Haystack and Heap were lauded by the press. Newsweek wrote about the pair in glowing terms in August and the BBC also reported the same story. Earlier in the year The Guardian made Heap Innovator of the Year and posted a cringeworthy video interview with him. They wrote one story under the subhead
Austin Heap, the programmer from California, explains how he created Haystack, the software that broke the grip of Iran's censors after the disputed 2009 election
All these stories are light on actual facts and opinions from anyone other than Heap himself. And Heap does seem to have skirted the truth (or at least done a good publicist's job of exaggerating). He allowed The Guardian to write "Heap is the creator of Haystack, a piece of software which was a key technology used by Iranians to disseminate information outside the country in the protests that followed the disputed election result in June 2009" (and say the same thing in the video interview) without correcting them.
We know today that Haystack doesn't yet exist. There's a test version that's been disseminated to a small number of people in Iran, and that test version doesn't live up to the hype (from the media and from Heap himself). But it's worth putting aside Heap's narcissism and looking at the media response. Journalists deal with people pushing stories and press releases every single day. Part of their job is to look through the claims and dig out the reality. That didn't happen for Haystack.
It's notable that the news stories around Haystack focus on interviews with Heap, and don't include quotes or opinions from any reputable computer security folks. Or anyone who's worked on the problem of hiding Internet traffic in the past. That's simply a failure to be a journalist. There's no excuse for not asking a computer security expert for an opinion before publishing.
Today the press is reporting the opinion of computer security experts, why didn't they ask when the story first broke?
The answer, I think comes in the form of The Myth of the Boy Wizard. For the media the David/Goliath story of a cocky kid who takes on a government is irresistible. The media loves these "14 year old writes winning iPhone app", "16 year old Indian boy invents solar panel" etc. The story is not the fact that Austin Heap took on Iran, the story is Austin Heap.
The Boy Wizard is a potent image for the media because tied up in it are our own fears of aging and our hopes for salvation. The idea that the young are smarter than the old, and that the young will somehow save the old from their own problems, makes a wonderful subtext that draws readers in. Who hasn't read a story about a youthful genius and shaken their head and thought: "He's so young!" or "I could never have done that" or even "I wish I had the free time to do that"?
And so the media ignored people like me with their greying hair and ran with the story. At the same time Heap was ignoring us also. We know now that many people who know something about computer security tried to contact him and offer help. They were ignored or rebuffed. When I first saw the story of Haystack in Newsweek my BS detector went wild and I blogged my response and I wrote directly to Newsweek saying:
In your article "Computer Programmer Takes On the World's Despots" you appear to have taken the author of the supposed Haystack program at his word. There are no quotes from people who've used the software, nor from people who've seen the software. How do we know that Austin Heap is telling the truth, and, more importantly, how do we know that the software works as advertised?
Surely, it's very basic journalism to have talked to more than one person about this subject.
I received no response.
Had I known about The Guardian's articles back in March I would have been banging on them as well. It's not just bad journalism to take someone at their word and publish glowing articles, in this case it's downright dangerous. Real people inside Iran could have been endangered by this over-hyped piece of software.
The Guardian, and others, need to think hard about their actions, and not simply publish "we were duped" stories in response. Any reputable computer security person would have told you of their doubts about Haystack, but it looks like many media outlets, The Guardian included, just didn't bother to ask.