Positon (https://positon.xyz/) is a geolocation service closely tied to a group of people targeting our team with harassment. We urge people to avoid submitting their sensitive location data to this service. People involved in it have supported doxxing and swatting attacks.

They intend to lock people in to the service by keeping a lot of the data proprietary. They've repeatedly talked about locking people into it and avoiding having alternatives to it. Their priority is having control and ownership of data while sabotaging decentralized approaches.
Having an open source client/server won't make up for having proprietary data requiring giving your location to a server. They want to lock people into streaming their location to them in real time. Replacing Apple or Google with far less trustworthy people isn't progress at all.
We're going to be supporting and funding an approach where the data is available for anyone to use local databases on their devices or host their own servers. For GrapheneOS, we plan to provide both a local database option and a GrapheneOS server option. We'll only use open data.
Don't contribute your data to a service trying to centralize control, particularly one from the folks behind the astoundingly insecure /e/OS.

We've published an initial article about it:

https://grapheneos.org/articles/positon-location-service

It's exactly what shouldn't be happening with a successor to Mozilla's retired location service. These folks already used harassment and other underhanded tactics such as false reports to deter competition.

@GrapheneOS do you have a recommendation for a service like this that works on iOS as well? I'm trying to get my friends/family to switch from Life360
@tkk13909 You can't use a non-Apple network location service or local alternative on iOS.
@GrapheneOS Maybe you should check your claims about /e/OS before spreading false information and your usual FUD against /e/OS & Murena.
@GrapheneOS is there a particular reason why the edit on this post was made?
@navi It didn't end up being an open data service after all.
@GrapheneOS do you have a source for these doxxing, swatting, or lock in plans….?
@GrapheneOS or the security claims about eOS either? I can't find any information about it online

@kali

Look at the DivestOS site and particularly the posts by SkewedZeppelin (security researcher and lead developer of DivestOS) about /e/OS on their forum and elsewhere.

You can find lots of information about it online beyond that. You can easily confirm that they're consistently way behind on security patches for the OS and browser, set an inaccurate security patch level, downplay it / mislead users about it and massively roll back security beyond how much LineageOS already does.

@GrapheneOS yeah, no, sorry. This is not a source. I asked for a source and you basically responded with “look it up”.

Just because you’ve given me more instructions on what exactly to look up (in this case the security researcher) that doesn’t mean you’ve provided a source. That’s like if someone comes up to you and starts parroting some random political talking point and when you ask where they heard this they just say ‘Biden said it in 2023’.

That’s not a source, it’s a guide to find more information.

@kali We're speaking about it as a privacy and security research/development project with a long history of discovering vulnerabilities and working with upstream projects. Our statements are based on the /e/OS source code and their public statements including marketing. You can confirm which Android version it's based on, which patch level is provided for different components, and how they present that to users. It's completely verifiable information. Do you want us to link to a bunch of it?

@kali This shows how quickly operating systems ship the Android Security Bulletin patches for the Android Open Source Project, which is a small portion of the overall security patches. Around half of the important patches are for firmware, drivers, HALs and the Linux kernel which are not automatically obtained by applying these patches:

https://divestos.org/pages/patch_history

This shows /e/OS consistently lags behind around 1.5 to 2 months on this easiest portion of the patches. That's one part of it.

@GrapheneOS This is useful. Thank you.
@kali There are also the firmware, driver, HAL and Linux kernel patches. This is where /e/OS lags far more behind even on devices where these are available. They're often quite literally years behind on these patches. They claim to have patch levels requiring these patches which are not included, misleading users. They downplay the impact of what's missing. They largely support end-of-life or badly maintained devices where patches are unavailable, but are bad at shipping them when they are.
@kali The full Android Open Source Project security patches require being on the latest release, which /e/OS is not. They lag at least a year behind on yearly OS updates, and the monthly/quarterly updates are only for the latest major yearly branch so they can't provide them in practice. Moderate and lower severity patches including most privacy patches are part of these releases. You can see the Android Security Bulletins only list High/Critical, which is what gets backported, not all of them.

@GrapheneOS my apologies if it wasn’t clear, but my previous post asking for sources was also referring to your claims of doxxing and harassment, which would have required its own link.

It seems unnecessary to provide links to their source code because, as you said, it is already verifiable. Graphene and e/OS/ seem to share different visions. I am ending this conversation now, it’s late in the evening for me.

@kali They were just creating sockpuppet accounts on our forum today engaging in libel targeting our team and spreading misinformation in response to our post about this location service which they don't want people to know is tied to them. It's likely verifiable that it's Gael Duval himself doing it if mastodon.social cooperated and confirmed if the IP address used on our forum matches, if you can convince them to check that.

We have previous posts about their past attacks on our team members.

@kali

We've posted about the harassment from Gael Duval and people who work for him before, so that's available. It also partly happened on Twitter and is still available there.

The source for their lock in plans is their private chat room for discussing coordination on making a proprietary location service and getting all open source projects to adopt it.

@GrapheneOS yikes. “for the open-source software community”, my ass!
@GrapheneOS If I understand you correctly you claim that Positon.xyz have "repeatedly talked about locking people into it and avoiding having alternatives to it"? Could you provide URLs to several of those messages? I've tried DDG-ing SkewedZeppelin (that you mention later in the thread) and Positon, but apparently I'm not that good at searching...

@mnalis

> If I understand you correctly you claim that Positon.xyz have "repeatedly talked about locking people into it and avoiding having alternatives to it"? Could you provide URLs to several of those messages?

It's based on private chat logs.

> I've tried DDG-ing SkewedZeppelin (that you mention later in the thread) and Positon, but apparently I'm not that good at searching...

That was in reference to /e/OS, the major backer of this service and their upcoming "libre" rebrand of it.