France threatens GrapheneOS with arrests / server seizure for refusing backdoors - https://news.ycombinator.com/item?id=46035977 - Nov 2025 (244 comments)
Recent and related:
France is taking state actions against GrapheneOS? - https://news.ycombinator.com/item?id=45999024 - Nov 2025 (108 comments)
First, it sends a message of inexperience in business, negotiation, and conflict resolution: 'I'm going to take my ball and leave' - it looks like an emotional overreaction without strategic thinking. These days you sometimes see powerful parties making similar threats - e.g., Uber threatening to leave certain markets. But those people have significant power and their tactic is really to demonstrate that in order to shift their negotiating position; usually they don't actually decamp, and GrapheneOS has relatively little power so that tactic doesn't apply.
As importantly, it sends the message that GrapheneOS can be pushed around and manipulated: A slight hint of a threat and they flee. Others will take note, and many will think the same of other FOSS projects, large and small - they are easily intimidated and dismissed.
Another reason people don't use these tactics is that they have other important interests besides the one under immediate threat. A requirement of anyone with significant investments that can't be easily abandoned - which is everyone doing anything of value - is to navigate in a way that upholds all those interests. You don't burn down the house to kill a rat. It can be hard and requires careful, deliberate thought and strategy.
One unmentioned interest that might appeal to GrapheneOS's leadership is the freedoms of people in France to create FOSS, and to individual privacy and security.
GrapheneOS is an open source project. They hand out great software for free. They have no obligations to do this. And they certainly have no obligation to try to "negotiate" with obviously hostile governments. They have nothing to gain from this.
> You don't burn down the house to kill a rat.
I don't see how this analogy applies here. France is the house.
If you do want to talk about obligations - yes, we all have obligations to our communities, societies, etc., whether we like it or not, whether we deny it or not. GrapheneOS has obligations to the open source community, to freedom, to their users and developers, etc. Defining those obligations is very difficult and I won't try, but if none of us have those obligations then who does? There's nobody else coming to the rescue, there is no authority that will take care of it for you (like parents caring for irresponsible children) - it's just you and me.
I am skeptical that there is any lesser step that they can take consistent with their goal of an uncompromised OS. Or that France would be satisfied with anything less than access. Security is not a side feature of GrapheneOS that they can compromise on, it's their core mission. It's like telling Frodo to see the sights in Mordor, but stay away from Mount Doom.
I get that people are outraged, etc. but it's actually damaging the cause. GOS looks like an unreliable partner.
Putting their project or contributors at risk does not serve their goals. You seem to be expecting a lot from a bunch of volunteer contributors.
And moving your servers out of jurisdictions that threaten them is not hyper-escalation; that's just being responsible.
That is a (minor) upside, imho.
Somehow I doubt France thinks they "won". What they wanted was a back door into the OS. Not only did they not get that but they lost what little bargaining power they had when gOS left France.
> it sends a message of inexperience in business, negotiation
You don't negotiate with terrorists. Obviously France isn't a terror organization but the point is the same: you don't play their game. You play your own.
Leaving the country is exactly that.
It's just a few cops who said "I don't like that we can't crack it", and a journalist who asked the prosecutor who got Durov arrested and she said "well sure if they break the law we could sue them".
The only party that is getting hurt about this whole thing is their French hosting company, OVH, who tried to calm down the situation and talk to explain him that they can still safely use OVH.
There is absolutely nothing pointing to France wanting a backdoor in GOS. The only thing we have is one prosecutor quoted in a far right journal saying she wouldn’t hesitate to charge them if they are linked to organised crimes and refuse to cooperate.
When France wants a backdoor in an open source project, they do it like every modern country with an intelligence service, sneakily.
They don't make GrapheneOS unavailable to French users, they just change "cloud provider".
There is no negotiation or conflict resolution there: they don't feel safe using a French provider, so they move to a non-French provider, period.
> didn't even compromise even a bit (negotiation is already a compromise) against a country who is notorious for advocating for privacy-invasive policies in recent years
> get lectured by yc high-horse rider on the obligation blah blah, even when by and large this move doesn't materially affect the end-users in any substantial way
I used 4chan style because most of the times 4chan commenters have more sense than yc these days. Many people here do live in glass houses.
When asked for details, he gets defensive and accusatory, then creates multiple sockpuppet accounts to argue the same points over and over.
There was a post on the GrapheneOS forums a while back, from Micay, claiming that a well-known YouTuber who had backtracked on recommending GrapheneOS (because of Micay's behavior, according to the YouTuber) had probably actually backtracked because the YouTuber was financially involved with a competing project. My initial reaction to the post was, "Oh, I guess this is that paranoia I've heard about with Micay." My thought was reenforced when it was further claimed, in that thread, that the YouTuber was active in a forum well known for online bullying of people they don't like. The whole thing definitely sounded paranoid.
In the thread, though, there was in fact linked paperwork where the YouTuber had registered the company in question, and also links to a verified account on the forums in question (using the YouTuber's real name).
So, yeah, just because you're paranoid, doesn't mean they're not out to get you.
And I also believe that he's actually been personally targeted for harassment, from multiple directions, over the years.
So he's learned and earned some... vigilance.
And overall, I suspect that GrapheneOS is much better for the vigilant mindset.
I donated money partly with this in mind.
I don't know whether the project has a PR expert working with them already, but if not, that would be a nice pairing with the very smart and vigilant people on the team.
But on the other hand, I have read a lot of "drama" between e.g. /e/OS and GrapheneOS, and more often than not, it looked like GrapheneOS was criticising actual limitations of /e/OS and /e/OS (a mix of the community and official comms) seemed to be the one being unfair.
GrapheneOS generally is pretty direct at saying stuff like "their approach is strictly less secure" or "they are often worse than Stock Android", and I understand that this is not good publicity for Murena. But I am yet to see one of these claims to be wrong: all I can say is that the tone is very direct and could offend the /e/OS people, even if the claims are true.
On the other hand, instead of just acknowledging and trying to explain why /e/OS may be a good choice (e.g. if you happen to own a phone that is not a Pixel and that is well supported by /e/OS), I have seen actually wrong claims from /e/OS against GrapheneOS (sometimes downright technically wrong about security/privacy). And while GrapheneOS is quite exemplary with their support (if your phone is supported, then it's best in class), I have run /e/OS on a couple of phones and I have seen by myself that some of the security updates were 3 years old while the Stock Android was actually up-to-date.
So yeah... I get that it's a sensitive topic, but I feel like there is more a long history of people accusing GrapheneOS of accusing people, and I'm not anymore convinced that this is actually true.
But it's been very quiet since he stepped down and I have more confidence in grapheneos now.
Multiple accounts have said the same thing in this thread, and I'll be honest here: given the Jia Tan situation, it could be true (in the way that he's being pushed by external forces). It could it be character assassination... Or it could be totally valid: idk.
But what I do know is that nobody is providing any citations.
I also know that progress depends on the tyranny of unreasonable people.
Yes, the intense idealism of the brainwashed and oblivious prompted the realistic Graphene creators to do something themselves instead of waiting for other realistic folks who happen to be few and far between.
Have you not seen what happened to Telegram CEO?
No matter your feelings about the creator, I think this was entirely the rational choice.
France is pro-Chat Control. For about a year now there's been an anti-drug trafficking fervor among legislators and government, in which they've pushed for encryption backdoors (separate from Chat Control at the EU level) and recently threatened GrapheneOS. The country is politically unstable so future politics are hard to predict, but anti-encryption politicians stand a good chance of winning the next election. Any rational project would move out.
I disagree about them essentially spreading misinformation about what actually happened. One prosecutor, that probably doesn't even know what GrapheneOS is, making boisterous claims to the press, is not the same as being contacted by the state about adding a backdoors.
Interviewed cop says they'll go after them if they don't cooperate, which would mean a) requesting assistance to law enforcement via means such as backdoors and server seizures and b) resulting in legal steps against the organization and its members by France. Who in their right mind wouldn't take this a threat? After Wikileaks, the Telegram CEO, pushes for chat control and other authoritarian techniques?
Sure, the cop might be a nobody in the grand scheme of things but they're representing a government agency publicly so they're probably not babbling out nonsense in a bar somewhere, being overheard by a reporter.
Yes. Yes they did.
Doubly funny as you seem to be implying Telegram has worthwhile encryption to start with.
In any case, the back door may be more of a Room 641A arrangement where all messages are intercepted by the host government, saving them the trouble of installing sockpuppet accounts in all the chatrooms they want to keep an eye on
between Durov and Sir Tim Berners-Lee?
You guys hurt your argument so much by straight up lying so you can feel self righteous anger over it
Especially since I guess they do not have the same kind of money and influence to fight it back.
If the GrapheneOS maintainers were being advised by a lawyer, they'd surely know that if French Authorities wanted them arrested and they were standing on a street corner in Stockholm, they could just as easily be picked up by police as if they were in a café in Paris. Making the whole France travel ban just a load of theatrics.
You're contradicting yourself. If "they haven't thought this through" they clearly haven't been paranoid enough but in that case they aren't overreacting, they're under-reacting. They need to transfer development out of the EU, not just out of France. That's one unexpected benefit of Brexit, btw.
I suspect they'd get told to calm down while the lawyer sends a letter to the authorities explaining what they're currently attempting to articulate via social media.
The lead developer seems to have a history of this style of communication in response to any minor critique of himself or GrapheneOS.
There is no contradiction between "being paranoid" and "not being rational".
Oh my mistake, you intentionally put "benefit" and "Brexit" in the same sentence; yes, there's absolutely a contradiction there, well done lad.
My comment wasn't an endorsement of Brexit, UK or EU. I was only thinking that if a quick change to a nearby jurisdiction was needed, the UK would be a place to consider, at least in the short term.
The UK doesn't even pretend the laws are for "child safety" they call it what it is - "snoopers charter".
Source?
Every few months a bad proposal comes out of somewhere in EU. The details of this case don’t matter, the tendency is big government control.
https://www.eff.org/deeplinks/2025/07/canadas-bill-c-2-opens...
Again, that requires a simple parliament majority and courts aren't allowed to really do anything about a law once that clause is invoked. That makes for one of the worst places to be in for something like grapheneOS in the long term. You're just a single election away from a PM like Legault deciding that encryption is against "Canadian values" or something.
(They wouldn't even need that to restrict encryption, but it still makes us unique in the west since it's just a "routine" clause that can be invoked to suspend almost every possible legal challenge against a law outside of any emergency situation or extraordinary circumstance, and is used almost on a yearly basis nowadays )
It is not unique in the West, or even specifically in those parts of the West that share the same head of state as Canada; in fact, Britain itself has a more extreme form of it given Parliamentary sovereignty.
But I agree that parliamentary sovereignty is an even bigger can of worms.
- Energy prices -> nope
- Science and technology -> not anymore plus the brain drain is accelerating
- Business environment and competitive taxes -> nope
Europe still had good living environment, safety, fair privacy and rule of law. But western Europe seems to be dedicated to destroy this too. In the meanwhile a lot of countries elsewhere are progressing rapidly in those domains.
Has any government agency or representative in France said anything else? Taken any actions? Contacted GOS directly?
Bender•2mo ago
anonymousiam•2mo ago
immibis•2mo ago
hacker_homie•2mo ago
The real issue is that the public wants a right to digital privacy.
The state would not like you to have that because they are lazy and want to be able to look at your messages.
Because they have convinced themselves that messages are a crime.
This is a political problem not a technical one.
ranger_danger•2mo ago
Legitimate question, is there any concrete evidence that the majority of the public actually does want this?
whatshisface•2mo ago
80% are concerned.
9dev•2mo ago
goku12•2mo ago
9dev•2mo ago
9dev•2mo ago
serial_dev•2mo ago
doubled112•2mo ago
blitzar•2mo ago
wakawaka28•2mo ago
Telaneo•2mo ago
9dev•2mo ago
It reminds me of Jamie Oliver (I think it was him) showing a group of pupils how Chicken Nuggets are made, in all its brutality; afterwards, when asking them if they would like to eat some nuggets now, guess what they said? "Yeeeeees!"
izacus•2mo ago
OuterVale•2mo ago
bfg_9k•2mo ago
port11•2mo ago
Privacy is a nebulous term, but what does it enable? The right to be yourself, to expose what you want, to take back mistakes, to keep for yourself somethings that you don't want to share.
Privacy is therefore the right to be yourself. You do have something to hide, you don't want everyone knowing your deepest thoughts, aspirations, all of your past mistakes, etc.
But instead we always explain it in ways that people don't connect with.
ranger_danger•2mo ago
How does privacy enable one to "not know your deepest thoughts" if you're aren't giving that information out in the first place?
xethos•2mo ago
I think you're right. I'm not hopeful the general population will change and suddenly say "E2EE matters, dammit!". Because the small scale consequences are boiling the frog, and the major ones "could never happen to me".
I'm sure we've all seen the Google account that got nuked [0, 1], but pointing that out to people is likely to garner responses ranging from "But I need Google for $thing" to "I don't have kids, so I'm fine". We unfortunately don't have any medium-scale fallout - just ghost stories of one guy, one time, being bitten.
[0] Costing the guy his phone number, photos, emails, contacts, any paid apps, documents in Google Drive, and presumably associating his credit card, address, and name with a banned account. Given how Google relies on automation for flagging and harassing accounts, I'd expect his troubles aren't over just yet should he make a new Google account.
[1] https://www.theverge.com/2022/8/21/23315513/google-photos-cs...
port11•2mo ago
Privacy-preserving options are also often not as easy/convenient/friendly to use.
People, perhaps, don't care. But that's a cynical assumption. They supposedly don't care about the environment and yet we're moving the needle on that.
xethos•2mo ago
Actually, good call, and nice analogy, thank you. That's a nice reminder that when cause and effect are far apart, it's easy for people to not conenct the dots; it actually makes for a nice explanation, and helps me be less cynical about it.
port11•2mo ago
And to your last point, plenty of people were shocked Google Chrome incognito wasn't really a private experience, or don't know that what they type into an LLM prompt gets collected, etc. People do give these out in the first place.
ranger_danger•2mo ago
port11•2mo ago
hacker_homie•2mo ago
The personalized ad economy is the most obvious and personally impacting symptom of this legislative failure.
immibis•2mo ago
undeveloper•2mo ago
That said, there are many forks of the projects DMCA'd still floating around.
immibis•2mo ago
undeveloper•2mo ago
zamadatix•2mo ago
The deeper problem for the Switch emulators was letting their personal life be linked to it so Nintendo could seek legal pressure against them directly.
immibis•2mo ago
zamadatix•2mo ago
It's the same thing as the original comment except in reverse. The only downside is you may lose the popular/easy distribution method if it gets taken down. The alternative is to just declare it lost day 1 though, so there is only a gain to be made in leeching a hosting site like GitHub while you can.
gruez•2mo ago
vbezhenar•2mo ago
Is it? Why not graphene-os.org? Why not graphene.org? Why not grapheneos.com? Why not grapheneos.io? How do you validate it, really?
Also who REALLY controls that domain in the end? Someone with access to `.org` nameservers. Do you trust that person? What's their name?
fragmede•2mo ago
vbezhenar•2mo ago
gruez•2mo ago
Same way you trust/verify that you got Tor Browser from the right domain, and the organization behind it hasn't backdoored it (didn't the tor project recieve government funding?).
1vuio0pswjnm7•2mo ago
https://allaboutcookies.org/ad-blocker-adoption
"Majority of Americans now use ad blockers"
https://www.theregister.com/2024/03/27/america_ad_blocker/
Was there "concrete evidence" that "the majority of Europeans wanted" the rights granted to them under the GDPR
If we examine each of the rights that the public possesses, perhaps many of them would be unfamiliar or unknown to a majority of the public
Is it reasonable to imply that for each and every one of those rights there is "concrete evidence" that "a majority of the public" wants them, even when they are not familiar with them or do not know of their existence