GrapheneOS is leaving France over security and legal concerns, including government pressure for an encryption backdoor. Here’s what happened and why it matters.

What happened with GrapheneOS in France?

On November 24, 2025, GrapheneOS announced on X(new window) it has removed all active servers from France and is in the process of ending its relationship with hosting provider OVHcloud. “France isn’t a safe country for open source privacy projects,” the team said, pointing to what it describes as the expectations of French authorities for encryption backdoors.

This decision arrives as France becomes one of the most vocal supporters of proposed EU Chat Control legislation, which aims to force online platforms and messaging services to automatically scan private chats, images, and media for child-sexual-abuse material (CSAM) and grooming content. In March, the French National Assembly rejected a proposal(new window) that would have required secure communication services like Signal to weaken or remove their end-to-end encryption.

End-to-end encryption (E2EE) means that only the sender and recipient can read the contents of a message — not the service provider or other third parties, including government authorities or cybercriminals.

What is GrapheneOS and why do people use it?

GrapheneOS is a nonprofit, open-source, and Android-based operating system used by many people seeking better privacy, security, and control. Here are some of the reasons why people prefer it to Google’s Android:

  • No background data collection, built-in Google tracking or telemetry. This means your device doesn’t send usage data, diagnostics, or behavioral information to Google or its partners.
  • Disabled Advertising ID by default. Advertising ID is a unique identifier assigned to your device by Android that lets marketers track you for targeted ads.
  • No bloatware, such as manufacturer or carrier-installed apps.
  • No forced apps you can’t uninstall, such as Google Assistant or Gemini.
  • No Google lock-in prompts, such as persistent notifications encouraging Google services. You can also use GrapheneOS without an Google account.
  • No default cloud integration such as automatic Google Photos backup.
  • Advanced privacy permission controls, such as better protection against zero-day exploits.
  • Stricter security rules controlling how apps behave, such as sandboxing that prevents apps from accessing other apps’ data or system resources without explicit permission.

Why encryption backdoors are dangerous

GrapheneOS protects mobile devices using full-disk encryption to secure all data, including metadata like file names and timestamps. An encryption backdoor would mean adding a secret method that law enforcement could use to unlock encrypted data without your consent, PIN, or face.

The problem with an encryption backdoor is that, once it exists, it can be discovered, misused, or exploited by anyone who finds it, including cybercriminals. This puts everyone at risk, not just people targeted by an investigation, which is why privacy advocates consistently oppose it.

Why GrapheneOS says a backdoor is technically impossible

According to GrapheneOS, recent public comments and internal memos circulating among French law enforcement included warnings to treat Google Pixel devices as “highly suspicious” and what the project characterizes as misinformation about GrapheneOS.

GrapheneOS explains that, even if it wanted to, introducing an encryption backdoor is technically impossible due to the phone’s hardware secure element, which enforces a strict chain of trust. Only properly signed firmware is permitted to run, and any unauthorized modification would cause the device to fail verification. In addition, hardware-enforced protections limit the number of unlock attempts and introduce delays between them, preventing brute-force attacks.

GrapheneOS is not alone in refusing to create encryption backdoors

Major tech companies have also faced pressure to weaken encryption and have refused. Here are a couple of recent examples:

  • In 2023, when the UK was advancing the Online Safety Bill, Signal said(new window) that it would rather shut down its service in a jurisdiction that betrays the trust of its users than comply with a law that would introduce backdoors or surveillance-enabling features.
  • In 2025, the UK government effectively forced Apple to choose between creating an encryption backdoor and removing end-to-end encryption for certain services. Apple opted to withdraw Advanced Data Protection (ADP) — a feature that extends end-to-end encryption to several iCloud services, including backups, photos, notes, and files — rather than compromise its security model. Apple later filed a legal challenge against the UK government’s demand.

When governments weaken privacy, you pay the price

France’s stance against privacy-first companies and open-source projects sends a broader message: operate here and give us access to your data, or leave.

When secure platforms like GrapheneOS choose to stand strong with their security principles intact and pull their infrastructure out of the country, the very people they serve ultimately lose access to the tools designed to protect them from data breaches, identity theft, and state censorship.

At Proton, strong encryption and online privacy are foundational to our mission. We wouldn’t be able to provide our community secure email, V(new window)P(new window)N(new window), cloud storage, or password management without them.