Software should be vetted before media coverage puts testers at risk

The Tartan editorial board has created the perfect encryption software. It can’t be broken. Its users can’t be tracked. We have proven algorithms. We have examined the code line by line. There are no bugs. Even better, it was approved by the United States government. Protesters and journalists everywhere will sing our praises.

What’s that? You want to see the code yourself? Absolutely not. It’s a secret.

It sounds naive and ridiculous to us, too. But that is what Austin Heap and his associates at the Censorship Research Center claimed to achieve over the last year. They created a protocol, named Haystack, that would allow dissidents to avoid government tracking and filtering software. They distributed it insecurely (either by flash drive or a shared Gmail account; there are conflicting stories) to testers in Iran. The media loved them — Newsweek covered Heap in depth on Aug. 6. Congress loved them — Senator John McCain (R–Ariz.) met with Heap as well. The Treasury Department authorized Haystack for international distribution. Heap was an American superhero, fighting oppressive regimes around the world.

There was only one problem with this magical technology that would bring Iran and North Korea to their knees. A month after the Newsweek feature, security researchers discovered that it didn’t work. Flaws in Haystack could allow governments to expose and track individual users. Furthermore, Heap lost control of his network. When asked, he was unsure how many users he had or how to protect them. These flaws are not typically qualities one wants in anonymizing software or its authors.

There are several lessons that we can take away from this event, which was an embarrassment for Heap and his associates and a potential crisis for his testers in Iran and elsewhere. The first is that open access to circumvention technologies is essential during testing. Haystack’s source code was not released, so it was not until after it had been deployed that its flaws were discovered. The second is that members of the media and the government have a responsibility to make sure they investigate before celebrating a new magical technology. If these figures lack the technical expertise to test it themselves (which is likely), they should go to a third party with access to the source code for confirmation. In our zeal for freedom, we cannot forget the importance of caution.