How a Xerox DocuColor Printer Led to an NSA Contractor’s Arrest

On Monday, the Erratasecurity blog published a post showing how a U.S. National Security Agency (NSA) contractor, Reality Leigh Winner, was arrested on charges of allegedly leaking NSA intelligence to The Intercept, with the intelligence detailing alleged Russian cyber-attacks directed at U.S. election officials and electronic voting equipment company VR Systems.

The U.S. Justice Department’s arrest warrant request stated that the classified information printed was tracked to Winner, one of six people who printed the report, and the only one who had e-mail contact with The Intercept. The printed report – which was scanned and then published by The Intercept – is said to have contained tracking information used to identify and arrest Winner. The warrant states:

“The U.S. Government Agency conducted an internal audit to determine who accessed the intelligence reporting since its publication. The U.S. Government Agency determined that six individuals printed this reporting. WINNER was one of these six individuals. A further audit of the six individuals’ desk computers revealed that WINNER had e-mail contact with the News Outlet.”

According to Erratasecurity: “…most new printers print nearly invisibly yellow dots that track down exactly when and where documents, any document, is printed. Because the NSA logs all printing jobs on its printers, it can use this to match up precisely who printed the document.”

Using a technique called steganography, the printer – in this case a Xerox DocuColor printer – likely embedded a grid of tiny yellow dots in the printout, indicating when and where the document was printed. Once interpreted with software, the nearly imperceptible dots indicated when the report (later sent to The Intercept by the NSA contractor) was printed and on what printer. NSA administrators could presumably then quickly identify who printed the job by identifying the PC used to send the print job to that printer, and then identifying who is registered to that PC. With the NSA documents, the printer had serial number 29535218, and the document was printed on May 9, 2017, at 6:20 pm.

According to the Electronic Frontier Foundation, various color laser printers – including various Xerox DocuColor printers – print yellow dots containing embedded information on printed documents. (Visit the EFF here to see a list of these printers.) The EFF also states that: “Some of the documents that we previously received through FOIA (Freedom of Information Act) suggested that all major manufacturers of color laser printers entered a secret agreement with governments to ensure that the output of those printers is forensically traceable.” However, it cannot confirm this.

We do recall Xerox actually previewing such technology several years ago – printers that printed tiny imperceptible yellow dots that could yield various bits of key information – and which were designed to deter currency counterfeiting. And, in 2004, PC World interviewed Peter Crean, a senior research fellow at Xerox, who said that Xerox’s laser printers, copiers, and MFPs print the “serial number of each machine coded in little yellow dots” on every printed page. The millimeter-sized dots appear about every inch on a page, nestled within the printed words and margins. “It’s a trail back to you, like a license plate,” Crean said.

Tiny yellow microdots become visible when magnified and shown under blue light, as shown in this print produced by a Xerox DocuColor printer. The microdots can then be interpreted with software to reveal various data, including the source of the print, and the date and time it was printed. Source: Electronic Frontier Foundation.

To see an interesting example of how the EFF decoded yellow-dot tracking data printed by a Xerox DocuColor printer, visit the EFF here.
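As an added illustration (not code from Erratasecurity, the EFF, or Xerox), the sketch below shows how software can turn a DocuColor dot grid into the serial number and print time described above. The 15×8 layout, column assignments and odd-parity scheme follow the EFF's published analysis and are assumptions not stated on this page; `encode`, `decode` and `SAMPLE` are hypothetical names, and the sample grid is constructed from the values reported here rather than taken from the real document.

```python
from datetime import datetime

# Layout assumed from the EFF's published DocuColor analysis (not given on this page):
# 15 columns x 8 rows; top row = column parity, column 1 = row parity (odd parity);
# the 7 lower rows of each column form a binary value, top = 64 ... bottom = 1.
FIELDS = {"minute": 2, "hour": 5, "day": 6, "month": 7, "year": 8}
SERIAL_COLS = (14, 13, 12, 11)  # two decimal digits per column

def encode(serial, when):
    """Build a constructed 8x15 grid (rows of 0/1) to exercise the decoder."""
    cols = {c: getattr(when, name) % 100 for name, c in FIELDS.items()}
    cols.update({c: int(serial[i * 2:i * 2 + 2]) for i, c in enumerate(SERIAL_COLS)})
    cols[10] = 127  # separator column, typically all dots
    grid = [[0] * 15 for _ in range(8)]
    for c, v in cols.items():
        for r in range(1, 8):
            grid[r][c - 1] = (v >> (7 - r)) & 1
    for c in range(1, 15):  # parity row covers columns 2..15
        grid[0][c] = 1 - sum(grid[r][c] for r in range(1, 8)) % 2
    for r in range(1, 8):   # parity column covers rows 2..8
        grid[r][0] = 1 - sum(grid[r][1:]) % 2
    return grid

def decode(grid):
    """Return (serial, timestamp); raise ValueError if a misread dot breaks parity."""
    for c in range(1, 15):
        if sum(grid[r][c] for r in range(8)) % 2 != 1:
            raise ValueError(f"parity error in column {c + 1}")
    for r in range(1, 8):
        if sum(grid[r]) % 2 != 1:
            raise ValueError(f"parity error in row {r + 1}")
    # The top-left corner cell is skipped: it cannot satisfy both parity sets at once.
    val = lambda c: sum(grid[r][c - 1] << (7 - r) for r in range(1, 8))
    serial = "".join(f"{val(c):02d}" for c in SERIAL_COLS)
    f = {name: val(c) for name, c in FIELDS.items()}
    # The year is stored without century; 2000+ is an assumption of this example.
    return serial, datetime(2000 + f["year"], f["month"], f["day"], f["hour"], f["minute"])

# Constructed sample built from the serial number and print time reported on this page.
SAMPLE = encode("29535218", datetime(2017, 5, 9, 18, 20))

if __name__ == "__main__":
    print(decode(SAMPLE))
```

The decoded serial and timestamp are what an auditor would then match against the printer's job log to narrow down who sent the job.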