Hay-what?

If the world of non-profit technology had its own stock exchange, I'd recommend buying lots of stock in Haystack, a censorship-circumvention software put together by California-based Censorship Research Center in order to help Iranians evade their government's control of the Internet.

Haystack's story makes for great Hollywood material: Bay Area technologists who serendipitously discover that there is a bloody and violent world beyond Silicon Valley -- the one where people rebel, fight, and die for real and not just as part of some new Facebook game -- decide to dedicate themselves to the fight against authoritarian evil with the help of -- you guessed it! -- the Internet. They are the ones putting "Twitter" into the "Twitter Revolution"! And you too can abet their fight: they've got a whole two Donate buttons on their website!

Not surprisingly, Haystack has been all over the media in the last few months -- most recently in Newsweek -- with its founder Austin Heap getting quite a bit of attention from journalists and policymakers alike. This is, for example, what the ever-modest Heap told Newsweek: "Tomorrow I meet with [Sens. John] McCain, [Bob] Casey, maybe [Carl] Levin, but I don’t know if I will have enough time." (Apparently, the senators have become much more tech-savvy since I left town; perhaps, this comes with age.) And it's not just American media: The Guardian pronounced Heap to be "The Innovator of the Year" -- though personally I would have gone with "The Publicist of the Year," just check this photo -- but then who am I to judge? (Moi -- I am only invited to opine on the Snark of the Year Awards.)

I like Hollywood as much as the next guy -- and yet something just doesn't feel right about Haystack. What really bothers me is that one cannot download and examine their software; as far as the Internet is concerned, Haystack doesn't exist. In fact, Heap says that it is only distributed to trusted contacts inside Iran; putting it online would create a situation where the government could easily get hold of it as well and then reverse-engineer it or ban it or find a way to track its users.

So, in essence, the outside public -- including Iranians -- are asked to believe that a) Haystack software exists, b) Haystack software works, c) Haystack software rocks, and d) the Iranian government doesn't yet have a copy of it, nor do they know that Haystack rocks & works. (And who could fault them for not reading Newsweek? I certainly can't). For someone with my Eastern European sensibilities, that's a lot of stuff to believe in. Even Santa -- we call him Ded Moroz -- appears more plausible in comparison. 

While I don't dispute Heap's right to do whatever he wants with his software, it still strikes me as a very dangerous approach to empowering ordinary Iranians. First of all, the fact that no one can download and test it means that its flaws and vulnerabilities may remain unexposed for a far longer period of time than otherwise (I'm not trying to pull a Bruce Schneier but it may be useful to check this, for example). I'm not a cryptologist, but I've yet to meet one who thinks that Heap's approach is justified. On the contrary -- I'm in the anecdotal mode -- plenty of cryptologists on the mailing lists I am on seem to be extremely cautious/skeptical of what Haystack has (or, as is the case, doesn't have) to offer. 

While I don't doubt Austin Heap's noble intentions, the world is not exactly running short on well-meaning Americans wreaking havoc on everything they touch. I propose that Haystack should first be tested on some friendly people with a nice government -- say Canadians. They seem like a good bunch who won't imprison their dissidents; Iran, on the other hand, seems like the worst possible testing ground for Heap's new method -- even if it works. So I say -- Go Canada! -- or stay home.

To me, it seems like a no-brainer: if you want to distribute technology that may endanger lives, make sure that the technology is secure. The only good way that I know of to make sure that it's secure is to let outsiders test it. All this stuff about cats and mice quoted in the Newsweek piece -- I am yet to see Patrick Meier quoted in the context of authoritarian states without invoking that zoo-inspired analogy -- does not exactly sound very convincing, especially given that I like to define mice as "animals eaten by cats".

Second -- and here I'm only speaking from my own Belarusian experience -- it's naive to believe that the human networks that Haystack supposedly relies on to distribute the software won't be penetrated and compromised by the Iranian authorities. What are they -- a bunch of losers? Well-funded and powerful NGOs -- I'm not pointing any fingers here -- have their Iranian offices penetrated and their staff arrested, and here we have some guy from the Bay Area who is building the most secure -- even infallible -- network in Iran. Yeah right. Maybe he should go work for the DOD -- they need such people to deal with all those (wicked-) leaks.

So, helping you cut through the cynicism, the argument that the software needs to be hidden from authorities at all costs strikes me as untenable; the only assumption I'm prepared to tolerate in the context of authoritarian states is that no software will remain hidden. Moreover, if the government does manage to get hold of Haystack and it is, indeed, so easy to break into that it needs to be guarded, then lives of Haystack users are at risk as well.

So my question to all those journalists penning admiring articles about Haystack: have you guys actually seen the software? Have you tested how it works? Are you sure that those who use it are not automatically getting a free holiday in Evin prison? Or have you all been sweet-talked into covering a fancy piece of code that -- drumroll here -- "undermines authoritarianism" -- without ever bothering to think of its downsides? This may seem like unnecessary moralizing, but it's hard to react otherwise when lives are at stake.

Now, there is no shortage of dumb and incompetent journalists writing about technology, and most politicians have no clue about encryption or censorship-circumvention technologies; expecting John McCain to show nuance and sophistication in discussing Haystack -- let alone Iran -- well, let's just say it's not going to happen.

But elected politicians and the media are one thing; bureaucrats are another. The latter are being paid to be experts rather than talking heads who think in tweets or sound bites. And so far, the bureaucrats have failed badly. In particular, what bothers me the most is the way in which the current process by which the U.S. government regulates the export of technologies like Haystack to Iran ends up conferring indirect legitimacy to the software.

To recap: American entities cannot export most censorship-circumvention technology to Iran without first obtaining a license from the government. Earlier this year Haystack was granted such a license -- something that was widely publicized by Haystack and something that even Hillary Clinton mentioned in one of her interviews (curiously, a month before Haystack announced it). Score one for Internet freedom.

Now, I'd very much like to imagine that Treasury officials who granted Haystack the license also happen to be uber-genius whitehat hackers who subjected the software to all sorts of security tests before making up their minds -- and yet, somehow I can't really believe that. Can you? And what kind of world do we live in if we expect technology expertise to be concentrated in the U.S. Treasury Department? Last time I checked they still didn't know why all those flash trades went berserk a few months ago...

Given how much noise Haystack has made in the media -- see this column by Roger Cohen as an example -- it's quite likely that the granting of any such license is a process marred by political pressure, especially from the hawkish part of the Washington establishment who would really like to use the Internet as a powerful weapon to be used against the Iranian regime. 

Nothing new here -- except the fact that having such a license makes Haystack look like a tool that has been properly vetted by the U.S. government. My fear is that it hasn't been properly vetted at all -- not on its security merits anyway -- but I doubt that either journalists, who are all too quick to pen another admiring piece about Haystack, or politicians, who finally found a way -- they think! -- to put Ahmadinejad in the corner, get this big picture. The end result is that Haystack gets a very good platform to work in Iran, regardless of how insecure their technology might be. And who gets to pay for all this? Bingo: the Iranians.

I am even sure there are plenty of conservative -- and maybe even some liberal -- foundations who would be happy to fund Haystack's work right now without ever asking to test-drive the software. Good job, guys: it's like funding an automobile where the independent third-party mechanics are not allowed to inspect the brakes. Even the U.S. Treasury folks, patriotic as they are, won't ever drive this vehicle.

Now, I don't have anything against Austin Heap; for all I care, he may be just another nice guy -- apparently, there are many of them in the Bay Area -- who, in between shooting the dragons in his favorite game, just wants to help Iranians. He's not the first; he's not the last. God bless him. There will always be plenty of entrepreneurs eager to build a business of some kind -- whether it pays in reputation or big bucks is another matter -- around the needs and demands of U.S. foreign policy. I don't think even my powerful blog can ever end this practice, so I'm okay with the fact that Haystack will be around as long as Blackwater is around (or XE or whatever other new name they want to stick upon themselves today). 

What I really want to know is this: who in the U.S. government was so smart as to grant Haystack this license? Can we actually see the name of that person somewhere on Treasury's website? Let me break the news: we can't -- there is nothing about Haystack on the site. Another victory for transparency in the Obama administration! But this is something that I do want to know -- for this person (along with a bunch of irresponsible journalists -- luckily those still have bylines) should and would be held responsible if some of Haystack's users are arrested by the Iranian police.

Once again: I've got nothing against Haystack or Austin Heap per se. What irks me is the way in which the limitations of the current discourse on Internet freedom -- and the bizarre, completely non-transparent policies it conceals -- end up conferring unneeded legitimacy to Haystack's flawed (for my taste, anyway) approach to fighting censorship. Some things, perhaps, are better left unfought -- especially if the fight makes everyone but the fighters considerably worse off. 

p.s. The Newsweek piece also contains this gem of a quote from Austin Heap, which captures what's wrong with Haystack better than I ever could hope for:

"I hope we are ready to take on the next country... We will systematically take on each repressive country that censors its people. We have a list. Don't piss off hackers who will have their way with you. A mischievous kid will show you how the Internet works."

How do I say "no, thanks"? 
