StegoStylo: Squelching Stylometric Scrutiny through Steganographic Stitching
Pith reviewed 2026-05-16 15:19 UTC · model grok-4.3
The pith
Steganographic coverage of 33 percent or higher defeats stylometric authorship identification.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
Through enhancements to the TraceTarnish adversarial attack and fine-tuned steganographic embedding of zero-width Unicode characters, the paper shows that steganographic coverage of 33% or higher ensures authorship obfuscation by masking stylistic fingerprints.
What carries the argument
Steganographic stitching via zero-width Unicode characters, which invisibly alters word sequences to disrupt stylometric feature extraction without changing visible text.
If this is right
- Stylometric attribution and verification become unreliable once 33% or more of words receive steganographic treatment.
- Adversarial stylometry gains measurable strength when paired with this form of steganographic modification.
- Quantifiable coverage thresholds can guide practical deployment of authorship-hiding tools.
- Defensive methods are required to counter stylometry's use in privacy-invasive applications such as profiling.
Where Pith is reading between the lines
- Wider testing across additional stylometric models and text domains could reveal whether the 33% threshold holds more generally.
- Detection methods trained specifically on zero-width character patterns might serve as a countermeasure.
- The technique could be layered with other text transformations to raise the modification cost for attackers.
Load-bearing premise
The stylometric systems evaluated are representative of real-world attackers and the steganographic modifications do not create new detectable artifacts exploitable by future systems.
What would settle it
A stylometric system that maintains high attribution accuracy on texts modified with 33% or greater zero-width character coverage would falsify the claim.
Original abstract
Stylometry--the identification of an author through analysis of a text's style (i.e., authorship attribution)--serves many constructive purposes: it supports copyright and plagiarism investigations, aids detection of harmful content, offers exploratory cues for certain medical conditions (e.g., early signs of dementia or depression), provides historical context for literary works, and helps uncover misinformation and disinformation. In contrast, when stylometry is employed as a tool for authorship verification--confirming whether a text truly originates from a claimed author--it can also be weaponized for malicious purposes. Techniques such as de-anonymization, re-identification, tracking, profiling, and downstream effects like censorship illustrate the privacy threats that stylometric analysis can enable. Building on these concerns, this paper further explores how adversarial stylometry combined with steganography can counteract stylometric analysis. We first present enhancements to our adversarial attack, $\textit{TraceTarnish}$, providing stronger evidence of its capacity to confound stylometric systems and reduce their attribution and verification accuracy. Next, we examine how steganographic embedding can be fine-tuned to mask an author's stylistic fingerprint, quantifying the level of authorship obfuscation achievable as a function of the proportion of words altered with zero-width Unicode characters. Based on our findings, steganographic coverage of 33% or higher seemingly ensures authorship obfuscation. Finally, we reflect on the ways stylometry can be used to undermine privacy and argue for the necessity of defensive tools like $\textit{TraceTarnish}$.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper presents StegoStylo, which augments the TraceTarnish adversarial stylometry attack by embedding zero-width Unicode characters (e.g., U+200B) into selected words. It reports that steganographic coverage of 33% or higher reduces stylometric attribution and verification accuracy to levels that constitute effective authorship obfuscation. The work also discusses privacy risks of stylometry and calls for defensive tools.
Significance. If the 33% threshold proves robust, the technique would supply a lightweight, practical countermeasure against stylometric de-anonymization, extending prior adversarial stylometry work. The combination of adversarial perturbation with steganography is a natural direction, yet the current evaluation leaves the result's real-world applicability open because it does not address detectors that can simply scan for the inserted markers.
major comments (2)
- [Experimental results / 33% threshold claim] The experimental results (implicitly referenced in the abstract and the section describing the 33% threshold) evaluate only unmodified stylometric classifiers. No trials are reported against systems that first detect or strip zero-width Unicode characters, which is a trivial and effective countermeasure. This gap directly affects the central claim that 33% coverage 'ensures' obfuscation, because an aware adversary can neutralize the steganographic signal before stylometric analysis.
- [Abstract and results] The abstract states that 'steganographic coverage of 33% or higher seemingly ensures authorship obfuscation' without supplying the underlying dataset sizes, number of authors, baseline accuracies, or statistical tests. Because the threshold appears to be an empirical observation rather than a derived bound, the lack of these details makes it impossible to judge whether the result is robust or post-hoc.
minor comments (2)
- [Experimental setup] The paper should explicitly list the stylometric tools, feature sets, and corpora used in the TraceTarnish and StegoStylo experiments so that the 33% figure can be reproduced or challenged.
- [Throughout] Notation for the steganographic coverage metric (proportion of words altered) should be defined once and used consistently; the abstract and later sections appear to switch between 'coverage' and 'proportion of words altered' without a formal definition.
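The countermeasure raised in the first major comment, scanning for and stripping zero-width characters before any stylometric analysis, can be sketched as follows. This is an added example, not code from the paper or from TraceTarnish; the list of code points beyond U+200B, the sample sentences and the word-frequency stand-in for a stylometric feature are assumptions made for illustration.

```python
import re
from collections import Counter

# Invisible code points to look for. U+200B is the one the report names; the
# others are an assumption of this example, not a list taken from the paper.
ZERO_WIDTH = "\u200b\u200c\u200d\u2060\ufeff"
_ZW_RE = re.compile(f"[{ZERO_WIDTH}]")

# Constructed sample: 3 of 9 words carry a U+200B, i.e. coverage of one third.
CLEAN = "the quick brown fox jumps over the lazy dog"
STEGO = "the qu\u200bick brown fox ju\u200bmps over the la\u200bzy dog"


def strip_zero_width(text):
    """Remove the listed code points. ZWJ/ZWNJ are legitimate in some scripts
    and in emoji sequences, so apply this to a copy used for analysis only."""
    return _ZW_RE.sub("", text)


def scan(text):
    """Return (coverage, findings) for whitespace-delimited words.

    coverage is the share of visible words containing a listed code point;
    findings holds (word_index, visible_word, [code points]) per hit.
    """
    findings, visible = [], 0
    for idx, token in enumerate(text.split()):
        word = strip_zero_width(token)
        hits = [f"U+{ord(c):04X}" for c in token if c in ZERO_WIDTH]
        if word:                      # tokens made only of markers are not words
            visible += 1
        if hits:
            findings.append((idx, word, hits))
    flagged = sum(1 for _, word, _ in findings if word)
    return (flagged / visible if visible else 0.0), findings


def word_counts(text):
    """Toy stand-in for a stylometric feature: lowercase word frequencies."""
    return Counter(text.lower().split())


if __name__ == "__main__":
    coverage, findings = scan(STEGO)
    print(f"coverage: {coverage:.0%}")
    for idx, word, hits in findings:
        print(f"  word {idx} ({word!r}): {', '.join(hits)}")
    print("match before strip:", word_counts(STEGO) == word_counts(CLEAN))
    print("match after strip: ", word_counts(strip_zero_width(STEGO)) == word_counts(CLEAN))
```

On the constructed sample the word-frequency features differ from the clean text until the markers are stripped, after which they are identical; the scan also yields the coverage figure directly, so the modification itself is a detectable artifact.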
Simulated Author's Rebuttal
We thank the referee for the constructive comments, which highlight important considerations for the robustness and clarity of our evaluation. We address each major comment below and describe the planned revisions.
Referee: [Experimental results / 33% threshold claim] The experimental results (implicitly referenced in the abstract and the section describing the 33% threshold) evaluate only unmodified stylometric classifiers. No trials are reported against systems that first detect or strip zero-width Unicode characters, which is a trivial and effective countermeasure. This gap directly affects the central claim that 33% coverage 'ensures' obfuscation, because an aware adversary can neutralize the steganographic signal before stylometric analysis.
Authors: We agree that the absence of experiments against zero-width character detectors represents a limitation in assessing real-world applicability. Our evaluation targeted standard stylometric pipelines without preprocessing for such markers, as these reflect the typical threat model for stylometric de-anonymization. In the revised manuscript we will add a dedicated subsection on countermeasures, including detection and stripping of zero-width characters, and report new experimental results quantifying the residual obfuscation effect (if any) after stripping. We will also revise the abstract and results sections to qualify the 33% threshold as applying to unmodified classifiers. revision: yes
Referee: [Abstract and results] The abstract states that 'steganographic coverage of 33% or higher seemingly ensures authorship obfuscation' without supplying the underlying dataset sizes, number of authors, baseline accuracies, or statistical tests. Because the threshold appears to be an empirical observation rather than a derived bound, the lack of these details makes it impossible to judge whether the result is robust or post-hoc.
Authors: The full manuscript reports the experimental configuration (dataset sizes, author counts, baseline accuracies, and statistical tests) in the results section; the abstract employs 'seemingly' precisely to signal that the threshold is an empirical observation. To address the concern, we will revise the abstract to include concise quantitative anchors (e.g., number of authors and baseline accuracy ranges) while preserving brevity, and we will explicitly label the 33% figure as an empirical finding rather than a theoretical guarantee in both the abstract and the results discussion. revision: yes
Circularity Check
Minor self-citation to prior TraceTarnish work; central claim remains empirical
specific steps
- other [Abstract]
"We first present enhancements to our adversarial attack, TraceTarnish, providing stronger evidence of its capacity to confound stylometric systems and reduce their attribution and verification accuracy. Next, we examine how steganographic embedding can be fine-tuned to mask an author's stylistic fingerprint, quantifying the level of authorship obfuscation achievable as a function of the proportion of words altered with zero-width Unicode characters. Based on our findings, steganographic coverage of 33% or higher seemingly ensures authorship obfuscation."
This is a minor self-citation to the authors' own prior attack method. The central 33% threshold claim is presented as a new experimental outcome rather than being forced by or equivalent to the cited prior work, so the self-reference does not create circularity in the reported findings.
full rationale
The paper's core result is an empirical observation that steganographic coverage of 33% or higher reduces stylometric accuracy, derived from experiments on word alterations using zero-width Unicode characters. No equations, fitted parameters, or derivations are presented that reduce the threshold to inputs by construction. The sole self-reference is to the authors' prior TraceTarnish attack as the base being enhanced; this citation supports the method description but does not bear the load of the new quantitative finding or create a self-referential loop. The evaluation limitations noted by the skeptic (e.g., lack of testing against Unicode-aware detectors) represent a potential robustness gap but do not constitute circularity in the derivation chain.
Axiom & Free-Parameter Ledger
free parameters (1)
- 33% steganographic coverage threshold
axioms (1)
- domain assumption: Stylometric classifiers depend on surface-level stylistic features that can be masked by zero-width character insertions without creating detectable artifacts.
Forward citations
Cited by 1 Pith paper
- Hijacking Text Heritage: Hiding the Human Signature through Homoglyphic Substitution
Homoglyph substitution on text degrades stylometric systems to hide author signatures and personal information.