Your printer might be putting an ID on all of your docs.
Alleged National Security Agency (NSA) leaker Reality Leigh Winner was reportedly identified after the FBI determined she had printed out a top secret report and shared it with The Intercept — but she might have been undone in part by a subtle code found on the document itself, left by the printer.
By the time The Intercept published an explosive report on June 5 alleging Russian cyberattacks on the U.S. voting system, the FBI had already arrested Winner as the suspect. The affidavit supporting the application for a warrant revealed that the documents provided to the NSA by The Intercept were clearly "folded or creased," which led officials to believe that the docs had been printed and physically secreted out of a "secured space." Investigators were then able to narrow down the list of suspects to six people who had printed the doc before settling on Winner.
Security blogger Rob Graham laid out the process the FBI could have used to definitively pinpoint Winner as the leaker in a blog post, claiming laser color printers produce subtle "yellow dot patterns" every time they’re used. The patterns, which contain the distinct identifying information of the print job, can be easily decoded if you know how to look for them.
The document tracking wasn’t the only factor reportedly used to ID Winner — the contractor allegedly used her work email account to correspond with The Intercept, and a reporter allegedly provided identifying information in contacts with government sources.
Graham wrote that the document posted by The Intercept — which was presumably also the copy provided to the NSA for verification — is a PDF created from pictures of a printed version of the doc that was later scanned into the system. That’s important: because it was a physical copy printed by a laser color machine, it carries the identifying yellow dot patterns.
The Electronic Frontier Foundation (EFF) has been tracking the matter for some time now, and has compiled a list of manufacturers that make laser color printers that produce the yellow dots. Xerox admitted to providing the tracking dots to the Secret Service back in 2005 to combat counterfeiting — but as the EFF noted at the time, there were no laws to prevent the tracking from being used for other means.
Importantly, the tracking dots are reportedly produced only by laser color printers, which are more likely to be found in office settings for professional use. Your compact inkjet unit for home print jobs won’t be tagging all your documents with ID info.
The blog post proves just how simple it is to determine where and when the doc was printed — by downloading the NSA doc from The Intercept article and taking a screenshot of white space, anyone can use a simple photo editing program like Paintbrush to invert the colors to reveal the patterns. Then, by reproducing the pattern using an EFF tool, you can easily find its identifying features. Checking those against the printer’s log would easily show who was behind the job.
Other infosec experts proved Graham’s point on Twitter, sharing screenshots of their quick work with the tracking method.
oh wow, @knowtheory just pointed out the microdots on the first and last page of the intercept’s docs. printer dots kill puppies, folks. pic.twitter.com/w8qxJ9zvhf
— Quinn’s internet 👻 (@quinnnorton) June 6, 2017
The date in the microdots is 6:20 2017/05/09 from a printer with serial number #5429535218, according to https://t.co/PVVm7AAjlL pic.twitter.com/6BY7Y3MFhL
— Tim Bennett (@flashman) June 6, 2017
We contacted several of the printer companies named in the EFF catalogue, but hadn’t received comment at the time of publication.
Graham claims that the yellow-dot trackers on docs can be thwarted by converting files to black-and-white with an image editor, which would conceivably prevent prying eyes from finding the identifying patterns, and clearly put the onus of the "outing" on The Intercept. It’s a simple step to take in such high-pressure situations, but one that isn’t obvious to take without knowledge of the practice.
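For anyone who handles scanned documents before publication, here is a pre-publication check added as an illustration (it is not code from Graham's post or the EFF tool): it looks for yellow dots in a scan region and compares two ways of going "black-and-white". The pixel values, dot positions and threshold are constructed assumptions, and every function name is hypothetical.

```python
# Constructed sample: a 12x12 patch of "white space" from a colour scan that
# carries three faint yellow dots. All values are invented for illustration.
WHITE = (255, 255, 255)
FAINT_YELLOW = (255, 255, 170)     # assumed dot colour after scanning
DOTS = {(2, 3), (5, 9), (10, 1)}   # (row, col) positions, constructed

def make_scan(size=12):
    return [[FAINT_YELLOW if (r, c) in DOTS else WHITE
             for c in range(size)] for r in range(size)]

def find_yellow_dots(img, min_gap=40):
    """Yellow ink absorbs blue light, so a dot is a pixel whose blue channel
    sits well below both red and green."""
    return {(r, c)
            for r, row in enumerate(img)
            for c, (red, green, blue) in enumerate(row)
            if min(red, green) - blue >= min_gap}

def luminance(px):
    # ITU-R BT.601 luma weights, the usual basis for grayscale conversion
    r, g, b = px
    return round(0.299 * r + 0.587 * g + 0.114 * b)

def to_grayscale(img):
    # Colour is dropped, but each pixel keeps its brightness
    return [[(luminance(px),) * 3 for px in row] for row in img]

def to_bilevel(img, threshold=128):
    # True black-and-white: every pixel becomes pure white or pure black
    return [[WHITE if luminance(px) >= threshold else (0, 0, 0)
             for px in row] for row in img]

def audit(img):
    """Count yellow dots and any pixel that still differs from paper white."""
    marks = sum(px != WHITE for row in img for px in row)
    return {"yellow_dots": len(find_yellow_dots(img)), "non_white_pixels": marks}

if __name__ == "__main__":
    scan = make_scan()
    for name, img in [("colour scan", scan),
                      ("grayscale", to_grayscale(scan)),
                      ("bilevel", to_bilevel(scan))]:
        print(f"{name:12s} {audit(img)}")
```

In this constructed sample the grayscale copy no longer contains yellow, yet the three dot positions remain as slightly darker pixels; only the thresholded bilevel copy is clean.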
The yellow dots likely made it much easier to ID Winner, but there were other factors that led to her being tabbed; she reportedly had email contact with The Intercept from her work computer, too. The ultimate lesson here: Don’t leak from work.