While in this current 'manic' article writing stage I thought I'd share a sensitive project I built for a charity during COVID. This is a very sensitive topic so I have gotten all applicable permissions and agreed to ONLY share the concepts which diverge and are a lot more trivial than the real system.
It's part of a long history of hiding messages in plain sight and it's still as critical as ever from passing messages in school to massive multinational corporate espionage and world powers spying on each other.
Throughout human history, the need to communicate secretly has driven remarkable innovations. From ancient tyrants to Cold War spymasters to modern developers solving safety challenges, hiding information in plain sight has been both an art and a science. This post explores the fascinating evolution of covert communication systems, from messages tattooed on scalps to a JavaScript-based secure chat system I built that was so subtle, even active monitoring wouldn't reveal its existence.
Our story begins around 500 BCE with Histiaeus of Miletus, a Greek tyrant held captive in Susa by the Persian king Darius I. Desperate to communicate with his son-in-law Aristagoras back in Miletus without arousing Persian suspicion, Histiaeus devised an ingenious solution.
He selected his most trusted slave, shaved the man's head, and tattooed a message directly onto his scalp. After waiting for the hair to grow back, he sent the slave to Miletus with simple instructions: "Tell Aristagoras to shave your head."
The message, urging rebellion against Persian rule, was literally hidden beneath the surface. The Persians, accustomed to intercepting conventional messages, never suspected that the messenger himself carried the intelligence. This triggered the Ionian Revolt, a pivotal moment in Greek-Persian relations.
The key principle: The communication channel itself appeared completely innocuous. The slave was just... a travelling slave. No suspicious scrolls, no coded letters, nothing to intercept.
By John Steeple Davis - The story of the greatest nations, from the dawn of history to the twentieth century (published in 1900), Public Domain, Link
Histiaeus's technique exemplifies steganography - the practice of concealing messages within non-secret media. Unlike cryptography, which makes messages unreadable, steganography hides the very existence of communication.
During the Revolutionary War, the Continental Army used invisible inks extensively. The most sophisticated was "Agent 711's" (aka George Washington) stain, developed by physician and spymaster James Jay. Written with a chemical reagent and revealed only with a specific counteragent, these messages appeared as blank pages - perfect for sending through British checkpoints.
In World War II, invisible inks evolved further. The British used everything from lemon juice (heat-activated) to sophisticated chemical compounds and yes, human (I presume!) semen... The Germans developed microdots - photographs reduced to the size of a printed period that could be hidden in plain correspondence. The British even smuggled maps into POW camps to aid escape in everything from playing cards, buttons (which were also often magnetised for use in compasses) and even Red Cross chocolate wrappers.
Cold War espionage perfected the "dead drop" - a location where materials can be left by one party and retrieved by another without direct contact. A loose brick in a wall, a hollowed-out coin, a fake rock in a park - each concealed messages, film, or money.
The genius wasn't just the physical concealment, but the signaling system. A chalk mark on a mailbox, a specific flower pot position on a windowsill - these indicated that a dead drop was ready. To observers, these were meaningless details in the urban landscape.
There were even special devices like a spike that could be concealed under the soil until the message was retrieved (also great for wet conditions / open areas).
By The Central Intelligence Agency - “Dead” Drop Spike, Public Domain, https://commons.wikimedia.org/w/index.php?curid=29197364
sequenceDiagram
participant Agent as Field Agent
participant Location as Dead Drop Location
participant Signal as Public Signal Spot
participant Handler as Handler
Agent->>Location: Place material in dead drop
Agent->>Signal: Leave innocuous mark (chalk, flower pot)
Handler->>Signal: Checks for signal during routine
Handler->>Location: Retrieves material
Handler->>Signal: Leaves confirmation mark
Agent->>Signal: Confirms retrieval
Note over Agent,Handler: No direct contact between parties
From the Cold War through today, mysterious radio broadcasts have fascinated listeners worldwide. These "numbers stations" transmit strings of numbers, words, or tones - apparent gibberish to casual listeners.
But to the agent with the proper one-time pad? These are instructions, intelligence updates, or mission-critical data. The broadcasts are:
The broadcast itself hides in plain sight among thousands of radio transmissions, distinguishable only to those who know to listen.
Modern computing has revolutionized steganography. Information can be hidden in:
Digital images store color values for millions of pixels. By subtly modifying the least significant bits of pixel values, you can embed data without visible changes to the image.
For example, in a 24-bit color image, changing the last bit of RGB values creates imperceptible color shifts but can store significant data:
Original pixel: RGB(11010110, 10110101, 01011010)
Modified pixel: RGB(11010111, 10110100, 01011011)
↑changed ↑changed ↑changed
To the eye, these pixels are identical. To someone with the extraction algorithm, it's a hidden message.
Here's an example (not GREAT but from here )
which has:
Hidden in it...kinda...sorta. Extra compression makes it useless.
In reality this image would be an encrypted message / other encrypted data up to about 10% of the image's size (modern neural techniques can even get 50% or more without it being detectable).
The ability to hide messages in seemingly normal text. Techniques include:
Hiding data in network traffic patterns:
This brings us to a contemporary problem that required all the lessons of historical steganography: How do you provide secure, private communication to someone whose digital life is being monitored by someone physically present in their home?
During COVID-19 lockdowns, this wasn't a theoretical problem. For victims of domestic abuse, being confined with their abuser while simultaneously losing access to external support networks created a dangerous situation. Traditional "secure" communication methods had fatal flaws:
Even if the victim could communicate, any record of that communication - even the knowledge that communication occurred - could trigger violence.
What was needed was something that would leave absolutely no trace that anything unusual had happened, even to someone actively monitoring the computer (even if they then visited the same url).
The solution I developed drew on every principle of historical steganography, adapted for the web era. Here's how it might have worked.
NOTE: This isn't the greatest stealth-support app in the world, this is just a tribute.
The real one was built for a very real few charities and is still there for any similar situations, however it's been MASSIVELY modified and works in an even sneakier way I came up with; for that one even screen snapshotting won't detect it (using a form of temporal steganography...you can have a guess what that means 😜 ).
The core was a tiny JavaScript file with an innocuous name like compatibility-shim1.js or polyfill-helpers.js. Organizations would add it to their website alongside their legitimate scripts:
<script src="https://cdn.example.org/compatibility-shim1.js"></script>
To anyone inspecting the page source, this looked like one of dozens of helper libraries modern websites include. The file itself was:
The script monitored for a specific URL query parameter - something like ?ref=newsletter_2021_march. This looked completely innocuous:
// Heavily simplified example - actual implementation was obfuscated and encrypted
const params = new URLSearchParams(window.location.search);
if (params.has('ref') && params.get('ref').match(/newsletter_\d{4}_[a-z]+/)) {
// Trigger secure chat initialization
}
When triggered, a chat window would appear - looking identical to the standard support chat many websites have. But it would prompt for a "verification code" or "service reference number." (again and I won't keep repeating it but NOT ACTUALLY it was and is a LOT sneakier than this)
This is where the elegance emerged:
With the correct codeword (sent via a separate, innocuous channel - perhaps a phone call mentioning "reference number 7B2X" for scheduling):
Without the codeword or from wrong URL:
The actual secure chat traffic was disguised:
sequenceDiagram
participant User as User Browser
participant Site as Organization Website
participant CDN as CDN (Shim Script)
participant Secure as Secure Chat Backend
participant Real as Real Support System
User->>Site: Visit with ?ref=newsletter_2021_march
Site->>CDN: Load compatibility-shim1.js
CDN->>User: Script with hidden trigger
User->>User: Script detects parameter
User->>User: Chat window appears
alt Correct codeword entered
User->>Secure: Authenticate with codeword
Secure->>User: Establish encrypted channel
Note over User,Secure: Secure communication session
else Wrong codeword or no codeword
User->>Real: Forward to real support
Real->>User: "Please describe your issue"
Note over User,Real: Appears as normal support contact
end
After the session:
If someone checked the computer afterward:
This system implemented several key security principles:
Like numbers stations, the system was designed so that:
Following Cold War dead drop principles:
Like Histiaeus's traveling slave, the system had genuine utility:
If something went wrong:
The actual implementation involved several clever techniques:
The secure chat code wasn't visible in the script source. Instead:
// Simplified example of the pattern
const encryptedPayload = "U2FsdGVkX1+xYz... [encrypted data]";
const decryptionKey = deriveKeyFromContext(window.location, document.referrer);
if (validTriggerDetected()) {
const chatModule = decryptPayload(encryptedPayload, decryptionKey);
chatModule.initialize();
}
The decryption key was derived from environmental factors, meaning:
To prevent timing analysis that might reveal when the special code path executed:
// Simplified example
async function processInput(userInput) {
// Always perform both operations
const secureResult = await checkSecureAuth(userInput);
const normalResult = await checkNormalAuth(userInput);
// Add random delay to normalize timing
await randomDelay(100, 300);
// Return appropriate result
return secureResult.valid ? secureResult : normalResult;
}
Both code paths executed, making timing analysis useless.
The codeword wasn't transmitted directly. Instead:
// Hash the codeword with environmental factors
const authToken = await hashWithContext(
userInput,
window.navigator.userAgent,
currentTimestamp,
siteIdentifier
);
This meant:
This system was deployed for a support organization during COVID-19 lockdowns. The technical requirements were absolute:
The system handled hundreds of secure sessions (and a very advanced version still does). For some users, it was literally a lifeline - enabling them to coordinate safety plans, access resources, and maintain contact with support services without alerting their abuser.
The principles that made Histiaeus's tattooed messenger effective in 500 BCE applied directly:
Similarly, Cold War dead drops informed the design:
This technology exists in an ethically complex space. The same techniques enabling safety for abuse victims could facilitate:
This is the eternal dilemma of dual-use technology. The techniques described here are not inherently good or evil - they are tools. Histiaeus used steganography to foment rebellion. Allied spies used invisible ink to defeat fascism. The technology is neutral; the application determines morality.
For this project, the ethical calculus was clear:
But anyone building similar systems must grapple with these questions seriously.
How would you detect such a system if you suspected it existed?
However, detection faces severe challenges:
The defender's advantage in steganography remains: proving communication occurred requires proving the encoding system exists, which requires either inside knowledge or exhaustive analysis.
The techniques explored here have broader applications:
In countries with heavy internet censorship, similar approaches enable:
Organizations might use comparable techniques for:
General applications include:
As surveillance capabilities grow, so will the sophistication of hiding techniques:
Machine learning could generate perfectly realistic decoy traffic:
Decentralized systems could provide:
Quantum computing and communications offer new possibilities:
For developers considering building similar systems, critical considerations include:
// Never store sensitive data in localStorage
// Use sessionStorage with expiry, or pure memory
class SecureSession {
constructor() {
this.data = new Map(); // Memory only
this.expiry = Date.now() + (30 * 60 * 1000); // 30 min
// Clear on page unload
window.addEventListener('beforeunload', () => this.destroy());
// Auto-expire
setTimeout(() => this.destroy(), 30 * 60 * 1000);
}
destroy() {
this.data.clear();
// Overwrite memory (best effort)
this.data = null;
}
}
Steganographic systems must not degrade performance noticeably, both for adoption (these are big companies, screw up their site at your peril) and security. You don't want some JS dev noticing oddness.
// Lazy loading of secure components
async function initializeSecureChat() {
// Only load if triggered
if (!shouldInitialize()) return;
// Dynamic import to keep main bundle small
const { SecureChat } = await import('./secure-chat.encrypted.js');
// Initialize asynchronously
requestIdleCallback(() => {
new SecureChat().initialize();
});
}
Hidden systems require careful documentation (stored securely, separately). Transmission of the 'keys' has to be done very carefully - and like data, not stored with the 'codeword'. I won't go into the mechanisms of how that's done but again it's hidden in plain sight.
## Secure Chat System - Operator Manual
### Activation
- URL pattern: `?ref=newsletter_YYYY_month`
- Current codewords: See separate secure document
- Rotation schedule: Monthly
### Incident Response
- If system discovered: Immediate codeword rotation
- If user identity compromised: Emergency protocol Alpha
- If backend compromised: Failover to backup, investigate
### Audit Trail
- Log only: Connection timestamp, session duration
- Never log: User identity, message content, codewords
From Histiaeus's tattooed messenger to JavaScript shims on modern websites, the fundamental challenge remains unchanged: how to communicate secretly when under observation.
The techniques evolve - tattoos become microdots become steganographic images become hidden JavaScript payloads - but the principles persist:
The project described here represents a practical application of 2,500 years of steganographic evolution. It used cutting-edge web technology to implement ancient principles for a critical modern need.
As developers, we wield powerful tools. We can build systems that protect privacy, enable safety, and preserve human dignity even in hostile environments. But we must also recognize the dual nature of these capabilities and deploy them thoughtfully, ethically, and responsibly.
The next time you see an innocuous-looking script on a website or a seemingly meaningless URL parameter, remember: sometimes the most important systems are the ones you never notice at all.
This post describes the concepts and principles behind the system, but this is NOT the actual implementation used in production.
The real system deployed for safety-critical use had significantly more sophisticated security measures:
The code examples in this post are simplified illustrations of the concepts and do not share any code with the production system. They demonstrate the principles of steganographic communication but lack the hardening, redundancy, and defense-in-depth approaches necessary for protecting vulnerable individuals.
This was done with the full knowledge of the technical team at the charity I built this for (I own the IP, the charity got this for free). They agree that the CONCEPT is useful to share for similarly purposed systems.
If you're building a similar system for safety-critical applications:
The upcoming demo app in the next post will show a proof-of-concept implementation for educational purposes only. It demonstrates the core ideas but should not be used for protecting real people in dangerous situations without significant additional security engineering.
Note: Organizations requiring similar safety-focused systems should consult with security professionals and ensure compliance with relevant laws and regulations. The techniques discussed here have educational value but require substantial additional work for production deployment in high-stakes environments.
© 2025 Scott Galloway — Unlicense — All content and source code on this site is free to use, copy, modify, and sell.