The Canadian open-source organization behind the security-focused mobile operating system GrapheneOS announces it is ending all operations in France.
The background is an escalating conflict with French authorities, who according to the GrapheneOS team are spreading false accusations in the media and threatening arrests and server seizures.
GrapheneOS, a non-profit project that develops an operating system for Android phones with extra focus on privacy and security, has in recent days published a series of posts on the X platform about what they describe as a coordinated campaign by French police. According to the team, authorities have sent out internal messages to the country's police forces where all Google Pixel phones with GrapheneOS are labeled as suspicious. This has led to a wave of articles in French media, where claims that the system is used for criminal purposes are repeated without fact-checking or opportunity for GrapheneOS to respond.
"France's law enforcement are making outrageously false and unsubstantiated claims about GrapheneOS, which are being printed by both state and corporate media as facts when they're not", GrapheneOS writes in a post on X on November 23. The team emphasizes that they were not given any chance to review or respond to the accusations before publication. Instead, they have been forced into a defensive position, where they now plan to exercise their right of reply in French media.
Threats of intervention and demands for concessions
The conflict has escalated to direct threats, according to GrapheneOS. In contacts with French authorities, the team has been urged to assist with decryption of devices, something they technically cannot or will not do due to the system's design.
"They have made several quite direct threats of arrests and seizures of servers, just as they did with SkyECC and Encrochat", GrapheneOS emphasizes in an update on November 25. The reference refers to previous cases where French authorities intervened against encrypted communication networks.
The authorities are in practice demanding that GrapheneOS stop distributing functioning disk encryption, otherwise the project risks legal action. This is likened to the famous dispute between Apple and FBI in the United States, but with a twist: Google's hardware in Pixel phones is designed to resist such demands, and GrapheneOS builds further on that security. "They don't demand the same thing from Google for standard Pixel despite nearly identical encryption, because they are much less secure and can be exploited in advance". the team explains.
GrapheneOS emphasizes that their work is legal in countries like Canada, Germany, the United States, and the Netherlands. France, however, is pushing for laws that force backdoors in encryption, a policy that has not yet been implemented but which police are acting as if it already applies.
Dismantling of infrastructure and future plans
In response to the threats, GrapheneOS has initiated a rapid withdrawal of its presence in France. They are leaving the server provider OVH, a French company, and migrating their 15 servers – spread across Canada, Singapore, Germany, and the United States – to alternative locations.
"We are leaving France as a server location and OVH as a provider before they do anything", they announce in a post on Tuesday. Already now, ten servers have been replaced, including those used for standard updates. The remaining five, which handle email, forums, and other services in Beauharnois, Canada, are planned to be moved to colocation servers in Toronto.
For European users, GrapheneOS promises maintained performance through servers in Switzerland, Luxembourg, and the Netherlands – countries that do not support the EU's controversial "Chat Control" proposal on mass surveillance. "We can offer low latency and high throughput to users in France without servers there", the team assures. They also intend to avoid travel to France, including conferences, and discourage employees from working from the country.
The incident raises questions about the EU's future for open-source projects within privacy. GrapheneOS, which is financed through donations and sponsors, has built its reputation on open source and robust protections against exploits (security vulnerabilities that can be exploited). Now they see France as an "unsafe place for open-source privacy projects."
A spokesperson for the French Ministry of the Interior has not commented on the accusations, but previous statements from the government point to a harder line against encryption in the fight against organized crime.
Swedish company continues to invest in GrapheneOS despite conflict
In the midst of the ongoing conflict, the Swedish technology company Teuton Systems shows continued confidence in GrapheneOS. The company works exclusively with the system in its privacy-secure mobile phone, the Matrix phone, which is one of the first such products on the Nordic market. Teuton Systems emphasizes that the installation of GrapheneOS occurs only via the official source and with open-source tools like Aurora Store and F-Droid, to ensure transparency and maximum privacy without dependence on Google services.
The Matrix phone, based on Google Pixel phone hardware, is delivered with GrapheneOS pre-installed and prepared secure apps for everyday tasks. The product offers advanced features such as granular control over app permissions, sensor blocking, and automatic security updates. "GrapheneOS gives users full control over their data in a time of increasing surveillance, without compromising user-friendliness", Teuton Systems emphasizes on its website.
The company, which focuses on Nordic users, underscores the system's independent review and absence of backdoors, making it a reliable choice for privacy-conscious users.
