GrapheneOS Moving Out of France

12 hours ago (xcancel.com)

> France isn't a safe country for open source privacy projects. They expect backdoors in encryption and for device access too. Secure devices and services are not going to be allowed.

If this is true, it's a bit concerning for Ledger users. One state-mandated firmware update away from losing all your crypto?

  • Fortunately it's not true. GrapheneOS seem (https://xcancel.com/GrapheneOS/status/1993061892324311480#m) to be reacting to news coverage (https://archive.ph/UrlvK) saying that although legitimate uses exist, if GrapheneOS have connections to a criminal organization and refuse to cooperate with law enforcement, they could be prosecuted nonetheless:

    "for a certain portion of users there is real legitimacy in the desire to protect their communications. The approach is therefore different. But that won't stop us from prosecuting the publishers if links to a criminal organization are discovered and they do not cooperate with the justice system."

    Charitably, GrapheneOS are not in fact a front for organized crime, but merely paranoid, assuming that the news coverage is laying the groundwork for prosecution on trumped-up charges. Notably, there doesn't appear to have been direct communication from law enforcement yet.

    • Isn't it the same for every country?

      Of course if your organization has connections to a criminal organization, you are going to be in trouble. Same thing for refusing to cooperate with law enforcement; this is not some abstract thing, it is about following the law, for example relating to evidence tampering or search warrants.

      I don't think France is anything special in that regard.

    • Paranoid? Telegram CEO was arrested and held for days, his movements out of France restricted for months. And he is a connected billionaire, not an open source developer.

      Open source developers have been given jail sentences in the last months.

      If you're a broke open source developer - even if you believe under the law you're not doing anything wrong - would you want to be exposed to law enforcement harassment (lawfare) for no reason?

      Also: chat control.

    • >Charitably, GrapheneOS are not in fact a front for organized crime, but merely paranoid

      The difference between someone being paranoid and someone being right, is time.

  • How would the government mandate a backdoor of such a hardware/software system without attracting eyeballs?

    • Easy. They'll just demand major tech companies implement in Europe exactly what they did to comply with China's government surveillance request. They already have the blueprint of the apparatus, they just need to throw a blue coat of paint and a circle of gold stars over it to legitimize it and make it less scary looking.

      And they don't give a damn about attracting eyeballs since the surveillance will be mandated by law and done legally by the book, and it will be done "for your own safety and protection against the boogieman", so that people will accept it.

    • I can't speak to the political or legal aspects, but technically, Ledger firmware updates are closed‑source binaries delivered from Ledger's servers. That centralization makes it possible for a state actor—or anyone with access to Ledger's signing keys and servers—to slip in a backdoor. Even if the firmware were fully open source, a backdoor could still be inserted during the build process and never appear in the repositories. Avoiding it would require building the firmware yourself, which most users don't do.

      As a side note, Bitcoin Core mitigates this risk with deterministic builds and multiple independent developers verifying and signing releases. But this option isn't available for Ledger as most of the firmware is closed source.
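
The multi-builder check described in the comment above, as an added example that is not part of the original thread or any project's own tooling: several independent builders publish `sha256sum`-style digests for a release, and a download is accepted only if enough of them agree and the file matches. The builder names, file name and firmware bytes are constructed, and verifying each builder's signature over their digest file is assumed to have been done beforehand.

```python
import hashlib
from collections import defaultdict

def parse_sums(text):
    """Parse sha256sum-style lines ('<hex digest>  <filename>') into {filename: digest}."""
    sums = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and len(parts[0]) == 64:
            sums[parts[1].lstrip("*").strip()] = parts[0].lower()
    return sums

def quorum_digest(attestations, filename, threshold):
    """Return the single digest the builders attest to, if at least `threshold` do."""
    by_digest = defaultdict(list)
    for builder, sums in attestations.items():
        if filename in sums:
            by_digest[sums[filename]].append(builder)
    if len(by_digest) > 1:
        # A deterministic build yields one digest; a split means a
        # non-reproducible build or a compromised builder.
        raise ValueError(f"builders disagree on {filename}: {dict(by_digest)}")
    builders = next(iter(by_digest.values()), [])
    if len(builders) < threshold:
        raise ValueError(f"only {len(builders)} attestation(s) for {filename}")
    return next(iter(by_digest))

def verify_release(blob, filename, attestations, threshold=2):
    """True only if the downloaded bytes hash to the quorum digest."""
    expected = quorum_digest(attestations, filename, threshold)
    return hashlib.sha256(blob).hexdigest() == expected

# Constructed sample data: hypothetical builders and a stand-in firmware blob.
FIRMWARE = b"constructed firmware image 1.0"
TAMPERED = FIRMWARE + b" +implant"
NAME = "firmware-1.0.bin"
_line = f"{hashlib.sha256(FIRMWARE).hexdigest()}  {NAME}\n"
ATTESTATIONS = {b: parse_sums(_line) for b in ("alice", "bob", "carol")}

if __name__ == "__main__":
    print(verify_release(FIRMWARE, NAME, ATTESTATIONS))   # genuine download
    print(verify_release(TAMPERED, NAME, ATTESTATIONS))   # modified download
```

A binary swapped on the distribution server fails the final comparison, and a binary altered inside one builder's environment shows up as a digest split before any download is trusted.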

When all the remaining freedom fighters flee out of all the oppressive states into the last remaining citadel of human rights, which may well turn out to be some drifting icefield in the Arctic, and the oppression finally catches up with them there, is there any plan B for humankind?

  • Why are we giving up? Shouldn't we stand up against Oppressive governments and Corporations?

    • That's the point I implied! We absolutely should, and must. But the only viable way to do so seems to be by following Gandhi's principles of personal non-violent sabotage against the oppressor, which requires unity and cooperation between people, and that, alas, is very questionable these days. Half of us won't even admit they're oppressed! When a single shoemaker makes two left shoes instead of a normal pair the oppressor orders, he's out to look for a new job. When every shoemaker out there makes only left shoes, the oppressor has to go f2k himself and learn some craft or manners.

      Old ways that seemed to be working, like democratic elections? I don't think so. Not anymore.

    • > Shouldn't we stand up against Oppressive governments and Corporations?

      How? Governments have the monopoly on violence through their control of the police and military, and corporations bribe the governments in power to do their bidding and also control the media apparatus via which the voting population makes their democratic decisions, so you get this corrupt symbiotic relationship between the first and second estate (the government and wealthy elite private sector) to keep the third estate (common population) oppressed.

      So how do you actually coordinate hundreds of millions of people towards a single goal to "fight" against an apparatus of oppression with an order of magnitude more kinetic strike, intelligence gathering and propaganda capabilities than the common folk?

      People keep fantasizing about the French revolution and guillotines, but King Louis XVI didn't have Air Force One, doomsday bunkers in New Zealand, AC-130s, Predator, Reaper and Anduril drones to protect him. The force disparity between the ruling elite and peasantry is now like that meme of hydrogen bomb versus coughing baby.

  • That'd be the textbook definition of hitting rock bottom, the last of the bottoms, and hitting rock bottom is a plan B in itself.

  • The One place that has not been corrupted by Capitalism… Space!

  • Satellites?

    • Satellite operators are still required to comply with the Federal Wiretap Act (and equivalent in every other country of the world).

      The result is a less-than-optimal network that requires routing communications through a ground station (where it can be intercepted) even when it's technically feasible (and optimal) to use point-to-point communications.

      The resulting technical solutions (at least) double the bandwidth and processing required by the network, and bandwidth/processing are critical resources for communications satellites. These requirements can make or break the economic feasibility of a proposed system.

If I read it correctly, they’re not physically “moving” out of France. They are merely switching servers away from OVH.

  • "France isn't a safe country for open source privacy projects. They expect backdoors in encryption and for device access too. Secure devices and services are not going to be allowed. We don't feel safe using OVH for even a static website with servers in Canada/US via their Canada/US subsidiaries."

    Would surprise me if they weren't moving out of France entirely.

"In Canada and the US, refusing to provide a PIN/password is protected as part of the right to avoid incriminating yourself. In France, they've criminalized this part of the right to remain silent."

... to Canada.

Out of the frying pan, into the fire?