GrapheneOS has announced the complete shutdown of its infrastructure in France, accelerating its withdrawal from hosting provider OVH and citing growing threats to privacy-focused software in the country.
The project reports escalated harassment against its team and growing concerns about France’s legal climate for encryption.
The announcement outlines a series of infrastructure changes intended to distance GrapheneOS from French jurisdiction. According to the developers, the move involves decommissioning all active servers in France, rotating cryptographic keys used for TLS and DNSSEC, and preparing a short-term migration of core services, such as email, Matrix chat, forums, Mastodon, and attestation servers, from OVH Canada to German provider Netcup. The long-term goal is colocation in Toronto, Canada.
GrapheneOS is a hardened, security- and privacy-focused mobile operating system based on Android Open Source Project (AOSP), offering enhanced device security through features like secure app sandboxing, verified boot, and advanced update verification mechanisms. Its development has been closely followed by privacy advocates and security researchers due to its uncompromising stance on device sovereignty and its refusal to compromise on encryption.
The group claims that France is no longer safe for open-source privacy projects, referencing recent political pressure to introduce backdoors into encryption technologies and criminal penalties for refusing to unlock devices. While France’s controversial “Narcotrafic” bill, an aggressive surveillance proposal that included encryption backdoor mandates, was defeated in parliament earlier this year, GrapheneOS warns that the country remains hostile to privacy-respecting technologies.
GrapheneOS says team members have faced intensified harassment, libel campaigns, and disruption of development efforts, including a delayed rollout of experimental Pixel 10 support. The organization reports that law enforcement demands for access to encrypted devices are technically impossible to comply with, as protections are enforced by secure elements (SEs) that require signed firmware updates and user authentication. They emphasize that even if legally obligated, bypassing brute force protections is not technically feasible.
Unlike Canada or the US, where refusing to disclose a password is protected by rights against self-incrimination, France criminalizes such refusals, removing a core safeguard for individual privacy, explained the project leaders.
In response to the security and legal risks, GrapheneOS is reshaping its infrastructure as follows:
- Update mirrors are now hosted by sponsors in Los Angeles, Miami, and temporarily London, following an emergency migration.
- DNS infrastructure has been moved to Vultr and BuyVM, which allow BGP announcement of a custom IP space.
- Core services are transitioning to Netcup, with long-term plans for physical server colocation in Toronto.
- Cryptographic protections for updates, apps, and the boot process remain in place, with layered verification against tampering and downgrade attacks.
The organization assures users that all backups are encrypted and may remain temporarily on OVH systems during the transition.
Leave a Reply