NSA's alleged leaker got tripped up by a secret printer feature
Investigators rely on all kinds of prints to find suspects — fingerprints, footprints and, in Reality Winner's arrest, invisible prints.
On Monday, the National Security Agency contractor was charged in a Georgia court with releasing classified material to a news outlet. The top-secret information was an NSA report from May 5, which was first released to The Intercept, detailing Russian hackers trying to compromise U.S. officials less than two weeks before Election Day in November.
It was yet another twist on the trail of Russian meddling in U.S. politics that stretches back well into last year, from the controversy over leaked emails from Hillary Clinton's campaign to ongoing investigations into meetings involving President Trump's advisers. Trump has disputed reports of Russian interference on his behalf.
The NSA leak came just three days ahead of former FBI director James Comey's expected testimony Thursday before a Senate committee looking into the matter.
A trail of printing slipups led the FBI on Saturday to Winner's home, where they arrested the former Air Force linguist. In the Department of Justice's criminal complaint, prosecutors said they saw the leaked documents had folds and creases on the page, suggesting they'd been printed out and then carried to another location. But it's what wasn't seen that outed Winner as the alleged leaker.
The pages from the NSA's printers came with invisible tracking dots. This is a common feature in modern printers for forensics investigations, according to the Electronic Frontier Foundation. They're nearly invisible to the naked eye, but if you invert the colors, like Rob Graham from Errata Security did, they're a lot more obvious. Take a look now:
Those dots are part of a DocuColor pattern, a grid of 15 by 8 yellow dots repeated over the edges of printed pages. It's a code packed with tracking information, and can be translated to tell you the time, date and serial number of the printer it came from.
By using the code in the leaked documents, Errata Security saw that the pages were printed on May 9 at 6:20 p.m., on a printer with the serial number 29535218.
"This code the government forces into our printers is a violation of our 3rd Amendment rights," Graham wrote in a blog post.
The NSA also conducted an internal audit to find out that six people had printed out the secret report — but only Winner had been in touch with The Intercept by email through her work computer.
CNET Magazine: Check out a sample of the stories in CNET's newsstand edition.
Technically Literate: Original works of short fiction with unique perspectives on tech, exclusively on CNET.