Response to dishonest attacks on the GrapheneOS project by Robert Braxman

Robert Braxman is a serial fabricator and scam artist. Braxman poorly parrots actual privacy and security information while mixing in lots of highly inaccurate information focused on promoting his insecure products and services. He also consistently attacks open source projects providing legitimate privacy and security tools including GrapheneOS, Signal and many others with false claims about both the technology and fabrications about the teams behind them. He's widely known to be a charlatan among actual privacy and security experts, but he has a significant following in privacy communities among non-technical people who don't know better. He poorly parrots actual privacy and security information while mixing in a bunch of misinformation. He tells people what they expect to hear and want to hear, while claiming he has the solutions to it through his products and services. The reality is that he's nothing but a scammer and is doing immense harm to the overall privacy movement. The misinformation he propagates directly harms people through them making bad choices and misunderstanding how privacy works. He creates a world full of fantasy issues and takes away attention from real problems.

Here's an example of the extreme level of scamming going on with his supposedly private/secure services:

https://www.reddit.com/r/privsec_dev/comments/132nb6b/fake_end_to_end_encryption_on_braxme/

Here's a recent example of him attacking GrapheneOS as part of spreading his usual fabrications about client side scanning:

https://x.com/rob_braxman/status/1892259882373431441

Here's a link to the accurate post Braxman is misrepresenting and spinning into us being shills trying to harm people's privacy:

https://x.com/GrapheneOS/status/1888280836426084502

He does this all the time and we rarely ever address the misinformation he spreads about GrapheneOS on a regular basis.

Braxman's main approach to selling his meritless products and services is focusing on AI because it's what so many people are talking about. The real meaning of hardware support for AI is having the ability to do a bunch of math in parallel to accelerate neural networks. Having a powerful GPU with support for standard APIs is hardware support for AI. In Braxman's fantasy world, it means computer hardware thinking for itself and reporting people to the authorities on their own which is not something that exists in any common hardware. He latches onto anything to do with AI and heavily misrepresents it, particularly by misrepresenting entirely local features not even storing persistent state about what they see as being privacy threats.

Braxman propagates massive amounts of misinformation about many topics and isn't at all limited to talking about AI. He does this full time and it's unrealistic for anyone to go through all of it and debunk all of the utter nonsense he puts out. It's unfortunate that there aren't more experts debunking it because it's genuinely harming a lot of people. He's directly responsible for a large portion of misconceptions and misunderstandings in privacy communities which cause harm to people through them making choices which reduce their privacy and security rather than improving it. People getting duped into buying Braxman's products/services with poor privacy and security is only one of the ways he harms people. He has a very large negative impact on the overall privacy community and many legitimate privacy tools.

For Braxman's insecure devices, he's partnered with the founder of "Secure Group", a company closely resembling Encrochat, SkyECC, ANOM, etc. which then transitioned into closely partnering with Braxman via "The Good Phone Foundation" and "LUNR". They're also partnered with iodéOS, yet another insecure OS based on forking LineageOS which is presenting itself as a highly private and secure OS.

The devices sold by Braxman are made in partnership with Dominic Gingras, a long term grifter in the world of private and secure devices. He's the founder of Secure Group and the Good Phone Foundation. Dominic Gingras is similarly focused on earning money from selling people insecure products with false privacy and security marketing. He's likely the leading expert at ripping people off selling them insecure devices misrepresented as hardened. He has been doing it for 2 decades. He repeatedly tried to convince us to partner with him but he has never been truly interested in making secure devices and began spreading misinformation about GrapheneOS with Robert Braxman. Everything from these companies should be avoided at all costs. They're blatant scammers and are attacking many legitimate privacy and security products, not only GrapheneOS. Simply helping to legitimize one of the biggest scammers in the whole privacy space (Braxman) does massive harm in itself, but they do plenty to harm people themselves.

Braxman's attacks on GrapheneOS aren't limited to spreading technical misinformation. He regularly focuses on attacking the team behind it including supporting harassment content and fabricated stories about us. That includes Braxman supporting harassment from Kiwi Farms members. It's completely unacceptable behavior which should not be tolerated in the privacy and open source communities any longer. We strongly recommend doing serious research on Robert Braxman based on what actual privacy and security experts have to say about him and his products/services. Do not fall for his scams and the scams of the people partnering with him. It's easy to find this if you look for it.

We'll be publishing a more detailed article on our site with many examples of Braxman's fabrications and scamming in the future because he's a growing problem causing an increasing amount of harm to privacy communities and to GrapheneOS which has become one of his main targets for inaccurate attacks.

    I want to express my full support for GrapheneOS as a project and my complete disdain for Robert Braxman’s fabrications and misleading claims regarding privacy and security.

    GrapheneOS is one of the most important projects in the realm of digital privacy and security. It is built by experts who understand the complex nature of modern security threats, and it consistently delivers robust, well-researched, and transparent solutions for users seeking true privacy. The developers behind GrapheneOS prioritize actual security over marketing gimmicks and have proven their commitment to transparency and open-source principles time and time again.

    On the other hand, Robert Braxman has built a following by spreading misinformation and promoting products that offer a false sense of security. His business model relies on fear-mongering and preying on those who are less technically inclined, misleading them into purchasing devices and services that are, in reality, insecure. His attacks on open-source projects like GrapheneOS, Signal, and other legitimate privacy tools are not only baseless but actively harmful to the privacy community.

    I was subscribed to his YouTube channel for a while and initially thought he had useful insights. However, after revisiting his content, it became abundantly clear that he is an absolute prick, constantly distorting facts and misleading his audience. His key tactic is taking real concerns about privacy and security and mixing them with wild, inaccurate claims. He portrays himself as a privacy expert while demonstrating a deep misunderstanding of the very concepts he discusses. His fear-driven narratives about AI and surveillance push people towards his insecure products, making them less safe rather than more secure.

    His recent misinformation about client-side scanning and GrapheneOS is yet another example of his consistent pattern of deceit. Instead of presenting facts, he distorts reality to fit his agenda, attacking those who actually work to improve privacy and security for everyone. The fact that he has partnered with individuals like Dominic Gingras—who has a long history of profiting from selling insecure devices under false pretenses—only further exposes the level of deception at play.

    Braxman’s harm extends beyond technical misinformation. His support for harassment campaigns, including content from Kiwi Farms and other toxic sources, shows a complete lack of ethics. No legitimate privacy advocate would engage in such behavior. The damage he does to the privacy community by spreading false claims and attacking trustworthy projects cannot be overstated.

    I strongly encourage anyone who values privacy and security to do their own research and listen to real experts. GrapheneOS has a solid track record of transparency, rigorous security practices, and commitment to user privacy. Braxman, on the other hand, has proven time and again that he is nothing more than a grifter looking to exploit fear for profit.

    The privacy community must reject misinformation and support projects that truly advance security. GrapheneOS is a vital tool for those who care about digital privacy, and it deserves our full backing against baseless attacks from individuals like Braxman.

      koyu And Rob Braxman is far from the only scam artist with a loyal following, in fact, a large part of the mainstream media, blogs, press, social networks, etc. is infected with misinformation and nonsense about security and privacy. Finding good sources takes research and hard work.

        Xtreix Fully agree. Unfortunately, trying to combat misinformation is a losing battle. It's quick and easy to think up misinformation and spread it around. It takes time to produce well-researched and verified information. By the time you've refuted the misinformation, they're already on to the next thing.

        I don't know what the solution is. This is all to say I feel for the GOS team. I'm sure it sucks hard to put so much work into something and have someone else tear into it for no good reason.

          Who are considered as reliable security & privacy experts?

            ejns Well, Mark Twain said that while lies can go around the world, truth is busy tying its shoes, so yes, it's complicated, especially as long as it's been going on. That said, I don't want to think that it's a losing battle, at least keep trying, get well informed and don't fall for scams.

            drtweakllc Who are considered as reliable security & privacy experts?

            In no particular order, I can mention Daniel Micay, Bruce Schneier, Brian Krebs, Moxie, Jason A. Donenfeld, Tavis Ormandy, Madaidan, Josh from Side of Burritos, Wladimir Palant, David Weston etc.

            Here are some good sources:

            https://github.com/beerisgood
            https://netrunner.academy/
            https://palant.info/

              I think such misinformation about GOS warrants either the first or both actions below:

              • No comment
              • Lawsuit

              If a fictional living person Bob is delusional to a point of accusing someone that they killed Bob, while Bob is very much alive and making such insane accusations, then there is no need to respond to Bob due to the rest of people recognizing Bob is wrong. The same way GOS does not need to defend itself against ridiculous accusations because insanity of such accusations is too obvious. Be pro-active, not re-active.

              GrapheneOS "It provides on-device machine learning models usable by applications to classify content as being spam, scams, malware, etc. This allows apps to check content locally without sharing it with a service and mark it with warnings for users."

              Everyone has been saying it's actually 1984 big brother digital data harvesting that checks all your nudes and uploads it to your Google Drive.

              As much as I dislike data harvesting and similar practices, it's also scary how much people lie on the practice... I feel like everyone is trying to sell you your privacy even when their products solve an issue that doesn't exist

              GrapheneOS "That would greatly violate people's privacy in multiple ways and false positives would still exist."

              Thank you for bringing this up! I work with a chat service that uses PhotoDNA to scan user uploaded photos. As far as I understand, because of false positives, if our image scanner ever catches something, we need to verify the report by hand before sending it to the NCMEC.

              It makes no sense for the NCMEC to push PhotoDNA onto everyone's devices for offline scanning reports.

              NCMEC is fairly closed off all things considered. As I said, working with them requires me to work with a separate child abuse prevention organization. I really doubt they would want millions of reports from offline devices with an API that could easily be exploitable.

              This is why I imagine reports only start coming in AFTER it's been uploaded to a Google service like Drive or YouTube.

                GrapheneOS reading up on brax.me

                "Hope that the server doesn't store the encryption key."

                Are they really saying that the 'end to end' encrypted chat uses a key exchange that exposes the private key to the server....alright then

                Very bad shit, I agree. Thank you GOS <3

                Well I 100% agree that Robert Braxman is a scam artist but damn you lost me in the last part.

                  Sad that the team must make statements for such clowns. Can't believe that people really believe the BS.

                  It doesn't have to be the intention of marketing their own product as a disguise; it could be intended to be the face or the influencer of online privacy, so whatever happens, people go to his channel for whatever purpose it may be.

                  GrapheneOS I guess it's Daniel speaking for GrapheneOS.

                  We the people who support and love the GrapheneOS project understand that you are tired of all this harassment.

                  Some people don't like the truth because it can reveal all the lies they're spreading around them.

                  As of today, GrapheneOS is the only serious hardening project based on AOSP after the retirement of the one-man behind DivestOS.

                  Michael Bazzell, a former FBI agent, believes that GrapheneOS is the optimal operating system for a mobile device, so do I.

                  In the Android support matrix from the leak of April 2024, Cellebrite, the world leader in mobile phone data extraction, specifically mentioned GrapheneOS and we know what it means.

                  You don't need to give a response to Braxman. Use your precious time to focus on GrapheneOS and the people you love.

                  By wasting your time with them, you are also worsening your health time after time and you don't want that, you don't need it.

                  Xtreix Don't get me wrong - I certainly believe it's a fight worth fighting. Users like us amplifying the trustworthy sources is likely a big piece of the puzzle.

                  Of your list, I only know of Daniel Micay and Brian Krebs - I'll give the others a look as well!

                  The people who are getting worked up about the possible detrimental effects this kind of "reaction" posts can have to
                  the image of GrapheneOS: well yes the ones responding will get tired and yes they can spend their time in better ways.
                  But guess why they are the ones who have to write these responses time and again for all the misinformation going on?
                  Guess?

                  It is because we, the peanut gallery aren't doing anything ourselves except wring our hands when the team actually posts a rebuttal.

                  "Daniel Daniel - Legal action, your health... yada-yada" is not helping anyone. Certainly not him.

                  It has been our experience that leaving people to spread their misinformation doesn't help. If Mr. Braxman is seen
                  as having the last word in any public space of discourse (or rather that cesspool called X) then your imagined gains
                  in mental health and developer productivity actually don't exist. It means just more people consume their discourse
                  and move on. Or worse bring those same talking points to our various community media. People like you who already
                  probably are using GrapheneOS are different from those who aren't. Hell, I can't really tell whether I would have fallen for
                  Mr. Braxman's lies years back. It is easy to forget our own naivety and imagine everyone knows the best. It is also easy to
                  be complacent and forget that Mr. Braxman still posts videos 'cause [drum rolls....]
                  people still consume them.
                  He has 560k subscribers, upwards of 30k views on his latest videos. That's more views than subscribers to the very sober, professional YouTube channel Side Of Burritos run by a friend of GrapheneOS.
                  That is an awful lot of impact for someone like Mr. Braxman.

                  If you really want the project to stop posting these, then I suggest to those of you who can do your due diligence
                  and take them misinformation posts apart in your own time. It does not help when the man has to do all these posts and
                  we watch and patronizingly give him advice on the problem while not doing much.

                  that_guy I didn't know Nadim Kobeissi and I honestly don't really have an opinion on the debate because I don't use the desktop version of Signal and don't recommend it.

                  Now, I'd say Molly and SimpleX are doing better, for me the days when Signal was necessarily number 1 are over, but it's still a very solid choice especially for the general public.

                  I watched his video "Client Side Scanning" and it's terrible the harm he creates in the privacy community.

                  People literally telling him thank you for a lie and how they are excited to buy his brax phone in the comments lol

                  All his marketing is on how big tech companies are bad and evil in everything they do. It's exactly what most of the people want to hear.

                  I don't think there is much to do right now to prevent him from spreading fake news. If 500k subscribers want to swallow his words despite the false information he's providing then it's up to them.

                  While you are angry because of him attacking the seriousness of the project and spreading fake news, he's enjoying his YouTube money and soon will sell his insecure phone to hundreds of people if not thousands. This dude only cares about making money, nothing less, nothing more.

                  That's why I'm telling you, it's not worth it. Let people find the truth themselves. If they want it, they will find it.

                  raccoondad Thank you for bringing this up! I work with a chat service that uses PhotoDNA to scan user uploaded photos. As far as I understand, because of false positives, if our image scanner ever catches something, we need to verify the report by hand before sending it to the NCMEC.

                  It makes no sense for the NCMEC to push PhotoDNA onto everyone's devices for offline scanning reports.

                  NCMEC is fairly closed off all things considered. As I said, working with them requires me to work with a separate child abuse prevention organization. I really doubt they would want millions of reports from offline devices with an API that could easily be exploitable.

                  This is why I imagine reports only start coming in AFTER it's been uploaded to a Google service like Drive or YouTube.

                  I am uncertain what you are trying to say here, but if you are an EU citizen you are probably familiar with the mandatory chat control provisions that was/are attempted to be added to the Child Sexual Abuse Reporting EU law, that mandates AI based client side scanning with automatic reporting on all end-to-end encrypted communication apps. Apple also voluntarily attempted to add something similar to iOS a few years ago, which also included scanning photos and videos stored locally on your device.

                  This is what @GrapheneOS was referring to as greatly violating people's privacy. It is very different from an internet website using PhotoDNA or similar. PhotoDNA is basically just a moderation tool, that helps automating the moderation that all websites are legally and ethically obligated to carry out anyway. PhotoDNA does not pose any threat to privacy, just as a human moderator reviewing all publicly uploaded content manually instead also wouldn't do.

                  But governments and even individual companies are trying to push these AI based CSAM scanners out to the individual devices, and start scanning content that actually is private, including content in private end-to-end encrypted chats, private end-to-end encrypted cloud storage, or even files stored locally on your device. These AI based scanning technologies are not just going to be used to scan content uploaded publicly to websites anymore. This is a huge threat to privacy, and a very real threat right now, which is why everyone is on their toes about this. Ironically it is even especially a threat to the privacy of the children these laws and technologies are supposed to protect, who now risk having their private sexual pictures sent to some random adult at some random government. There is also a huge worry about where it will stop. Governments weren't slow at starting to suggest other usages of this client side scanning, far beyond trying to detect online child abuse.

                  In the end, and what I think the GrapheneOS account was also trying to get at, is that it isn't the AI based scanning or even that it happens on your device that is the problem, it is automatic reporting of illegal content that is the problem. Blurring unwanted nudity in messages sent to you is a feature I think many would want to have. And Apple changed their mind and instead chose to use their AI scanning to warn children when they are about to send a naked picture of themselves to someone about the risks that might pose to them, so they can make a better informed choice. These applications have absolutely zero privacy risks, and also do not risk violating the rights of any group, including children's.