anti-censorship software withdrawn over security concerns

guardian.co.uk

Decision follows concerns that system aiming to let people in Iran use internet anonymously could put users at risk

A piece of software called Haystack, which claimed to be an "anti-censorship" system to let people in Iran use the internet anonymously, has been withdrawn by its author after experts raised serious questions about its security.

The author, Austin Heap, a 26-year-old programmer from San Francisco, has been roundly criticised by professionals who complain that he has never allowed them access to the program's code – which they say is a necessity with security software to check whether it can do what it claims.

After having obtained access by other means, the experts now say that instead of making users anonymous, it could reveal key information about them to the Iranian authorities.

In a post on his blog on Monday, Heap says that in the "vigorous debate" about Haystack's security "many of the points made were valid" and that users have been asked to stop using it.

Daniel Colascione, who worked with Heap and says he came up with the "Haystack" name, tweeted on Tuesday that the Censorship Research Center (CRC) that he co-created with Heap to host Haystack is now being wound down. But he also maintained that the software that has been criticised was not intended for widespread use, and was only a test version.

In March the US government granted Haystack an export licence, required for "sensitive" cryptographic software, following a fast-track approval process which does not seem to have included independent verification of its security.

Haystack, and Heap, won plaudits from a number of organisations after the software's release last year. Its genesis followed the Iranian protests at the presidential election there in 2009, which was widely felt to have been rigged. Many people there tried to use mobile phones and services such as Twitter to organise protests, but there were also fears they could be traced by the authorities, using software in mobile transmission systems sold by western companies such as Nokia.

The idea of Haystack was to make communications by its users look like innocent – rather than sensitive – information. Heap developed it so that Iranian users could use email and web services such as Twitter without the Iranian authorities being able to trace them.

However suspicions about the software's robustness for anonymous use began to grow after people inside Iran started testing it. They reported that it could not get through the content-filtering firewall put up by the government there.

Evgeny Morozov, a technology journalist who has been critical of Heap's claims from the outset, says he eventually managed to get a copy of the software, and passed it on to a security professional, Jacob Appelbaum, who in turn concluded that Haystack did not provide the safety for users that had been claimed. On Twitter, Appelbaum said that "Haystack is the worst piece of software I have ever had the displeasure of ripping apart".

Soon afterwards Colascione, the leading developer on the Haystack program resigned, saying the program was an example of "hype trumping security".

But in a long message sent to a mailing list, Colascione added: "I would like to stress that I am not resigning in shame over the much-maligned test program. It is as bad as Appelbaum makes it out to be. But I maintain that it was a diagnostic tool never intended for dissemination, never mind hype. I did have a solid, reasonable design, and described it in our brief overture of transparency. That is what Haystack would have been. It would have worked!"

He continued: "What I am resigning over is the inability of my organisation to operate effectively, maturely, and responsibly. We have been disgraced. I am resigning over dismissing pointed criticism as nonsense. I am resigning over hype trumping security. I am resigning over being misled, and over others being misled in my name."

Colascione appears to take a lot of the blame for some flaws discovered by Appelbaum. "There was plenty of error on my part too, of course. I should never have allowed that damned "test" program to be distributed at all, and should never have added diagnostics to it; running it once in a controlled environment was a risk – arguably an acceptable one at the time. Multiplying that risk by users and by uses was what made it a catastrophe. I should have stuck my head out of the code and more strenuously objected to the hype.

"I regret that we exposed anyone to undue risk, and that we deprived citizens of the effective anti-censorship tool that might have been. I regret standing silently while I listened to empty promises — and I especially regret that this whole ordeal has scarred the anti-censorship landscape so badly that it may be years before anything grows there again."

Haystack, and Heap, had previously received extensive coverage from the BBC, US National Public Radio, the International Herald Tribune and The Guardian, which awarded Heap the title of "Innovator of the Year" in its MEGAS awards last March.

Asked to comment, Steve Busfield, head of media and technology for Guardian News & Media (GNM), who chaired the 2010 MEGAS judging panel, said: "The MediaGuardian Innovator of the Year award is presented each year to someone who the judges consider has had the greatest impact on innovation in the media in the past 12 months. Austin Heap was chosen as this year's winner as a result of his vision and unique approach to tackling a huge problem. It was his inventiveness and bravery which the judges sought to reward, rather than the Haystack software itself."

Earlier this week the Guardian sent a list of questions about Haystack and its security to Heap; he said he would respond but missed his own deadline to do so, and had not responded despite a reminder as this article was written. At the time of writing, Heap has not updated his Twitter feed since Tuesday.

Earlier this week he told the BBC that "all functional copies of the software had now been withdrawn" and that "it is absolutely reasonable for people to raise these concerns". He said the CRC would get a third party to review the Haystack source code, would make the code available for anyone to examine, and would stop people from testing it in the field. On his blog, he asks people to stop using the software until a security review can be carried out – although it is hard to see how that would differ from Appelbaum's review.

Previously on his blog, responding to Morozov, he wrote: "We don't *ever* want to put anyone at risk. The last thing I want is blood on our hands."

Claims made by Heap in March that roughly 5,000 people were using the service in Iran have not been backed up by evidence; a report in the Financial Times suggests that only a few dozen Iranians were using it.

Morozov, writing at the online magazine Slate, says: "I don't think that Heap's deceptive advertising and the media's poor watchdogging are the main culprits here. What made Haystack possible was the US government's urge to embrace the power of the internet to democratize the world –and to do so as fast as possible, without first designing appropriate procedures and regulations to guide its digital operations."