Helping Fernando Vera coordinate drug deals over Twitter

1. Note up front: As I don't have a blog or website, I wanted to post this to HN directly. However, it ended up having too many characters, so I had to move to pastebin.
2.  
3. In Mr. Robot season 1 Fernando Vera, one of Elliot's antagonists and a ruthless gang leader, has come up with a rather unconvential way of sharing information about future arms or drug deals with all involved parties: Twitter posts. The code is pretty simple: Replacing words such as "guns" with others, like "biscuits". As such, it takes our protagonist "half a brain cell" to decode it and report him to the police.
4. Now, whether or not sharing this information via Twitter might be a good idea shall not be scope of this post, but I was nevertheless curious if Vera could create a "Twitter code" that is both hidden and secure.
5.  
6. Encoding secret messages in text has been subject of research for thousands of years, however, the more difficult problem is its steganography aspect. In my view, the idea of mapping keywords is as weak as it is complicated to use (if you want to write coherent posts), so let's step back and look at the bigger picture.
7. We have 280 characters to transmit some data, the main requirement being that nobody should notice that we're doing so. If we see it that way, we can define the data as already encrypted (eg. AES, just note that we are size-limited). Through this, we trivially got rid of the "secure" part of the problem.
8.  
9. Now, what we are left with is encoding binary data in a 280 character string, which should look like any Twitter post. For this, let's turn to the part of UTF, that is often overlooked: zero-width characters!
10. I found the following four UTF-16 characters to work very well, because on all browsers I tested, they are not changing the rendering of latin text in any way:
11. Z​ero Width Whitespace (0x200B)
12. Zero Width Non-Join‌er (0x200C)
13. Z‍ero Width Joiner (0x200D)
14. Word Joi⁠ner (0x2060)
15. (Each of these names has the corresponding character hidden in between visible characters. As you can see, they are completely unnoticable.)
16.  
17. We have four different characters, thus we can represent - you guessed it - quaternary data!
18. Let's define:
19. 0 : 0x200B
20. 1 : 0x200C
21. 2 : 0x200D
22. 3 : 0x2060
23.  
24. Because Twitter counts UTF-16 characters as 1 character out of 280, we could theoretically pack 280 digits in one post, but as starting and trailing white spaces are trimmed, we need at least two visible characters.
25. This leaves us with a maximum of 278 quaternary digits. Each digit encodes two bits, so we could transmit at maximum 278*2 = 556 bits, thus 69 bytes (floored). Due to the steganography requirement, the actual size varies by visible message length so in reality, the ciphertext would be smaller.
26. Nevertheless, a message like "Out in the streets with my homies", which a guy like Vera could definitely post without raising suspicion, could still transmit roughly 500 bits or 61 bytes, which is more than enough to share simple information.
27. For example, a 32-bit UNIX-timestamp and two 64-bit doubles for longitude and latitude respectively, which would total to only 160 of those 500 bits, are already all it needs to set up a secret meeting. If you encrypt them properly, you would thus have a secure code which would likely elude even Mr. Robot's eyes.
28.  
29. Finally, let's go through a full example.
30. Say, we want to encode the world famous "Hello world!"
31. In UTF-8, this would be:
32. 01001000 01100101 01101100 01101100 01101111 00100000 01110111 01101111 01110010 01101100 01100100 00100001
33. Converted to quaternary (two adjacent bits = one quaternary digit):
34. 1020 1211 1230 1230 1233 0200 1313 1233 1302 1230 1210 0201
35. For the visible message, let's take the example from above:
36. Out in the streets with my homies
37. Lastly, convert the quaternary digits to their respective zero-width representation and inject them into the message. Whether to distribute the digits over the visible string or put them all in one spot is up to the sender, the only caveat is to not put anything at the start or end of the string, as Twitter will strip it upon posting. I'll let the curious reader find out, which option I chose.
38. The final message string: Out in the streets with m‌​‍​‌‍‌‌‌‍⁠​‌‍⁠​‌‍⁠⁠​‍​​‌⁠‌⁠‌‍⁠⁠‌⁠​‍‌‍⁠​‌‍‌​​‍​‌y homies
39.  
40. As a proof of concept, here is a Twitter post with the message and you can check that no data has been lost:
41. https://twitter.com/dummy0000000001/status/1375424940359495682
42.  
43. Now, all steganography relies on the premise, that nobody inspects your data in too much detail, because eventually they would realize something's off. The zero-width approach is no exception to this. People could, by chance or maybe through a browser add-on, notice the zero width characters and decode the data (if it is encrypted, they will have a hard time reverse engineering which zero-width character represents which digit. They would need to consider all 2^4=16 possibilites before even starting to crack the encryption cipher ...). However, I strongly believe that the average Twitter reader has a very low chance of ever noting even the existence of a hidden message.
44.  
45. In conclusion, if Fernando Vera (or rather, his brother Isaac, who actually came up with this "Twitter code" strategy) had gone a bit further, Elliot would have had a much harder time decoding his posts and Vera might no have ended up getting arrested. Whether or not this would have had a net positive impact on our protagonist is left to speculation ...