The drama surrounding GrapheneOS has escalated from a debate over security patches to what looks like full-blown corporate and geopolitical warfare. Following heavy scrutiny in the French press, where the OS was branded a “tool for traffickers,” the GrapheneOS team has initiated a scorched-earth response.
They are pulling their server infrastructure out of France, openly naming the competitors they believe are orchestrating a smear campaign, and threatening to ruin the exploit market for everyone by contributing directly to Android (AOSP).
In a series of posts on X (formerly Twitter), the team explicitly named Murena and iodé (the team behind iodéOS) as the likely instigators of the recent negative press in France.
“It’s very possible Murena and/or iodé are involved. Both are French companies selling products with extraordinarily poor privacy/security. Both are useful to official state plans of locally hosted services with encryption backdoors.”
GrapheneOS announced it is moving all server infrastructure hosted by OVH (a major French cloud provider) out of the country.
While the project is a Canadian non-profit, they have historically used OVH for mirrors and discussion servers. That ends now. The team cited a specific passage in the Le Parisien coverage as a “direct threat” from French law enforcement leadership (OFAC), implying that tech providers who do not provide backdoors will face legal consequences.
The team is moving services to providers in Canada, Germany (Netcup), and the US. They also stated they will no longer travel to France for conferences or hire staff located in the country, citing the French government’s support for “Chat Control” (EU mass surveillance legislation) and “authoritarian” tendencies.
I am conflicted by this story. It seems to me GrapheneOS, as well intentioned as they are, manufactures some sort of drama every 6-12 months so, there is a bit of “cried wolf” aspect to this for me but…
I also think murena & iode are bad faith actors in the privacy space and would not be surprised if these allegations are true.
Interesting, but definitely the right move for them. I was just saying it was cool they are hopping on the actual self-hosting train more
I haven’t seen much evidence of this but I also don’t pay attention to these two, so who knows. I’d take it with a pinch of salt for sure.
It’s best to just focus on the things GrapheneOS does and not pay much mind to the accusations they make. Probably worth looking into deeper sometime, but historically GOS never has the receipts to back up these claims so they’re not worth stressing over.
Yeah, after they got embarrassed by Rossman (where he did have the receipts) its been hard for me take their claims to seriously, so I think its a fair approach to recommend.
Earlier this week, we reported that GrapheneOS slammed an unnamed “small company” for spreading libel and misinformation after a failed partnership. At the time, we speculated that Murena, the company behind /e/OS, might be the company in question.
This article also at least has some of the facts wrong, because we all know here that the “small company” is NovaCustom, so I would take this reporting with a pinch of salt as well.
They don’t manufacture any “drama”. They might be a bit reactive or premature in their comms but their decision to ditch OVH and limit other exposure to France is what anyone who uses GrapheneOS would expect them to do.
GrapheneOS just threatens both law enforcement and the cottage industry of “secure,” “privacy‑focused” bottom of the barrel devices peddled to unsuspecting buyers. I wouldn’t bet on it, but it sounds plausible, and competitors do it to each other all the time.
They’re also a great source of knowledge on security, privacy, and Android, and their (repackaged) X threads drive traffic to publications like the one above at no cost, hence all the noise.
I was reading this on their Mastodon instance, and it really is an example of “separate the creator from the creation.” I use GOS, I really like they add more security and privacy features than stock Android (and are currently using patches up to March 2026), but their lashing out really leaves a sour taste for potential users. They do have some receipts for Murena and iode in a forum post, where they show that those companies faked the level of their security patches while being several months behind. There have also been a few articles that misquoted or distorted their quotes, which they also have shown the receipts for (this latest article about them being used for criminals in France is an example of this happening). Is their tone unprofessional? Absolutely. Are they the most secure and private mobile OS, that has helped countless people? Also absolutely. I’m sure this will push some people off using GOS, but if you can ignore stuff like this, there really isn’t another choice for Android users who value their security and privacy.
I love GOS, I support them wholeheartedly and I am very active on their forums and networks.
But I feel like they spend every month complaining on social media as if the whole world is against them specifically, making allegations or wanting the GOS project to fail (I don’t understand why) and overreacting (the fact that they left the French market following a smear piece written by the newspaper Le Parisien).
I don’t understand why they don’t just ignore these allegations. It gives the impression that they are always trying to justify themselves, and I think that gives them a bad image.
I love GOS, and I use it for my private phone. But I think we all agree that they should be held accountable for these kinds of attacks. They’ve attacked Techlore, from what I remember. It is not best to let it go. But I do not know the best way to proceed with this in mind.
I don’t speak French so some of the meaning may have been lost after being run through translation software, but this article didn’t really seem that bad to me? Apart from the clickbait headline I suppose. The quotes from the police are pretty questionable, but it seems clear to me that that’s the police talking and not the author. They reached out to GrapheneOS for comment and represented their side of the story decently well I thought.
I think GrapheneOS’s (valid tbf) point is that when a Ford F-150 is used in a bank heist you don’t see Ford mentioned in the headlines, or when a ring of hackers is caught and they’re using MacBooks there aren’t stories about how Apple enabled them.
If true security and privacy are your focus as a project, you get a bad rap in the media. Unfortunately it is hard to take GrapheneOS seriously on this topic because they do the same to other security/privacy projects instead of uplifting the community, but it is a serious problem in general nonetheless.
Unpopular opinion:
GrapheneOS doesn’t do good marketing, but I imagine they simply don’t care. They only aim to tell the truth and defend their principles/philosophy. Their approach isn’t always optimal and could be more constructive, but I believe they already do enough with what they do (it’s too much to additionally demand that they should be empathetic and didactic). On the other hand, I find that level of paranoia logical: no one wants to be targeted by governments or by the largest oligopoly ever to exist (the tech giants) who maintain surveillance levels we’ve never seen before.
Therefore, they are neither a company nor politicians; their goal is not profit, so they are free to say whatever they want. And this is precisely what hurts most to those who seek profit at the expense of their users’ privacy and security (sometimes even lying). I can imagine, at times, the frustration caused by seeing certain projects marketed as something they are not.
I don’t think they gave adequate proof that Murena and Iode worked to sabotage/smear their image wrt to the France government. If they did, IDK. But the tweet they posted did not provide any from the looks of the article.
Their paranoia is justified wrt to oligarchic and government surveillance. I think that’s clear as day, since we are in a digital privacy forum. We all know that our privacy is in danger to some extent. The issue is that they claimed someone is smearing them. That may or may not be true, but they go a step further to give out specifics without good justification.
If GrapheneOS only told the truth then I don’t think anyone would have a problem with them. The problem is their constant speculation, not to mention the verifiable lies they tell to “defend their principles/philosophy.”
They need to do both of those things, not only the defense part. It’s fantastic when they actually do both things, which they do all the time, just not consistently enough. When they do both things we see an outpouring of support from this community and others for their statements, so it would be a huge improvement for them if that were the case every time they wanted to get a message out
They have never blanket-talked down other security and privacy projects without backing up their claims. It’s not their job to lift all boats with their tide just because other organizations purport to have the same mission. If something has merit, they’ll endorse it. If it doesn’t, they have a habit of shining a light on the issue. Moxie blocked them for criticizing features based on SGX, but they continue to endorse Signal. Proton has backed them financially and I believe even offered legal help at one time or another, but they criticize them for relying solely on FCM for push messaging and for unresolved memory corruption bugs uncovered by their MTE implementation.
Yes, they may not offer all the receipts vis-à-vis one drama or another, but that’s beside the point.
This is pretty much my takeaway. I don’t expect GOS wastes money on PR or marketing specialists. And I don’t doubt these statements come from an honest, well intentioned place. They’re just unpolished, occasionally reactionary
Perceive an external attack against GOS, throw some words online in response, get back to coding. This process doesn’t upset me
