Evgeny Morozov has been raising awareness of the need for a careful security review of Haystack, software developed by Austin Heap that the author describes as:
Haystack is not an ordinary proxy system. It employs a sophisticated mathematical formula to hide users’ real Internet traffic inside a continuous stream of innocuous-looking requests. In addition to providing anonymity, Haystack uses strong cryptography, ensuring that even if users’ traffic is detected, it cannot be read.
Last week I blogged about Haystack. That post, followed by a reply from Austin Heap, Haystack’s founder, triggered an interesting and at times heated discussion on mailing lists, blogs, and Twitter.
Some of that discussion was more heat than light, and I am sorry if my original post contributed to that. These issues are of huge importance. And in the interest of focusing on what really matters—the promise of systems like Haystack in protecting dissidents—I would like now to express my understanding of Haystack both more cogently and in greater depth. To be clear: I am not a security specialist. But since my blog post went up I’ve had many conversations with security/cryptology experts as well as with Austin Heap. I am very grateful for the conversations. My conclusions about Haystack remain very skeptical, and I will explain the sources of that skepticism here as well as reflect on what the Haystack situation reveals about the state of play in the “Internet & democracy” space. Let me emphasize once again that this post is not meant as an attack on Haystack or Austin Heap.
Read more on Net.Effect.
According to messages on Twitter earlier today, Haystack may be temporarily shut down. Jacob Appelbaum (@ioerror) tweeted:
After talking with Austin Heap last night, I’m happy to hear that he shut down Haystack until it receives a proper security design/review.
Working around internet censorship is valuable. Protecting the anonymity of dissidents can be a matter of life and death. Ensuring that something that claims to protect anonymity really can live up to the promise is critical. Kudos to Evgeny and others who raised the level of discussion and awareness about this and to Austin Heap for reportedly being willing to suspend things until a security review is completed.
Image credit: “anonymity” by kitakitts, Flickr, used under Creative Commons License