Billions Read His Code.Seven Days in Evin. No Regret.
The story of Behdad Esfahbod — creator of HarfBuzz, detained by Iran's Revolutionary Guards, and the invisible fragility of open-source infrastructure
Billions Read His Code.
Seven Days in Evin. No Regret.
The story of Behdad Esfahbod — creator of HarfBuzz, detained by Iran's Revolutionary Guards, and the invisible fragility of open-source infrastructure
─── ✦ ───
The Code You Never See
Every time you open a web browser, read a text message, or scroll through a document on your phone, something needs to turn raw Unicode characters into the correctly shaped glyphs you actually see on screen. For scripts like Arabic, Persian, Devanagari, and dozens of others, this is not a trivial task — characters change form depending on their neighbours, reorder themselves, and merge into ligatures governed by centuries-old calligraphic rules.
The engine that handles this, on virtually every platform in existence, is HarfBuzz — an open-source text-shaping library embedded in Google Chrome, Firefox, Android, LibreOffice, GNOME, and countless other systems. It ships on billions of devices. Its creator and principal maintainer is Behdad Esfahbod, an Iranian-Canadian software engineer.
In January 2020, the Islamic Revolutionary Guard Corps arrested him on a Tehran street.
─── ✦ ───
The Arrest
Esfahbod was visiting Iran to see his family. After lunch with his father, four plainclothes IRGC intelligence agents stopped him. He was taken to Evin Prison — Tehran's most notorious detention facility, operational since 1972 and internationally condemned for systematic human rights abuses including torture, mock executions, and prolonged solitary confinement.
He spent the next seven days in solitary confinement in Ward 2A, the section reserved for those the regime wants leverage over, not simply punishment. He was blindfolded even when outdoors. His phone was confiscated and raided. He endured daily interrogations lasting up to eight hours.
RISK: The IRGC's objective was not prosecution. It was recruitment. They wanted Esfahbod to become an informant — to spy on Iranian activists and diaspora networks across three countries.
─── ✦ ───
Why Him
Esfahbod's profile made him an ideal target for intelligence exploitation. He was not a political activist, but his social and professional networks intersected with exactly the communities Iran's security apparatus wanted to penetrate.
| Factor | Detail |
|---|---|
| Green Movement links | He had friendships with many people involved in Iran's 2009 post-election protest movement, including diaspora media figures. He had published photos with them on social media. |
| Technical expertise | The IRGC pays particular attention to software engineers with knowledge of content filtering and circumvention tools — capabilities directly relevant to Iran's internet censorship infrastructure. |
| Institutional access | As a senior engineer at Facebook (previously Google and Red Hat), he had connections across Silicon Valley's most strategically significant companies. |
| Dual nationality | As an Iranian-Canadian, he could be detained inside Iran but operate freely in Western networks — the classic profile for coerced intelligence assets. |
─── ✦ ───
The Deal He Made to Survive
Under sustained psychological pressure, Esfahbod did what many detainees in his position have done — he promised cooperation. This secured his release on bail, posted by his sister, without formal charges ever being filed.
He then left Iran immediately, flying first to Doha, then to Portugal. Upon attempting entry to the United States, he faced hours of additional questioning at Newark airport.
The IRGC's playbook was clear: arrest, isolate, pressure, extract a promise, release, then activate the asset later through encrypted communications.
─── ✦ ───
The Refusal
Months after his release, the IRGC attempted activation. They contacted his sister in Tehran, demanding that Esfahbod call them. A court summons was delivered to her home, giving him five days to report to Evin court for further interrogation.
Esfahbod refused. Instead, on 17 August 2020, he published a detailed account of his detention on his personal blog. He described the regime's agents as 'professional abusers' whose greatest fear was public exposure.
Like every abuser, their biggest fear is that I expose them. So that's what I'm doing.
— Behdad Esfahbod
His story was subsequently covered by The New York Times, The Guardian, CBC, and Arab News, among others.
─── ✦ ───
The Cost
Going public came at an enormous personal price. The trauma of his detention meant he could no longer work his position at Facebook — a role that reportedly paid $1.5 million per year. His relationship with his partner broke down. Isolated and consumed by anxiety, his mental health deteriorated into what he later described as full-blown mania.
He has since been recovering, and has channelled some of his experience into documentary filmmaking.
His code, meanwhile, continued shipping — silently rendering text on billions of screens, maintained by a man the world's most powerful technology companies depended on but could not protect.
─── ✦ ───
The Structural Lesson
Esfahbod's story is part of a broader pattern that Can Artuc's writing on Medium has been documenting with precision: the invisible fragility of open-source infrastructure.
HarfBuzz, like xz Utils (the compression library targeted by a likely nation-state supply chain attack in 2024) and curl (Daniel Stenberg's single-maintainer HTTP tool embedded in 10 billion installations), represents a critical single point of failure in the global software supply chain.
| Project | Maintainer(s) | Devices | Threat |
|---|---|---|---|
| HarfBuzz | Behdad Esfahbod | Billions | State coercion of maintainer |
| xz Utils | Lasse Collin (solo) | ~4 billion Linux systems | 849-day infiltration by state actor |
| curl | Daniel Stenberg (solo) | ~10 billion | AI-generated vulnerability spam |
WARN: These are not hypothetical risks. In each case, a single human being — unpaid or underpaid, often without institutional support — was the only thing standing between billions of users and compromise. The open-source ecosystem's greatest strength (transparency) is also its greatest vulnerability (exposure of the maintainer).
─── ✦ ───
Implications for the Region
For those of us tracking the current Iran-Gulf conflict theatre and the broader geopolitical dynamics of the region, Esfahbod's case is a reminder that the IRGC's intelligence operations extend far beyond military confrontation. The coercion of technical talent — particularly those with access to global infrastructure — is a deliberate and systematic strategy.
It also raises uncomfortable questions for the technology industry: if a Senior Staff Engineer at Google and then Facebook can be detained, interrogated, and psychologically broken by a state actor, what protections exist for the thousands of less-visible open-source contributors who travel internationally?
The answer, as of today, is: almost none.
─── ✦ ───
Closing Reflection
Behdad Esfahbod's code makes your phone render this text correctly. His shaping engine ensures that Arabic calligraphy flows properly in your browser, that Devanagari script stacks correctly in your documents, that the 139 writing systems of the Unicode standard are served faithfully on every platform.
He built this as a gift — open source, freely available, rooted in a desire to make Persian work beautifully in software.
The state that claims to represent Persian civilisation repaid him with a blindfold and a cell.
─── ✦ ───
Ilahi anta maqsudi wa ridhaka matlubi, a'tini mahabbataka wa ma'rifataka
Disclaimer: This analysis is prepared for informational and educational purposes. Views expressed are those of the author and do not represent institutional positions. Sources include publicly available reporting from The New York Times, The Guardian, CBC, Arab News, IranWire, Track Persia, and Wikipedia.