Thursday, September 2, 2010 - 4:50 AM
If the world of non-profit technology had its own stock exchange, I'd recommend buying lots of stock in Haystack, a censorship-circumvention software put together by California-based Censorship Research Center in order to help Iranians evade their government's control of the Internet.
Haystack's story makes for great Hollywood material: Bay Area technologists who serendipitously discover that there is a bloody and violent world beyond Silicon Valley -- the one where people rebel, fight, and die for real and not just as part of some new Facebook game -- decide to dedicate themselves to the fight against authoritarian evil with the help of -- you guessed it! -- the Internet. They are the ones putting "Twitter" into the "Twitter Revolution"! And you too can abet their fight: they've got a whole two Donate buttons on their website!
Not surprisingly, Haystack has been all over the media in the last few months -- most recently in Newsweek -- with its founder Austin Heap getting quite a bit of attention from journalists and policymakers alike. This is, for example, what the ever-modest Heap told Newsweek: "Tomorrow I meet with [Sens. John] McCain, [Bob] Casey, maybe [Carl] Levin, but I don’t know if I will have enough time." (Apparently, the senators have become much more tech-savvy since I left town; perhaps, this comes with age.) And it's not just American media: The Guardian pronounced Heap to be "The Innovator of the Year" -- though personally I would have gone with "The Publicist of the Year," just check this photo -- but then who am I to judge? (Moi -- I am only invited to opine on the Snark of the Year Awards.)
I like Hollywood as much as the next guy -- and yet something just doesn't feel right about Haystack. What really bothers me is that one cannot download and examine their software; as far as the Internet is concerned, Haystack doesn't exist. In fact, Heap says that it is only distributed to trusted contacts inside Iran; putting it online would create a situation where the government could easily get hold of it as well and then reverse-engineer it or ban it or find a way to track its users.
So, in essence, the outside public -- including Iranians -- are asked to believe that a) Haystack software exists, b) Haystack software works, c) Haystack software rocks, and d) the Iranian government doesn't yet have a copy of it, nor do they know that Haystack rocks & works. (And who could fault them for not reading Newsweek? I certainly can't). For someone with my Eastern European sensibilities, that's a lot of stuff to believe in. Even Santa -- we call him Ded Moroz -- appears more plausible in comparison.
While I don't dispute Heap's right to do whatever he wants with his software, it still strikes me as a very dangerous approach to empowering ordinary Iranians. First of all, the fact that no one can download and test it means that its flaws and vulnerabilities may remain unexposed for a far longer period of time than otherwise (I'm not trying to pull a Bruce Schneier but it may be useful to check this, for example). I'm not a cryptologist, but I've yet to meet one who thinks that Heap's approach is justified. On the contrary -- I'm in the anecdotal mode -- plenty of cryptologists on the mailing lists I am on seem to be extremely cautious/skeptical of what Haystack has (or, as is the case, doesn't have) to offer.
While I don't doubt Austin Heap's noble intentions, the world is not exactly running short on well-meaning Americans wreaking havoc on everything they touch. I propose that Haystack should first be tested on some friendly people with a nice government -- say Canadians. They seem like a good bunch who won't imprison their dissidents; Iran, on the other hand, seems like the worst possible testing ground for Heap's new method -- even if it works. So I say -- Go Canada! -- or stay home.
To me, it seems like a no-brainer: if you want to distribute technology that may endanger lives, make sure that the technology is secure. The only good way that I know of to make sure that it's secure is to let outsiders test it. All this stuff about cats and mice quoted in the Newsweek piece -- I am yet to see Patrick Meier quoted in the context of authoritarian states without invoking that zoo-inspired analogy -- does not exactly sound very convincing, especially given that I like to define mice as "animals eaten by cats".
Second -- and here I'm only speaking from my own Belarusian experience -- it's naive to believe that the human networks that Haystack supposedly relies on to distribute the software won't be penetrated and compromised by the Iranian authorities. What are they -- a bunch of losers? Well-funded and powerful NGOs -- I'm not pointing any fingers here -- have their Iranian offices penetrated and their staff arrested, and here we have some guy from the Bay Area who is building the most secure -- even infallible -- network in Iran. Yeah right. Maybe he should go work for the DOD -- they need such people to deal with all those (wicked-) leaks.
So, helping you cut through the cynicism, the argument that the software needs to be hidden from authorities at all costs strikes me as untenable; the only assumption I'm prepared to tolerate in the context of authoritarian states is that no software will remain hidden. Moreover, if the government does manage to get hold of Haystack and it is, indeed, so easy to break into that it needs to be guarded, then lives of Haystack users are at risk as well.
So my question to all those journalists penning admiring articles about Haystack: have you guys actually seen the software? Have you tested how it works? Are you sure that those who use it are not automatically getting a free holiday in Evin prison? Or have you all been sweet-talked into covering a fancy piece of code that -- drumroll here -- "undermines authoritarianism" -- without ever bothering to think of its downsides? This may seem like unnecessary moralizing, but it's hard to react otherwise when lives are at stake.
Now, there is no shortage of dumb and incompetent journalists writing about technology, and most politicians have no clue about encryption or censorship-circumvention technologies; expecting John McCain to show nuance and sophistication in discussing Haystack -- let alone Iran -- well, let's just say it's not going to happen.
But elected politicians and the media are one thing; bureaucrats are another. The latter are being paid to be experts rather than talking heads who think in tweets or sound bites. And so far, the bureaucrats have failed badly. In particular, what bothers me the most is the way in which the current process by which the U.S. government regulates the export of technologies like Haystack to Iran ends up conferring indirect legitimacy to the software.
To recap: American entities cannot export most censorship-circumvention technology to Iran without first obtaining a license from the government. Earlier this year Haystack was granted such a license -- something that was widely publicized by Haystack and something that even Hillary Clinton mentioned in one of her interviews (curiously, a month before Haystack announced it). Score one for Internet freedom.
Now, I'd very much like to imagine that Treasury officials who granted Haystack the license also happen to be uber-genius whitehat hackers who subjected the software to all sorts of security tests before making up their minds -- and yet, somehow I can't really believe that. Can you? And what kind of world do we live in if we expect technology expertise to be concentrated in the U.S. Treasury Department? Last time I checked they still didn't know why all those flash trades went berserk a few months ago...
Given how much noise Haystack has made in the media -- see this column by Roger Cohen as an example -- it's quite likely that the granting of any such license is a process marred by political pressure, especially from the hawkish part of the Washington establishment who would really like to use the Internet as a powerful weapon to be used against the Iranian regime.
Nothing new here -- except the fact that having such a license makes Haystack look like a tool that has been properly vetted by the U.S. government. My fear is that it hasn't been properly vetted at all -- not on its security merits anyway -- but I doubt that either journalists, who are all too quick to pen another admiring piece about Haystack, or politicians, who finally found a way -- they think! -- to put Ahmadinejad in the corner, get this big picture. The end result is that Haystack gets a very good platform to work in Iran, regardless of how insecure their technology might be. And who gets to pay for all this? Bingo: the Iranians.
I am even sure there are plenty of conservative -- and maybe even some liberal -- foundations who would be happy to fund Haystack's work right now without ever asking to test-drive the software. Good job, guys: it's like funding an automobile where the independent third-party mechanics are not allowed to inspect the brakes. Even the U.S. Treasury folks, patriotic as they are, won't ever drive this vehicle.
Now, I don't have anything against Austin Heap; for all I care, he may be just another nice guy -- apparently, there are many of them in the Bay Area -- who, in between shooting the dragons in his favorite game, just wants to help Iranians. He's not the first; he's not the last. God bless him. There will always be plenty of entrepreneurs eager to build a business of some kind -- whether it pays in reputation or big bucks is another matter -- around the needs and demands of U.S. foreign policy. I don't think even my powerful blog can ever end this practice, so I'm okay with the fact that Haystack will be around as long as Blackwater is around (or XE or whatever other new name they want to stick upon themselves today).
What I really want to know is this: who in the U.S. government was so smart as to grant Haystack this license? Can we actually see the name of that person somewhere on Treasury's website? Let me break the news: we can't -- there is nothing about Haystack on the site. Another victory for transparency in the Obama administration! But this is something that I do want to know -- for this person (along with a bunch of irresponsible journalists -- luckily those still have bylines) should and would be held responsible if some of Haystack's users are arrested by the Iranian police.
Once again: I've got nothing against Haystack or Austin Heap per se. What irks me is the way in which the limitations of the current discourse on Internet freedom -- and the bizarre, completely non-transparent policies it conceals -- end up conferring unneeded legitimacy to Haystack's flawed (for my taste, anyway) approach to fighting censorship. Some things, perhaps, are better left unfought -- especially if the fight makes everyone but the fighters considerably worse off.
p.s. The Newsweek piece also contains this gem of a quote from Austin Heap, which captures what's wrong with Haystack better than I ever could hope for:
“I hope we are ready to take on the next country... We will systematically take on each repressive country that censors its people. We have a list. Don’t piss off hackers who will have their way with you. A mischievous kid will show you how the Internet works.”
How do I say "no, thanks"?
full formatted response is here: http://blog.austinheap.com/brain-dead-journalism/
It’s always fun when you take on something big, something you care about, and brain-dead “journalists” attack you. For full transparency, here’s what I sent to Evgeny after he had no spine to contact me before he penned his tabloid bullshit. Enjoy.
Hey Evgeny,
Completely fair article, I understand it’s frustrating for people outside our organization to figure out how we work. I also wish you would have reached out and I would gladly have clarified the misunderstandings you highlight in the article.
–
Haystack’s story makes for great Hollywood material: Bay Area technologists who serendipitously discover that there is a bloody and violent world beyond Silicon Valley – the one where people rebel, fight, and die for real and not just as part of some new Facebook game - decide to dedicate themselves to the fight against authoritarian evil with the help of – you guessed it! – the Internet. They are the ones putting “Twitter” into the “Twitter Revolution”! And you too can abet their fight: they’ve got whole two Donate buttons on their web-site!
I agree with you that the media narrative is very “Hollywood” — go modern day press, right? I also agree a lot of media are quick to yell “TWITTER REVOLUTION” or other nonsense. I’m the first person to shoot this down, and do so at every opportunity.
The “Twitter Revolution” is a bullshit phrase used by Twitter and many others to boost the image of social media. I regret any role I had in furthering this completely empty notion.
–
This is, for example, what the ever-modest Heap told Newsweek: “Tomorrow I meet with [Sens. John] McCain, [Bob] Casey, maybe [Carl] Levin, but I don’t know if I will have enough time”.
(a) lol, (b) I work endless hours, I was tired, I was meeting with a reporter on my third dinner of the night. I know people like to yell “omg you think you’re so important” — I have a good friend who always says “omg i’m @austinheap” to me. I had a flight leaving that evening, it was a pure scheduling issue. Not the lols you’re trying to spin it into, but I applaud your attempt to do so and Newsweek’s effort at making it seem like I’m the most in-demand person in DC.
I’m trying to raise awareness of Internet freedom in DC among our policy makers. As you may know, nothing happens in DC, so we can use all the support we can get. So can the Internet as a whole.
31% of those with access to the Internet live under some form of Government-imposed censorship. More people should get involved. One warning I’d give them, though, is: watch out, a whole bunch of people with blogs are going to bitch you out every step of the way no matter what you do.
–
And it’s not just American media: The Guardian pronounced Heap to be “The Innovator of the Year” – personally I would have gone with “The Publicist of the Year” though – just check this photo - but then who am I to judge?
I learned my lesson: turn down every award offered. Their photo guy suggested the mouse cable stuff, I just complied. Again, lesson learned.
Who are you to judge? Are you actually asking or just using that phrase to play the victim card? You tell me, because I’m still wondering that.
–
So, in essence, the outside public – including Iranians – are asked to believe that a) Haystack software exists b) Haystack software works c) Haystack software rocks d) the Iranian government doesn’t yet have a copy of it, nor do they know that Haystack rocks & works.
(a) I’ll gladly meet you in person and prove it. (b) See A. (c) No one said that — can you source it? Haystack is an *alternative* to Tor, Freegate, Ultrasurf, Psiphon, etc. (d) We would never expect Haystack to *not* fall in the hands of the Iranian regime. That would be stupid.
–
On the contrary – I’m in the anecdotal mode – plenty of cryptologists on the mailing lists I am on seem to be extremely cautious/skeptical of what Haystack has (or, as is the case, doesn’t have) to offer.
Every smart person approaches every subject they don’t have full understanding about with cautious skepticism. I support that, it’s smart.
I have also reached out to multiple crypto/liberation technology mailing lists to try to answer questions they have about Haystack. If you would like to recommend others to reach out to, I’m all ears.
I’m also sad to know that you’re on the Stanford libtech group which I *JUST* reached out to try to clear up questions out of a desire to be more transparent with people I respect. Instead of contacting me when you had my contact info, you just ran on assumptions. I appreciate how some members of libtech were mature enough to say things like:
“I was too hasty in drawing conclusions from the incomplete information I had access to at the time.”
I like how I ended my e-mail to the group soliciting feedback and questions re: Haystack with:
“For those individual(s) on this list who have a history of being confrontational in order to grab attention, I won’t be responding to your emails. Grow up.”
Didn’t even have you in mind at that point!
–
To me, it seems like a no-brainer: if you want to distribute technology that may endanger lives, make sure that the technology is secure.
It *is* a no-brainer. That’s why we’re taking our time to make sure we do things as safe as possible. We don’t *ever* want to put anyone at risk. The last thing I want is blood on our hands.
For what it’s worth, the most popular anti-censorship tool in the world, Freegate, is also closed source and does not invite outside experts to review their code. They’ve done a pretty amazing job in China. I look up to them on a lot of issues.
–
Second – and here I’m only speaking from my own Belarusian experience – it’s naive to believe that the human networks that Haystack supposedly relies on to distribute the software won’t be penetrated and compromised by the Iranian authorities.
No one said that — again, source? We don’t think Haystack’s security is based on a person-to-person trust network, we’re just using that to control growth and our network of testers. There’s no efficient way to test everything we’re doing with the general public. When Haystack moves to mass-market release, this will be different and we will not be relying on a human network. That’s just the stage we’re at in our growth plan — not a long term strategy like you’ve assumed/implied.
Again, I would like to know why you think our security plan is hinged on this or where you got that impression so I can correct it.
–
Yeah right. Maybe he should go work for the DOD – they need such people to deal with all those leaks.
For someone that bitches so much about trite press, you’ve mastered it.
–
the argument that the software needs to be hidden from authorities at all costs strikes me as untenable
As it should. And that’s why no one said that.
Haystack, as all intelligent anti-censorship tools, are built with *full knowledge* that it will one day fall into the hands of the opposition. We do not make that argument, so I’m confused as to why you’re insinuating I or someone involved in our organization did.
–
This may seem like unnecessary moralizing – but it’s hard to react otherwise when lives are at stake.
It’s the Nancy Grace approach! I was waiting to read “but what about the children” in your article.
–
And what kind of world are we living in when we expect technology expertise to be concentrated in US Treasury anyway?
You, sir, are the Fact Fairy. Where did you come up with just Treasury granted our entire license? It was Treasury Dept, State Dept and Commerce Dept. A little reading into sanction laws would have made that clear to anyone who can understand legalese. (Not that I could have 12 months ago, to be fair.)
–
And who gets to pay for all these? Bingo: the Iranians.
This, again, is why we’re taking our time to make sure we’ve crossed our Ts and dotted our Is — we don’t want to put people at risk. At this point, we’re not happy with the total state of the software, which is why we’re not putting *endless* people at risk.
So your point is well taken, but misguided and lacking understanding of how we’re moving the project forward.
–
…around the needs and demands of the US foreign policy.
Now you’ve got me pegged! I deal with all this bull shit because I want to push US foreign policy. My life has been taken over trying to make people like you happy. Trust me, I’d much rather go back to “fighting dragons” (I love how you make every dig you can, it’s really cute and shows tons of integrity) and not have to deal with this every damn day. But it’s something I believe in, and something I intend on seeing through.
–
Once again: I’ve got nothing against Haystack or Austin Heap per se.
So why didn’t you reach out and ask the questions you raised instead of babbling off factually incorrect nonsense? Just had a bad day and decided to do zero research?
–
What irks me is the way in which the limitations of the current discourse on Internet freedom - and the bizarre, completely non-transparent policies that it conceals – end up conferring unneeded legitimacy to Haystack’s flawed – for my taste, anyway – approach to fighting censorship.
Can you tell me or others what organizations you *do* support?
–
You can agree or disagree with how we run our project and our non-profit, that’s fine. What’s not okay is not having the facts and acting like you know what you’re talking about.
I don’t expect you to publish anything but your one side (because you clearly have no interest in doing that) but I thought it was at least worth it to respond directly to you out of professional courtesy.
I’d be glad to answer any questions you have about Haystack or Haystack conspiracies. Oh, did I tell you we have UFOs hidden in our basement? I also have Jesus Christ cryogenically frozen in my freezer; I keep him next to my Ben & Jerry’s. True story.
All bests,
Austin
Trolls, couldn’t exist without them.
I have always been a bit dubious about Haystack, simply because no independent review has been done of its chief claims. That said I also find resources like https://www.sesawe.net which lists similar censorship circumvention tools & services.
It is not possible to download Haystack and this seems far from the suggestion that such software should be open source, which would facilitate peer review and analysis.
I am equally dubious about many of the items listed at sesawe.net - most require users to trust a third party that have access to all users activities in much the same way an ISP would and nearly all of the technologies are US based.
Iran's Forgotten Cyber Warrior http://is.gd/dLWSE STILL imprisoned in inhumane conditions and refusing to participate in televised "confessions" http://www.iranhumanrights.org/2010/08/son-pressured-confession/ Hossein Ronaghi Maleki's facebook page NOT forgotten by the people he helped. http://www.facebook.com/khorramdin#!/khorramdin?v=wall PLEASE don't be complicit in forgetting the real heroes too. Sign his petition http://bit.ly/avGxxp
1. Haystack is an innovative innovation of the year that is going to help poor Iranian out of hell and Austin Heap is Neo!
2. If people start using Haystack Iranian Gov/Regime will just kill it and it won't work any more!
Sorry it wasn't inconsistency, it was just a joke! So who is joker?!
I can't understand why does media and gov believed his claim when there was nothing working at all!
It also reminds me of another joke:
Father : I want you to marry a girl of my choice
Son : I will choose my own bride!
Father: But the girl is Bill Gates’s daughter.
Son : Well, in that case… ok!
Next Father approaches Bill Gates.
Father: I have a husband for your daughter.
Bill Gates: But my daughter is too young to marry!
Father: But this young man is a vice-president of the World Bank.
Bill Gates: Ah, in that case… ok
Finally Father goes to see the president of the World Bank.
Father: I have a young man to be recommended as a vice-president.
President: But I already have more vice-presidents than I need!
Father: But this young man is Bill Gates’s son-in-law.
President: Ah, in that case… ok!
Evgeny Morozov, originally from Belarus, is a visiting scholar at Stanford and a Schwartz Fellow at the New America Foundation.