
Noroboto: Lying Fonts and Mitigation in Rust

https://tritium.legal/blog/noroboto
I think that this is an attack on the understanding of the LLM _potentially_, but it doesn't seem like it's likely to stand up to legal scrutiny?

Seems like this is pretty clearly a case of fraudulent misrepresentation (https://www.law.cornell.edu/wex/fraudulent_misrepresentation) which kinda nullifies the contract, if I understand correctly:

  Fraudulent misrepresentation is a tort claim, typically arising in the field of contract law, that occurs when a defendant makes an intentional or reckless misrepresentation of fact or opinion with the intention to coerce a party into action or inaction on the basis of that misrepresentation.
  To determine whether fraudulent misrepresentation occurred, the court will look for six factors:
    A representation was made
    The representation was false 
    That when made, the defendant knew that the representation was false or that the defendant made the statement recklessly without knowledge of its truth
    That the fraudulent misrepresentation was made with the intention that the plaintiff rely on it
    That the plaintiff did rely on the fraudulent misrepresentation
    That the plaintiff suffered harm as a result of the fraudulent misrepresentation
  Like most claims under contract law, the standard remedy for fraudulent misrepresentation is damages.
Wouldn't ligatures be a more effective attack vector for the "Maryland -> Delaware" case? That's all that ligatures do -- render a specific sequence of characters as something else.
At that point you can just paste a screenshot of your doc into Word and celebrate.

Also, the mitigation can probably be fooled with ligatures since they are only verifying the letters alone as far as I skimmed.

I don’t even understand the threat model. Is my opponent in a court case going to use this on the PDF they give the court? Surely the judge will be pretty annoyed since you can’t even ctrl+f in the files then.
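A toy model of the two attacks discussed in this thread (a font whose glyphs are drawn as other letters, and a ligature that substitutes a whole glyph sequence) and of why a mitigation that verifies letters one at a time does not catch the second. This is an added example, not the Rust mitigation from the linked post and not code from any commenter. The `Font` class, its tables and the `shape` function are constructed for the example and simplify real cmap/GSUB behaviour: instead of drawing glyphs, each glyph carries the text a human would read when it is rendered.

```python
import string
from dataclasses import dataclass, field

ALPHABET = string.ascii_letters + " "


@dataclass
class Font:
    """Constructed toy font: cmap (codepoint -> glyph id), the text each glyph
    looks like when drawn, and GSUB-style ligatures (glyph id tuple -> glyph id)."""
    cmap: dict
    visual: dict
    ligatures: dict = field(default_factory=dict)


def honest_font(alphabet=ALPHABET):
    """Every codepoint has its own glyph, and every glyph looks like its codepoint."""
    cmap = {c: i for i, c in enumerate(alphabet)}
    return Font(cmap, {gid: c for c, gid in cmap.items()})


def swapped_font(base, a, b):
    """Lying font, glyph-swap style: the glyph for `a` is drawn as `b` and vice versa."""
    font = Font(dict(base.cmap), dict(base.visual), dict(base.ligatures))
    ga, gb = font.cmap[a], font.cmap[b]
    font.visual[ga], font.visual[gb] = font.visual[gb], font.visual[ga]
    return font


def ligature_font(base, source, looks_like):
    """Lying font, ligature style: each glyph is honest on its own, but the glyph
    sequence for `source` is replaced by one new glyph drawn as `looks_like`."""
    font = Font(dict(base.cmap), dict(base.visual), dict(base.ligatures))
    new_gid = max(font.visual) + 1
    font.visual[new_gid] = looks_like
    font.ligatures[tuple(font.cmap[c] for c in source)] = new_gid
    return font


def shape(font, text):
    """Minimal shaper: map characters through the cmap, then apply ligature
    substitutions left to right, longest sequence first."""
    glyphs = [font.cmap[c] for c in text]
    ligs = sorted(font.ligatures.items(), key=lambda kv: -len(kv[0]))
    out, i = [], 0
    while i < len(glyphs):
        for seq, lig in ligs:
            if tuple(glyphs[i:i + len(seq)]) == seq:
                out.append(lig)
                i += len(seq)
                break
        else:
            out.append(glyphs[i])
            i += 1
    return out


def render(font, text):
    """What a human sees after shaping and drawing `text` with `font`."""
    return "".join(font.visual[g] for g in shape(font, text))


def per_glyph_check(font, text):
    """Naive mitigation: confirm each character's own glyph looks like that character."""
    return all(font.visual[font.cmap[c]] == c for c in text)


def shaped_check(font, text):
    """Shaping-aware mitigation: compare the rendered run with the underlying text."""
    return render(font, text) == text


HONEST = honest_font()
SWAP = swapped_font(HONEST, "a", "z")            # 'a' drawn as 'z', 'z' drawn as 'a'
LIAR = ligature_font(HONEST, "Maryland", "Delaware")  # 8 glyphs -> 1 glyph reading "Delaware"

if __name__ == "__main__":
    sentence = "the laws of Maryland apply"
    for name, font in (("honest", HONEST), ("swap", SWAP), ("ligature", LIAR)):
        print(f"{name:9} renders as {render(font, sentence)!r}; "
              f"per-glyph check {per_glyph_check(font, sentence)}, "
              f"shaped check {shaped_check(font, sentence)}")
```

The swap font fails the per-glyph check because the lie is in an individual glyph. The ligature font passes it, since every single glyph is honest, and only the check that runs the shaper and compares the whole rendered run with the source text reports the substitution; the same substitution also fires when "Maryland" is embedded in a longer sentence.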

Wouldn't it also work just to render the visible text as an image/path, then put invisible text objects over it?

I've heard suggestions like having white/invisible text in resumes for tricking applicant tracking systems,[0] but it's apparently mitigated by showing recruiters the plain text version of the resume.

[0] example: https://news.ycombinator.com/item?id=36857909

The compile-time vs runtime safety tradeoff is worth calling out. For infrastructure tooling where correctness matters more than iteration speed, the upfront cost pays dividends in reduced production incidents.
Someone could also just make a font file that swaps all of the characters around. So like an A looks like a Z, and a Z looks like an A.