top | item 46037482

(no title)

HN title: "France threatens GrapheneOS with arrests / server seizure for refusing backdoors"

LQDN: "Dans ces articles, la cheffe de la section cybercriminalité du parquet de Paris – à l'origine de l'arrestation de Pavel Durov – menace également les développeurs·es de GrapheneOs. Interviewée, elle prévient qu'elle ne s'« empêchera pas de poursuivre les éditeurs, si des liens sont découverts avec une organisation criminelle et qu’ils ne coopèrent pas avec la justice »."

In the (very short) linked article: No mention of arrest, server seizure or backdoor, and a more nuanced take. Loosely translated summary: Some users have a legitimate need to protect their communications. IF we find links with criminal organizations AND there is no cooperation, then we might take action. They're specifically taking the approach of a case by case hack of single phones which might cost up to a million euros. Is this an issue if there's a warrant?

This seems blown out of proportion?

discuss

Some comments were deferred for faster rendering.

strcat|3 months ago

France has made it clear they expect to have a backdoor in end-to-end encryption apps and disk encryption. They've been saying that it's unacceptable not to have a backdoor in a bunch of these news stories they've gotten published by contacting the media. They've said if we don't cooperate with that, they'll take similar actions against us as they did SkyECC and Encrochat meaning hijacking our servers and trying to have us arrested.

Le Parisien has 2 articles about this, not only one, and https://archive.is/UrlvK is one of the places they talk about going after us if we don't cooperate with providing them access to devices. It's not possible for us to provide an update which bypasses the throttling for brute force protection so what they're asking isn't even helping them break into specific devices but helping them compromise security for everyone in anticipation of rare cases of criminals using devices. https://news.ycombinator.com/item?id=46038241 explains lack of technical ability to compromise security after the fact. Titan M2 is specifically designed with insider attack resistance so that Google making an update disabling the brute force protection won't be accepted by the secure element without the Owner user successfully unlocking first. We don't have the signing key for the Titan M2 firmware anyway. This is part of our required hardware-based security features which we're working on providing in a Pixel alternative with a major Android OEM working with us right now. We talked to them about the France situation already and it does not negatively impact our partnership. It may be a good idea to speed up an official announcement with them to counter the narrative being pushed by France's law enforcement agencies now.

cookiengineer|3 months ago

> France has made it clear they expect to have a backdoor in end-to-end encryption apps and disk encryption.

Note that "France" and "Johanna Brousse" (as the lead investigator lobbying for more agency data access) are not the same, by a couple million people.

Now's the time to get ahead of this. Communicate openly why Open Source matters, what's at stake, and try to ally with existing organizations like the EFF, IETF, Linux Foundation, CCC e.V. and others. They know how to deal with the media, and it's okay to ask for help.

Please let another person check the article from a non-technical perspective, because that's where journalists have a strategical bonus. If the blogpost/article/video/whatever contains too much technological lingo, the masses won't be able to understand it.

Wish you the best.

PS: I hope that you can see that not all people are as messed up as the kiwifarm doxxers. I've seen their "call to arms" to start new swatting attempts etc. Stay safe.

PPS: Don't engage with people that have anime avatars. Just block them. Your time is wasted trying to read or reply to them. Hate is a mind infiltration technique.

johnwayne666|3 months ago

I appreciate the answer and the work on GrapheneOS! It seems there's a lot of work going on with the QPR1 release and this French matter doesn't make things easier for the team. Good luck!

blueflow|3 months ago

Le Parisien is not the french state. I doubt you had any interaction with the french authorities at all.

You are unable to any legal recourse because none of your rights have been violated (yet).

StopDisinfo910|3 months ago

> They've said if we don't cooperate with that, they'll take similar actions against us as they did SkyECC and Encrochat meaning hijacking our servers and trying to have us arrested.

No, they haven’t.

You are letting your paranoia talk by widely amplifying the content of two newspapers articles in media affiliated with the far right.

I’m quite surprised by your reactions to be fair because both SkyECC and Encrochat were actually affiliated with organised crimes. As far as I know, GrapheneOS isn’t.

sunshine-o|3 months ago

France basically always had very good PR portraying the country as "romantic" and a champion of freedom but reality has almost always been very different.

It was very unfree in the 16th century, what led to the French revolution, which was a nightmare, then military dictatorship. The 20th century was not much better and never forget France collaborated very quickly with the third Reich. Then De Gaulle has some sort of soft military dictatorship with a secret police and a total control of the media.

Today their police is very aggressive, their justice system highly politicized. And as always a dominating bureaucracy.

The state is getting more and more aggressive as drugs and violence are rampant.

It is by far the country in Europe I had the worst interactions with the police.

There are a lot of beautiful things to see there but today I try to avoid it for business and leisure.

seec|3 months ago

When it comes to freedom, France definitely has it backwards. Now that it is in deep trouble economically, the bureaucracy is claiming for even more soft communism in a very totalitarian way. One needs to understand that the system made some people quite rich, way more than they would have been able on merit alone, thanks to the politics of bureaucracy.

Funnily enough the "far-right" is brandished as a fascist boogeyman when it would be a challenge to actually become more totalitarian.

For those reasons the "state of rights" is losing its legitimacy and criminality is on the rise unsurprisingly. When what you can expect to get out of the system becomes too disconnect from merit, it doesn't make sense to participate as a good actor.

So we now get rising commissars that tries to police speech and behavior any way they can. The police is basically a state militia that spends more time annoying mostly law-abiding citizens for minor offenses that just tow the line, in order to extract as much money out of them as possible. Meanwhile real criminals are out of control and receive laughable sentences from the corrupted justice system when they get caught. Following far-left ideals, criminals are victims that can be given more chances. One elected parliament member got caught buying drugs and basically nothing happened to him. Hard to not see some collusion.

whimsicalism|3 months ago

What is cooperation? How are they supposed to unlock the phone?

Unless you're saying 'compelled to use their private keys to publish an update' or something along those lines, in which case I would say the original headline is correct.

StopDisinfo910|3 months ago

There is no law allowing the police to do that in France so that can’t be what cooperation means.

In the case of Telegram, it was about providing meta data when subpoenaed and moderating the unencrypted part of the application.

There is little reason to believe it is about anything else here.

Edit: Happy to hear what the people downvoting actually disagree about as usual. At the moment I have read a ton of mud thrown of France here - including someone from GrapheneOS implying they won’t hire from France unless someone relocate which must one of the most hilarious take I have ever read coming from someone from North America - with very little actually substantial shared, which, to be fair, seems to be becoming the norm here.

miohtama|3 months ago

And how do you hack a single phone without a backdoor in every phone?

foxyv|3 months ago

You use the signing keys for GrapheneOS to push an update to a single user.

whynotmaybe|3 months ago

With a know bug in a product that you didn't disclosed.

https://web.archive.org/web/20221124085649/https://www.washi...

raverbashing|3 months ago

I agree

The thread linked is much more balanced than the title given

delusional|3 months ago

> This seems blown out of proportion?

Par for the course on hacker news.