https://discuss.grapheneos.org/d/5235-stepping-down-as-project-leader-of-grapheneos

Will this effect future development?

Mod note: Just adding a post quote here so people can respond to it more easily:

I’ve stepped down as lead developer of GrapheneOS and will be replaced as a GrapheneOS Foundation director. I’ll be ending my use of public social media. I’m unable to handle the escalating level of harassment including recent swatting attacks. There will be a smooth migration.

I’m confident the project will be in good hands with the rest of the development team. I’ll be training them to handle everything I used to do myself. I haven’t been a particularly active developer for a while now and there will be little impact on ongoing feature development.

One of our veteran developers will be taking over administration of the server infrastructure. Local infrastructure for official builds, signing and testing will be replicated in multiple locations and verified against each other to reduce trust in any particular location.

I’m going to focus on recovery from everything that has transpired since 2018. I have not been doing well, particularly in the past few weeks, but there has been no break from it since 2018. The police know about the swatting situation and are preventing it happening again.

Probably. If most of the feature set came from this particular dev then yes.

Will the quality go downhill? Probably not. It was said that the lead dev did not participate much in the recent months and Graphene seems to be doing fine at the moment. We are probably more concerned with stagnation, but this is a future issue that could still be resolved. If Mikay returns with a healthier outlook I wish he would still come back.

And if Mikay (or anyone else for that matter) became a better dev of Graphene because of a less sound mind, then it should not be desirable. It speaks volumes to the kind of a privacy and security community we are in if we still demand that blood sacrifices be made.

Although he may not have been very active in the development itself, his retirement is a great loss. His contribution to security has been very important. Beyond GrapheneOS, he often answered questions in great detail on twitter and elsewhere. It’s sad to see it end like this.
However, there are also other very competent developers on GOS. So I’m not worried about the future, especially as there is now a solid structure under the project

We are just going to have to wait and see how the actual GrapheneOS project handles the near future. I think it will be a big blow to trust if they end up replacing Daniel Micay with some pseudonymous developer. I know they now claim that Micay was barely involved with development—a claim I’ve never really heard from anyone before Micay leaving made it convenient—of GrapheneOS, but honestly from an outside perspective it’s hard to believe that’s actually the case. Micay was a prolific contributor to GrapheneOS on GitHub. Perhaps they simply do not properly assign authorship to commits and everything was run through him, but that practice would be virtually unheard of in the open source community.

Micay and GrapheneOS currently acting like a change in ownership is no big deal and people won’t notice an impact at all is, to me, a massive red flag. If we think about Moxie departing from Signal as a comparison, there was a huge amount of work and communication on their end via their blog etc. to make sure that transition went smoothly, and they had a clear team ready to take the reins. Moxie wasn’t even the main guy at Signal, sure he was the CEO, but they had multiple actual verifiable people doing the technical work. Signal was clearly a team project with a transition plan in place, in a way which GrapheneOS doesn’t portray itself as.

Contrast this with GrapheneOS, where Micay ruled as project dictator and near-sole Git contributor for years, and now they claim the project will be exactly the same if he just leaves? This does not add up, and needs to be scrutinized by the community in the coming months to make sure they actually live up to this promise.

It would not surprise me if the replacement they do find is just a Micay sockpuppet, tbqh.

Edit: After looking at their GitHub further, I have found lots of work recently done by other accounts, such as @muhomorr, but it doesn’t really change my overall point.

I don’t think so. There are countless examples of fantastic, constructive, and brilliant projects and leaders in the privacy space. Micay is really the only example that comes to mind of someone who constantly lashed out against and actively hindered nearly everybody he came into contact with, unless they enabled his harassment against others 100% of the time. I’m glad the community finally does generally see this behavior as unacceptable, and it only took a video from Louis Rossmann to do so (despite there being so much prior evidence of this for the past few years lol). I hope this was a wake-up call for Micay, and he actually sees this video as constructive criticism about change that he needs to make, and not yet another “personal attack” against him.

The main reason he stepped down was because of these videos from Techlore and Rossmann. They are seriously harming the project’s reputation simply because the lead developer is suffering from mental illness and needs help, despite the fact that this has no technical implications for GrapheneOS. The guy is a genius developer who has done a lot of amazing things in the privacy and security space. He created this incredible project while improving privacy and security for billions of Android users. Despite knowing that these videos would harm the project’s image and increase hatred for Daniel Micay and the project in general, Techlore and Rossmann chose to upload these videos to their whole audience. Anyone that I would choose to respect and trust wouldn’t make such videos and would base their recommendations on technical privacy and security aspects and not the communication of the lead developer, who has issues with mental health despite still being a genius developer and very trustworthy.

Whatever happens next, I hope that Daniel gets his well-earned rest and gets the mental support he needs. GrapheneOS is such a cool project, but I just don’t want a “cool project” when the cost is that someone else is struggling hard with his life, whether wrong or right. He definitely experiences many negative feelings. But eventually, I do hope to see him back some time soon in good health and mental clarity, continuing this remarkable project because it helps so many people have more control of their devices and privacy.

I think that is what Louis Rossmann and Techlore both did, before Micay went and attacked them directly and personally. Rossmann said on Reddit that he set aside Micay’s behavior and kept quiet about it to support the project, and Micay chose to accuse him of attempted murder anyways. At a certain point, actions have consequences.

I saw this on his Twitter if anyone was confused:
https://twitter.com/DanielMicay/status/1662558442458955777

It appears the wording above was unclear. I’m stepping down as a GrapheneOS Foundation director and as lead developer. I won’t have any leadership role in the GrapheneOS project. It will take time/work to transfer my responsibilities to others, especially non-development roles.

Very depressing to see he’s doubling down on Twitter today instead of taking the time off social media he mentioned yesterday, and once again deflecting the blame onto others instead of reflecting on his own behavior. The guy needs to log off, and frankly apologize to Rossmann, Techlore, and Calyx

Preface

1. I believe swatting and any kind of online harassment is wrong. Anyone who has dealt with that is a victim and I don’t believe there is any situation which justifies that kind of behavior. Bullying is wrong. We should treat people with respect.

2. I am genuinely sorry for any harassment that Daniel Micay has gotten in the past. It was wrong for him to deal with that and I hope that this break will help to get those folks off his back and off his case. No one deserves that.

3. As far as I know, GrapheneOS (the project) remains the best privacy focused Android ROM you can get. Any limitations or issues I have ever heard of have been addressed or are being address, and I have never heard of a security related complaint about it. Most of it has been user experience focused and has improved over time.

4. Transparency is a virtue, especially in the digital privacy world. I believe that also extends to GrapheneOS and valid criticisms that it may engender.

5. This is all my opinion. It’s basically an argumentative essay at this point. While I am coming at this from a certain point of view, this is not mean to invalidate your opinion or experience.

Behavior from leadership should not be ignored

This kind of behavior is important to talk about. Micay wasn’t just a spokesperson for an open source project or in charge of marketing and PR. He was the lead developer and project leader. He was the person who wrote a lot of the code that runs on probably the most important device in our lives, with the ability to access more information on an individual than any other device or service. It is very important that this person be trustworthy.

Yes, a project can confirm their trustworthiness through being open source, transparent, and being careful with how their governance works. However, it’s also possible to contradict those efforts with your behavior, especially when it’s coming from the person with the most influence over the development of a project.

One of the simplest principles in security is that if you don’t trust a developer, you shouldn’t trust their software. People give Proton, Mullvad, Mozilla, Calyx, DuckDuckGo, Bitwarden, Brave, Element, Signal, and others so much flack over anything from technical details to how information is disclosed. Even in the face of evidence some will continue to harp on issues (valid or not) from the past. Yet GrapheneOS has openly and repeatedly shown hostile behavior to other people and projects while scrubbing any notion of criticism, and no one says anything. If any other project started behaving like Micay has, there would be immediate pushback and hesitation at using that tool.

Why should we care how a developer behaves if the project is technically sound?

First, their mind can change. We have seen instances of a significant member of a project changing their mind about who should be included or what should ship with the project in ways that spook members of their communities.

One example which I personally followed because it affected me was the hostile ouster of most of the PolyMC team in an effort to make the project less liberal. PolyMC was a popular Minecraft launcher that you could find in Flathub. That action exposed all PolyMC users to the whims of a dev who could not be stopped. He could push out whatever he wanted to all their users - all of us were at risk out of nowhere. Thankfully the devs that were kicked out got the word out and were able to save a lot of people from that risk. They went on to make Prism Launcher. But the risk was real and came from an app as unassuming as a Minecraft launcher.

Protestware more broadly is an example of the potential bait-and-switch that can happen with a project. It’s important to see stability and security not just in the processes an organization implements, but in the people running it themselves.

I’ll mention now that I expect GrapheneOS was set up in such a way that Micay couldn’t just push out whatever he wanted without oversight from the rest of the team. However, based on how much Micay was able to get away with in the form of harassment within his own community, it seems like he had a lot of control, so I’m not confident in how safe that governance was.

Second, toxic and harassing online behavior is literally one of the the most likely things people are defending against in their threat models. Many people value privacy and security specifically to make sure they don’t expose themselves to this kind of behavior.

That’s especially the case for me. I value participating in online communities but don’t want to expose myself to people who are willing to take harassment to an extreme level. When the internet makes me accessible to anyone with an internet connection in the whole world, and threats as haunting as swatting can also be done remotely, it’s pretty important that I preserve my privacy and give myself an exit strategy if things get hairy.

How is someone like me supposed to trust their phone operating system to someone who exhibits the same behavior as the threat actors I’m trying to avoid? How can I recommend or discuss this project without giving the full picture of its pros and cons so that others with similar threat models to mine can make an informed decision?

Silencing is usually a bad thing

The main accusations against Micay are that he lies about other people and organizations to harm their reputations, harasses them, and hides behind his mental health to justify his own behavior. He has also aggressively cut ties with projects he no longer agreed with and threatened legal action against those who would attempt to speak out further while continuing his own accusations. In response, Micay does himself no favors by claiming they have been running a harassment campaign against him for years, spreading misinformation about the project, and are complicit in his recent swatting (which he will also refer to as an attempted murder).

This is important to keep in mind because it is the backdrop that has likely infected public discussion of GrapheneOS. After Techlore spoke out about the toxicity they encountered from Micay, he was silenced through more harassment and legal threats. In the face of that, what other content creator would want to share their experience? Who would put themselves on the chopping block? I’m not going to pretend to know how often these folks talk between each other, but I figure some probably learned what happened and chose to avoid that.

What makes it worse in a funny way is that GrapheneOS on its own is a great product! As far as I can remember the most common compliment for GrapheneOS was that it was the most secure and private Android ROM you could get. That never changed. CalyxOS for a time had the better user experience at the expense of privacy, but they were overtaken with the implementation of Sandboxed Google Play Services.

In that environment, why would someone bother with sharing a fair and valid criticism? The things you could mention would be relatively minor and wouldn’t impact the general recommendation of GrapheneOS being the best. If you did try to mention it anyway for the sake of informed decision-making, you risk getting accused of spreading misinformation for the explicit purpose of harming the project - a situation that could potentially evolve into legal threats based on what has happened to others.

The result? The average person interested in privacy only ever hears good things (of which there are many), but rarely comes across the few and sometimes outdated points of technical criticism. Even less frequently will they see the behavior of the lead dev they’re considering to trust with the keys to their kingdom.

To me that sounds like silencing, which is ironic for a privacy-preserving tool. One of the main arguments for the importance of privacy is being able to blow the whistle on things going wrong. In this case the tremendous quality of GrapheneOS has provided cover for Micay’s actions. Hopefully now that someone with a bigger platform on the outside has been fed up with it, more people can acknowledge the problem and we can move into a better situation for all involved.

I said it at the top and I’ll end with this too. GrapheneOS remains the best privacy focused Android ROM you can get.

Also, I do genuinely and seriously hope that Micay can benefit from his time away, that the GrapheneOS community can continue to see success after the fact, and that people who have been negatively affected can feel comfortable talking about this again just like we would for any other tool.

Just gonna leave my thoughts.

I do believe the project itself will be fine. It doesn’t make too much sense that Micay himself was doing all of the work in GOS, simply looking at the number of repositories and commits in them. As for commit authorship, I’m not too sure how they have that set up, but it does seem like most of their commits go through the thestinger account.

It’s possible that they have a transition plan set up internally, that maybe they’re not willing to fully disclose to everyone else. Since all of their commits were going through one account anyway, I don’t really see why that would change after he leaves. Also, I don’t think the GrapheneOS Foundation is set up in quite the same way as the Signal Foundation.

I don’t believe any amount of mental health issues can justify behaving the way that he does. This isn’t something that’s happened just with Techlore and Rossman, it’s something we’ve seen happening with other projects like Bromite and Florisboard, that don’t have nearly as big of an influence as GOS does.

As for this, there is no doubt that Micay is a great developer. However, being the lead developer also means that he is effectively the face of the project. For instance, if Jonah were to start behaving as Micay online, that would impact the entire Privacy Guides project, not just Jonah, even if there’s a whole team behind it. Being the face of the project means that you have to maintain a certain level of composure and professionalism, regardless of what may be going on in your personal life.

And to add to all of this, not only does Micay not separate himself from GOS in all of his arguments online, he claims that everyone that criticises him, is criticising the whole project, which simply isn’t true. I don’t think I’ve ever heard criticism of GrapheneOS, technically speaking, because there isn’t much to criticise, if anything. So clearly Micay sees himself as the face of the GOS, and perhaps the entirety of it.

This comment from earlier in the thread: Daniel Micay publicly steps down as project leader of GrapheneOS - #10 by pCrQgGq99boQCr highlights my point exactly.

Like I said before, no mental health issues justify the behavior that Micay has. I don’t think any of them bullied Micay, at least not in the way that he claims. In both Techlore’s and Rossman’s situation, chats and proof were provided, and you can find similar interactions with Micay from many other people online. I’ve linked 2 of them above. People have been banned from GrapheneOS communities simply because they were associated with someone that Micay didn’t like. I used to see that happen very often with people being banned just for being in the Techlore Matrix room.

I don’t think any of these videos criticised the GrapheneOS project as a whole. And if that was a concern, then maybe it’s not such a good idea for the person representing the project to behave in the way that he does. Imagine if Jonah, or Meredith Whitaker, or Andy Yen, behaved in the way that Micay does. Would you still hold Privacy Guides, Signal or Proton in the same light? I don’t see why Micay gets excused from that.

As for trolls, every community I’ve been in faces that. I’ve seen plenty of trolls in the Privacy Guides room, which I’m sure other community and team members will confirm. The difference is that I haven’t seen any of the team members lash out at other people and projects for sending those trolls and intentionally causing harm to the project.

Neither of those show a direct attack on GOS, both seem to be a comment on his character. A comment that seems to be reflected by pretty much everyone else that he dislikes for whatever reason. You’ll see a similar opinion in Louis Rossman’s video too. Also, Micay claims that the F-Droid developers are:

organizing raids

yet the screenshot he shares implies nothing of the sort. Neither screenshot implies anything to do with the GrapheneOS project, both are direct comments on his character.

I haven’t seen any proof from Micay for all of the claims he makes about Techlore, Calyx, Rossman and others attacking GrapheneOS. If he wants to make a point, he’s not exactly making a strong one. If you do have a link to all his proof, please let me know.

I respect his contribution as a developer, but I don’t agree that he isn’t deserving of the criticism he has received regarding his behavior. You doing so much good doesn’t mean that you can’t ever behave poorly, and won’t receive criticism or face consequences for that. Most, if not all of the negative attention I’ve seen about Micay seems to come from Micay himself.

It’s not about wanting bloodshed, it’s about wanting it to gain people’s attention. Rossman reiterated that GOS is an amazing project, which is something that I don’t think anyone is willing to contest.

This comment might get me banned from GOS, and I’m fine with that. I haven’t been part of their community in a while, and I don’t even use GOS anymore, nor do I plan to do so again anytime in the near future.

I really hope Micay gets the time off that he needs, and that he stays safe. I also hope that the next person to take over GOS development will do as good of a job maintaining its privacy and security as Micay did, or hopefully even better so that the project can grow.

Look how the issue ended with FlorisBoard; they decided to go and talk privately. Instead of saying GrapheneOS is bad and Daniel Micay is bad and making posts, videos, and decisions that would harm both projects.

Again, no one ever said GrapheneOS was bad. But also notice how Micay was behaving throughout that whole discussion before offering to communicate with Patrick on Matrix. Also, we don’t know how their dicussion went behind closed doors, but seeing Louis Rossman’s video, I’m not sure how well it would have gone.

You can also see that behavior in the Bromite thread.

I’m not sure if my previous comment made it unclear, but I have a lot of respect for Daniel Micay. There’s very few people in the world that could achieve what he has. But I’m also not willing to let my respect for him overlook the mistakes he’s made. I have similar criticisms for other projects and people that I trust, like Signal and Proton.

I can’t find any full comment I can agree with. Therefore a bit of a different voice.

“I can acknowledge that I approached it poorly, that it was stupid to threaten him with a bad or making his support for Techlore public, etc. and I did neither of those things. I don’t think I deserved the extremely disproportionate response, and I even mentioned it as part of it.”

I cannot agree more with Daniel’s tweet. It wasn’t right but I also don’t think he deserved this. Everyone knows how Daniel can be. I experienced it myself quite some times. People should show some tolerance and don’t act like childs. He definitely isn’t the best in communication, we all know that. I thought he was working well in getting this solved with the foundation and hiring people for communication. This is just a sad thing to happen.

And from the looks, just stop the FUD. So far there is nothing factual to be worried about the future. There are several different accounts contributing to the project. Putting that in question is just insane. Of course you should be vigilant as always. I actually think this all is going quite transparent given how much time went over it. They are probably working of their asses to make a smooth transition. Just be a bit patient.

This is exactly the problem I’m pointing out, I’m pretty sure. There is actually a significant trust factor when you’re choosing your operating system, the base of everything running on your device. If GrapheneOS can’t communicate why they can still be trusted after they choose a new lead developer and hand signing keys and other critical infrastructure over to new leadership, that will absolutely be a problem for many people.

I’m not saying they won’t handle this properly, I’m just saying that we need to monitor this situation and make sure that they do.

I am just saying this is all a really really short timeframe man. Just give them some time to work it out.

Yes, I worry that he is going down a bad path. He wants people to stop harassing him but doesn’t realize that his reactions that are making it worse even when he can’t take it anymore, and he’s learning the wrong lessons. He’s also unwilling to admit that he has even slightly been in the wrong. It’s not his involvement with the project that is the issue, but his involvement with the community.

https://twitter.com/DanielMicay/status/1662652874529157120

I don’t need a break. I need people to stop harassing me and pushing baseless claims that I’m insane, delusional, etc. paired with victim blaming. It’s not going to happen. It’s only getting worse and people join in on it over small arguments and disagreements since it’s easy.

My take as someone who’s been active in the Gos community for awhile and also someone who’s been banned from the rooms a fair few times
There are 4 kinds of “harrasment” that daniel faces/perceives as harrasment:

1- The most aggresive kind, irl harrasment. Swatting, calling an ambulence, sending packges, etc. This may be from the same individual who’s active on spreading misinformation on reddit or the individual who’s spamming cp, impossible to know.

2- The extreme haters online. This involves the user(s) who’ve spammed CP, raided the rooms, and spread deliberate misinformation across social media. As for the CP, impossible to know who it was. As for misinformation, the 2 main perpatrators are u/secureos, and u/1MxtaL6FHK.

3- Negative comments about him. This is by far the most common, and sadly the most weaponized. There are different levels, like with a calyx member saying some insulting comments, vs TL and Rossman pointing out micay’s behavior. It’s likely that level 1 & 2 trolls manipulate daniel into thinking TL or Calyx are involved substantially, by pinging them in tweets, saying they come from those communitues, etc. This is the most damaging level imo, NOT because of the actual content, but because level 1 and 2 trolls weaponize it. They know if they appear to come from those communities they can get daniel to turn against them, and can destroy his reputation as he lashes out against them

4- People inadvertently spreading some misinformation, or saying neutral comments that are misinterpreted. Examples? Most people who don’t side on either side of the conflict and come into the chat rooms inadvertantely misinformed

So from my POV, daniels only really being targetted by a few L1 and 2 trolls (that manipulate him into thinking L3 people are actually part of L1 and 2, thus helping him make even more enemies. Finally, L4 people are caught in the crossfire of micay trying to deal with all of this, and becoming far stricter because of it.

This is a pretty loose definition of “attack” to be honest. In those screenshots F-Droid seems to be talking about compiling all the instances where GrapheneOS/PrivSec were acting negatively online, which is definitely a legitimate topic. Criticism is not harassment, as Micay needs to learn.

Whatever was going on with r/Android and “Graphmeme” is clearly more of an actual prejudice against GrapheneOS on their end, for whatever reason.

This is the saddest thing to me, that he’s falling for this obvious ploy to turn him against his own supporters. These internet trolls turned him against CalyxOS, when they previously were fine collaborating on projects under the AOSPAlliance banner; they turned him against Techlore, who had only posted positive coverage of GrapheneOS before he lashed out against the channel; and they turned him against Rossmann, who made almost ridiculously positive content about GrapheneOS and assisted them in getting a $40K grant for development. It’s still crazy to me how such a supportive community was able to be poisoned this quickly, but the internet trolls were effective at using him in this case.

You made a good point abt Fdroid, and upon rereading the screenshots, I’ll edit my post to exclude that part. I think the r/android mod thing goes a bit deeper, as there were also DMs and false bans between him and a certain mod. I was personally in micay’s “counter misinformation” group, and he did share screenshots of his convo with this mod that do substantiate some claims against that mod. Now, I’m in no way saying there’s some big r/android conspiracy against him, just that there appears to be a bad mod on the team. I didn’t save the screenshots and no longer have access to the account, so that all is a huge trust me bro, so believe what you will.

As for the last part I totally agree, and I honestly believe that micay stepping down is the best possible thing that could happen for the project. He was a great dev, however undoubtely the biggest reason people were unwilling to switch was him. Beef with you, TL, a lot of other open sauce projects scared people away. Misinformation is also a big reason, but I believe him stepping down will hopefully allow the project to unburn some bridges and be seen in a much more positive light in the community.