Also want to talk about the blind watermark on some Chinese social medias, to track user across different platforms.
It's extremely dangerous when someone post those screenshots with their identity to something like twitter, since twitter is blocked in China, and the police can catch and charge you if they can proof you have the account on those platforms.
The best way to defeat that is turning screenshots into pure white and black, works with text, not work with pics.
... And it's too late, I'm on the bed. I'll keep talking this tomorrow (if I can remember).
I talked about this with my friends. This is not the first time that a blind watermark has been used to track the flow of info. They usually are used in enterprise situations, where you want to know who takes a screenshot of the internal IM app and sent on the internet, and I think this is acceptable.
However, tracking regular users is kind of crossing the line. After 30 minutes of diving into the steganography and blind watermark, I think most apps use the blind watermark when dealing with screenshots.
Steganography like LSB or jstep, or even 2D Fourier transform, is not practice. Thinking about LSB or jstep. I post a photo on qoto. No matter your client, it's a small picture on your device. You take a screenshot of what I said with that pic. With this significant scaling, I think most info is lost. With 2D Fourier transform (add high-frequency info to the pic), it would be hard for an app to do this, since they cannot change how Android or iOS render the button, etc. However, I think a modified ROM or hardware can output something secretly when taking screenshots or photos. A simple solution is to encode the Google/Xiaomi/Huawei account id, or IMEI in the screenshot or the photo, and considering this is not a massive amount of information, it shouldn't cause too much interference to the pic. And since it's system/hardware level, it's hard to notice.
The more common way is the blind watermark, aka, an invisible layer with graphical info, like text, on top of the app. The invisible layer tends to use 0.5% transparency, so it can't be detected by the naked eye. However, if you apply a random color map, aka map each color to a random color, the similar, hard-to-detected color will be mapped to a different color, which is likely to be easily detected.
As far as I (and other people on the internet) know, only the watermark is used to track people in public, based on how many things can the target platform control (mostly App).
So, how can I know if my Windows/Android/some social media platform is tracking me or not?
I don't know. You don't know. Only they know. Since it's a blind watermark or steganography, by design, no one should notice and know the existence of the hidden info, unless they know the mechanism beforehand. The LSB, 2D Fourier transform, jstep methods are old and known by the public. However, it would be easy to develop their way, maybe from scratch, or based on advanced research and paper.
The best way to defeat is turning your screenshots into only white and black, aka binarize. By doing so, all info in the pic will be significantly decreased, while the text on the picture can still be read. This method doesn't work with pictures. Another way to defeat it is taking a photo of your screen, but it's not 100% time working. People have tools to remove hidden info in the picture, and they released their code on GitHub. However, I want to warn you that they are not 100% working. They can only handle the watermark/steganography they know. Just like virus scanning, they can only find the patterns they have already known. You must develop your own methodology to keep yourself safe, like no login if not required, using proxy/vpn/tor, using a virtual machine, describing what you see instead of sending a screenshot, etc.
Automated tools can't solve everything. That's why we need security researchers and people at EEF to keep watching on all possible threats.
(This is the end of the thread)
@skyblond
Card carrying member too! ;-D
@marathon0
Oh, I typed the wrong letter. It should be EFF.
A fun coincidence is that I donated EFF recently, and the day after that day, people started reporting a Chinese social media uses blind watermark to track users.