The USA Today article was the first to put a number on how many stego-messages were on eBay -- a number so high that many doubted it immediately. Kelley's was also the first story to suggest that the government is specifically watching eBay, as opposed to other public Web sites. The detail that the messages "have been sent from Internet cafes in Pakistan and public libraries throughout the world" suggested that the messages found inside the image files had been encrypted, and the only thing the government was able to determine about them was the IP address of their servers.

The story had Internet libertarians crying foul. Technology reporter Declan McCullagh's Politech mailing list, one of the last bastions of circa-1995 government wariness on the Net, featured dozens of messages from readers who were sure the piece was bogus. Politech even challenged readers to find and decode an al-Qaida missive hidden in an image file on the Web.

Libertarian skepticism does not appear to be misplaced; there are several reasons to question USA Today's story. Kevin Pursglove, an eBay spokesman, says that while it's possible that the company somehow missed Jack Kelley's phone call, Pursglove and his associates in P.R. don't recall hearing from the reporter. Moreover, eBay has never been contacted by any government agency regarding possible terrorist communications on its site. "I'm not saying what he's reporting is not true," Pursglove said, "but it's just that nobody from the federal government has contacted us. We've got an investigations team here that has extensive contacts with federal authorities, with the FBI, the State Department, the CIA, the military. We have not had any contact at all about this."

Salon called several federal agencies to see whether they were indeed watching eBay, but the calls went unanswered. Jack Kelley, too, did not return calls. But many security experts, even those who believe that terrorists use steganography, disputed the specifics of Kelley's report.

Chet Hosmer, the president of WetStone Technologies, the company that first reported the possibility of hidden messages on eBay and which makes what many people say is the most advanced publicly available steganographic-detection software, said that in his research, very few messages on eBay show signs of being infected by terrorists. About one in 100,000 pictures "appears suspicious," but a much smaller number -- "one in every 15 to 20 million files" -- is "something that we really believe is a real hidden message."

Under this standard, for the government to have found 100 stego files, it would have had to analyze something on the order of 1 or 2 billion images. According to eBay's first-quarter financial results, the site hosted a record 138 million auctions last quarter. Extrapolating that number out for the 300 or so days since Sept. 11, we see that there have been fewer than half a billion eBay listings since the attacks -- simply not enough to account for "hundreds" of hidden messages.

Now, this back-of-the-envelope calculation rests on several assumptions; the most important is that the government isn't using a stego-detector more sophisticated than WetStone's. WetStone has received funding from the Department of Defense, but Hosmer says that the government could have much fancier technology, and so it could find stego-messages at rates much higher than one in 15 million. There's also a chance that the feds have information that allows them to narrow their search to specific sections of eBay, which would make their job considerably easier.

There's no question that tools to hide messages in image files are easily available on the Web, and most of them are point-and-click simple to use. But as these tools scramble the message into different parts of the image file, they add some discernible "pattern" of bits -- detecting stego is all about finding that anomalous statistical pattern in the code of what looks like an otherwise normal image.

Unfortunately, that process turns out to be what's known, in the jargon, as "computationally expensive." It's also somewhat buggy; there's a high false-positive rate. Consequently, when an image is suspected to have some hidden info inside it, it could take as much as 30 seconds, Hosmer said, to fully test it. That's why you wouldn't want to monitor all of eBay, as it would take quite some time to go through just one day's worth of images. "With our computer power, what we tend to look at is images that we may have sources saying are suspicious, and then test those. We would act like detectives in the real world," he said.
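As an added illustration (not from the article, and not WetStone's method), the sketch below runs one classical statistical test for least-significant-bit embedding, a chi-square test over pairs of pixel values, on constructed sample data. It also flags a clean but noisy sample, the kind of false positive described above; the 2.0 threshold and all sample generators are assumptions.

```python
import random
from collections import Counter

def pair_chi_square(samples, min_expected=5):
    """Pearson chi-square over value pairs (2k, 2k+1) of 8-bit samples.

    Overwriting LSBs with random-looking bits evens out the two counts in
    each pair, so the statistic drops to about the degrees of freedom.
    Returns (statistic, degrees_of_freedom).
    """
    hist = Counter(samples)
    stat, dof = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2
        if expected < min_expected:      # sparse pair: test unreliable, skip
            continue
        stat += ((even - expected) ** 2 + (odd - expected) ** 2) / expected
        dof += 1
    return stat, dof

def looks_embedded(samples, max_ratio=2.0):
    """Flag when the pair counts are 'too even' (assumed threshold)."""
    stat, dof = pair_chi_square(samples)
    return dof > 0 and stat / dof < max_ratio

def constructed_cover(n=50_000, seed=7):
    """Constructed clean image data: even values favoured within each pair."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        v = min(255, max(0, int(rng.gauss(128, 30))))
        out.append(v & ~1 if rng.random() < 0.4 else v)
    return out

def with_random_lsbs(samples, seed=11):
    """Constructed stand-in for an embedded, encrypted payload."""
    rng = random.Random(seed)
    return [(v & ~1) | rng.getrandbits(1) for v in samples]

def constructed_noise(n=50_000, seed=3):
    """Constructed clean data that is pure sensor-like noise, no payload."""
    rng = random.Random(seed)
    return [rng.randrange(256) for _ in range(n)]

if __name__ == "__main__":
    cover = constructed_cover()
    for name, data in [("cover", cover), ("random LSBs", with_random_lsbs(cover)),
                       ("clean noise", constructed_noise())]:
        stat, dof = pair_chi_square(data)
        print(f"{name:12s} chi2/dof={stat / dof:8.2f} flagged={looks_embedded(data)}")
```

The clean noise sample is flagged even though nothing is hidden in it, which is why a positive from a test like this is a lead to investigate rather than a finding.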

Acting like a real-world detective requires thinking like a terrorist, and asking yourself hard questions: If you were a terrorist, where on eBay would you hide your loot? To describe the difficulty of the task, Hosmer once coined a phrase that is often repeated by others who study steganography: "It's not like finding a needle in a haystack. It's like finding the right piece of straw in a haystack."

But the task is in fact more difficult than that, because after you find what you think is your piece of straw, there's really no way to know that you've got the right one. Earlier this year, Niels Provos, a graduate student at the University of Michigan, reported that after checking 2 million eBay listings, he'd found no suspect images. But when he described the study, he added, darkly, that "I can't answer the question of whether or not there is hidden content on the Internet. My negative result doesn't indicate that the hidden communications aren't there."

More recently, in response to the Politech challenge, Brian Ristuccia, a computer science student in Massachusetts, reported that he'd run some tests on Azzam.com, a pro-jihad site, and found that it had a very high positive rate for stego-images. Because these could be false positives, he's trying to use a brute-force "dictionary attack" to break into the messages -- but he doesn't hold out hopes that he'll find anything of substance. If he manages to crack open an image and find a message inside, Ristuccia says he's sure the message will be encrypted. Would that mean he's found the right straw in the haystack, the straw that hints at future terror? Short of cracking the encryption scheme -- a tremendously computationally expensive task -- he'll never know.

While the challenges in fingering steganography may cast some suspicion over the USA Today report, they also don't help make a case for the libertarian argument that the technology is relatively harmless. Neil Johnson, a steganography expert, says that he's aware that stego could be harmful, but he says much good can come of it, too. There are many scenarios "where the observation that you and I are communicating could cause a problem for one or both of us," he said, suggesting dictatorial regimes, military missions, that kind of thing. The argument has the flavor of a gun-rights rant -- secret messages can be used for evil, but if everyone used them, society would, on balance, be better. Steganography doesn't kill people, terrorists do.

For now, that argument doesn't seem especially crazy; but if, after the next terrorist attack, it's shown that the attackers used steganography to communicate with each other, governments are probably going to move against the technology.

To prevent disaster, Hosmer says that commercial sites and ISPs should take it upon themselves, now, to scrub their sites free of steganography. He suggests that sites that accept public images for posting scan each new image. He admitted that "there's no question that that certainly benefits us, but really there is no other way to police this. There's no way you can scan all the current information for the presence of this. It's too vast to police it any way, but these companies could detect it early and come up with information before it's too late."

EBay has no plans to do this, Pursglove said. "It would have such a negative impact on the site as a whole," he said, explaining that eBay doesn't host its own images, which would make such scans technically difficult. EBay already has many safeguards, including requiring sellers to provide a credit card and a physical address, which would leave a paper trail to any would-be terrorist. And, Pursglove added, if the government came to eBay and told the company about some suspicious material, "We would certainly cooperate with the authorities."
