France threatens GrapheneOS with arrests / server seizure for refusing backdoors

qbit15

https://news.ycombinator.com/item?id=46036217

Fubukibox

I think the French government is overly retarded. Too much of an overreach

Rubben

nuking france is always a possibility

matey0

France has threatened us with the same actions they took against SkyECC and Encrochat if we do not cooperate by providing law enforcement access into devices. The actions they took against those were mass arrests and seizure of servers. We don't have cloud infrastructure for builds/signing but regardless we don't want the French state taking over our website, etc. so we're leaving France and OVH.

And as another user pointed out, doesn't necessarily have to be a backdoor for everyone. They could simply push a malicious update to a subset of users.

GrapheneOS has automatic OTA updates by default and they could probably break the crypto of a specific device that way. Not unreasonable to think the government would issue a court order for something like that

384_cz

tHe eU Is hErE To pRoTeCt dEmOcRaCy, ThIs iS ReQuIrEd tO CaTcH TeRrOrIsTs/pEdOpHiLeS

Please, stop this manipulative bullshit. Nothing justifies totality

LowEndStalker

@qbit15 said:
https://news.ycombinator.com/item?id=46036217

Cool to know all the traffic from my dedicated server in Roubix France is probably being given to the French government for absolutely no reason other than because they're is just cool like that

(This is a joke, but I sure do hope the head of the French government dont put a bounty on my head!!)

jack2px

Comments moved to https://news.ycombinator.com/item?id=46035977

default

This makes me wonder: what backdoors did others accept?

Void

@Rubben said:
nuking france is always a possibility

France: No need, we surrender.

OpaqueRegistrant

... if GrapheneOS is found to be part of a drug cartel

default

@Void said:

@Rubben said:
nuking france is always a possibility

France: No need, we surrender.

No it won't. France has its own small nuclear arsenal. But there is no need to derail the topic into warfare.

Right now I believe this is done for population control. Governments tend to hate privacy and anonymity, in order to keep population under control and monitor any dissent that could spark big political changes.

jar

Fuck every government. Nothing has a higher body count than government.

CloudHopper

Right, but where's the bit about the French government demanding they insert backdoors?

The article claims GrapheneOS is the tool of choice for drug criminals, and the GrapheneOS team seem to be claiming the article refers to forks of their Open Source project and that they feel intimidated by the media reports about them, so they migrated some services away from OVH...but I don't see any claims of interference or demands from the French state. So what am I missing?

angstrom

Moved thread from General to News

matey0

@CloudHopper said:
Right, but where's the bit about the French government demanding they insert backdoors?

The article claims GrapheneOS is the tool of choice for drug criminals, and the GrapheneOS team seem to be claiming the article refers to forks of their Open Source project and that they feel intimidated by the media reports about them, so they migrated some services away from OVH...but I don't see any claims of interference or demands from the French state. So what am I missing?

Check the comments by strcat in the HN thread. He's the founder and lead dev of GrapheneOS. He's french and seems worried.
He's also the person I quoted in my previous comment.

CloudHopper

@matey0 said:

@CloudHopper said:
Right, but where's the bit about the French government demanding they insert backdoors?

The article claims GrapheneOS is the tool of choice for drug criminals, and the GrapheneOS team seem to be claiming the article refers to forks of their Open Source project and that they feel intimidated by the media reports about them, so they migrated some services away from OVH...but I don't see any claims of interference or demands from the French state. So what am I missing?

Check the comments by strcat in the HN thread. He's the founder and lead dev of GrapheneOS. He's french and seems worried.
He's also the person I quoted in my previous comment.

Yeah, I get that they're "worried" and that they've moved some services away from OVH, but where's the evidence for any demands that they insert backdoors from the French state?

matey0

@CloudHopper said:

@matey0 said:

@CloudHopper said:
Right, but where's the bit about the French government demanding they insert backdoors?

The article claims GrapheneOS is the tool of choice for drug criminals, and the GrapheneOS team seem to be claiming the article refers to forks of their Open Source project and that they feel intimidated by the media reports about them, so they migrated some services away from OVH...but I don't see any claims of interference or demands from the French state. So what am I missing?

Check the comments by strcat in the HN thread. He's the founder and lead dev of GrapheneOS. He's french and seems worried.
He's also the person I quoted in my previous comment.

Yeah, I get that they're "worried" and that they've moved some services away from OVH, but where's the evidence for any demands that they insert backdoors from the French state?

He thinks these news outlets are related to the state and the state has made its stance on encryption clear. From strcat:

France has made it clear they expect to have a backdoor in end-to-end encryption apps and disk encryption. They've been saying that it's unacceptable not to have a backdoor in a bunch of these news stories they've gotten published by contacting the media. They've said if we don't cooperate with that, they'll take similar actions against us as they did SkyECC and Encrochat meaning hijacking our servers and trying to have us arrested.
Le Parisien has 2 articles about this, not only one, and https://archive.is/UrlvK is one of the places they talk about going after us if we don't cooperate with providing them access to devices. It's not possible for us to provide an update which bypasses the throttling for brute force protection so what they're asking isn't even helping them break into specific devices but helping them compromise security for everyone in anticipation of rare cases of criminals using devices. https://news.ycombinator.com/item?id=46038241 explains lack of technical ability to compromise security after the fact. Titan M2 is specifically designed with insider attack resistance so that Google making an update disabling the brute force protection won't be accepted by the secure element without the Owner user successfully unlocking first. We don't have the signing key for the Titan M2 firmware anyway. This is part of our required hardware-based security features which we're working on providing in a Pixel alternative with a major Android OEM working with us right now. We talked to them about the France situation already and it does not negatively impact our partnership. It may be a good idea to speed up an official announcement with them to counter the narrative being pushed by France's law enforcement agencies now.

CloudHopper

The servers they've moved from OVH are their website, Mastodon and Matrix instances. I don't see how hacking them would have the same impact as the hacks on SkyECC or Encrochat, or how you'd even hide a backdoor in open source code anyway.

I've read what the developer has to say and they appear to be having a mental breakdown rather than there being any evidence that the French state is making demands of them specifically, (other than their more generic statements against end-to-end encryption).

So, once again, where is the evidence that the French state has demanded they insert backdoors in their product?

fredo1664

@matey0 said:

@CloudHopper said:

@matey0 said:

@CloudHopper said:
Right, but where's the bit about the French government demanding they insert backdoors?

The article claims GrapheneOS is the tool of choice for drug criminals, and the GrapheneOS team seem to be claiming the article refers to forks of their Open Source project and that they feel intimidated by the media reports about them, so they migrated some services away from OVH...but I don't see any claims of interference or demands from the French state. So what am I missing?

Check the comments by strcat in the HN thread. He's the founder and lead dev of GrapheneOS. He's french and seems worried.
He's also the person I quoted in my previous comment.

Yeah, I get that they're "worried" and that they've moved some services away from OVH, but where's the evidence for any demands that they insert backdoors from the French state?

He thinks these news outlets are related to the state and the state has made its stance on encryption clear. From strcat:

France has made it clear they expect to have a backdoor in end-to-end encryption apps and disk encryption. They've been saying that it's unacceptable not to have a backdoor in a bunch of these news stories they've gotten published by contacting the media. They've said if we don't cooperate with that, they'll take similar actions against us as they did SkyECC and Encrochat meaning hijacking our servers and trying to have us arrested.
Le Parisien has 2 articles about this, not only one, and https://archive.is/UrlvK is one of the places they talk about going after us if we don't cooperate with providing them access to devices. It's not possible for us to provide an update which bypasses the throttling for brute force protection so what they're asking isn't even helping them break into specific devices but helping them compromise security for everyone in anticipation of rare cases of criminals using devices. https://news.ycombinator.com/item?id=46038241 explains lack of technical ability to compromise security after the fact. Titan M2 is specifically designed with insider attack resistance so that Google making an update disabling the brute force protection won't be accepted by the secure element without the Owner user successfully unlocking first. We don't have the signing key for the Titan M2 firmware anyway. This is part of our required hardware-based security features which we're working on providing in a Pixel alternative with a major Android OEM working with us right now. We talked to them about the France situation already and it does not negatively impact our partnership. It may be a good idea to speed up an official announcement with them to counter the narrative being pushed by France's law enforcement agencies now.

The article they quote (https://archive.is/UrlvK) does not say at all that "they talk about going after us if we don't cooperate with providing them access to devices."
It says that if they find a link between a platform and a criminal organisation they will not hesitate to prosecute the platform.

matey0

@CloudHopper said: or how you'd even hide a backdoor in open source code anyway.

Now you're just being silly, or you're not a developer.

@fredo1664 said:

@matey0 said:

@CloudHopper said:

@matey0 said:

@CloudHopper said:
Right, but where's the bit about the French government demanding they insert backdoors?

The article claims GrapheneOS is the tool of choice for drug criminals, and the GrapheneOS team seem to be claiming the article refers to forks of their Open Source project and that they feel intimidated by the media reports about them, so they migrated some services away from OVH...but I don't see any claims of interference or demands from the French state. So what am I missing?

Check the comments by strcat in the HN thread. He's the founder and lead dev of GrapheneOS. He's french and seems worried.
He's also the person I quoted in my previous comment.

Yeah, I get that they're "worried" and that they've moved some services away from OVH, but where's the evidence for any demands that they insert backdoors from the French state?

He thinks these news outlets are related to the state and the state has made its stance on encryption clear. From strcat:

France has made it clear they expect to have a backdoor in end-to-end encryption apps and disk encryption. They've been saying that it's unacceptable not to have a backdoor in a bunch of these news stories they've gotten published by contacting the media. They've said if we don't cooperate with that, they'll take similar actions against us as they did SkyECC and Encrochat meaning hijacking our servers and trying to have us arrested.
Le Parisien has 2 articles about this, not only one, and https://archive.is/UrlvK is one of the places they talk about going after us if we don't cooperate with providing them access to devices. It's not possible for us to provide an update which bypasses the throttling for brute force protection so what they're asking isn't even helping them break into specific devices but helping them compromise security for everyone in anticipation of rare cases of criminals using devices. https://news.ycombinator.com/item?id=46038241 explains lack of technical ability to compromise security after the fact. Titan M2 is specifically designed with insider attack resistance so that Google making an update disabling the brute force protection won't be accepted by the secure element without the Owner user successfully unlocking first. We don't have the signing key for the Titan M2 firmware anyway. This is part of our required hardware-based security features which we're working on providing in a Pixel alternative with a major Android OEM working with us right now. We talked to them about the France situation already and it does not negatively impact our partnership. It may be a good idea to speed up an official announcement with them to counter the narrative being pushed by France's law enforcement agencies now.

The article they quote (https://archive.is/UrlvK) does not say at all that "they talk about going after us if we don't cooperate with providing them access to devices."
It says that if they find a link between a platform and a criminal organisation they will not hesitate to prosecute the platform.

From strcat:

French law enforcement is conflating companies making products with GrapheneOS code with GrapheneOS itself. They're presenting it as if those companies are working with us and that we're responsible for their actions selling devices using our code. Most of those are using forks of GrapheneOS with features we don't have which are repeatedly incorrectly referred to as being GrapheneOS features. GrapheneOS users can read the many articles and see many references to non-existent features. They similarly refer to non-existent distribution methods and marketing which are actually about these products they're conflating with us. Since they're conflating products and actions by other people with ours, that makes their threats very concerning.

fredo1664

@matey0 said:

@CloudHopper said: or how you'd even hide a backdoor in open source code anyway.

Now you're just being silly, or you're not a developer.

@fredo1664 said:

@matey0 said:

@CloudHopper said:

@matey0 said:

@CloudHopper said:
Right, but where's the bit about the French government demanding they insert backdoors?

The article claims GrapheneOS is the tool of choice for drug criminals, and the GrapheneOS team seem to be claiming the article refers to forks of their Open Source project and that they feel intimidated by the media reports about them, so they migrated some services away from OVH...but I don't see any claims of interference or demands from the French state. So what am I missing?

Check the comments by strcat in the HN thread. He's the founder and lead dev of GrapheneOS. He's french and seems worried.
He's also the person I quoted in my previous comment.

Yeah, I get that they're "worried" and that they've moved some services away from OVH, but where's the evidence for any demands that they insert backdoors from the French state?

He thinks these news outlets are related to the state and the state has made its stance on encryption clear. From strcat:

France has made it clear they expect to have a backdoor in end-to-end encryption apps and disk encryption. They've been saying that it's unacceptable not to have a backdoor in a bunch of these news stories they've gotten published by contacting the media. They've said if we don't cooperate with that, they'll take similar actions against us as they did SkyECC and Encrochat meaning hijacking our servers and trying to have us arrested.
Le Parisien has 2 articles about this, not only one, and https://archive.is/UrlvK is one of the places they talk about going after us if we don't cooperate with providing them access to devices. It's not possible for us to provide an update which bypasses the throttling for brute force protection so what they're asking isn't even helping them break into specific devices but helping them compromise security for everyone in anticipation of rare cases of criminals using devices. https://news.ycombinator.com/item?id=46038241 explains lack of technical ability to compromise security after the fact. Titan M2 is specifically designed with insider attack resistance so that Google making an update disabling the brute force protection won't be accepted by the secure element without the Owner user successfully unlocking first. We don't have the signing key for the Titan M2 firmware anyway. This is part of our required hardware-based security features which we're working on providing in a Pixel alternative with a major Android OEM working with us right now. We talked to them about the France situation already and it does not negatively impact our partnership. It may be a good idea to speed up an official announcement with them to counter the narrative being pushed by France's law enforcement agencies now.

The article they quote (https://archive.is/UrlvK) does not say at all that "they talk about going after us if we don't cooperate with providing them access to devices."
It says that if they find a link between a platform and a criminal organisation they will not hesitate to prosecute the platform.

From strcat:

French law enforcement is conflating companies making products with GrapheneOS code with GrapheneOS itself. They're presenting it as if those companies are working with us and that we're responsible for their actions selling devices using our code. Most of those are using forks of GrapheneOS with features we don't have which are repeatedly incorrectly referred to as being GrapheneOS features. GrapheneOS users can read the many articles and see many references to non-existent features. They similarly refer to non-existent distribution methods and marketing which are actually about these products they're conflating with us. Since they're conflating products and actions by other people with ours, that makes their threats very concerning.

This would maybe be GrapheneOS's answer to that bit: "if they find a link between a platform and a criminal organisation they will not hesitate to prosecute the platform."

The way I understand it, he says they have nothing to do with the people who make forks of grapheneOS which are then used by criminal organisations... but law enforcement is pushing to see if that's true. I am understanding this right?

CloudHopper

@matey0 said:
From strcat:

French law enforcement is conflating companies making products with GrapheneOS code with GrapheneOS itself. They're presenting it as if those companies are working with us and that we're responsible for their actions selling devices using our code. Most of those are using forks of GrapheneOS with features we don't have which are repeatedly incorrectly referred to as being GrapheneOS features. GrapheneOS users can read the many articles and see many references to non-existent features. They similarly refer to non-existent distribution methods and marketing which are actually about these products they're conflating with us. Since they're conflating products and actions by other people with ours, that makes their threats very concerning.

Exactly. The guy says that the article is factually incorrect...but then he assumes that it's the French state that's attacking him by planting the article rather than it just being written by a poorly informed journalist writing crap for clicks.

So, as I say, it sounds more like he's having a mental breakdown than he's actually being threatened for not cooperating with the French government.

matey0

@fredo1664 said:

@matey0 said:

@CloudHopper said: or how you'd even hide a backdoor in open source code anyway.

Now you're just being silly, or you're not a developer.

@fredo1664 said:

@matey0 said:

@CloudHopper said:

@matey0 said:

@CloudHopper said:
Right, but where's the bit about the French government demanding they insert backdoors?

The article claims GrapheneOS is the tool of choice for drug criminals, and the GrapheneOS team seem to be claiming the article refers to forks of their Open Source project and that they feel intimidated by the media reports about them, so they migrated some services away from OVH...but I don't see any claims of interference or demands from the French state. So what am I missing?

Check the comments by strcat in the HN thread. He's the founder and lead dev of GrapheneOS. He's french and seems worried.
He's also the person I quoted in my previous comment.

Yeah, I get that they're "worried" and that they've moved some services away from OVH, but where's the evidence for any demands that they insert backdoors from the French state?

He thinks these news outlets are related to the state and the state has made its stance on encryption clear. From strcat:

France has made it clear they expect to have a backdoor in end-to-end encryption apps and disk encryption. They've been saying that it's unacceptable not to have a backdoor in a bunch of these news stories they've gotten published by contacting the media. They've said if we don't cooperate with that, they'll take similar actions against us as they did SkyECC and Encrochat meaning hijacking our servers and trying to have us arrested.
Le Parisien has 2 articles about this, not only one, and https://archive.is/UrlvK is one of the places they talk about going after us if we don't cooperate with providing them access to devices. It's not possible for us to provide an update which bypasses the throttling for brute force protection so what they're asking isn't even helping them break into specific devices but helping them compromise security for everyone in anticipation of rare cases of criminals using devices. https://news.ycombinator.com/item?id=46038241 explains lack of technical ability to compromise security after the fact. Titan M2 is specifically designed with insider attack resistance so that Google making an update disabling the brute force protection won't be accepted by the secure element without the Owner user successfully unlocking first. We don't have the signing key for the Titan M2 firmware anyway. This is part of our required hardware-based security features which we're working on providing in a Pixel alternative with a major Android OEM working with us right now. We talked to them about the France situation already and it does not negatively impact our partnership. It may be a good idea to speed up an official announcement with them to counter the narrative being pushed by France's law enforcement agencies now.

The article they quote (https://archive.is/UrlvK) does not say at all that "they talk about going after us if we don't cooperate with providing them access to devices."
It says that if they find a link between a platform and a criminal organisation they will not hesitate to prosecute the platform.

From strcat:

French law enforcement is conflating companies making products with GrapheneOS code with GrapheneOS itself. They're presenting it as if those companies are working with us and that we're responsible for their actions selling devices using our code. Most of those are using forks of GrapheneOS with features we don't have which are repeatedly incorrectly referred to as being GrapheneOS features. GrapheneOS users can read the many articles and see many references to non-existent features. They similarly refer to non-existent distribution methods and marketing which are actually about these products they're conflating with us. Since they're conflating products and actions by other people with ours, that makes their threats very concerning.

This would maybe be GrapheneOS's answer to that bit: "if they find a link between a platform and a criminal organisation they will not hesitate to prosecute the platform."

The way I understand it, he says they have nothing to do with the people who make forks of grapheneOS which are then used by criminal organisations... but law enforcement is pushing to see if that's true. I am understanding this right?

Yeah. GrapheneOS is just an open-source project by some paranoid security/privacy nerds.

But probably, just like it used to be with EncroChat, there are people selling devices with pre-installed GrapheneOS, chat rooms, etc. directly to criminals for profit.

Fubukibox

https://x.com/GrapheneOS/status/1993035936800584103

We no longer have any active servers in France and are continuing the process of leaving OVH. We'll be rotating our TLS keys and Let's Encrypt account keys pinned via accounturi. DNSSEC keys may also be rotated. Our backups are encrypted and can remain on OVH for now.

Our App Store verifies the app store metadata with a cryptographic signature and downgrade protection along with verification of the packages. Android's package manager also has another layer of signature verification and downgrade protection.

Our System Updater verifies updates with a cryptographic signature and downgrade protection along with another layer of both in update_engine and a third layer of both via verified boot. Signing channel release channel names is planned too.

Our update mirrors are currently hosted on sponsored servers from ReliableSite (Los Angeles, Miami) and Tempest (London). London is a temporary location due to an emergency move from a provider which left the dedicated server business and will move. More sponsored update mirrors are coming.

Our ns1 anycast network is on Vultr and our ns2 anycast network is on BuyVM since both support BGP for announcing our own IP space. We're moving our main website/network servers used for default OS connections to a mix of Vultr+BuyVM locations.

We have 5 servers in Canada with OVH with more than static content and basic network services: email, Matrix, discussion forum, Mastodon and attestation. Our plan is to move these to Netcup root servers or a similar provider short term and then colocated servers in Toronto long term.

France isn't a safe country for open source privacy projects. They expect backdoors in encryption and for device access too. Secure devices and services are not going to be allowed. We don't feel safe using OVH for even a static website with servers in Canada/US via their Canada/US subsidiaries.

We were likely going to be able to release experimental Pixel 10 support very soon and it's getting disrupted. The attacks on our team with ongoing libel and harassment have escalated, raids on our chat rooms have escalated and more. It's rough right now and support is appreciated.

11:16 AM · Nov 24, 2025

CloudHopper

@matey0 said:

@fredo1664 said:

@matey0 said:

@CloudHopper said: or how you'd even hide a backdoor in open source code anyway.

Now you're just being silly, or you're not a developer.

@fredo1664 said:

@matey0 said:

@CloudHopper said:

@matey0 said:

@CloudHopper said:
Right, but where's the bit about the French government demanding they insert backdoors?

The article claims GrapheneOS is the tool of choice for drug criminals, and the GrapheneOS team seem to be claiming the article refers to forks of their Open Source project and that they feel intimidated by the media reports about them, so they migrated some services away from OVH...but I don't see any claims of interference or demands from the French state. So what am I missing?

Check the comments by strcat in the HN thread. He's the founder and lead dev of GrapheneOS. He's french and seems worried.
He's also the person I quoted in my previous comment.

Yeah, I get that they're "worried" and that they've moved some services away from OVH, but where's the evidence for any demands that they insert backdoors from the French state?

He thinks these news outlets are related to the state and the state has made its stance on encryption clear. From strcat:

France has made it clear they expect to have a backdoor in end-to-end encryption apps and disk encryption. They've been saying that it's unacceptable not to have a backdoor in a bunch of these news stories they've gotten published by contacting the media. They've said if we don't cooperate with that, they'll take similar actions against us as they did SkyECC and Encrochat meaning hijacking our servers and trying to have us arrested.
Le Parisien has 2 articles about this, not only one, and https://archive.is/UrlvK is one of the places they talk about going after us if we don't cooperate with providing them access to devices. It's not possible for us to provide an update which bypasses the throttling for brute force protection so what they're asking isn't even helping them break into specific devices but helping them compromise security for everyone in anticipation of rare cases of criminals using devices. https://news.ycombinator.com/item?id=46038241 explains lack of technical ability to compromise security after the fact. Titan M2 is specifically designed with insider attack resistance so that Google making an update disabling the brute force protection won't be accepted by the secure element without the Owner user successfully unlocking first. We don't have the signing key for the Titan M2 firmware anyway. This is part of our required hardware-based security features which we're working on providing in a Pixel alternative with a major Android OEM working with us right now. We talked to them about the France situation already and it does not negatively impact our partnership. It may be a good idea to speed up an official announcement with them to counter the narrative being pushed by France's law enforcement agencies now.

The article they quote (https://archive.is/UrlvK) does not say at all that "they talk about going after us if we don't cooperate with providing them access to devices."
It says that if they find a link between a platform and a criminal organisation they will not hesitate to prosecute the platform.

From strcat:

French law enforcement is conflating companies making products with GrapheneOS code with GrapheneOS itself. They're presenting it as if those companies are working with us and that we're responsible for their actions selling devices using our code. Most of those are using forks of GrapheneOS with features we don't have which are repeatedly incorrectly referred to as being GrapheneOS features. GrapheneOS users can read the many articles and see many references to non-existent features. They similarly refer to non-existent distribution methods and marketing which are actually about these products they're conflating with us. Since they're conflating products and actions by other people with ours, that makes their threats very concerning.

This would maybe be GrapheneOS's answer to that bit: "if they find a link between a platform and a criminal organisation they will not hesitate to prosecute the platform."

The way I understand it, he says they have nothing to do with the people who make forks of grapheneOS which are then used by criminal organisations... but law enforcement is pushing to see if that's true. I am understanding this right?

Yeah. GrapheneOS is just an open-source project by some paranoid security/privacy nerds.

But probably, just like it used to be with EncroChat, there are people selling devices with pre-installed GrapheneOS, chat rooms, etc. directly to criminals for profit.

Encrochat used centralized servers for encrypted messaging, allowing users to communicate with only usernames and not phone numbers. GrapheneOS doesn't do that. The two things aren't even remotely comparable so I don't understand your point.

The guy is blatantly having a mental breakdown if he thinks the French state is planting articles in newspapers to intimidate him, rather than just knocking on his door and having a private conversation, but I guess drama is drama and reality doesn't matter.

TheGreatOakley

GrapheneOS is a solid OS, however the founder/owner is shizo. He might have some type of disorder and I am not talking about this fr*ch incident.

matey0

@CloudHopper said:

@matey0 said:

@fredo1664 said:

@matey0 said:

@CloudHopper said: or how you'd even hide a backdoor in open source code anyway.

Now you're just being silly, or you're not a developer.

@fredo1664 said:

@matey0 said:

@CloudHopper said:

@matey0 said:

@CloudHopper said:
Right, but where's the bit about the French government demanding they insert backdoors?

The article claims GrapheneOS is the tool of choice for drug criminals, and the GrapheneOS team seem to be claiming the article refers to forks of their Open Source project and that they feel intimidated by the media reports about them, so they migrated some services away from OVH...but I don't see any claims of interference or demands from the French state. So what am I missing?

Check the comments by strcat in the HN thread. He's the founder and lead dev of GrapheneOS. He's french and seems worried.
He's also the person I quoted in my previous comment.

Yeah, I get that they're "worried" and that they've moved some services away from OVH, but where's the evidence for any demands that they insert backdoors from the French state?

He thinks these news outlets are related to the state and the state has made its stance on encryption clear. From strcat:

France has made it clear they expect to have a backdoor in end-to-end encryption apps and disk encryption. They've been saying that it's unacceptable not to have a backdoor in a bunch of these news stories they've gotten published by contacting the media. They've said if we don't cooperate with that, they'll take similar actions against us as they did SkyECC and Encrochat meaning hijacking our servers and trying to have us arrested.
Le Parisien has 2 articles about this, not only one, and https://archive.is/UrlvK is one of the places they talk about going after us if we don't cooperate with providing them access to devices. It's not possible for us to provide an update which bypasses the throttling for brute force protection so what they're asking isn't even helping them break into specific devices but helping them compromise security for everyone in anticipation of rare cases of criminals using devices. https://news.ycombinator.com/item?id=46038241 explains lack of technical ability to compromise security after the fact. Titan M2 is specifically designed with insider attack resistance so that Google making an update disabling the brute force protection won't be accepted by the secure element without the Owner user successfully unlocking first. We don't have the signing key for the Titan M2 firmware anyway. This is part of our required hardware-based security features which we're working on providing in a Pixel alternative with a major Android OEM working with us right now. We talked to them about the France situation already and it does not negatively impact our partnership. It may be a good idea to speed up an official announcement with them to counter the narrative being pushed by France's law enforcement agencies now.

The article they quote (https://archive.is/UrlvK) does not say at all that "they talk about going after us if we don't cooperate with providing them access to devices."
It says that if they find a link between a platform and a criminal organisation they will not hesitate to prosecute the platform.

From strcat:

French law enforcement is conflating companies making products with GrapheneOS code with GrapheneOS itself. They're presenting it as if those companies are working with us and that we're responsible for their actions selling devices using our code. Most of those are using forks of GrapheneOS with features we don't have which are repeatedly incorrectly referred to as being GrapheneOS features. GrapheneOS users can read the many articles and see many references to non-existent features. They similarly refer to non-existent distribution methods and marketing which are actually about these products they're conflating with us. Since they're conflating products and actions by other people with ours, that makes their threats very concerning.

This would maybe be GrapheneOS's answer to that bit: "if they find a link between a platform and a criminal organisation they will not hesitate to prosecute the platform."

The way I understand it, he says they have nothing to do with the people who make forks of grapheneOS which are then used by criminal organisations... but law enforcement is pushing to see if that's true. I am understanding this right?

Yeah. GrapheneOS is just an open-source project by some paranoid security/privacy nerds.

But probably, just like it used to be with EncroChat, there are people selling devices with pre-installed GrapheneOS, chat rooms, etc. directly to criminals for profit.

Encrochat used centralized servers for encrypted messaging, allowing users to communicate with only usernames and not phone numbers. GrapheneOS doesn't do that. The two things aren't even remotely comparable so I don't understand your point.

The guy is blatantly having a mental breakdown if he thinks the French state is planting articles in newspapers to intimidate him, rather than just knocking on his door and having a private conversation, but I guess drama is drama and reality doesn't matter.

EncroChat was sold directly to criminals. Criminals would go to a sketchy dealer who would set them up with an EncroChat device for 1500€. The app wasn't available otherwise.

GrapheneOS is used as the basis for such devices nowadays, and the developer sees them being conflated with these criminal entities.

matey0

@TheGreatOakley said:
GrapheneOS is a solid OS, however the founder/owner is shizo. He might have some type of disorder and I am not talking about this fr*ch incident.

Wait until you see Tor or I2P devs.
It's part of the trade I think.

At this point if you're in this niche and not a schizo then you're probably a fed.

sillycat

@Rubben said:
nuking france is always a possibility

If Rubben makes true on his threat, is it time to move Paris to Frankfurt, @layer7 ?

fredo1664

@matey0 said:

@CloudHopper said:

@matey0 said:

@fredo1664 said:

@matey0 said:

@CloudHopper said: or how you'd even hide a backdoor in open source code anyway.

Now you're just being silly, or you're not a developer.

@fredo1664 said:

@matey0 said:

@CloudHopper said:

@matey0 said:

@CloudHopper said:
Right, but where's the bit about the French government demanding they insert backdoors?

The article claims GrapheneOS is the tool of choice for drug criminals, and the GrapheneOS team seem to be claiming the article refers to forks of their Open Source project and that they feel intimidated by the media reports about them, so they migrated some services away from OVH...but I don't see any claims of interference or demands from the French state. So what am I missing?

Check the comments by strcat in the HN thread. He's the founder and lead dev of GrapheneOS. He's french and seems worried.
He's also the person I quoted in my previous comment.

Yeah, I get that they're "worried" and that they've moved some services away from OVH, but where's the evidence for any demands that they insert backdoors from the French state?

He thinks these news outlets are related to the state and the state has made its stance on encryption clear. From strcat:

France has made it clear they expect to have a backdoor in end-to-end encryption apps and disk encryption. They've been saying that it's unacceptable not to have a backdoor in a bunch of these news stories they've gotten published by contacting the media. They've said if we don't cooperate with that, they'll take similar actions against us as they did SkyECC and Encrochat meaning hijacking our servers and trying to have us arrested.
Le Parisien has 2 articles about this, not only one, and https://archive.is/UrlvK is one of the places they talk about going after us if we don't cooperate with providing them access to devices. It's not possible for us to provide an update which bypasses the throttling for brute force protection so what they're asking isn't even helping them break into specific devices but helping them compromise security for everyone in anticipation of rare cases of criminals using devices. https://news.ycombinator.com/item?id=46038241 explains lack of technical ability to compromise security after the fact. Titan M2 is specifically designed with insider attack resistance so that Google making an update disabling the brute force protection won't be accepted by the secure element without the Owner user successfully unlocking first. We don't have the signing key for the Titan M2 firmware anyway. This is part of our required hardware-based security features which we're working on providing in a Pixel alternative with a major Android OEM working with us right now. We talked to them about the France situation already and it does not negatively impact our partnership. It may be a good idea to speed up an official announcement with them to counter the narrative being pushed by France's law enforcement agencies now.

The article they quote (https://archive.is/UrlvK) does not say at all that "they talk about going after us if we don't cooperate with providing them access to devices."
It says that if they find a link between a platform and a criminal organisation they will not hesitate to prosecute the platform.

From strcat:

French law enforcement is conflating companies making products with GrapheneOS code with GrapheneOS itself. They're presenting it as if those companies are working with us and that we're responsible for their actions selling devices using our code. Most of those are using forks of GrapheneOS with features we don't have which are repeatedly incorrectly referred to as being GrapheneOS features. GrapheneOS users can read the many articles and see many references to non-existent features. They similarly refer to non-existent distribution methods and marketing which are actually about these products they're conflating with us. Since they're conflating products and actions by other people with ours, that makes their threats very concerning.

This would maybe be GrapheneOS's answer to that bit: "if they find a link between a platform and a criminal organisation they will not hesitate to prosecute the platform."

The way I understand it, he says they have nothing to do with the people who make forks of grapheneOS which are then used by criminal organisations... but law enforcement is pushing to see if that's true. I am understanding this right?

Yeah. GrapheneOS is just an open-source project by some paranoid security/privacy nerds.

But probably, just like it used to be with EncroChat, there are people selling devices with pre-installed GrapheneOS, chat rooms, etc. directly to criminals for profit.

Encrochat used centralized servers for encrypted messaging, allowing users to communicate with only usernames and not phone numbers. GrapheneOS doesn't do that. The two things aren't even remotely comparable so I don't understand your point.

The guy is blatantly having a mental breakdown if he thinks the French state is planting articles in newspapers to intimidate him, rather than just knocking on his door and having a private conversation, but I guess drama is drama and reality doesn't matter.

EncroChat was sold directly to criminals. Criminals would go to a sketchy dealer who would set them up with an EncroChat device for 1500€. The app wasn't available otherwise.

GrapheneOS is used as the basis for such devices nowadays, and the developer sees them being conflated with these criminal entities.

They talked about grapheneOS just two days ago in the evening news on french public TV so I suspect the dev is in full panic mode now...

layer7

@sillycat said:

@Rubben said:
nuking france is always a possibility

If Rubben makes true on his threat, is it time to move Paris to Frankfurt, @layer7 ?

Hi,

yes in this case it would be nice if @Rubben could give some 24h prewarning so i will drive there to remove all servers and move them to a safe place... like maybe USA who do not threat anyone? Oh well, no, maybe bad idea. Russia? moeeeppp also bad choice.... china? Haha, nice try .... well i think the best we can do is to search for a nice cave in the woods and hope its not of strategic value... hopefully no rare earth there or oil or any other stuff that they are all looking for....

"Jokes" aside... is there actually a real source for this? I mean, i dont want to ycombinator.com is not a prooven, reliable source but... .... well i guess i just need more than a headline without reference to something more official, so that i can actually understand who wants what from whom and why. I also found

https://mamot.fr/@LaQuadrature/115581775965025042

but, even my french language skills sucks ... looks to me like some random guy/girl posting something on something similar to twitter? ^^;

Before i get in the handymarket the torches and fresh gasoline for the raid, i would like to make sure it hits the right one(s) -- not saying that there are anyway anyone innocent out there ^^;