X

NSA's alleged leaker got tripped up by a secret printer feature

The Department of Justice is charging Reality Winner with leaking a classified NSA report -- investigators just had to follow the hidden prints.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
See full bio
Alfred Ng
2 min read
screen-shot-2017-06-06-at-9-08-08-am
Enlarge Image
screen-shot-2017-06-06-at-9-08-08-am

Security researchers found tracking codes in printed pages from the leaked NSA documents. Enlarge the image and try to spot the faint yellow dots.

Alfred Ng/CNET

Investigators rely on all kinds of prints to find suspects -- fingerprints, footprints and, in Reality Winner's arrest, invisible prints.

On Monday, the National Security Agency contractor was charged in a Georgia court with releasing classified material to a news outlet. The top-secret information was an NSA report from May 5, which was first released to The Intercept, detailing Russian hackers trying to compromise US officials less than two weeks before Election Day in November.

It was yet another twist on the trail of Russian meddling in US politics that stretches back well into last year, from the controversy over leaked emails from Hillary Clinton's campaign to ongoing investigations into meetings involving President Trump's advisers. Trump has disputed reports of Russian interference on his behalf.

The NSA leak came just three days ahead of former FBI director James Comey's expected testimony before a Senate committee looking into the matter.

A trail of printing slipups led the FBI on Saturday to Winner's home, where they arrested the former Air Force linguist. In the Department of Justice's criminal complaint, prosecutors said they saw the leaked documents had been printed, given folds and creases on the page. But it's what wasn't seen that outed Winner as the alleged leaker.

The pages from the NSA's printers came with invisible tracking dots. This is a common feature in modern printers for forensics investigations, according to the Electronic Frontier Foundation. They're nearly invisible to the naked eye, but if you invert the colors, like Rob Graham from Errata Security did, they're a lot more obvious. Take a look now:

invert

This is the document with inverted colors and increased brightness.The dots are a lot more obvious now.

 Alfred Ng/CNET

Those dots are part of a DocuColor pattern, a grid of 15 by 8 yellow dots repeated over the edges of printed pages. It's a code packed with tracking information, and can be translated to tell you the time, date and serial number of the printer it came from.

By using the code in the leaked documents, Errata Security saw that the pages were printed on May 9 at 6:20 p.m., on a printer with the serial number 29535218.

"This code the government forces into our printers is a violation of our 3rd Amendment rights," Graham wrote in a blog post.

The NSA also conducted an internal audit to find out that six people had printed out the secret report -- but only Winner had been in touch with The Intercept by email through her work computer.

CNET Magazine: Check out a sample of the stories in CNET's newsstand edition.

Technically Literate: Original works of short fiction with unique perspectives on tech, exclusively on CNET.