It’s difficult to find much information about Daniel Micay online. Google him and you’ll turn up an impersonal X account and a barren LinkedIn page, plus some YouTube “exposés” and flame wars on Reddit and HackerNews that characterize him as everything from a privacy advocate to a cybersecurity visionary to a despot. Meanwhile, Claude refers to him as a “formidable independent mobile security researcher” who is “widely described as socially abrasive” (for whatever that’s worth). “All I can tell you about Daniel is that he lives in Canada,” says Dave Wilson, the community manager of GrapheneOS, a world-famous privacy tool and Micay’s current project.
Within the cybersecurity community, the mythology surrounding Micay goes beyond celebrity. He could be a ghost or a kind of egregore, like Satoshi Nakamoto or Ned Ludd. Fans pick apart scraps of biographical information; enemies take swipes at his technical achievements. Who is Daniel Micay? What does he really want? When I wrote to the email listed on the GrapheneOS website, I heard back the same day: “The team as a whole would be happy to take questions and answer them together in a collective fashion. As such any responses would be from the ‘GrapheneOS team’ and not directly Daniel Micay.” Interesting. Then I got in touch with Micay himself—via LinkedIn, of all places. He declined my request for an on-the-record interview, citing safety concerns. I’ve since learned he’s 28 years old.
I did talk to Micay’s former business partner, James Donaldson, at length and against the wishes of Donaldson’s lawyer. I also talked to associates of Micay’s. Over many months, a portrait emerged of something less than a myth but perhaps more than a man—and one who would go to extreme lengths to protect his legacy.
“He was a funny guy, ” said Donaldson. Note the past tense.
Donaldson claims he first met Micay sometime between 2011 and 2013, when Micay joined Toronto Crypto, a small group that occasionally got together to talk cryptography over beers. (Through his current team, Micay disputes this. He says he met Donaldson in 2014 and never officially joined the group.) At the time, Micay was a security researcher and open source developer with an interest in the fast-growing mobile space.
Micay could be, according to Donaldson, somewhat guarded. He had an off-kilter sense of humor and chimed in only when something technical came up. Donaldson recalled a time when a troll infiltrated the crypto group’s chat and gave them the seemingly impossible task of decrypting a series of messages. Micay did so eagerly and easily. “I have a knack for figuring out people very early on,” Donaldson said, “and I knew this guy was brilliant.” (Through his team, Micay claims to have no recollection of this event.)
Donaldson, now 42, is a self-taught hacker who never finished school, was briefly unhoused, and spent most of his twenties in a “positive hardcore punk band.” “It’s cool being smart,” he told me. “But if you can’t pay your bills, you’re a dumbass.” He saw an opportunity to make money in Android, which then controlled 80 percent of the smartphone user base. Because the operating system was a decentralized, open source ecosystem that seemed to prioritize commercial appeal and mass adoption over security, Android—with its plethora of vulnerabilities—had been likened to Swiss cheese. (This was in noteworthy contrast to the more secure walled garden of Apple’s iOS.) Donaldson didn’t know how to plug those holes himself, but now he knew someone who could.
The domain “Copperhead.co” was registered by Donaldson in 2014 and incorporated in 2015 under both Donaldson’s and Micay’s names. The idea was that shares would be split equally, with Donaldson as CEO and Micay as de facto chief technology officer. Their flagship product, CopperheadOS, was an open source operating system that focused on something called Android hardening. Like building a fortress and digging moats around a castle, “hardening” a piece of software makes it more difficult for hackers to gain access. In the case of CopperheadOS, this meant protecting mobile data by adding layers of security on top of the stock Android OS. (Micay has claimed in court filings that he was already working on Android hardening before meeting Donaldson and that he agreed to the partnership on the explicit understanding that he would retain control over the resulting OS.)
CopperheadOS was an instant hit and one of the first of its kind—few others were paying attention to mobile security at the time. A year after its launch, Chris Soghoian, then a principal technologist at the American Civil Liberties Union, called CopperheadOS “the most exciting thing happening in the world of Android security.” Open source advocacy groups like the Guardian Project, as well as the Google Play store alternative F-Droid, started inquiring about partnerships. In 2018, CopperheadOS was featured in 2600: The Hacker Quarterly.
In true startup fashion, Donaldson picked up all sorts of eclectic IT jobs in the company’s infancy—fixing printers, recovering hacked WordPress websites—to help fund Micay’s work on the operating system. “I keep Daniel away from the normal world so he can sit around and hack on Android,” Donaldson said in a 2017 interview with Crypto Tech Solutions. “I know when to get out of the way.” In the same interview, Donaldson jokingly compared himself to Erlich Bachman, the cavalier incubator from HBO’s Silicon Valley. He believed that his ability to bridge the gap between the technically versed and the business-minded was what would make Copperhead successful.
While Donaldson was out doing interviews as the face of the operation, Micay was often locked away in what Donaldson referred to as the “wizard tower,” hunting vulnerabilities in Android and patching them in CopperheadOS. Micay also spent time troubleshooting for the user base. As an open source purist—he was a longtime contributor to projects like Arch Linux and Mozilla’s Rust programming language—Micay seemed to feel a duty to support anyone interested in the project. Even if it was at the expense of his own well-being. It was critical to him that everyone had free access to mobile security.
But those values began to diverge from Donaldson’s. On the one hand, Donaldson still considered himself a kind of hacker rebel. At one point, he even sent me “The Conscience of a Hacker,” a poetic manifesto written in 1986 by someone called the Mentor. (“This is our world now … the world of the electron and the switch,” it reads. “Yes, I am a criminal. My crime is that of curiosity.”) On the other hand, he was running a business. “We were all hacker rebels trying to make money,” he said.
For the first year or so of CopperheadOS’s operation, everything you needed to download, install, or modify it was available online. The hope was to make money from selling tech support that prioritized paying users. But the proliferation of CopperheadOS dupes, combined with round-the-clock troubleshooting, meant that everyone but the Copperhead team was getting their fair share of the Android hardening pie. “We had to do something about it,” Donaldson said.
In October 2016, Copperhead moved from being open source to having a noncommercial license, a decision Donaldson insists he made with Micay. (Micay’s lawyer said that Micay merely “placated” Donaldson.) Now, most users would have to purchase a Copperhead phone to access the OS. “I don’t like begging for donations,” said Donaldson, and he felt it was about time the operating system started generating revenue. Once Copperhead relicensed, Donaldson said, the project immediately started signing agreements with Fortune 500 companies.
While Copperhead worked with nonprofits, Donaldson had his eye on defense contractors. “That’s the holy grail, to be honest,” he said. “The idea that I could work in the defense industry doing things Copperhead-related was awesome.” He clarified that Copperhead’s technology would only be used to protect these clients from adversaries, not for them to somehow weaponize it in turn. He assured me that Copperhead wasn’t selling out; it was being pragmatic, and security should go to those who value it. In a 2017 interview with Vice, Donaldson was asked whether he was ever tempted to use his powers for evil. “That depends,” he said, “on your definition of evil.”
Micay likely had a definition. Between licensing the OS and the possibility of doing business with defense contractors, he seemed to feel the integrity of his code was eroding as quickly as his agency in the Copperhead partnership. Not only was CopperheadOS no longer available to the masses, it was starting to serve the very people Micay wanted to protect users from. Above all else, his partner seemed to be determining the fate of the system he had built.
By the spring of 2018—two and a half years after officially launching Copperhead—the last bit of control Micay seemed to have left was CopperheadOS’s signing keys. If hardening is building a fortress, signing keys get you into the castle: They determine what software a device will trust and which changes can be made to every device running the operating system. At larger-scale institutions like Linux, elaborate safeguards are put in place to limit the influence that any one member can have over the operating system. But in Copperhead’s case, the company didn’t have a large network of developers. Micay was in sole possession of the keys.
And he was about to do something almost entirely unheard of in the world of cybersecurity.
ILLUSTRATION: Iain MacArthur
Tensions went from passive to aggressive when Donaldson approached Micay about a compliance audit. Donaldson said he needed to know how the signing keys were stored—a request that Micay suspected was tied to a deal Donaldson was brokering with a large defense contractor. Micay believed this would put the entirety of CopperheadOS’s user base at risk and force him to give up what little control he had left.
Fearful of what Donaldson might do with unbridled access, Micay took to the internet to air his concerns. In a series of since-deleted tweets, he used the CopperheadOS X account—the same account he used to offer tech support—to accuse Donaldson of being untrustworthy. He thought users deserved to know.
Online forums soon became Micay and Donaldson’s main battleground, and public opinion fanned the flames. Micay accused Donaldson of spreading misinformation about CopperheadOS, while Donaldson accused Micay of impacting business opportunities. “He banned me off my own subreddit, ” Donaldson told me, explaining that he only wanted to know where the keys were stored and that he didn’t need access to them. He thought Micay was being “erratic” and “defamatory,” he said in a legal filing: “Simply put, Micay’s control over the keys was a liability.”
Donaldson’s lawyers sent Micay a letter on May 14, 2018, attempting to revise Micay’s role and gather information about the signing keys. The letter claimed that “there is no written shareholders’ agreement in place, nor any written employment agreements or job descriptions for either of you.” But because “Mr. Donaldson is the sole director of the Corporation and the Chief Executive Officer,” the letter continued, he had the authority to deem the status quo of the company “unsustainable” and mandate that Micay be demoted or resign. When I asked Micay’s lawyer about this, he told me that because Micay was never technically an employee of Copperhead, he couldn’t be fired.
A month later, when the situation had not been resolved, Donaldson’s lawyers sent another letter claiming to terminate Micay’s employment. They said Micay’s conduct had been “inconsistent with his ongoing obligations to Copperhead.” Donaldson said that this letter was the last link in the chain. He said he had previously given Micay multiple opportunities to take paid leaves and regroup, offers that Micay allegedly declined.
That left the issue of the keys. According to Donaldson, the keys were company property, and Micay, having refused to cooperate with revising their partnership terms, was no longer part of CopperheadOS. Donaldson told me what he remembers saying to Micay: “You have to give the keys up, bro. Like, if you don’t wanna give them to me, that’s fine. But our customers need to keep using their devices.”
“He threatened to seize Daniel’s workstations to recover what he claimed was property of Copperhead,” said Dave Wilson, who’d later work closely with Micay. Surely this was Donaldson’s last-ditch effort to cash in on his work before they parted ways, and Micay was, apparently, livid. He was being ousted from the project he had spent years building. There was no way he was giving up the keys.
So, he burned them. Destroyed them. In a since-deleted Reddit post, Micay wrote: “I consider the company and the infrastructure to be compromised.”
All that work, gone. Without the signing keys, changes to CopperheadOS were all but impossible to make. No updates could be pushed. No exploits could be patched. Micay had successfully eliminated any possibility of conduct he disagreed with by destroying access to the operating system. “It was a testament to the integrity of the project,” Wilson said.
But voiding access to CopperheadOS also left existing users vulnerable. As the golden rule of cybersecurity goes: Updates keep devices secure. “We have these devices in Iraq, Afghanistan, Ukraine, Russia, China. What’s gonna happen to them?” said Donaldson. “We cannot update them anymore.” The only practical option for most users was to switch to a different operating system.
Many of CopperheadOS’s partners and contractors quickly dropped out. “I did everything I could to make our customers happy,” Donaldson said, defeated. His fallout with Micay had left him in financial ruin, he added—“we had chargebacks on our bank account that was connected to my personal credit. I paid out of my pocket to have people’s devices sent over” for recovery. In March 2020, Donaldson filed a claim requesting nearly half a million Canadian dollars in damages. When I asked if he was still in touch with Micay, Donaldson let out a dry laugh: “We speak through lawyers now.” (According to a counterclaim filed by Micay, the two had met in person fewer than 10 times since Copperhead’s incorporation.)
In a kind of Zuckerberg-Winklevoss redux, there’s little question that Micay built the tech while Donaldson marketed it, but whether Micay was legally allowed to destroy the keys is central to ongoing litigation. Through Wilson, Micay insists that he wrote the code for CopperheadOS before meeting Donaldson and that Donaldson had agreed to let him keep ownership of the operating system. But in a legal filing, Donaldson stresses that porting hardening techniques to Android was his (and a former business partner’s) idea. He maintains that, as CTO, Micay had a fiduciary duty to Copperhead and that he violated that responsibility when he deleted the CopperheadOS signing keys.
ILLUSTRATION: Iain MacArthur
“You’re going to get harassed for writing this,” Donaldson warned me. “No one understands my side of the story.” He told me that he can’t disclose the additional facts that he claims would guarantee his “100 percent win.” “My lawyers are very mad that I’m talking to you,” Donaldson said. “I have to hold my cards close to my chest.”
Although Micay did not agree to speak to WIRED, an email from his team accused Donaldson of directing “libelous harassment content towards me” and added, consistent with court documents: “Your questions are largely centered around false narratives by James Donaldson and his fabrications about Daniel.”
It wasn’t long before allegations and conspiracy theories started to push fans of CopperheadOS to choose sides. Almost as a pledge of allegiance, staunch defenders of Micay started spreading the gospel of a new operating system. It was called GrapheneOS.
Turns out, before the dust settled on CopperheadOS, Micay had begun rebuilding the infrastructure of his code. GrapheneOS was a direct continuation of his work at Copperhead, the company said, just under a new name. This time around, the project would be run entirely on donations and remain open source. It would “never again be closely tied to any particular sponsor or company,” said Wilson, who joined Micay as GrapheneOS’s community manager. It would be a nonprofit. “In a way,” Wilson added, “I gotta give [Donaldson] credit to the degree that he did participate in the creation of GrapheneOS in some weird shape or form.”
GrapheneOS launched in April 2019. Like its predecessor, it was a success. Many notable tech influencers—TheHatedOne, PewDiePie, and, most recently, Linus Tech Tips—started reviewing the operating system and promoting its use. Jack Dorsey became one of GrapheneOS’s biggest supporters, along with Ethereum cofounder Vitalik Buterin and Swiss privacy-focused company Proton AG. Edward Snowden weighed in: “If I were configuring a smartphone today,” he tweeted, “I’d use @DanielMicay’s @GrapheneOS as the base operating system.”
Whereas CopperheadOS broke ground for popularizing Android hardening, GrapheneOS gained traction by giving users options to limit their device’s access to data. One of its flagship features is a sandboxed version of Google Play. Every Google Android phone—and they still constitute roughly 70 percent of the global smartphone user base—comes with Google Play. It cannot be deleted and requires extensive privileges to run, beyond what’s immediately necessary for each application. Why? For what? Even the GrapheneOS team is unsure. On a GrapheneOS-run device, however, these privileges are granted only on an app-by-app basis. Users are given the option to deny access to, for instance, their network and sensors. By building a vacuum-sealed, simulated environment for that app to run (“sandboxing”), GrapheneOS compartmentalizes the data of that app and gives users control over how much of it is accessible by their devices. In essence, it de-Googles your Google phone.
By the early 2020s, the GrapheneOS team had grown to about 20 people, and Micay was the lead developer. It must have felt vindicating.
Other opinions didn’t matter—but that didn’t stop them from coming. GrapheneOS eventually hit 400,000 users, and each seemed to have their own unwavering take on how things should work. Having spent so much time fighting for the purity of CopperheadOS, it’s reasonable to assume that Micay felt especially protective of GrapheneOS. Whenever someone would challenge his implementation—especially those who compared GrapheneOS to CalyxOS, a competing Android OS—he would get into strongly worded debates about technical intricacies.
In turn, users fought back. A couple people made videos “exposing” their private conversations with Micay; others made a show of deleting GrapheneOS. The GrapheneOS team itself was accused of going after competing projects and dissenting parties. (Donaldson has called these “campaigns of harassment.”) Wilson told me that education and awareness are cornerstones of GrapheneOS’s work. If you’re not up for the heated debates and lengthy discussion threads, he said, just “buy an iPhone.”
For all their intensity, the flame wars seemed contained to the internet. But on April 23, 2023, there was a knock on Micay’s door. Fully armed policemen were standing outside. They were told, according to Wilson, that “Daniel is armed and he’s gonna shoot everyone that will enter.” Micay had been swatted. It happened two more times, his lawyer said.
Seemingly shaken from the experience, Micay scaled back his responsibilities at GrapheneOS. He continues to consult and occasionally contributes to the project but has relinquished control to his team members. Micay has also scrubbed much of his digital footprint from the internet, leaving a conspiracy-sized gap in the debris of his past battles.
It’s easy to boil the saga of GrapheneOS down to a handful of tweets and internet hearsay, but the strength of its tech was—and remains—hard to ignore. Last year, 404 Media reported on leaked documents from Cellebrite, a software that helps retrieve data from locked phones. The documents, which detailed Cellebrite’s success rate across different Pixel generations, found that “every locked Pixel 9 running GrapheneOS was inaccessible.”
“There are no real alternatives,” says Joe, a GrapheneOS power user and “the most privacy-paranoid person in the room.” I got in touch with him through a Morke.org address, an email service known to operate on the dark web. Joe, a college student, submits his assignments in person to avoid portals and only pays in cash. He tells me about vibrant pockets of the dark web dedicated to evangelizing homebrew privacy solutions—an emergent movement of resistance at a time when Meta plans to remove end-to-end encryption on Instagram DMs, automakers are openly selling driving data to insurance companies, and gait system technology could soon be used to identify civilians from their walk on the streets of New York City. “They have warheads,” Joe says. “We have the inflatable hammer that squeaks.”
GrapheneOS finds itself in the middle of this moment. In the six months I spent talking to its team members, Micay’s aura of mystery started to fade. The ghostly internet hero-villain who’d do whatever it took to make his point became just another guy passionate about security tech. But from Wilson—whom I was messaging with, at one point, for several hours a week—I got rare glimpses into the inner workings of the GrapheneOS operation. It became, in some ways, more mysterious. “Dave Wilson,” for one thing, is not his real name. (Some suspect he’s actually Micay, though he denies this.) In fact, almost no one at the company seems to know where their colleagues live or what they look like. They are bound by a single mission: privacy, theirs and everyone else’s.
And GrapheneOS still gets in trouble—with users, with competitors, with authorities. The company has recently raised eyebrows with functions like duress pins that, when entered, erase all data stored on your device. “Cops say criminals use a Google Pixel with GrapheneOS,” noted a recent headline. The better the privacy tool, of course, the more it becomes associated with criminality.
It’s hard to win at cybersecurity. It’s also easy to get lost in the details. There are “vendors selling exploits to governments to attack people and literally kill journalists,” Donaldson told me. So why, he mused, are he and Micay—one of the most skilled security specialists he’s ever met, even if he does claim Micay “massively disrupted” his finances—still fighting? The real enemy, I think Donaldson was ultimately trying to tell me, is out there.
Let us know what you think about this article. Submit a letter to the editor at [email protected].
.jpg?mbid=social_retweet)
English (US)