Search Mailing List Archives

Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] Fwd: Haystack

Gabe Gossett Gabe.Gossett at
Fri Aug 20 13:54:06 PDT 2010

I followed the link below to the story below about Haystack being granted a US license, which goes to Austin Heap's blog.  So I tried to find anything more substantial about this government license and found nothing, including nothing at the Treasury Dept. website.  In fact, the Office of Foreign Assets Control (cited in the post) has a page where they have listed all of the actions they have taken in the past year:

According to Heap's blog post, dated April 14, "Today, the Censorship Research Center ("CRC") announced that it has received critical United States Government authorizations required to export anti-filtering technology to Iran."   But CRC is listed nowhere.

Making this appear even more bogus is that, according to a NY Times story published more than a month before this blog post<>, the Treasury Department issued exemptions for "a general license for the export of free personal Internet services and software" in Iran, among other countries.  This is a general license for any company.  So when Austin's blog post claims that "The CRC is the only organization licensed to export such software to Iran,"  it is very misleading.  Basically, from what I can find at this point, there is no evidence that the US government has given Haystack any form of approval, much less vetting.

I sent Austin an email asking for proof that Haystack works.  We'll see if we hear anything.


From: liberationtech-bounces at [mailto:liberationtech-bounces at] On Behalf Of Evgeny Morozov
Sent: Thursday, August 19, 2010 11:47 PM
To: Liberation Technologies
Subject: Re: [liberationtech] Fwd: Haystack

I would like to add another thread to this fascinating discussion: as some of you may know, Haystack has also been granted a US government license<> to legally distribute their software in Iran (that is, they are not subject to the usual set of sanctions-related restrictions on the export of technology to the country). I also believe that Hillary Clinton mentioned Haystack - at least in passing - in one of her speeches.

Whatever the merits of Haystack's technology - and I must confess that I'm in with the most skeptical members of this thread - such endorsement by the US government may have also given Iranians a false sense of security and at least some nominal assurance that Haystack has been properly vetted on its technological merits. (Since it was US Treasury that granted them a license, one cannot be 100% sure that such vetting actually did take place).

This is not to necessarily bash Haystack, but to point out the inefficiencies of the current sanctions regime on Iran and the kind of unintended consequences it creates.
On Fri, Aug 20, 2010 at 12:59 AM, Gabe Gossett <Gabe.Gossett at<mailto:Gabe.Gossett at>> wrote:
I think that on the most important point we appear to agree:  developers should be aware that overinflated claims of security get people in lots of trouble, including killed and tortured.

I'm not sure if we agree that it is good for people to at least do something, though.  I get the impression that you would prefer the development of these technologies be abandoned entirely since they have the potential to lend people a false sense of security.  I don't want to put words in your mouth though, so if that is a mischaracterization, you have my apologies.  Clearly, you have technical expertise and years of experience in this area that I do not, and so I would allow that my perspective lacks some of ins and outs that might make me more wary.  But I remain convinced that it is better to do something than nothing.   I also think that developers making inflated claims and the media misrepresenting an issue are whole other problems entirely.

I also disagree that modern technologies entirely change the paradigm on issues like this.   Human memory of casual conversations decades past were enough to get plenty of Chinese "reeducated" during the Cultural Revolution.  In fact, I would suggest that journalists and intelligence officers have been grappling with this same ethical issue for decades, it just wasn't computerized.  Anyhow, I think you and I already had an exchange about that on this list and we don't need to restart that discussion if you would prefer not to.

My ultimate point is that what we are talking about here are tools, and any tool has its pluses and negatives.  Just because there are people engaging in inaccurate hype about what a tool can do does not mean that the rest of us should not make them or promote them within responsible limits.

Also, you have my kudos for a well-done rebuttal with limited time.


From: Jim Youll [mailto:jyoull at<mailto:jyoull at>]
Sent: Thursday, August 19, 2010 2:48 PM
To: Gabe Gossett

Cc: Liberation Technologies
Subject: Re: [liberationtech] Fwd: Haystack

I regret that I can't take the time now to write a proper rebuttal, but due to other constraints i have to answer this now or never, and never feels wrong.

I assume that ALL "users" of security technology are unqualified to evaluate the merits or non-merits, and particularly, the long-term risks of using such technology. There are stacks of CHI and other papers discussing this. Some of them take an orthogonal approach and you have to read it into them. THis has nothing to do with looking down at people in other places. I "trust" that my word processor is not sending my poetry to the FBI. that's about all I can do. At some point - and it comes pretty early when we're talking about software on a computer network - we can't do any more checking and have to "trust". The declaration that users are responsible for their own well-being forgets that they can't check out big claims because even the creators of the software can't really check out some of their own claims.

i just reviewed a conference paper that purported - yet again - to "fix" web site security through an enhanced browser display. That's a TRIVIAL problem compared to keeping noisy people safe from their angry governments, and we _do not_ even know how to do that correctly, despite 15+ years of trying.

Developers are not good at predicting the long-term implications of using their software. I've seen no disclosures yet that rise to the level of sober severity and disclaimers in which every one of these technologies should be wrapped.

I know why that is - because people at risk might not use them. As a developer, you don't want to discourage people from using your stuff.

Talking to the wrong person on the street carries a tiny fraction of the risk of talking to the wrong person online... in terms of detection after the fact (and forever), playback, "evidence against you," and the at-risk person's ability to perceive the real or possible risks of the action or to have any sense of who's watching either now or who's reviewing the records later. I might vary my walking routes and meeting habits to avoid pattern analysis, but online much of what might feel like "avoidance" is actually disclosure - encrypting e-mails? Uh oh...

If perhaps people don't use this software because it's too risky to use, then maybe that is correct. But I've never seen enough info from publishers about why people should "not" use a piece of software, only lots of talk about why they should.

I've seen others try to fault  these trusting, non-technical (or even somewhat technical) users for their "decision" to use the software, with the same claim that they are "accepting" some risks. I say that is absolutely unfair and a cheap dodge by developers who like publicity for "human rights software" but who really have not taken ownership of the consequences for others who may use the software as it was intended to be used.

As civilian users of software or any other complex machine, is it the case that we would look at a piece of software (or any other machinery) that seems to do something we want, and say "hmm... this software is endorsed by several organizations, and it's written up in the Wall Street Journal.... maybe it's completely unsuited for the task. I'll avoid it."

No. We don't do that.

The further risk is that people who believe they are "more safe" because of this software may take greater risks than they would if they were not using any software at all. The risk there is  very much wrapped up in our inability to estimate or compare abstract levels of risk or reward (that's why gambling works). The tragic downside is that when there is a failure, the user is in a much worse spot than they may have been, when they were afraid of being caught, because they've possibly been induced to send more messages , or reveal more damning information, than they might have otherwise - due to the illusion of safety.

- jim

On Aug 19, 2010, at 12:42 PM, Gabe Gossett wrote:

"How many of the people known to have been arrested or silenced were using, or thought they were using, some kind of 'safe' technology to subvert both technological blockades and national laws? Until we know that, should we be prescribing these cures to patients we've never met and can't watch over?"

At the risk of going into a similar debate that took place on this listserv within the last year . . .

Is there any way to know how many people have been arrested or silenced when using a "safe" technology?  Not really.   No doubt it has  happened many times.  But I don't see why that would mean these technologies shouldn't be developed and distributed by Westerners in safe societies with access to the means to do so.  There is a long history of cat and mouse government information blockade circumvention that predates computers.  In every instance that circumvention information circuit involved unknown degrees of risk.

As long as the developers are honest about the capabilities of their applications, and the users have as good an understanding of the risks as is possible, I don't see a problem.  I'm speaking on a theoretical level here, not about the implementation of any one technology.  Haystack may have inflated claims about its capabilities and lacks clarity on what they are offering (if anything at all), and that is wrong.  But, Haystack aside, if we waited until we knew for certain whether a technology was entirely safe from government prying eyes or not we would just do nothing.  If any circumvention technology developer is going around claiming that they have developed an entirely safe technology, that is wrong.  I have a problem, though, with implicitly assuming that users in repressive countries are too naïve to weigh the risks of trying to get around government barriers.  I see that implication in the statement above, though perhaps that was not intentional.

I think that there is generally a good point  in that statement, but it only goes so far.  Any user of these technologies is probably already putting themselves at risk with their government.  Just having a face to face conversation with the wrong person, after all, will get you in trouble.  So if a safe Westerner thinks they can develop something that might give people in these countries an edge against a government, then by all means let them do it and feel good about it.


From: liberationtech-bounces at<mailto:liberationtech-bounces at> [mailto:liberationtech-bounces at<mailto:liberationtech-bounces at>] On Behalf Of Jim Youll
Sent: Thursday, August 19, 2010 10:32 AM
To: Mahmood Enayat
Cc: Liberation Technologies
Subject: Re: [liberationtech] Fwd: Haystack

On Aug 19, 2010, at 6:42 AM, Mahmood Enayat wrote:

The big players of circumvention solutions, which have received less attention, are all available here:<> , Why Haystack is not available online like them?

Cat and mouse can be played, yes.
But this technology is looking more and more like merely a way for privileged, warm, well-fed, free, safe Westerners to feel good about themselves while putting already at-risk populations at even greater risk of trouble.

Laws, guns, and prisons trump technological finesse. Period. This is not negotiable.

Keep in mind that US companies providing equipment to Internet providers are also providing access and monitoring capabilities in that equipment... at full OC3 speeds...

How many of the people known to have been arrested or silenced were using, or thought they were using, some kind of 'safe' technology to subvert both technological blockades and national laws? Until we know that, should we be prescribing these cures to patients we've never met and can't watch over?

"...But Chinese surfers often use proxy servers - websites abroad that let surfers reach blocked sites - to evade the Great Red Firewall. Such techniques are routinely posted online or exchanged in chat rooms. But China's 45 million internet users face considerable penalties if they are found looking at banned sites. According to human rights activists, dozens of people have been arrested for their online activities on subversion charges."

... Those attempting to access these banned sites are automatically reported to the Public Security Bureau. Internet police in cities such as Xi'an and Chongqing can reportedly trace the activities of the users without their knowledge and monitor their online activities by various technical means."

"...Around 30 journalists were known to be in prison and at least 50 individuals were in prison for posting their views on the internet. People were often punished simply for accessing banned websites"

"... The ministry of public security said 5,394 people had been arrested and that over 9,000 websites had been deleted for having pornographic content. The ministry did not say how many people had subsequently been put on trial. The authorities released the figures with a warning that its policing of the internet would intensify in 2010 in order to preserve 'state security'. China maintains strict censorship of the internet in order to make sure that unhealthy content, including criticism of the Communist Party, does not reach a wide audience."

liberationtech mailing list
liberationtech at<mailto:liberationtech at>

Should you need to change your subscription options, please go to:

liberationtech mailing list
liberationtech at<mailto:liberationtech at>

Should you need to change your subscription options, please go to:

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the liberationtech mailing list