[liberationtech] Haystack and informed consent—A legal/philosophical response to Jacob's concerns
bram.cohen at yahoo.com
Sat Sep 11 13:16:16 PDT 2010
In terms of what the potential risks are to users and whether those users
understand them, I think it's important to make clear what risks we're talking
about. There's the chances that the user will be caught with software in their
possession, which I think common end users understand just fine. Then there's
the potential consequences of being caught with the software, which I suspect
potential users understand reasonably, and in many cases better than we
Finally, there's the chances that an adversary will be able to track back to a
user based on their network traffic alone. That's the one which I think end
users don't understand at all, and where highly technical issues matter a lot. I
suspect that the best possible defense one can conduct here is fairly weak, but
it should still be done as effectively as possible, which Haystack currently does not.
Going over my preliminary notes on the system as a whole, I think the biggest
mistake Haystack has made so far is actually a very high level one regarding
choice of users. By restricting the userbase to a small number of high-value
users, Haystack has potentially made it easy for Iranian authorities to identify
a small number of high-value users just by virtue of the fact that they're using
Haystack. A much more prudent approach would be to discourage the people who are
already very at risk from using the tool until there are a decent number of
people using whose primary legal risk is that they're using the tool at all, and
are otherwise uninteresting to the authorities. For example, Tor has thousands
of users in Iran right now, making running it at all reasonably non-suspicious.
It definitely is easy for the Iranian firewall to identify Tor users, because
they're all going through a relatively small number of IPs which bridges are on.
Whether those IPs aren't blocked out of incompetence or a desire to maintain the
ability to identify Tor users is very unclear.