How Modern Printer Technology Outed An NSA Leaker

On Saturday National Security Agency (NSA) contractor Reality Leigh Winner, who leaked classified documents to The Intercept, was arrested. The leaked intelligence report from the NSA detailed Russian cyberattacks allegedly directed at US election officials and electronic voting equipment company VR Systems.

Image credit: Aaron Yoo/Flickr

The US Justice Department’s arrest warrant request stated the classified information printed was tracked to Winner, one of six who printed out the report, and the only one who had email contact with The Intercept. The printed report scanned and published by the publication contained tracking information used to identify and arrest Winner.

The US Government Agency conducted an internal audit to determine who accessed the intelligence reporting since its publication. The US Government Agency determined that six individuals printed this reporting. WINNER was one of these six individuals. A further audit of the six individuals’ desk computers revealed that WINNER had email contact with the News Outlet.

How Steganography Outed Winner

Security researcher Robert Graham showed how the NSA tracked Winner down using only the scanned report. Turns out, nearly every printer is actually a sneak that will out you, thanks to a little trick called printer steganography.

Like regular steganography, which is the practice of hiding data (think invisible ink or a watermark on a photo) inside another piece of data, printer steganography uses dots or lines printed throughout the document that correspond to a certain pattern. It’s an invisible watermark that contains metadata like the date and time of printing and the printer used.

Your Printer Is Probably Telling on You

According to the Electronic Frontier Foundation, these steganography dots appear on colour laser printers and colour laser photocopiers, and are usually unavailable on pages printed in black an white or on colour inkjet printers. The ones on Winner’s printed page were from a Xerox DocuColor printer, and show the page was printed on 9 May 2017 at 6:20AM. The EFF has a DocuColor tracking dot decoder so you can verify its data yourself.

It’s safe to assume the NSA just took a look at the timestamp hidden on the scanned report and found out who was printing what and when. Most new printers have this watermarking functionality preinstalled. You can’t exactly stop your printer from lacing your document with tracking information, and there’s no foolproof way to confound it or anyone attempting to read it if they know how to decipher the pattern.