

How the New Suspected NSA Leaker Reality Winner Was Caught

From the characteristics of physical documents, to not using work computers, there’s plenty to learn from the recent bombshell leaking charge.
Facebook photo of suspected NSA leaker Reality Winner. Image: Reality Winner/Facebook

On Monday, The Intercept published a document and report detailing a Russian effort to hack a US voting infrastructure contractor as well as local government organizations. On the same day, the Department of Justice announced the arrest of a woman on suspicion of leaking classified material to a news outlet, and several outlets subsequently reported that the arrest was linked to The Intercept's report.


Reality Leigh Winner, 25, was identified as the suspected source because she and others seemingly made a series of security missteps, from using work computers to publishing documents with identifying information, and more. Now the court filings give us a good opportunity to learn what went wrong.


When thinking of metadata, you may typically point to who sent an email and when, or who authored a Word file. But physical documents have metadata and other associated clues as well.

In this case, The Intercept provided a scanned copy of the document to the NSA, which noticed that the document was "folded and/or creased", suggesting someone had physically printed it, judging by the affidavit. From there, investigators checked who had recently printed that document, and Winner was one of the names that came up. As a few people pointed out, since the document The Intercept published was a scan of a physical print-out, it included a series of dots that potentially all printers add to surreptitiously watermark documents, revealing when they were printed.

That said, the affidavit does not explicitly point to the print dots as the incriminating factor. Instead, it merely states that there was an "internal audit" which "determined that six individuals printed" the document, which were further narrowed to one suspect. There's a good chance investigators would have looked into who printed or simply accessed the file even if they didn't see the printed document's physical idiosyncrasies. Another court filing says investigators found that Winner allegedly used specific search terms to identify the to-be-leaked document.


The Intercept could have provided other parties, such as the agency the file was taken from, with only transcripts of the document, although this may make the journalist's job of verifying the document somewhat harder. When Wikileaks published alleged communication intercepts obtained from the NSA, the organization did not print the original documents. Instead, it published snippets it had seemingly typed up itself, removing any metadata.


Although Winner allegedly posted the document in the mail, she also supposedly had email contact with The Intercept from her work desk computer, according to the affidavit. As a source, using your work computer, email, or network is typically not a good idea, as many government and private organizations are going to monitor how people use their facilities. Indeed, The Intercept makes this clear in its own guide to potential sources.

"Don't contact us from work. Most corporate and government networks log traffic. Even if you're using Tor, being the only Tor user at work could make you stand out," The Intercept's website reads.

It appears that the emails had nothing to do with the alleged leaking itself, though. According to a court document, Winner contacted The Intercept asking for a transcript of the outlet's podcast. Nevertheless, investigators felt it was noteworthy for their warrant application.
In verifying the leaked document, The Intercept approached a US government contractor, sent them photos of the document, and said what part of the country the files had allegedly come from. Again, perhaps a transcript of the document contents rather than the file itself would have helped here, but as the point was to verify the document as a whole, striking that balance can be difficult.

It's not clear what exact relationship this contractor previously had to The Intercept, source or otherwise, but presumably the reporter trusted them enough to ask for help on a highly sensitive story. The contractor, however, reported their interaction to the NSA, according to court records.

Presumably, the contractor did this to ensure they wouldn't get in trouble themselves, or perhaps for another reason. They may not have intended for their report to be included in a leak affidavit, but sometimes the motivations, goals, and actions of sources and journalists, in the same way that they can converge, can also split. With that in mind, perhaps journalists should limit, to an absolute minimum, the information that they share with others—even if they are involved somehow in a story.

Winner is charged with gathering, transferring, or losing defense information. She allegedly told investigators that she did take the document, and provided it to the media.