GrapheneOS Developers Announce Shutdown of Infrastructure in France Due to Government Pressure
GrapheneOS Developers Announce Shutdown of Infrastructure in France Due to Government Pressure
The GrapheneOS team reports that it is shutting down its infrastructure in France. The developers are accelerating their migration away from hosting provider OVH and accuse French authorities of creating a hostile climate for projects related to privacy and encryption.
Per the developers, they have faced increasing pressure from authorities and are implementing a series of changes to the project's infrastructure—all aimed at distancing themselves from French jurisdiction.
This involves decommissioning all active servers in France, rotating cryptographic keys for TLS and DNSSEC, and migrating core services (email, Matrix chat, forums, Mastodon, and attestation servers) from OVH Canada to German provider Netcup.
About GrapheneOS
GrapheneOS is an Android fork focused on security and privacy. The project is built on the Android Open Source Project (AOSP) and strengthens standard app isolation mechanisms, uses strict verified boot, and a more rigorous update process.
Reasons for Departure
The project team states that France has ceased to be a safe country for open-source projects focused on privacy. They cite political pressure from authorities to implement backdoors in encryption technologies, as well as criminal penalties for refusing to unlock devices.
Although a controversial bill proposing aggressive surveillance enhancement and a mandate for encryption backdoors was rejected by the country's parliament in early 2025, the GrapheneOS developers believe the country remains hostile to privacy-respecting technologies.
Members of the project team have been subjected to harassment and coordinated defamation campaigns. This is the reason for the delayed release of experimental support for the Pixel 10.
Technical and Legal Constraints
GrapheneOS notes that law enforcement demands to provide access to encrypted devices are technically impossible to fulfill—protection is ensured by secure elements, which require signed firmware updates and user authentication. Bypassing brute-force protection is not possible, even by court order.
Unlike in Canada or the USA, where refusal to disclose a password is protected by the right against self-incrimination, in France such refusal is criminalized, depriving citizens of basic protection in privacy matters, the developers explained.
Government Actions and Media Campaign
"France is taking action against GrapheneOS. France has actively pursued a number of companies selling phones marketed as private and secure. Authorities justified this by linking such companies to criminals. In some cases, this appears to have been true. In others, it was unsubstantiated. They are now spreading defamatory statements in the media about GrapheneOS, inventing non-existent features and project distribution methods, conflating us with completely different things," project representatives stated on Mastodon.
"They confuse dubious companies using our code to create their own products with our open-source project and organization. When high-ranking officials from French government agencies actively defame us and spread lies about GrapheneOS, attempting to equate us with companies they have previously raided, seized infrastructure from, and prosecuted, it means the country is not safe for us. We are completely leaving France and abandoning French services."
Infrastructure Migration
GrapheneOS is now rebuilding its infrastructure. Update mirrors have moved to sponsors in Los Angeles, Miami, and temporarily in London. DNS infrastructure has migrated to Vultr and BuyVM. Core services are transitioning to Netcup, and the long-term plan involves physically collocating servers in Toronto.
Cryptographic protection for updates, applications, and the boot process remains unchanged.