Viewpoint: Criminals can hide data in plain sight

By Prof Alan Woodward
Department of Computing, University of Surrey

image captionIt may not look like it but this promotional image of James Bond has been treated to contain a message hidden within it

Is there a hidden threat right under our noses? Each day billions of messages are sent over the internet.

Not surprisingly, some contain very sensitive information and much effort goes into making sure these messages are unreadable by anyone other than the intended recipients.

This is the essence of cryptography. But, there is another option: hiding messages in plain sight, the electronic equivalent of invisible ink.

We can think of all messages as falling into one of three categories:

  • "Sense" - where the message is sent "in the clear" and anyone intercepting the data can read it as easily as a valid recipient.
  • "Nonsense" - where the intercepted data is turned into nonsense so that only someone with the right key can convert the message back from nonsense to sense. This is cryptography.
  • "Missense" - where the message is embedded in some innocuous looking data so that no one would suspect there was a hidden message. This is known as steganography.

Although you don't realise it, you are probably using steganography already in your everyday electronic lives as it is used extensively to "digitally watermark" electronic data with information such as the copyright owner.

New technologies have emerged that are capable of holding considerable amounts of information, whilst having no perceptible effect on the object being digitally watermarked. Photographs, music and even e-books all use forms of this technology, as a deterrent to bootleggers.

Missing missense

Whilst digital watermarks are intended to hold information such as copyright data, the techniques can also be used to embed hidden messages in digital objects, and this poses a problem for any law enforcement agencies trying to conduct surveillance.

If something is sent "in the clear", you can set up filters to look or words of interest and use those to trigger a closer look at the data in question.

Even better if something that looks like nonsense. It is quite likely to be of interest. After all if someone has gone to all the trouble of encrypting data to make it look like nonsense then you can assume that it is something the sender values, and hence something worth paying much closer attention to.

However, anything that is sent as "missense" is highly likely to be missed, as it will look to all the world like some innocent piece of data.

It is the classic conjuring trick of misdirection. This matters in the modern world as the volumes of data that any eavesdropper has to sift through are vast.

image captionSpotting "missense" might involve combing through a files' data rather than looking at what it appears to show

No-one can analyse every piece of data that could potentially be captured and so if a piece of data looks like, say, a picture but actually it contains a secret hidden document, no-one will know to conduct further analysis on that picture.

Governments and the military are not the only ones who want to pass messages securely.

Criminal code

Obvious candidates are terrorist groups and organised crime. Those who may have reason to think they may be under surveillance may find steganography very appealing, as such messages need not be passed using simple email.

Imagine, for example, someone posting apparently innocent photographs on a social media site, but the item actually contains the secret message.

The whole world can see it but only those who know where to look can see the intended message.

And what about a disgruntled employee using his/her work email to send a picture of the children to a friend but actually they are shipping out your most commercially sensitive information?

Your intellectual capital could be disappearing before your eyes and you'd never know it even if you read all of their emails.

Reading between the letters

It is sometimes difficult to know even what type of object can hide a message. Some very innovative forms have emerged in recent years.

One of those I found most impressive was where the spacing of letters on a web page varied very subtly but in such a way that it conveyed hidden messages. You could read the pages quite normally and learn all about the tourist spot or whatever was being described, but all along you were looking at hidden data that you didn't recognise as such.

There is also a way of having the best of both worlds: encrypt a secret and then embed it using steganography. In this way, even if the hidden message was detected, it could not be read.

However, whilst the research into digital watermarking continues to mature, the research into detection of hidden messages is still in its infancy.

Decoding encrypted messages (so called cryptanalysis) has long been studied, with efforts such as those at Bletchley Park during World War II being rightly celebrated.

Detection of hidden messages - known as steganalysis - has no such pedigree. In part this is because various studies of large data sets on the internet failed to detect the use of steganography, and so it is not considered a threat. But, if the hiding techniques used were advanced enough, the immaturity of the detection techniques means that these studies were fundamentally flawed.

So will message hiding ever be widely used? I think it inevitable that the bad guys on the internet are already using these techniques.

There are freely available tools to enable you to do all of what I have described above, and these tools continue to advance.

What is required is proper funding of the detection techniques, or at the minimum, some more reliable method of determining if steganography is being used for hiding messages en masse, if we are to have a proper understanding of the threat.

Alan Woodward is a visiting professor at the University of Surrey's department of computing. He has worked for the UK government and still provides advice on issues including cybersecurity, covert communications and forensic computing.

More on this story

Related Internet Links

The BBC is not responsible for the content of external sites.