March 2, 2015


Why did anybody believe Haystack?

Haystack, a hyped technology that claimed to help political dissidents hide their Internet traffic from their governments, has been pulled by its promoters after independent researchers got a chance to study it and found severe problems.

This should come as a surprise to nobody. Haystack exhibited the warning signs of security snake oil: the flamboyant, self-promoting front man; the extravagant security claims; the super-sophisticated secret formula that cannot be disclosed; the avoidance of independent evaluation. What’s most interesting to me is that many in the media, and some in Washington, believed the Haystack hype, despite the apparent lack of evidence that Haystack would actually protect dissidents.

Now come the recriminations.

Jillian York summarizes the depressing line of adulatory press stories about Haystack and its front man, Austin Heap.

Evgeny Morozov at Foreign Affairs, who has been skeptical of Haystack from the beginning, calls several Internet commentators (Zittrain, Palfrey, and Zuckerman) “irresponsible” for failing to criticize Haystack earlier. Certainly, Z, P, and Z could have raised questions about the rush to hype Haystack. But the tech policy world is brimming with overhyped claims, and it’s too much to expect pundits to denounce them all. Furthermore, although Z, P, and Z know a lot about the Internet, they don’t have the expertise to evaluate the technical question of whether Haystack users can be tracked — even assuming the evidence had been available.

Nancy Scola, at TechPresident, offers a more depressing take, implying that it’s virtually impossible for reporters to cover technology responsibly.

It takes real work for reporters and editors to vet tech stories; it’s not enough to fact check quotes, figures, and events. Even “seeing a copy [of the product],” as York puts it, isn’t enough. Projects like Haystack need to be checked-out by technologists in the know, and I’d argue that before the recent rise of techno-advocates like, say, Clay Johnson or Tom Lee, there weren’t obvious knowledgeable sources for even dedicated reporters to call to help them make sense of something like Haystack, on deadline and in English.

Note the weasel-word “obvious” in the last sentence — it’s not that qualified experts don’t exist, it’s just that, in Scola’s take, reporters can’t be bothered to find out who they are.

I don’t think things are as bad as Scola implies. We need to remember that the majority of tech reporters didn’t hype Haystack. Non-expert reporters should have known to be wary about Haystack, just based on healthy journalistic skepticism about bold claims made without evidence. I’ll bet that many of the more savvy reporters shied away from Haystack stories for just this reason. The problem is that the few who did not got undeserved attention.

[Update (Tue 14 Sept 2010): Nancy Scola responds, saying that her point was that reporters' incentives are to avoid checking up too much on enticing-if-true stories such as Haystack. Fair enough. I didn't mean to imply that she condoned this state of affairs, just that she was pointing out its existence.]


  1. The computer scientist / activists among us never believed it. Hell, we yelled as loud as we could to make others, including the media, hear that. But nobody wanted to listen. It took someone like Morozov to finally let it out.

  2. If someone is on deadline, they’re going to call or write the people who are already in their address books, or at most ask those people for other names. And given the nature of advocacy on the intertubes, they’re going to be at least a little suspicious of people trashing a product out of the blue. So if you want to have an effect on what gets reported, you need to get known by reporters before something happens that you want to comment on.

  3. Wikileaks has some of the warning signs you describe, “the flamboyant, self-promoting front man; the extravagant security claims; the super-sophisticated secret formula that cannot be disclosed; the avoidance of independent evaluation” although perhaps they have had more peer review at some internal process, but it seems they have the critical moral connectivity.

    So, do you believe Wikileaks to be secure?

  4. The question with Wikileaks is this: What security claims does Wikileaks make that it is asking others to rely on?

    Given all of the circumstances, including the likelihood that the communications of Wikileaks people are being monitored, I would not trust that communications with Wikileaks are anonymous. So if I (hypothetically!) wanted to leak a document to them, I would take my own measures to ensure that my submission was not traceable, not even by Wikileaks.

    The other property that Wikileaks claims to provide is availability, i.e., making sure that the documents on the site are available despite efforts by various authorities to block them or take them down. This property is easily observable, in the sense that users who pay attention can tell how well Wikileaks has done thus far at preserving availability.

    Contrast this last point with the claim of Haystack, to prevent detection of communications, which is very difficult for users to observe or evaluate—which makes users especially dependent on the provider.

    Though Wikileaks is not very transparent, and has other organizational issues, it seems to ask its users for less of a leap of faith than Haystack did.

  5. “Note the weasel-word “obvious” in the last sentence”
    In a 54 word run-on sentence, no occurrence of “obvious” is obvious or easily noted.