Jillian C. York

Jillian C. York is a writer and activist.

Tag: Haystack

Journalistic Verification, Amina Arraf, and Haystack

How did a Syrian blogger, who told beautiful and heartwrenching stories of life as a lesbian in Damascus, manage to trick so many people? How did an American software engineer, whose passion for the Iranian cause led him to build what he dubbed the safest of circumvention tools, do the same? The stories of Amina Arraf and Haystack contain odd parallels: Both took advantage of fervor around Middle Eastern uprisings, both had a grassroots formation of followers…and both thrived on the promotion of professional journalists, whose praise helped garner them support. Both were also absolutely sensational stories that may have caused journalists, otherwise scrutinizing, to discard their usual standards.

I’ve written extensively on the Haystack story, but to quickly re-cap: Circumvention tool comes out of nowhere, built by young, outspoken engineer. Wild claims about efficacy. Media picks up on the hype, young engineer wins awards, media builds the hype even further. Circumvention and censorship experts begin to raise doubts about the tool itself, eventually get ahold of it, tear it apart. Turns out it’s not as secure as the engineer–and by extension, the media–had hyped it to be.

In the case of Amina Arraf, her blog–Gay Girl in Damascus–gained a following amongst bloggers and Middle East enthusiasts, then was quickly catapulted into relative blogger stardom after a series of articles in prominent publications profiled her. Therefore, when on June 6, her “cousin Rania” posted to her blog that she had been kidnapped, the public was quick to believe it. It wasn’t until the next day, when Andy Carvin and others began to question the story, that the details started unraveling as the public quickly jumped in to sleuth the story.

So what made journalists cast aside their usual levels of scrutiny? Or, is it perhaps that journalists are not as careful as we trust them to be?

I would argue that the journalistic treatment of the Haystack story was far more problematic, not least because it was easier to verify: After all, the product’s engineer was based in the US. He was reachable by phone and traveled for several interviews and awards. Numerous journalists met him, and yet not one after questioned the security of the tool. In the case of Amina, the journalists (the pseudonymous “Kathryn Marsh” and Shira Lazar) who first profiled her should have seen red flags when they couldn’t get her on the phone, but they were also dealing with a situation in which digging too much could’ve put an already endangered woman in far more danger.

The Facebook page of "Amina Arraf", before it was removed

Nevertheless, the details laid out on Amina’s blog (parents’ and siblings’ names, place of birth) and her now-defunct Facebook account (over 100 photographs, numerous comments about her life) could have been checked up on. And the details in her blog that numerous Syrians have now picked apart (her father standing up to the mokhabarat, her spotting a Syrian woman in the Umayyad mosque wearing a Star of David) could have been scrutinized early on.

I asked Zeynep Tufekci, a colleague and friend who has written about both cases, for her take: “Arguably, Haystack was verifiable whereas it is never possible to completely verify Amina’s identity without somewhat endangering her. Haystack can and should be avoided and journalists should have done much better job re: Amina. But I’m not sure they can completely avoid a future Amina.”

Now, this is where I need to insert my own role in all of this: While I did not fall for the Haystack story (and was one of the earliest to question its veracity), I very much fell for Amina Arraf. Why? Well, first of all, I had spoken with her numerous times. Her knowledge of Syria stood up to my tests. Her personality in private conversation was consistent with her personality on the public blog. Friends claimed to know her (one even suggested she knew her “in real life” – looking back, the suggestion was rather vague, the boastfulness of someone who wants to get close to a story).

I was also late to believe she wasn’t real, and that, for me, is both easier and more painful to explain. It is also a story I hesitate to share, but one which continues to haunt me, as well as remind me every single day why I do what I do.

In 2009, I wrote a piece for the HuffPost entitled “Blogging in Iran: A Dangerous Prospect.” After writing the story, a young Iranian blogger named Omidreza Mirsayafi emailed me to tell me his story. He wrote:

When I see your post on the mentioned website, I became so happy that a journalist in other corner of world writes about the situations of Iranians journalist & bloggers and is concerned about us.

I don’t want talk about my past experiences because it saddens me. these days I’m so sad and I don’t know what to do. I was sentenced two years and six months in prison just for the contents of my blog. just for explain my ideas. many of journalist and bloggers and human rights activists got into trouble specially in last 4 years.Iran GOV heap scorn on the people of Iran specially the journalists, students, human rights & woman activists. We wish one day write in our blogs & papers trouble-free.

After this initial email, Omidreza and I exchanged a few more emails, and had a few chats. He even called me once. But new as I was to this scene, and owing to my own personal circumstances at the time, I didn’t do as much as I should, as much as he asked. On March 18, 2009, he died in Tehran’s Evin Prison. I wrote about it three days later, confessing my own guilt over having not said enough.

It is very much because of this story that I had–no, have–difficulty letting Amina’s story go. While her story has unraveled almost completely at this point, there’s still a small chance that the girl behind the blog was kidnapped. And even if she wasn’t, there is no doubt that thousands of Syrians have been imprisoned these past few months, hundreds killed. While Amina, if entirely fake, should not be the face of those Syrians, it’s so easy to ascribe her that role. We wanted to believe in her. We saw the beauty and tragedy in her stories and put her on a pedestal. Some have suggested it was because she was a lesbian, others have suggested it was her purported dual American citizenship. I don’t really believe it was either. Rather, it was the sense of courage we saw in her, to tell her story so loudly, that made us believe.

Guardian Award for Audacity, Not Innovation

The Guardian has finally spoken up about its awarding of “Innovator of the Year” to Austin Heap. Much credit to Charles Arthur for getting this story up, but I can’t say I’m all too impressed with Guardian News & Media’s head of media and tech:

Asked to comment, Steve Busfield, head of media and technology for Guardian News & Media (GNM), who chaired the 2010 MEGAS judging panel, said: “The MediaGuardian Innovator of the Year award is presented each year to someone who the judges consider has had the greatest impact on innovation in the media in the past 12 months. Austin Heap was chosen as this year’s winner as a result of his vision and unique approach to tackling a huge problem. It was his inventiveness and bravery which the judges sought to reward, rather than the Haystack software itself.”

As my friend Rebekah Heacock puts it, Austin Heap was awarded for his audacity, not for any actual innovation on his part.

The rest of the piece is quite good, touching on some of the most scathing criticism of Haystack by Appelbaum and Morozov. Interestingly, Arthur also notes:

Earlier this week the Guardian sent a list of questions about Haystack and its security to Heap; he said he would respond but missed his own deadline to do so, and had not responded despite a reminder as this article was written. At the time of writing, Heap has not updated his Twitter feed since Tuesday.

I’m sure Heap is being bombarded from numerous angles, but it’s interesting to me that he wouldn’t respond to the Guardian, arguably the magazine that brought him the most attention in the first place.

Haystack and Media Irresponsibility

Last summer, a circumvention tool was born, out of opportunity and a desire to help the Iranian people, who suffer from a rather pervasive form of Internet censorship.  The tool, it was promised, was “encrypted at such a level it would take thousands of years to figure out what you’re saying.”  As it turns out, it only takes may only take a couple of hours.

If you haven’t been following the controversy surrounding Haystack, you should probably check out this article by Evgeny Morozov for Foreign Policy’s Net Effect blog, which explains the security and ideological objections some folks are making to the tool.  Though Evgeny’s voice has perhaps been the loudest, it is also worth noting the important roles played by Jacob Appelbaum and Danny O’Brien (and possibly others) in bringing this situation to light.

Enough has been said at this point–much of which I agree with–about the tool itself, as well as its founders.  What I don’t think has been raised loudly enough is an objection to the manner in which the media handled the nascent tool.

Since last summer, plenty of people have raised questions about the media’s reporting on Haystack, and by extension, about the tool itself.  A number of people attempted to contact the tool’s creator, Austin Heap, to clarify some of the statements made in media reports.  As far as I’m aware, until very recently, he remained mostly unresponsive to such questions.  Thus, I think that the calling out that has happened over the course of the past week–by Evgeny, Jacob, Danny, and others, on private e-mail lists, and on Twitter, and in the media–is more than fair.

So what of the media’s role?  Haystack has been billed by the media since last summer as a wonder tool, a silver bullet for the Iranians who need desperately to evade censorship.  The truth is that, until this week, no one–neither the media nor the circumvention community–could actually vouch for Haystack one way or the other, because none of them actually saw a copy. No one was capable of speaking to the tool’s security or efficacy, and yet, a number of journalists did anyway.  From the top:

  • On June 16, 2009, a virtually unknown Austin Heap announced his intentions on Salon.com, stating that after 24 hours of offering relays to Iranians (whom he apparently found via Twitter), he was “receiving more than 2,000 simultaneous connections per second from Iran. When I woke up this morning, I had received more than 300 e-mails from volunteers trying to contribute and lighting the path forward for a movement that is both new and old.”
  • By the next day, Heap was big news, hyped in the BBC as “being on the front lines” of the “Twitter revolution.”
  • By August 6, 2009, Heap had made the following statement to the BBC regarding Haystack: “It’s completely secure for the user so the government can’t snoop on them. We use many anonymising steps so that identities are masked and it is as safe as possible so people have a safe way to communicate with the world”.  Heap also referred to Iran as a “nutty government” and stated that he saw building the tool as a “good vs. evil” issue.

At that point, there was nothing stated to imply that Haystack was in beta testing, or had only been offered to a few users.  The BBC’s implication, in reporting on Haystack alongside other circumvention tools such as Freegate, was that Haystack was in existence and actively helping Iranian users.  It was around this time also that the Censorship Research Center, a companion to Haystack, was created.  From its about page:

Traditional anti-censorship systems divert blocked traffic to servers located outside of the country. Haystack goes one step further: it uses innovative techniques to make blocked traffic look benign, rendering a user’s activity virtually undetectable. Haystack also has a cryptographic component which ensures that our users’ communications remain safe even if detected. The only way to block Haystack, we like to say, is to shut down the internet.

Journalists then began to announce that Haystack was nearly ready for a full launch:

  • On August 3, 2009, Iranian-American tech journalist Cyrus Farivar reported that Haystack was a mere few weeks away from being released: “[Austin Heap is] currently testing with a “handful” of users in Iran and hopes to distribute it more widely for release in the coming weeks.”

It’s worth noting that Farivar also wrote about Haystack for PBS Frontline’s Tehran Bureau, whilst failing to disclose his relationship to Haystack staffer/board member Babak Siavoshy (he disclosed it only this week, after prodding).  The relationship?  Farivar introduced Siavoshy, his cousin, to Heap.

From that point on, the majority of media reports took the same line, allowing Haystack employees to make outlandish claims about their tool without ever question the truthfulness of such claims or subjecting the tool to more rigorous analysis:

  • On February 18, 2010, in a New York Times op-ed, Roger Cohen made the case for Haystack to get an OFAC license and, to his credit, for a more general mass market license to become more readily available.  In that piece, he quoted Haystack employee (or board member?  it still remains unclear what the relationship is) Babak Siavoshy as saying, ““Double-click on Haystack and you browse the Internet anonymously and safely.  It’s encrypted at such a level it would take thousands of years to figure out what you’re saying.”
  • Shortly thereafter, on March 7, 2010, Mark Landler wrote in the New York Times that the State Department was considering applications for OFAC licenses, offering this line about Haystack: “Haystack uses mathematical formulas to disguise a user’s Internet traffic from official censors.”

The license was issued in March.  Note that at this point, journalists stopped relying on quotes from Heap, Siavoshy and Daniel Colascione, and simply decided that Haystack’s outrageous claims were fact.

Then came the Guardian’s Innovator of the Year Award, and a subsequent article in which it was claimed that Haystack:

“directed requests from computers in Iran through servers elsewhere in the world, hidden in a stream of innocent-looking traffic. They also devised technology to protect the identities of Haystack’s users. All this made it possible for people on the ground in Iran to reach blocked sites safely and securely, to organise inside the country and communicate with the world.”

The article also credited Haystack with raising awareness of Internet censorship in Iran, though it’s worth noting that the OpenNet Initiative’s 2009 report on Iran was released on June 16, 2009, before Haystack was created, and received ample attention from media (The Atlantic, Salon.com, and Forbes, to name just a handful).  The OpenNet Initiative* also released reports on Iranian Internet filtering in 2007, 2005, and 2004.

In a Guardian interview following the awards, in which the interviewer states that Haystack was “pretty important in opening up the Iranian Internet” in the aftermath of the 2009 elections (a statement we’ve established was patently false), Heap stated of the tool:

“It’s basically a piece of software that a user in Iran would run on their computer that does two primary things: the first thing is it encrypts all of the data, and the second thing is that it hides all of that data in what looks like normal traffic…like you’re visiting completely innocuous sites…”

Later in the interview, the interviewer says to Heap:

“What Haystack did in practice when it did find its way onto people’s computers was that it allowed them to load Twitter and Facebook and these blacklisted sites”

Heap then makes no attempt to correct the interviewer (who quite clearly stated Haystack as being used in 2009 post-elections), responding:

“Right, and I mean, it’s not just web traffic, it all of a sudden allowed people to make Skype calls back to their families securely…do basic things like send Gmail without worrying that someone’s doing a man-in-the-middle attack and steal their password or read their email…it allowed the random person to be a citizen journalist…”

Following the award, the media attention steadied, with brief articles and interviews occasionally making headlines, that is until a Newsweek profile of Heap emerged as the proverbial straw that broke the camel’s back.  Strangely, in the article, Heap admits that he knew virtually nothing about Iran or its Internet censorship a year ago (which makes his rise in the media to apparent expert all the more outrageous).

The article wasn’t all bad, focusing more on Heap’s desire to make a difference (totally commendable) than his apparent “expertise”, until you get to page 2:

The anti-censorship software is built on a sophisticated mathematical formula that conceals someone’s real online destinations inside a stream of innocuous traffic. You may be browsing an opposition Web site, but to the censors it will appear you are visiting, say, weather.com. Heap tends to hide users in content that is popular in Tehran, sometimes the regime’s own government mouthpieces. Haystack is a step forward for activists working in repressive environments. Other anti-censorship programs—such as Tor, Psiphon, or Freegate—can successfully hide someone’s identity, but censors are able to detect that these programs are being run and then work to disable the communication. With Haystack, the censors aren’t even aware the software is in use.

All stated as fact, and yet–as we now know–not necessarily true at all.

I certainly blame Heap and his partners–for making outlandish claims about their product without it ever being subjected to an independent security review, and for all of the media whoring they’ve done over the past year.

But I also firmly place blame on the media, which elevated the status of a person who, at best was just trying to help, and a tool which very well could have been a great thing, to the level of a kid genius and his silver bullet, without so much as a call to circumvention experts.

Why was this allowed to go on for so long, for a year, in fact?  While Heap and his partners were out pushing Haystack to the media, actual Iranian human beings were being used as lab rats, to test a product that could potentially put their very lives in danger.  Lest that sound like a stretch, remember that Haystack’s creators never granted access to circumvention and security experts, thus the media never had any proof of the tool’s existence, let alone its safety.

I want to know why the media was so quick to push this tool.  I want answers.

*Disclosure and disclaimer: I work at the Berkman Center (on various projects including the OpenNet Initiative), which is conducting research on various circumvention tools, and have done work for the Tor Project and Sesawe, but my views do not reflect the views of any of those organizations.  I personally remain fairly neutral toward most circumvention tools, so long as they are clear about their objectives and transparent about their abilities.  When I need to circumvent filtering, I use Tor, and occasionally Psiphon.

© 2018 Jillian C. York

Theme by Anders NorenUp ↑