Original GrapheneOS responses to WIRED fact checker

WIRED has published an article about GrapheneOS with a history of the project nearly entirely based on fabrications from James Donaldson. Donaldson has spent the past 8 years trying to destroy GrapheneOS and the life of the project’s founder, Daniel Micay. Donaldson has heavily engaged in fabrications with an ever changing story about the history of the project. Copperhead was forced to drop nearly all of their claims in the ongoing lawsuit. Copperhead was also forced to discontinue their closed source fork of GrapheneOS and is a zombie company with no significant operations or revenue. Copperhead lacks any serious basis for the remaining claims in their lawsuit and it isn’t a major concern for us anymore. Their claims have been thoroughly debunked at this point and are primarily an issue in the form of an extreme level of fabrications and harassment they started which is carried on without them. James Donaldson has been thoroughly proven to be a serial fabricator, scammer and thief. Despite this, WIRED listened to his tall tales and presented it as a history of GrapheneOS. We weren’t given an opportunity to provide an actual history of the project based in fact as we were led to believe it wasn’t a major part of the article and were barely asked about it.

Copperhead was propped up by the open source project and heavily held it back. After the split with the company, the project quickly gained a lot more funding via donations and has become highly successful. Instead of having a single full time developer barely being paid anything, GrapheneOS now has around 10 full time developers and is in the process of expanding by hiring several more. It’s entirely funded by donations and is far more than simply being sustainable that way. Donaldson believes that his past ties to the project he burned down and then spent years trying to destroy entitle him to getting rich from it. That’s why he continues misleading people about his involvement and doubled down on a failed lawsuit. He continues causing harm to GrapheneOS and Daniel Micay to this day.

GrapheneOS Foundation is a non-profit and no one is getting rich from it. Daniel solely gets his income via GitHub Sponsors and hasn’t paid himself anything from the GrapheneOS Foundation. Donaldson has only ever cared about money. He spent years manipulating and exploiting Daniel with the goal of enriching himself. He eventually decided Daniel was a barrier to him getting rich due to his values and tried to coerce him into handing over ownership and control of his open source project with no basis for it.

As part of the split between the open source project and Copperhead back in 2018, Donaldson stole a large amount of donations from the project. He ultimately ended up stealing around $300,000 worth of Bitcoin donations made to the open source project. Prior to his theft of the donations followed by years of repeatedly forking our project to sell it while falsely claiming to have created it, Donaldson heavily depended on income created by the open source project. Donaldson never funded or supported the project as he claims but rather it was entirely the other way around. He depended on a massive amount of work done by Daniel Micay to provide him with income for a tiny amount of work he was doing himself. He received as much money from device sales and donations as Daniel Micay for a tiny amount of work in comparison. His work was unsuccessful in getting any substantial funding. It didn’t make any sense for the open source project to remain tied to a company holding it back. It was entirely the prerogative of the open source project to move on without it. Donaldson could not accept it continuing as an open source project.

Donaldson’s claims can be proven false by interviewing numerous people who were around at the time. WIRED made no attempt to verify if anything he said was true prior to publishing it. Copperhead was a company founded by 3 people, not 2, and WIRED could have interviewed Dan McGrady who was the 3rd co-founder. There were many other people around back then they could have interviewed including many people who can confirm they had their donations stolen by James Donaldson. Donaldson serially fabricates things about himself and others. Giving him such a huge platform to mislead people is extremely irresponsible. He has very little to do with the overall history of GrapheneOS. His involvement was as someone leeching off the project for years while failing to deliver what he repeatedly promised. He isn’t a hacker as he claims but rather is largely non-technical. GrapheneOS has been enormously successful through entirely funding the project with donations. It was entirely possible to create a successful business based around it but Donaldson was never the right person to do it.

Our community manager @spring-onion (Dave Wilson) handled nearly all of the communications with WIRED over months. He isn’t a developer and clearly isn’t the same person as Daniel Micay but yet the article makes a completely unsubstantiated claim that it could be the same person. @spring-onion knows languages Daniel doesn’t speak including German, has a completely different writing style and a different voice. @spring-onion spent a massive amount of time communicating with them including multiple interviews focused on the GrapheneOS feature set and much more. WIRED repeatedly told us the article would barely cover the history of the project and wouldn’t focus on Daniel Micay. Due to this, we weren’t given an opportunity to provide them with information and address the claims made by James Donaldson. Despite this, it ended up being the primary focus of the article. We were only given an opportunity to respond to the vast majority of it after the article was already fully written and therefore our response to Donaldson’s stories was nearly entirely omitted from the article.

The content below are the questions we were asked by a WIRED fact checker with the original responses we provided to them with no modifications. This is what WIRED received in response to us and should have much more heavily incorporated into the article.

1. Do you live in Canada?

Daniel Micay lives in Canada.

2. Did you meet James Donaldson between 2011 and 2013, when you joined Toronto Crypto?

Micay met Donaldson in late 2014 through Dan McGrady. McGrady knew Micay from his security work on Arch Linux and projects in Rust; McGrady and Micay initially connected via IRC.

Micay was not a member of Toronto Crypto. He did join the Toronto Crypto IRC channel while considering attending events, but did not attend any meetings before beginning the work that later became GrapheneOS.

3. At the time, were you a security researcher studying techniques used to protect banks and governments?

At that time, Micay was an open-source developer, security engineer, and security researcher; his work did not involve studying techniques used to protect banks or governments.

4. At the time, did you use your free time to experiment with applying the techniques you were studying to the fast-growing mobile space?

The idea of a hardened mobile OS was not novel; several projects existed or were being discussed. Micay chose to invest his free time in his own open-source implementation after discussions with McGrady. McGrady had a minor, short-lived involvement, but Micay built the initial project alone. This all occurred before Donaldson became involved.

5. Is it accurate that on one occasion, a troll infiltrated Toronto Crypto’s group chat and gave it what they called an “impossible” task of decrypting a series of messages? Did you eagerly accept the challenge and decrypt them with ease?

Micay has no recollection of that event / was not personally involved.

6. Around 2014, did Donaldson ask you to join him in a venture addressing Android’s security problems?

In late 2014, Donaldson and McGrady contacted Micay about forming a company around Micay’s existing hardened mobile OS project. While Micay’s work was open source, and thus available for anybody to use and improve upon, Donaldson wanted to sell support services around it, as well as telephone handsets with Micay’s OS pre-loaded. McGrady and Donaldson proposed calling the company Copperhead, and suggested that Micay market his work as CopperheadOS.

Micay agreed to participate only on the explicit understanding that he would retain control over the open source project’s development, licensing, copyrights, social/media accounts (GitHub, Twitter, Reddit), and donations.

Due to conflicts between McGrady and Donaldson between 2014-2015, McGrady stepped away before Copperhead was incorporated in November 2015. Prior to McGrady’s departure, Micay had very little contact with Donaldson. At that point Micay’s hardened mobile OS project had been launched (as “CopperheadOS”) and was using infrastructure which had been setup for the new company.

7. Was the plan to split everything equally, with Donaldson as CEO and you as chief technology officer?

The original plan called for the company to be split three ways between Micay, McGrady, and Donaldson. With McGrady’s departure, Donaldson appointed himself Copperhead’s Chief Executive Officer and sole director upon incorporation. Micay and Donaldson became co-equal 50% shareholders. 

Although Donaldson sometimes described Micay as Copperhead’s “Chief Technology Officer,” Micay never signed an employment agreement with Copperhead, never accepted a common-law offer of employment, was not paid a regular salary, and did not agree to serve as a fiduciary of the company.

8. Was your flagship product CopperheadOS? Was it an open source operating system focused on Android hardening? Did CopperheadOS protect mobile data by adding layers of security on top of the stock Android OS?

The project that took the name “CopperheadOS” existed prior to the company and was an open source hardened mobile OS. Eventually CopperheadOS was renamed to the Android Hardening Project, and then GrapheneOS. These were renames, not rewrites or forks – they are all the same project.

9. Did Donaldson take on a diverse array of IT jobs in the early years of the company? Are some examples of that work fixing printers and recovering hacked WordPress websites? Did this fund your work on the operating system?

Micay’s improvements to the underlying Android system influenced or were explicitly adopted by the AOSP, resulting in the payment of bounties from Google to Micay. 

More significantly though, Micay’s open source project began receiving substantial community donations. Micay intended those donations to fund additional contributors and necessary infrastructure, taking only a minimal amount for personal living expenses.

When the company failed to generate sufficient revenue, Micay agreed to temporarily share a portion of the project’s donations with Donaldson, so Donaldson could continue working on the company.

10. While Donaldson was face of the operation, were you spending most of your time hunting vulnerabilities in Android and patching them in CopperheadOS?

Donaldson was never the face of Micay’s open source project. He was only the face of the company towards businesses. Micay managed the social media account for the open source project and built a following for it. Micay did most of the talking to security engineers / researchers. Micay was also the one writing content about it, helping users and much more.

11. Did you also spend time troubleshooting for the userbase?

Micay spent a significant portion of his free time answering users’ questions and troubleshooting issues.

12. Did you feel it was your duty to support anyone interested in the project? Is this in part because you believe in the philosophy of open source and helping everyone have free access to mobile security? Did you spend time helping users even at the expense of your own well being?

Micay cares deeply about his open source project, which is why he put so much time and effort into it, often at the expense of his own health and well-being.

That being said, he did not necessarily feel a sense of duty – Micay also dedicated much time to helping people with Arch Linux and Rust.

13. Were you a longtime contributor to projects like Linux’s GRsecurity and Mozilla’s Rust programming language?

Micay only made minor contributions to Linux’s GRsecurity. His main work related to it was packaging and integrating it into Arch Linux, as well as testing and dealing with bugs.

Micay worked on Mozilla’s Rust programming language as a full-time volunteer for about a year.

14. For the first two years of Copperhead’s operation, was everything someone needed to download, install, or modify it available online?

Yes, for free, and for any purpose.

15. At this time, was the goal to make money from selling tech support that prioritized paying users?

The initial goal of the company was to engage in security consulting, with income generated from services unrelated to Micay’s open source project.

After those income streams failed to materialize, new approaches were explored, including selling devices preloaded with Micay’s OS, as well as offering paid support and contract work tied to it

16. Did the proliferation of CopperheadOS knockoffs, combined with your round-the-clock user support efforts, mean that everyone but the two of you were benefitting from the enterprise?

Micay’s open source project has been broadly successful and has generated substantial income through donations. It is reasonable to conclude that an open source project with that level of interest could also generate additional revenue through product and service sales or contract work. In fact, today’s ecosystem of companies offering products based on GrapheneOS illustrates that potential. Given that, the company’s inability to establish a sustainable business model appears to reflect shortcomings in its management and strategic direction under the stewardship of Donaldson.

17. Did your and Donaldson values begin to diverge? Was Donaldson more concerned with making money than you were?

Donaldson began to focus on the idea of changing the nature of CopperheadOS from an open source project to “closed source” software. In his view, this would allow Copperhead to sell licenses to CopperheadOS, since support contracts were not lucrative enough for Donaldson’s liking.

Micay consistently rejected these proposals. Donaldson’s plan had two fundamental flaws. First, the code had already been licensed to the public under open source licenses. There was no way to “claw back” the licenses under which they had already been released and were being used in the wider world. Moreover, Micay had no interest in writing proprietary software, or software for hire. Second, Donaldson’s proposal was fundamentally inconsistent with the collaborative, community-based work that had allowed CopperheadOS to develop in the first place. 

Despite these problems, to placate Donaldson, Micay temporarily adopted a “source available” license for his future work on CopperheadOS in September 2016. This license did not apply to previous code / work done, or any contributions to that code from third parties. It applied only to the code released under that “source available” license.

In 2018, matters between Micay and Donaldson came to a head over Donaldson’s desire to pursue business deals with criminal organizations, and his attempts to compromise the security of CopperheadOS, including by proposing license enforcement and remote updating systems that would allow third-parties to have access to users’ phones. As part of this process, Donaldson began to demand that Micay provide Donaldson with the “signing keys” – i.e. the credentials required to verify the authenticity of releases of CopperheadOS. Donaldson advised that, in order to secure certain new business, potential customers required access to the Keys.

The keys had been in continuous use by Micay, in his personal capacity, since before the incorporation of Copperhead. However, more importantly, any party with the keys could mark malicious software as “authentic”, and thereby infiltrate devices using CopperheadOS.

Micay was unwilling to participate in that kind of security breach. Since Donaldson had control over certain infrastructure for the open source project, he would be able to incorporate (or hire others to incorporate) the privacy-damaging features described above for all future releases of CopperheadOS. Micay therefore deleted the keys permanently and severed ties with Copperhead and Donaldson.

Micay has since carried on his open source work as GrapheneOS, released under an open source license, incorporating all prior code except the aforementioned “source available” code.

18. Donaldson told Wired that you both made the decision to move Copperhead from being open source to having a noncommercial license. Is this accurate? Did that mean that users had to purchase a Copperhead phone to access the OS?

This decision was Micay’s alone, but was done to placate Donaldson after sustained pressure from Donaldson. 

Micay agreed to apply a temporary non‑commercial license. During that period, new users needed to purchase a phone with the OS or build the OS from source to use it; existing users continued to receive updates without paying. The change narrowed who could access the project, conflicted with Micay’s goals for broader adoption, and failed to generate sustainable income streams – very few phones were purchased.

19. Is it accurate that when Copperhead relicensed, the project immediately started hearing from Fortune 500 companies?

No, it’s not accurate.

20. Did Copperhead work with nonprofits?

Donaldson secured licensing agreements with several companies and nonprofits, but those agreements committed the project to far more work than it could deliver. Micay was the sole developer and the team lacked the capacity to fulfill many of Donaldson’s commitments. Ultimately many of the agreements never progressed beyond an early stage.

21. Were the most lucrative contracts from defense contractors? Was Copperhead’s technology only used to protect defense clients from adversaries, and not for mass surveillance?

No. There was an unsuccessful attempt to secure a large contract with a defense contractor, but the commitments made exceeded the project’s capacity. Deliverables discussed would have required dedicated builds and special hardware signing that the team could not realistically support given available resources. Donaldson’s proposed approach involved converting Micay’s public OS into a version tailored to those requirements, which would have required taking control of Micay’s project – something Micay retained authority over. Donaldson pursued deals that depended on restricting or monetizing the project in ways inconsistent with Micay’s commitment to returning the project to an open source model.

22. Between licensing the OS and doing business with defense contractors, did you feel the integrity of your code and your decisionmaking role in the partnership were eroding?

There was one defense contractor attempt that failed early. 

The larger issue was that Donaldson pursued revenue by promising deliverables the project couldn’t meet, which threatened the integrity of the project and undermined Micay’s role and values.

23. Were you bothered by both the facts that CopperheadOS was no longer available to the masses and that it was starting to serve the very people you wanted to protect users from?

Micay had always intended to go back to open source licensing, he had no interest in writing proprietary software, or software for hire.

24. In the spring of 2018, did you have sole possession of CopperheadOS’s signing keys?

Micay had sole possession of his open source project’s signing keys. The company had the option to make separate builds signed with separate keys but never did.

25. Did things between you and Donaldson devolve when he approached you about a compliance audit? Did he tell you that he needed to know how the signing keys were stored?

From Wired:

We understand that Daniel’s recollection was not that James wanted to know more information about how the signing keys were stored, but that he wanted direct access to them.

26. Did you suspect his request was tied to a deal he was brokering with a large defense contractor? Did you believe this would put the entirety of CopperheadOS’ user base at risk?

Yes and yes.

27. In response, did you post a series of tweets from the CopperheadOS X account—the same account you used to offer tech support—accusing Donaldson of being untrustworthy and “in business with criminals”? Did you say that it was your duty to expose this to the users?

The @CopperheadOS account belonged to Micay’s open-source project, not the company; a separate account had previously been created for the company. 

28. Did you accuse Donaldson of spreading misinformation about CopperheadOS, while Donaldson accused you of impacting business opportunities?

Yes.

29. Did you ban Donaldson from the CopperheadOS subreddit?

Yes.

30. Did Donaldson’s lawyers send you a letter on May 14, 2018 requesting your termination?

From Wired:

We understand that the May 14 letter was a request to revise Daniel’s role at Copperhead, either by demotion or resignation.
 

31. Did the letter claim that “there is no written shareholders’ agreement in place, nor any written employment agreements or job descriptions for either of you”? Did it say that because Donaldson was “the sole director of the Corporation and the Chief Executive Officer,” he had the authority to deem the status of the company “unsustainable” and mandate your demotion for or immediate termination?

No comment.

32. At this point, had Donaldson previously given you multiple opportunities to take paid leaves and regroup? Did you decline those offers?

Micay was never an employee of the company and was not offered a “leave”.

33. In June, 2018, did Donaldson file a claim against you to retrieve CopperheadOS’s signing keys and nearly half a million Canadian dollars’ worth in damages?

From Wired: 

We realize that this question is incorrect. We understand that the June 2018 letter was simply ending Daniel’s employment, and that after this, James demanded access to the keys. We understand that the suit demanding $400k in damages was filed later, in 2020.

34. Did Donaldson tell you at the time that you needed to give up the keys so that the customers could keep using their devices?

See the answer to question #17.

35. Did you view this as Donaldson’s last-ditch effort to cash in on your work before you parted ways?

See the answer to question #17.

36. Is it fair to say you were livid?

Micay was justifiably disappointed with how everything turned out.

37. Did you destroy the keys?

See the answer to question #17.

38. In a Reddit post, did you write: “I consider the company and the infrastructure to be compromised”?

Micay did consider the company and the infrastructure to be compromised.

39. Without the signing keys, could neither you nor Donaldson make changes to CopperheadOS?

Correct. The OS accepts only updates signed with the proper keys.

After Micay ended his relationship with the company and Donaldson, Donaldson hired contractors to fork Micay’s open-source project into a closed-source OS; those efforts repeatedly required new forks as they fell behind and did not produce substantial original work, leaving them dependent on Micay’s open source project.

40. Did this leave existing users vulnerable?

Micay’s actions prevented a takeover and preserved users’ safety from forced changes, but they also froze the existing CopperheadOS builds so vulnerabilities could no longer be patched. Micay judged this the least‑bad option under the circumstances.

Customers who purchased Donaldson’s closed‑source builds after Micay cut ties fared worse: some devices were effectively bricked when required update/activation servers were taken down, and certain builds included code that required monthly payments to receive updates or to use the device.

41. Do you only speak to Donaldson through lawyers now?

Micay only wants to speak to Donaldson through lawyers.

42. Is it fair to say that the question of who technically owned CopperheadOS (and therefore its keys) is central to ongoing litigation?

In addition to Wired’s comment below, there’s also Micay’s claims for the Bitcoin donations made to support the CopperheadOS open source project which James took and apparently liquidated without notice to Daniel.

Wired:

We understand that the central claim of ongoing litigation is not who owned the OS, but rather whether Daniel had a fiduciary duty to Copperhead.
 

43. Is it your position that you wrote the code for CopperheadOS before meeting Donaldson? Do you claim that Donaldson had agreed to let you keep ownership of the operating system?

Yes and yes, see the answer to question #6.

44. Donaldson stresses that the idea of porting hardening techniques to Android was his idea and maintains that Micay was hired as a contractor for CopperheadOS and that everything he built during your partnership was company property. Do you have a response to this?

See the answers to question #4 and 6.

45. Is it accurate that before CopperheadOS had hit the end of its lifetime, you had begun rebuilding the infrastructure of your code? Did that result in GrapheneOS?

See the answers to question #8 and 17.

46. Did you decide that this time around, the project would be run entirely on donations and remain open source?

Micay chose to stop pursuing a business‑led model and instead fund the existing project primarily through donations with all work fully open source.

47. Did you decide it would never again be closely tied to any particular sponsor or company?

Micay’s open source project aims to have a diverse group of donors, and not be closely tied or beholden to any single sponsor or company.
 

48. Is GrapheneOS a registered nonprofit?

GrapheneOS is an open source project with contributors from all over the world. 

The GrapheneOS Foundation is a non-profit incorporated in Canada in March 2023.

49. Is GrapheneOS’s flagship feature a sandboxed version of Google Play?

Micay’s open source project was launched in 2014 and includes many flagship features; sandboxed Google Play was added later, around mid‑2021. Many users run GrapheneOS without sandboxed Google Play.

50. Is it accurate that on Android devices, Google Play cannot be deleted and requires extensive privileges to run, beyond what’s necessary for each application? Do most people not fully understand why this is the case?

Google Play services are designed to run as a privileged operating system component, which cannot easily be removed via normal user-level uninstallation. Many popular apps – social media, finance, and online games – rely on Google Play libraries (for example, Firebase Cloud Messaging) so removing Play Services can cause those apps or key features to stop working. This dependence is often due to app developers locking themselves into Google Play APIs rather than an inherent shortcoming of alternatives; several widely used apps (for example, Signal) work without Play Services.
 
GrapheneOS demonstrates that most privileged access granted to Play Services is unnecessary, by providing an opt-in compatibility layer which receives absolutely no special access or privileges, and provides near complete compatibility with the app ecosystem depending on Google Play.

51. Is it accurate that on a GrapheneOS-run device, these privileges are granted only on an appby-app basis?

All user‑installed apps on GrapheneOS (including sandboxed Google Play) run in isolated app sandboxes with per‑app controls. Users grant permissions on an app‑by‑app basis. GrapheneOS expands Android’s permission model with additional toggles (network access, sensors, dynamic code loading, JIT for WebView, etc.) and finer‑grained controls for existing permissions (for example, allowing access to specific files or contacts while the app is presented with broader access), helping maintain compatibility without over‑privileging apps.

52. On Graphene devices, are users given the option to deny access to their location, network, contacts, sensors, and background activity?

Control of location and contact access per application are standard Android features. The controlling of background activity is also an Android feature, but it doesn’t prevent an application from starting on its own. Network and sensors permission controls are GrapheneOS features.

53. Does GrapheneOS run Google Play in an isolated, simulated environment? Is this called sandboxing? Does that allow GrapheneOS to compartmentalize the data of Google Play? Does it give users control over how much of the app is accessible by their devices?

See the answers to questions #50 and 51. To elaborate;
 
GrapheneOS allows users to run Google Play as a sandboxed application. A compatibility layer (named GmsCompat), provides all the required functionality in a privacy-preserving way. If a user wants to provide location, contacts, or other access to Google Play services for greater app compatibility, they can enable that themselves.

The Android operating system (and GrapheneOS) provides “user profiles” and “private spaces”, which are logically separated user environments with their own settings, applications, user data, credentials (+ encryption keys) and VPN configurations. Users can compartmentalize by e.g. having a user profile or private space specifically for apps which require Google Play Services.

54. By the early 2020s, did the GrapheneOS team have 15 people? Did you have the title of BDFL?

Micay did not have the title of BDFL. He was the lead developer until June 2023, and remains one of the foundation’s three directors. The number of active contributors to the project have varied over time, with around 20 today, of which around 10 are paid.

55. In the early 2020s did GrapheneOS have roughly 250,000 users?

Today GrapheneOS has around 350k to 400k users. 

56. The article notes that whenever someone would challenge your implementation—especially if they compared GrapheneOS to CalyxOS—you would get into strongly worded debates about technical intricacies, and sometimes accuse people of conspiring against the project. Do you have a comment on this?

Wired:

We understand that it is your position that what others view as GrapheneOS going after critics or competing projects is actually your efforts to combat misinformation and educate the public about your project.

57. The article notes that on multiple occasions, you removed open source contributions out of spite. Do you have a comment on this?

Wired: 

This has been removed from the article.

58. The article notes that people have videos “exposing” their private conversations with you, often advocating for a boycott of GrapheneOS in response to your conduct. It notes that the GrapheneOS team itself was criticized for “going after” competing projects and dissenting parties. Do you have a comment on this?

Wired:

We understand that it is your position that what others view as GrapheneOS going after critics or competing projects is actually your efforts to combat misinformation and educate the public about your project.

59. Were you swatted at one point? When was this?

Micay was swatted three times, starting in April 2023.

60. Did the police knock on your door? Were they fully armed? Did they tell you they had been told that you were armed and you were gonna shoot everyone that entered?

There were about 30 police officers – an ETF/SWAT deployment. Roughly a dozen officers had handguns and rifles aimed at Micay; they arrived around 12:40am.

There were two later, less severe events, and possibly other attempts that were not pursued.

61. Did this prompt you to resign as BDFL of GrapheneOS? Have you relinquished control to your team members?

See the answer to question #54.

It contributed to Micay stepping down as lead developer in June 2023. Another long-term GrapheneOS contributor took over as lead developer.

62. What date was your resignation?

Micay stepped down as lead developer in June 2023.

63. Do you continue to consult and occasionally contribute to the project?

Yes, Micay still contributes to the project.

64. Have you also scrubbed from the internet as much of your digital footprint as possible?

No he has not.

65. Has GrapheneOS gotten in trouble with European Union regulators? Does it have a comment on this?

No, GrapheneOS has not “gotten in trouble with European Union regulators”.

66. The article mentions a recent headline that read “Cops say criminals use a Google Pixel with GrapheneOS.” Do you have a comment on this?

That claim oversimplifies a complex issue. Device choice doesn’t determine criminality, and security-focused operating systems like GrapheneOS have legitimate privacy and safety uses. Law enforcement should focus on behaviors and evidence, not blanket tech assumptions.

FOLLOW UP QUESTIONS

67. Could you specify the names or any other details about the criminal organizations that Donaldson was attempting to do business with?

Donaldson tried to make a deal with Phantom Secure, which ultimately didnt work out. Micay suspected other counterparties were linked to organized crime, but we cannot confirm those identities or ties on short notice. Donaldson began pursuing such deals before Micay left and continued afterward.

68. Just trying to clarify—if the decision to change to a source-available license was made by Micay, are you saying that Donaldson was not involved? Or was it sort of like Donaldson was forcing Micay to press the button, so to speak?

Micay made this decision to placate Donaldson, after significant and continuous pressure to do so by Donaldson. It was a decision that Donaldson himself couldn’t have implemented directly, as Micay retained control over his open source project’s licensing.

69. Was the first swatting attempt April 22 2023? Were the other two also in April?

Our records indicate the first two swatting attempts occurred in the early mornings of April 23 and April 30, 2023. We cannot confirm the date of the third attempt on short notice.

70. Separately, just wanted to confirm that “Dave Wilson” is indeed a pseudonym?

Correct, it’s a pseudonym.

71. Has Daniel Micay been writing and communicating under the name “Dave Wilson”?

No, Daniel Micay has not been writing and communicating under the name “Dave Wilson”.