8 October 2001


Date: Mon, 08 Oct 2001 14:23:58 +0100
From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>
To: UK Cryptography Policy Discussion Group <ukcrypto.chiark.greenend.org.uk>

The Editor,
The Times,

Dear Sir:

In Friday's article, 'Secrets concealed by software' [1], you quoted me as saying that rather than using steganography, it was 'likely that they [al-Qaida] sent thousands of innocent messages along with their live orders, so that the secret information was missed.'

Your claim is untrue. I did not say that.

Your reporter called me and told me he had had a briefing from the security services that al-Qaida were using steganography, that is, hiding messages inside other objects such as MP3 files or images.  He asked me whether I thought this was plausible. I replied that although it was technically possible, it was unlikely; and that, according to the FBI, the hijackers had sent ordinary emails in English or Arabic. I explained that the main problem facing police communications intelligence is traffic selection -- knowing which of the billions of emails to look at -- rather than the possibility that the emails might be encrypted or otherwise camouflaged. A competent opponent is unlikely to draw attention to himself by being one of the few users of encryption or anonymity services.

For just the same reason, he is unlikely to draw attention to himself be sending unreasonably large numbers of messages as cover traffic. Instead, he will hide his messages among the huge numbers of quite innocuous messages that are sent anyway. Throwaway email accounts with service providers such as hotmail are the natural way to do this.

Unfortunately, the story that bin Laden hides his secret messages in pornographic images on the net appears to be too good for the tabloids to pass up. It appears to have arisen from work done by Niels Provos at the University of Michigan. In November last year, he wrote in a technical report that he could find no evidence that messages were being hidden in online images. By February this year, this had been been conflated by USA Today, an American popular paper, with an earlier FBI briefing on cryptography into a tale that terrorists could be using steganography to hide messages [2]. Similar material has surfaced in a number of the racier areas of the net [3], despite being criticised a number of times by more technically informed writers [4].

It is unclear what national interest is served by security agencies propagating this lurid urban myth. Perhaps the goal is to manufacture an excuse for the failure to anticipate the events of September 11th.  Perhaps it is preparing the ground for an attempt at bureaucratic empire-building via Internet regulation, as a diversionary activity from the much harder and less pleasant task of going after al-Qaida. Perhaps the vision of bin Laden as cryptic pornographer is being spun to create a subconscious link, in the public mind, with the scare stories about child pornography that were used before September 11th to justify government plans for greater Internet regulation.

Whatever the security services' motive, it is quite unclear to me why a 'quality newspaper' should have run this story, even after its technical and operational implausibility were explained to you in detail (see also 'Al-Qaeda hid coded messages on porn websites' [5]).

Could you kindly publish this letter as a correction.

Yours Faithfully

Ross Anderson
Reader in Security Engineering
University of Cambridge

[1] http://www.thetimes.co.uk/article/0,,2001340010-2001345085,00.html

[2] http://www.usatoday.com/life/cyber/tech/2001-02-05-binladen.htm

[3] http://www.feedmag.com/templates/printer.php3?a_id=1624

[4] http://www.wired.com/news/politics/0,1283,41658,00.html

[5] http://www.thetimes.co.uk/article/0,,2001340010-2001345211,00.html