olalonde 13 hours ago

> France isn't a safe country for open source privacy projects. They expect backdoors in encryption and for device access too. Secure devices and services are not going to be allowed.

If this is true, it's a bit concerning for Ledger users. One state-mandated firmware update away from losing all your crypto?

  • yorwba 12 hours ago

    Fortunately it's not true. GrapheneOS seem (https://xcancel.com/GrapheneOS/status/1993061892324311480#m) to be reacting to news coverage (https://archive.ph/UrlvK) saying that although legitimate uses exist, if GrapheneOS have connections to a criminal organization and refuse to cooperate with law enforcement, they could be prosecuted nonetheless:

    "for a certain portion of users there is real legitimacy in the desire to protect their communications. The approach is therefore different. But that will not stop us from prosecuting the publishers if links with a criminal organization are discovered and they do not cooperate with the justice system."

    Charitably, GrapheneOS are not in fact a front for organized crime, but merely paranoid, assuming that the news coverage is laying the groundwork for prosecution on trumped-up charges. Notably, there doesn't appear to have been direct communication from law enforcement yet.

    • GuB-42 11 hours ago

      Isn't it the same for every country?

      Of course if your organization has connections to a criminal organization, you are going to be in trouble. Same thing for refusing to cooperate with law enforcement, this is not some abstract thing, it is about following the law, for example relating to evidence tampering or search warrants.

      I don't think France is anything special in that regard.

    • 627467 10 hours ago

      Paranoid? Telegram CEO was arrested and held for days, his movements out of France restricted for months. And he is a connected billionaire, not an open source developer.

      Open source developers have been given jail sentences in the last months.

      If you're a broke open source developer - even if you believe under the law you're not doing anything wrong - would you want to be exposed to law enforcement harassment (lawfare) for no reason?

      Also: chat control.

    • jack_tripper 12 hours ago

      >Charitably, GrapheneOS are not in fact a front for organized crime, but merely paranoid

      The difference between someone being paranoid and someone being right, is time.

      • soufron 12 hours ago

        If that paranoia is related to their participation in organized crime... well, governments should be the least of their problems in a few years.

  • beeflet 13 hours ago

    How would the government mandate a backdoor of such a hardware/software system without attracting eyeballs?

    • jack_tripper 12 hours ago

      Easy. They'll just demand major tech companies implement in Europe exactly what they did to comply with China's government surveillance request. They already have the blueprint of the apparatus, they just need to throw a blue coat of paint and a circle of gold stars over it to legitimize it and make it less scary looking.

      And they don't give a damn about attracting eyeballs since the surveillance will be mandated by law and done legally by the book, and it will be done "for your own safety and protection against the boogieman", so that people will accept it.

    • olalonde 11 hours ago

      I can't speak to the political or legal aspects, but technically, Ledger firmware updates are closed‑source binaries delivered from Ledger's servers. That centralization makes it possible for a state actor—or anyone with access to Ledger's signing keys and servers—to slip in a backdoor. Even if the firmware were fully open source, a backdoor could still be inserted during the build process and never appear in the repositories. Avoiding it would require building the firmware yourself, which most users don't do.

      As a side note, Bitcoin Core mitigates this risk with deterministic builds and multiple independent developers verifying and signing releases. But this option isn't available for Ledger as most of the firmware is closed source.
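
The check that deterministic builds make possible, as an added example (not part of the comment above and not Bitcoin Core's own tooling): hash the binary you were served and require that enough independent builders attested the same digest. The builder names, file name and sample bytes are constructed, and each attestation's signature is assumed to have been verified already.

```python
import hashlib

def parse_sums(text):
    """Parse sha256sum-style lines ('<hex digest>  <filename>') into a dict."""
    sums = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == 64:
            sums[parts[1].lstrip("*")] = parts[0].lower()
    return sums

def check_release(artifact, filename, attestations, threshold):
    """Compare the local artifact with each builder's attested digest.

    Returns (ok, agreeing, dissenting). Any dissent fails the check: with a
    deterministic build, a mismatch means tampering or a non-reproducible step.
    """
    local = hashlib.sha256(artifact).hexdigest()
    agreeing, dissenting = [], []
    for builder, text in sorted(attestations.items()):
        digest = parse_sums(text).get(filename)
        if digest is None:
            continue  # this builder did not attest to the file
        (agreeing if digest == local else dissenting).append(builder)
    return len(agreeing) >= threshold and not dissenting, agreeing, dissenting

# Constructed sample data: image bytes and builder names are hypothetical.
PUBLISHED = b"constructed firmware image 1.0"
SERVED = b"constructed firmware image 1.0 + implant"  # what a compromised server sends
_line = hashlib.sha256(PUBLISHED).hexdigest() + "  firmware.bin\n"
ATTESTATIONS = {"alice": _line, "bob": _line, "carol": _line}

if __name__ == "__main__":
    print(check_release(PUBLISHED, "firmware.bin", ATTESTATIONS, 2))
    print(check_release(SERVED, "firmware.bin", ATTESTATIONS, 2))
```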

    • grougnax 13 hours ago

      The government just doesn't care.

      • beeflet 13 hours ago

        If there is a backdoor in an open-source system, and people know about it, then they will organize independently to patch it out. So it will be ineffective to the extent that the technology allows reprogrammability.

        The only way you can beat it, as a government trying to insert a backdoor, is through use of tivoization or some other technology that clinches control during manufacturing or other centralization weak points around economies of scale that the re-programmers don't have.

wartywhoa23 14 hours ago

When all the remaining freedom fighters flee out of all the oppressive states into the last remaining citadel of human rights, which may well turn out to be some drifting icefield in the Arctic, and the oppression finally catches up with them there, is there any plan B for humankind?

  • alkindiffie 12 hours ago

    Why are we giving up? Shouldn't we stand up against Oppressive governments and Corporations?

    • wartywhoa23 12 hours ago

      That's the point I implied! We absolutely should, and must. But the only viable way to do so seems to be by following Gandhi's principles of personal non-violent sabotage against the oppressor, which requires unity and cooperation between people, and that, alas, is very questionable these days. Half of us won't even admit they're oppressed! When a single shoemaker makes two left shoes instead of a normal pair the oppressor orders, he's out to look for a new job. When every shoemaker out there makes only left shoes, the oppressor has to go f2k himself and learn some craft or manners.

      Old ways that seemed to be working, like democratic elections? I don't think so. Not anymore.

      • alkindiffie 12 hours ago

        I don't think one thing will solve it, but everyone who knows better can contribute in their own way. For example by teaching people about privacy, encryption and free software. Writing books, doing podcasts aimed at the general public to promote privacy tech. Talking to your local government and municipalities, becoming the local expert and proposing policies.

    • jack_tripper 12 hours ago

      > Shouldn't we stand up against Oppressive governments and Corporations?

      How? Governments have the monopoly on violence through their control of the police and military, and corporations bribe the governments in power to do their bidding and also control the media apparatus via which the voting population makes their democratic decisions, so you get this corrupt symbiotic relationship between the first and second estate (the government and wealthy elite private sector) to keep the third estate (common population) oppressed.

      So how do you actually coordinate hundreds of millions of people towards a single goal to "fight" against an apparatus of oppression with an order of magnitude more kinetic strike, intelligence gathering and propaganda capabilities than the common folk?

      People keep fantasizing about the French revolution and guillotines, but King Louis XVI didn't have Air Force One, doomsday bunkers in New Zealand, AC-130s, Predator, Reaper and Anduril drones to protect him. The force disparity between the ruling elite and peasantry is now like that meme of hydrogen bomb versus coughing baby.

  • crossroadsguy 13 hours ago

    That'd be the textbook definition of hitting rock bottom, the last of the bottoms, and hitting rock bottom is a plan B in itself.

  • otikik 13 hours ago

    The One place that has not been corrupted by Capitalism… Space!

    • simonh 13 hours ago

      Looks like Musk and Bezos are going to beat you to it.

    • littlecranky67 13 hours ago

      Capitalism didn't corrupt privacy. Literally every major messaging and smartphone maker integrated e2e encryption because the user wants it. It is government regulations that want to kill privacy. Which is not free markets or capitalism, this is more socialism.

      • microtonal 13 hours ago

        > Capitalism didn't corrupt privacy.

        Meta, Microsoft, and Google's extensive user tracking beg to differ.

        • anonymousiam 13 hours ago

          It's not either or.

          Meta, Microsoft, Google, & Apple have a profit motive for scooping up everything they can.

          Every government in the world wants to do the same scooping, but their motive is "security."

          These are not separate activities either. Governments are mandating the collection by corporations, so they can use that channel for their own purposes.

          • stalfie 12 hours ago

            You know, security is a nebulous concept until it suddenly isn't. I live in a country neighboring Russia. Russian infiltration, sabotage, and perhaps large scale political assassination by means of autonomous drones (like the Ukrainian operation "spiderweb"), is a very real and frankly not entirely unrealistic worry of mine. This is in addition to the unfortunate reality of hybrid warfare, where an uneducated populace that gets their news from TikTok is a very real security risk, which has almost already crashed immature European democracies. And arguably it has already succeeded in crashing the US.

            In practice, encrypted messaging, and more broadly the unregulated, anonymous nature of the internet is THE technology that enables this. Ukrainian refugees are essentially indistinguishable in practice from Russian operatives and pose a very real security risk. The loss of the US as a reliable ally, which in practice is the new reality, is felt here in a very real way.

            I think this point is largely missed by hacker news. I am legitimately afraid that Russia might assassinate elected leaders and invade, and embroil my own country in a war that might lead to my death. And to be honest my worries are a bit overblown in my particular case, it is very unrealistic that this will happen to my particular country, but if I were to live in Poland they wouldn't be.

            I raise this point in response to your quotation marks around "security". European countries have very real, and very pressing security concerns.

            • anonymousiam 4 hours ago

              Thanks for the excellent reply/comment. Having supported the US IC for the majority of my career, I'm quite aware of the threats to/from, and the behaviors of nation states.

              It's easy to justify snooping. The issue (for me) is when the snooping unjustifiably infringes on my personal privacy. Governments will argue that they don't know that I'm not a threat, so they must surveil me. Unfortunately, those who are doing the surveilling can also be a threat to the people, even when the people are behaving completely in compliance with the law. You need only look at some of the recent revelations in the US press for examples.

              Knowledge is power, and power corrupts.

        • littlecranky67 11 hours ago

          The original submission is about GrapheneOS, not Meta or Google though.

  • NSUserDefaults 13 hours ago

    Satellites?

    • anonymousiam 12 hours ago

      Satellite operators are still required to comply with the Federal Wiretap Act (and equivalent in every other country of the world).

      The result is a less-than-optimal network that requires routing communications through a ground station (where it can be intercepted) even when it's technically feasible (and optimal) to use point-to-point communications.

      The resulting technical solutions (at least) double the bandwidth and processing required by the network, and bandwidth/processing are critical resources for communications satellites. These requirements can make or break the economic feasibility of a proposed system.

    • bbarnett 13 hours ago

      Can be jammed and/or destroyed.

leobg 14 hours ago

If I read it correctly, they’re not physically “moving” out of France. They are merely switching servers away from OVH.

  • letmetweakit 13 hours ago

    "France isn't a safe country for open source privacy projects. They expect backdoors in encryption and for device access too. Secure devices and services are not going to be allowed. We don't feel safe using OVH for even a static website with servers in Canada/US via their Canada/US subsidiaries."

    Would surprise me if they weren't moving out of France entirely.

  • throawayonthe 13 hours ago

    seems as physical as anything, this includes OVH servers in france

  • rickdeckard 13 hours ago

    which is one of several server locations they operate on, including Germany and Switzerland

andsoitis 15 hours ago

“In Canada and the US, refusing to provide a PIN/password is protected as part of the right to avoid incriminating yourself. In France, they've criminalized this part of the right to remain silent.”

  • NitpickLawyer 14 hours ago

    > refusing to provide a PIN/password is protected

    In theory. In practice there's a case where a defendant is being held in contempt (jailed) for years now, for refusing to provide her encryption passwords. At that point both the 5th and the idea of contempt are busted.

    • andsoitis 14 hours ago

      > In practice there's a case where a defendant is being held in contempt (jailed) for years now, for refusing to provide her encryption passwords.

      Link to story?

      • happymellon 14 hours ago
        • piyuv 13 hours ago

          > Prosecutors were able to gain access to the laptop, and police say forensic analysis showed Rawls downloading child pornography and saving it to the external hard drives.

          • happymellon 12 hours ago

            My comment was more about this

            > In practice there's a case where a defendant is being held in contempt (jailed) for years now

            They are not still being held due to contempt, they were released. Now if he was convicted then that's different and the correct reason to be imprisoned.

            > she

            It was not a she.

            The ruling showed that you can only be held for 18 months in the US for refusal. They would need to actually charge them with a crime if the government wanted more than that.

  • p0w3n3d 14 hours ago

    Does it mean they do not respect democratic values in France?

    • sebtron 14 hours ago

      If by "democratic values" you mean US and Canadian law, they don't.

    • exe34 14 hours ago

      Could you say a few words on what you think democracy is?

      • p0w3n3d 11 hours ago

        democratic values maybe more, because that's what I said. I'd say that every person is equal in law, everyone can defend themselves and is not punished for not incriminating themselves.

        You know, I live in Poland, where up to 1989 when you were captured by police (which was called militia back then) they would beat the shit out of you or nag your family unless you incriminate yourself. And these were not democratic values. Basically the ruling system was authoritarian at that time. And I can see some similarities here between Poland pre 1989 and France nowadays.

        -- EDIT --

        Chat Control, which was accepted by France, is also a really good connection to those times when your packages were being opened in the post office, if you were suspected by the one-party government. Also there was a time that all the phone calls were eavesdropped by security service.

        • exe34 5 hours ago

          I don't like chat control unless it opens up all government communications to the public at the same time - but to compare chat control with the secret police beating up your family seems a bit over the top.

    • immibis 14 hours ago

      Depends, did the people vote for it?

ThePowerOfFuet 13 hours ago

... to Canada.

Out of the frying pan, into the fire?