There's been much speculation on exactly how NSA leaker Reality Winner was exposed after giving The Intercept documents that showed the extent to which the security agency suspects Russian meddling in last year's general election. On one hand, the filing against her talks of the "creases" seen in the scans The Intercept posted, tipping them off to it being a workplace printout from an insider, an insinuation of casual sloppiness on the reporters' part. On the other hand, it seemed clear Winner did everything at a work computer anyway and was surely doomed once the story came out and internal investigations began.
The truth is all of the above, but with a cherry on top: the printouts contained invisible dot patterns added by the printer to identify the worker who sent the print job. The dots survived photocopying, scanning and PDF compression to be published, plain as day, on the world-wide web. Errata Security explains how, in detail.
The document leaked by the Intercept was from a printer with model number 54, serial number 29535218. The document was printed on May 9, 2017 at 6:20. The NSA almost certainly has a record of who used the printer at that time.
The situation is similar to how Vice outed the location of John McAfee, by publishing JPEG photographs of him with the EXIF GPS coordinates still hidden in the file. Or it's how PDFs are often redacted by adding a black bar on top of the image, leaving the underlying contents still in the file for people to read, such as in this NYTimes accident with a Snowden document. Or how opening a Microsoft Office document, then accidentally saving it, leaves fingerprints identifying you behind, as repeatedly happened with the Wikileaks election leaks. These sorts of failures are common with leaks. To fix this yellow-dot problem, use a black-and-white printer, black-and-white scanner, or convert to black-and-white with an image editor.
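The black-and-white fix described above, as an added example (not code from Errata Security or from this post): on a constructed pixel grid with an assumed pale-yellow dot shade, it shows that plain grayscale conversion leaves the dots behind as faint off-white pixels, while thresholding to pure black and white removes them. All function names and the threshold values are assumptions made for the illustration.

```python
# Added example on constructed data; dot colour and thresholds are assumptions.
WHITE, INK, DOT = (255, 255, 255), (20, 20, 20), (255, 255, 170)

def make_scan(width=24, height=12):
    """Constructed 'scan': white page, one row of dark text, four yellow dots."""
    page = [[WHITE] * width for _ in range(height)]
    for x in range(4, 20):
        page[6][x] = INK                      # stand-in for printed text
    for x, y in [(2, 1), (9, 3), (15, 8), (21, 10)]:
        page[y][x] = DOT                      # stand-in for tracking dots
    return page

def luma(px):
    """ITU-R BT.601 luminance, the usual grayscale conversion formula."""
    r, g, b = px
    return round(0.299 * r + 0.587 * g + 0.114 * b)

def yellow_pixels(page, min_gap=40):
    """Pixels that are bright in red and green but noticeably weaker in blue."""
    return [(x, y) for y, row in enumerate(page)
            for x, (r, g, b) in enumerate(row)
            if min(r, g) > 200 and min(r, g) - b >= min_gap]

def off_white_pixels(page, floor=200):
    """Light pixels that are not pure white: where dot residue survives."""
    return [(x, y) for y, row in enumerate(page) for x, p in enumerate(row)
            if p != WHITE and luma(p) >= floor]

def to_grayscale(page):
    """Drop colour but keep every brightness level."""
    return [[(luma(p),) * 3 for p in row] for row in page]

def to_bilevel(page, threshold=128):
    """True black-and-white: every pixel becomes pure black or pure white."""
    return [[WHITE if luma(p) >= threshold else (0, 0, 0) for p in row]
            for row in page]

if __name__ == "__main__":
    scan = make_scan()
    print("yellow dots in colour scan:  ", len(yellow_pixels(scan)))
    gray = to_grayscale(scan)
    print("yellow pixels after gray:    ", len(yellow_pixels(gray)))
    print("off-white residue after gray:", len(off_white_pixels(gray)))
    print("residue after bilevel:       ", len(off_white_pixels(to_bilevel(scan))))
```

Real scans add noise and compression artifacts, so the threshold has to be chosen per document and the result checked by eye at high zoom.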
It seems to me that media simply should not post replicas of the documents they are sent, even at the cost of foregoing the credibility this establishes. You just never know what might be quietly revealed (or surreptitiously encoded), even in a crop or excerpt.
It's not even an NSA thing: most new printers add these dots to every job. The EFF has a list of printers that identify you, but it looks rather out of date.
UPDATE: Joseph Cox links to more coverage of the various ways Winner was exposed, among which the dots are just one particularly fascinating trap: "It seems though authorities would have identified Winner regardless of the print dots or the second contractor. … Judging by court docs, print dots and paper crease really make little difference."
New: here's what journalists and sources can learn from the new NSA contractor document leak/The Intercept report https://t.co/Trz8PRfTH6 pic.twitter.com/J1hCRtnHic
— Joseph Cox (@josephfcox) June 6, 2017
There are shades here of parallel construction, the law enforcement technique whereby a crime is solved through questionable or legally unreliable evidence, and investigators have to search for something more robust to take to court. But in this case, there's a more complex game of appearances in play, with prosecutors wanting to highlight the media's failings over those of the NSA or even the alleged criminal's.