Haystack had to leap several bureaucratic hurdles to become operational. Because of U.S. sanctions on Iran, any American entity—such as Heap's Censorship Research Center—that wants to export goods to the country is supposed to go through a rigorous review process. The exporter also must be granted a special license by the Office of Foreign Assets Control at the U.S. Treasury Department, with the Departments of State and Commerce often having a part to play as well. According to that August Newsweek article, Haystack "caught the attention of the State Department, and it was fast-tracked for speedy approval." While a State Department official told me no such "fast-tracking" took place, it seems impossible that any government agency examined Haystack's claims closely or that anyone with knowledge of computer security scrutinized the software. (My partner-in-crime, Jake Appelbaum, found faults in Haystack's code in just six hours, and he confessed to having done this "while suffering from a wicked hangover on a Sunday afternoon.") Given that Haystack was granted a valuable license—and given the fact that its intended users were vulnerable Iranian dissidents—this is shocking negligence.
Most likely, we'll never know the exact details of Haystack's review process, as anything related to Iranian sanctions is clouded in secrecy and ambiguity. (It doesn't help that OFAC is exempt from some crucial Freedom of Information Act regulations and is not obliged to release any information about the individual cases it reviews.) That's unfortunate, because it was the government licensing process that gave Haystack much of its legitimacy. As a Censorship Research Center press release explained: "Haystack is the first anti-censorship tool developed specifically for Iran and built to target the methods that Iran uses to filter the Internet. The CRC is the only organization licensed to export such software to Iran."
It didn't matter that there were other, more-advanced censorship-fighting tools on the market, or that Haystack was little more than a raw piece of code. Austin Heap had the license, and nobody else did. It's a good thing Haystack collapsed in such an embryonic stage, before it could grab even more of the spotlight—and, just as important, grab even more funding—from other, worthier tools.
Still, the government's shoddy review process has done damage that will be hard to reverse. In May, an Iranian state-owned newspaper wrote that the Censorship Research Center "supported by U.S. government and under direct supervision of Hillary Clinton, the U.S. secretary of state, has planned to ask the Iranian opposition to send information to the centre in which US is interested" (translation courtesy BBC Monitoring).
It's not surprising that the discourse about America in Iran would be infected by conspiracy theories. But this is what happens when you make an unthinking push to liberate the world one tweet and one Google search at a time. Buzzwords like "21st-century statecraft" and "Internet freedom" sound good in PowerPoint presentations, but the State Department can't just snap its fingers and fix everything for Iranians by creating a free Internet. The reality is that "digital diplomacy" requires just as much oversight and consideration as any other kind of diplomacy. Only when the U.S. government realizes this can we be assured that something like the Haystack affair won't happen again.