GrapheneOS, one of the most respected security-focused mobile operating systems in the Android world, has decided to sever ties with France. The project announces it will cease operations in the country and migrate the small portion of its infrastructure hosted there after a French report linked it to alleged “spy phones” capable of remotely wiping devices.
For the tech community, this case is more than just a one-off controversy: it raises questions about how secure open-source projects focused on privacy truly are within certain European jurisdictions.
From the report to “fearmongering”
It all begins with a French news article, which, according to the GrapheneOS team, blurs the lines by mixing closed products from European companies with the operating system they develop. In a public response, the project openly describes this as “alarmism” and “unfounded and demonstrably false claims.”
The article supposedly described phones with GrapheneOS that allow, among other things:
- running a Snapchat-like app capable of wiping the device,
- remote control of the device,
- or managing subscription licenses directly from the system.
GrapheneOS denies this description point by point. They emphasize that the system does not include any remote management functions, nor remote wipe mechanisms, nor a licensing or payment model within the firmware itself. Any commercial product incorporating such capabilities would be an independent development, even if it reuses portions of GrapheneOS code.
Additionally, the project claims that it was not given a fair chance to respond within the report, despite being the main subject mentioned.
What is (and isn’t) GrapheneOS
From a technical perspective, GrapheneOS is a fork of the Android Open Source Project (AOSP) that focuses on hardening the system: protected memory, advanced exploit mitigations, stricter permissions, and a reduced attack surface. It is designed to run officially on Google Pixel devices, which users can flash following a public guide.
The project:
- does not sell phones,
- does not provide cloud backup services,
- and does not store sensitive user data.
Its role is to develop and publish verified images of the operating system. From there, anyone can buy compatible phones, install GrapheneOS, and resell them—something several European privacy-focused vendors have been doing for years. The team insists it has no commercial relationship or direct income from these sales.
This leads to a key nuance for understanding the conflict:
In the open-source world, reusing code does not make a product “official”, nor does it make the original project responsible for decisions made by private companies. Just as Android uses the Linux kernel without Linus Torvalds being accountable for everything Google does, a fork based partly on GrapheneOS is, in practice, a different system altogether.
An open project amidst the security battle
The developers also point out that most of the code used by these systems isn’t theirs: it comes from AOSP, Linux kernel, Chromium, LLVM, and other widely used projects. GrapheneOS contributes only a small but critical part: additional security layers that make exploiting vulnerabilities more difficult.
Both Android and iOS aim to protect users from similar attack vectors. The difference is that GrapheneOS goes further in system hardening and publishes this work as open source. They contend that this has also limited some state actors’ ability to exploit flaws in certain Android devices that do not run their system.
In a public post on social media, the project provides a concrete example of how one of its mitigations complicates the work of persistent exploit providers. They believe this is the true reason behind the discomfort of certain agencies: not the existence of private phones, but the reduction of attack surfaces.
Goodbye France: OVH shutdown and event bans
The consequences of the controversy aren’t just statements. GrapheneOS announces it will end its limited operations linked to France and will move services out of OVH’s infrastructure.
In practice, the plan involves:
- migrating the main website and discussion server to other data centers,
- moving forums, Matrix instances, Mastodon, and other services from an OVH data center in Beauharnois (Canada) to local servers or hosted in Toronto,
- and relying on other European providers, like Netcup (owned by German company Anexia), for parts of its network services.
The team emphasizes that their servers do not host sensitive user data but rather distribution infrastructure (updates, authoritative DNS) and community spaces. Still, the message is clear: they no longer consider France a safe place to operate.
The move also carries a symbolic element: the project will prevent its members from traveling to France— including tech conferences—and will ensure no contribution to development occurs from French territory.
Chat Control and distrust of certain EU states
This French case fits into a broader context: the European debate on encryption and communication scanning. GrapheneOS cites the so-called “Chat Control,” an initiative aiming to force services to analyze private messages for illegal content. Various digital rights groups see it as a direct attack on end-to-end encryption.
The project uses a simple criterion for choosing where to operate: avoid countries supporting such measures. France, in their view, crosses that line. Coupled with the political climate, regulatory pressure, and reports linking privacy to crime, they conclude that leaving France is the best option.
A warning for Europe’s privacy ecosystem
For technically inclined readers, the clash between GrapheneOS and France raises an uncomfortable question: what message do other security and encryption projects receive when deploying infrastructure in the European Union?
If independent initiatives perceive that operating in certain countries can lead to public accusations, legal pressure, or targeted misinformation, their logical reaction will be to migrate servers and staff to jurisdictions perceived as safer.
In an era where the EU advocates for “digital sovereignty” and technological independence from large platforms and outside powers, losing to privacy projects would be a hard contradiction to justify.
For now, GrapheneOS will continue evolving from other countries. But the break with France clearly shows that the fight for security and privacy isn’t only about code: it also involves legal frameworks, media narratives, and public perception of who genuinely protects the user.
Frequently Asked Questions
Is it still safe to use GrapheneOS in Europe after this conflict with France?
Yes. The project continues distributing its official images and publishing cryptographically signed updates. The decision affects where they host their servers and where their collaborators operate, not the technical security of the OS itself.
How is GrapheneOS officially installed on a Pixel device?
The only recommended method is using the installation tools available on their official website and the images published there. Any other method or firmware offered by third parties could be a fork or an unverified variant.
What liability does GrapheneOS have for phones sold by European companies with their system?
Legally and technically, those companies sell their own products that incorporate open-source code from multiple projects, including GrapheneOS. The GrapheneOS team does not participate in designing those devices, does not earn revenue from their sales, and does not control any additional functionalities they include.
Why do some states distrust projects like GrapheneOS?
Because system hardening and strong encryption make it harder for cybercriminals and certain mass surveillance methods to succeed. When a project limits the effectiveness of exploits or backdoors, it becomes an unwelcome actor for those relying on these techniques, even if their publicly stated goal is to improve user security.
via: opensecurity