Friday, December 25, 2009


I’ve done a few posts in which I speculate about the state of the law in a particular area involving law and technology. This post, I’m afraid, is going to be even more inconclusive.

For a long time I’ve been looking for a good steganography case, by which I pretty much mean a reported (or unreported) decision in which a court addresses a stego issue. I still haven’t found one, so I’m going to base this post on comments in the U.S. Court of Appeals for the Ninth Circuit made in a decision that peripherally addressed steganography.

Before I proceed, I should probably generally describe what steganography is and why it might be a concern to lawyers and judges. Steganography is, as Wikipedia notes, “the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message”. Steganography is a little like cryptography, but unlike cryptography, steganography conceals the fact that there is a message, as well as the contents of the message.

Steganography is, as Wikipedia explains, an ancient device. As Wikipedia notes, in the fifth century B.C., Histiaeus, the tyrant of Miletus, used steganography to send a secret message to Aristagoras, his son-in-law and advisor. Histiaeus shaved the head of his favorite slave, tattooed a message on his head, waited for the hair to grow back and then sent the slave to Aristagoras, who knew to shave the slave’s head. Aristagoras read the message and attacked the Persians, as Histiaeus had instructed.

Computer technology makes steganography a lot easier to use. According to Wikipedia, the Steganography Analysis and Research Center has identified “[o]ver 725 digital steganography applications”. Digital steganography encompasses a variety of tactics, such as concealing messages in image or sound files.

Logically, then, digital steganography (which from here on I’m going to refer to as stego) seems to have the potential to create problems for law enforcement officers who are dealing with digital evidence. The Steganography Analysis and Research Center says it “presents a significant challenge . . . because detecting hidden information and then extracting that information is very difficult and may be impossible in some cases.” And both editions (2001 and 2008) of the National Institute of Justice’s Electronic Crime Scene Investigation: A Guide for First Responders mentions stego as something officers should be aware of when investigating crimes that involve digital evidence.

And yet, I can only find one reported case in which stego was an issue, and that was peripherally. That leads me to wonder if despite its potential as a means of hiding evidence, it simply isn’t being used, which means neither officers nor courts have had to deal with stego or the legal issues it at least potentially raises.

The one case that mentions stego is U.S. v. Comprehensive Drug Testing, Inc., 513 F.3d 1085 (U.S. Court of Appeals for the Ninth Circuit 2008). Actually, the issue came up several times in this course of this litigation.

As the court notes at the beginning of the opinion cited above, the case (which is really three consolidated cases) arose “from the federal investigation of the Bay Area Lab Cooperative (`Balco’) and its alleged distribution of illegal steroids to enhance the performance of professional baseball athletes.” U.S. v. Comprehensive Drug Testing, supra.

As part of the investigation, the government issued subpoenas to two companies that had tested urine samples from major league baseball players during the time period at issue: Comprehensive Drug Texting, Inc. (CDT) and Quest. U.S. v. Comprehensive Drug Testing, supra. The companies resisted producing the information sought by these subpoenas, so the government issued narrower subpoenas. The Major League Baseball Players’ Association (MLBPA) asked a federal judge to quash the subpoenas.

All of that was going on in federal court in San Francisco. When the government heard about the motion to quash, it applied for

a search warrant to search the CDT offices for the same information it was seeking in the grand jury subpoena. The search warrant application was made some 240 miles away in another federal judicial district, without notice to the Players Association or to the district court in the Northern District of California.

U.S. v. Comprehensive Drug Testing, supra. The application for the search warrant didn’t tell the judge to whom it was submitted that a motion to quash the CDT and Quest subpoenas had been filed. It said that “while not denying that they have the requested materials, CDT has declined to comply with the subpoena and has stated its intent to attempt to quash the subpoena.” U.S. v. Comprehensive Drug Testing, supra. In ruling later on the propriety of what the government did here, the Court of Appeals noted that

[t]he affidavit [submitted in support of the warrant] did not disclose that CDT had agreed in writing to keep the data . . . secured until the scope of the grand jury subpoena was settled, either through negotiation or a ruling on a motion to quash. Rather, the affidavit justified removing computer data and equipment from the searched premises on the basis that the computer data could be concealed, altered, or destroyed by the user.

U.S. v. Comprehensive Drug Testing, supra. The affidavit also justified the issuance of the search warrant on the grounds that

[c]omputer users can also. . . . conceal data within another seemingly unrelated and innocuous file in a process called `steganography.’ . . . [B]y using steganography, a computer user can conceal text in an image file which cannot be viewed when the image file is opened.

U.S. v. Comprehensive Drug Testing, supra. In fact, as the Court of Appeals later noted, the government did not have any evidence

or reason to believe that CDT had engaged in steganography . . . or any type of data destruction or alteration. To the contrary, it had accepted in writing CDT's assurances `that CDT will maintain and preserve all materials called for by the first subpoena as well as any materials called for by the new subpoena’ and that `CDT would not destroy or alter any of the materials called for by either of the subpoenas.’ However, the plain import of the application was that CDT was improperly resisting compliance with a valid grand jury subpoena and data was in jeopardy of being destroyed.

U.S. v. Comprehensive Drug Testing, supra. In its original opinion, the Court of Appeals held that this evidence justified the lower courts in finding that “the government made misleading statements in the search warrant applications.” U.S. v. Comprehensive Drug Testing, Inc., 473 F.3d 915 (U.S. Court of Appeals for the Ninth Circuit 2006) (opinion withdrawn and superseded by 513 F.3d 1085).

This observation doesn’t appear in the superseding opinion in the case, but that doesn’t matter to us. This post isn’t about what happened in the CDT case. It’s about stego and the legal issues it raises/might raise. I’m still wondering if there are any. According to a law review article, federal agents seeking computer search warrants “consider it standard practice to tell stories” in their search warrant affidavits about steganography and other “technology that can be used to hide data”. Paul Ohm, The Myth of the Superuser: Fear, Risk, and Harm Online, 41 University of California Davis Law Review 1327 (2008). That, of course, implies steganography isn’t being used which, if true, means there can’t be any live legal issues as to its use.

The legal issue I could see coming up with stego is whether, assuming we have effective tools to detect stego and stego-concealed data, a computer search warrant would have to specifically authorize the use to stego-detection tools or whether the use of such tools would be within the scope of the search generally authorized by the warrant. So, say the search warrant authorizes a search of a hard drive for child pornography. If the officer who gets the warrant suspects stego may have been used to hide data, does he/she have to include that in the affidavit for the warrant and request specific authorization to use stego-detection tools? Or is the use of stego-detection tools simply part of the general forensic examination process?

I raise that question because I can see an argument that the use of stego-detection tools implicates the Supreme Court’s holding in Kyllo v. United States. As I explained in an earlier post, the Kyllo Court held that it is a 4th Amendment “search” to use “technology that is not in general public use” to obtain information, especially from inside a home. As I’ve noted in other posts, a few courts have addressed the issue as to whether the use of forensic tools like EnCase is a search under Kyllo, i.e., whether the use of those tools requires some special authorization.

I can see a similar argument being made with regard to stego-detection techniques, if they exist and if and when there’s any reason to seek authorization to use them in analyzing digital evidence. But maybe I’m off base . . . maybe stego-detection is routinely being used as part of digital forensic examinations and the Kyllo issue hasn’t come up because defense attorneys haven’t keyed in on it or because it’s just not a live issue.

As I noted in an earlier post, in August of 2009 the Ninth Circuit revisited the issues in the Comprehensive Drug Testing litigation and issued an order that at least implicitly addressed the stego issue. As I noted in that post, in this decision the Ninth Circuit said that from that point on, “[w]arrants and subpoenas must disclose the actual risks of destruction” (and, I assume, concealment) of evidence. The purpose was to prevent the government from relying on general allegations that tools like stego “might” be used in conceal or destroy evidence. U.S. v. Comprehensive Drug Testing, Inc., 579 F.3d 989 (U.S. Court of Appeals for the Ninth Circuit 2009).

(On September 9, the U.S. Department of Justice moved to stay the decision pending the filing of a motion for certiorari, i.e., asking the U.S. Supreme Court to review this decision. See U.S. v. Comprehensive Drug Testing, Inc., Docket # 05-55354, (U.S. Court of Appeals for the Ninth Circuit). The Department later moved for rehearing, i.e., asked the Ninth Circuit to revisit the issues it addressed in this latest decision. And on December 18, the Ninth Circuit filed an order stating that it is considering whether it should grant rehearing in this case and “will issue an order granting or denying rehearing in due course.” So we’ll have to see what comes next; if the Ninth Circuit doesn’t grant rehearing, the Department of Justice will certainly try to get the U.S. Supreme Court to hear the case.)


Jim Wingate said...

I suggest the reason steganography has not come up in any legal cases is because CF examiners do not routinely conduct steganalysis in the course of their examinations. Another reason could be that they don't need to look for hidden evidence because they find enough in the clear in the course of conducting a traditional computer forensic examination.
I also suspect that even when use of steganography is revealed, prosecutors have their investigators and CF examiners find another way to get the evidence so they don't have to try to explain steganography to a jury ... which may be construed by some as potential evidence tampering because of the very nature of some steganography techniques to modify files. For example, the Least Significant Bit (LSB) image encoding technique modifies the LSBs of the carrier image in order to embed the hidden information.
Another reason steganography is not detected more frequently is because the general consensus among law enforcement computer forensics examiners seems to be that the "criminals we deal with are too stupid, too lazy, or both, to use steganography.
Finally, another reason steganograpghy is not detected more often is because no one believes anyone is using it, so why waste time looking for it. It's a classical paradox.

Susan Brenner said...

Thank you . . . that all makes a lot of sense.

I suspected it might, in part, be because there's usually no need to look for stego because my sense is run of the mill cybercriminals, and especially the child porn types, aren't using it. And if, as you say, there's lots of evidence in plain view, why bother with stego?

I wonder if it will become more of a problem in the future . . . as criminals become more sophisticated about all of this.

Jim Wingate said...

I believe it will become more of a problem in the future. There are already narco-traffickers like Juan Carlos Ramirez Abadia hiding information about his drug deals in pictures of Hello Kitty (Ref: Also, I believe insiders with access to sensitive information such as PHI and PII and Intellectual Property, etc. will be driven to find more technically sophisticated ways to hide information as network security tools such as Data Loss Prevention Systems and eDiscovery tools continue to get better. I think the fact there are 7,970,000 hits when you Google "information hiding" to be quite alarming. So my theory remains that use of steganography to steal information or otherwise conceal evidence of crminal activity is much more widespread than anyone knows and no one really knows because so few are even willing to try to look for it!

Kevin said...

It's a really interesting topic, since I've never really heard of any type of steganography coming up in court cases. But like Jim Wingate said, its probably because it's not often looked for. However, another problem with this exists because it is extremely difficult to even detect stego. While a few tools exist out there, like StegDetect, they are nowhere near perfect, and have many problems. They usually only return a percent of how likely stego has been used.