‘Colour printers spy on you’: Barely visible yellow dots lead to arrest of Reality Winner, alleged NSA leaker
National Post, 06 Jun 2017 at 09:27
Criminal investigations into national security leaks tend to be long, complicated and delicate affairs. Sources generally cover their tracks, especially in an era when even the most innocuous computer activity leaves an electronic trail.
Edward Snowden took extraordinary precautions when he leaked troves of classified information on surveillance activity by the National Security Agency to journalists, and was charged only after he publicly revealed himself to be the source. Thomas Drake, a former NSA executive, wasn’t indicted for several years after he passed on details about fraud and waste at the agency to the Baltimore Sun. Originally accused of felony espionage, Drake pleaded guilty to a misdemeanor of exceeding authorized use of a computer.
In the case of Reality Leigh Winner, an NSA contractor accused of sending a top-secret document to a news outlet, federal authorities brought charges less than a week after being tipped off to the leak.
Winner, 25, was charged Monday with gathering, transmitting or losing defence information, as The Washington Post reported. Court documents did not identify the document that was leaked or the news outlet that received it, but the criminal complaint against Winner was unveiled shortly after the national security site the Intercept published a story containing an NSA report on Russian efforts to interfere with the 2016 election.
Reality Winner, arrested for alleged classified leak, is a former US Air Force linguist who speaks Pashto, Farsi & Dari, her mother tells me.
A search warrant affidavit filed in federal court in Georgia reveals how it took just a few days for investigators to single out Winner as the alleged source of the leak.
It started on May 30, when the news outlet showed authorities the printed materials and asked them to comment, according to the affidavit.
“The U.S. Government Agency examined the document shared by the News Outlet and determined the pages of the intelligence reporting appeared to be folded and/or creased,” the affidavit reads, “suggesting they had been printed and hand-carried out of a secured space.”
An internal audit showed that six people had printed out the top-secret materials after they were published at the beginning of the month. One of them was Winner, who worked for Pluribus International at a facility in Georgia, the affidavit says.
Investigators said they searched Winner’s work computer and found that she had emailed the news outlet in March from a personal account. In her message, they said, she appeared to ask for transcripts of a podcast. In response, the news outlet confirmed Winner’s subscription to the service, according to the affidavit.
The review of Winner’s computer history also showed that on May 9 she searched the agency’s classified system using search terms that led her to the report, the affidavit says. That day, it says, she printed the document.
The agency told the FBI about the leak on June 1. The same day, the affidavit says, an unidentified government contractor contacted the agency to say he had been in touch with a reporter from the news outlet, who had texted pictures of the document so he could verify their authenticity.
“The Contractor informed the Reporter that he thought that the documents were fake,” the affidavit reads. “Nevertheless, the Contractor contacted the U.S. Government Agency on or about June 1, 2017, to inform the U.S. Government Agency of his interaction with the reporter.”
The following day, FBI agents staked out Winner’s one-story red brick house near downtown Augusta, Georgia, where they saw her driving a light-colored Nissan Cube, according to the affidavit.
Winner was arrested Saturday. When FBI agents questioned her at her home, she admitted removing the classified intelligence reporting from her office space, retaining it, and mailing it from Augusta, Georgia, to the news outlet, court documents read. She remains in jail pending a detention hearing. Her lawyer declined to comment on the charges.
After the charges were announced Monday, some cybersecurity experts remarked on the apparent ease with which investigators were able to trace the leak back to Winner. Some went so far as to say the Intercept had outed her by posting copies of the document online. The Intercept said the materials were submitted anonymously.
According to Rob Graham, who writes for the blog Errata Security, the Intercept’s scanned images of the intelligence report contained tracking dots: small, barely visible yellow dots that show exactly when and where documents, any document, is printed. Nearly all modern color printers feature such tracking markers, which are used to identify a printer’s serial number and the date and time a page was printed.
“Because the NSA logs all printing jobs on its printers, it can use this to match up precisely who printed the document,” Graham wrote Monday.
Graham’s post gave a step-by-step demonstration of how investigators could have easily done just that. Using a tracking dot decoding tool from the Electronic Frontier Foundation, he said he determined that the document was from a printer with model number 54, serial number 29535218 and printed on May 9, 2017, at 6:20 a.m.
“The NSA almost certainly has a record of who used the printer at that time,” Graham wrote.
Others picked up on the same point.
“Just a reminder, colour printers spy on you,” tweeted data analyst Tim Bennett. “This one embedded the exact time a U.S. government employee printed a subsequently leaked doc.”