For anybody who writes about web censorship and finding ways around it, the lesson in this story is that skepticism towards new-found tools is vital. We’ve all been guilty of prematurely celebrating a piece of software that may help a dissident in Iran or China. Beware:
A piece of software called Haystack, which claimed to be an “anti-censorship” system to let people in Iran use the internet anonymously, has been withdrawn by its author after experts raised serious questions about its security.
The author, Austin Heap, a 26-year-old programmer from San Francisco, has been roundly criticised by professionals who complain that he has never allowed them access to the program’s code – which they say is a necessity with security software to check whether it can do what it claims.
After having obtained access by other means, the experts now say that instead of making users anonymous, it could reveal key information about them to the Iranian authorities.
In a post on his blog on Monday, Heap says that in the “vigorous debate” about Haystack’s security “many of the points made were valid” and that users have been asked to stop using it.
Daniel Colascione, who worked with Heap and says he came up with the “Haystack” name, tweeted on Tuesday that the Censorship Research Center (CRC) that he co-created with Heap to host Haystack is now being wound down. But he also maintained that the software that has been criticised was not intended for widespread use, and was only a test version.
In March the US government granted Haystack an export licence, required for “sensitive” cryptographic software, following a fast-track approval process which does not seem to have included independent verification of its security.
Haystack, and Heap, won plaudits from a number of organisations after the software’s release last year. Its genesis followed the Iranian protests at the presidential election there in 2009, which was widely felt to have been rigged. Many people there tried to use mobile phones and services such as Twitter to organise protests, but there were also fears they could be traced by the authorities, using software in mobile transmission systems sold by western companies such as Nokia.
The idea of Haystack was to make communications by its users look like innocent – rather than sensitive – information. Heap developed it so that Iranian users could use email and web services such as Twitter without the Iranian authorities being able to trace them.
However, suspicions about the software’s robustness for anonymous use began to grow after people inside Iran started testing it. They reported that it could not get through the content-filtering firewall put up by the government there.