We are very close to being able to have communication that is practically undetectable even by an aggressive censor like the CCP. Here's the basis of my claim: in order to be uncensorable, it's not only required that the data can't be readable (that's trivially achieved with end to end encryption), but also, the channel used to convey the messages needs to be 100% not suspicious. This is what we call steganography, and it's not only as hard as it seems, it's even harder. For example, you can embed data easily into low order bits of an image, but that doesn't successfully pass the "innocent" test. The pattern embedded in the binary file is statistically detectable with (not even very advanced) mathematics, so the censor will catch you. So you find yourself having to solve a strange problem: how to "mix" your secret message with some "innocent" message (called in the literature "cover text") in such a way that the innocent message is not suspicious. People have tried things like: embedding data in whitespace in text; this is obviously not good enough, though it's an amusing idea. Recently I started mulling over whether LLMs might be *the* solution to this problem, because an LLM's state evolution is governed by random choice, so if you embedded your data into that random stream, the output could be plausible innocent text while the hidden message was encoded in the randomness. (If you already see problems with that idea, well done, we'll get to it...)>
It turns out I am not even slightly original: Meteor

IACR Cryptology ePrint Archive
Meteor: Cryptographically Secure Steganography for Realistic Distributions
Despite a long history of research and wide-spread applications to censorship resistant systems, practical steganographic systems capable of embedd...
already had this idea in 2021 before LLMs had taken off, and moreover it tweaks the basic idea in the specific way needed to make it work. I won't bother expanding on the details rn. But I'll point out the limitations: for a receiver of the hidden message to actually receive it, they have to use exactly the same LLM, in exactly the same state, as the sender did (because it extracts the message from the random choices of token, which are stateful; the next token depends on the previous ones).
The upshot of this: if we had a scenario where a "decent" LLM could be loaded by users on both sides, and the sender generating output from that model is plausible innocent text (true for a decent model, not true for a really crappy small model), then you have a properly undetectable communication channel that no censor, even a suspicious one, would be able to see. But it'd be very stateful: Alice and Bob would need to set it up in advance with a key exchange. The idea of the model being *public* (which the paper discusses), could *kind of* work, again, if the model is very good. The bandwidth would still be fairly low (but much higher than bits in jpegs!). Not really clear, but we're a way off from this, but it could come in future. Plausible but difficult for communication that is extremely dangerous.
Notice again the pattern of how access to compute could be crucial for freedom.