Dropsafe

by Alec Muffett

WTF? @evgenymorozov somehow blames inadequate US Government regulation for the #Haystack debacle

I’m right up there with Evgeny in Slate, until page 2:

[ed: Context: Heap blamed, Media Blamed … ]

But I don’t think that Heap’s deceptive advertising and the media’s poor watchdogging are the main culprits here. What made Haystack possible was the U.S. government’s urge to embrace the power of the Internet to democratize the world—and to do so as fast as possible, without first designing appropriate procedures and regulations to guide its digital operations.

Haystack had to leap several bureaucratic hurdles to become operational. Because of U.S. sanctions on Iran, any American entity—such as Heap’s Censorship Research Center—that wants to export goods to the country is supposed to go through a rigorous review process. The exporter also must be granted a special license by the Office of Foreign Assets Control at the U.S. Treasury Department, with the Departments of State and Commerce often having a part to play as well. According to that August Newsweek article, Haystack “caught the attention of the State Department, and it was fast-tracked for speedy approval.” While a State Department official told me no such “fast-tracking” took place, it seems impossible that any government agency examined Haystack’s claims closely or that anyone with knowledge of computer security scrutinized the software. […]

I find this statement appalling in two distinct ways:

  • The parochiality of “What made Haystack possible was the U.S. government’s urge…” – I haven’t seen such subtext of “all technology comes from America and for the good of the world the US Government should regulate it and only let the good stuff out” since the midst of the Crypto Wars, back when various three-letter-agencies were trying to foist Clipper and Skipjack upon the world. For sure you don’t want American (or any) companies sending thumbscrews to Tehran, but this is software and thus a form of “speech” – had Haystack been fully open-source and ideally hosted outside the USA there would not have been a regulatory issue in the first place.
  • Secondly – for me, more ominous – is that Evgeny seems to be suggesting that a Government department with some finite amount of resources and rigour is capable of distinguishing between good software and bad software. That’s not how it works – the metric applied is “is this something we’re willing to permit?”

For the sake of innovation a pro-regulation attitude is something of which the Internet needs to see less – regulation is a bad proposition for the software industry, especially for open-source; Haystack/Heap was foolish to embrace both closedness and regulatory oversight in pursuit of credibility, but having sought one that he was given a license should be irrelevant in so very many ways.

And I believe Evgeny would do well to do some background reading, starting with DJB vs USA.

Comments

5 responses to “WTF? @evgenymorozov somehow blames inadequate US Government regulation for the #Haystack debacle”

  1. Jillian C. York

    To me this doesn’t imply more regulation but fair licensing; Google Chrome is not licensed (by OFAC or BCIS, same restrictions as Haystack) for distribution in Syria. This is either a fail on the part of Google (in applying for a license) or a fail on the part of State (for not allowing Google to obtain one). What this says to me is that Haystack was possibly given preferential treatment because of its intent as a tool of “Internet freedom.”

    Do I think Haystack should have been given a license? That’s a moot point: I don’t agree with the export control restrictions on downloadable technologies. But I will say that Haystack was certainly no more deserving of a license than Google.

    Reply
  2. alecm

    @Jillian: I believe I understand what you’re saying, and I think I mostly agree with you.

    My experience of export control licensing comes from the practical end of writing crypto/security-related stuff at Sun Microsystems, and either hardwiring it into the operating system (bad for export licensing) or connecting it in via “generic interfaces” that were not necessarily crypto-related, permitting differential software distribution which was good for export licensing compliance.

    Oh, and the whole thing was complicated by Sun being simultaneously a software vendor, a hardware vendor, a vendor who sold hardware preinstalled with software, and a high-performance computing vendor whose top-end hardware could do faster cryptographic network throughput than was permitted to leave the USA except when destined for a handful of friendly countries.

    So I am in total agreement with you when you say “I don’t agree with the export control restrictions on downloadable technologies” because I have had painful experience of walking down that particular knife-edge. Thus if anyone is saying:

    It’s unfair that Haystack was granted a license when Google Chroome was not granted a license.

    …then although I will mentally remap that to:

    It’s ludicrous that Haystack was given a meaningless certificate that should not have any validity when Google Chroome was not given a meaningless certificate that should not have any validity.

    …and above and beyond that I will:

    1. Ask: how on earth does the granting of a meaningless certificate that should not have any validity mean that the Government is at fault for Haystack?
    2. Observe that if you clap your hands and say you believe in the license fairy, then it will get stronger. And then it will come for you. It’ll come for all of us.

    Re: (1) we could blame the media all over again, but we’re already doing that.

    [edit: update, typos fixed and a couple of missing words]

    Reply
  3. Jillian C. York

    Alec, to your latter points, I most certainly agree. I don’t think the government is TO BLAME for Haystack, but I do think that the alleged (whether true or not) “fast-tracking” of Haystack through the licensing process does contribute to the overblowing of the product, and subsequently, to putting Iranian lives in danger.

    The sheer fact that State purports to be all about Internet freedom (and let’s be honest here, a lot of folks are falling for it hook, line, and sinker) then simultaneously denies said freedom to Syrians, Iranians, etc (whether by denying a license, or making the process so ridiculously bureaucratic that companies err on the side of caution) is why we should be angry, and NOT because Haystack happened to get that meaningless certificate.

    Reply
  4. Jillian C. York

    Meant to add that…at that point it’s just semantics. Evgeny’s wording might not be ideal, but essentially, we’re all on the same side here.

    Reply
  5. alecm

    “fast-tracking” of Haystack through the licensing process does contribute to the overblowing of the product…

    Yes, I agree totally; I can completely buy the notion of some media-friendly flack pushing Haystack through the process on the grounds of it sounding like a cool thing to do, and not realising that this would further inflate the media bubble which made him/her aware of it in the first place.

    Your second paragraph I would print out and stick on my office door, if I had an office door.

    And I agree we’re likely on the same side… but being a professional security guy – you know, the OCD anally-retentive nerds who nitpick shit for a living because it occasionally becomes important – the one thing I would never do is cede ground to the concept that export control of ideas, concepts, speech, and software[1] in any way aids the United States of America, let alone humanity.

    Then I’ll repeat Evgeny’s words:

    “What made Haystack possible was the U.S. government’s urge to embrace the power of the Internet to democratize the world—and to do so as fast as possible, without first designing appropriate procedures and regulations to guide its digital operations.”

    I cannot see any perspective I can draw where that is not a statement in support of regulation, or at least blessing some form of state interference.

    [1] ie: speech and concept made tangible

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

More posts