowledge even having this debate is a positive step.
Statements like these show how little you truly know about North Korea.
That's the point, I don't want to find out.
I understand they are similar, but I think this post adds new information to the situation. Regardless, appreciate your help moderating the site.
This is not something that's actually happening.
Right?? The daily display of uncritical thinking is at least slightly amusing, though.
Yet.
When ChatControl is in place, it'll only be a matter of time.
I believe this is the OS recommended to journalists that report on Palestine because freedom of speech doesn't apply without aggressive assertion of your rights.
They always point to the criminals to get at the political opponents, just look at chatcontrol.
The claim in the title of the post is not substantiated in any way.
The correct headline here would be “GrapheneOS worried about France after negative press”
France has threatened us with the same actions they took against SkyECC and Encrochat if we do not cooperate by providing law enforcement access into devices. This was published via Le Parisien in one of their articles and through French state media. They're absolutely threatening us that way.
Can you link these publications containing threats here?
It is in third post in the thread: https://mamot.fr/@LaQuadrature/115581775986937247
> Interviewed, she warns that she will “not stop pursuing publishers if links are discovered with a criminal organization and they [GrapheneOS] do not cooperate with justice.”
France has threatened us with the same actions they took against SkyECC and Encrochat if we do not cooperate by providing law enforcement access into devices. The actions they took against those were mass arrests and seizure of servers. We don't have cloud infrastructure for builds/signing but regardless we don't want the French state taking over our website, etc. so we're leaving France and OVH.
Did "links" mean "a criminal organization is involved in the project" or "a criminal organization is using the technology"?
This is not proven state action - this is hearsay. Maybe the GrapheneOS project should wait for the first warrant to arrive or police raid to happen before claiming what they currently do.
With the current evidence, it's not ruled out that the French state is not doing anything at all.
https://grapheneos.social/@GrapheneOS/115589833471347871
> The FBI ran a sting operation in Europe where they created their own 'secure' phone and messaging platform. Their OS used portions of our code and was heavily marketed as being GrapheneOS or based on GrapheneOS.
So how do we know GrapheneOS itself isn't a honeypot? It's run by a mystery org and heavily marketed as being a secure platform.
https://en.wikipedia.org/wiki/Crypto_AG was a CIA front for 50 years.
The honeypot run by the FBI was closed source and that's why they could do it, while this is open source, which would make it much harder.
They even have reproducible builds so you can validate the source matches the distributed binaries. After that it's trusting in the OSS process to have caught any attempted backdoors which is more down to your individual evaluations.
https://grapheneos.org/build#reproducible-builds
Would be an interesting experiment actually: how long would it take for the community at large to discover a backdoor in GrapheneOS if added sneakily by generally trusted devs, i.e. the org that maintains it.
Or, phrased differently, how much independent auditing is GrapheneOS subjected to?
For more on this subject, here's a book that documents it: https://www.amazon.com/Dark-Wire-Incredible-Largest-Operatio....
Wouldn't be hard to hide a backdoor in a multi million line codebase ...
> how do we know GrapheneOS itself isn't a honeypot? It's run by a mystery org
No, it's run by a non-profit foundation whose records are public, along with their board of directors who are real people with a paper trail.
It's not some LLC shell company with a fictitious agent listed.
https://ised-isde.canada.ca/cc/lgcy/fdrlCrpDtls.html?p=0&cor...
It's disappointing to see such blatant misinformation on HN. There has been a wave of these low quality trolls and it's increasing every day.
I'm not a troll. Everyone thinks we should trust GrapheneOS...why? Because they're loud and aggressive?
They claim they are audited... by whom? When? Where are the results?
https://grapheneos.org/faq#audit
https://discuss.grapheneos.org/d/5527-who-has-audited-graphe...
> We've built relationships with security researchers and organizations interested in GrapheneOS or using it which results in a lot of this kind of collaboration.