A highly lauded privacy tool designed to help Iranian activists circumvent state spying and censorship has been disabled after an independent researcher discovered security vulnerabilities in the system that could potentially expose the identities of anonymous users.

Users have been instructed to destroy all copies of the software, known as Haystack, and the developers have now vowed to obtain a third-party audit of the code and release most of it as open source before distributing anything to activists again.

Haystack is designed to encrypt a user's traffic and also obfuscate it by using steganography-like techniques to hide it within innocuous or state-approved traffic, making it harder to filter and block the traffic. Despite its nascent status, Haystack got widespread media attention, including from Newsweek recently.

The tool is still in development, but an initial diagnostic version was being used by "a few dozen" activists in Iran when security researcher Jacob Appelbaum, a U.S. volunteer with WikiLeaks, discovered vulnerabilities in the source code and implementation of the system that could potentially place the lives of activists at risk.

Austin Heap, one of the tool's developers, has faced sharp criticism from Appelbaum and others for failing to vet the tool with security professionals before distributing it for use. The media have also been criticized for failing to properly examine the system before praising it as an option for activists.

"The more I have learned about the system, the worse it has gotten," Appelbaum said. "Even if they turn Haystack off, if people try to use it, it still presents a risk.... It would be possible for an adversary to specifically pinpoint individual users of Haystack."

Heap told Threat Level that distribution of the test program had been highly controlled among a small group of select users, and that all of the participants, except one, had been informed beforehand that there were potential risks in using software that was still in development.

"They are all people who are aware of the risks who use other anti-censor tools and had expressed a direct interest to me or others that they would like to be part of the test program," Heap said.

Nonetheless, he and colleagues decided to halt human testing of the program this week and use only machine testing going forward, in light of the criticism from Appelbaum and others. He said the group would open-source 90 percent of the code before releasing a version to users.

"All of the encryption routines, all the parts that are tantamount to protecting a user's privacy will be publicly released," he promised.

Appelbaum, a developer for the Tor Project, which developed and maintains the Tor anonymity and anti-censorship tool, disputed that distribution of Haystack was controlled. He said the tool was available for download from multiple sites on the internet, including Heap's own web site, which Threat Level confirmed.

Although Heap assured Appelbaum that the program had been disabled by Saturday, Appelbaum found he could still use it without problems as of Sunday evening. He decided to go public with his criticism out of concern that some users might still be unaware of the risks of using it.

Appelbaum said he reverse-engineered and broke the code in a couple of hours with friends on Sunday. He planned to release a paper later this week discussing the vulnerabilities.

He was reluctant to provide details of the problems, which he feared could give Iranian authorities a map to track users, but described two vulnerabilities in the way the system was implemented. The vulnerabilities could allow authorities to easily and quickly identify anyone who used the program.

The issue has caused a rift between Heap and his chief programmer Daniel Colascione, who only recently returned to the project after a hiatus. Colascione told Threat Level Monday evening that he was considering withdrawing from the project permanently due to Heap's implementation of it and Appelbaum's criticism.

"I [had taken] a hiatus with the project because I had become disillusioned with our opaque development style and our approach to the press, and I came back because I convinced myself that I could try to improve the situation," he said. "I wanted a policy of transparency and forthright disclosure of our progress. But after this has happened, I'm wavering with whether I want to continue with that direction."

By Tuesday morning, Colascione announced his decision to resign from the Censorship Research Center, the nonprofit established to support Haystack. In a note sent to the Liberation Tech mailing list, Colascione wrote that the organization's actions had done "irreparable" damage.

I would like to stress that I am not resigning in shame over the much-maligned test program. It is as bad as Appelbaum makes it out to be. But I maintain that it was a diagnostic tool never intended for dissemination, never mind hype. I did have a solid, reasonable design, and described it in our brief overture of transparency. _That_ is what Haystack would have been. It would have worked! What I am resigning over is the inability of my organization to operate effectively, maturely, and responsibly. We have been disgraced. I am resigning over dismissing pointed criticism as nonsense. I am resigning over hype trumping security. I am resigning over being misled, and over others being misled in my name.

Colascione acknowledged to Threat Level that in addition to the vulnerabilities, there had been mistakes in how distribution of the tool was controlled.

"That was the stated policy that everyone would be fully informed of the risks and that we would control distribution tightly, but unfortunately in this instance that policy broke down.... At least one of our testers distributed the copy without authorization and without our knowledge."

It was intentionally distributed to two dozen people and, based on traffic logs, it did get into other hands – though not many.

"If we had seen a vast spike in traffic, we would have been aware long ago that something amiss was going on," Colascione said.

The diagnostic tool was distributed to gather user experiences and to examine specific features, according to Colascione.

"It was never intended to be an early version of the tool, just a program that establishes some parameters for developing the tool," he said. "Frankly, this is a debacle, a disaster and an embarrassment, because this tool was not representative of our final plan for Haystack. It’s a separate lineage, and to be judged on the basis of that is immensely frustrating."

Heap and Colascione developed Haystack last year after the Iranian government clamped down on the internet activities of local citizens who were protesting the results of the country's national elections.

Heap told Newsweek last month that the tool would have advantages over other anti-censorship tools, such as Tor, Psiphon and Freegate – which could hide a user's identity but could not hide the fact that someone was using a privacy tool. Haystack hides a user's packets inside nondescript packets that censors don't block and that don't raise suspicion – such as packets sent from officially sanctioned government agencies themselves.

The tool and Heap quickly garnered a lot of media attention in the wake of growing interest over the Iranian government's efforts to censor and track protesters. But there was one obstacle in the way of Haystack being adopted by Iranian users – U.S. laws bar trading with Iran without a special government license. According to Newsweek, the State Department took a special interest in Heap's program and fast-tracked his application. Heap told Threat Level, however, that he got no special consideration and that it took nine months to get his license.

Appelbaum said he doesn't have confidence that Heap or anyone working with him will be able to put out a finished product that achieves the level of privacy and security they claim the tool will achieve.

"There are definitely possibilities for steganographic protocols," he said. "But I have zero confidence that they could do it. With the Iranian government doing deep-packet inspection and having a copy of their [Haystack] program and [Haystack developers] failing to do peer review, I believe they will never get it correct.... When charlatans make these claims, they should not be trusted."

Photo: Vito/Flickr