NSA Leaker Identified Thanks to Hidden Watermarks from Xerox Printer
Reality Leigh Winner is in hot water thanks to a Xerox DocuColor printer, according to ars Technica, part of the Wired Digital Group, Vice News and other news sites. In May, Winner — an independent NSA contractor with high-security clearance — anonymously sent classified documents to The Intercept about the Russian hacks during the 2016 U.S. presidential election. The documents were printed on a Xerox DocuColor and sent to The Intercept. What Winner didn't know is that many printers use encoded watermarks — called steganography according to Lifehacker — that work as a way to track printed documents back to a specific device.
Vice News reports that after Winner's documents were received, The Intercept approached the NSA to verify the documents' authenticity, and 48 hours later the FBI issued a warrant for the young woman's arrest. The news site goes on to report that the NSA knew the documents had been printed because they “appeared to be folded and/or creased, suggesting they had been printed and hand-carried out of a secured space.”
How Did the NSA and FBI Connect the Dots?
The Washington Times reports that the government conducted an internal audit that was able to narrow the investigation down to six people who had accessed the report after it was released in May. Winner was among those six individuals and apparently admitted to printing the classified documents when interviewed by the FBI.
Steganography works by printing small yellow dots in a pattern that can be decoded to reveal exactly what day and at what time a document was printed, as well as the serial number of the printer that was used. The Electronic Frontier Foundation even created a tool to decode the dots printed by the DocuColor. However, as Vice News reports, if Winner had printed in black-and- white and not color, the watermark would not have been revealed, although she still would have been one of the six suspects.
The Post also cites a blog posted on June 5 by Errata Security Founder Robert Graham who reviewed the file. He wrote:
The document leaked by The Intercept was from a printer with model number 54, serial number 29535218. The document was printed on May 9, 2017 at 6:20. The NSA almost certainly has a record of who used the printer at that time.
If convicted, Winner could face up to 10 years in prison for her indiscretion. She is scheduled to have a detention hearing on June 8 in Augusta, Georgia. Winner's lawyer told NPR she will enter a plea of not guilty.