[liberationtech] Deconstructing the security risks narrative of Haystack
Greg Broiles
gbroiles at gmail.com
Sat Sep 18 18:36:56 PDT 2010
On Sat, Sep 18, 2010 at 1:48 PM, Gabe Gossett <Gabe.Gossett at wwu.edu> wrote:
> I agree that questioning the US government's role in this is worthwhile, but for a different reason than funding (though that is important). While there was no open peer review of Haystack there was some sort of unpublicized government review. The extent of that review is an important question. When I spoke with Austin about this issue he assured me that there had been some sort of rigorous testing and review of Haystack that preceded issuing the OFAC license. What would be valuable to know is how extensive the review really was. Whatever may be the case, Haystack received a stamp of approval, and was lent authority, when the license was issued. I have no idea what the reality of the review process was, but according to the OFAC license there was an application of some sort that CRC submitted. Knowing contents of that application might help us better understand government policy, and how sound it is, on issues like this.
Export licenses from BXA and OFAC are granted because of policy
reasons, not technical merit. Anyone who believes or implies that an
export license is a guarantee of quality is, to be generous, mistaken.
If you look at the last approximately 20 years of cryptographic export
control in the US and US policy generally regarding cryptography and
privacy, you'll find that US government approval and export licensing
typically implies that a given system is weak, breakable, or known to
be broken. This is not a conjecture or a conspiracy theory - it was a
deliberate, explicit policy choice that only software which was
vulnerable to analysis by US intelligence agencies should be made
available from US sources to non-US citizens.
They finally gave up and created an export license category for strong
crypto software which is basically already available without
restriction globally anyway, so that US crypto export control policy
isn't explicitly laughable on its face; but beyond that, the US
government is *not* in the business of creating greater freedom or
privacy.
If (and that's a big "IF") any technical review was undertaken of the
Bullseye/Haystack source code, it was intended to make sure that the
US and its allies would not be prevented from tracing communications
sent through Haystack.
The US government doesn't care about the safety of Iranian activists.
Seriously. Not at all. Zero.
Systems like Bullseye/Haystack present the US government with a
no-lose proposition. Consider the possibilities:
Haystack is effective: Iranian government looks weak.
Haystack is effective, Iranian government responds with repression:
Iranian government looks like totalitarian monsters.
Haystack is effective, Iranian government does not repress: Iranian
anti-government actors are emboldened, make more trouble or regime
change.
Haystack is ineffective: Iranian government looks like totalitarian monsters.
And, in case it's not obvious, "Iranian government looks like
totalitarian monsters" leads directly to State Department pressure for
international ostracism/sanctions, and eventually "liberation" similar
to Iraq or Afghanistan.
So they don't care at all if the system actually provides effective
privacy or circumvention to users - that's not the goal. The goal is
to make Iran's position worse and the US' position better, and
Bullseye/Haystack does that no matter what its technical performance
is.
> Interestingly, the government has never publicly explicitly connected itself to Haystack, or at least not that I have seen. They might be partially responsible for the claims CRC was making, primarily by giving them a stamp of credibility, but there is not much solid evidence available. I understand that there are freedom of information requests pending on Haystack's OFAC license, but I think it would be surprising if they actually made it somewhere.
Export licenses and applications are exempt from FOIA disclosure. See
Times Publishing v. Dept of Commerce, 236 F.3d 1286 (11th Cir. 2001);
Lessner v. Dept. of Commerce 827 F.2d 1333 (9th Circ. 1987).
--
Greg Broiles, JD, LLM Tax, EA
gbroiles at gmail.com (Lists only. Not for confidential communications.)
Legacy Planning Law Group
San Jose, CA
California Estate Planning Blog: http://www.estateplanblog.com
Certified Specialist- Estate Planning, Trust & Probate Law, California
Board of Legal Specialization