Haystack Plays With Fire, Gets Badly Burned

It sounded like such a heroic tale: A 25-year-old programmer decides to take on the despots in Iran and creates a miraculous software tool that allows dissidents in the country to surf anonymously by encrypting their activity and hiding it inside a stream of innocuous-looking Internet traffic. It even had a cool name: Haystack. Unfortunately, it appears to have been too good to be true. The project has been shut down, and one of the lead developers of the software has reportedly quit, after concerns were raised about the truth of the claims that Haystack was making, and founder Austin Heap is left battling the flames.

Just a few months ago, Heap was the subject of glowing profiles in Newsweek magazine and The Guardian, which described how his software was allowing Iranian dissidents to travel freely around the Internet — thanks in part to what was described as strong encryption. The Haystack founder even received an award from The Guardian for his work in helping protect freedom of speech, and the software was reported to have been fast-tracked for export by the U.S. State Department. What wasn’t clear from the stories about Haystack was that the software had only been used by a handful of people in Iran, and that its ability to route traffic securely had never been independently tested by anyone with expertise in security and cryptography.

When the software was finally tested, security experts apparently found it to be severely lacking, and convinced Heap to shut down the project and tell people using the software to stop. Programmer Jacob Appelbaum, who is involved with an open-source security project called Tor, called the software “total garbage.” Part of the concern was that unauthorized copies of Haystack had reportedly been circulating in Iran — driven in part by the claims about its abilities — and therefore, people’s lives could be in danger if they continued using it. Danny O’Brien of the Committee to Protect Journalists said on Twitter: “I can’t actually describe how broken @haystacknetwork is, because to do so would put people at risk.”

Some of those who have been watching the Haystack affair, such as Jillian York of Harvard’s Berkman Center for the Internet and Society and Ed Felten of Princeton’s Center for Information Technology Policy, say they blame media outlets such as Newsweek for pumping up the software and contributing to the hype around it. Others seem to blame Heap himself for making claims that couldn’t be backed up, or at least not correcting journalists who made claims about the software. It’s not clear whether the Haystack founder will go ahead with the project, or whether it’s effectively dead, since the lead developer has apparently resigned. We’ve contacted Heap and will update this post with any response.

Ironically, while Newsweek was writing about Haystack’s claims, several researchers were presenting a software project at the USENIX security conference that appears to actually do what Heap said his did: namely, hide the activity of dissidents in totalitarian states inside innocuous traffic to social networks such as Twitter and image-hosting sites like Flickr. Unlike Haystack, the creators of the software, known as Collage, have published their work (PDF link) for anyone to review (although it’s not clear whether anyone has done so).

Daniel Colascione, the developer for Haystack, definitely resigned and posted a letter outlining his reasons to the Stanford Liberation Technologies list, saying:

“It is with trepidation and regret that I say that I cannot, in good conscience, continue associating myself with the CRC. Effective immediately, I am cutting all ties.”

It is important to keep in mind, too, that according to Daniel he wrote _every_ line of code. From the information I have seen, Austin had a figurehead/spokesperson role for Haystack.

Also, I have yet to see evidence that “the software was fast-tracked for export by the U.S. State Department.” I’m not even sure that the State Department could do that. The copy of the license issued to CRC that I saw was issued by the Office of Foreign Assets Control (under the Treasury Department).
