There is a French language article referenced in their post. Here is a translation:
The new method traffickers are using to communicate out of reach of law enforcement: the Google Pixel phone and the GrapheneOS operating system. That is the confidential information that judicial police shared with all other services on November 7. The anti-cybercrime office describes this new method being adopted by criminals, particularly drug traffickers. “In my cases, none of these devices has ever been successfully opened by the police,” says a lawyer who specializes in such matters.
A few months ago, while searching the suspected leader of the sprawling Île-de-France trafficking network known as Omar, investigators from the narcotics brigade seized a Google Pixel phone. The moment police IT specialists tried to extract data from it, the device mysteriously reset itself. The Paris judge handling the case will therefore have to proceed without the phone’s contents in the investigation against Bilel.
This suspected 27-year-old trafficker is believed to have run a drug-delivery phone platform which, between 2023 and 2024 in Paris, generated two million euros in revenue and allegedly caused three overdose deaths during chemsex parties.
Encrypted messaging apps such as WhatsApp or Telegram, and even dedicated encrypted phones, no longer pose a challenge for investigators. For years now, police have been able to break into phones and computers even when suspects refuse to give up their access codes. Criminals have previously used other technical solutions as well. EncroChat, an encrypted phone platform, and SkyECC, an encrypted messaging service, are the most notable examples. The former was hacked by French cyber-gendarmerie, and the latter by Belgian police. The data obtained led to the arrest of countless criminals worldwide, including hitmen and international traffickers.
GrapheneOS, on the other hand, is “an alternative mobile operating system running on the Android ecosystem and developed specifically to enhance the security of personal data stored on mobile phones,” explains an analyst from the judicial police. It promises users the highest level of privacy and protection against intrusions and violations of personal data currently available. The software is free and designed to run exclusively on Google Pixel phones. These devices incorporate a hardware security chip that protects communications by encrypting them.
“Initially presented as a legitimate solution meant to protect citizens from intrusions into their mobile phones—especially journalists, researchers, or activists—GrapheneOS has gradually spread to users seeking above all to avoid any form of data collection or analysis by authorities, including in a judicial context,” the police add.
One distinctive feature of GrapheneOS: you can get it both on the darknet and on mainstream websites. Police have also detected specialized forums, darknet chat rooms, and unlisted YouTube channels that promote it.
“When this system is present on a mobile phone, it is a clear indicator of technical sophistication and an intent to conceal,” adds one officer. The software can erase all data on the phone by displaying, for example, a fake Snapchat screen when a cyber-investigator tries to access its memory or decrypt it.
“We don’t sell anything; we have neither clients nor users,” representatives of GrapheneOS told Le Parisien–Aujourd’hui en France. “People can download our operating system for free onto their Pixel phones and use it. Our security and privacy work is highly appreciated by security professionals, and is regularly recommended and used by human-rights activists, journalists, and lawyers.”
The organization, which is not a company but a foundation, emphasizes that its solution is used by ordinary people who dislike how most apps and operating systems treat their data. It adds that if criminals use Google Pixels and GrapheneOS, it is simply because the solutions work well. But that does not make the developers complicit, they insist. “Criminals and traffickers also use knives, fast cars, and cash—things that are also widely used by honest citizens,” the representatives say.
GrapheneOS further notes that it protects users from hackers and from intrusions by the secret services of authoritarian states. “We consider privacy a human right, and we are concerned about projects like Chat Control (a European bill aimed at detecting child-abuse material in messaging apps, but heavily criticized), which the French government supports. The invasion of privacy enabled by such legislation would have alarming implications under an authoritarian-leaning government,” the foundation argues.
No idea why these articles always try and reference a criminal case to attempt to make us look bad and responsible, when the example is always someone caught red handed, arrested and being charged. We also can't know who any users are because it's an open source project anyone can change the code and run their own version of... Shocking! Doesn't sound like we are enabling any crime to me if theyre being caught. Maybe they should ask the same questions to the teams of Android, LLVM or Linux who make most of the code.
The moment police IT specialists tried to extract data from it, the device mysteriously reset itself.
There is no feature that just 'mysteriously' resets itself. The only feature is the duress password, which is an overt and well documented feature. This is not characteristic of GrapheneOS. If there is an app doing this, ANY Android device can do it.
“When this system is present on a mobile phone, it is a clear indicator of technical sophistication and an intent to conceal,”
Or that they are a important or at-risk individual with additional security needs other commercial off the shelf device and operating system setups aren't providing? Why do they make malicious assumptions?
Is enabling Lockdown Mode on your iPhone also an intent to conceal?
One distinctive feature of GrapheneOS: you can get it both on the darknet and on mainstream websites. Police have also detected specialized forums, darknet chat rooms, and unlisted YouTube channels that promote it.
Anyone getting GrapheneOS from "unlisted YouTube channels" and the "darknet" lacks reading comprehension. Whatever these are, they aren't by us and would be an infringement on our trademarks. We have a public chat bridged to many mainstream platforms and a surface web site... Not to mention we ban anybody suspected of being involved in anything universally considered criminal activity.
Note they kept talking about us like we are a business selling a product. We aren't a business and aren't selling anything.
The software can erase all data on the phone by displaying, for example, a fake Snapchat screen when a cyber-investigator tries to access its memory or decrypt it.
Not even a GrapheneOS feature. Completely made up attribution. If there's an app doing this, then again, any Android device applies.
GrapheneOS has gradually spread to users seeking above all to avoid any form of data collection or analysis by authorities, including in a judicial context,” the police add.
Perfect advertisement! Waiting for a version for Pixel 10 to buy it for next birthday.
First, if you're an open-source developer or organization and you're asked an interview by mainstream medias, this is fine to be a little careful. You're free to have few rounds of exchange with the journalists to scope the interview and ask under which the angle the article is expected to be. This is fine to exercise your right of correction and explicitly ask the media to insert your version of the facts.
Secondly, on cryptography at large, last year the European Court of Human Rights implicitly recognized the legitimacy of end-to-end encryption in a landmark decision (ECHR, Podchasov v. Russia, 13 February 2024) and underscoring the worthiness of end-to-end encryption in a democratic society in the era of Internet. As far as I know, no other similar decision has been yielded by a supreme court in any other worldwide jurisdictions. France is a state party to the European Convention on Human Rights, so ECHR decisions have to be followed by French courts in principle, minus the caveats.
Thirdly, on the question on the criminalization of intent for the simple usage of encryption tooling or data deletion tools like the alleged usage of GrapheneOS in the Parisien article under French law, this is a controversial legal question. There are series of cases pending in front of the highest French court for criminal matters on this topic of usage of those kind of tools and it's a controversial topic.
Most of the time, you have the law enforcement authorities doing the wider interpretation of the legal texts (I'm respecting their wish for efficiency but fundamental rights matters too...) and then after the facts, courts intervening to put a "calm down". This is a reason why France has effective separation of powers, and why separation of powers matters in any democratic society.
With all those caveats, let's be frank if you're working on privacy-first or human-rights first open-source softwares, and you have the choice to pick up the worldwide jurisdictions under which to operate, in my humble opinion you're better off to be based in Germany or Czech Republic rather than France, US or Canada. The former have known the URSS and its wide surveillance state, so culturally there are far more respectfully of privacy and human rights.
Really hope this all amounts to a big fat nothing. Despite the official GrapheneOS accounts across multiple platforms being somewhat confontational, the actual OS itself is spectacular. If criminals are deciding to use a free, openly available distribution on their phones, that's their prerogative. That's got nothing to do with the GrapheneOS project, and their name shouldn't be negatively attached to it.
This is just a crappy article from a crappy mainstream media.
Now, France is definitely not the best place in the world for privacy-minded fellas. AFAIK, we're one of the last remaining western countries to have laws governing the import/supply of cryptographic tools1 (basically, you have to declare it to the French cyber authority). We have a law that defines a presumption of guilt when the way money is handled "can only be justified by an attempt to conceal the origin of funds"2, which now includes the use of privacy techniques in the context of crypto-currencies.
So yes, this police fella saying that "when this system is present on a mobile phone, it is a clear indicator of technical sophistication and an intent to conceal" is very concerning. But it's mostly that:
loads of people feel unsafe
most people don't care about privacy, even when we now have weekly data breaches (incl. quite frequently public services).
We have contributors around the world as it is an open source project. GrapheneOS was founded by a Canadian and the non-profit GrapheneOS Foundation is registered in Canada.
Yes, but governments are the biggest criminals that want to know how much money they can steal from you when you become an enemy of the state. Right now, "drug dealers" and "CSAM" perverts are the enemy, but in the 1940's, Japanese people in the US and Jewish people in Germany were the enemies. Tools like graphene are important to protect people from government criminals who make identity a crime.
Footnotes