Last summer, a circumvention tool was born, out of opportunity and a desire to help the Iranian people, who suffer from a rather pervasive form of Internet censorship. The tool, it was promised, was “encrypted at such a level it would take thousands of years to figure out what you’re saying.” As it turns out, it may only take a couple of hours.
If you haven’t been following the controversy surrounding Haystack, you should probably check out this article by Evgeny Morozov for Foreign Policy’s Net Effect blog, which explains the security and ideological objections some folks are making to the tool. Though Evgeny’s voice has perhaps been the loudest, it is also worth noting the important roles played by Danny O’Brien (and possibly others) in bringing this situation to light.
Enough has been said at this point–much of which I agree with–about the tool itself, as well as its founders. What I don’t think has been raised loudly enough is an objection to the manner in which the media handled the nascent tool.
Since last summer, plenty of people have raised questions about the media’s reporting on Haystack, and by extension, about the tool itself. A number of people attempted to contact the tool’s creator, Austin Heap, to clarify some of the statements made in media reports. As far as I’m aware, until very recently, he remained mostly unresponsive to such questions. Thus, I think that the calling out that has happened over the course of the past week–by Evgeny, Danny, and others, on private e-mail lists, and on Twitter, and in the media–is more than fair.
So what of the media’s role? Haystack has been billed by the media since last summer as a wonder tool, a silver bullet for the Iranians who need desperately to evade censorship. The truth is that, until this week, no one–neither the media nor the circumvention community–could actually vouch for Haystack one way or the other, because none of them actually saw a copy. No one was capable of speaking to the tool’s security or efficacy, and yet, a number of journalists did anyway. From the top:
- On June 16, 2009, a virtually unknown Austin Heap announced his intentions on Salon.com, stating that after 24 hours of offering relays to Iranians (whom he apparently found via Twitter), he was “receiving more than 2,000 simultaneous connections per second from Iran. When I woke up this morning, I had received more than 300 e-mails from volunteers trying to contribute and lighting the path forward for a movement that is both new and old.”
- By the next day, Heap was big news, hyped in the BBC as “being on the front lines” of the “Twitter revolution.”
- By August 6, 2009, Heap had made the following statement to the BBC regarding Haystack: “It’s completely secure for the user so the government can’t snoop on them. We use many anonymising steps so that identities are masked and it is as safe as possible so people have a safe way to communicate with the world”. Heap also referred to Iran as a “nutty government” and stated that he saw building the tool as a “good vs. evil” issue.
At that point, there was nothing stated to imply that Haystack was in beta testing, or had only been offered to a few users. The BBC’s implication, in reporting on Haystack alongside other circumvention tools such as Freegate, was that Haystack was in existence and actively helping Iranian users. It was around this time also that the Censorship Research Center, a companion to Haystack, was created. From its about page:
Traditional anti-censorship systems divert blocked traffic to servers located outside of the country. Haystack goes one step further: it uses innovative techniques to make blocked traffic look benign, rendering a user’s activity virtually undetectable. Haystack also has a cryptographic component which ensures that our users’ communications remain safe even if detected. The only way to block Haystack, we like to say, is to shut down the internet.
Journalists then began to announce that Haystack was nearly ready for a full launch:
- On August 3, 2009, Iranian-American tech journalist Cyrus Farivar reported that Haystack was a mere few weeks away from being released: “[Austin Heap is] currently testing with a “handful” of users in Iran and hopes to distribute it more widely for release in the coming weeks.”
It’s worth noting that Farivar also wrote about Haystack for PBS Frontline’s Tehran Bureau, whilst failing to disclose his relationship to Haystack staffer/board member Babak Siavoshy (he disclosed it only this week, after prodding). The relationship? Farivar introduced Siavoshy, his cousin, to Heap.
From that point on, the majority of media reports took the same line, allowing Haystack employees to make outlandish claims about their tool without ever questioning the truthfulness of such claims or subjecting the tool to more rigorous analysis:
- On February 18, 2010, in a New York Times op-ed, Roger Cohen made the case for Haystack to get an OFAC license and, to his credit, for a more general mass market license to become more readily available. In that piece, he quoted Haystack employee (or board member? it still remains unclear what the relationship is) Babak Siavoshy as saying, “Double-click on Haystack and you browse the Internet anonymously and safely. It’s encrypted at such a level it would take thousands of years to figure out what you’re saying.”
- Shortly thereafter, on March 7, 2010, Mark Landler wrote in the New York Times that the State Department was considering applications for OFAC licenses, offering this line about Haystack: “Haystack uses mathematical formulas to disguise a user’s Internet traffic from official censors.”
The license was issued in March. Note that at this point, journalists stopped relying on quotes from Heap, Siavoshy and Daniel Colascione, and simply decided that Haystack’s outrageous claims were fact.
“directed requests from computers in Iran through servers elsewhere in the world, hidden in a stream of innocent-looking traffic. They also devised technology to protect the identities of Haystack’s users. All this made it possible for people on the ground in Iran to reach blocked sites safely and securely, to organise inside the country and communicate with the world.”
The article also credited Haystack with raising awareness of Internet censorship in Iran, though it’s worth noting that the OpenNet Initiative’s 2009 report on Iran was released on June 16, 2009, before Haystack was created, and received ample attention from media (The Atlantic, Salon.com, and Forbes, to name just a handful). The OpenNet Initiative* also released reports on Iranian Internet filtering in 2007, 2005, and 2004.
In a Guardian interview following the awards, in which the interviewer states that Haystack was “pretty important in opening up the Iranian Internet” in the aftermath of the 2009 elections (a statement we’ve established was patently false), Heap stated of the tool:
“It’s basically a piece of software that a user in Iran would run on their computer that does two primary things: the first thing is it encrypts all of the data, and the second thing is that it hides all of that data in what looks like normal traffic…like you’re visiting completely innocuous sites…”
Later in the interview, the interviewer says to Heap:
“What Haystack did in practice when it did find its way onto people’s computers was that it allowed them to load Twitter and Facebook and these blacklisted sites”
Heap then makes no attempt to correct the interviewer (who quite clearly stated Haystack as being used in 2009 post-elections), responding:
“Right, and I mean, it’s not just web traffic, it all of a sudden allowed people to make Skype calls back to their families securely…do basic things like send Gmail without worrying that someone’s doing a man-in-the-middle attack and steal their password or read their email…it allowed the random person to be a citizen journalist…”
Following the award, the media attention steadied, with brief articles and interviews occasionally making headlines, that is until a Newsweek profile of Heap emerged as the proverbial straw that broke the camel’s back. Strangely, in the article, Heap admits that he knew virtually nothing about Iran or its Internet censorship a year ago (which makes his rise in the media to apparent expert all the more outrageous).
The article wasn’t all bad, focusing more on Heap’s desire to make a difference (totally commendable) than his apparent “expertise”, until you get to page 2:
The anti-censorship software is built on a sophisticated mathematical formula that conceals someone’s real online destinations inside a stream of innocuous traffic. You may be browsing an opposition Web site, but to the censors it will appear you are visiting, say, weather.com. Heap tends to hide users in content that is popular in Tehran, sometimes the regime’s own government mouthpieces. Haystack is a step forward for activists working in repressive environments. Other anti-censorship programs—such as Tor, Psiphon, or Freegate—can successfully hide someone’s identity, but censors are able to detect that these programs are being run and then work to disable the communication. With Haystack, the censors aren’t even aware the software is in use.
All stated as fact, and yet–as we now know–not necessarily true at all.
I certainly blame Heap and his partners–for making outlandish claims about their product without it ever being subjected to an independent security review, and for all of the media whoring they’ve done over the past year.
But I also firmly place blame on the media, which elevated the status of a person who, at best, was just trying to help, and a tool which very well could have been a great thing, to the level of a kid genius and his silver bullet, without so much as a call to circumvention experts.
Why was this allowed to go on for so long, for a year, in fact? While Heap and his partners were out pushing Haystack to the media, actual Iranian human beings were being used as lab rats, to test a product that could potentially put their very lives in danger. Lest that sound like a stretch, remember that Haystack’s creators never granted access to circumvention and security experts, thus the media never had any proof of the tool’s existence, let alone its safety.
I want to know why the media was so quick to push this tool. I want answers.
*Disclosure and disclaimer: I work at the Berkman Center (on various projects including the OpenNet Initiative), which is conducting research on various circumvention tools, and have done work for the Tor Project and Sesawe, but my views do not reflect the views of any of those organizations. I personally remain fairly neutral toward most circumvention tools, so long as they are clear about their objectives and transparent about their abilities. When I need to circumvent filtering, I use Tor, and occasionally Psiphon.