Steganography and E-Discovery

What will courts and litigators do in e-discovery when irrelevant spam email contains relevant hidden messages?

From time to time issues arise under the evolving e-discovery rules that seem pretty hard to resolve - the use of steganography is one of them. Steganography is the art and science of hiding or obscuring messages so as to engage in covert communications. In e-discovery and evidence scenarios, steganography involves placing a hidden encrypted message in other data, usually a digital photograph, video file, audio file, or, yes, even spam. The recipient of the steganographic data uses a steganography key to unlock and decrypt the message.

Steganography is a dual-use technology: it can serve the important goal of protecting sensitive communications and the improper goal of hiding otherwise discoverable legacy communications.

For example, using an inexpensive steganographic program, manipulative parties who do not want their communications handed over in any upcoming case can use a proxy server to send what appears to be spam back and forth, with the messages containing "carrier" images that have embedded encrypted steganographic messages. This creates a nightmare e-discovery scenario for litigators on both sides of the case. The nightmare multiplies if the supposedly irrelevant spam e-mails contain links to third-party web sites that display steganographic images which contain relevant messages.

There are a lot of socially important uses for steganography. For example, in many contexts the right to privacy is protected and advanced by using steganographic messages, and one can certainly appreciate using steganography to protect important personal information like passwords, trade secrets, and financial information.

In addition, steganography can be used to protect intellectual property, for example by embedding a secret message in photos, websites, and videos and thus proving that an alleged defendant copied your works. Steganography can also be used by intelligence and military services as a secure method of communication.

Steganography challenges both document preservation and production. The current mainstream thought under the revised e-discovery rules is that requests for e-discovery should be proportional in nature and reasonably tailored to the facts and issues in the case. In essence, litigators currently make widespread use of reasonable keyword and "soundex" searches to distill out responsive electronic documents and emails - emails that look like spam are considered irrelevant and are generally neither produced nor requested (unless the case is over unsolicited e-mail).

But no automated keyword search will be able to distill out relevant messages made using steganography. No manual visual inspection will be able to detect messages in steganographic form - the photos look the same.

There are numerous inexpensive programs that help you create steganographic messages, such as Invisible Secrets. There are also some programs that help you detect steganographic files in a mass automated manner, such as StegoHunt from Wetstone. I suspect programs like StegoHunt will become a more important part of the modern civil litigator's e-discovery toolkit - especially if there is robust access during the case to hard drives and server drives for automated analysis.

The e-discovery case law will need to resolve very complex steganography issues.

  • How are litigators on both sides supposed to ensure the integrity and completeness of the e-discovery process in a world full of steganography?
  • What if seemingly irrelevant spam or emails contain relevant hidden messages?
  • When will the presence of a large amount of legacy steganographic messages be considered "not reasonably accessible" under the applicable e-discovery rules?

The only way to perform e-discovery in such a steganographic world would be to ask for and get all communications, all server drives, and all hard drives, and hope that you have evidence of prior steganography use to justify requesting seemingly irrelevant electronically stored information. Such a broad request, which on the surface covers data that is not reasonably calculated to lead to the discovery of admissible evidence, will be met with a lack of enthusiasm by the other side and most judges. If you get broad discovery or data access, then you would need to use automated steganography detection software with robust artificial intelligence like StegoHunt to possibly detect steganographic carrier files and then run your keyword search to see if the data is relevant to the case. The e-discovery effort, time, and cost from the possible use of steganography can become mind-boggling.
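As a narrow illustration of the automated carrier-flagging step described above, the following added example (not code from this article or from any product it names) walks an email's image attachments and flags PNG files that carry extra bytes after the end-of-image chunk. It covers only that one simple hiding place and will not find data embedded in the pixels themselves; the function names and the sample message are constructed for the illustration.

```python
import struct, zlib
from email import message_from_bytes
from email.message import EmailMessage

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def _chunk(kind, data):
    # PNG chunk layout: 4-byte length, 4-byte type, data, CRC-32 over type+data
    return struct.pack(">I", len(data)) + kind + data + struct.pack(">I", zlib.crc32(kind + data))

def tiny_png():
    """Constructed 1x1 grayscale PNG used as sample input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")

def png_trailing_bytes(blob):
    """Bytes found after the IEND chunk; None if blob is not a complete PNG."""
    if not blob.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 12 <= len(blob):
        length, kind = struct.unpack(">I4s", blob[pos:pos + 8])
        pos += 12 + length  # length + type + data + CRC
        if kind == b"IEND":
            return len(blob) - pos if pos <= len(blob) else None
    return None

def flag_carriers(raw_email):
    """Return (filename, extra_bytes) for image attachments with data after IEND."""
    hits = []
    for part in message_from_bytes(raw_email).walk():
        if part.get_content_maintype() == "image":
            extra = png_trailing_bytes(part.get_payload(decode=True) or b"")
            if extra:
                hits.append((part.get_filename(), extra))
    return hits

def build_sample(image_bytes, name):
    """Constructed spam-like message carrying one image attachment."""
    msg = EmailMessage()
    msg["Subject"] = "LIMITED TIME OFFER"
    msg.set_content("Click now for great deals!")
    msg.add_attachment(image_bytes, maintype="image", subtype="png", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    opaque = bytes(range(16))  # constructed stand-in for an encrypted payload
    print(flag_carriers(build_sample(tiny_png(), "clean.png")))
    print(flag_carriers(build_sample(tiny_png() + opaque, "offer.png")))
```

A flagged attachment is only a lead for closer forensic review: the trailing bytes are opaque, so a keyword search over them would still return nothing until the content is recovered.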

It will be an interesting e-discovery evolution to see how the steganography related legal, policy, and technical issues will be handled.