Hiding from eDiscovery in Plain Sight


QR (“quick response”) codes have been showing up a lot more in the last year. A QR code is a matrix barcode (or two-dimensional code) readable by dedicated QR scanners and by camera-equipped mobile phones, smartphones such as iPhones, and tablets such as iPads. The code consists of black modules arranged in a square pattern on a white background. The information encoded can be a text message, an SMS message, a URL, an email reply or several other types of data. The QR code in the top left corner of this blog is the QR code for the URL of the eDiscovery101.net blog site.

QR codes are increasingly gaining acceptance in United States business and end user mind share, though they have been popular in some Asian countries for many years.

So what do QR codes have to do with eDiscovery? A friend of mine was telling me about a new business he had started using QR codes in a very unique way, and it occurred to me to wonder if eDiscovery collection and review applications would be able to recognize data encoded into QR codes and, if not, how custodians could use QR codes to pass information they didn’t want to be found in an eDiscovery process. For example, could you email information to others without calling attention to yourself by using encryption, and without having the content indexed and flagged by eDiscovery applications?

The answer is absolutely…

Look at the following email example:

The QR code embedded in the email message is simply a link to the URL for this blog site. To connect to this site you would start up your free QR code scanner on your iPhone and it would automatically link you to the site. If the above email was part of the email corpus in an energy price manipulation case, would it be flagged for any suspicious activity?

But the main point is that when collecting and running millions of emails through eDiscovery software, QR codes, as far as I can tell, would not be readable and indexable by any known eDiscovery software.

Now take a look at the email message again:

If you were to scan the above QR code with your free QR code scanner, you would see the following:

As you can see, a great deal of text can be embedded in a QR code that is readable by a free QR scanner pointed at a printout or even your computer display.

Is the above example a reasonable way to pass information that you don’t want caught by eDiscovery processes? Not really… an easier way would be to call someone and give them the message verbally, but I wanted to point out that eDiscovery search and review applications are not 100% effective and custodians can beat them if they really try. eDiscovery vendors need to be constantly on the lookout for these new techniques of sending and receiving ESI.
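From the processing side, the gap described above is an image part whose content never reaches the text index. The following is an added example, not part of the original post or of any eDiscovery product: it walks a collected message, indexes the text parts, and lists every image part that produced no text so it can be routed to review. The `decode_image` hook is hypothetical, and the sample message and image bytes are constructed.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed placeholder bytes (PNG signature plus padding), not a real QR image.
SAMPLE_IMAGE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32

def build_sample() -> bytes:
    """Constructed message: short text body with one inline image part."""
    msg = EmailMessage()
    msg["From"] = "custodian@example.com"
    msg["To"] = "colleague@example.com"
    msg["Subject"] = "Check out this blog"
    msg.set_content("Scan this when you get a chance.")
    msg.add_attachment(SAMPLE_IMAGE, maintype="image", subtype="png",
                       filename="code.png", disposition="inline")
    return msg.as_bytes()

def process(raw: bytes, decode_image=None):
    """Return (indexable_text, exceptions) for one collected message.

    decode_image is a hypothetical hook: callable(bytes) -> str or None,
    wrapping whatever barcode/OCR engine the pipeline uses.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    texts, exceptions = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        maintype = part.get_content_maintype()
        if maintype == "text":
            texts.append(part.get_content().strip())
        elif maintype == "image":
            data = part.get_payload(decode=True)
            decoded = decode_image(data) if decode_image else None
            if decoded:
                texts.append(decoded)  # payload is now searchable
            else:
                # Nothing from this part reached the index: record it for review.
                exceptions.append({
                    "filename": part.get_filename(),
                    "content_type": part.get_content_type(),
                    "size": len(data),
                    "sha256": hashlib.sha256(data).hexdigest(),
                })
    return "\n".join(texts), exceptions

if __name__ == "__main__":
    print(process(build_sample()))
```

Without a decoder the message indexes as an ordinary short note, and the exception list is the only record that an unread image travelled with it.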


15 thoughts on “Hiding from eDiscovery in Plain Sight”

  1. Nice article, Bill, and quite revealing. I was aware of the use of QR codes (though you just taught me the name) to send URL information, but I was not aware of how they could be used to embed text messages or other information. Fascinating stuff. Thanks.

    • Thanks Dennis. It was surprising to me as well. In my research I discovered you could pack up to 4096 characters of text into a QR code… It would just need to be large so the resolution of the individual squares could be picked up by the scanner. Thanks again

  2. Interesting article. Are you aware of any vendors working on enhancing their e-discovery processing software to pick up this type of information?

  3. Bill, you bring up a very good topic in which data is right in front of our eyes and technology is fooled. Just when we think we have seen it all, technology advances and poses new challenges.

  4. Couldn’t the same thing be achieved by attaching the text as an image (e.g., JPG or GIF)? Do ediscovery tools bother to OCR the content of image attachments?

  5. I saw a news feature where QR codes are being tattooed on people. The code draws up a URL, and since you would own the webpage/domain, you are in total control of what gets displayed. Very innovative. And quite useful when you break up with Sheila and are now seeing Megan: just change the splash page of the website!

  6. Good stuff here. My only concern is that there are many different flavors of “QR codes”. I have to wonder if eDiscovery technology (or forensic investigative technology, for that matter) can ever hope to keep up with the ingenuity of exceptionally creative, exceptionally unethical individuals …

  7. As pointed out elsewhere, practically speaking, QR codes can contain a limited amount of text data and still produce a standard size graphic. Putting more text in then results in a significantly large image, which would then possibly stand out and also would be harder to read with a QR reader. QR codes are better suited for URLs, contact data as used in vCards, etc. Another current issue with generating QR codes is that there are limited stand-alone applications out there for generating the codes and most users are required to generate the codes using public websites.

    In terms of concealing data in images, steganographic capability – hiding data in computer graphic files – predates QR codes by many years. For those intent on being covert, it offers a few advantages over QR codes. Much more text can be contained in a jpeg or gif file because the resolution or format of the image are critical, as it is with QR codes. With a QR code the layout of the blocks within the image is the code itself and therefore resolution and distortion are important qualities. With steganographic concealment the data is hidden within the digital file and not the graphic representation. But more challenging for eDiscovery purposes, it is easier to hide the jpeg or gif or png image as an attachment in plain sight, because it will likely not arouse suspicion in the same way that QR codes will once such codes become more prevalent.

    To the unknowing eye, the steganographic file embedded in a holiday photo or a product photo would not raise an alarm. Moreover, that graphic might require specific software to decode the hidden data. QR codes, on the other hand, are designed by specification to be read by a wide variety of QR reader software.
