[liberationtech] New testing and disclosure policy
Daniel Colascione
daniel at censorshipresearch.org
Mon Sep 13 07:23:37 PDT 2010

Due to concerns raised in this forum, we have halted ongoing testing
of Haystack in Iran pending a security review. We have begun
contacting users of Haystack to tell them to cease using the program.
We will not resume testing unless security concerns are addressed in
an open and transparent way.

We have also reviewed communications concerning potential testers of
Haystack in order to determine whether our disclosures have been
sufficiently thorough. In all cases we informed our contact that the
program was a test version of Haystack. We also made it our policy to
inform each tester that the test program should not be used to access
or send sensitive information. On at least one occasion, we did not
make this point explicitly -- though we told our contact in that case,
multiple times over email and oral conversations, that what he or she
had was a prototype that still required months of work.

The reason for this variance was that our communications with contacts
were often informal, and were often oral. The primary weakness of our
disclosure process was that it relied on third parties who were in
direct contact with the testers. This is unacceptable. We should have
created a uniform risk disclosure message, ensured it reached each
user, and ensured that the test program displayed the risk disclosure
each time it ran.

As Jacob mentioned, we have halted the ongoing tests of Haystack in
Iran. We have always planned to submit Haystack to a third party
security review prior to a wider release. We will resume testing only
after this review verifies that Haystack provides the security
guarantees we've made.

If and when we resume testing, we will create a regular, formalized
notice, sent to each tester manually and embedded in the test program
itself, that informs each tester (in his or her native language) of 1)
the program’s status as an incomplete prototype, 2) the legal and
extralegal consequences he or she may face if found using the program,
and 3) the program’s unsuitability for sensitive information. We will
also solicit community feedback on the precise message we use.