Were Haystack’s Iranian testers at risk?
First I was thinking of offering my readers an apology for overloading this blog with Haystack-related observations. Then I changed my mind and decided that I should make no such apologies whatsoever: Haystack is the Internet’s equivalent of the Bay of Pigs Invasion. It is the epitome of everything that is wrong with Washington’s push ...
First I was thinking of offering my readers an apology for overloading this blog with Haystack-related observations. Then I changed my mind and decided that I should make no such apologies whatsoever: Haystack is the Internet’s equivalent of the Bay of Pigs Invasion. It is the epitome of everything that is wrong with Washington’s push to promote Internet Freedom without thinking through the consequences and risks involved; thus, the more we learn about the Haystack Affair while it’s still fresh in everyone’s memory, the better. (On that note, all readers of my blog should check this excellent new essay by my good friend Sami ben Gharbia, who discusses what the Internet Freedom Crusade means for digital activists in the Middle East – I’m still digesting many of the good points he makes).
Since so many of good discussions about Haystack happen on Stanford’s Liberation Technology mailing list and thus may not reach the wide audience, I take it upon myself to periodically report on some of the news/revelations reported there on this blog.
The most interesting Haystack-related development on the list in the last few days was that we heard from Mehdi Yahyanejad, who disclosed that he had been contacted by one of the CRC’s former advisory members and asked to test Haystack a few weeks before I started blogging about them. (I spoke to Mehdi several times during my investigation into Haystack and knew him from before.)
Here is the short version of Mehdi’s argument as I understand it:
First, Mehdi had known that Haystack didn’t have the goods much earlier than the rest of us and had evidence to prove it
Second, Mehdi thinks that the use of circumvention tools – even if the latter are insecure – presents no major risks to users in Iran and that the use of Haystack, despite its design flaws, wouldn’t be seen as different from the use Tor or Freegate. (According to Mehdi, the use of circumvention tool is not illegal in Iran and is widely tolerated by the authorities.) Some of these tools are better than others – and Haystack happened to be somewhere on the lower end of the range.
Third, unlike me and Jake Appelbaum, Mehdi chose not to take his concerns public for fear that a scandal may ensue, thus jeopardizing future funding/support of circumvention in general. Here is a telling quote from one of his messages to the group:
…I know that circumvention tool projects, commercial or non-profit, are by in large dependent on the government funding. The government funding is highly policy driven. If Iran’s nuclear issue is on the top of the news, this translates to various sorts of "democracy funds" and some of those funds end up in the hand of circumvention community. There is pretty much no other easy way of funding these projects for their service to countries like Iran.
When I was following Evgeny Morozov’s blog posts, once he changed the narrative of "Austin Heap misled people" to "Haystack puts people at risk", I exactly knew where he was going with this. The first narrative would have been enough to take down Austin Heap but not necessarily Haystack as an organization. Evgeny wanted to bring down Haystack in a way that he could take the battle to the next step: going after the State Department and other potential government players (his latest article in Slate confirms my suspicion). I believe this can be very damaging and would appeal to Evgeny to consider all the intended or unintended consequences before moving further with this.
Going after the US government can scare away all sort government players from touching circumvention tools projects and would damage the level of funding for all circumvention tools. Of course, people who created Haystack, particularly Austin Heap, and the hype around it are primarily responsible for what has happened but I care less about them or for that matter who gets the blame. I care about what the damage would be to the fundings for circumvention tools projects.
I think Mehdi’s is a very important argument that most organizations and actors in the freedom of expression/Internet freedom communities need to grapple with,
The debate that Mehdi has broached does risk pushing us towards engaging in a bit of Iran-inspired Kremlinology – e.g. statements like “I can predict the Iranian government’s reaction to Haystack better than you ever can!” are probably inevitable – but I think it’s a price worth paying for having such a debate.
So, assuming that Haystack did have major security risks – a fact that no one seems to dispute anymore – were Iranian testers at risk or not? In other words, even if the government could track down Haystack’s testers – why should anyone worry, given that they don’t have a long history of arresting users of such tools? Were concerns about Haystack overblown?
Here is my best attempt to elucidate four main arguments as to why Haystack’s Iranian testers were at risk:
Number 1. Austin Heap made more claims about Haystack’s awesome capabilities than all other circumvention tools put together, presenting Haystack as something genuinely new and dangerous. Were one to treat all those statements seriously, it would appear that Haystack is something that the Superman and Batman produced in their garage in their spare time and thus needs be watched very closely. On top of this, Haystack never released its code, making it impossible for the Iranian government – or anyone else – to verify how well Austin’s claims matched the reality.
Given the well-known tendency of the Iranian government to see conspiracy theories even in basic laws of physics, I don’t think it was so unreasonable for us to assume that they would treat Austin’s claims much more seriously than they deserved. Given everything the government did since June 2009 – including crackdowns on bloggers, arrests and intimidation of people working on proxies, and so forth – I don’t think we made the wrong call by assuming the government’s reaction to Haystack would be harsh. And that Austin marketed Haystack as a tool for high-value dissidents put its testers at risk regardless of whether they were dissidents. I think it only makes things worse.
Number 2. Whatever the original intentions of its founders, Haystack was presented/interpreted as an ideological project rather than just yet another censorship-circumvention tool. Austin did like to highlight the fact that the tool got a US government license and even some fast-tracking from
the State Department and in many of his interviews – most notably in the now infamous 20-minute video interview with Aleks Krotoski of the Guardian – he almost seems to imply that it was instrumental during the June 2009 protests. (There is also an implied association with the Neda video there as well – note the bit about citizen journalists using Haystack: “"[Haystack] gave [Iranians] a layer of protection that allowed a random person to be a citizen journalist without the risk of persecution, jail, torture, you know, whatever happens next.").
My research into the government’s response to the claims of a “Twitter Revolution” in Iran convinced me that any remote associations with facilitating it could be extremely damaging to one’s safety. In Haystack’s case Austin was willingly jumping on the Twitter Revolution bandwagon, trying to present Haystack as a tool that made it possible. (That he had a well-publicized gig running proxies for Iran before Haystack – anyone remembers ProxyHeap, that other unique brand from the Heap Marketing Labs? – certainly did not help to dispel the myths).
I am sure that if we conduct a global poll asking people: “Name one anti-censorship technology that was crucial to the Green Movement in 2009” – Haystack would come on top, if only because it got so much free publicity for doing so little. (BBC’s The Virtual Revolution documentary, HBO’s For Neda documentary, all the media mentions…) I know that this is not what the logs of the Green Movement’s web-sites would say – but the Guardian et al never bothered to see those logs – and based on my own experience in the former Soviet Union, paranoid authoritarian governments tend to place much more faith in the professionalism of the Western media than anyone in the West. “If the Guardian said Haystack mattered in Iran, how could it be otherwise? In fact, Haystack probably mattered even more and the government-controlled Guardian is just covering it all up” – this is the kind of government logic I’m very familiar with.
Number 3: Censorship Research Center, the entity behind Haystack, had a board of advisers that can hardly be classified as dear friends of the Iranian regime. Karim Sadjadpour and Abbas Milani are both well-known to the Iranian authorities and it would be silly to believe that their involvement with Haystack didn’t help to confirm the government’s fears that Haystack was more than just a circumvention tool. In fact, their involvement did make it seem that Haystack was part of some foreign ploy to subvert the regime by means of the Internet. The quote below from a May 2010 article in a state-controlled Iranian newspaper does build its anti-Haystack argument based on the involvement by Milani and Sadjadpour:
It is interesting to note that two Iranian opponents of the Islamic Republic in America are assisting the Censorship Research Centre in programming the software. Abbas Milani and Karim Sajjadpur, advisers of Austin Hype [as published], have offered their knowledge to design this anti-Iranian software to the American government. In addition to the Iranian assistants, the Censorship Research Centre has also established connection with some anti-state elements and the so-called Green Movement inside.
Gary Sick – the third member of the advisory board – is also hardly a neutral figure when it comes to Iran. Not only did he do multiple stints on the US National Security Council and write October Surprise, but he also runs Gulf/2000 Project, an academic mailing list that the Iranian government clearly sees as subversive and revolutionary. In fact, one of the ludicrous accusations made against Kian Tajbakhsh during his 2009 trial was that his membership in Gary Sick’s ACADEMIC mailing list – which is run out of that traditional hotbed of revolutionary activity, Columbia University – was enough to prove his connections to the CIA.
Maybe it’s just me but putting Gary Sick on Haystack’s board and TWEETING ABOUT IT while a bunch of Iranians were supposed to be testing this extremely insecure and incomplete piece of software in Iran seems extremely ill-thought. Nothing against Gary Sick– he’s a great scholar – but we should also be fair: tools like Tor have successfully avoided the kind of politicization that Haystack deliberately created around itself.
Are mailing lists illegal in Iran? I doubt it – and yet Kian has been locked up nevertheless. Thus, Mehdi’s argument that circumvention tools are legal in Iran fails to convince me; some are clearly more legal than others. And as much as I’d like to believe in the ultimate perfection of Iran’s legal system, I somehow can’t, especially given the developments of the last 15 months. While circumvention tools may be legal, espionage for the US clearly isn’t – and I think that this is the charge that Haystack’s testers were (are?) most likely to face. It’s extremely sad but everything Austin did/said since June 2009 made Haystack testers appear much more like American spies rather than clueless testers of circumvention software and the composition of CRC’s advisory board helped to legitimize Austin’s outrageous “we’ll take this regime down!” claims.
Haystack is actually a perfect case-study of how one could start with what seems like a purely technological project that has noble objectives and end up with an extremely politicized and mostly socially constructed phenomenon that presents far more danger as an ideology than as a piece of code.
At the risk of dragging this discussion into the darkest theoretical alleys in the philosophy of technology and science and technology studies, let me just say that the main problem with Haystack was not how it was designed but how it was socially constructed and subsequently interprepted, not least by the Iranian government.
Here one needs to look at Haystack’s position in the "let’s liberate Iran!" and "let’s liberate the world through technology!" discourses and how that position may compromise its effectivenss as a censorship-circumvention tool. As such, one needs to go beyond the discussion of how secure or insecure Haystack’s protocols are – and we know conclusively th
at much of Haystack’s prototype design was, in fact, insecure – and look at the broader socio-political context in which Haystack was supposed to be used. (Tricia Wang offers some more Haystack-related thoughts along these lines on her blog. I’d be curious to see more philosophers of technology and scholars working in STS take on the Haystack issue but the odds of that happening in the near future, well, are probably nil – not until 2015, I guess.
Number 4: What has been completely ignored in the discussions about Haystack’s security until now is that it’s their on-the-ground distribution method – at least as it applied to one group of their testers – was as unsafe as its design. I’m curious as to why almost nobody has asked how Haystack was actually distributed to the Iranian testers: it certainly didn’t drop from the sky in those 976 USB sticks that Austin Heap collected from the trusting inhabitants of the Interwebs.
So let me shed some light on this here, for in my investigation I found how at least one group of testers got access to it. Here is how it worked. Together with their intermediary based outside of Iran, the Haystack team had set up a Gmail account and created a draft message there, where they stored instructions/executable files for download by others. The log-in details were then distributed to the testers – and eventually reached me last week. Even though I personally did not log into that account as it would probably have been illegal, a person authorized to use the Gmail account confirmed that the password still worked and sent me the screenshots.
There are many reasons why I think it was a bad idea to distribute Haystack that way – but the main one is that Gmail allows anyone with access to the inbox to track the IP addresses from which the account has been accessed in the past. That very Gmail account was accessed by NUMEROUS testers and I’m 100% sure that the Haystack team doesn’t even know all of them, in part because they lost control over the distribution.
Even though the feature was turned off when my source accessed it last week, I believe it’s impossible to say conclusively if it always stayed that way (based on some internal correspondence between Austin and the testers, I’ve come to believe that this feature was on at least once.) Obviously, if there were even one compromised individual inside Haystack’s testing network, that person would be able to track down the IP addresses of everyone who has ever logged into that inbox – ironically, with Google’s help. Even assuming that this did not happen, it seems obvious that there are many better ways to distribute Haystack while protecting the security of other testers. My point here is that if we really want to start comparing Haystack to Tor or any other tools, we need to look beyond architecture and start looking at many other parts of the chain – and those parts so far have not been made transparent by Haystack…
Given all this, I don’t think that Jake and I made the wrong call in publicizing our concerns about the risks that using Haystack posed to the testers. I’m much more perturbed by the fact that Mehdi had a chance to test Haystack a few weeks before us, had deep reservations about it, and chose not to go public with them – as it seems because of some macro-level concerns about the shifts in the US government’s approach to funding circumvention that the Haystack scandal may trigger.
Frankly, this makes me even more concerned about the perverse incentives and disincentives that the US government’s push towards promoting Internet Freedom at all costs creates. I understand that Mehdi had a conflicting set of moral concerns – exposing Haystack for the fraud that it was on the one hand and not harming the funding prospects for such tools in general on the other hand. However, given the four arguments above, I think that conflict was not so hard to resolve: he should have gone public about his concerns with Haystack and – maybe – even send a copy to independent reviewers as soon as he began having “serious concerns” about Haystack.
Up until he sent several long messages to the Stanord mailing list, I was under the impression that Mehdi simply didn’t grasp the fact that Haystack was insecure – which is what he himself told me on the phone when I interviewed him. In his subsequent correspondence with the list, however, Mehdi clearly states that he DID know that Haystack had major problems with security and even informed Austin and Daniel about them…
To say that I’m confused at this point would be an understatement. Essentially we are asked to believe that Mehdi – who knows the Iranian political context far better than Jake or me (and has a PhD from MIT – okay, I know it’s in physics but still) – did not see how Haystack and everything related to it– its advisory board, Heap’s claims, crackdown on proxies and everything connected to the mostly imaginary “Twitter Revolution” – might be perceived/interpreted by the Iranian authorities… Am I the only one who finds this hard to believe?
So what are the odds that Haystack testers will be pigeonholed into “enemies of the state/American agents” category rather than “circumvention geeks” category where Mehdi thinks they clearly reside? Everything I’ve seen/read about Iran in the last 15 months has convinced me that the odds that the former interpretation would become dominant are considerably higher – especially given the media image that Austin managed to build around Haystack. (E.g. Heap’s meeting with John McCain mentioned in the Newsweek piece – I’m just curious if McCain sang “Bomb, bomb Iran” at that meeting? Sorry for the snark: but publicizing Heap’s meetings with the likes of McCain is just another way to get Haystack testers in trouble…).
I’d very very much like to be wrong on this one and hope that both me and Jake are very poor students of Kremlinology as well as its application to the Iranian context…So far, unfortunately, I haven’t seen many arguments that would convince me that we somehow overstated the risks…
P.S. This is a slightly edited version of my post to the Liberation Technology mailing list. And for the record, Mehdi is correct to identify a shift in this blog’s narrative – but it happened naturally, as we discovered holes in Haystack’s design.