MIT Technology Review



A software tool designed to help dissidents circumvent government censorship of the Internet contains flaws so severe that it could endanger those who use it.

The tool, called Haystack, has won awards and praise for enabling political activists and ordinary citizens to beat government controls barring Internet content. But security expert Jacob Appelbaum warns that it leaves a trail of clues that could be used to find whoever’s using it, and what content they have accessed. Experts say this highlights the importance of having outside experts review technologies intended for this kind of use.

Haystack was created by the San Francisco-based Censorship Research Center, founded last year by two activists, Austin Heap and Daniel Colascione. The software was intended to “provide unfiltered and undetectable Internet access to the people of Iran,” according to the project website. Its creators received much attention: Heap was declared Innovator of the Year by the Guardian newspaper, and also received the First Amendment Coalition Beacon award.

The tool was billed as a way to access restricted Internet pages while hiding this activity from the authorities. Haystack’s creators claimed that it could do this by exploiting problems with Iran’s firewall, by encrypting communications between users and Haystack’s servers, and by disguising traffic sent to and from the tool so that users would appear to be visiting innocuous websites. But in the past month, experts have expressed concern that there had been no independent review of its ability to function as promised.

Appelbaum, along with Evgeny Morozov, a visiting scholar in the program on liberation technology at Stanford University, and civil liberties activist Danny O’Brien, in particular pressed for more details about how the software was built. They worried that vulnerabilities in its underlying code could allow protected messages to be decoded by government officials. After testing the software, their reaction was anger and dismay.

Appelbaum says that after hearing a description of how the tool functioned, he worried that it might not have been built correctly. But he became truly concerned once he tested it himself. Appelbaum and his colleagues broke the tool’s privacy protections in less than six hours. Appelbaum says it would be easy for government authorities to do the same.

“This is a system that’s so fragile, I can barely tell you how it operates without being extremely worried about the people who may have used it who had no idea that they were being put at risk,” says Appelbaum. “It’s incredible, and incredibly terrible.”

Appelbaum says he must be cautious about giving details of what’s wrong with Haystack for fear of further endangering those who might be at risk. But he says, “When you use the tool, it effectively alerts authorities that you are trying to use it.”


Credit: Technology Review

Tagged: Computing, security, censorship, Iran, censorship circumvention
