Austin Heap, the 25-year-old executive director of the US-based Censorship Research Center (CRC), has warned Iranians to stop using Haystack, which purportedly allowed web users to evade government censorship undetected.
"We have begun contacting users of Haystack to tell them to cease using the program," Heap wrote Monday.
The Censorship Research Center had previously claimed that Haystack users were protected from the prying eyes of government officials in a country where, since its 2009 election-rigging protests, the risk of participating in political activism, including on the web, has been extremely high.
Separately, the government had used lawful interception software provided by Nokia Siemens Networks, which has since been alleged to have played a key role in the arrest and torture of an Iranian journalist.
CRC's Heap promised Haystack would make a user's web traffic appear as "perfectly normal, innocuous, and unencrypted web traffic", and claimed it would be "exceptionally difficult to detect and block automatically".
He had suggested users would be safe due to its so-called "elliptic curve cryptology" that the US National Security Agency trusted with its "top-secret data".
The software gained some notoriety after the US Treasury's Office of Foreign Assets Control (OFAC) in April authorised its export to Iran.
But Heap's confidence in Haystack waned following a 9th September report by Foreign Policy technology journalist Evgeny Morozov, which questioned the software's claimed imperviousness. In a nutshell, Morozov argued against its use because CRC had failed to provide any evidence that it could deliver the security it claimed, and it therefore put users at greater risk.
"Recently, there has been a vigorous debate in the security community regarding Haystack's transparency and security," Heap said.
"We believe that many of the points made in this debate were valid. As a result, and in order to ensure Haystack's security, we have halted ongoing testing of Haystack in Iran pending a security review.
"We will not resume testing until this third party review is completed and security concerns are addressed in an open and transparent way."