Follow Up on the Haystack Issue
I should have mentioned this in my post last night, but I was caught up in thinking about the civil liability issues surrounding Haystack’s security flaws. Nevertheless, Haystack, the software designed to help users circumvent government censorship measures on the web, has been shut down for the time being. Austin Heap, the executive director of the US-based Censorship Research Center (CRC), announced this on Monday while also issuing a warning to Iranians using the Haystack software to stop.
CRC has claimed over the last year or so that users of Haystack were protected from the prying eyes of government officials in Iran, a claim that, if false, could spell grave danger for its users, who undergo extreme risk from government backlash against participation in political activism, including that taking place on the web. Some of CRC’s claims relate to Haystack’s purported ability to make a user’s web traffic appear normal, innocuous, and unencrypted. Further, there were claims that Haystack would be “exceptionally difficult to detect and block automatically”. This safety was to be ensured by “elliptic curve cryptology”, the same technology that the United States National Security Agency trusts with its “top-secret data”.
The United States Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) authorized the export of Haystack to Iran via a specific license in April of this year. However, the aura of invincibility surrounding Haystack was recently tested by Foreign Policy technology journalist, Evgeny Morozov. Mr. Morozov claims that there are serious security flaws with the software and such flaws could put its users’ lives at great risk.
I spoke with Mr. Morozov recently. He made some excellent points about the lackadaisical manner in which this software was authorized for export and the problems with Haystack’s claims. While I do support what Austin Heap is trying to do with this software, Mr. Morozov has a point. If these security flaws do exist, then Haystack could do more harm than good. It all goes back to that old saying, “You’ve got to do the right thing in the right way or it’s wrong.”
The author of this blog is Erich Ferrari, an attorney specializing in OFAC litigation. If you have any questions please contact him at 202-280-6370 at 202-351-6161 or ferrari@ferrari-legal.com.