Is Haystack Too Good To Be True?


Friday, September 10, 2010

BROOKE GLADSTONE: The idea was so appealing, a simple bit of software passed around Samizdat-style in Iran that would allow activists to get online and do three things under the noses of Iranian authorities – first, send tightly encrypted messages, second, access any website, even censored ones, and third, and most important, hide their activities within perfectly innocuous material, like family photos or the homepage of Weather.com. Well, last summer, that idea seemed to have become a reality when software designer Austin Heap, inspired by the unfolding post-election Iranian protests, set about to solve the problems plaguing Internet-savvy Iranians. He named his creation Haystack, and it quickly became a made-for-media story of ingenuity made manifest. We spoke to Heap in May, shortly after he got fast-tracked U.S. government permission to distribute Haystack within Iran. This is what he told us.

AUSTIN HEAP: It’s always going to be a cat-and-mouse game. Haystack is the first anti-censorship tool to a) encrypt and protect the data and b) hide it. I do expect them to attempt to reverse-engineer the software and try to come up with ways to block it. And what we have done is come up with a roadmap for a next series of steps, so once there is something that potentially could block Haystack we're ready to move to the next strategy and the next one.

BROOKE GLADSTONE: The strategy seemed to be working, according to the many articles and profiles of Heap and Haystack. But in the last few weeks, Foreign Policy contributing Editor Evgeny Morozov has raised serious questions about Haystack, arguing that Heap has beguiled the press with a story that was too good to check.

EVGENY MOROZOV: So far it has only been used by 100 people in Iran. And the Iranian government has no incentive to track its users, and it has no incentive to do anything about Haystack because it’s only used by 100 people.

BROOKE GLADSTONE: Which is interesting, because you were first worried that an insufficiently tested or peer-reviewed system was in wide use in Iran, and then you were relieved to learn that it’s really just a small group of beta testers who can protect themselves. But you still feel like the press was led down a garden path.

EVGENY MOROZOV: The claims that are posted on Haystack’s website, that it’s a secure technology which uses state-of-the-art encryption, are still there, you know, so it’s either that Haystack provides its testers with a completely different set of answers to questions about security or that the testers may actually be misled into thinking that the technology is more secure than it really is.

BROOKE GLADSTONE: How sure are you that Haystack doesn't work?

EVGENY MOROZOV: No independent third party has managed to come up with an opinion that would assure us of Haystack’s ability to do what it claims. You know, it’s like me saying that, you know, the brakes on this car work but I won't let any third party engineers test it, and you have to take me at my word, and why don't you drive it?

BROOKE GLADSTONE: You have talked to some experts who have had direct experience with Haystack, right?

EVGENY MOROZOV: Well, I did. Some people actually managed to test it in Iran. They were not extremely impressed with how it managed to circumvent censorship. They did not manage to test how exactly secure it is. I spoke to a few people who have seen Haystack in the United States. Again, their conclusion was that it’s a technology that needs further review and has a lot of room for improvement.

BROOKE GLADSTONE: The Guardian newspaper gave Austin Heap the Innovator of the Year Award. You think he should have gotten the Publicist of the Year Award. And, besides Heap, you basically hold two parties responsible for the uncritical touting of Haystack. The first, you say, is the U.S. government, which granted Heap permission to distribute Haystack within Iran, and you say this confers on Haystack a degree of legitimacy that it hasn't earned. That’s not Heap’s fault, or is it?

EVGENY MOROZOV: That’s not Heap’s fault. That’s why I'm blaming the U.S. government.

[LAUGHTER] But, you know, there are several government agencies involved. So there is the U.S. Treasury Department, Department of Commerce. There was also involvement from the U.S. State Department. The U.S. Department of Treasury and Commerce assessed whether it may end up being used by the government of Ahmadinejad, how much damage it can cost to American interests.

BROOKE GLADSTONE: Not a Good Housekeeping seal, merely a sign that it isn't going to hurt us.

EVGENY MOROZOV: Yes, and I would also like to add that the decision by the U.S. State Department, on the other hand, to somehow fast-track Haystack’s application and to publicize it, including in one of Hillary Clinton’s speeches, is something that I find a little bit more dubious because indirectly it would hurt Haystack’s users in a country as sensitive as Iran.

BROOKE GLADSTONE: The other guilty party here is us, and by us, you do mean us, among everybody else [LAUGHS] in the media. We aired an interview with Heap back in May, and we were quite impressed with his story. You say that Heap has proved to be catnip for the media. Why do you think his narrative is so appealing?

EVGENY MOROZOV: There is a lot of enthusiasm – you know, I would even call it some kind of irrational exuberance over –

[BROOKE LAUGHS] - the role that technology played in the Iranian protests in 2009. The media were full of stories about Iran’s three-day revolution. It really made for a very catchy narrative. I am 99 percent sure that no journalist who wrote about Haystack ever even saw a copy of Haystack. So far, most of the stories in the media seem to imply that this is a piece of software which exists, that is functioning, that’s already being used by Iranians, while, in fact, it was a very raw piece of code.

BROOKE GLADSTONE: Do you think the mainstream media’s major problem with covering this new communications technology, in all of its manifestations, is that the mainstream media are just too starry-eyed or just too incompetent to assess it?

EVGENY MOROZOV: Well, I'll shock you, but I'll say both.


EVGENY MOROZOV: [LAUGHS] The competence issue I think is obvious. This particular case of Haystack, you know, requires not only a very deep knowledge of technology and how encryption works and, you know, how you can actually break encryption, it also requires a very deep knowledge of law, of regulations, how export sanctions work. That said, there is definitely a degree of what I call cyber-utopianism in the mainstream media coverage of technology. There is just too much unthinking admiration of what Facebook or what Twitter, those technologies do without necessarily paying close scrutiny to how they can also endanger their users, put them at risk, and about the long-term effects on political activism and dissent altogether.

BROOKE GLADSTONE: Evgeny, thank you very much.

EVGENY MOROZOV: Thanks so much for having me.

BROOKE GLADSTONE: Evgeny Morozov is a contributing editor to Foreign Policy and a visiting scholar in the program on Liberation Technology at Stanford University. We made numerous attempts to reach Austin Heap to invite him to speak with us. He didn't respond.