The case of the most recent NSA leaker

We now have the case of 25-year-old Reality Leigh Winner, like Snowden a contractor for the NSA, who is accused of leaking a document to The Intercept about Russian hacking efforts. She was taken into custody even before the contents of the leak were made public. The FBI claims that she left a trail that was easy to follow.

The Intercept has been accused of not protecting a source properly, and Jake Swearingen looks at how the FBI might have arrived at its conclusions, using such things as the markings known as ‘tracking dots’ on every PDF document, and not the ‘crease’ on the page that the media have focused on.

The “crease” has been bandied about in the press, but there’s good reason to believe that the Feds had a more sophisticated way of figuring out that the document had been printed out. The Intercept’s PDF of the document also contains “tracking dots,” barely visible yellow dots available on printed pages that allow anyone to determine the serial number, model date, and date and time of printed material. You can see these for yourself: Just screenshot the top-left corner of any page of the PDF and invert the colors in an image-editing tool. The dots should become immediately apparent. The tracking dots on the documents from the Intercept show a print date of May 9 at 6:20 from a printer with model number 54, serial number 29535218. (The last page of the PDF has a different set of tracking dots — it’s unclear why.)

If this is the copy that the Intercept also provided to the NSA, then the government likely knew enough to determine which employee had used that specific printer at that specific time — no need to see “creases” at all. In fact, the crease may be pretext to avoid mentioning tracking dots (or another forensic method) used to determine that the document was printed — a prosecutorial technique known as “parallel construction” that avoids revealing how evidence on a case was actually gathered.

The problem with apportioning blame in this case is that we don’t know if the Intercept handed over to the NSA the original copy of the report that they’d received — which would have been a grave security error — or if it was a photocopy or reprint that nonetheless betrayed some evidence.

It’s worth reiterating that the FBI has a strong incentive to cast the Intercept as incompetent handlers of sources. There’s a decent chance that the case was built against Winner in a completely different way — one that didn’t rely on mistakes by the journalists at all — and this particular parallel construction of the case is being put forward to cast aspersions on one of the most notorious investigative outfits online. But there’s no escaping that the mistakes made by the Intercept and Winner — small as they may have been — were enough to get a search warrant and indictment signed. If there’s any consolation for leakers and the journalists they rely on, it’s that the affidavit provides an object lesson in protecting sources.

The Intercept issued the following statement in response to the allegations.

On June 5 The Intercept published a story about a top-secret NSA document that was provided to us completely anonymously. Shortly after the article was posted, the Justice Department announced the arrest of Reality Leigh Winner, a 25-year-old government contractor in Augusta, Georgia, for transmitting defense information under the Espionage Act. Although we have no knowledge of the identity of the person who provided us with the document, the U.S. government has told news organizations that Winner was that individual.

While the FBI’s allegations against Winner have been made public through the release of an affidavit and search warrant, which were unsealed at the government’s request, it is important to keep in mind that these documents contain unproven assertions and speculation designed to serve the government’s agenda and as such warrant skepticism. Winner faces allegations that have not been proven. The same is true of the FBI’s claims about how it came to arrest Winner.

We take this matter with the utmost seriousness. However, because of the continued investigation, we will make no further comment on it at this time.

One thing we do know is that whether Winner is the leaker or not, the government will treat her very, very harshly so as to deter any other would-be leakers, and they will use the vast machinery at their disposal plus arguments of national security and secrecy to prevent her getting a fair and open trial.


  1. Chiroptera says

    I’m pretty sure I heard about printers and photocopiers leaving traceable markings on the paper output years ago. In fact, I assume that anything I print out can be traced to the printer I just used. Am I wrong?

  2. timberwoof says

    Color copiers and laser printers built in the past few years put little yellow dots on the pages that can be used to identify when and by what they were printed. The author of the article is confused about how this works: why would a pdf (a computer file) have markings that identify the printer it (a sheet of paper) came from? PDFs could be identified, but that would be in the metadata from the filesystem and what’s embedded in the file itself. Maybe someone scanned the paper documents with a very good scanner and saved the images in a PDF. It’s not PDF that does this, but the printer.
    The lesson here is to scan hot documents as a 1-bit image; that wipes out any such printer traces. (Unfortunately it also wipes out contrast in images. Grayscale will probably also work; you may have to adjust the gamma in Photoshop to saturate the yellow dots.)
    The printer itself, or the printer queue you used, will probably also keep records of who printed what. Depending on the paranoia and dickishness of the IT department or its bosses, they may even keep copies of everything printed. Don’t print stuff on the laser printer at work.
    None of this is secret knowledge.
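
An added example (not from the quoted article or the commenters) of the two checks discussed on this page: finding faint yellow marks in a colour scan, and confirming what survives a grayscale or 1-bit conversion. The pixel grid, colour values and thresholds are constructed assumptions; real marks vary by printer and scanner.

```python
# Constructed sample: an 8x8 RGB "scan" of a page corner (not real scanner output).
WHITE, YELLOW, BLACK = (255, 255, 255), (255, 255, 120), (0, 0, 0)
DOTS = [(1, 2), (3, 5), (6, 1)]        # (row, col) of faint yellow marks
TEXT = [(4, 2), (4, 3), (4, 4)]        # (row, col) of black text pixels


def make_scan():
    img = [[WHITE] * 8 for _ in range(8)]
    for r, c in DOTS:
        img[r][c] = YELLOW
    for r, c in TEXT:
        img[r][c] = BLACK
    return img


def luminance(px):
    r, g, b = px
    return 0.299 * r + 0.587 * g + 0.114 * b   # ITU-R BT.601 weights


def find_yellow(img, min_rg=200, min_gap=60):
    """Yellow ink absorbs blue: red and green stay high, blue drops."""
    return [(r, c) for r, row in enumerate(img) for c, (R, G, B) in enumerate(row)
            if R >= min_rg and G >= min_rg and min(R, G) - B >= min_gap]


def to_grayscale(img):
    return [[(round(luminance(p)),) * 3 for p in row] for row in img]


def to_one_bit(img, threshold=128):
    return [[WHITE if luminance(p) >= threshold else BLACK for p in row] for row in img]


def off_white(img):
    """Pixels that are neither pure white nor pure black: residue worth inspecting."""
    return [(r, c) for r, row in enumerate(img) for c, p in enumerate(row)
            if p not in (WHITE, BLACK)]


if __name__ == "__main__":
    scan = make_scan()
    print("yellow marks in colour scan:", find_yellow(scan))
    print("residue after grayscale:   ", off_white(to_grayscale(scan)))
    print("residue after 1-bit:       ", off_white(to_one_bit(scan)))
```

In this constructed grid the grayscale copy loses the yellow hue but keeps a slightly darker pixel at each mark, which is why the comment above mentions adjusting levels; the 1-bit copy keeps only the text.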
