
Zero-Width Characters: Invisibly fingerprinting text - based2
https://www.zachaysan.com/writing/2017-12-30-zero-width-characters
======
bsamuels
This is a pretty common method of watermarking sensitive content in EVE Online
alliances, however we've found it suffers from some serious drawbacks.

Zero-Width characters tend to cause lots of issues when they are copied and
pasted, which may alert a poorly equipped adversary that they're handling
watermarked content. In addition, entities that are aware that you're
watermarking text content in this way can just take screenshots of the text,
transcribe it, or strip it of all non-ASCII characters.

The best solution I've seen is something I like to call "content
transposition". The idea is that you take a paragraph of content and run it
through a program that will reorder parts of content and inject/manipulate
indefinite articles in order to create your watermark, while keeping the
content grammatically correct. That way even if an adversary is fully aware
that you're watermarking text content, they need two copies of the watermarked
text in order to identify and strip your watermark.
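To make that concrete, here's a rough sketch of such a transposition tool
(the template format and the choice points are invented for illustration, not
how any real alliance tool works):

```javascript
// Hypothetical template: {N} marks a spot where two phrasings are equally
// grammatical, so each spot can carry one bit of the recipient's ID.
function watermark(template, choices, recipientId) {
  let bit = 0;
  return template.replace(/\{(\d+)\}/g, (_, idx) => {
    const variant = (recipientId >> bit++) & 1; // next bit of the ID
    return choices[Number(idx)][variant];
  });
}

const template = "Form up at {0} and wait for {1}.";
const choices = [["the staging system", "staging"], ["the FC", "your FC"]];
console.log(watermark(template, choices, 2));
// "Form up at the staging system and wait for your FC."
```

Given a leaked copy, matching each choice point back against the two variants
recovers the recipient's ID.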

~~~
reichardt
What kind of content would be distributed that way? Something like battle
plans sent to individual members? Couldn't they just pass along the important
information without copying the sensitive message word for word?

~~~
bsamuels
There are two kinds of text-based data that counter-intelligence ops try to
protect: forum posts and 'fleet pings'.

For forum posts, an adversary can do exactly what you say - just take the
meaning of the forum post and write a cable on it.

Fleet pings are how massive fleets are formed in EVE. Basically they are a
@here ping on Discord, or a server announcement on XMPP or IRC. Fleet pings
are important because if you know when your enemy is pinging for fleets, you
know when and where to find their fleets to fight them.

For that reason, the value of fleet pings is very time sensitive, and they
cannot usefully be transcribed by a spy in real time. Usually orgs will set up
a "ping relay" channel for their top fleet commanders, with a bot that relays pings from enemy
alliances. This is a very common interception point for obtaining watermarked
pings and burning spies.

------
tacon
Back in the Usenet days, around the late '80s, I had read somewhere/somehow a
few years before about how classified information would be printed with tiny
differences in spacing to track leaks to foreign adversaries. In some
newsgroup, I happened to mention I had read about this technique, which while
obvious once you think of it was apparently not well known. Certainly by that
time, it was very well known to the KGB.

Months after my public comment, I got a phone call from an AT&T inventor who
was prosecuting a patent on the same technology. They were very interested
where I had read about the technique in the public literature. Alas, I could
not remember where I had read that little factoid so I wasn't much use to
them. It was disturbing to them that their patent claim was out in the open
literature somewhere, but they could not find it.

~~~
QAPereo
The general idea is called a Canary Trap, and IIRC it was popularized by Tom
Clancy. The most common form is to have some subtle variations in the content
or wording, which would give away the origin.

Edit: here we go
[https://en.m.wikipedia.org/wiki/Canary_trap](https://en.m.wikipedia.org/wiki/Canary_trap)

The Canary Trap, aka The Barium Meal.

~~~
lojack
One of the alliances in EVE Online used to do this type of counter-
intelligence to assist in identifying spies releasing internal communications.
They’d also introduce invisible watermarks in any images they posted.

My understanding was their leadership had a tool to help them select a few
synonyms in anything they wrote, and a few synonyms was all it took to
identify the account releasing the communication.

~~~
abstractbeliefs
More than one. PL, Goons, Test, various Russian alliances, and some smaller
players all would. I really loved EVE's (counter)intelligence scene; it felt
like a great place to safely dabble in real tools and techniques like this.

------
jchw
Notably, some zero width characters tend to get removed, especially in systems
that try to remove excess whitespace. I made a very rudimentary PoC of
encoding data in zero width characters, but was hit by a few things:

- Some characters affect word wrap in unexpected ways, depending on the
script of the text.

- Some characters impact glyph rendering in minor ways. For example, the
ligature between f and l may be interrupted.

- Some characters are outright stripped. For example, Twitter strips U+FEFF.

- Zero width characters often trip up language detection systems. I noticed
that Twitter detected my English message as Italian with the presence of some
zero width characters.

So it's not necessarily as useful as it seems. If you pick specific characters
to strategically avoid these issues, it's hard to make the encoding very
efficient.

Still, it probably has its uses.
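For reference, a stripped-down version of that kind of PoC (assuming
U+200B/U+200C as the bit carriers, which, per the caveats above, still won't
survive every platform):

```javascript
const ZERO = "\u200B"; // zero width space
const ONE  = "\u200C"; // zero width non-joiner

// Hide a bit string as invisible characters after the first word.
function embed(text, bits) {
  const hidden = [...bits].map(b => (b === "1" ? ONE : ZERO)).join("");
  return text.replace(" ", " " + hidden); // tuck payload after first space
}

// Recover the bit string by filtering out everything visible.
function extract(text) {
  return [...text]
    .filter(c => c === ZERO || c === ONE)
    .map(c => (c === ONE ? "1" : "0"))
    .join("");
}

const marked = embed("hello world", "1011");
console.log(marked === "hello world"); // false, but visually identical
console.log(extract(marked)); // "1011"
```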

------
nemo1618
Related: we built a homoglyph linter for Go source code, to help detect
potentially malicious homoglyph substitution:
[https://github.com/NebulousLabs/glyphcheck](https://github.com/NebulousLabs/glyphcheck)

UTF-8 source code is nice for i18n, but it also opens the door to these kinds
of attacks.

~~~
robin_reala
That’s a good start, but unless I’m misreading it[1] the range of homoglyphs
it checks for is rather small. You might be better off importing the Unicode
Consortium’s list of ‘confusables’[2] if you’re planning automated linting.

[1]
[https://github.com/NebulousLabs/glyphcheck/blob/f6483dd9e97a...](https://github.com/NebulousLabs/glyphcheck/blob/f6483dd9e97a95ad6bdbd783a5f7c416690e8225/main.go#L100)

[2]
[http://www.unicode.org/Public/security/latest/confusables.tx...](http://www.unicode.org/Public/security/latest/confusables.txt)

------
pdkl95
I've thought about using whitespace and/or zero-width characters to embed a
cryptographic signature. The goal was a browser extension that could
sign the contents of an arbitrary <textarea> like an invisible "gpg
--clearsign". The signature rules would have to be relaxed to accommodate
common transformations servers do to user comments.

Ideally, this would allow people to cryptographically sign comments and
automatically verify comments that were signed by the same author, all without
changing existing server software or adding ugly "-----BEGIN PGP SIGNED
MESSAGE-----" banners.

~~~
suixo
This looks like an amazing idea; why didn't you proceed further? I would love
to see something like it that could help certify messages :)

~~~
Faaak
Amazing idea but very ugly per se. The thought of mixing "human semantics"
with a signature throughout a whole text sends shivers down my spine.

~~~
jandrese
It's pretty similar conceptually to how we sign email, except that the
signature would be invisible to humans.

Of course nobody ever said how we sign emails is beautiful.

------
jsnell
This isn't as new as the author thinks. Doesn't have to be new to be
interesting, of course :)

I know this was done at one large tech company around 2010 for an internal
announcement email. Different people got copies with slightly different
Unicode whitespace, despite the email having ostensibly gone directly to an
"all employees" alias.

The fingerprinting was noticed within half an hour or so. (Somebody pasted a
sentence into an internal IRC channel for discussion and, as tends to happen
with Unicode and IRC, it inevitably showed up garbled in exciting ways for
some people.)

------
vog
Very good problem description and nice list of countermeasures!

However, the following countermeasure made me wonder:

 _> Manually retype excerpts to avoid invisible characters and homoglyphs._

Isn't this something you can automate? Couldn't we create linters for plain
text (rather than code)? For example, depending on the language, reduce the
text to a certain set of characters. Every character not in this whitelist is
either replaced, or causes an error message the user (journalist) needs to
deal with (i.e. remove it, or replace it with an innocent alternative, perhaps
even proposing this replacement back to the linter project).

Of course, there are multiple ways of linting, which might become a
fingerprint on its own. But then, if there are only 3 or 4 such linter
styles actually in use (ideally, standardize on exactly one linting style),
you can only tell which linter the journalist used, without any information
about their source.
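A toy version of such a plain-text linter (the whitelist below is a
hypothetical English/German set; a real tool would need one per language):

```javascript
// Allow printable ASCII, newline, tab, and German umlauts; flag the rest.
const ALLOWED = /^[\x20-\x7E\n\täöüÄÖÜß]$/;

// Return every character outside the whitelist with its position and
// code point, so the journalist can decide how to handle it.
function lintText(text) {
  const problems = [];
  [...text].forEach((ch, i) => {
    if (!ALLOWED.test(ch)) {
      const cp = ch.codePointAt(0).toString(16).toUpperCase().padStart(4, "0");
      problems.push({ index: i, codePoint: "U+" + cp });
    }
  });
  return problems;
}

console.log(lintText("We're\u200B not the same"));
// reports the zero-width space (U+200B) at index 5
```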

~~~
3pt14159
Hi, I'm the author.

I was kinda on the fence, but I was considering my target: Journalists. A
journalist may not notice simple differences like an extra space here or there
when reading, but probably wouldn't _retype_ a double space. I agree that this
should be automated in some way, but it's a bit of an arms race.

~~~
nine_k
What kind of arms do you envision for normalizing text down to Latin-1, or
even ASCII, while normalizing any whitespace to single space characters?

There is a known variant where every subscriber of a confidential text receives
a slightly different copy with the same meaning. But it's _much_ harder to
implement, and does not scale.

~~~
laumars
Not that much harder to implement. You could automate that too with some basic
text substitution, e.g. replacing various instances of "and" with an ampersand
or plus sign. You could also vary joined words like "without" / "with out",
and alternate between the types of quotation marks used (as there are several
in Unicode).

And this is without getting into more intelligent heuristics where you swap
out synonyms ("more intelligent" because you'd need to be careful not to alter
passages that need to be kept verbatim, like quoted text, or where a synonym
might alter the context of the sentence. But with a little care I think that
is achievable as well).
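A crude automation of those substitutions might look like this (the rule list
is illustrative only):

```javascript
// Each rule site encodes one bit of the recipient ID by picking one of two
// equivalent forms; variant 0 leaves the text unchanged.
const rules = [
  { find: / and /, variants: [" and ", " & "] },
  { find: /without/, variants: ["without", "with out"] },
  { find: /"([^"]*)"/, variants: ['"$1"', "\u201C$1\u201D"] },
];

function tagCopy(text, id) {
  rules.forEach((rule, i) => {
    const bit = (id >> i) & 1; // i-th bit of the recipient ID
    text = text.replace(rule.find, rule.variants[bit]);
  });
  return text;
}

console.log(tagCopy('Go without backup and "hold".', 3));
// Go with out backup & "hold".
```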

------
ajarmst
This has been a generally known technique for identifying leaks for at least
three decades (and certainly much longer---Tom Clancy described it in a novel
in 1987). The use of non-printing characters is an obvious extension of the
idea. Any journalist who has published copy/pasted material from a
confidential source since then is provably incompetent.
[https://en.wikipedia.org/wiki/Canary_trap](https://en.wikipedia.org/wiki/Canary_trap)

~~~
ajarmst
In case it wasn't obvious, that was at least partly aimed at The Intercept:
[http://heavy.com/news/2017/06/the-intercept-reality-winner-s...](http://heavy.com/news/2017/06/the-intercept-reality-winner-statement-nsa-leaker/)

------
userbinator
This reminds me of a time not too long ago when I was teaching programming
courses; at least one of the students would somehow manage to get one of these
or other weird characters into source code, resulting in much confusion. On
the bright side, I'd take advantage of the opportunity, and an impromptu
lesson in data representation and character encoding soon followed.

It's also one of the things where a hex editor is extremely useful --- even if
you're not working on low-level, seeing the bits directly can be a great
confirmation of correctness.

~~~
niij
I had this happen to me once (and only once, I learned my lesson). Our
professor gave us a PDF with the problem description and it had a bit of code
in it that we were to put into our final program. Well, when I copied and
pasted it, some of the spaces came through as non-ASCII spaces.

~~~
chuckdries
Oh god pasting code from a PDF, that brings me back.

Doesn't your editor handle that? I don't exactly remember, but I kinda
remember having a button to convert pasted characters to ASCII (mostly used
for those annoying stylized Unicode quotes).

~~~
niij
Apparently Atom didn't/doesn't have that feature, or at least doesn't
automatically flag problematic characters when they're present. I believe I
ended up taking a hex editor to my code to see what was wrong, since it was
only a single loop that appeared to stop the compilation.

------
peterburkimsher
Fingerprinting data to find when it's been copy-pasted is a neat application
for invisible characters!

I've also run into a lot of identical-looking characters when handling Chinese
text. Note that Google Translate does not handle these correctly.

[https://github.com/pingtype/pingtype.github.io/blob/master/r...](https://github.com/pingtype/pingtype.github.io/blob/master/radicals.txt)

It's about the Kangxi Radicals Unicode block, compared with the CJK Unified
Ideographs block. If you want me to write a blog post about it, please comment
and I'll
get around to it.
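The distinction is easy to demonstrate, since the lookalikes occupy different
code points (using radical 205, 'frog', as an example):

```javascript
// U+2FCC KANGXI RADICAL FROG vs U+9EFE, the CJK ideograph 黾: they render
// almost identically but compare as different strings.
const codePoints = s =>
  [...s].map(c => "U+" + c.codePointAt(0).toString(16).toUpperCase());

const kangxi = "\u2FCC";
const cjk = "\u9EFE";
console.log(kangxi === cjk);           // false
console.log(codePoints(kangxi + cjk)); // [ 'U+2FCC', 'U+9EFE' ]
```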

~~~
kurthr
It's interesting to me, because I've seen this effect (while copy pasting) and
wondered why... if I hadn't been translating I would never have noticed.

Even though some are noticeably different:

⿌ 黾

~~~
peterburkimsher
Thanks for the encouragement - I'll write that blog post when I get a chance!

黾 is the simplified version of ⿌.

(In [http://pingtype.github.io](http://pingtype.github.io) click Advanced >
Regional, paste into the Simplified text box, then click "Simplified to
Traditional")

------
evfanknitram
A fun fact is that the thumbprint text box in the certificate viewer in
Windows starts with an invisible character.

So if you have a cert and just want to copy and paste the thumbprint into some
file or application which needs to load it, then copying the full thumbprint
probably won't work.

When I said fun I meant frustrating.

~~~
hinkley
At one job I had to declare a moratorium on sending certain bits of
information through Outlook because the number of people who needed help
cutting and pasting it correctly was becoming a problem. Everything went into
the wiki or config files that were checked in or used as attachments.

And don’t get me started on Microsoft and their fucking smart quotes...

~~~
DonHopkins
The "smart" in "smart quotes" mean that they hurt, not that they're
intelligent.

------
3pt14159
Hi everyone, thanks for the feedback! I'm not sure if this deserves its own
submission or not, but I have a short update to this post available here:

[https://www.zachaysan.com/writing/2018-01-01-fingerprinting-...](https://www.zachaysan.com/writing/2018-01-01-fingerprinting-update)

It includes one very interesting comment from an editor of The Weekly
Standard.

------
jeffwass
Elon Musk did this nearly a decade ago at Tesla to try to identify a source of
leaks. He sent many copies of a memo with slightly different versions to key
team members.

It backfired when one of the top executives forwarded his own copy to the rest
of the team.

[https://www.cbsnews.com/news/should-management-spy-on-employ...](https://www.cbsnews.com/news/should-management-spy-on-employees/)

~~~
jwilk
How did it backfire? He forwarded his copy... and what?

~~~
ajryan
You wouldn't know who specifically leaked, just that it was either the exec or
someone who received the forward.

~~~
mikeash
It also revealed the existence of the trick, since people saw their copies
were different.

------
coffeedrinker
I use LibreOffice and these appear as grey characters (at least some of the
characters do). I've wondered what the grey characters were in the past and
now I know.

Copy and paste the examples into LibreOffice and you will immediately see
them.

------
Sir_Cmpwn
For what it's worth, there are genuine use-cases for these. My friends and I
use them for our IRC bots so they can mention people's names without notifying
them.

~~~
Coincoin
I sometimes use invisible white spaces to sort entries in lists where I don't
have control over the comparator.

~~~
ateesdalejr
That's quite the interesting use.

------
jesperlang
This is so sneaky! I am trying to find a good blacklist and found this:

[http://kb.mozillazine.org/Network.IDN.blacklist_chars](http://kb.mozillazine.org/Network.IDN.blacklist_chars)

Or maybe blacklisting is not the best approach; maybe a mix of multiple
approaches: first strip out stuff, then view the text in a program that
displays "unconventional" characters. As a test I pasted the post's test
sentences into Vim, and the invisible characters are displayed as <XXXX>
blocks that are very hard not to notice. The more you think about it, the more
tricky corner cases you find :O

------
WalterBright
The existence of homoglyphs in Unicode is a failure of Unicode's mission. Two
sequences of characters that render the same should _be_ the same. Encoding
invisible semantic information into Unicode is a huge mistake.

~~~
estebank
I disagree; if anything they didn't go far enough. Unifying Chinese and
Japanese characters by making them locale dependent was, IMO, a mistake. The
kind of problem I have with this can be seen with the so-called "Turkish I"
problem. The Turkish language has 4 'i's: i, I, ı and İ. Unicode decided to
encode the first two using the code points for Latin lower case i and upper
case I. In Turkish, the capitalization rules say that i and ı are lower case,
and their upper case counterparts are İ and I. You can see that if you have a
byte stream for which you don't know the locale, you cannot correctly apply
capitalization to it. This is not as trivial a problem as it sounds[1]. It
could have been avoided if Unicode had a separate Turkish i and I; that way
all 'I's would be unambiguous in all contexts. You can extrapolate this issue
to entire languages.

[1] [https://gizmodo.com/382026/a-cellphones-missing-dot-kills-tw...](https://gizmodo.com/382026/a-cellphones-missing-dot-kills-two-people-puts-three-more-in-jail)

~~~
WalterBright
This is beyond the scope of Unicode. Unicode should be how text is displayed.
If there is meaning that is not in the display of the character, then it is
outside the scope of Unicode.

After all, we have many uses for the letter 'a', such as a) a*b=c and b) a as
in apple. Should those 'a's have different Unicode code points?

Semantic meaning comes from context, and there is no context for a Unicode
code point. Trying to insert semantic meaning is both a mistake and a patently
impossible task. The article points out some of the wreckage attempting to do
this causes.

~~~
avian
> Should those 'a's have different Unicode code points?

Unicode does have separate code points for mathematical symbols. See for
instance U+1D44E MATHEMATICAL ITALIC SMALL A. They see little use in practice
though, apart from people using them for funky fonts on Reddit and such.

~~~
WalterBright
I didn't know that, thanks for the info. But the use of a) and b) remains, as
does ASCII art, [a] for footnotes; it's just endless.

~~~
comex
> But the use of a) and b) remains, as does ascii art, [a] for footnotes, it's
> just endless.

You mean like ⒜ or ⓐ or ᵃ? Not to be confused with any of ªａ𝐚𝑎𝒂𝒶𝓪𝔞𝕒𝖆𝖺𝗮𝘢𝙖𝚊ₐ.
Unicode has a whole lot of stuff that nobody uses…

There's also a separate Cyrillic а.

~~~
khaled
I’ve seen all of these used quite extensively. It depends on what kind of
fields you are familiar with.

------
guidovranken
I've been wondering whether it would be possible to create a formal language
through which one could express ideas and facts about the world around us,
rather than values and variables as in a programming language. For humorous
effect people sometimes write things like if ( !food ) goToStore(); -- could
such constructs be formalized? If the language were formal, then the author's
output could be run through a post-processor that re-formulates the expression
so that superfluous data, if any, is removed and stylometric characteristics
disappear, akin to (and maybe built on the same foundations as) the reduction
of mathematical equations to a minimal set of symbols. More broadly, a
mathematical approach to reasoning about real-world concepts is interesting.
Computational philosophy?

Tangentially related to this topic (ulterior fingerprinting), I wonder whether
websites like Twitter might be encoding your IP address or account ID in
pixels on your screen (so subtle that it's impossible to discern with the
naked eye) to make it easy to track screenshots back to you.

------
khendron
I just copied and pasted the example text into the OS X TextEdit app, and all
the zero-width characters got removed.

------
JepZ
Short anecdote:

A few years ago I had to fill in some translation keys within an ecommerce
shop GUI. Eventually, I had to revert some key to its default value and
therefore tried to copy and paste the displayed default value, but the system
kept refusing it. It complained that the string contained invalid characters,
which puzzled me, because I had just inserted the previously valid default
value, and to my eye there were no special characters in it anyway.

So I called one of the devs, and after a few minutes he told me that the
output I had copied contained a zero-width space, and that character was not
allowed by the validation engine. When I typed the string out myself,
everything went fine ;-)

Nowadays, I like to consult `hexdump -C` in such cases.

------
Sir_Substance
Zero width non-joiners are also a great way to bypass swearing filters in most
games and forums.

~~~
ateesdalejr
Yes, I've noticed this very often. Also people who use RTL override and type
text backwards.

------
tim333
I made a jsfiddle so you can see if there are funny characters in text, like
the

""" We're​ not the​ same text, even though we look the same.

We're not the same​ text, even though we look the same. """ example by cutting
and pasting it:

[https://jsfiddle.net/tim333/bjL018k1/](https://jsfiddle.net/tim333/bjL018k1/)

(It took me a lot of googling to figure out how to handle Unicode in
JavaScript.)

Slightly to my surprise the zero width spaces survived being posted into this
comment.

------
forapurpose
> it appears both homoglyph substitution and zero-width fingerprinting have
> been discovered by others

They were discovered a long time ago, and there are many other ways to hide
data in documents.

Remember that you only need to encode enough bits for a relatively unique ID
(and not unique for all files in the universe but only for files with the same
content - for a low-distribution file, even 2-5 bits might be enough). On the
application level, the most common applications and formats have a very large
number of features you can utilize to encode data or simply insert it (e.g.,
Word, Excel, the PDF standard). On the bit level, unless the application
vendor has invested in writing exceptionally tight, secure code, you probably
can find someplace to hide/encode a few bits in a file.

But I think the author is on the right track with the solutions ...

> Use a tool that strips non-whitelisted characters from text before sharing
> it with others.

A more general solution is needed: Something that normalizes data in many
formats, from text to Word to PDF to JPG to WAV to markup languages.

Personally, for non-security reasons, I'd love a utility that normalizes text
to 7-bit ASCII (e.g., from UTF-8 characters higher than 7 bits) and that fits
very efficiently into workflow (e.g., something that normalizes text in the
clipboard if I press a hotkey combination). Anybody know of one?
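The core of such a text normalizer is small; here's a sketch (the character
mappings are illustrative, far from complete):

```javascript
// Decompose with NFKD, drop combining marks and zero-width characters,
// map smart quotes to ASCII, and flag anything left above 7 bits.
function toAscii(text) {
  return text
    .normalize("NFKD")                     // é -> e + combining accent
    .replace(/[\u0300-\u036F]/g, "")       // drop combining marks
    .replace(/[\u200B-\u200D\uFEFF]/g, "") // drop common zero-width chars
    .replace(/[\u2018\u2019]/g, "'")       // smart single quotes -> ASCII
    .replace(/[\u201C\u201D]/g, '"')       // smart double quotes -> ASCII
    .replace(/[^\x00-\x7F]/g, "?");        // flag anything unmapped
}

console.log(toAscii("We\u2019re\u200B not na\u00EFve")); // We're not naive
```

Wiring it to a clipboard hotkey is then an OS-specific exercise.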

------
chiefalchemist
How might this affect accessibility (e.g., screen readers for the visually
impaired)?

~~~
peterburkimsher
Microsoft Word still has the correct word count.

Using Option-Right Arrow to move through the text a word at a time has a
problem, though. The cursor appears to get stuck at that point, and MS Word
shows the font changing.

------
aurizon
This was a common technique when the first word processors came out. They
called it 'micro-kerning', and it involved slight adjustments of the letter
and word spacing. The fitting of characters is called 'kerning', and it
increases readability - and also makes it possible to create pages in which
the copier's ID can be found. The document source would create a unique
document for each person, and if it was leaked and reproduced in a paper, the
character spacings could lead back to the leaker. Synonym substitution was
also used as a variation on the same idea. Most spy types would sanitize their
docs with a scanner and paraphrase many of the words.

------
rurban
So please normalize your texts: unorm --help

[https://crashcourse.housegordon.org/coreutils-multibyte-supp...](https://crashcourse.housegordon.org/coreutils-multibyte-support.html)

------
williamsmj
This blog post (from colleagues) covers the ideas in a little more detail
[http://blog.fastforwardlabs.com/2017/06/23/fingerprinting-do...](http://blog.fastforwardlabs.com/2017/06/23/fingerprinting-documents-with-steganography.html)
and comes with proof-of-concept code
[https://github.com/fastforwardlabs/steganos](https://github.com/fastforwardlabs/steganos).

------
jancsika
Since I'm looking at what I assume are ASCII characters, I just typed this
into the console:

"We're not the same​ text, even though we look the
same.".split("").forEach(function(c, i){ if(c.charCodeAt(0) > 127)
{console.log("Danger: weird character detected: code " + c.charCodeAt(0) + "
at index " + i);} });

~~~
yorwba
For languages other than English (or even for English with some accented
characters), you'll need to do a bit better than just spotting non-ASCII
characters. Finding zero-width/not fully normalized characters would be a bit
more robust, but still not perfect. IIRC, the zero-width joiner/non-joiner are
important for rendering various Indian languages correctly. But I guess it
depends on your use case, and how many false positives you can tolerate.

~~~
jancsika
What I'd want for most cases is to "paste as printable ASCII." That covers a
large number of use cases (the article's example is printable ASCII ostensibly
to reach the largest audience).

I'm not sure what to do with more complicated language mixing, but I suppose a
script to tell you what languages are being used and where there might be
"out-of-place" character codes would help.

~~~
jraph
Solving this seems pretty similar to how browsers handle phishing related
issues with International Domain Names.

[https://en.wikipedia.org/wiki/IDN_homograph_attack](https://en.wikipedia.org/wiki/IDN_homograph_attack)

------
zamber
Recently I played around with zero-width chars to test some inputs. It's
awesome because big payloads can be just one innocuous line. The downside is
that navigating through text with the arrow keys will also step through the
invisible chars, so the cursor appears stuck in one place for a couple of
keypresses.

------
dreen
If you use Visual Studio Code or Sublime Text, there are extensions to
highlight characters like that:

[https://marketplace.visualstudio.com/items?itemName=nhoizey....](https://marketplace.visualstudio.com/items?itemName=nhoizey.gremlins)

------
blablabla123
As an aside, a lot of characters can be represented in different ways. For
instance there is the precomposed character ä, and there is a followed by a
combining diaeresis (the two dots). For the "usual" cases a normalization step
solves this, though.

------
qrbLPHiKpiux
This is hard to detect for the average user. Even for someone seasoned, like
me.

I dare you to inspect the html in Safari, Chrome, Firefox, and even curl, to
see if you can view the raw character encoding.

Some you can, some you can't.

~~~
bandrami
This is why I still swear by Lynx for most browsing

~~~
yorwba
The two different sentences do not look different for me in Lynx. I guess Lynx
just passes the raw characters on and any Unicode handling happens in the
terminal.

~~~
bandrami
I should have said, "Lynx and a fairly dumb terminal"

------
walshemj
Wouldn't any sensible journalist round-trip any documents through 7-bit ASCII
to strip any possible watermarking?

~~~
NelsonMinar
An American journalist handling English text, maybe.

~~~
zokier
7b ASCII is so passé that “roundtripping” through it would be very naïve.

~~~
walshemj
so good opsec requires some trade-offs just as say MAC has some disadvantages
compered to DAC

------
markhahn
anyone else bothered by the (mis-) use of "fingerprint" instead of
"watermark"?

~~~
mikeash
The difference being that “fingerprint” means deriving a signature from some
existing data, and “watermark” means altering data to make it identifiable?

------
LyalinDotCom
Mind blown, so simple now that you explained it but boy did it never occur to
me. Thanks!

------
oldandtired
Interesting: when trying to access the above site, I get a security warning
that the site is unsafe.

------
jmillikan
Also useful for pretending chat-bots are broken.

------
aaronduino
One interesting trick I found for clearing weird characters from the clipboard
is running `pbpaste | pbcopy` in the (macOS) terminal.

~~~
sverhagen
Just curious why that would do anything? Isn't it the same byte stream coming
out that then goes into the other one?

------
tzahola
ASCII-friendly alternatives for invisible fingerprinting:

- replace quotation marks with two apostrophes

- replace “I” with “l”

- replace parentheses with slashes or square brackets

- replace commas with semicolons

Each of these substitutions can communicate a single bit while being ASCII-
safe, and likely won't change word wrapping, as opposed to synonyms.

~~~
userbinator
All of those except the last one are pretty obvious, especially if you're
mixing them to "communicate a single bit".

Speaking of quotation marks, the non-ASCII quotes in your second item and
apostrophe in the last sentence stand out too.

~~~
Too
They are obvious if you have two copies and are actively looking for
differences, otherwise not. If someone sent me a document with square brackets
somewhere I wouldn't question their use of square brackets over parentheses,
unless they didn't match.

