Is Steganography considered encryption and subject to USA export restrictions?

Question

I have written an application for Apple's iOS which embeds messages in JPEG files using steganography (see http://en.wikipedia.org/wiki/Steganography). For the purposes of this question lets assume that my steganography algorithm is well known, but I also use random embedding locations (meaning that a key is required to extract the payload).

In my mind this classifies as encryption, but what if I didn't use random embedding (anyone who detected the cover image could extract the payload using raster scan mode)?

This is more for my curiosity, and I will be filling out my application submission to claim encryption functionality regardless because I offer and additional layer of encryption in my application.

What country are you operating in? The US law no longer bans the export of cryptography. — , Apr 11 '11 at 17:59
However for the sake of discussion I am looking at exporting to all allowed countries. — Ben Holland, Apr 11 '11 at 18:32
The StackOverflow mods migrated the original question over, so I have merged the two to save confusion — Rory Alsop, Apr 12 '11 at 10:11
Simply publish it as free speech PGP style. https://secure.wikimedia.org/wikipedia/en/wiki/Pretty_Good_Privacy#Criminal_investigation — Incognito, Sep 16 '11 at 20:46

score 7 · Accepted Answer · answered Apr 11 '11 at 21:06

7

Encryption is about keeping some information confidential through a transform which requires knowledge of a "secret convention" to unravel. If there is a key and the key is needed to recover the data, then it is encryption.

In key-less steganography, there is still a "key" but a very short one. Steganography is about hiding data in an innocent-looking medium (e.g. a picture). The "secret convention" is then that your steganography method was applied, and the picture is not "just a picture". This can be viewed as a one-bit key...

I am not, in any way, a lawyer. My view is that of a scientist. In my view, your key-less steganography is not encryption per se, because a "one-bit key" stretches the definition of key a bit too far for my taste.

answered Apr 11 '11 at 21:06

Thomas Pornin

320,799
57
780
949

In every class dealing with cryptography that I've ever taken there is clear line drawn between stenography and cryptography. So I would be forced to agree with this answer. I'm curious if the law sees it differently. – Ormis Apr 11 '11 at 21:14
1

I also have to comment that even with (pseudo) random embedding, the data itself is fundamentally not being changed in any way, so i would not classify it as encryption. – Ormis Apr 11 '11 at 21:19
I would be inclined to agree with this response. I'm curious what side the law would take. http://www.bis.doc.gov/encryption/question1.htm has some interesting wording on the classification of cryptographic uses -> "Also note that Category 5, Part 2 includes certain items with Information Security functionality, whether or not the items have encryption functionality." – Ben Holland Apr 11 '11 at 23:30

score 5 · Answer 2 · answered Apr 11 '11 at 19:29

For the purposes of this document, your application uses encryption and should be looked at accordingly, starting with the section titled "Is my item classified under Category 5, Part 2 of the EAR?" - there are a lot of categories, but you'll be able to get through them pretty quickly.

If you pop this post over to security stackexchange you'll be likely to get input from some senior crypto folks on this!

score 1 · Answer 3 · answered Apr 11 '11 at 18:11

1

Steganography will classify as a means to encrypt messages. It actually would be more subject to export law as it is intended to get by without noticing it's an encryption. So yes, you are subject to export law both in the App store and in any software intended to be sold outside of your country. That is all providing your country actually has a cryptography export law

answered Apr 11 '11 at 18:11

justausr

483
3
6

I would have to agree that Stego is a sense worse than Crypto (at least from the perspective of the jail warden :P). Can you provide any sort of documentation that clearly classifies steganography under export restrictions? – Ben Holland Apr 11 '11 at 18:30
I don't think the EAR allows for value judgements of export control. There are controlled products and uncontrolled products, but no "more controlled" products. – Apr 12 '11 at 11:36

score 0 · Answer 4 · answered Sep 16 '11 at 16:26

Encryption is the act of rendering data unintelligible to unauthorised parties.

Steganography is the act of hiding data so that it's undetectable to the uninformed.

There is a very clear difference, from an academic point of view. You are not using encryption! However, export restrictions may nevertheless apply. As in all things of this nature, seek professional legal advice.

Is Steganography considered encryption and subject to USA export restrictions?

4 Answers4