Press communication in France about GrapheneOS

dc32f0cfe84def651e0e

fid03 Also Holland.

https://discuss.grapheneos.org/d/7658-potential-appearances-of-grapheneos-in-mobile-forensic-reports/41

jasejok

If you've read how law enforcement "deals" with privacy-focused projects over the years (specifically sky, encro, phantom, etc.) you'd know that they first start with a request to collaborate, then press and threaten. And it's not just one country doing it, it's done in collaboration - uk, france, netherlands, canada, usa, australia.

What's the most concerning to me is the possibility to infiltrate the project from within, as has happened with a lot of projects that were "not convenient" for the governement.
I think graphene leadership owes it to the community to explain how they are ensuring that they won't be compromised from an insider if pressed (imagine being a developer and law enforcement is threatening you with jail time if you don't collaborate).

And I disagree with the argument that sky, encro and such were designed to spy. They were not spying, until law enforcement infiltrated the project and pushed spyware to users. Anom is a different story as it was originally designed with a spyware. Open source helps in the case of GrapheneOS to identify a spyware being pushed, but considering there are so many updates and changes in the code on a daily basis, it's not reasonable to expect for a spyware to be identified fast enough before it may be too late.

Maketrades

de0u Each GrapheneOS device contains the public half of the GrapheneOS release signing key, and uses that to check that each OS release is signed by the private half of the key. If somebody corrupts a GrapheneOS update server and installs an update that is not signed by that key, GrapheneOS devices will download the update and delete it when the signature check fails.

Thanks that's already a bit less concerning but what about this?

jasejok What's the most concerning to me is the possibility to infiltrate the project from within, as has happened with a lot of projects that were "not convenient" for the governement.
I think graphene leadership owes it to the community to explain how they are ensuring that they won't be compromised from an insider if pressed (imagine being a developer and law enforcement is threatening you with jail time if you don't collaborate).

Asswell a legit question he or she actually took the words out of my brains.

de0u

jasejok Maketrades What's the most concerning to me is the possibility to infiltrate the project from within, as has happened with a lot of projects that were "not convenient" for the governement.

A lot of projects? Is a list available?

The same question applies to Google, Apple, also any other security/privacy project: how can one know for sure that nobody is compromised, ever?

de0u

jasejok Maketrades I think graphene leadership owes it to the community to explain how they are ensuring that they won't be compromised from an insider if pressed (imagine being a developer and law enforcement is threatening you with jail time if you don't collaborate).

I am curious as to what forms of assurance might be deemed credible. "I promise that if I am threatened with execution if I reveal that I was forced to ship a back door I will reveal it anyway"? Would that be believed? If not, what would be?
I do not speak for the GrapheneOS project, but I don't see what they "owe" to whom. Is it possible to explain what obligation was incurred, and how?
https://discuss.grapheneos.org/d/18927-on-open-source-and-complaining-to-the-manager

Maketrades

fid03 What action has the Norwegian state taken against GrapheneOS? It's the first I've heard Norway being mentioned on this topic. Also Holland.

I didn't mention a state! I was referring to the negative attention GOS got in that countries regarding the use of criminals mostly giving by police and people in politics to news outlets and media..

fid03 Has any evidence for this statement been presented?

Anybody who has a bit of insight in court cases and police files or just observe the crime news in Europe will see and or hear that almost all the serious organized crime related arrests grapheneos devices are involved accompanied with complains from law enforcement that they unable to get access to the information inside the phone..

I am not here to make a bad and bold statement about the users of grapheneos, me myself I am a satisfied user for many years who has nothing to do with crime by mean of doing it but it isn't that much of a surprise for me that they are going against the project simply because of the things above.. That said I think the majority of the users have nothing to do with crime or misbehavior but that is not the way how law enforcement and politics look at it.. Fact is that all over the globe they fighting there battles against privacy and or security and trying to have a full control over our lives and that's why they also go against GOS and this fact of most criminals who use the system is just in there eyes legit reason for them to attack it one way of the other.

I don't have any technical background but the likelihood they will try everything in there power legal or illegal to find a way is 100%!! Does the server location play a part? Why not keeping servers or any infrastructure in French if it is impossible? Is the Signature Verification impossible to tamper with for them to be able to update malware on a update to have route access on devices? Again people underestimate the weight GOS gives at obstruction investigations and more prosecution of drugs related crimes. I thing I have said enough right now. I hope to get some serious answers instead of bashing other peoples concerns

That said I still didn't got any serious response of the likelihood they be able to get any malware or any insight in the users phone by attacking the servers 1 way or the other!!

Maketrades

I saw this statement on the net...

For European users, GrapheneOS promises maintained performance through servers in Switzerland, Luxembourg, and the Netherlands – countries that do not support the EU's controversial "Chat Control"

I wouldn't be that sure about the Netherlands because there is where it all started with ennetcom sky ecc and encrochat!! Dutch law enforcement had the leading role in all this action against them seen in all the documentation exposing the lies that it was french. They are the ones with the most skills and the most ignorance to heat up the conversations behind the scenes to find a way to attack.. ONE WAY OR THE OTHER!

Maketrades

Letts add something positive!!

https://www.cryptotimes.io/2025/07/08/vitalik-buterin-embraces-grapheneos-what-is-it-and-why-its-trending/

simplenot

Maketrades I guess even bad press is good press :)
This will definitely make GOS more visible.

Eirikr70

simplenot That was my first feeling, but it also presents drawbacks!

de0u

Maketrades I have a question regarding the functionality of the servers.. How big or how small is the chance that they be able to attack the servers of GOS to add or to modify something to add on a update pushed from the server like they did in the case of encrochat?

Each GrapheneOS device contains the public half of the GrapheneOS release signing key, and uses that to check that each OS release is signed by the private half of the key. If somebody corrupts a GrapheneOS update server and installs an update that is not signed by that key, GrapheneOS devices will download the update and delete it when the signature check fails.

Eirikr70

Xtreix Thanks for your good job about the Wikipedia page. I am in the process of revising it and there is one aspect I would like to share. While introducing the history of the GrapheneOS, you enter in very technical details with concepts that the lay-person I am doesn't understand (Malloc, Bionic libc library, PaX kernel). As much as I understand the interest of giving technical precisions, I think it makes the article harder to read for the non-techie, which would - to my eyes - be a pity because any user can benefit from GrapheneOS even though you can't enter into these details. So I think that tayloring the paragraph to a more common public would be useful. I might help if you explain to me what are the benefits of these technical choices of course.

Xtreix

Eirikr70 This is the source comes from the official GOS website translated into French. I can see if it is possible to provide external links for technical terms such as hardened_malloc, which is a hardened replacement for glibc's malloc.

I see that improvements have been made. I think the screenshots should also be replaced with more recent ones. Thank you for your feedback and contribution.

Blank

GrapheneOS Hello, I juste want to clarify something. Since GrapheneOs won't operate in France anymore, does it mean that French people won't be able to use GrapheneOs anymore ? What about people who already has grapheneOs installed ?

M_2_Sade

__Blank__ you will be able to use graphene juste fine

Eirikr70

__Blank__ No, it doesn't change anything for the French residents. "GrapheneOS not operating in France anymore" means that they will operate with infrastructure abroad and not depending from French companies. Unless contradicted.

Blank

M_2_Sade thanks

Blank

Eirikr70 okay fine ! Thanks a lot... I was really worried.
I sincerely regret that France is likely to turn into a dictatorship hiding its true intentions behind lies...

Maketrades

de0u

de0u A lot of projects? Is a list available?

Did you read the last 10-15 messages of this topic or you just come in here bashing people who having a serious question and point out there concerns here? They been mentioned a couple times here above!!

de0u I do not speak for the GrapheneOS project, but I don't see what they "owe" to whom. Is it possible to explain what obligation was incurred, and how?

They don't owe nothing to nobady!!

The thing what bother me the most is that everybody here on the forum who has a bit of technical know how or at least Lett it appears they have by jumping on all kind of topics with answers and solutions when it comes to this kind of questions stay quite or start attacking or bashing the once with the concerns. I am not here to get in endless discussions just asked a serious question and also explained why they concern. Peace out!!

de0u

de0u A lot of projects? Is a list available?

Maketrades Did you read the last 10-15 messages of this topic or you just come in here bashing people who having a serious question and point out there concerns here? They been mentioned a couple times here above!!

I'd prefer to avoid jumping to conclusions. By "a lot of projects", do you mean:

Wikipedia has a list of projects "similar" to EncroChat. I wouldn't want to put words into other people's mouths, but if that is similar to what is meant by "a lot of projects", to my eyes that list looks like businesses (not open-source free software), and businesses that were focused on proprietary messaging apps. That seems potentially different from an open-source operating system that doesn't ship with a proprietary messaging app. We'll see what plays out, I guess.

jasejok

de0u

The assurance can come first from acknowledging the seriousness of the threat, and explaining what sort of measures are taken to mitigate the risk. Sounds pretty normal to me, considering there is a threat looming that threatens the integrity of the product.

The grapheneos is a community project. It is as successful as is to a big part because of the effort of the community. People are spending resources to help the project (money, time, promotion, etc.). There has to be some level of obligation towards the community, no?

de0u

jasejok The assurance can come first from acknowledging the seriousness of the threat, and explaining what sort of measures are taken to mitigate the risk. Sounds pretty normal to me, considering there is a threat looming that threatens the integrity of the product.

I think I'm aware of one case of a project describing a specific measure for mitigating "insider attack": Google built a very specific "insider attack resistance" measure into the firmware-upgrade path. That measure is inherently deployed on GrapheneOS devices. I am not personally aware of Google, Apple, etc., documenting what measures they take against government coercion of individual developers.

But, again, it's also -- honestly -- not clear what assurances people would find credible. It's difficult for me to imagine anything that the GrapheneOS team could say that wouldn't cause people to respond with things like:

Maybe you're being paid to say that,
Maybe you say that now, but what about when you're threatened with jail,
etc.

Perhaps it might make sense for concerned individuals to join together to hire independent auditors?

Eirikr70

Xtreix This is the source comes from the official GOS website translated into French.

Oops, my bad!

« Previous Page Next Page »