Cops say criminals use a Google Pixel with GrapheneOS – I say that's freedom

I have never been to Spain, and I have only slight familiarity with issues in Barcelona and greater Catalonia, but this gives me pause:

"There’s a bitter irony here, too, as GrapheneOS recently pointed out in a tweet. The Spanish region of Catalonia was at the center of the massive Pegasus spyware scandal in 2019.

"Pegasus, a sophisticated surveillance tool sold exclusively to governments, was reportedly used to hack phones belonging to Members of the European Parliament and eavesdrop on their communications. Yet, police in this very region are now scrutinizing savvy Pixel and GrapheneOS users for hardening their devices against unlawful surveillance and other attack vectors."

And at the same time:

> GrapheneOS is not immune to exploitation, but the fearmongering done in these ongoing attacks on it is very clearly fabricated. They feel threatened enough by GrapheneOS to engage in coordinated attempts at convincing people that it's unable to protect their privacy and security.

So... they (cops and friends) are saying that GrapheneOS is for criminals, AND that it does not work at protecting anyone's privacy and is not for security. Amazing.

See: https://grapheneos.social/@GrapheneOS/114784553445461948 and the rest.

[flagged]

"being criminals is a state sponsored attack on the GrapheneOS project."

Yes, I know, age of hyperbole, but a state sponsored attack on the project is mass arrests, blocking of funds etc.

Graphene does their PR, the police does their PR. Both have different views on the world.

You don't even have to go that far. Just ask them for their banking information, passwords, and maybe some naked photos of them to top it off.

Everyone has something to hide... unless there's something utterly wrong with them.

Agreed, I once read someone put it like this: Saying you have nothing to hide, so you don't care about privacy is like saying you have nothing to say, so you don't care about freedom of speech. In both cases the ramifications are far reaching.

Not just in Europe, in the US too - Roman Storm is on trial as of last week for building a privacy tool that ended up getting used by criminals.

Not much good coverage on it out there apart from the great work by The Rage journalists.

> In particular as general population don't really care about it

> if some lobbies are pulling the strings

Sure looks like it. Many people don't understand the consequences of the ChatControl proposition (backdoors for governments into all messaging apps) [1].

Politicians insists it is only about protecting kids from predators online, but see for example Sweden:

* Police and secret police will have this access for swedish citizens.

* Secret police have an agreement with NSA about data sharing (see Snowden).

* NSA will end up storing all my DM:s.

* Another country also have an agreement with NSA about data sharing.

* This other country will find out about my sexual orientation or political beliefs the moment I board a plane to their country.

All of this will be outside of control from my country or the laws of my country (Sweden), that is supposed to protect my free speech [2] and anti discrimination laws [3].

1: https://en.wikipedia.org/wiki/Regulation_to_Prevent_and_Comb...

2: https://www.riksdagen.se/sv/dokument-och-lagar/dokument/sven...

3: https://www.riksdagen.se/sv/dokument-och-lagar/dokument/sven...

F*k Ylva Johansson:

> Research by several newspapers led to allegations of questionable connections between Johansson and her staff and companies that would benefit financially from her proposal, including Thorn and WeProtect.

> Johansson rejected the accusations as being untrue, true but not illegal and as not even being accusations.

> Her claim to have given data protection organizations the same access as to the backers of her proposal was rejected as untrue by several organizations and members of the EU parliament. Johansson reacted to growing rejection of her proposal by ordering commercial advertisement on Twitter paid for with EU funds. The advertisement was criticized as being misleading and illegal according to the EU's rules for targeted advertisement. [4]

4: https://en.wikipedia.org/wiki/Ylva_Johansson#Surveillance_of...

Also to add to this discussion, to me, it makes zero sense that you would deploy such a system that could be weaponized by a rogue government to hunt down political opponents.

One could argue that they may very well think that this sort of thing could never happen, that the center will always prevail etc... but then again I remember seeing this video compilation of a lot of very confident people in the US saying that Trump would never be president a few months before the 2016 election, let alone be elected for a second term.

So that makes me think, how can they so confident that "the good guys" will always be in charge?

Because from where I am standing there is a massive chance that Reform will win in the UK and that the National Rally will win in France in 2027.

Nobody can say that they did not know.

Of course lobbies are pulling the strings. That is a given.

But the more nefarious issue is that countries that use to uphold human rights and the rights to privacy for their citizens up until 10 to 15 years ago have made a complete U-turn.

And before someone says that this is due to the far-right getting into power, this has really nothing to do with it.

It simply is blatant attempt at muzzling the population. The worst part is that you still have European governments who feel the need to give lessons of democracy to China et al.

I could see how Hungary would want to get this passed because they are well on their way to authoritarianism but this proposal coming from the EU who is supposedly politically in the center, that makes zero sense.

> The main point is that police are profiling people using Pixel phones. Nothing about making it illegal, or trying to remove encryption.

I had to click through several links to get to this part.

It’s an off-hand comment from a single police person who was trying to make some point.

The android news sites are getting a lot of mileage out of that single comment from a single person.

It is about running a false campaign to say using Graphene OS is the same as being a criminal.

I'll take it even farther - this should be a discussion about what constitutes crime, and how a system that didn't criminalize common, victimless acts would have such a small pool of criminals to deal with that widespread demonization of this or that technology wouldn't be neccesary.

> This should be a discussion on how valid it is for police to profile people.

Exactly - though in this case I'm not sure what that means - if they 'feel more alert and suspicious' - that's just going on in their head ( pretty difficult to control that ). If on the other hand it means you are constantly getting stopped and searched that's another issue - but then you could argue that's then argument about the stop and search rules in whatever country.

ie what counts as reasonable grounds for the police to take concrete action.

>The main point is that police are profiling people using Pixel phones. Nothing about making it illegal, or trying to remove encryption.

How can you think that profiling people based on their phones is not harmful to privacy?

In most western countries surveillance requires prior evidence of wrongdoing, if your phone brand or phone OS can be used as evidence that you might be engaging in criminal activity, that is of course a danger to privacy. It should be normal that people use Software and Hardware that respects their privacy and desiring privacy should never, by itself, be allowed to be evidence of criminal intentions.

> This should be a discussion on how valid it is for police to profile people. Or maybe if it's actually true that drug dealers are using GrapheneOS.

Why can't it be a discussion about how valid it is for police to use the desire for privacy as a basis for profiling? Is that not allowed?

Are you saying that we're required to either talk about:

1) whether the police should profile anyone at all for any reason (why not this particular reason again?), or

2) whether Spanish criminals desire privacy, and therefore more often choose GrapheneOS than other groups of people (is this controversial? Is it worth discussing? Can't we just take the Spanish police's word for such an unsurprising data point?)

Those are our only two choices? If so, than the conclusion is foregone. Police will be allowed to profile criminals and suspicious people, and criminals will attempt to refuse monitoring and searches.

I'd rather talk about whether refusing to be monitored or searched can be allowed to become official grounds for state suspicion, though. Even without your support.

It seems they're profiling based on specific local conditions. Not many folks are installing graphene in their area, but there are lots of criminal gangs that do.

The situation would be different in, say, Silicon Valley. But they're dealing with the world they're in.

Is disparagement of GrapheneOS good or bad for privacy?

Sorry I'd rather just read the title and then start arguing against my fantasy

> I don't like how much control Google has (it's ironic I had to buy a google phone) on android phones even from other manufacturers and the targeted marketing and information that I would be giving out.

To a normie non-tech person, buying a several hundred dollar Google phone, only to delete Google from it sounds stupid, like you've set your money on fire.

Yes, I recently bought a Pixel and immediately installed GrapheneOS.

the fact that they refuse to consider other phones ie fairphone or nothing phones that have the bootloader relockable is the reason that i do not use graphene.

it seems like a great os but i am not giving google money to get away from google.

You also do it to protect your friend and family, by for example sandboxing your contacts to prevent them from being shared with the messaging app you need to use to keep in touch with a specific group.

I maintain that if the NSA ever really needs to know something, if I somehow possess critical knowledge in a legitimate matter of national security, they are welcome to visit. (They'll have to settle for coffee, I'm not much of a tea drinker.) In this way, I really do have nothing to hide. But I do insist on knowing about it in the moment.

Outside of that very narrow context, they may kindly deal with my communications being secured by default, because if there is a path they can use to decrypt my data, the criminals can also find, exploit, and use that same path. Rather easily, as it turns out. (See: various data breaches, password leaks, company after company getting caught with unsecured S3 buckets containing encryption keys, etc etc.) It's not the law I'm hiding from, but those individuals who would steal every one of my digital assets given the opportunity.

In the specific context of Android, the thing I'm trying to dodge isn't even legal snooping or criminal activity, but specifically marketing. Google is terribly interested in my browsing habits, and so having my smartphone not run their services at all is an excellent way to reduce that flow of information from my device to a third party that I don't particularly trust.

I would go further and say that even if these things are for criminals, that is okay; and allowing some amount of criminal activity is necessitated by the basic humility of conceding that we might not have figured out the best set of rules for humanity to live under.

It might be appealing to fantasise about catching all the criminals and stopping all their dastardly deeds, but where would we be now if our governments had this capability 30 years ago? ...90? ...270? Would we be happier today if the last 1000 years had passed completely free of theft, murder, pederasty, and also free of blasphemy, heresy and challenges to the divine right of kings? Today, we are grateful for the actions of many a disgusting criminal that would have been condemned by any respectable and well-adjusted member of society (including you, had you lived then) at the time. Who knows which ones of today's criminals we will be thanking 30 years into the future?

If I am not a criminal you should not need to tap my phone

The idea that privacy is only for those doing something evil is so brain damaged, I cannot understand how anyone took that seriously.

No, privacy is for protecting good things from evil people. And frankly, it's more than that. Privacy is necessary even when no evil intent exists in either the observer or the observed. It is necessary for various relationships to flourish and for human beings to flourish. It isn't good for your neighbors to watch you making love with your wife, or for you to watch them doing so. Social boundaries are important. Failing to respect them is to claim an authority you do not have.

It's similar to the principle of subsidiarity: you want the right people involved in the right things at the right times. Removing privacy smushes everything together, and I claim that this flattening effect is one of the reasons for the mental illness that's catalyzed by social media.

[flagged]

FWIW I think its good to elaborate on how other projects are doing things incorrectly (though I agree the GOS people could use some diplomacy and decorum). For example, with the fairphones for the longest time the only answer you could get on why grapheneos doesn't support it is that the phone is not secure. That answer doesn't leave me informed, all it leaves me with is "someone on the internet told me it wasn't secure". For the newest fairphone 6 they actually elaborated and covered things like the lack of a secure element. That leaves me informed, so now I can look up what a secure element is, why I want it, and then make an informed decision for my next cellphone purchase.

I looked it up (as in spent a last few weeks going through the forum and PRs) and when they say "slander", it's backed up.

When they say other projects are insecure, this is for example because of the claims /e/OS based on the utterly insecure hardware and two major versions of AOSP, unpatched, is touting itself as a leading project in the privacy landscape.

I don't think they talk down any security - related project and I've never seen the generalised "they talk down on (...) open-source projects in general" - this is what I would myself call slander, because tbh it's dogs bollocks.

"Slander" or "attack" is said when there are baseless accusations (like above about attacking, quote, "any and every security-- and privacy-related project") because they don't have outlets or big money behind them which would simply state the facts and call out the accusations.

If you have examples of theese words "thrown" without basis (ie without sustained prior attacks on GOS), I'm sure every interested person would like to see it. If you wanted to show the examples of the innumerable privacy- or security-related projects that are _attacked_ by GOS, please share examples.

There are multiple so-called privacy and security related projects which are known for the sustained and baseless bad messages, and these don't get a pass, because it's clear it's intentional and in the bad faith.

Valuable projects and services are promoted and recommended based on merit and not favours (eg: they can argue based on facts why installing apps from accrescent or Google play store is generally safer than from the F-droid).

They don't hate the "custom ROM", they explain why it's a misnomer - and you using it here after saying they hate it (and either not knowing or not caring why it's wrong) is clearly an act in the bad faith :)

I struggle to see an attempt in the factual reporting in your post. The only thing I could connect over is their attitude in certain situations, but..... the rest of your post is just.... incorrect?

I don't need PR from my free mobile OS developer. I just need regular secure updates, which they seem to do a good job providing.

Next, as countries are requiring more and more age verification online, the EU accidentally outlaws GrapheneOS by introducing an age verification system that requires an OS certified by Google or Apple. https://chaos.social/@luc/114860815364169550

You're free to run GrapheneOS or Windows or whatever, so long as you also have a device that is attested to be untampered by Google Play or Apple's equivalent

Graphene replied in that thread (just ctrl+f for them), saying "Unfortunately, the EU is adopting the Play Integrity API enforcing having a Google Mobile Services device instead. We've repeatedly raised this issue with the EU Commission and many apps including ones tied to this specific project. We've never been given reasoning why they can't use the hardware attestation API instead."

I'm personally not so keen on that lesser DRM requirement either, since it's just another level of gatekeeping: ok now it's not only Google/Apple but also a few OSes that meet ?some? requirements, but e.g. GrapheneOS also doesn't unilaterally let me access data on my device, maintaining that full access is dangerous and cannot be allowed -- yeah, I'll agree data is safer when I can't even access it myself, seeing how much malware goes around for NT/Linux distributions where you can have root, but I'd still much rather live in a world where I'm the root on my systems. But anyway, that's maybe another discussion, the broader point is that even GrapheneOS can't talk sense into the EU with their lesser-but-still-DRM option

I do like that the government has entities that thwart attacks, and I'm not sure full transparency for these entities works well for everything.

Of course, I don't want this to be used as an argument to mass spy on the people.

Throughout history one of the most popular things people want government to do is oppress and police other people.

If the will of the people is to be trampled, then the people is to be trampled. True democracy is not mass democracy.

Agreed. It's wild to realize that the current US administration campaigned on the promise that they would provide transparency regarding certain matters. Yet now they're doing everything they can to combat transparency for those same matters.