HN title: "France threatens GrapheneOS with arrests / server seizure for refusing backdoors"
LQDN: "Dans ces articles, la cheffe de la section cybercriminalité du parquet de Paris – à l'origine de l'arrestation de Pavel Durov – menace également les développeurs·es de GrapheneOs. Interviewée, elle prévient qu'elle ne s'« empêchera pas de poursuivre les éditeurs, si des liens sont découverts avec une organisation criminelle et qu’ils ne coopèrent pas avec la justice »."
In the (very short) linked article: No mention of arrest, server seizure or backdoor, and a more nuanced take. Loosely translated summary: Some users have a legitimate need to protect their communications. IF we find links with criminal organizations AND there is no cooperation, then we might take action. They're specifically taking the approach of a case by case hack of single phones which might cost up to a million euros. Is this an issue if there's a warrant?
What is cooperation? How are they supposed to unlock the phone?
Unless you're saying 'compelled to use their private keys to publish an update' or something along those lines, in which case I would say the original headline is correct.
Durov had long claimed he was in exile from Russia and couldn’t return and that he was a UAE/French citizen. then records leaked that showed 120 border crossings from 2016-2021 and that he still held a Russian passport. One such border crossing was a flight from St Petersburg on June 18, 2020 which happens to be the same day that Telegram was unblocked in Russia… Lots and lots of smoke..
You know I didn't use to understand libertarians, but after years of watching boundaries being overstepped again and again I think I see the appeal of burning it all down and living in a cabin in the woods.
Like, in Europe we already live in a completely safe society in historical and geographic terms, what more do you fucking want? Security is beyond a laughable excuse for things like chat control. Power tripping elitists will never be happy until they have the entire population under 24/7 camera surveillance and can read every thought in our heads as it occurs. If you make crime impossible, you make free will impossible.
The same reason there's only more regulations being piled on top of previous ones. Sadly only wars and similar catastrophes work as reset buttons for these things historically. A peace as long as the current one is somewhat of an untested ground
It’s important to defend libertarian values even when things are good. Small violations of civil rights have a tendency to stick around and snowball into something worse.
I'm talking about our society internally, not potential external attacks on it. It's reasonably high trust and crime is rare outside a few outlier cities. We could not be further from warranting these sort of fascist style crackdowns. Ironically yes we could be spending funding used for domestic surveillance and bureaucracy on buying more Himars.
I mean, Durov has been trying to push for Russian puppets to get elected in Romanian and Moldovan elections, by pushing to everyone (at least in Romania, he might've just posted on twitter for Moldova) that the French government is trying to interfere in the Romanian elections. I mean, it turns out, Russia was, on behalf of the candidate he was talking about... so take from that what you will.
Oh, yeah, and he calls himself DuRove now. Hats off for that one, but I hope he rots in prison for advancing the Russian agenda.
I'm sure you're very familiar with the politics of both countries, but tell me...
How is Nicusor Dan a puppet of the EU? More than Calin Georgescu? The guy who actively tried to stage a coup? More than George Simion? Granted, there's no PROOF he's a Russian puppet, but he's a far right twat that has views friendly to Russia.
How is Maia Sandu and PES a puppet of the EU? And... let's look at BEP. Voronin, Russia friendly ex President, he was very against Moldova trying to get closer to the West. And Dodon? The guy who is being indicted for treason, who's a friend of Plahotniuc (he stole 1 billion dollars from banks and fled the country)? Yeah, sure, puppets of the EU, vs corrupt fucking puppets of Russia.
I know it's easy to look at this stuff from the outside and say, oh, yeah, the EU is interfering in elections, but there's a lot of history here that you obviously don't have. I like Maia Sandu more than Nicusor Dan (his positions on gay rights were disgusting a while back, he now just stopped talking about them), but compared to the obviousness of the Russian support for their opposition, I think the fact that the EU supports them is just insignificant.
> As of 2018 through an initiative sometimes termed "Five Eyes Plus 3", Five Eyes has agreements with France, Germany, and Japan to introduce an information-sharing framework to counter China and Russia.
Yep. That’s the implication, and it’s disturbing. It also implies the US government knows - otherwise why wouldn’t they use their influence to put an end to this?
Not really. It's one thing trying to bully a relatively small FOSS project, it's quite something else to take on one of the world's biggest companies that can afford a literal army of lawyers and that also has the power to have the US government intervene on their behalf.
Actually, in some ways, it is easier to bully large companies - because those companies are less flexible in avoiding confrontation with the authorities in a certain state. For Google to avoid having a legal presence in France is much harder than for the GrapheneOS project to do the same.
But - valid point regarding having the US government intervene.
you’re getting the logic wrong. i’m absolutely sure apple and google have direct cia backdoors. that’s what Snowden taught us and it would be delusional to think the world has changed. The bigger the company = tighter the link with power
True freedom, of any kind, requires freedom to say things and think things in private. I sometimes think horrible things and even discuss them with my friends. I need that space to work out issues. Without a truly safe space I would eventually go mad as I suspect many people would. The other part of this is that a basic requirement of freedom is trust with accountability. It means we allow things that may be harmful but if things go bad we hold those responsible accountable after the fact. It also means we may not catch all the bad guys and that is OK because the alternative is that everyone turns into a bad guy when we prevent people from doing things in case they will be bad. There is a balance here but the position that a govt will always have access to all private individual (acting in a private capacity) communications is not anywhere near a reasonable balance.
Is it safe to assume, then, that Google and Apple already have backdoors in their operating systems as likely requested by many governments around the world (not least of which the one from their home country)?
Or is GrapheneOS the only one built securely enough to need to be leaned upon?
Either way, makes Google and Apple look bad and/or incompetent and GrapheneOS look like some kind of beacon of user protection / privacy rights / other things that are the opposite of the direction the world seems to be moving.
Every time I travel internationally I immediately get notifications for Android OS updates. I'm pretty sure they are for satisfying local regulations about the phone's behavior, including the topic at hand.
Interesting. I have never seen anything like that in many years of frequent travelling while using Android. Which countries did you see this in? And are you using stock Android or some vendor's version?
I'm currently abroad with a notification for "November Pixel Drop update available" that appeared the day following my arrival. I believe I had already installed the November update back home earlier in the month. Every time I go back home, a couple of days later I get an update too.
I'm not claiming to know of any foul play, but it has happened several times, enough for me to notice. If it was related to time of the month, it wouldn't be as consistent. It might be that you need specific combination of phone, configuration and network provider for this to happen. Maybe I've been p0wnd, but I've noticed this behavior since at least the Nexus line.
Apple has already taken the US government to court and forced them to back down after the FBI demanded that they insert a backdoor into iOS.
> In 2015 and 2016, Apple Inc. received and objected to or challenged at least 11 orders issued by United States district courts under the All Writs Act of 1789.
This year, Apple took the UK to court and announced that they would strip encryption features from UK users before they would give in to UK demands for an encryption back door before the UK backed down.
If Graphene has the money to do so, they should fight it out in the courts.
It likely not due to any backdoors present, more so due to weak default setting plus alternate routes to the data. Things like backups being unencrypted either by default or when uploaded to the cloud. you don't need to ask for a backdoor if most users don't have encryption enabled.
Additionally, I would assume/guess that if it's some kind of coordinated campaign involving media then there is no law to compel GrapheneOS to do this. If they're was a law then that would be the pressure, as opposed to media articles.
What that then implies is a campaign to convince the public a law is necessary, ie. they're already laying the ground work for support for the next version of a Chat Control bill.
I seem to remember the FBI attempting to compel Apple to decrypt a criminal's iPhone, only for Apple to refuse and claim that it wasn't possible. I'm not sure exactly what happened after that. I think it was suspected that the NSA was able to do it by exploiting an unpatched zero-day. So they didn't need Apple's help anymore and the issue was dropped from the public's eye.
1. Apple can and does comply with subpoenas for user information that it has access to. This includes tons of data from your phone unless you're enrolled in Advanced Data Protection, because Apple stores your data encrypted at rest but retains the ability to decrypt it so that users who lose their device/credentials can still restore their data.
2. Apple has refused on multiple occasions, publicly, to take advantage of their position in the supply chain to insert malicious code that expands the data they have access to. This would be things like shipping an updated iOS that lets them fetch end-to-end encrypted data off of a suspect's device.
Not to mention, while apple will publically deny it, there are government agents working undercover at every major tech firm. They may or may not know. They certainly exist.
I don't remember Apple ever saying that it was impossible for them to do it, just that they didn't want to.
It was always kind of assumed that they could, by eg signing a malicious OS update without PIN code retry limits, so the FBI could brute force it at their leisure, or something similar.
They said it was impossible for them to build a backdoor into iOS that would only be accessible to legal requests from law enforcement, which is true in the strict sense. So law enforcement bought a vulnerability exploit from a third party.
They successfully argued in court that being forced to insert code the government wanted would be equivalent to compelled speech, in violation of the first amendment.
As the Feds often do, they dropped the case instead of allowing it to set a precedent they didn't want.
> They successfully argued in court that being forced to insert code the government wanted would be equivalent to compelled speech
This isn't true, they never "successfully argued in court". There was never any judgement, and no precedent. They resisted a court order briefly before the FBI withdrew the request after finding another way into the device.
And of course Apple is quite right not to miss the marketing opportunity, on behalf of the shareholders. While acquiescing to lawful demands of course.
If you follow the things that have been disclosed / leaked/ confirmed when they’re 20+ years out of date, then yes the probability this is true is significant.
I recall there being a little more substance to it at the time. But looking back from where we are now, that is a succinct way of describing its results.
That being JTAG debugging. Now there are greyhat groups discovering what they can do with it beyond bypassing the PIN at power-up. Honestly surprised phones are not being sold/marketed as having that disabled on both bluetooth and USB.
Of course the likes of Apple and Google are complying with lawful orders from the governments of countries they do business in.
Businesses that don't generally cease operating in said country. LavaBit was a highly visible instance of a business shuttering itself instead of complying with such lawful orders.
That's also the ploy of basically every VPN provider out there. They say they don't store or give out data, but they still adhere to lawful requests. That necessarily includes requests from countries where they legally offer their service, even if their HQ is in some country with lax legal frameworks. It also means, if there is a legal way to coerce them into recording your data or handing it over, they will do so.
They also mentioned they only respond to court orders (ie. not just because the cops asked nicely), will try to appeal as well. That's better than most ISPs, who would either give up data without a court order, or won't bother appealing.
Google and Apple were infamously official data providers[1] of the NSA's illegal and unconstitutional (as ruled by a federal judge[2]) warrant-less surveillance program (PRISM[3]) exposed by Edward Snowden.
It's safe to assume that software provided by every large, publicly-traded, for-profit technology company incorporated in the USA cooperates extensively with US intelligence agencies, and therefore by extension, the "Five Eyes" alliance, at a minimum if not also the "Nine Eyes" and "Fourteen Eyes" alliances [4].
The article is kind of interesting: on the one hand, you’ve got a tool that can be used by ordinary citizens and political dissidents for legitimate reasons. On the other, the French police were mildly inconvenienced during their arrest of a small-time drug dealer.
I think your devices should have government-mandated backdoors if and only if you are a public servant. I don't understand why private citizens are held to higher standards of conduct than politicians and cops.
I've been saying this for years: the more power you have the higher standard you should be held in. In most societies on the planet it's the other way around.
Everyone agrees with this obviously but it's like saying that we should be able to levitate or live in utopia. It's almost a law of nature that the types that become powerful are not your most savory individuals and will use the power to reinforce their positions.
We have tons of different systems for accumulating power all over the world. Corporate structures, democracy vs autocracy, etc. In each of those societies, we see different types of leaders on a sliding scale of savoriness.
My point is that clearly there are some forms of governance which result in more savory people and so you can argue that it's the systems that define the outcomes rather than any "law of nature".
It's a law of nature that they will _try_.[0] That's why people should always have ways of defending themselves, whether it's with courts or guns.
[0]: This is not a figure of speech - many anti-social traits which result in NPD, ASPD and their subclinical versions[1] are genetic. There is literal evolutionary pressure to exploit others.
[1]: Meaning the trait is sufficiently pronounced to be harmful to others but not enough to be harmful to the person having it so it's not diagnosed as a disorder.
I've been saying this too but lately I think the fundamental notion of power is wrong. There's 2 perspectives which are 2 sides of the same coin:
---
All social relationships should be consensual.
This means based on _fully-informed_ consent which can be revoked at any time.
This already marks employment as exploitative because one side of the negotiation has more information and therefore more bargaining power. Not to mention having more money gives them more power in a myriad of other ways (can spend more on vetting you, can spend more on advertising the position than you can on advertising your skills). Just imagine if people actually had more power than corporations - you'd put up an ad listing your skills, companies would contact you with offers and you'd interview them.
Citizenship is also exploitative because you didn't willingly sign a contract exchanging money (taxes) for services (protection, healthcare, roads, ...), in most countries you can't even choose which services you want to pay for. And if you stop paying, they'll send people with guns to attack you. This sounds overdramatic (because it's so normalized) until you realize from first principles that is exactly what it is.
_If democracy is supposed to mean people rule themselves, than politicians should be servants which can be fired at any time._ In fact, in a real democracy, people would vote on important laws directly and only outsource the voting to their servants about laws which don't affect them much, or they'd simply abstain.
---
Power should come from the majority.
This should naturally be true because all real-world power comes from violence and more people can apply more violence (or threaten it, when violence is sufficiently probable to be effective, it usually does not need to be applied, the other side surrenders).
But people who are driven to power have been very good at putting together hierarchical power structures where at each level the power differential is sufficiently small that the lower side does not need to revolt against the upper side. But when you look at the ends, the power differential is huge.
Not just dictators, "presidents" or presidents but "owners" and "executives" too.
You don't truly own something you can't physically defend. When you as a worker finish a product, you literally have it in your hands. You could hand it over to a salesman and you'd both agree on how to split the money from selling it. But instead, you hand it over to the company (by proxy its owner) which sells it and gives you your monthly wage irrespective of how much the product made. The company being free to fire you or stop making the product obviously makes more money then you - it's an exploitative relationship.
But why do you hand it over? Because if you don't, they'll tell the state and it'll send people with guns to attack you.
---
Bottom line is if people had equal bargaining power ("equality"), then if they chose to temporarily give "power" to someone in one area, they'd obviously take away their "power" is some other area. Why? Because they'd know if they didn't, the more powerful person would use this power differential to get even more power, and so on, starting the runaway loop we have here now.
Even then the backdoor should be on their government device and not the personal devices.
Note that having their personal device when doing government work should be prohibited (that is you can't have it in your pocket when working). As is using your personal device for anything government (other than a formula check your government device call/text - employees should be regularly tested that they report any government communication that doesn't follow the formula)
> devices should have government-mandated backdoors if and only if you are a public servant
This would be an intelligence bonanza.
Better: mandatory, encrypted logging. Officials maintain the keys. When they leave office or are subpoenaed, they have the means to grant access. (If they can send and read their messages, they have the keys.)
And ideally an illustration to those in power why backdoors are never a good thing. They won't care if it's not happening to them. But if their devices are suddenly incredibly insecure due to their backdoors, they might just rethink the concept entirely.
We do have things like the Freedom of Information Act in the US, and I think a lot of European countries have similar laws. Yes it isn’t perfect and could be enforced more evenly.
But obviously, if you work for the military there is information that needs to be kept secure…
Backdoors exist for everyone or they exist for no one, this technology isn't one that has room for a gray area to debate. If it can be deployed to public servant devices, it can be deployed to your device.
Only if they're using the same devices everyone else uses. If they're required to use a certain kind of hardware, or they're required to submit their device for hardware modification, this stops being an issue, doesn't it?
That is totally not true. They can be forced to install an app on their device that creates the backdoors. Companies do that all the time. An OS doesn't need to have backdoors built into it for backdoors to be added to it. Kinda the point of an OS is that it is general purpose.
Logistically, when you combine private citizenship with government you get corruption problems because incentives are so misaligned.
In fact private citizenship combined with government is the origin of corruption. Think about it, as a government official your incentive should be to preserve order, fairness and honor. As a private citizen your goal is to optimize the amount of money you make via business or employment through whatever means possible. That means exploiting loopholes and possibly when no one is looking, breaking the law.
The incentives are orthoganol and it does make sense to have a different set of rights and rules for government officials and private citizens. The minute you take the attitudes of private business/citizens into the world of government you get people creating rules that are corrupt.
> As a private citizen your goal is to optimize the amount of money you make
Ok.
I'm interested in why you think this is the goal of citizens (but not of government).
To be clear: I don't believe this should be the goal of government. I don't really understand why this should be the goal of citizens. I've emphasised the term "should" here, which is a somewhat odd moral term in general, but if we're applying a "should" to government to differentiate them from private citizens, there needs to be a symmetrical. Optimizing individual wealth is certainly an emergent goal of specific individuals, but I can't think of a reason to broadly apply a moral "should" to this goal. If we're optimising for positive outcomes at a system/global/community level (which is generally the intent of wanting a functional government), then encouraging citizens to hoard wealth has not tended to be (positively) contributory to such outcomes.
I'd argue the incentives of elected government and private citizens are even more misaligned than "private" ones.
Elected government official doesn't own or have perpetual interest. All he can do is plunder as fast as he can in his unowned fiefdom before it passes on to the next guy. Fully private government would have incentive at least to preserve the value of the "Kingdom" if nothing else for his own children and because he sees the Kingdom as his own and destroying it for short term gain would be irrational.
But then you have the tragedy of the commons. As a central dictator, yes you want to preserve your government, and you act in ways that do this because you are the direct owner.
But in a democracy where you are one government official among many many other officials, one small corruption change that benefits yourself individually hardly effects the overall government. It is rational for you to do small damage to the overall government and gain a reward that benefits you disproportionally. It is the MOST logical action.
But then every government official acting rationally in aggregate causes the overall government to become extremely corrupt and that is the tragedy of the commons. Rational action in aggregate becomes irrational. Government needs to be separate from private business.
I guess it's because it's so culturally ingrained that it's hard to separate. The chase for money and business is entirely cultural. Money is paper and it's all fantasy stuff and the reason why we value it is solely because of culture. Government ideally needs to be seperate from this culture and have a more militaristic based honor structure where the incentive is to guard the citizenry. Government needs it's own cultural values. Easier said than done, practically every government official IS a private citizen and they all face the same misaligned incentives.
> You cant understand why the people with a monopoly on violence and force have higher scrutiny? -- @retr0rocket
Replying here to this seemingly flagged/dead comment (not sure why it was flagged - a very reasonable question).
I fully support higher scrutiny of public officials & cops, but this frankly isn't that. First & foremost, the problems you're describing are systemic, not individual. Monitoring a cop's phone isn't going to reduce police violence if the system isn't accountable - this is essentially the "bad apple" argument. The entire system needs drastic reform: backdoors won't solve any real problems here.
Secondly, independently of the levels of reform needed, at an individual level we're talking workplace conduct, reporting, protocols & transparency -vs- dystopian privacy invasion. There's a very broad spectrum here long before we reach the need for extremes.
Lastly, you need to look at the systems doing the monitoring of politicians' & cops' phones in this hypothetical scenario: if those systems contain the same systemic corruptions (which they inevitably do), the entire argument for oversight is moot.
Politicians are routinely ordered to surrender their communication to justice to audit what they do. Missing texts from Von Der Leyen is at the heart of Pfizer-gate after all.
I don’t really know what to think about this to be honest. I don’t think it’s entirely black and white and I find it surprisingly easy to play devil advocate.
Remember that the US government has an insane level of access to private communications via all the post 9/11 laws, how cosy it is with the main tech companies and we know they do a lot of these spying unofficially and with little oversight since Snowden.
Meanwhile, France is struggling with an unprecedented level of organised crime activity with the amount of violent crimes reaching worrying level. There has been a huge increase in the quantity of cocaine being smuggled from South America and the mean in place to tackle the issue increasingly look vastly undersized. Limiting the discussion to it being authoritarian measure is refusing to acknowledge the very real challenge police currently face.
The only problem with that train of thought is that you are advocating a lower standard. Backdoors are not a superior option in any circumstance whatsoever.
The standard of conduct we need (and are failing) to hold politicians and cops to is actual security and responsibility. Some of the most powerful politicians in the world are leaking private conversations, and no one is holding them accountable. Police are paying private corporations (notably Flock) to build giant monolithic datasets from stalking private citizens, yet neither party is held to any standard whatsoever.
Who says they would? The point is the people would vote to have them held to this higher standard. They represent the people's will. They shouldnt get to choose other than their personal vote, the people choose. If they don't agree with what the people choose then they can leave politics.
As much as I want to agree with you, no, backdoors for them mean backdoors for everyone else. It's all or nothing. Now, they should be held to a higher standard, and face stiffer penalty than the regular prole because they should be the example-setters.
Do better policing (and that doesn't include trying to backdoor devices), but backdoors aren't the answer.
There's a top tier DEFCON talk by the Lavabit email guy. He explains where the line is for access to phones and other encrypted information. I'll try to summarize -
1 - Law enforcement have actual information about the probable contents of your phone (like an incriminating filename will do). They can reasonably expect to get a warrant and access to your stuff.
2 - They don't know what's there at all, and have no probable indication of the contents, and in this case they cannot expect access because they would just be going fishing.
Following the propaganda of the ministry of interior, several articles were published in press about GrapheneOS, which is described as a solution for criminals because it allows to hide things.
La Quadrature du Net [similar to the FSF with regard to defending users' rights] argues that the purpose is of course not cybercrime, but to secure and protect the privacy of its users.
The head of the anticybercrime brigade of Paris threatens of suing the developers of GrapheneOS if connections with organized crime were to be found.
The government has repeatedly tried to extend cyber-surveillance previously. They are trying to use a law designed to fight drug traffickers in order to enforce backdoors in services that use cryptography, such as Signal or WhatsApp, without any success for the moment.
---
So, it's a threat before having a proof. They also mention the arrest of Pavel Durov, who was arrested because Telegram failed to answer legal requests, which was then constructed as complicity with criminals using Telegram, but that's obviously a very different case.
But of course, if they succeed in forcing backdoors, criminals will just use other ways to communicate (doesn't matter if they are legal or not because, well, they are criminals...) or tricks; for instance, back in the day when (analog) phone calls could be wiretapped, they were already using code words. They could use e.g. steganography tomorrow.
But we will be left with backdoors that are an unacceptable compromise on security and privacy. This is a recipe for dystopia considering that far-right parties are getting stronger in Europe, including France.
Oh! It's about drug trafficking. Then I have nothing to hide. Please root and backdoor my phone. And also give the keys to all the hackers around the world...
I like grapheneOS. Their have a clear focus and that should be respected. However, all that drama about e/OS they are creating and claims about fascist law enforcement are a bit over the top IMHO.
Larger companies are easier to influence than small ones, no intimidation is necessary.
Protecting user privacy delivers close to 0 shareholder value, being friendly with nations wins you billions of dollars in contracts, regulatory protection, and friendly courts, it's a win-win for big companies and surveillance states to be friendly with each other.
I don't think so; (but at the end of the day, you can never be 100% sure unless it's 100% OSS)
But with that being said both Apple and Google store a lot of data about you, and they are willing to "cooperate" with the government, and they did hand over data in various of cases Apple included [1]. For some reason, people think of as the "privacy company".
btw, big tech also get harassed for similar requests: The UK, for example, is still pressuring Apple to build an encryption backdoor [2].
I can understand you thinking that and there's probably some truth to it but do I consider Android and iOS compromised with government backdoors? No. What do I base this on? The lucrative black market for Android/iOS 0days.
And who's buying them? Generally, state actors, directly or indirectly. There is an entire ecosystem of Israeli "security" companies that exist to farm out these exploits. This is a big part of why Israel is such a key component of the American national security infrastructure. Israel is largely beyond the jurisdiction of American courts and any kind of direct scrutiny by the government.
It's a bit like how the US isn't (technically) allowed to spy on US citizens. How do they get around this? By farming out such activities to allied intelligence services, particularly Five Eyes members.
This entire ecosystem and marketplace just wouldn't exist if Android or iOS were fully backdoored.
I see your point, but this could also mean that the backdoors are there, just only a few organisations know it (let's say US army) and then they get found and found again
In the end, wasn't EncroChat a larger problem for the criminals than the governments?
Once it became a big enough target it got taken down, and then quietly run by the police who collected everybody's messages for months before triggering a huge round of arrests, including quite a bit of major organized crime across Europe. The dangers of centralization. They'd love another EncroChat!
Doesn't apply so much to GrapheneOS of course since they're not in the messaging platform market, but it's definitely a cautionary tale.
I watched a fascinating documentary about EncroChat (https://www.channel4.com/programmes/operation-dark-phone-mur...). It was obvious the police absolutely loved having this real time feed into criminal communications, and thought "let's have more of that please". They don't realise the consequences are that criminals won't use such forms of communication once they know they're backdoored.
Probably something like this would be close to the same colloquial meaning (I'm not familiar with any pants-shitting slang in French):
EncroChat leur a foutu les jetons de ouf.
The linked article from Le Parisien (a big French billionaire-owned newspaper) is quite nuanced.
It gives the police's view on narco-trafic crime, but also Graphene's take :
"Criminals and traffickers also use knives."
This organization, which is not a company but a foundation, emphasizes that its solution is used by ordinary people who dislike how apps and operating systems handle their data. It adds that if criminals use Google Pixel phones and GrapheneOS, it’s because these solutions work well. But that doesn’t make them accomplices, they assure. "Criminals and traffickers also use knives, fast cars, and cash—things that are also widely used by honest citizens," its representatives note.
And GrapheneOS adds that it protects users from hackers and intrusions by the secret services of totalitarian states. "We consider privacy a human right, and we are concerned about projects like Chat Control (a European bill aimed at detecting child sexual abuse material in messaging services, but which has faced significant criticism) that the French government supports. The invasion of privacy enabled by such legislation would have alarming implications under an authoritarian-leaning government," it argues.
I didn't read it[0] as being particularly nuanced. I thought it was a fact-loose, extremist hitpiece against FOSS, containing howlers such as
> "Particularité de GraphèneOS : on peut se le procurer autant sur le darknet que sur des sites grand public." ⇒ "A distinctive feature of GrapheneOS is that it can be obtained both on the darknet and on mainstream websites."
Quoting "both sides" (so to speak) doesn't automatically create a thoughtful dialog.
I'm unsure whether it's appropriate to trust Le Parisien's equivalencies.
Q: Do they have a track-record of intellectual honesty?
Equivalencies are powerful, and dangerous if mis-handled.
E.g. this is worrying [from the article]: "A unique feature of GrapheneOS is that it can be obtained both on the dark web and on mainstream websites." Le Parisien is calling out GrapheneOS's availability on the "Dark Web" as significant, in the context of "Drug Trafficker's Secret Weapon". Banned books can also be acquired on the Dark Web, and banned books are not illegal, yet, in mainstream democracies. So Le Parisien's equivalency, here, is misleading.
now now comrade, if the book is banned, how is it that you are in possession of it? you're clearly breaking the rules. I do believe it is time for you to start counting trees
Nah, you're right. They title it "knife ban" but they list specific "knifes" that you can't carry, such as a sword (lmao at it being considered a knife)
I used to own many butterfly knifes in Middle School. Feels weird that you could be arrested for that in London
Who are 'they'? There is no official thing called a 'knife ban', and again, there are no laws about knives specific to London. There aren't really any laws about anything that are specific to London, as there is no corresponding legislative body.
I think the post you’re replying to is alluding to the fact that London has a knife problem, despite carrying knives being illegal there. Meanwhile a number of places don’t have that problem, even though it’s legal there.
BTW As an outsider, this “knife” euphemism caught me off guard a while ago. When you read about these stories from London, it’s usually about machetes. It’s one of a number of euphemisms Brits use around the topic, making everything around the topic sound pretty mild if you’re not from there. Then you learn one more euphemism and think “oh wait, that guy/gal back then was talking about this? wtf?”
It’s not in general illegal to carry knives in London (or again, in the rest of the country, which has the same laws). Small knives are permitted generally and larger knives may be carried for specific reasons (e.g. religious). To say that it’s illegal to carry a knife in the UK is roughly as misleading as saying that it’s illegal to carry guns in Texas. In both cases there are applicable laws, but there is no blanket ban.
London has a knife crime problem in the important sense that any number of people being stabbed is a problem. However, it’s worth bearing in mind that cities like NYC have a slightly higher rate of fatal stabbings per capita. (Non-fatal robberies and assaults are tricky to compare across countries because of different data collection methodologies and different classifications.) Of course it would be good for fewer people to get stabbed, and knife crime is a serious problem for some specific communities, but the city as a whole is not experiencing the kind of knife crime epidemic that you might imagine if you get your news from alt right TikTok accounts.
This article is as absurdly biased as it could be! Of course they provided a quoted response from GrapheneOS devs: that's the only appeal to credibility they have.
A truly responsible journalist would explain to their audience what is actually at stake, not simply spout every available position as if it were equivalent.
> Le Parisien (a big French billionaire-owned newspaper)
They're all billionaire owned. As an example, left wing newspaper Liberation has Kretinsky among the owners
One thing though is - knives, fast cars and cash aren't built with deliberate motivation of thwarting the law enforcement and criminal investigations.
GrapheneOS and its systems are - you can walk through history and see that they're deliberately working on systems that defeat law enforcements efforts of collecting data from seized devices and tracking criminal networks.
This is a massive difference - even for knives and cars, you'd get into some hot water (or outright illegal behaviour) if you build them with express purpose to make them hard to find and track by law enforcement. Try making a company that focuses on cars that hide its license plates from the police and you'll see how far that will go.
This is one thing that GrapheneOS, Signal and others will need to at some point reckon with - the fact that they deliberately work at making law enforcements work harder and provide effective cover for criminals will get them into hot water. And I don't think population will stand at their side when they find that they've been helping CSAM traffickers hide their loot.
Having all that anti-governmental rhethoric won't end well for longerm survivability of these projects - which sucks for all of us.
Graphene shouldn't have to reckon with the abuse of government, we should step in and speak up for them. If having a secure device becomes criminal, only the criminals will have secure devices.
Law enforcement is being lazy by trying to rely on mass surveillance rather than espionage tactics to catch criminals. Criminals learned long ago how to work around surveillance, so this doesn't really work on them. But it does subject the public citizen to undue scrutiny and violation of privacy, which history has shown is then used against the innocent. We don't need any more reminders of how popular authoritarianism has become. And it's often used to pin a crime on an innocent person (a common police controversy), or intimidate and harass them (see FBI).
> I don't think population will stand at their side when they find that they've been helping CSAM traffickers hide their loot.
This is just one of many examples of a false rhetoric used by politicians to manipulate the public into cow-towing to mass surveillance. We cannot stand for this and must fight it at every turn. "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."
Beware, though, the key words in that quote are not "liberty" and "safety" but rather "temporary" and "essential". You can replace "liberty" and "safety" with any other nouns (including "safety" and "liberty") and it's still true.
Which is not to excuse the fascist actions of the French government. I just don't like that quote.
I think your point is that there is evidence that the intention of some or all of the developers and/or the organization as a whole is to make law enforcement more difficult. You go on to argue that this intention fundamentally alters how society, or at least law enforcement arms of government, should view this technology. Specifically, I take your argument to be that law enforcement should or will treat them as accomplices to some degree of the crimes they enable.
Genuinely curious: what did you see in GrapheneOS history that indicates that the OS is specifically designed to defeat law enforcement (as opposed to their stated goals of defeating ad surveillance and stalkerware)?
There is no way to have a completely secure operating system, safe from hackers and spy organizations and thieves, that is also accessible at the whim of law enforcement. Period.
If we can't trust hosted services to protect our data, and we can't trust our own computers to preserve our data, the right to privacy simply doesn't exist.
So which knife makers are serializing their kitchen knives so they can be traced back in case of a crime? How many knives come with a GPS tracking its position? Well too expensive, what about an Airtag. No? By your roundabout logic this qualifies as “deliberately working on systems that defeat law enforcements efforts”. It’s an absurd argument.
To actually do any crime with GrapheneOS you would also need at least a VPN and basic understanding of operational security. Just as you would need a lot more than just a knife and car to be a successful criminal.
A Pixel phone with GrapheneOS is not some magic device that let's you do crime without immunity, but that’s the story they want to sell you.
Are you livestreaming your face on Twitch right now? If not, why are you deliberately making it harder for police to catch criminals? It would be so much easier for police to catch criminals if everyone livestreamed on Twitch 24/7, it should be a crime not to do that.
Given the fact that most protests are organized on facebook groups, how does one keep him/herself aware of eventual protests to come without Facebook/instagram? I d gladly join for a cause i support
Edit: I wonder why this is downvoted. The bureaucratic class holds enormous power in France, and has constantly acted against digital rights and privacy with impunity. The only institution that can somewhat restrain them is ECHR.
Just to be clear about what is really happening right now;
There were three articles from newspapers (Le Figaro, Le Parisien) known for their rightist, pro-cops, opinions, and owned by billionaires (LVMH/Arnault, Dassault). In those articles, GrapheneOS is associated with bad actors purpotedly using it as a way to obfuscate their activities.
A comment was made by Johanna Brousse, Chief of French Cybercrime Unit, stating she would not refrain from pursuing the publishers if links were found with a criminal organization and they refused to cooperate with the justice system.
Another claim from a police investigator equates GrapheneOS usage to illegal activity.
> Two articles in Le Parisien yesterday, followed today by one in Le Figaro, have launched a shameful attack against GrapheneOS, a free and accessible open-source operating system for phones. At La Quadrature du Net, it's one of the tools we favor and regularly recommend for protecting against advertising tracking and spyware.
> Echoing the propaganda of the Ministry of the Interior, newspapers describe GrapheneOS as a "crime-related phone solution," and a police officer adds that its use is suspicious in itself because it indicates an "intention to conceal." By portraying GrapheneOS as a technology linked to drug trafficking, this attack aims to criminalize what is actually a secure privacy-preserving tool.
> In these articles, the head of the cybercrime section of the Paris prosecutor's office – who was behind the arrest of Pavel Durov – also threatens the developers of GrapheneOS. In an interview, she warns that she will "not hesitate to prosecute the publishers if links are discovered with a criminal organization and they do not cooperate with the justice system." https://archive.is/20251119110251/https://www.leparisien.fr/...
> The government regularly tries to link privacy technologies, particularly encryption, to criminal behavior in order to undermine them and justify surveillance policies. This was the case in the so-called "December 8th" case, where a police narrative was constructed around the (secure) digital practices of the accused to portray a "clandestine" and "conspiratorial" group. https://www.laquadrature.net/2023/06/05/affaire-du-8-decembr...
> Now, drug trafficking is being used to attack these technologies and justify the surveillance of communications. The so-called "Drug Trafficking" law was thus used as a pretext to try to legalize "backdoors" in encrypted applications like Signal or WhatsApp, without success. https://www.laquadrature.net/2025/03/18/le-gouvernement-pret...
> An article in Le Monde diplomatique from November extensively examines the history of the political exploitation of drug trafficking to justify security and surveillance policies. The police attack on GrapheneOS fits perfectly within this pattern. https://www.monde-diplomatique.fr/2025/11/BONELLI/68915
> In its response published yesterday, GrapheneOS points to the authoritarian tendencies of the French government, one of the most fervent supporters of the "ChatControl" regulation under discussion at the European level, one of whose goals is to put an end to end-to-end encryption. https://grapheneos.social/@GrapheneOS/115575997104456188
More graphic content needed to get folks to click through: This is excerpted from the result of G-translating the Parisien link:
"This 27-year-old alleged trafficker is suspected of having run this drug telephone platform which, between 2023 and 2024 in Paris, collected a turnover of two million euros and is said to have caused three overdose deaths during chemsex parties."
I think you meant https://mamot.fr/@LaQuadrature/115581775965025042 instead of a link to "Le Parisien", which is not a non profit, but a newspaper owned by LVMH/Bernard Arnault, and known for having rightist opinions.
Everything about the exercise of power in the digital world is tilted away from the individual.
Windows 11 moved all my files into the cloud without even asking me! I was livid--those are documents that I deliberately DID NOT WANT in the cloud! It's crazy what malice we have to put up with and navigate these days. It just keeps getting worse and more convoluted, too.
There were many decades where phones didn't have back doors. Now, it's the opposite case in the most dystopian way. It's concerning that all phones are required to have back doors for law enforcement and the enforcement is severe. I know several people who have a corrupt "cop they know" that they can regularly contact for favors. Why is it so out of the ordinary to distrust law enforcement when they have these tools?
> There were many decades where phones didn't have back doors.
Your cell phone provider almost certainly will respond to a valid warrant and wire tap your non e2e encrypted phone call.
I'd be very surprised if the most common mode of remote communication in any time period was not subject to government interception in some format within a short time of becoming such. That includes physical mail, telegrams, landlines, cell phone calls, txt messages, emails, etc.
Referring to "how things used to be" is not in fact helping the case for privacy.
I don't think people are arguing against complying with valid warrants. They object to blanket surveillance being done with tools available to any law officer that can be used at any time, warrant or not.
Of course they will respond to warrants, they have to, and nowadays they have the infrastructure to forward all traffic to law emforcement's servers in real-time.
We're discussing this in regards to an article where the obvious "solution" was found by the government to this very approach. You're free to build it that way and we're free to put you all in jail afterwards as a result. Rubber hose decryption at its finest.
Phone operators are heavily regulated and licensed, and this is a legal requirement and a requirement of their licence. Complying with lawful warrants is also obviously a legal obligatuon.
Dear French: criminals would just use fake spam emails or bullshit trolling posts under fake Usenet groups in the clear. No encryption needed, and yet your would earn nothing by backdooring them
At the end of the day, these attacks on privacy are always in reality for keeping incompetent politicians and bureaucrat's safe from meritocracy.
Built into the onslaught of demands of backdoors are two key ideas: A) That the backdoors will only be exploitable by the authorities and that B) they're even necessary to carry out their work in stopping trafficing.
I think most people know by now the first idea is preposterous. The second idea is too. The EU should focus on better police tools and tactics that detect and track the actual movement of goods.
Sadly, I don't think that that's true. I've been shocked by the lack of understanding there in groups of technical people who should know better. It's even worse in groups of non technical people. I'm afraid this is an ongoing battle, and every time ideas like this come up from government it's going to be an effort to inform the public.
> The EU should focus on better police tools and tactics that detect and track the actual movement of goods.
This is a point that doesn't get raised very often: the actual crimes occur in "meat space", not electronically on a device. Haven't police and intelligence been solving crimes like that since 'the beginning'?
The coordination of a crime may be done electronically 'on device', but the actual crime occurs somewhere physical, generally with physical objects and the presence of the criminals themselves.
Why is it suddenly so much more difficult for law enforcement to do their jobs that the privacy of every member of the public needs to be able to be invaded?
Are police forces under-resourced to take on the "how it's always been" approach to fighting crime? Are law enforcement being subject to inapplicable software engineering rules of efficiency to save money? (Ie. Too much focus on the metrics, not the outcomes).
Don't police have great physical surveillance tools? Yes, it may cost more in having to physically surveil targets, but that seems (to me, and this is where the rift lies) that's a good compromise opposed to surveiling the entire populace.
Anyone can say anything in a piece of correspondence that they think is private. If it's made public it completely changes the context. A joke between friends, criminals or not, can look like conspiracy to X, Y, or Z. Research for a crime novel could appear like preparation for a Louvre heist. And even if it is, it's not a crime until it occurs, until that point it's not 'real', the thing suspected of being planned hasn't actually taken place until it takes place. Are we implementing pre-crime without the three psychics?
And one thing I know for sure is that law enforcement do not understand context. They're bred to find guilt, not innocence, and having a larger haystack they'll find plenty of hay they think look like needles. Gotta hit those metrics.
There's plenty of nuance missing from what I've written here, but I fairly strongly feel it's leaning towards reality rather than liberal fantasy.
For contrast, you can imagine how this debate between a private OS developer and the government would go in a non-democratic country. Or, you don't even have to imagine, because examples are not hard to find.
But really, the point GP was trying to make (IMO) is that all western democracies are very obviously sliding towards authoritarianism. They are building tools which, even _if_ they don't abuse them now, will be available to any future government and with time, the probability of one of them being non-democratic is 1.
I believe this is the OS recommended to journalists that report on Palestine because freedom of speech doesn't apply without aggressive assertion of your rights.
> The FBI ran a sting operation in Europe where they created their own 'secure' phone and messaging platform. Their OS used portions of our code and was heavily marketed as being GrapheneOS or based on GrapheneOS.
So how do we know GrapheneOS itself isn't a honeypot? It's run by a mystery org and heavily marketed as being a secure platform.
They even have reproduceable builds so you can validate the source matches the distributed binaries. After that it's trusting in the OSS process to have caught any attempted backdoors which is more down to your individual evaluations.
Would be an interesting experiment actually: how long would it take for the community at large to discover a backdoor in graphene OS if added sneakily by generally trusted Devs, ie the org that maintains it.
Or, phrased differently, how much independent auditing is graphene OS subjected to?
France has threatened us with the same actions they took against SkyECC and Encrochat if we do not cooperate by providing law enforcement access into devices. This was published via Le Parisien in one of their articles and through French state media. They're absolutely threatening us that way.
> Interviewed, she warns that she will “not stop pursuing publishers if links are discovered with a criminal organization and they [GrapheneOS] do not cooperate with justice.”
France has threatened us with the same actions they took against SkyECC and Encrochat if we do not cooperate by providing law enforcement access into devices. The actions they took against those were mass arrests and seizure of servers. We don't have cloud infrastructure for builds/signing but regardless we don't want the French state taking over our website, etc. so we're leaving France and OVH.
This is not proven state action - this is hearsay. Maybe the GrapheneOS project should wait for the first warrant to arrive or police raid to happen before claiming what they currently do.
With the current evidence, its not ruled out that the french state is not doing anything at all.
It's not clear what they mean by that in the threats they've made in multiple places but it's clearly a threat, and they're already lying about us. Therefore, we're leaving France including leaving OVH and not hiring people in France without them relocating first. Our most sensitive infrastructure is local but we don't want a state taking over our website and network services. We don't trust France and OVH to respect rule of law and human rights at this point. It's not a safe country for open source privacy projects and French companies cannot be trusted to even host a static website without hijacking it for French law enforcement.
French law enforcement is conflating companies making products with GrapheneOS code with GrapheneOS itself. They're presenting it as if those companies are working with us and that we're responsible for their actions selling devices using our code. Most of those are using forks of GrapheneOS with features we don't have which are repeatedly incorrectly referred to as being GrapheneOS features. GrapheneOS users can read the many articles and see many references to non-existent features. They similarly refer to non-existent distribution methods and marketing which are actually about these products they're conflating with us. Since they're conflating products and actions by other people with ours, that makes their threats very concerning.
GrapheneOS doesn't even currently bundle an end-to-end encrypted messaging app as we don't have our own and leave choosing third party apps up to users. We plan to make an RCS app with MLS to replace people using Google Messages via sandboxed Google Play but that's no different than what Apple and Google are working towards providing earlier. Even if Chat Control was already the law, we don't have Signal or a similar app bundled with the OS and don't currently distribute a hardened build via our App Store despite plans for it. We do distribute the sandboxed Play Store and Accrescent via our App Store which have end-to-end encrypted messaging apps available...
Probably the former. SkyECC, Encrochat, etc, were found to be deliberately sold to nontechnical drug lords for large amounts of money - as in, the project leads went out searching for drug lords and selling phones to them individually and offered to sell them 100 phones for $200 per month per phone. Drug empires have that sort of money. And they didn't sell to anyone else since it wasn't worth it. It seems unlikely that GrapheneOS is the same way, since it's free, but you never know - maybe it is made for drug lords, and giving it away to the rest of us is just for plausible deniability.
LQDN: "Dans ces articles, la cheffe de la section cybercriminalité du parquet de Paris – à l'origine de l'arrestation de Pavel Durov – menace également les développeurs·es de GrapheneOs. Interviewée, elle prévient qu'elle ne s'« empêchera pas de poursuivre les éditeurs, si des liens sont découverts avec une organisation criminelle et qu’ils ne coopèrent pas avec la justice »."
In the (very short) linked article: No mention of arrest, server seizure or backdoor, and a more nuanced take. Loosely translated summary: Some users have a legitimate need to protect their communications. IF we find links with criminal organizations AND there is no cooperation, then we might take action. They're specifically taking the approach of a case by case hack of single phones which might cost up to a million euros. Is this an issue if there's a warrant?
This seems blown out of proportion?
reply