They Built a Legendary Privacy Tool. Now They’re Sworn Enemies | WIRED

Overview

They Built a Legendary Privacy Tool. Now They’re Sworn Enemies

It’s difficult to find much information about Daniel Micay online. Google him and you’ll turn up an impersonal X account and a barren Linked In page, plus some You Tube “exposés” and flame wars on Reddit and Hacker News that characterize him as everything from a privacy advocate to a cybersecurity visionary to a despot. Meanwhile, Claude refers to him as a “formidable independent mobile security researcher” who is “widely described as socially abrasive” (for whatever that’s worth). “All I can tell you about Daniel is that he lives in Canada,” says Dave Wilson, the community manager of Graphene OS, a world-famous privacy tool and Micay’s current project.

Details

Within the cybersecurity community, the mythology surrounding Micay goes beyond celebrity. He could be a ghost or a kind of egregore, like Satoshi Nakamoto or Ned Ludd. Fans pick apart scraps of biographical information; enemies take swipes at his technical achievements. Who is Daniel Micay? What does he really want? When I wrote to the email listed on the Graphene OS website, I heard back the same day: “The team as a whole would be happy to take questions and answer them together in a collective fashion. As such any responses would be from the ‘Graphene OS team’ and not directly Daniel Micay.” Interesting. Then I got in touch with Micay himself—via Linked In, of all places. He declined my request for an on-the-record interview, citing safety concerns. I’ve since learned he’s 28 years old.

I did talk to Micay’s former business partner, James Donaldson, at length and against the wishes of Donaldson’s lawyer. I also talked to associates of Micay’s. Over many months, a portrait emerged of something less than a myth but perhaps more than a man—and one who would go to extreme lengths to protect his legacy.

“He was a funny guy, ” said Donaldson. Note the past tense.

Donaldson claims he first met Micay sometime between 2011 and 2013, when Micay joined Toronto Crypto, a small group that occasionally got together to talk cryptography over beers. (Through his current team, Micay disputes this. He says he met Donaldson in 2014 and never officially joined the group.) At the time, Micay was a security researcher and open source developer with an interest in the fast-growing mobile space.

Micay could be, according to Donaldson, somewhat guarded. He had an off-kilter sense of humor and chimed in only when something technical came up. Donaldson recalled a time when a troll infiltrated the crypto group’s chat and gave them the seemingly impossible task of decrypting a series of messages. Micay did so eagerly and easily. “I have a knack for figuring out people very early on,” Donaldson said, “and I knew this guy was brilliant.” (Through his team, Micay claims to have no recollection of this event.)

Donaldson, now 42, is a self-taught hacker who never finished school, was briefly unhoused, and spent most of his twenties in a “positive hardcore punk band.” “It’s cool being smart,” he told me. “But if you can’t pay your bills, you’re a dumbass.” He saw an opportunity to make money in Android, which then controlled 80 percent of the smartphone user base. Because the operating system was a decentralized, open source ecosystem that seemed to prioritize commercial appeal and mass adoption over security, Android—with its plethora of vulnerabilities—had been likened to Swiss cheese. (This was in noteworthy contrast to the more secure walled garden of Apple’s i OS.) Donaldson didn’t know how to plug those holes himself, but now he knew someone who could.

The domain “Copperhead.co” was registered by Donaldson in 2014 and incorporated in 2015 under both Donaldson’s and Micay’s names. The idea was that shares would be split equally, with Donaldson as CEO and Micay as de facto chief technology officer. Their flagship product, Copperhead OS, was an open source operating system that focused on something called Android hardening. Like building a fortress and digging moats around a castle, “hardening” a piece of software makes it more difficult for hackers to gain access. In the case of Copperhead OS, this meant protecting mobile data by adding layers of security on top of the stock Android OS. (Micay has claimed in court filings that he was already working on Android hardening before meeting Donaldson and that he agreed to the partnership on the explicit understanding that he would retain control over the resulting OS.)

Copperhead OS was an instant hit and one of the first of its kind—few others were paying attention to mobile security at the time. A year after its launch, Chris Soghoian, then a principal technologist at the American Civil Liberties Union, called Copperhead OS “the most exciting thing happening in the world of Android security.” Open source advocacy groups like the Guardian Project, as well as the Google Play store alternative F-Droid, started inquiring about partnerships. In 2018, Copperhead OS was featured in 2600: The Hacker Quarterly.

In true startup fashion, Donaldson picked up all sorts of eclectic IT jobs in the company’s infancy—fixing printers, recovering hacked Word Press websites—to help fund Micay’s work on the operating system. “I keep Daniel away from the normal world so he can sit around and hack on Android,” Donaldson said in a 2017 interview with Crypto Tech Solutions. “I know when to get out of the way.” In the same interview, Donaldson jokingly compared himself to Erlich Bachman, the cavalier incubator from HBO’s Silicon Valley. He believed that his ability to bridge the gap between the technically versed and the business-minded was what would make Copperhead successful.

While Donaldson was out doing interviews as the face of the operation, Micay was often locked away in what Donaldson referred to as the “wizard tower,” hunting vulnerabilities in Android and patching them in Copperhead OS. Micay also spent time troubleshooting for the user base. As an open source purist—he was a longtime contributor to projects like Arch Linux and Mozilla’s Rust programming language—Micay seemed to feel a duty to support anyone interested in the project. Even if it was at the expense of his own well-being. It was critical to him that everyone had free access to mobile security.

But those values began to diverge from Donaldson’s. On the one hand, Donaldson still considered himself a kind of hacker rebel. At one point, he even sent me “The Conscience of a Hacker,” a poetic manifesto written in 1986 by someone called the Mentor. (“This is our world now … the world of the electron and the switch,” it reads. “Yes, I am a criminal. My crime is that of curiosity.”) On the other hand, he was running a business. “We were all hacker rebels trying to make money,” he said.

For the first year or so of Copperhead OS’s operation, everything you needed to download, install, or modify it was available online. The hope was to make money from selling tech support that prioritized paying users. But the proliferation of Copperhead OS dupes, combined with round-the-clock troubleshooting, meant that everyone but the Copperhead team was getting their fair share of the Android hardening pie. “We had to do something about it,” Donaldson said.

In October 2016, Copperhead moved from being open source to having a noncommercial license, a decision Donaldson insists he made with Micay. (Micay’s lawyer said that Micay merely “placated” Donaldson.) Now, most users would have to purchase a Copperhead phone to access the OS. “I don’t like begging for donations,” said Donaldson, and he felt it was about time the operating system started generating revenue. Once Copperhead relicensed, Donaldson said, the project immediately started signing agreements with Fortune 500 companies.

While Copperhead worked with nonprofits, Donaldson had his eye on defense contractors. “That’s the holy grail, to be honest,” he said. “The idea that I could work in the defense industry doing things Copperhead-related was awesome.” He clarified that Copperhead’s technology would only be used to protect these clients from adversaries, not for them to somehow weaponize it in turn. He assured me that Copperhead wasn’t selling out; it was being pragmatic, and security should go to those who value it. In a 2017 interview with Vice, Donaldson was asked whether he was ever tempted to use his powers for evil. “That depends,” he said, “on your definition of evil.”

Micay likely had a definition. Between licensing the OS and the possibility of doing business with defense contractors, he seemed to feel the integrity of his code was eroding as quickly as his agency in the Copperhead partnership. Not only was Copperhead OS no longer available to the masses, it was starting to serve the very people Micay wanted to protect users from. Above all else, his partner seemed to be determining the fate of the system he had built.

By the spring of 2018—two and a half years after officially launching Copperhead—the last bit of control Micay seemed to have left was Copperhead OS’s signing keys. If hardening is building a fortress, signing keys get you into the castle: They determine what software a device will trust and which changes can be made to every device running the operating system. At larger-scale institutions like Linux, elaborate safeguards are put in place to limit the influence that any one member can have over the operating system. But in Copperhead’s case, the company didn’t have a large network of developers. Micay was in sole possession of the keys.

And he was about to do something almost entirely unheard of in the world of cybersecurity.

Tensions went from passive to aggressive when Donaldson approached Micay about a compliance audit. Donaldson said he needed to know how the signing keys were stored—a request that Micay suspected was tied to a deal Donaldson was brokering with a large defense contractor. Micay believed this would put the entirety of Copperhead OS’s user base at risk and force him to give up what little control he had left.

Fearful of what Donaldson might do with unbridled access, Micay took to the internet to air his concerns. In a series of since-deleted tweets, he used the Copperhead OS X account—the same account he used to offer tech support—to accuse Donaldson of being untrustworthy. He thought users deserved to know.

Online forums soon became Micay and Donaldson’s main battleground, and public opinion fanned the flames. Micay accused Donaldson of spreading misinformation about Copperhead OS, while Donaldson accused Micay of impacting business opportunities. “He banned me off my own subreddit, ” Donaldson told me, explaining that he only wanted to know where the keys were stored and that he didn’t need access to them. He thought Micay was being “erratic” and “defamatory,” he said in a legal filing: “Simply put, Micay’s control over the keys was a liability.”

Donaldson’s lawyers sent Micay a letter on May 14, 2018, attempting to revise Micay’s role and gather information about the signing keys. The letter claimed that “there is no written shareholders’ agreement in place, nor any written employment agreements or job descriptions for either of you.” But because “Mr. Donaldson is the sole director of the Corporation and the Chief Executive Officer,” the letter continued, he had the authority to deem the status quo of the company “unsustainable” and mandate that Micay be demoted or resign. When I asked Micay’s lawyer about this, he told me that because Micay was never technically an employee of Copperhead, he couldn’t be fired.

A month later, when the situation had not been resolved, Donaldson’s lawyers sent another letter claiming to terminate Micay’s employment. They said Micay’s conduct had been “inconsistent with his ongoing obligations to Copperhead.” Donaldson said that this letter was the last link in the chain. He said he had previously given Micay multiple opportunities to take paid leaves and regroup, offers that Micay allegedly declined.

That left the issue of the keys. According to Donaldson, the keys were company property, and Micay, having refused to cooperate with revising their partnership terms, was no longer part of Copperhead OS. Donaldson told me what he remembers saying to Micay: “You have to give the keys up, bro. Like, if you don’t wanna give them to me, that’s fine. But our customers need to keep using their devices.”

“He threatened to seize Daniel’s workstations to recover what he claimed was property of Copperhead,” said Dave Wilson, who’d later work closely with Micay. Surely this was Donaldson’s last-ditch effort to cash in on his work before they parted ways, and Micay was, apparently, livid. He was being ousted from the project he had spent years building. There was no way he was giving up the keys.

So, he burned them. Destroyed them. In a since-deleted Reddit post, Micay wrote: “I consider the company and the infrastructure to be compromised.”

All that work, gone. Without the signing keys, changes to Copperhead OS were all but impossible to make. No updates could be pushed. No exploits could be patched. Micay had successfully eliminated any possibility of conduct he disagreed with by destroying access to the operating system. “It was a testament to the integrity of the project,” Wilson said.

But voiding access to Copperhead OS also left existing users vulnerable. As the golden rule of cybersecurity goes: Updates keep devices secure. “We have these devices in Iraq, Afghanistan, Ukraine, Russia, China. What’s gonna happen to them?” said Donaldson. “We cannot update them anymore.” The only practical option for most users was to switch to a different operating system.

Many of Copperhead OS’s partners and contractors quickly dropped out. “I did everything I could to make our customers happy,” Donaldson said, defeated. His fallout with Micay had left him in financial ruin, he added—“we had chargebacks on our bank account that was connected to my personal credit. I paid out of my pocket to have people’s devices sent over” for recovery. In March 2020, Donaldson filed a claim requesting nearly half a million Canadian dollars in damages. When I asked if he was still in touch with Micay, Donaldson let out a dry laugh: “We speak through lawyers now.” (According to a counterclaim filed by Micay, the two had met in person fewer than 10 times since Copperhead’s incorporation.)

In a kind of Zuckerberg-Winklevoss redux, there’s little question that Micay built the tech while Donaldson marketed it, but whether Micay was legally allowed to destroy the keys is central to ongoing litigation. Through Wilson, Micay insists that he wrote the code for Copperhead OS before meeting Donaldson and that Donaldson had agreed to let him keep ownership of the operating system. But in a legal filing, Donaldson stresses that porting hardening techniques to Android was his (and a former business partner’s) idea. He maintains that, as CTO, Micay had a fiduciary duty to Copperhead and that he violated that responsibility when he deleted the Copperhead OS signing keys.

“You’re going to get harassed for writing this,” Donaldson warned me. “No one understands my side of the story.” He told me that he can’t disclose the additional facts that he claims would guarantee his “100 percent win.” “My lawyers are very mad that I’m talking to you,” Donaldson said. “I have to hold my cards close to my chest.”

Although Micay did not agree to speak to WIRED, an email from his team accused Donaldson of directing “libelous harassment content towards me” and added, consistent with court documents: “Your questions are largely centered around false narratives by James Donaldson and his fabrications about Daniel.”

It wasn’t long before allegations and conspiracy theories started to push fans of Copperhead OS to choose sides. Almost as a pledge of allegiance, staunch defenders of Micay started spreading the gospel of a new operating system. It was called Graphene OS.

Turns out, before the dust settled on Copperhead OS, Micay had begun rebuilding the infrastructure of his code. Graphene OS was a direct continuation of his work at Copperhead, the company said, just under a new name. This time around, the project would be run entirely on donations and remain open source. It would “never again be closely tied to any particular sponsor or company,” said Wilson, who joined Micay as Graphene OS’s community manager. It would be a nonprofit. “In a way,” Wilson added, “I gotta give [Donaldson] credit to the degree that he did participate in the creation of Graphene OS in some weird shape or form.”

Graphene OS launched in April 2019. Like its predecessor, it was a success. Many notable tech influencers—The Hated One, Pew Die Pie, and, most recently, Linus Tech Tips—started reviewing the operating system and promoting its use. Jack Dorsey became one of Graphene OS’s biggest supporters, along with Ethereum cofounder Vitalik Buterin and Swiss privacy-focused company Proton AG. Edward Snowden weighed in: “If I were configuring a smartphone today,” he tweeted, “I’d use @Daniel Micay’s @Graphene OS as the base operating system.”

Whereas Copperhead OS broke ground for popularizing Android hardening, Graphene OS gained traction by giving users options to limit their device’s access to data. One of its flagship features is a sandboxed version of Google Play. Every Google Android phone—and they still constitute roughly 70 percent of the global smartphone user base—comes with Google Play. It cannot be deleted and requires extensive privileges to run, beyond what’s immediately necessary for each application. Why? For what? Even the Graphene OS team is unsure. On a Graphene OS-run device, however, these privileges are granted only on an app-by-app basis. Users are given the option to deny access to, for instance, their network and sensors. By building a vacuum-sealed, simulated environment for that app to run (“sandboxing”), Graphene OS compartmentalizes the data of that app and gives users control over how much of it is accessible by their devices. In essence, it de-Googles your Google phone.

By the early 2020s, the Graphene OS team had grown to about 20 people, and Micay was the lead developer. It must have felt vindicating.

Other opinions didn’t matter—but that didn’t stop them from coming. Graphene OS eventually hit 400,000 users, and each seemed to have their own unwavering take on how things should work. Having spent so much time fighting for the purity of Copperhead OS, it’s reasonable to assume that Micay felt especially protective of Graphene OS. Whenever someone would challenge his implementation—especially those who compared Graphene OS to Calyx OS, a competing Android OS—he would get into strongly worded debates about technical intricacies.

In turn, users fought back. A couple people made videos “exposing” their private conversations with Micay; others made a show of deleting Graphene OS. The Graphene OS team itself was accused of going after competing projects and dissenting parties. (Donaldson has called these “campaigns of harassment.”) Wilson told me that education and awareness are cornerstones of Graphene OS’s work. If you’re not up for the heated debates and lengthy discussion threads, he said, just “buy an i Phone.”

For all their intensity, the flame wars seemed contained to the internet. But on April 23, 2023, there was a knock on Micay’s door. Fully armed policemen were standing outside. They were told, according to Wilson, that “Daniel is armed and he’s gonna shoot everyone that will enter.” Micay had been swatted. It happened two more times, his lawyer said.

Seemingly shaken from the experience, Micay scaled back his responsibilities at Graphene OS. He continues to consult and occasionally contributes to the project but has relinquished control to his team members. Micay has also scrubbed much of his digital footprint from the internet, leaving a conspiracy-sized gap in the debris of his past battles.

It’s easy to boil the saga of Graphene OS down to a handful of tweets and internet hearsay, but the strength of its tech was—and remains—hard to ignore. Last year, 404 Media reported on leaked documents from Cellebrite, a software that helps retrieve data from locked phones. The documents, which detailed Cellebrite’s success rate across different Pixel generations, found that “every locked Pixel 9 running Graphene OS was inaccessible.”

“There are no real alternatives,” says Joe, a Graphene OS power user and “the most privacy-paranoid person in the room.” I got in touch with him through a Morke.org address, an email service known to operate on the dark web. Joe, a college student, submits his assignments in person to avoid portals and only pays in cash. He tells me about vibrant pockets of the dark web dedicated to evangelizing homebrew privacy solutions—an emergent movement of resistance at a time when Meta plans to remove end-to-end encryption on Instagram DMs, automakers are openly selling driving data to insurance companies, and gait system technology could soon be used to identify civilians from their walk on the streets of New York City. “They have warheads,” Joe says. “We have the inflatable hammer that squeaks.”

Graphene OS finds itself in the middle of this moment. In the six months I spent talking to its team members, Micay’s aura of mystery started to fade. The ghostly internet hero-villain who’d do whatever it took to make his point became just another guy passionate about security tech. But from Wilson—whom I was messaging with, at one point, for several hours a week—I got rare glimpses into the inner workings of the Graphene OS operation. It became, in some ways, more mysterious. “Dave Wilson,” for one thing, is not his real name. (Some suspect he’s actually Micay, though he denies this.) In fact, almost no one at the company seems to know where their colleagues live or what they look like. They are bound by a single mission: privacy, theirs and everyone else’s.

And Graphene OS still gets in trouble—with users, with competitors, with authorities. The company has recently raised eyebrows with functions like duress pins that, when entered, erase all data stored on your device. “Cops say criminals use a Google Pixel with Graphene OS,” noted a recent headline. The better the privacy tool, of course, the more it becomes associated with criminality.

It’s hard to win at cybersecurity. It’s also easy to get lost in the details. There are “vendors selling exploits to governments to attack people and literally kill journalists,” Donaldson told me. So why, he mused, are he and Micay—one of the most skilled security specialists he’s ever met, even if he does claim Micay “massively disrupted” his finances—still fighting? The real enemy, I think Donaldson was ultimately trying to tell me, is out there.

Let us know what you think about this article. Submit a letter to the editor at [email protected].

In your inbox: WIRED's most ambitious, future-defining stories

A week of following an RFK Jr.-approved high-protein diet

Big Story: The shocking secrets of Madison Square Garden’s surveillance machine

Livestream replay: Watch our experts discuss Big Tech and the military

Key Takeaways

They Built a Legendary Privacy Tool
It’s difficult to find much information about Daniel Micay online
Within the cybersecurity community, the mythology surrounding Micay goes beyond celebrity
I did talk to Micay’s former business partner, James Donaldson, at length and against the wishes of Donaldson’s lawyer
“He was a funny guy, ” said Donaldson