mising emanations .
We have shown in  how software can hide informa- tion in video screen content in a form that is invisible to the user but that can easily be reconstructed with modified TV receivers. More sophisticated ways of broadcasting in- formation covertly from PC software use spread spectrum techniques to embed information in the video signal or CPU bus activity.
It is possible to write a virus that searches a computer’s hard disk for crypto-key material or other secrets, and proceeds to radiate them covertly. The same techniques could also be used in software copyright protection: soft- ware could transmit its license serial number while in use, and software trade associations could send detector vans round business districts and other neighbourhoods where piracy is suspected – just like the ‘TV detector vans’ used in countries with a mandatory TV license fee. If multiple sig- nals are then received simultaneously with the same serial number but with spreading sequences at different phases, this proves that software purchased under a single license is being used concurrently on different computers, and can provide the evidence to obtain a search warrant.
IV. Limitations of some information hiding systems
A number of broad claims have been made about the ‘robustness’ of various digital watermarking or fingerprint- ing methods. Unfortunately the robustness criteria and the sample pictures used to demonstrate it vary from one system to the other, and recent attacks , , , ,  show that the robustness criteria used so far are often inadequate. JPEG compression, additive Gaus- sian noise, low pass filtering, rescaling, and cropping have been addressed in most of the literature but specific distor- tions such as rotation have often been ignored , . In some cases the watermark is simply said to be ‘robust against common signal processing algorithms and geomet- ric distortions when used on some standard images’. This motivated the introduction of a fair benchmark for digital image watermarking in .
Similarly, various steganographic systems have shown se- rious limitations .
Craver et al.  identify at least three kinds of at- tacks: robustness attacks which aim to diminish or remove the presence of a digital watermark, presentation attacks which modify the content such that the detector cannot find the watermark anymore (e.g., the Mosaic attack, see section IV-C) and the interpretation attacks whereby an attacker can devise a situation which prevents assertion of ownership. The separation between these groups is not always very clear though; for instance, StirMark (see sec- tion IV-B.1) both diminishes the watermark and distort the content to fool the detector.
As examples of these, we present in this section sev- eral attacks which reveal significant limitations of various marking systems. We will develop a general attack based on simple signal processing, plus specialised techniques for some particular schemes, and show that even if a copyright
marking system were robust against signal processing, bad engineering can provide other avenues of attacks.
A. Basic attack
Most simple spread spectrum based techniques and some simple image stego software are subject to some kind of jit- ter attack . Indeed, although spread spectrum signals are very robust to amplitude distortion and to noise addi- tion, they do not survive timing errors: synchronisation of the chip signal is very important and simple systems fail to recover this synchronisation properly. There are more sub- tle distortions that can be applied. For instance, in , Hamdy et al. present a way to increase or decrease the length of a musical performance without changing its pitch; this was developed to enable radio broadcasters to slightly adjust the playing time of a musical track. As such tools become widely available, attacks involving sound manipu- lation will become easy.
After evaluating some watermarking software, it became clear to us that although most schemes could survive basic manipulations – that is, manipulations that can be done easily with standard tools, such as rotation, shearing, re- sampling, resizing and lossy compression – they would not cope with combinations of them or with random geometric distortions. This motivated the design of StirMark .
StirMark is a generic tool for basic robustness testing of image watermarking algorithms and has been freely avail- able since November 1997.3 It applies a minor unnotice- able geometric distortion: the image is slightly stretched, sheared, shifted, bent and rotated by an unnoticeable ran- dom amount. A slight random low frequency deviation, which is greatest at the centre of the picture, is applied to each pixel. A higher frequency displacement of the form λ sin(ωxx) sin(ωyy) + n(x, y) – where n(x, y) is a random number – is also added. Finally a transfer function that introduces a small and smoothly distributed error into all sample values is applied. This emulates the small non- linear analogue/digital converter imperfections typically found in scanners and display devices. Resampling uses the approximating quadratic B-spline algorithm . An example of these distortions is given in figure 7.
StirMark can also perform a default series of tests which serve as a benchmark for image watermarking . Digi- tal watermarking remains a largely untested field and very few authors have published extensive tests on their systems (e.g., ). A benchmark is needed to highlight promising areas of research by showing which techniques work better than others.
One might try to increase the robustness of a watermark- ing system by trying to foresee the possible transforms used by pirates; one might then use techniques such as embed- ding multiple versions of the mark under suitable inverse