Recently, a NSA document detailing a Russian plan to hack US voting machines became public. A source in the NSA apparently shared the documents with online publication The Intercept, which scanned and printed these documents. Barely a few hours later, a defence intelligence contractor named Reality Winner was arrested for sharing classified information, having been unintentionally outed by the journalists she’d shared the document with. It was later revealed that the NSA traced the leak to Winner thanks to The Intercept’s report publishing digital scans of the documents she’d printed and shared.
Wait, what? A scan of a printout was traced back to an individual, how? Does the NSA use some special kind of printer that can be used to trace prints back to an individual? The answer is no, and the fact is this ‘tracing technology’ is present in everyday printers that is used by you at home and office.
Sounds crazy, right? It turns out that this is something pretty well known - just not to the general public. It turns out that almost all colour laser printers print a special pattern of "microdots" - a tiny grid of dots small and faint enough that you can't see them with the naked eye under normal lighting. The American digital privacy and free speech organisation the Electronic Frontier Foundation (EFF) maintains a list of printers that contain tracking dots, though as it warns on the page, it is probably safest to assume that all modern colour laser printers do include some form of tracking information.
Now, the tracking isn't going to identify the user, or the location of the printer, or something like that. Can you be tracked using this? Yes and no. What the microdots reveal - you can see for yourself using the EFF's decoder tool - is the model and serial number of the printer, and the exact date and time that the printout was taken.
To find out more, we reached out to various printer brands that are active in India. We contacted all the top companies, but most companies refused to talk about the subject on the record. Only one company offered an actual statement. "We have been instructed by international police authorities not to comment on this matter," said Epson India. We will update this article if any of the companies respond later.
In the NSA case, this allowed the agency to narrow down the leak to a single printer, so it would know when and where the printout was taken - from there, the agency was able to narrow it down to the actual whistleblower. All organisations can track timecode for printer requests, to see who is sending a document to be printed when. On the other hand, if you're taking colour laser printouts at home and distributing them, your neighbour won’t be able to trace them back to you by analysing microdots on the paper.
"The information encoded in the microdots includes the date and time the document was printed and the serial number of the printer that was used," John Shier, Senior Security Advisor, Sophos, told Gadgets 360. "This information can be used to correlate a printed document with a physical device possibly using logs of printer events or comparing the encoded serial number with those contained in an asset database.”
“The average user needs to know that this technology has existed for some time and is included in many popular brands of printers,” Sheir adds. “This capability was added voluntarily by certain printer manufacturers allegedly in response to government pressure to prevent counterfeiting when colour laser printers became widely available."
"The only way to avoiding having microdots printed on your documents is to either print in black and white or to use a printer that's not known to use this technology," Shier explains.
The printed yellow dots could be a hedge against counterfeiting - if the purported date of the document does not match up to the data confirmed by the dots, then you know it's a fake. But these dots can also be used to identify the printer a whistleblower uses, as happened with Reality Winner.
This kind of information is a type of metadata, and for most people, it isn't going to be a real issue. But whistleblowers, free speech activists, and others doing work where keeping one’ identity secret is of utmost importance, could find their privacy - and even their safety - compromised by these methods.
As noted on the Errata Security blog, published by cybersecurity experts, this kind of accidental disclosure of sources through metadata has a long history. It notes:
The situation is similar to how Vice outed the location of John McAfee, by publishing JPEG photographs of him with the EXIF GPS coordinates still hidden in the file. Or it's how PDFs are often redacted by adding a black bar on top of image, leaving the underlying contents still in the file for people to read, such as in this NYTime accident with a Snowden document. Or how opening a Microsoft Office document, then accidentally saving it, leaves fingerprints identifying you behind, as repeatedly happened with the Wikileaks election leaks.
So it's not likely that you personally are going to be tracked through this method - unless you're a whistleblower, or someone else who has reason to fear tracking from your organisation. On the other hand, if you are someone who has reason to avoid being tracked, apparently the workarounds are fairly simple: just use a black and white printer, a black and white scanner, or convert the scanned images into black and white - not greyscale - using an image editing software.