When Reality Leigh Winner allegedly sent classified documents detailing Russian hacking efforts during the U.S. election to The Intercept last month, she probably never thought the printer she used would give her away. But that’s exactly how the FBI says it was able to find and arrest her less than a month later.Winner, 25, was an independent NSA contractor working for the national security firm Pluribus International Corp. with top-secret security clearance at an unnamed U.S. government facility in Georgia. The document she allegedly printed and sent to The Intercept was created just four days before she printed it, on May 5. On June 1, The Intercept contacted the NSA and the Office of the Director of National Intelligence to try to verify the documents, as Winner had sent them anonymously through the mail.
Just 48 hours later, the FBI issued a warrant for Winner’s arrest. Three days after that, The Intercept published its article based on the documents. One hour after the report was published, the Department of Justice published its affidavit detailing the charges against Winner.So how was the FBI able to identify Winner so quickly?According to the bureau’s version of events, detailed in an arrest warrant issued for Winner, the NSA realized the documents had been printed out because the copies sent by The Intercept showed that the documents “appeared to be folded and/or creased, suggesting they had been printed and hand-carried out of a secured space.”The Intercept did not directly refute the details in the criminal complaint; however, the news outlet said in a statement released Tuesday that “these documents contain unproven assertions and speculation designed to serve the government’s agenda and as such warrant skepticism.”“The same is true of the FBI’s claims about how it came to arrest Winner.”Because The Intercept didn’t have the original PDFs, what it sent to the NSA and posted online were PDFs containing pictures of the printed documents, and it was these images that allowed the FBI to quickly identify Winner.Connecting invisible dotsUnbeknownst to most people, many new color laser printers secretly print all-but-invisible yellow dots on documents, which can then be decoded to identify when and where the documents were printed. This was the case with the memo that Winner printed.
The U.S. government has been able to convince a number of printer manufacturers to include these watermarks on all color documents, in a purported effort to prevent counterfeiting.As first spotted by Ted Han, who is the technology lead at DocumentCloud, an online tool that specializes in publishing secret files obtained by journalists, the first and last pages of the documents The Intercept posted online contained these microdots. As security expert Rob Graham outlined, it’s relatively easy to find the pattern embedded in the documents.Simply download them from The Intercept website, open them in a photo-editing app, highlight the top left-hand corner of the first page, invert the colors, and you can make out the roughly rectangular, checkerboard pattern.To decode the pattern, the Electronic Frontier Foundation has set up a handy tool to do just that, as part of its campaign to highlight the fact that this practice takes place. You can manually enter the code you found on the Intercept document to give you the following details about the document:The document was printed on a Xerox Docucolor printer on May 9, 2017, at 6:20, by a printer with model number 54, serial number 29535218.Of course the FBI already knew all this before The Intercept published its story, having received the documents on June 1.
A digital trailThe creases spotted in the documents would have alerted investigators to the possibility that the watermarks were embedded in the documents, and from these it would have been a relatively easy job to single out Winner as the culprit.
The printer she used would have been connected to an internal network known as Joint Worldwide Intelligence Communications System, which is operated by the Defense Intelligence Agency to transmit especially sensitive data. A quick audit of who was using that specific printer would have identified Winner.The thing is, if Winner had decided to print the documents in black and white rather than color, the watermarks would not have been included, as they would be too easily identifiable.
While some have criticized The Intercept for burning its source, others contend it had little choice considering that the documents were sent anonymously and it had to verify them. Some have pointed out that since the documents were printed on a device on the JWICS network, the NSA would have been able to identify Winner anyway, without having the watermarked documents.
And although the printer was a necessary piece of corroborating evidence for investigators, human intelligence gave them a big leg up on finding Winner. For one thing, she allegedly emailed The Intercept at one point from her work computer.Additionally, the government says it was tipped off about the leak by a separate contractor, who was contacted by The Intercept to verify the leaked memo. That contractor, according to the criminal complaint against Winner, was told the memo’s post office area of origin by the Intercept reporter, which was then relayed to investigators.Prior to joining Pluribus International, Winner served six years in the military including work as a linguist for the U.S. Air Force, her mother Billie Winner told CNN, adding she’d never expressed admiration for past leakers, such as Edward Snowden.“She’s never ever given me any kind of indication that she was in favor of that at all,” her mother said. “I don’t know how to explain it.”Noah Kulwin contributed to this report.