9

I'm moderating a closed section of a forum - think 'covered by NDA' (not actually, but it's a good equivalent of the situation), with restricted access.

Sometimes we find screenshots from that forum posted by some rogue user anonymously in places where they definitely shouldn't appear. And the screenshots being anonymous, with no discernable features, don't let us find the rogue and draw consequences.

I'd like to learn of some way to affect page appearance so that a screenshot of it could be traced to the author of the screenshot - maybe some kind of steganography that can survive lightweight compression, or other inconspicuous elements that would allow us to identify whose account these screenshots were made from? Specifically, possible to appear broadly enough that even a relatively small part of the screen (say, one post) is sufficient to identify the culprit?

I tried "cooking my own" embedding something akin to a low-contrast barcode in borders around posts, but it was neither inconspicuous enough nor durable enough to survive 85% quality JPEG compression.

SF.
  • 211
  • 1
  • 5

4 Answers

7

This looks like a classical Canary Trap. Basically I would suggest hiding encrypted information about the user in different ways:

  • obvious QR-Code (as suggested by slugster)
  • different colors (as suggested by Nick Wilde)
  • page viewed as username - footer on each page
  • replacing certain words with synonyms
  • code information in spaces and interpunction within the text

If the user compresses/reduces the size of the screenshot, you can still guess / measure the different interpunction of the text - combined with another measurement the user might "forget" to remove all of them.

Regardless of the steganographic method I would suggest encrypting the data with a public/private-key mechanism to ensure that if someone reads out or assumes that there is data and tries to read it out, the person isn't able to find it easily.

jwacalex
  • 186
  • 2
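
An added sketch (not code from any of the answers) of the synonym-replacement idea in the answer above: each viewer gets a per-post word pattern that survives image compression because it lives in the text itself, and a cropped leak is matched back against the accounts. It uses a keyed HMAC in place of the public/private-key encryption the answer suggests; the secret, synonym slots, post text and account names are all constructed for the example.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: secret known only to the forum server
# Constructed synonym slots; each slot hides one bit (word 0 or word 1).
SLOTS = [("big", "large"), ("quick", "fast"), ("begin", "start"),
         ("help", "assist"), ("show", "display"), ("often", "frequently")]
# Constructed post text with one placeholder per slot.
TEMPLATE = ("A {0} change is coming. Please be {1} to report bugs. "
            "We {2} testing on Monday and will {3} anyone who asks. "
            "Logs {4} errors {5}.")

def user_bits(user_id, post_id, n=len(SLOTS)):
    """Per-viewer, per-post bits from HMAC-SHA256; unguessable without SECRET."""
    mac = hmac.new(SECRET, f"{user_id}:{post_id}".encode(), hashlib.sha256).digest()
    return [(mac[i // 8] >> (i % 8)) & 1 for i in range(n)]

def render(template, user_id, post_id):
    """Serve the post with each slot filled by the synonym this viewer's bit selects."""
    bits = user_bits(user_id, post_id)
    return template.format(*(SLOTS[i][b] for i, b in enumerate(bits)))

def read_bits(leaked_text):
    """Recover slot bits from text transcribed off a leak; cropped slots are skipped."""
    words = set(leaked_text.lower().replace(".", " ").replace(",", " ").split())
    seen = {}
    for i, pair in enumerate(SLOTS):
        hits = [b for b, w in enumerate(pair) if w in words]
        if len(hits) == 1:  # ignore slots that are missing or ambiguous
            seen[i] = hits[0]
    return seen

def suspects(leaked_text, post_id, accounts):
    """Accounts whose expected bits agree with every bit visible in the leak."""
    seen = read_bits(leaked_text)
    return [a for a in accounts
            if all(user_bits(a, post_id)[i] == b for i, b in seen.items())]

if __name__ == "__main__":
    accounts = ["alice", "bob", "carol", "dave"]  # constructed account names
    page = render(TEMPLATE, "carol", "post-42")
    crop = page.split(". ")[2]  # a screenshot showing only the third sentence
    print(page)
    print(suspects(page, "post-42", accounts), suspects(crop, "post-42", accounts))
```

Six slots give only 64 patterns, so a single post narrows the candidates rather than proving identity; more slots per post, or several leaked posts combined, shrink the set further.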
2

There is no way that you can ensure that. There are a couple of other methods you can use to attempt to fingerprint it but any reasonably adept user can easily avoid it really.

  • (as slugster said) QR Code.
  • Use a unique sequence of colours on a border - Better than text since tiny text is often not legible in a compressed jpeg even when a colour sequence is. Also better than something that looks like a QRCode as it doesn't look to everyone like identifying data so less likely to have it stripped.

Any method can easily be avoided really for a screenshot within seconds for someone with my skills.

The important factors are:

  • Due to compression/small image size legibility is crucial even after those. This makes tiny text borders not ideal.
  • If it is not 100% apparent that it is identifying information it is less likely to be stripped. This also makes tiny text borders not ideal - same for QRCode or a barcode that looks like a barcode.
1

Would embedding user specific information into a discreet QR code using two different colours that produce enough contrast but are still complementary to your page theme do the trick?

I would use CSS to place it behind the text of any post so that it's difficult to remove from a screenshot. If the dots are chunky enough you should still be able to read it even with text across it. Or if the image was tiled across the critical area then you should always be able to reconstruct a complete image whatever the content you had overlaying it.

Generating the QR image would be a once-off operation when a user creates an account, the image can then be cached on the user's machine to reduce bandwidth.

Of course this is not totally foolproof, but you've made it more difficult for the rogue user to hide their identity. Of course this also doesn't preclude a login being hacked (or shared), so that the account holder is not necessarily the infringer. It may help prevent photos of the screen being shared provided the QR code is still discernible.

slugster
  • 171
  • 1
  • 3
0

As you appear to be talking about a forum, an easy option would be to change the usernames of other users, or possibly join dates, or some element that can be used to subtly alter the screen in a way they couldn't correct for. Note that this doesn't help any if they simply start copy/pasting the content out of the site though, since they could strip that information.

AJ Henderson
  • 41,816
  • 5
  • 63
  • 110