The Intercept, a journalism website funded by eBay billionaire Pierre Omidyar and run by investigative journalists Glenn Greenwald and Jeremy Scahill, produced an important scoop Monday.
Its article, drawn from a classified National Security Agency document the Intercept said it received anonymously, exposed "a months-long Russian intelligence cyber effort against elements of the U.S. election and voting infrastructure." Absent the website's publication, we might never have learned about the Russian attack aimed at a U.S. vendor of voter registration systems.
But about an hour after the article was posted online, federal agents arrested a federal contractor named Reality Winner, 25, and charged her with violating government security laws, specifically "removing classified material from a government facility and mailing it to a news outlet." The Intercept isn't identified in the government's announcement of the arrest, but she appears to be the alleged leaker.
The question is how the government identified her so quickly, and the answer may be that she was inadvertently outed by the Intercept itself. That's because the website posted an image of the leaked document containing an almost-invisible code applied by the printer that produced the document sent to the Intercept. The digital watermark identified the printer model and serial number, along with the time and date then document was printed out.
"Because the NSA logs all printing jobs on its printers, it can use this to match up precisely who printed the document," observes cybersecurity expert Rob Graham of Errata Security.
If that's so, it's a case of what John LeCarre would label "poor tradecraft" — an inadvertent exposure of your own source. It's also a reminder that documents produced or reproduced digitally often carry concealed fingerprints that can reveal to trained examiners a lot more than one might think.
That's a lesson warranting the attention of not only secret agents and investigative reporters, but businesses exchanging documents with clients, vendors, or competitors.
In a statement on its website Tuesday, the Intercept said the document was "provided to us completely anonymously. … Although we have no knowledge of the identity of the person who provided us with the document, the U.S. government has told news organizations that Winner was that individual." It declined further comment, including our question about why the authorities may have focused their investigation on Winner.
The Department of Justice has been cagey about how Winner was outed so promptly. In an affidavit filed with her arrest, the FBI says it examined the pages the Intercept shared with the government in seeking comment. The FBI says it determined that "the pages appeared to be folded and/or creased, suggesting they had been printed and carried out of a secured space."
The agency says it determined who at the NSA had access to the document, and that of that group of six, Winner had been in email contact with the "News Outlet."
Errata's analysis suggests the task might have been even easier.
The pattern of yellow dots left by the printer is visible on the image when displayed on any high-quality computer screen, especially if slightly tweaked for color. The pattern can be manually inserted in a matrix found on the Electronic Frontier Foundation's website here, which will produce the decoded information — printer model, serial number, and date and time of print.
Graham recommends reproducing sensitive documents on a black-and-white printer rather than color before posting, to obscure the yellow dots, though some commenters on his website say that's not good enough. A better option is not to reproduce the image at all, but retype it on a blank file. Sometimes the best security approach in the digital world is low-tech, for the same reason that if you're concerned that your computer password could be hacked, take the information you want to secure, lock it in a safe and pocket the key.