In March of this year, Hillary Clinton announced that the U.S. government had granted a license to a company whose software would "help information continue to flow freely into and out of Iran." That software was called Haystack, an anti-censorship tool that received glowing coverage from the BBC, NPR, the Christian Science Monitor, the International Herald Tribune, and many other news sources. Perhaps it was Haystack's teasing, provocative slogan—"Good luck finding that needle"—that so intrigued the reporters. Or maybe it was the story of its founder Austin Heap, the twentysomething IT specialist from San Francisco who, prior to founding Haystack in June 2009, spent much of his time killing dragons in World of Warcraft. Just nine months later, Heap was given the Innovator of the Year award by the Guardian. Soon after, Heap claimed that he was headed to Washington, D.C., to meet with Sen. John McCain.
Heap came up with the idea for Haystack during the 2009 Iranian protests, when the country's draconian censorship system prevented communication with the outside world. Haystack, Heap promised, would not only allow Iranians access to e-mail and Twitter; it would do so while offering them full anonymity. "It's completely secure for the user so the government can't snoop on them," Heap told the BBC in August 2009.
There are plenty of other tools that can help circumvent censorship. While government censors in Iran, China, and elsewhere can easily block access to, say, Google, Web users can bypass such blocks by connecting to some other computer on the Internet and using that computer's connection to access Google. Most of these tools, however, suffer from one major problem: While they may succeed in hiding the exact Web sites browsed by their users, the censors may still get a hint that you've got something to hide. Haystack claimed to have solved this important problem: It could both circumvent censorship and trick the Iranian police into thinking that nothing suspicious was going on, making it look as if its users were just browsing innocuous Web sites.
It all sounded great in theory, until security professionals began asking Austin Heap for a copy of Haystack's code. (The program was never made available for download.) Every time someone would ask for a copy of Haystack, Heap would demur, explaining that releasing a copy of the program would imperil the project's security. As the code stayed under wraps, the admiring reviews of Haystack—a program that no one in the media had ever seen—continued to pour in, and the project continued to raise money. While the funding details remain murky, Haystack did get at least one sizable grant—$15,000 from the global advocacy group Avaaz.org. *
Heap's ambitious plans for Haystack went far beyond Iran. In May, he told NPR that he was already working on exporting the program to at least two other countries. As Heap explained to Newsweek in August, "We will systematically take on each repressive country that censors its people. We have a list. Don't piss off hackers who will have their way with you. A mischievous kid will show you how the Internet works."
As Heap promised to tear down censorship worldwide, a group of Iranians began to test Haystack inside the country. It didn't work. On top of the fact that it couldn't pierce the Iranian firewall, Haystack was extremely insecure. The program's security holes are so severe, in fact, that describing them here could help the Iranian government retroactively hunt down anyone who ever tested Haystack in Iran. In essence, Heap's haystack was very, very small and the needle buried within carried GPS coordinates. (On the bright side, despite Heap's earlier claims that 5,000 people were using Haystack by March 2010, it now seems that only a few dozen Iranians were actually recruited to test it.)
Full disclosure is due at this point: I was one of the skeptics who was not convinced by Heap's original claims, and I publicly challenged them in a series of posts on my blog. After almost two weeks of investigation, I managed to obtain a copy of Haystack and passed it on to a fellow Haystack skeptic—security professional Jacob Appelbaum—for testing and review. It was Appelbaum's conclusions about the software's violation of basic safety principles that led Heap to disable the program. A few days later, Haystack's leading developer, Daniel Colascione, resigned, claiming that the program was a case of "hype trumping security." The program's high-profile advisory board soon disbanded as well.
I'm not a security professional and my interest in Haystack was not technological. The question that intrigues me is why, to use Colascione's words, it was so easy in this case for hype to trump security. What made the Haystack affair possible?
Obviously, Austin Heap deserves much of the blame. He made plenty of overblown claims, and then used the fact that he was distributing Haystack in a highly sensitive environment like Iran to avoid disclosing details about his software. And the media, of course, could have done a much better job of asking questions: Was Haystack really being used in Iran? How might all this extra publicity in the Western media affect its users?
But I don't think that Heap's deceptive advertising and the media's poor watchdogging are the main culprits here. What made Haystack possible was the U.S. government's urge to embrace the power of the Internet to democratize the world—and to do so as fast as possible, without first designing appropriate procedures and regulations to guide its digital operations.
Haystack had to leap several bureaucratic hurdles to become operational. Because of U.S. sanctions on Iran, any American entity—such as Heap's Censorship Research Center—that wants to export goods to the country is supposed to go through a rigorous review process. The exporter also must be granted a special license by the Office of Foreign Assets Control at the U.S. Treasury Department, with the Departments of State and Commerce often having a part to play as well. According to that August Newsweek article, Haystack "caught the attention of the State Department, and it was fast-tracked for speedy approval." While a State Department official told me no such "fast-tracking" took place, it seems impossible that any government agency examined Haystack's claims closely or that anyone with knowledge of computer security scrutinized the software. (My partner-in-crime, Jake Appelbaum, found faults in Haystack's code in just six hours, and he confessed to having done this "while suffering from a wicked hangover on a Sunday afternoon.") Given that Haystack was granted a valuable license—and given the fact that its intended users were vulnerable Iranian dissidents—this is shocking negligence.
Most likely, we'll never know the exact details of Haystack's review process, as anything related to Iranian sanctions is clouded in secrecy and ambiguity. (It doesn't help that OFAC is exempt from some crucial Freedom of Information Act regulations and is not obliged to release any information about the individual cases it reviews.) That's unfortunate, because it was the government licensing process that gave Haystack much of its legitimacy. As a Censorship Research Center press release explained: "Haystack is the first anti-censorship tool developed specifically for Iran and built to target the methods that Iran uses to filter the Internet. The CRC is the only organization licensed to export such software to Iran."
It didn't matter that there were other, more-advanced censorship-fighting tools on the market, or that Haystack was little more than a raw piece of code. Austin Heap had the license, and nobody else did. It's a good thing Haystack collapsed in such an embryonic stage, before it could grab even more of the spotlight—and, just as important, grab even more funding—from other, worthier tools.
Still, the government's shoddy review process has done damage that will be hard to reverse. In May, an Iranian state-owned newspaper wrote that the Censorship Research Center "supported by U.S. government and under direct supervision of Hillary Clinton, the U.S. secretary of state, has planned to ask the Iranian opposition to send information to the centre in which US is interested" (translation courtesy BBC Monitoring).
It's not surprising that the discourse about America in Iran would be infected by conspiracy theories. But this is what happens when you make an unthinking push to liberate the world one tweet and one Google search at a time. Buzzwords like "21st-century statecraft" and "Internet freedom" sound good in PowerPoint presentations, but the State Department can't just snap its fingers and fix everything for Iranians by creating a free Internet. The reality is that "digital diplomacy" requires just as much oversight and consideration as any other kind of diplomacy. Only when the U.S. government realizes this can we be assured that something like the Haystack affair won't happen again.