Jump to content
Sign in to follow this  
Goddess Relief Office

Net Effect: Were Haystack's Iranian testers at risk?

Recommended Posts

First I was thinking of offering myreaders an apology for overloading this blog with Haystack-relatedobservations. Then I changed my mind and decided that I should makeno such apologies whatsoever: Haystack is the Internet's equivalentof the Bay of Pigs Invasion. It is the epitome of everything that iswrong with Washington's push to promote Internet Freedom withoutthinking through the consequences and risks involved;  thus, the more we learn about the Haystack Affair while it's still fresh in everyone's memory, the better. (On that note, all readers of my blog should check thisexcellent new essay by my good friend Sami ben Gharbia, whodiscusses what the Internet Freedom Crusade means for digital activists in the MiddleEast – I'm still digesting many of the good points he makes).

Since so many of good discussions aboutHaystack happen on Stanford'sLiberation Technology mailing list and thus may not reach thewide audience, I take it upon myself to periodically report on someof the news/revelations reported there on this blog.

The most interesting Haystack-relateddevelopment on the list in the last few days was that we heard fromMehdi Yahyanejad,who disclosed that he had been contacted by one of the CRC's former advisory membersand asked to test Haystack a few weeks before I started bloggingabout them. (I spoke to Mehdi several times during my investigationinto Haystack and knew him from before.)

Here is the short version of Mehdi'sargument as I understand it:

First, Mehdi had known that Haystackdidn't have the goods much earlier than the rest of us and hadevidence to prove it

Second, Mehdi thinks that the use ofcircumvention tools – even if the latter are insecure – presentsno major risks to users in Iran and that the use of Haystack, despiteits design flaws, wouldn't be seen as different from the use Tor orFreegate. (According to Mehdi, the use of circumvention tool is not illegal in Iran and is widely tolerated by the authorities.) Some of these tools are better than others - and Haystackhappened to be somewhere on the lower end of the range.

Third, unlike me and Jake Appelbaum,Mehdi chose not to take his concerns public for fear that a scandalmay ensue, thus jeopardizing future funding/support of circumventionin general. Here is a telling quote from one of his messages to thegroup:

...I know that circumvention tool projects, commercial or non-profit, are by in large dependent on the government funding. The government funding is highly policy driven. If Iran's nuclear issue is on the top of the news, this translates to various sorts of "democracy funds" and some of those funds end up in the hand of circumvention community. There is pretty much no other easy way of funding these projects for their service to countries like Iran.

When I was following Evgeny Morozov's blog posts, once he changed the narrative of "Austin Heap misled people" to "Haystack puts people at risk", I exactly knew where he was going with this. The first narrative would have been enough to take down Austin Heap but not necessarily Haystack as an organization. Evgeny wanted to bring down Haystack in a way that he could take the battle to the next step: going after the State Department and other potential government players (his latest article in Slate confirms my suspicion). I believe this can be very damaging and would appeal to Evgeny to consider all the intended or unintended consequences before moving further with this.

Going after the US government can scare away all sort government players from touching circumvention tools projects and would damage the level of funding for all circumvention tools. Of course, people who created Haystack, particularly Austin Heap, and the hype around it are primarily responsible for what has happened but I care less about them or for that matter who gets the blame. I care about what the damage would be to the fundings for circumvention tools projects.

I think Mehdi's is a very importantargument that most organizations and actors in the freedom ofexpression/Internet freedom communities need to grapple with, 

The debate that Mehdi has broached doesrisk pushing us towards engaging in a bit of Iran-inspiredKremlinology – e.g. statements like “I can predict the Iraniangovernment's reaction to Haystack better than you ever can!” areprobably inevitable – but I think it's a price worth paying forhaving such a debate.

So, assuming that Haystack did havemajor security risks – a fact that no one seems to dispute anymore– were Iranian testers at risk or not? In other words, even if thegovernment could track down Haystack's testers – why should anyoneworry, given that they don't have a long history of arresting usersof such tools? Were concerns about Haystack overblown?

Here is my best attempt to elucidatefour main arguments as to why Haystack's Iranian testers were atrisk:

Number 1. Austin Heap made more claimsabout Haystack's awesome capabilities than all other circumventiontools put together, presenting Haystack as something genuinely newand dangerous. Were one to treat all those statements seriously, itwould appear that Haystack is something that the Superman and Batmanproduced in their garage in their spare time and thus needs bewatched very closely. On top of this, Haystack never released itscode, making it impossible for the Iranian government – or anyoneelse – to verify how well Austin's claims matched the reality.

Given the well-known tendency of theIranian government to see conspiracy theories even in basic laws ofphysics, I don't think it was so unreasonable for us to assume thatthey would treat Austin's claims much more seriously than theydeserved. Given everything the government did since June 2009 –including crackdowns on bloggers, arrests and intimidation of peopleworking on proxies, and so forth – I don't think we made the wrongcall by assuming the government's reaction to Haystack would beharsh. And that Austin marketed Haystack as a tool for high-valuedissidents put its testers at risk regardless of whether they weredissidents. I think it only makes things worse.

Number 2. Whatever the originalintentions of its founders, Haystack was presented/interpreted as anideological project rather than just yet anothercensorship-circumvention tool. Austin did like to highlight the factthat the tool got a US government license and even some fast-trackingfrom the State Department and in many of his interviews – mostnotably inthe now infamous 20-minute video interview with Aleks Krotoski ofthe Guardian – he almost seems to imply that it was instrumentalduring the June 2009 protests. (There is also an implied associationwith the Neda video there as well – note the bit about citizenjournalists using Haystack: “"[Haystack] gave [iranians] alayer of protection that allowed a random person to be a citizenjournalist without the risk of persecution, jail, torture, you know,whatever happens next.").

My research into the government'sresponse to the claims of a “Twitter Revolution” in Iranconvinced me that any remote associations with facilitating it couldbe extremely damaging to one's safety. In Haystack's case Austin waswillingly jumping on the Twitter Revolution bandwagon, trying topresent Haystack as a tool that made it possible. (That he had awell-publicized gig running proxies for Iran before Haystack –anyone remembers ProxyHeap,that other unique brand from the Heap Marketing Labs? - certainly didnot help to dispel the myths).

I am sure that if we conduct a globalpoll asking people: “Name one anti-censorship technology thatwas crucial to the Green Movement in 2009” - Haystack would come ontop, if only because it got so much free publicity for doing solittle. (BBC's TheVirtual Revolution documentary, HBO's ForNeda documentary, all the mediamentions...) I know that this is not what the logs of the GreenMovement's web-sites would say – but the Guardian et al neverbothered to see those logs – and based on my own experience in theformer Soviet Union, paranoid authoritarian governments tend to placemuch more faith in the professionalism of the Western media thananyone in the West. “If the Guardian said Haystack mattered inIran, how could it be otherwise? In fact, Haystack probably matteredeven more and the government-controlled Guardian is just covering itall up” - this is the kind of government logic I'm very familiarwith.

Number 3: CensorshipResearch Center, the entity behind Haystack, had a board ofadvisers that can hardly be classified as dear friends of the Iranianregime. KarimSadjadpour and AbbasMilani are both well-known to the Iranian authorities and itwould be silly to believe that their involvement with Haystack didn'thelp to confirm the government's fears that Haystack was more thanjust a circumvention tool. In fact, their involvement did make itseem that Haystack was part of some foreign ploy to subvert theregime by means of the Internet. The quote below from a May 2010article in a state-controlled Iranian newspaper  does build itsanti-Haystack argument based on the involvement by Milani andSadjadpour: 

 

It is interesting to note that two Iranian opponents of the Islamic Republic in America are assisting the Censorship Research Centre in programming the software. Abbas Milani and Karim Sajjadpur, advisers of Austin Hype [as published], have offered their knowledge to design this anti-Iranian software to the American government. In addition to the Iranian assistants, the Censorship Research Centre has also established connection with some anti-state elements and the so-called Green Movement inside. 

GarySick – the third member of the advisory board – is alsohardly a neutral figure when it comes to Iran. Not only did he domultiple stints on the US National Security Council and write OctoberSurprise, but he also runs Gulf/2000Project, an academic mailing list that the Iranian governmentclearly sees as subversive and revolutionary. In fact, one of theludicrous accusations made against KianTajbakhsh during his 2009 trial was that hismembership in Gary Sick's ACADEMIC mailing list – which is run outof that traditional hotbed of revolutionary activity, ColumbiaUniversity – was enough to prove his connections to the CIA.

 

Maybe it'sjust me but putting Gary Sick on Haystack's board and TWEETINGABOUT IT while a bunch of Iranians were supposed to be testingthis extremely insecure and incomplete piece of software in Iranseems extremely ill-thought. Nothing against Gary Sick– he's agreat scholar – but we should also be fair: tools like Tor havesuccessfully avoided the kind of politicization that Haystack deliberately created around itself.

Are mailing lists illegal in Iran? Idoubt it – and yet Kian has been locked up nevertheless. Thus,Mehdi's argument that circumvention tools are legal in Iran fails toconvince me; some are clearly more legal than others. And as much asI'd like to believe in the ultimate perfection of Iran's legalsystem, I somehow can't, especially given the developments of thelast 15 months. While circumvention tools may be legal, espionage forthe US clearly isn't – and I think that this is the charge thatHaystack's testers were (are?) most likely to face. It's extremelysad but everything Austin did/said since June 2009 made Haystacktesters appear much more like American spies rather than cluelesstesters of circumvention software and the composition of CRC'sadvisory board helped to legitimize Austin's outrageous “we'll takethis regime down!” claims.

 

Haystack is actually a perfect case-studyof how one could start with what seems like a purely technological project that hasnoble objectives and end up with an extremely politicized and mostly socially constructed phenomenon that presents far more danger as an ideology than as a piece ofcode.

 

At the risk of dragging this discussion into the darkest theoretical alleys in the philosophy of technology and science and technology studies, let me just say that the main problem with Haystack was not how it was designed but how it was socially constructed and subsequently interprepted, not least by the Iranian government.

Here one needs to look at Haystack's position in the "let's liberate Iran!" and "let's liberate the world through technology!" discourses and how that position may compromise its effectivenss as a censorship-circumvention tool. As such, one needs to go beyond the discussion of how secure or insecure Haystack's protocols are - and we know conclusively that much of Haystack's prototype design was, in fact, insecure - and look at the broader socio-political context in which Haystack was supposed to be used. (Tricia Wang offers some more Haystack-related thoughts along these lines on her blog.  I'd be curious to see more philosophers of technology and scholars working in STS take on the Haystack issue but the odds of that happening in the near future, well, are probably nil - not until 2015, I guess.

 

Number 4: What has been completelyignored in the discussions about Haystack's security until now isthat it's their on-the-ground distribution method – at least as itapplied to one group of their testers – was as unsafe as itsdesign. I'm curious as to why almost nobody has asked how Haystackwas actually distributed to the Iranian testers: it certainly didn'tdrop from the sky in those 976USB sticks that Austin Heap collected from the trustinginhabitants of the Interwebs.

So let me shed some light on this here,for in my investigation I found how at least one group of testers gotaccess to it. Here is how it worked. Together with their intermediarybased outside of Iran, the Haystack team had set up a Gmail accountand created a draft message there, where they storedinstructions/executable files for download by others. The log-indetails were then distributed to the testers – and eventuallyreached me last week. Even though I personally did not log into thataccount as it would probably have been illegal, a person authorizedto use the Gmail account confirmed that the password still worked andsent me the screenshots.

There are many reasons why I think itwas a bad idea to distribute Haystack that way – but the main oneis that Gmail allows anyone with access to the inbox to track the IPaddresses from which the account has been accessed in the past. Thatvery Gmail account was accessed by NUMEROUS testers and I'm 100% surethat the Haystack team doesn't even know all of them, in part becausethey lost control over the distribution.

Even though the feature was turned offwhen my source accessed it last week, I believe it's impossible tosay conclusively if it always stayed that way (based on some internalcorrespondence between Austin and the testers, I've come to believethat this feature was on at least once.) Obviously, if there wereeven one compromised individual inside Haystack's testing network,that person would be able to track down the IP addresses of everyonewho has ever logged into that inbox – ironically, with Google'shelp. Even assuming that this did not happen, it seems obvious thatthere are many better ways to distribute Haystack while protectingthe security of other testers. My point here is that if we reallywant to start comparing Haystack to Tor or any other tools, we needto look beyond architecture and start looking at many other parts ofthe chain – and those parts so far have not been made transparentby Haystack...

***

Given all this, I don't think that Jakeand I made the wrong call in publicizing our concerns about the risksthat using Haystack posed to the testers. I'm much more perturbed bythe fact that Mehdi had a chance to test Haystack a few weeks beforeus, had deep reservations about it, and chose not to go public withthem – as it seems because of some macro-level concerns about theshifts in the US government's approach to funding circumvention thatthe Haystack scandal may trigger.

Frankly, this makes me even moreconcerned about the perverse incentives and disincentives that theUS government's push towards promoting Internet Freedom at all costs creates. Iunderstand that Mehdi had a conflicting set of moral concerns –exposing Haystack for the fraud that it was on the one hand and notharming the funding prospects for such tools in general on the otherhand. However, given the four arguments above, I think that conflictwas not so hard to resolve: he should have gone public about hisconcerns with Haystack and – maybe – even send a copy to independent reviewers as soon as he began having “serious concerns”about Haystack.

Up until he sent several longmessages to the Stanord mailing list, I was under the impression that Mehdi simplydidn't grasp the fact that Haystack was insecure – which is what hehimself told me on the phone when I interviewed him. In hissubsequent correspondence with the list, however, Mehdi clearlystates that he DID know that Haystack had major problems withsecurity and even informed Austin and Daniel about them...

To say that I'm confused at this pointwould be an understatement. Essentially we are asked to believe thatMehdi – who knows the Iranian political context far better thanJake or me (and has a PhD from MIT – okay, I know it's in physicsbut still) – did not see how Haystack and everything related to it–its advisory board, Heap's claims, crackdown on proxies andeverything connected to the mostly imaginary “Twitter Revolution”– might be perceived/interpreted by the Iranian authorities... AmI the only one who finds this hard to believe?

So what are the odds that Haystacktesters will be pigeonholed into “enemies of the state/Americanagents” category rather than “circumvention geeks” categorywhere Mehdi thinks they clearly reside? Everything I've seen/readabout Iran in the last 15 months has convinced me that the odds thatthe former interpretation would become dominant are considerablyhigher – especially given the media image that Austin managed tobuild around Haystack. (E.g. Heap's meeting with John McCainmentioned in the Newsweekpiece – I'm just curious if McCain sang “Bomb,bomb Iran” at that meeting? Sorry for the snark: butpublicizing Heap's meetings with the likes of McCain is just anotherway to get Haystack testers in trouble...).

I'd very very much like to be wrong onthis one and hope that both me and Jake are very poor students ofKremlinology as well as its application to the Iranian context...Sofar, unfortunately, I haven't seen many arguments that would convinceme that we somehow overstated the risks...

P.S. This is a slightly edited versionof my post to the Liberation Technology mailing list. And for the record, Mehdi is correct to identify a shift in this blog's narrative - but it happened naturally, as we discovered holes in Haystack's design. 

View the full article

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×