
Haystack and Media Irresponsibility

Last summer, a circumvention tool was born, out of opportunity and a desire to help the Iranian people, who suffer from a rather pervasive form of Internet censorship.  The tool, it was promised, was “encrypted at such a level it would take thousands of years to figure out what you’re saying.”  As it turns out, it may only take a couple of hours.

If you haven’t been following the controversy surrounding Haystack, you should probably check out this article by Evgeny Morozov for Foreign Policy’s Net Effect blog, which explains the security and ideological objections some folks are making to the tool.  Though Evgeny’s voice has perhaps been the loudest, it is also worth noting the important roles played by Danny O’Brien (and possibly others) in bringing this situation to light.

Enough has been said at this point–much of which I agree with–about the tool itself, as well as its founders.  What I don’t think has been raised loudly enough is an objection to the manner in which the media handled the nascent tool.

Since last summer, plenty of people have raised questions about the media’s reporting on Haystack, and by extension, about the tool itself.  A number of people attempted to contact the tool’s creator, Austin Heap, to clarify some of the statements made in media reports.  As far as I’m aware, until very recently, he remained mostly unresponsive to such questions.  Thus, I think that the calling out that has happened over the course of the past week–by Evgeny, Danny, and others, on private e-mail lists, and on Twitter, and in the media–is more than fair.

So what of the media’s role?  Haystack has been billed by the media since last summer as a wonder tool, a silver bullet for the Iranians who need desperately to evade censorship.  The truth is that, until this week, no one–neither the media nor the circumvention community–could actually vouch for Haystack one way or the other, because none of them actually saw a copy. No one was capable of speaking to the tool’s security or efficacy, and yet, a number of journalists did anyway.  From the top:

  • On June 16, 2009, a virtually unknown Austin Heap announced his intentions on Salon.com, stating that after 24 hours of offering relays to Iranians (whom he apparently found via Twitter), he was “receiving more than 2,000 simultaneous connections per second from Iran. When I woke up this morning, I had received more than 300 e-mails from volunteers trying to contribute and lighting the path forward for a movement that is both new and old.”
  • By the next day, Heap was big news, hyped in the BBC as “being on the front lines” of the “Twitter revolution.”
  • By August 6, 2009, Heap had made the following statement to the BBC regarding Haystack: “It’s completely secure for the user so the government can’t snoop on them. We use many anonymising steps so that identities are masked and it is as safe as possible so people have a safe way to communicate with the world”.  Heap also referred to Iran as a “nutty government” and stated that he saw building the tool as a “good vs. evil” issue.

At that point, there was nothing stated to imply that Haystack was in beta testing, or had only been offered to a few users.  The BBC’s implication, in reporting on Haystack alongside other circumvention tools such as Freegate, was that Haystack was in existence and actively helping Iranian users.  It was around this time also that the Censorship Research Center, a companion to Haystack, was created.  From its about page:

Traditional anti-censorship systems divert blocked traffic to servers located outside of the country. Haystack goes one step further: it uses innovative techniques to make blocked traffic look benign, rendering a user’s activity virtually undetectable. Haystack also has a cryptographic component which ensures that our users’ communications remain safe even if detected. The only way to block Haystack, we like to say, is to shut down the internet.

Journalists then began to announce that Haystack was nearly ready for a full launch:

  • On August 3, 2009, Iranian-American tech journalist Cyrus Farivar reported that Haystack was a mere few weeks away from being released: “[Austin Heap is] currently testing with a “handful” of users in Iran and hopes to distribute it more widely for release in the coming weeks.”

It’s worth noting that Farivar also wrote about Haystack for PBS Frontline’s Tehran Bureau, whilst failing to disclose his relationship to Haystack staffer/board member Babak Siavoshy (he disclosed it only this week, after prodding).  The relationship?  Farivar introduced Siavoshy, his cousin, to Heap.

From that point on, the majority of media reports took the same line, allowing Haystack employees to make outlandish claims about their tool without ever questioning the truthfulness of such claims or subjecting the tool to more rigorous analysis:

  • On February 18, 2010, in a New York Times op-ed, Roger Cohen made the case for Haystack to get an OFAC license and, to his credit, for a more general mass market license to become more readily available.  In that piece, he quoted Haystack employee (or board member?  it still remains unclear what the relationship is) Babak Siavoshy as saying, “Double-click on Haystack and you browse the Internet anonymously and safely.  It’s encrypted at such a level it would take thousands of years to figure out what you’re saying.”
  • Shortly thereafter, on March 7, 2010, Mark Landler wrote in the New York Times that the State Department was considering applications for OFAC licenses, offering this line about Haystack: “Haystack uses mathematical formulas to disguise a user’s Internet traffic from official censors.”

The license was issued in March.  Note that at this point, journalists stopped relying on quotes from Heap, Siavoshy and Daniel Colascione, and simply decided that Haystack’s outrageous claims were fact.

Then came the Guardian’s Innovator of the Year Award, and a subsequent article in which it was claimed that Haystack:

“directed requests from computers in Iran through servers elsewhere in the world, hidden in a stream of innocent-looking traffic. They also devised technology to protect the identities of Haystack’s users. All this made it possible for people on the ground in Iran to reach blocked sites safely and securely, to organise inside the country and communicate with the world.”

The article also credited Haystack with raising awareness of Internet censorship in Iran, though it’s worth noting that the OpenNet Initiative’s 2009 report on Iran was released on June 16, 2009, before Haystack was created, and received ample attention from media (The Atlantic, Salon.com, and Forbes, to name just a handful).  The OpenNet Initiative* also released reports on Iranian Internet filtering in 2007, 2005, and 2004.

In a Guardian interview following the awards, in which the interviewer states that Haystack was “pretty important in opening up the Iranian Internet” in the aftermath of the 2009 elections (a statement we’ve established was patently false), Heap stated of the tool:

“It’s basically a piece of software that a user in Iran would run on their computer that does two primary things: the first thing is it encrypts all of the data, and the second thing is that it hides all of that data in what looks like normal traffic…like you’re visiting completely innocuous sites…”

Later in the interview, the interviewer says to Heap:

“What Haystack did in practice when it did find its way onto people’s computers was that it allowed them to load Twitter and Facebook and these blacklisted sites”

Heap then makes no attempt to correct the interviewer (who quite clearly stated Haystack as being used in 2009 post-elections), responding:

“Right, and I mean, it’s not just web traffic, it all of a sudden allowed people to make Skype calls back to their families securely…do basic things like send Gmail without worrying that someone’s doing a man-in-the-middle attack and steal their password or read their email…it allowed the random person to be a citizen journalist…”

Following the award, the media attention steadied, with brief articles and interviews occasionally making headlines, that is until a Newsweek profile of Heap emerged as the proverbial straw that broke the camel’s back.  Strangely, in the article, Heap admits that he knew virtually nothing about Iran or its Internet censorship a year ago (which makes his rise in the media to apparent expert all the more outrageous).

The article wasn’t all bad, focusing more on Heap’s desire to make a difference (totally commendable) than his apparent “expertise”, until you get to page 2:

The anti-censorship software is built on a sophisticated mathematical formula that conceals someone’s real online destinations inside a stream of innocuous traffic. You may be browsing an opposition Web site, but to the censors it will appear you are visiting, say, weather.com. Heap tends to hide users in content that is popular in Tehran, sometimes the regime’s own government mouthpieces. Haystack is a step forward for activists working in repressive environments. Other anti-censorship programs—such as Tor, Psiphon, or Freegate—can successfully hide someone’s identity, but censors are able to detect that these programs are being run and then work to disable the communication. With Haystack, the censors aren’t even aware the software is in use.

All stated as fact, and yet–as we now know–not necessarily true at all.

I certainly blame Heap and his partners–for making outlandish claims about their product without it ever being subjected to an independent security review, and for all of the media whoring they’ve done over the past year.

But I also firmly place blame on the media, which elevated the status of a person who, at best, was just trying to help, and a tool which very well could have been a great thing, to the level of a kid genius and his silver bullet, without so much as a call to circumvention experts.

Why was this allowed to go on for so long, for a year, in fact?  While Heap and his partners were out pushing Haystack to the media, actual Iranian human beings were being used as lab rats, to test a product that could potentially put their very lives in danger.  Lest that sound like a stretch, remember that Haystack’s creators never granted access to circumvention and security experts, thus the media never had any proof of the tool’s existence, let alone its safety.

I want to know why the media was so quick to push this tool.  I want answers.

*Disclosure and disclaimer: I work at the Berkman Center (on various projects including the OpenNet Initiative), which is conducting research on various circumvention tools, and have done work for the Tor Project and Sesawe, but my views do not reflect the views of any of those organizations.  I personally remain fairly neutral toward most circumvention tools, so long as they are clear about their objectives and transparent about their abilities.  When I need to circumvent filtering, I use Tor, and occasionally Psiphon.

93 replies on “Haystack and Media Irresponsibility”

I want answers as to why you guys are so worked up about someone falsely promoted as a “hero” of the Iranian democratic movement’s activity on the web whilst forgetting to promote the ACTUAL heroes. Iran’s Forgotten Cyber Warrior http://is.gd/dLWSE STILL imprisoned in inhumane conditions and refusing to participate in televised “confessions” http://www.iranhumanrights.org/2010/08/son-pressured-confession/ Hossein Ronaghi Maleki’s facebook page http://www.facebook.com/khorramdin#!/khorramdin?v=wall Not forgotten by the people he helped. Please sign and spread his petition http://bit.ly/avGxxp MA BISHOMARIM (we are countless)

While I’ve admitted my mistake, with all due respect, Jillian, I’d like to point out a few things:

a) “As it turns out, it only takes a couple of hours.” The way you’ve written this implies that Haystack’s encryption mechanism has been cracked in a few hours. Is this the case?

b) Call me a Haystack apologist if you like, but don’t you think it’s a bit much to charge Heap/Haystack with “media whoring”? On what basis do you make this claim? As someone who was (and still is) very interested in what Heap is doing and having spent a lot of time with Heap, I can tell you that I don’t think Heap is trying to push his story to the media more so than that people who hear about it are intrigued. (I sure was.) Just because a lot of media outlets cover a story doesn’t make the subject a “media whore” nor makes him guilty of “pushing Haystack to the media.”

c) I disagree with your assessment that “neither the media nor the circumvention community–could actually vouch for Haystack one way or the other, because none of them actually saw a copy.” At least for my part, I did see one of the first copies of Haystack demonstrated, as I mentioned in my blog post. But as I also mentioned, I don’t have any way of proving or disproving that Haystack does what Heap claims that it does. I think that most journalists (myself included), even if they were given a copy of Haystack would have not had the knowledge nor ability to determine that Haystack does what Heap claims.

d) While I agree with your assessment that the media could have done a better job of raising questions about potential flaws and pointing out the fact that Haystack has not been reviewed independently by anyone in the security community, I don’t think that merely covering it constitutes “pushing this tool.”

Best,

-C

Hi Cyrus,

Thanks for your comment. I know you admitted your mistake, and I’m glad you did. At the same time, you’re the only journalist who has done so, thus I think it’s entirely fair to continue harping on this.

a) Bad hyperbole that I edited to say “may take only a few hours.” Certainly doesn’t take a thousand years, and definitely takes less than a week. My understanding at this point is that the tool is badly broken, but I’m sure we’ll hear more on that later. Neither you nor I have the abilities, as far as I know, to determine that for ourselves anyway.

b) I do think that what Heap has been doing is marketing, or as I prefer to call it “media whoring.” Heap’s first Salon.com piece appears to be the impetus for the later attention he was given by journalists. I also think it’s incredibly dangerous to hype up a tool with false sentiments when real human lives are involved.

c) As far as I’m aware, the tool was not made available to any expert technologists in the circumvention community, despite them asking to see it. Most journalists, as you mentioned, do not have the ability to assess the tool properly, therefore, they should not have made such outrageous claims about it without speaking with aforementioned security experts.

d) Giving Austin Heap the “Innovator of the Year” award is a clear instance of the media (the Guardian) pushing the tool. Stating Heap’s claims about Haystack as objective facts is pushing the tool. I have never seen another circumvention tool generate as much hyperbolic media coverage as Haystack has. I’m compelled to ask why.

Best,
Jillian

a) Where does this “understanding” come from?

b) I’m not convinced that the Salon piece set in motion an entire avalanche of stories about Heap. I know I first heard about Heap after I read a profile about him in the SF Chronicle in June 2009 and didn’t even see the Salon piece until much later. Also, just to be clear, that Salon piece wasn’t referring to Haystack at all, but rather Heap’s initial efforts to create proxy servers for people inside of Iran.

c) Agreed.

d) I highly doubt that those who gave him the award (probably the marketing department at The Guardian) were the same people who actually wrote the stories on him for that newspaper (editorial), even if they work for the same media outlet. But I realize that that distinction may not be as clear for people who don’t work in the media nor for the public at large.

Another question: have you contacted any of the journalists who penned some of these pieces directly and asked them about their approach to covering Haystack? If so, what has been their response? If not, why not?

Thanks,

-C

a) The understanding comes from Jacob Appelbaum and Danny O’Brien’s comments on the tool as they’ve reviewed it so far. I believe one or both will be writing more publicly on that soon. If I/they are wrong, great! But I somehow doubt it.

b) I realize that the original Salon piece did not refer to Haystack, however, it certainly brought Heap into the public/mainstream eye. Salon is a bit more global, or at least national, than the SF Chronicle.

d) I am aware of that, but agree with you that the public likely does not make that distinction. I didn’t, at first.

No, I have not contacted the journalists; this was intended as an initial media review of what has been said about Haystack. It is also a blog post, not deeply researched reporting for a newspaper (though I sense that it’s more deeply researched than most journalists’ writing on Haystack has been).

For the record: I was the one who got hold of Haystack’s code and passed it on to Jacob Appelbaum for review. It took me a few hours of investigative journalism – mostly on the phone – to get access to it. I don’t buy the argument that the code was hard to find/obtain. Just my two cents

I also think there should be someone contacting HBO for the role of Haystack in that video and the claims that are made in that documentary by Austin Heap so there can be a retraction or correction statement issued by HBO to set the record straight since that documentary is a part of history and now has some credibility issues due to his statements.

(1) Great post, and I’m broadly in agreement that media boosterism was out of hand here. In the longer term, I would like to see more context in the media about the risks to users of circumvention in heavily monitored environments. That might come from circumvention and global free speech experts pushing hard on the mixed bag that some of these methods present. Circumvention can be enabling, but organizers and activists are not absolved of risk. Berkman experts know this, but convincing journalists to write it is another job entirely.

(2) One quibble regarding the Guardian interview. As a former/recovering journalist, I would say that you can’t indict Heap for his “responses” to the “questions” in a Q&A format. Even if Heap was quoted verbatim, which one must always question, it is near universal practice in especially magazine Q&A formats to change the questions and cut the discussion dramatically. Surprisingly to me, this is considered acceptable by journo-ethicists and was even taught as the “right” way to go in my magazine writing course at a pretty famous journalism school. So, on the specific point of going along with an interviewer’s mistaken impression that Haystack played a role in 2009, Heap’s culpability would be in question.

Hi Graham,

Thank you for your comment; to your second point, however, I would like to clarify that the quotes from the Guardian interview were transcribed from the video, which I linked to in the post. There was no change of questions, it was a live, recorded interview.

Best,
Jillian

Jillian– Well, here’s admitting I didn’t click through to all the links. I stand corrected, and appreciate the effort to transcribe. And in _that_ case, those statements really do seem pretty damning in terms of integrity. –Graham

For anyone remotely interested in the area it was obvious from the start that this software is at best a ploy to get publicity or at worst a way to wiretap Iranians. Come on, software with no source code, no explanations how it works, very unclear what it would improve on existing software, and best of all this guy no one has heard about that in a stroke of genius solves everyone’s problems. Except he can’t talk about it.

There is simply no excuse whatsoever that any media reported on this gimmick. Any one computer geek could have told you so. Censorship avoidance and cryptography is a very common interest shared in these circles and a lot of very smart people have given it a lot of thought. One phone call could have given you all the background you need. There’s no need to hide that facts are simply irrelevant when it comes to media reports, the story is all that matters.

Concerning the implication as to whether Haystack’s encryption is or has been broken, may also miss the point that its purpose may just have been compromised whilst leaving its underlying cryptography intact. Such as the example discussed below:

Successful Attack Against a Quantum Cryptography System
Quantum cryptography is often touted as being perfectly secure.
http://www.schneier.com/blog/archives/2010/09/successful_atta.html

Therefore just as anyone can develop tools to circumvent online censorship, it is highly likely that it will also attract many to circumvent its advertised benefits just for sport or darker intent.


Thank you for the informative post, Jillian. I learned that there is such a thing called Haystack’s encryption from you! Thank you once again for letting us all know :) Cheers!
