[liberationtech] Fwd: Haystack

[Gabe Gossett]

I just had a an email exchange and phone conversation with Austin.  He will is in the process of joining the list (waiting on approval) and shared proof with me that he is indeed licensed by  Office for Foreign Assets Control.  I felt like he made a good case for what he is doing and why he is doing it that way.  I am not a programmer (distance librarian here), though, so some others on this list might want to address other questions to him once he joins.   I believe that he would like to make an effort to clear up some of the questions with Haystack and perhaps once he is on the list we can all address our concerns to him at the same time (I guess a number of us have emailed him today).  He told me that he feels like he is in a rough spot on this, so let's give him a fair chance to discuss our concerns.

-Gabe



From: Jim Youll [mailto:jyoull at alum.mit.edu]
Sent: Friday, August 20, 2010 3:44 PM
To: Gabe Gossett
Cc: Liberation Technologies
Subject: Re: [liberationtech] Fwd: Haystack

opinion: not much to debate about Haystack. A reason to periodically review, going forward, is to propagate concerns until its promoter and those with concerns* can publicly square up questions and answers. There is nothing special about the questions that need to be asked. Otherwise, the product gets a free pass.

No security product should get a free pass. Every security product in use today - and taken seriously - has been subjected to significant open review. "Effective... as far as we know" is the strongest claim you will hear from respected crypto/privacy/security professionals.

- - -

* "Critics" implies "cranks" sometimes in this context so I won't use the word. There exists a large, well-qualified audience of concerned experts for all crypto/privacy/security technologies.  I'm not one of them, just an admirer. They deserve to be heard, and their words given serious weight.

On Aug 20, 2010, at 1:54 PM, Gabe Gossett wrote:


I followed the link below to the story below about Haystack being granted a US license, which goes to Austin Heap's blog.  So I tried to find anything more substantial about this government license and found nothing, including nothing at the Treasury Dept. website.  In fact, the Office of Foreign Assets Control (cited in the post) has a page where they have listed all of the actions they have taken in the past year: http://www.ustreas.gov/offices/enforcement/ofac/actions/index.shtml

According to Heap's blog post, dated April 14, "Today, the Censorship Research Center ("CRC") announced that it has received critical United States Government authorizations required to export anti-filtering technology to Iran."   But CRC is listed nowhere.

Making this appear even more bogus is that, according to a NY Times story published more than a month before this blog post<http://www.nytimes.com/2010/03/08/world/08export.html>, the Treasury Department issued exemptions for "a general license for the export of free personal Internet services and software" in Iran, among other countries.  This is a general license for any company.  So when Austin's blog post claims that "The CRC is the only organization licensed to export such software to Iran,"  it is very misleading.  Basically, from what I can find at this point, there is no evidence that the US government has given Haystack any form of approval, much less vetting.

I sent Austin an email asking for proof that Haystack works.  We'll see if we hear anything.

-Gabe

From: liberationtech-bounces at lists.stanford.edu<mailto:liberationtech-bounces at lists.stanford.edu> [mailto:liberationtech-bounces at lists.stanford.edu] On Behalf Of Evgeny Morozov
Sent: Thursday, August 19, 2010 11:47 PM
To: Liberation Technologies
Subject: Re: [liberationtech] Fwd: Haystack

I would like to add another thread to this fascinating discussion: as some of you may know, Haystack has also been granted a US government license<http://blog.austinheap.com/anti-censorship-software-licensed-by-us-government-for-export-to-iran/> to legally distribute their software in Iran (that is, they are not subject to the usual set of sanctions-related restrictions on the export of technology to the country). I also believe that Hillary Clinton mentioned Haystack - at least in passing - in one of her speeches.

Whatever the merits of Haystack's technology - and I must confess that I'm in with the most skeptical members of this thread - such endorsement by the US government may have also given Iranians a false sense of security and at least some nominal assurance that Haystack has been properly vetted on its technological merits. (Since it was US Treasury that granted them a license, one cannot be 100% sure that such vetting actually did take place).

This is not to necessarily bash Haystack, but to point out the inefficiencies of the current sanctions regime on Iran and the kind of unintended consequences it creates.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20100820/29374951/attachment.html>