Which Was a More Sensitive Open Secret Revealed as a Result of the Reality Winner Story: Details on Russian Hacks of Voting Equipment, or Invisible Printer Dots?

Mr. EW doesn’t follow my work all that closely. He’s most apt to read something I wrote if it gets cited in TechDirt, a fact that occasionally makes me fantasize about getting Mike Masnick to publish secret messages about fixing leaky toilets or broken screen doors.

So I was pretty interested in Mr. EW’s take on the Reality Winner story. He believes, as many people do, that Winner was caught using the printer dot technology that Rob Graham laid out here.

I don’t doubt that the FBI or NSA used the printer dot technology to confirm that they had gotten the right person before they charged Winner. But it’s not mentioned at all in DOJ’s narrative of how they caught Winner (who, remember, pled not guilty even though she confessed to the FBI). They cite the following steps (search warrant affidavit, complaint affidavit):

  1. May 30: The Intercept contacts NSA and provides a copy of the document. NSA confirms for itself that it is real and classified.
  2. June 1: NSA makes a leak referral to the FBI.
  3. Undated:
    1. NSA notes that the document has been folded, suggesting it was printed off.
    2. NSA checks who has accessed and printed the document.
    3. NSA checks the work computers of the six people who have printed the document, including Winner.
    4. NSA finds a direct email, from March, from Winner’s work computer to The Intercept using her personal Gmail account pertaining to TI’s podcast.
  4. June 1: For the second time, The Intercept contacts a contractor to validate the document (he or she had told them it was fake on May 24), telling the contractor that the NSA has confirmed its authenticity. The contractor provided a document number to The Intercept, and on the same day, the contractor informed the NSA about the May 24 and June 1 interactions, probably also passing on the detail that the document had been sent from Augusta, GA.
  5. June 2: FBI verifies Winner’s residence for a search warrant.
  6. June 3: FBI interviews Winner, who admits to “removing the classified intelligence reporting from her office space, retaining it, and mailing it from Augusta, Georgia.”

Winner was arrested on June 3; her arrest was unsealed on June 5, just after The Intercept published the document.

On June 5, Graham posted a piece explaining how the hidden dots on the hard copy of the document would have told NSA that the document had been printed out on May 9, making it even easier for the NSA to pinpoint who had printed out the document.

The document leaked by the Intercept was from a printer with model number 54, serial number 29535218. The document was printed on May 9, 2017 at 6:20. The NSA almost certainly has a record of who used the printer at that time.

As I explained to Mr. EW last night, nothing in the official record says the NSA used this hidden dot technology in its hunt for the leaker. I explained that while my friends started talking about the hidden dots almost immediately, there was nothing in the public record about it.

Clearly, the government didn’t exactly want that detail to become public (nor, no doubt, a number of other investigative methods, presumably including at a minimum checks on the non-government computer communications of the six people who printed out the document, and potentially also a check of postal records).

Yet, as a result of the reporting on this, people like Mr. EW not only know about the dot technology, but believe it was the key factor in identifying Winner. If they follow Rob Graham closely, they’ll also know that (in response to my question) another presumed leaker to The Intercept had managed to pass on a printed (and frankly far more important leaked) document, FBI’s Domestic Investigations and Operations Guide, without including the telltale dots (I told Mr. EW about the follow-up but he’s more likely to read it if TechDirt links so…) So they would have learned that the dots are an operational security issue, but there are as yet unknown ways to mitigate that problem.

As I’ve stated several times, while the document Winner leaked to The Intercept provides new details about Russian attempts to hack the election, it simply adds to the widely known narrative already in the public (though the redacted details would no doubt be even more interesting). The secret dots though! — that was news to most people (including me).

Which secret do you think the government is most grumpy about having been made public?

26 replies
  1. jerryy says:

    The dot technology has been known to the ‘public’ for a while, it has been an irritant to photographers and graphic designers, etc., it just did not get a lot of notice in the press because who really would care to read about printers putting a few extra dots on a photo.

    If you check, you can find the EFF cracked the code some time back. For extra kicks, look at what happens if you try to print photos of US currency.

    p.s. I guess that casts my vote in answering the headline’s question.

    • emptywheel says:

      Oh, it’s public. Just not widely known. If it had been the Intercept would have been more careful.

  2. greengiant says:

    Parallel construction of hacking is what they are most pissed about. Guessing the Winner document was made not by the A team, nor B, C, or D teams or at least I would hope so, “available in April” ? What fig leaf was available in April to maintain the fairy tale that only data covered by FISA or public EOs is captured and retained? Google and Facebook were already selling all your clicks and emails, your internet service provider as well soon if not then. The 2016 election tells us that mal actors have caught on that it is cheaper to buy and hack this than the NSA costs to do it. Technology has no morals. The next story will be where the dark money is being hacked.
    Printer/scanner stenography “we”, “many people” already knew about so it is in the public record. Paranoia would say they are messing with your search engine, Orcam would say you just need the right search string. Mr. EW is in a world where he does not worry about someone tracking him down.

    • bmaz says:

      For my money, “parallel construction” has become a far too over broad and over used term over the last few years. Frankly, back in the day, we simply called it whitewashing. The question is whether the manipulation transforms patently unconstitutionally and/or illegally obtained evidence into “clean” evidence that masks the critical initial unconstitutionality/illegality. The DEA has done this since well before I started practicing law, and that was many decades ago.

      It does NOT mean, however, simply moving between secret, but entirely appropriate, methods to public ones. As appears to be the case here.

      • greengiant says:

        Thinking the document Winner found was the secret and entirely appropriate output based on what was made available in April that someone was tasked with investigating after a whole bunch of AI or people knew about it happening in 2016.  So looking for a FISA court order,  a business change,  or someone tasked in April that makes this document happen.   The “unclean” would be there before this report was made.  Doubt if the purpose of the document generation was just for “clean” judicial evidence. It speaks to some energy being spent doing “clean” reports or make work in a “clean” room.   That is what Winner reveals,  not just the content of the report.

  3. lefty665 says:

    Remember EW, when you ask a man to fix something there is no need to remind him about it every six months. At least that’s what the note on our refrigerator says.

    Seems most of the recent dot commentary has been about yellow dots (reminds me of don’t go where the huskies go…). My understanding is that printer id marking has been part of monochrome printer technology for a long, long time. Think I read about it in IT trade rags as long ago as the last millennium.

  4. earlofhuntingdon says:

    Forensic tracking technology has been part of print and photocopier technology for some time.  But it’s important to get the word out to more people, along with guides for how to deal with information that it might be vital to disclose to the general public.

    Someone in the business, that means Ms. Winner and all the folks at The Intercept, should already have been fully conversant with this stuff.


    • earlofhuntingdon says:

      In light of the highlighted information in the Quartz article, below, it’s possible other technology entirely was used to mark and to identify the documents Ms. Winner is alleged to have released, technology that, say, she and The Intercept might know nothing about and have no ability to detect or guard against.

      • SpaceLifeForm says:

        That likely could be the scan to PDF problem.

        G(remove metadata from PDF)

        Also note the 6:20 timestamp.
        Not likely Winner at work.
        But could be a correct ts for gg.

  5. earlofhuntingdon says:

    Sadly, Ms. Winner seems to have more passion than street smarts for a role as challenging as disclosing information that the government would prefer be kept secret.  This is from a 10 Jun 17 article in Quartz (emphasis added):

    The technology meant to track our paper documents back to us has been hidden in plain sight for more than 30 years….

    Although the code behind the yellow-dot patterns was cracked, there is likely other steganography still in use that has yet to be discovered. In addition to the various implementations Crean mentioned, Schoen said there is at least one newer version that is even more difficult to find in a document.

    “What we’ve learned is that there is a second generation of the technology that some of the manufacturers have switched over to,” Schoen said. “We’ve never cracked that or even had a way to detect it.”

    • greengiant says:

      Hmm “phishes” from a French address just went to 0 May 14th and have not returned.   In other news I saw for the first time a cloudflare 502 error, emptywheel.net host error for the first time today.

      • RickR says:

        Got blockage via Tor a few minutes ago. Security blockage by EW’s hosting provider. Was an “area block”. I had drawn a circuit with a Russian exit. Makes sense. New circuit with German exit no problem.
        Same thing typically works if you hit Cloudflare captcha somewhere; get a new circuit and try again.
        AFAIK, EW access remains read-only even with scripts enabled.

        • SpaceLifeForm says:

          More tech details please. You basically have confirmed my theory. I do not use tor by my own volition.

  6. SpaceLifeForm says:

    Sessions to testify in open session tomorrow to Senate Intelligence Committee. 14:00 EDT.

  7. greengiant says:

    SLF: Bad Gateway, Cloudflare working, Cloudflare ray ID, nothing about nginx, May 14th was when French took down TOR nodes.
    Back to comment reply not responding so went to Post reply.

    • SpaceLifeForm says:

      Thank you for the info.
      502 errors are as clear as mud.
      Based on your info, the problem exists somewhere between the Cloudflare front-end reverse proxies and the emptywheel.net server.

      Really useless. Could be CF net, could be out of CF control. But it is not directly due to the CF front-end reverse proxies.

      That is all we can determine at this point.
      Basically, we scraped up some mud, only to find more mud underneath.

      As to comment reply vs post reply, I can always make comment reply work if I Right-click/Long press and open in new tab.
      Suspect a javascript problem.

      • lefty665 says:

        Reply vs post reply switches on for me if I allow emptywheel.net. I have grumbled a couple of times over the years about what access EW requires for full functionality to no avail.

        • SpaceLifeForm says:

          Note EW changed website less than a year ago. Then started using Cloudflare. So, need to disregard old problems (old WordPress).

  8. LeMoyne says:

    Considering that the ‘dot code’ was not offered up by the USG, the answer is ‘invisible printer dots’.  I propose to give the NSA credit and say that the report was intentionally offered up for leaking by RW as another quarter-turn of the screw on our POTUS who acts like a bellicose yet squirmy perp.  Perhaps they have succeeded in creating a win-win-win-win: Tighten screws-Catch a leaker-Burn the Intercept-Warn the states (again).

    All public systems should scrap the crappy WinDoze with its self-reaming PowerShell and move to Linux.  Not yesterday… years ago.

  9. scribe says:

    Last week the Suddeutsche Zeitung (beneficiary of many huge leaks in recent history, not least the Panama Papers and a lot of the NSA In Europe stuff) had a nice, large article on the yellow dots.  “The secret of the invisible yellow dots”  http://www.sueddeutsche.de/digital/whistleblower-das-geheimnis-der-unsichtbaren-gelben-punkte-1.3536060

    Not that they judged Reality Winner’s winning to be Charlie Sheen-level Winning, but….

    Sort of a warning to their contributors….
