Software Uses Twitter, Flickr to Let Dissidents Send Secret Messages

In an attempt to make it easier for dissidents in countries such as China and North Korea to communicate without fear of government sanctions, researchers at Georgia Tech have developed software that can hide information inside messages posted to Twitter and other social networks, as well as in images that can be uploaded to photo-sharing sites such as Flickr and Picasa. The researchers plan to unveil the program — known as Collage — and a related research paper at the Usenix security conference next month.

Some dissidents in China and other countries communicate using external proxy servers and anonymous-proxy software such as the open-source Tor program. But these require administration of a server, and can be detected and disabled or blocked by governments and security forces. By hiding communications in Twitter messages and images uploaded to photo-sharing sites, the researchers — Sam Burnett, Nick Feamster and Santosh Vempala — say that they hope to get around some of these issues:

Oppressive regimes and even democratic governments restrict Internet access. Existing anti-censorship systems often require users to connect through proxies, but these systems are relatively easy for a censor to discover and block. This project offers a possible next step in the censorship arms race: rather than relying on a single system or set of proxies to circumvent censorship firewalls, we explore whether the vast deployment of sites that host user-generated content can breach these firewalls.

The software is made up of two distinct parts, according to a copy of the paper the research team plans to present at Usenix: there is a “message vector layer” that embeds the content in the Twitter message or photo — what the group calls a “cover traffic” — and a “rendezvous mechanism” that allows various parties to publish and retrieve the embedded messages once they are downloaded from Twitter or Flickr or some other social network. The researchers say their method won’t allow the sending of large files, but will allow the transmission of short text files or other communications.

Ironically, the software uses a data-encryption method called “steganography” to hide text inside images and other files, which is the same process that the Russian spy ring recently broken by U.S. authorities used to pass secret messages and files to each other while they were disguised as American citizens. Collage, which is written in Python, uses an image steganography tool called Outguess, and a text steganography tool called Snow. The program also makes use of web-browser automation software that allows Collage to simulate a user’s behavior in filling out forms, clicking buttons, etc., so that the content can be transmitted.

The researchers admit that it is likely the governments of various countries where the software might be used could discover the hidden messages and then block either specific users or social networking sites such as Twitter and Flickr (China has blocked access to Twitter on a number of occasions, including the recent anniversary of the Tiananmen Square riots). But they say in their paper that they hope most governments will be unwilling to block these services for very long, and that “the use of user-generated content to pass messages through censorship firewalls will survive, even as censorship techniques grow increasingly more sophisticated.”

While the software will make it easier for dissidents to disguise their communications and send information without being detected, however, it will also make it easier for others to smuggle information as well — including software pirates, child-porn distributors and other unsavory characters. But the downsides of the technology might be worth it if they help citizens evade persecution by repressive governments.

Related content from GigaOM Pro (sub. req’d.): As Cloud Computing Goes International, Whose Laws Matter?

Post and thumbnail photos courtesy of Flickr user Faithful Chant

loading

Comments have been disabled for this post