How Document-Tracking Dots Helped The FBI Track Down Russian Hacking Doc Leaker

from the just-metadata-things dept

The surprising story that quickly followed the somewhat-less-surprising Intercept leak was the arrest of Reality Leigh Winner for the leak of the document. It was an incredibly fast leak investigation that apparently began when The Intercept reached out for comment after obtaining the document on May 30th.

There’s been a lot of talk that The Intercept acted carelessly when speaking to government officials and burned its source. But the evidence trail laid down by the FBI’s affidavit suggests Winner did most of the burning herself. The document given to The Intercept was either an original printout or a scan of it. It showed telltale creases where it had been folded and placed into an envelope by the leaker.

More importantly, the document contained something else: data that indicated where and when the document had been printed. This made it much easier to link Winner to the posted document. Rob Graham of Errata Security walks through the steps he took to decipher the physical metadata created by the NSA printer used by Winner. Printers — and not just those owned by secretive government agencies — can help rat out leakers.

The problem is that most new printers print nearly invisibly yellow dots that track down exactly when and where documents, any document, is printed. Because the NSA logs all printing jobs on its printers, it can use this to match up precisely who printed the document.

Using a paint program to invert the document’s color scheme and the EFF’s handy spy-in-the-printer tool, Graham obtained the following information using only the auto-printed dots on the Intercept document:

The document leaked by the Intercept was from a printer with model number 54, serial number 29535218. The document was printed on May 9, 2017 at 6:20. The NSA almost certainly has a record of who used the printer at that time.

Very definitely it does have such records, as do a great many entities not heavily involved in national security. Many documents in many companies are considered “uncontrolled” if printed, and built-in document tracking allows them to track down employees who may have jeopardized nothing more than their own employment.

However, this does bring everything back around to the “just metadata” argument. The government has often claimed the wholesale collection of metadata is harmless, because it’s nothing more than transactional records. Obviously, metadata can be quite damaging. Winner’s decision to print the document ended her very short stint as a leaker.

Conversely, the government also claims — when raising the “going dark” specter — that metadata and other transactional records aren’t nearly as useful as intercepted communications and/or device contents. To some extent, that’s true. But it’s obvious that metadata/transactional records aren’t nearly as useless as they’re portrayed by law enforcement handwringers. Either way the government spins the metadata argument, it’s insulting the intelligence of Americans.

Filed Under: , , , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “How Document-Tracking Dots Helped The FBI Track Down Russian Hacking Doc Leaker”

Subscribe: RSS Leave a comment
Mike Masnicksays:

Re: Wikileaks would have scrubbed the documents properly.

/always have someone who understand technology and security on staff

For what it’s worth, the Intercept employs two of the most well-respected security experts in the world : Morgan Marquis-Boire and Micah Lee. This wasn’t for lack of having people on staff who know this stuff. Those guys know. It’s not clear what happened here exactly.


Re: Re: Wikileaks would have scrubbed the documents properly.

I think she screwed up multiple times in the process. Left too many footprints that could be traced back to her. I personally didn’t know about those fingerprints. I wonder if every printer out there has this ‘feature’ and if their security experts were aware of it. How long has it been known in the wild?

Machin Shinsays:

Re: Re: Re: Wikileaks would have scrubbed the documents properly.

I also think that is the case. If another story I read about all this is true then it sounds like she would have been caught pretty quick anyways. From what I saw they narrowed it down to about 6 people just by looking at who accessed the documents recently. She was then the only one out of the 6 who printed it.

Re: Re: Re: Re: Wikileaks would have scrubbed the documents properly.

Yeah, the Intercept was sloppy, but ultimately it probably didn’t change anything.

I almost wonder if Winner knew that. If she knew she’d get caught more or less immediately and so prioritized getting as much as she could over trying to cover her tracks. I mean, if she knew covering her tracks was never going to work anyway…


Re: Wikileaks would have scrubbed the documents properly.

I doubt Winner trusted Wikileaks to even report on this.

Wikileaks has been accused of being in Russia’s pockets for over a year, and they’ve clearly been in Trump’s pocket for ages. That doesn’t sound like the kind of a person to leak something damaging to both to.

Wikileaks burned a lot of their credibly to half the country in the election.


That is one reason to pay for printers with cash, no checks or credit cards.

I do this when buying a printer, so that if it is ever stolen, and someone decides to do something illegal like that, ownership of that printer cannot be traced back to me and I avoid going to jail for something I did not do.

This is why you want to pay for any and all printers you buy with cash, no checks or credit cards, so that ownership of that printer cannot be traced back to you. All anyone will know is that someone purchased that printer by plunking down a few Bejamins, and the trail will run cold after that.

Roger Strongsays:


Apparently the tracking dots originated with worries about people using their color printers to counterfeit money.

Given that the printer’s serial number is encoded on the document – how certain are you that your anonymously purchased printer isn’t sending that serial number back to the manufacturer when you install or update your driver? Or to Microsoft/Apple/Commodore when you update your OS?

Even if that were the ONLY thing they sent back, no owner information – it would tie the serial number to your IP address.


Re: Re:

Simple don’t buy a printer that has an IP address. Buy one that is hard-wired to the computer using a USB cable is the way to go. Doing that, and paying with cash will guarantee that nothing will trace back to you if your printer is stolen and someone does something illegal with it.

My issue with these dots is what will happen is the printer is stolen, and someone does something nafarious with it. Having no bank trail leading back to me keeps me out of trouble, if that happens.

That is why you want to buy a that is wired to the computer and not connected directly to the network, and always pay with cash

Roger Strongsays:

Re: Re: Re:

Simple don’t buy a printer that has an IP address. Buy one that is hard-wired to the computer using a USB cable is the way to go.

That doesn’t help.

When you install a driver on your PC/Mac/PET for your USB-connected printer, your computer fetches the printer details including the serial number. You can find it in Devices & Printers – if the driver is still installed – even when the printer is long gone.

So when your driver is automatically updated – again, even when the printer is long gone – that serial number could be sent to the manufacturer. When you update your OS, it could be sent to Microsoft/Apple/Commodore. Coming from your IP address. Which Prenda, let alone police, have had no problems tracing back to the user’s location if not identity.


Re: Re: Re: Re:

That doesn’t help.
When you install a driver on your PC/Mac/PET for your USB-connected printer, your computer fetches the printer details including the serial number.

Right, except that not all OSes will auto-install drivers like that. USB printers communicate with a standard low-level interface, and if they also support a standard higher-level data format like PJL+Postscript you won’t need any driver. You might still get one on Windows if you’re not very careful, but Linux would be fine for example. Before obtaining a printer:

  • Browse EFF’s site and make sure it doesn’t print tracking dots. As far as people know, only color printers do it, and only some brands.
  • Make sure it directly supports PostScript or PDF with no vendor-supplied driver.
  • Make sure it has no network support, or that any support can be disabled. Network support isn’t necessarily a tracking feature but it will be a security hole unless you and the manufacturer keep on top of firmware updates until the printer is discarded. You can still network-print via a USB cable from your router or another computer, as long as it’s getting security updates.

And if you’re a programmer:

  • Consider creating an OpenWRT-like project for printer firmware. Even if manufacturers like Xerox weren’t adding user-hostile features, they don’t have great security records and they like to keep "high-end" features out of their cheap printers.
  • If you work for a company that asks you to add tracking/"metadata" features, remember these may be used to imprison people–or even torture/kill them.

Re: Re: Re: Re: Re:

If you work for a company that asks you to add tracking/"metadata" features

If it’s a government demand, consider talking to an EFF lawyer under attorney/client privilege. (NOT FROM A WORK EMAIL/COMPUTER!) There are 3rd-amendment implications in the US, as Rob noted. Think about becoming a whistleblower/witness/plaintiff.

Consider creating an OpenWRT-like project for printer firmware

Secret software to operate laser printers was what caused RMS to start the Free Software movement, so it’s strange this doesn’t exist.


Re: Re: Re:

Simple don’t buy a printer that has an IP address. Buy one that is hard-wired to the computer using a USB cable is the way to go.

It’s not the IP address of the printer Roger Strong was referring to (I believe), but the IP address of the premises (the internet connection) of where the printer is.

If you install drivers or firmware from the manufacturer, as part of the installation process on the computer attached to the printer could be a ‘phone home’ step. Or even in the O/S itself, e.g. one of the things Windows 10 (and 7/8 if various telemetry options are enabled) does is send information about installed (i.e. attached via USB) devices to MS – supposedly anonymised.

Auto-updates for installed drivers could, when checking for updates, provide printer details to the update service along with the IP address used to check for the updates, along with anything else the process wants to provide.


Re: Re: Re: Re: Re:

When installing the driver, just connect your PC to a VPN

And keep using that VPN until the driver has been uninstalled, and you can confirm there’s nothing left over. The "phone home" step isn’t necessarily going to happen at installation, or only at installation. (And of course a driver has enough privilege to bypass the VPN if it really wants to.)

Jeff Greensays:


How cold?
The shop where you bought it has CCTV, their stock control system says when that serial number printer was sold, at which check-out etc.
The till could well autocheck the notes aren’t counterfeit a process that involves them reading the serial numbers. Where did you get those notes? ATM machines are also entirely capable of recording your face, your bank details and the serial numbers.
Meta data is everywhere, most of it isn’t collected, but I wouldn’t like to bet how much of it actually is!


Re: Re:

The shop where you bought it has CCTV, their stock control system says when that serial number printer was sold, at which check-out etc.

Not all stores scan the serial numbers of things they sell. I’d expect that at an electronics store, but maybe not the electronic department of a grocery store. CCTV recordings have traditionally been deleted after some time, which could be a few years by now.

To be safe, buy a printer at a garage sale or thrift store, or pick one up at the kerb (I come across a decent laser printer every year or so without even looking for them). Try to get a black-and-white printer to avoid the tracking dots.

Re: Re: Re:

I used to work at a small computer store at a large university. It’s been 12 years but my recollection is that we only scanned serial numbers for things that cost over $100. So yes for the high-dollar office printers, no for the cheap inkjets students were buying.

Obviously that policy is going to vary from store to store, but that at least illustrates some of the thinking that goes into it, on the retailer’s side.


Re: Re:

CCTV cameras are probably wireless. Just have a jammer that will prevent the CCTV cameras from being able to record your face. To the security detail in the store, it will simply appear to be malfunction, and they will have no idea the camera was being jammed. CCTV cameras use the same frequencies as WiFI, so a Wifi jammer would suffice for this. This would prevent your face from being recorded at the checkout counter. Security would never be the wiser.

Anonymous Howard IIsays:


If your printer gets stolen, report the theft to the police as soon as possible. If it is insured, make a claim.

If your printer (technically now your insurer’s printer) is then found to be used for criminal activity after the earliest date at which it could have been stolen, you surely have a valid defense.

Michael Psays:

"Uncontrolled if printed" is not about access control!

Many documents in many companies are considered "uncontrolled" if printed

The term "uncontrolled if printed", along with similar forms, is about revision control rather than access control. It indicates that a printed copy might not be the latest version, and that anyone relying on it should beware of the risks of using outdated information. It is totally unrelated to whether the document is classified, proprietary, covered by HIPAA, or whatever.

My acquaintance with the term is in the context of corporate policy documents. At a previous job, the manufacturing side of the company brought in ISO 9000 quality control processes, and all those documents were labeled "uncontrolled if printed". That was to make sure people did not blindly trust a copy of a policy or procedure that might be years out of date (but happened to be in hard copy).

Given that it has nothing to do with classification level or other distribution controls, why mention it at all? It seems likely to mislead people.


Re: "Uncontrolled if printed" is not about access control!

Given that it has nothing to do with classification level or other distribution controls, why mention it at all? It seems likely to mislead people.

Perhaps it misled the authors into thinking that it was important to mention this. While your post makes perfect sense to me, prior to reading it, I too was thinking in terms of access control.

Michael Psays:

Re: Re: "Uncontrolled if printed" is not about access control!

Maybe, but that is why people who want to be taken seriously should check their facts before making them significant parts of their claims. It took me about 60 seconds with a Google search to confirm that my understanding was far and away the most common one, even though a lot of people had questions about what it meant.



There’s nothing wrong with using a color laser printer for this. When printing a black-and-white document, they’ll use black toner only, just like any other printer?except for a tiny bit of yellow toner to add the tracking information. But that’s an antifeature Xerox decided to add; nobody’s aware of any law requiring it, and not all printer makers do it.



That’s not the only metadata assigned to a file print, check your document reader. Who what where time unit etc…all listed. Unsupervised contractor in a secure location? Really unsupervised? There are other devices watching. Plus, other companies looking. They want their contractor there. So, was it really her?


One nit:

Either way the government spins the metadata argument, it’s insulting the intelligence of Americans.

How do you insult the intelligence of a country electing Trump? I mean, this is like the "considering himself to be a worthless failure of a human being is not necessarily a sign of depression: maybe he is just right." adage.

The government clearly considers the American public abysmally stupid regarding the garbage they are willing by and large to gobble up without signs of critical thinking.

But it’s not as much an insult to the intelligence of Americans as it is an accurate appraisal.


Re: she mailed it via postal service, which spies for nsa too

One way is to not put a return address on, and always type, instead of write the address

One cousin of mine, who was divorced, did this to avoid having his child support obligation raised, whenever he made more money. He just simply paid for with a money order, using cash only, then mailed that to his ex-wife, putting no return address on the envelope, so his ex-wife could not track him and demand more monthly child support payments. As long as he paid the current amount, which he did, law enforcement had no reason to track him down.

So leaving no return address on the enevelope and/or typing the address where it is supposed to go can make it harder to trace,

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop ┬╗

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Older Stuff
13:40 It's Great That Winnie The Pooh Is In The Public Domain; But He Should Have Been Free In 1982 (Or Earlier) (35)
12:06 Norton 360 Now Comes With Crypto Mining Capabilities And Sketchy Removal Process (28)
10:45 Chinese Government Dragnet Now Folding In American Social Media Platforms To Silence Dissent (14)
10:40 Daily Deal: The 2022 Ultimate Cybersecurity Analyst Preparation Bundle (0)
09:29 A Fight Between Facebook And The British Medical Journal Highlights The Difficulty Of Moderating 'Medical Misinformation' (9)
06:29 Court Ruling Paves The Way For Better, More Reliable Wi-Fi (4)
20:12 Eighth Circuit (Again) Says There's Nothing Wrong With Detaining Innocent Minors At Gunpoint (15)
15:48 China's Regulatory War On Its Gaming Industry Racks Up 14k Casualties (10)
13:31 Chinese Government Fines Local Car Dealerships For Surveilling While Not Being The Government (5)
12:08 Eric Clapton Pretends To Regret The Decision To Sue Random German Woman Who Listed A Bootleg Of One Of His CDs On Ebay (29)
10:44 ICE Is So Toxic That The DHS's Investigative Wing Is Asking To Be Completely Separated From It (29)
10:39 Daily Deal: The 2022 Complete Raspberry Pi And Arduino Developer Bundle (0)
09:31 Google Blocked An Article About Police From The Intercept... Because The Title Included A Phrase That Was Also A Movie Title (24)
06:22 Wireless Carriers Balk At FAA Demand For 5G Deployment Delays Amid Shaky Safety Concerns (16)
19:53 Tenth Circuit Denies Qualified Immunity To Social Worker Who Fabricated A Mother's Confession Of Child Abuse (35)
15:39 Sci-Hub's Creator Thinks Academic Publishers, Not Her Site, Are The Real Threat To Science, And Says: 'Any Law Against Knowledge Is Fundamentally Unjust' (34)
13:32 Federal Court Tells Proud Boys Defendants That Raiding The Capitol Building Isn't Covered By The First Amendment (25)
12:14 US Courts Realizing They Have A Judge Alan Albright Sized Problem In Waco (17)
10:44 Boston Police Department Used Forfeiture Funds To Hide Purchase Of Surveillance Tech From City Reps (16)
10:39 Daily Deal: The Ultimate Microsoft Excel Training Bundle (0)
09:20 NY Senator Proposes Ridiculously Unconstitutional Social Media Law That Is The Mirror Opposite Of Equally Unconstitutional Laws In Florida & Texas (25)
06:12 Telecom Monopolies Are Exploiting Crappy U.S. Broadband Maps To Block Community Broadband Grant Requests (7)
12:00 Funniest/Most Insightful Comments Of 2021 At Techdirt (17)
10:00 Gaming Like It's 1926: Join The Fourth Annual Public Domain Game Jam (6)
09:00 New Year's Message: The Arc Of The Moral Universe Is A Twisty Path (33)
19:39 DHS, ICE Begin Body Camera Pilot Program With Surprisingly Good Policies In Place (7)
15:29 Remembering Techdirt Contributors Sherwin And Elliot (1)
13:32 DC Metro PD's Powerful Review Panel Keeps Giving Bad Cops Their Jobs Back (6)
12:11 Missouri Governor Still Expects Journalists To Be Prosecuted For Showing How His Admin Leaked Teacher Social Security Numbers (39)
10:48 Oversight Board Overturning Instagram Takedown Of Ayahuasca Post Demonstrates The Impossibility Of Content Moderation (10)
More arrow
This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it