Social and Ethical Issues of Steganography

A lot of the current controversy surrounding steganography can be characterized in terms of tension between government, industry and individuals. There are two main reasons for this. Firstly, the publishing and broadcasting industries have become interested in techniques for hiding encrypted copyright marks and serial numbers in digital films, audio recordings, books and multimedia products; an interest in new market opportunities created by digital distribution which is coupled with a fear that digital works could be too easy to copy.

Secondly, moves by various governments in the past and present to restrict the availability of encryption services has motivated people to study methods by which private messages can be embedded in seemingly innocuous cover messages. The ease with which this can be done may be an argument against imposing restrictions.

Powerful encryption tools are widely available to people all around the world, and there seems to be nothing that can stop these technologies from spreading, to innocent, security conscious individuals and criminals alike. From the government's point of view, the availability of strong encryption methods to the general public is a threat to public security and safety; terrorists and criminals can communicate freely, since the officials do not have any possibility of decrypting or, in the case of steganography, even detecting these digital messages. Therefore, there are initiatives in the U.S. and in Europe that intend to preserve the law-enforcement and signal-intelligence capabilities of governmental agencies by restricting the import, export and use of these powerful security tools, or by requiring that they include "back doors" that would allow law enforcement agencies to decrypt and read these encrypted messages at will.

One of the main drawbacks of using encryption is that when you see an encrypted message you know that it's an encrypted message. If someone captures a network data stream or an e-mail that is encrypted, the mere fact that the data is encrypted might raise suspicion. The person monitoring the traffic may investigate why and use various tools to try to figure out the message's contents. In other words, encryption provides confidentiality but not secrecy. With steganography, however, the information is hidden, and someone looking at a .jpg image, for instance, wouldn't be able to determine if there's any information within the image. So hidden information could be right in front of our eyes, and we wouldn't see it. It is possible to combine steganography and encryption by first encrypting the data and then using steganography to hide it. This two-step process adds additional security. If someone manages to figure out the steganographic system used, he wouldn't be able to read the data he extracted because it's encrypted.

This makes governments and law enforcement agencies very nervous. One of the disadvantages of using plain encryption was that it is relatively easy to monitor who is talking to whom, when, how and so forth. For example, if a known drug-dealer is sending encrypted messages to someone not yet under suspicion, the implications are pretty clear. But with steganography, law enforcement officials aren't even sure there are messages being passed back and forth. For example, if two people decided to communicate without alerting others that they were in fact communicating they might do so by mean of a public forum that allows postings of pictures, such as USENET. The entire public exchange between the two people is completely inconspicuous and virtually untraceable.

In the wake of 9/11, officials suspected that the terrorists may have been communicating using images of items that were put up for auction on eBay. With Ebay being such a high volume site, this made it an ideal medium of communication in that the ability to monitor who visited what page is very difficult. Also, due to the large number of images on the site it would be practically impossible to scan all images that are submitted to the site for steganographic content. And even then, there is no assurance that you have detected all the modified images.

During the Second World War, message detection was improved on while new technologies were developed which could pass more information and be even less conspicuous. The Germans developed microdot technology that FBI Director J. Edgar Hoover referred to as "the enemy's masterpiece of espionage." Microdots are photographs the size of a printed period having the clarity of standard-sized typewritten pages. The first microdots were discovered masquerading as a period on a typed envelope carried by a German agent in 1941. The message was not hidden, nor encrypted. It was just so small as to not draw attention to itself (for a while). Besides being so small, microdots permitted the transmission of large amounts of data including drawings and photographs.

With many methods being discovered and intercepted, the Office of Censorship took extreme actions such as banning flower deliveries which contained delivery dates, crossword puzzles and even report cards as they can all contain secret messages. Censors even went as far as rewording letters and replacing stamps on envelopes.

One might be tempted to think that such a thing would no longer happen in our free speech centered, liberal world, but consider this. After video tapes of Bin Laden were released to the media, the US government prohibited the public airing of the tapes out of fear that they would contain hidden messages to his followers.

Other applications for steganography include the automatic monitoring of radio advertisements, where it would be convenient to have an automated system to verify that adverts are played as contracted; indexing of video mail, where one may want to embed comments in the content; and medical safety, where current image formats such as DICOM separate image data from the text (such as the patient's name, date and physician), with the result that the link between image and patient occasionally gets mangled by protocol converters. Thus embedding the patient's name in the image could be a useful safety measure.

Where the application involves the protection of intellectual property, we may distinguish between watermarking and fingerprinting. In the former, all the instances of an object are marked in the same way, and the object of the exercise is either to signal that an object should not be copied, or to prove ownership in a later dispute. One may think of a watermark as one or more copyright marks that are hidden in the content. With fingerprinting, on the other hand, separate marks are embedded in the copies of the object that are supplied to different customers. The effect is somewhat like a hidden serial number: it enables the intellectual property owner to identify customers who break their license agreement by supplying the property to third parties.

In one system we encountered, a specially designed cipher enables an intellectual property owner to encrypt a film soundtrack or audio recording for broadcast, and issue each of his subscribers with a slightly different key; these slight variations cause imperceptible errors in the audio decrypted using that key, and the errors identify the customer. The system also has the property that more than four customers have to collude in order to completely remove all the evidence identifying them from either the keys in their possession or the audio that they decrypt. Using such a system, a subscriber to a music channel who posted audio tracks to the Internet, or who published his personal decryption key there, could be rapidly identified. The content owner could then either prosecute, revoke the key, or both.

With just these few examples we can see that the uses of steganography are wide and varied; ranging from legitimate personal privacy to product control, from patient confidentiality to corresponding between terrorist. It is easy to overlook the good in the face of the overwhelming fear that is aroused when faced with the possibility of yet another 9/11. However, that does not mean this tool should be banned or restricted. Indeed, with the rapid deployment of anything placed on the internet, any attempt to do so would be futile, perhaps detrimental, and would prevent those in industry and academia from perusing research in this field, research in such things as detection and extraction. That, seemingly, is the logical conclusion, but with government the logical conclusion isn't necessarily the one that is acted on.

[ Back ] [ Next ]