NSA Leak Disappeared Thanks to Modern Printing Technology
On Saturday, NSA contractor Reality Lee Winner was arrested for leaking classified documents to The Intercept . A leaked NSA intelligence report details Russian cyberattacks allegedly targeting election officials and VR Systems, a company that manufactures electronic voting equipment.
The Justice Department arrest request indicated that the classified information printed had been traced back to Winner, one of the six who printed the report and the only one who had contact with The Intercept via email. The scanned and published printed report contained the tracking information used to identify and arrest Winner.
A U.S. government agency conducted an internal audit to determine who had access to the intelligence reports since they were published. A US government agency determined that six people printed this report. The WINNER was one of the six. Further inspection of the desktops of six people revealed that WINNER had contacted News Outlet via email.
How steganography came out the winner
Security researcher Robert Graham showed how the NSA tracked Winner down using only a scanned report. It turns out that almost every printer is actually a sneaky dick that will fool you thanks to a little trick called printer steganography.
Similar to conventional steganography, which is the practice of hiding data (such as invisible ink or watermarks in a photograph) within another piece of data, printer steganography uses dots or lines printed throughout the document that follow a specific pattern. It is an invisible watermark containing metadata such as the date and time of printing and the printer used.
Your printer is probably talking about you
According to the Electronic Frontier Foundation , these steganographic dots appear on color laser printers and color laser copiers and are usually not available on pages printed on black and white or color inkjet printers. The ones on the Winner printed page were printed on a Xerox DocuColor printer and show the page was printed on May 9, 2017 at 6:20 am. The EFF has a DocuColor trackpoint decoder , so you can check its data yourself.
It’s safe to assume that the NSA just looked at the timestamp hidden in the scanned report and figured out who was typing what and when. Most newer printers come with this watermark feature preinstalled. You cannot exactly stop your printer from laced up your document with tracking information, and there is no reliable way to confuse it or anyone trying to read it if they know how to decipher the pattern.