Scribbles: the CIA Document Tracking Program that Uncovers Leakers

Nobody disputes the fact that there have been a lot of leaks making the news recently, and nobody disputes that many of them emanated from the intelligence community.


But there is one question that needs to be answered: How is this possible? We’re talking about agencies that have the power of universal surveillance. How is it possible that they cannot see what’s going on in the next office?

This is even more confusing when one realizes that they have, and have had, programs in place to identify leakers for years. The leak collector site, WikiLeaks, has just released information on a CIA program called “Scribbles”, which puts digital watermarks on documents to allow their movements to be traced. With this program, the government can identify whistleblowers, those leaking documents to whistleblower sites, those leaking documents to news media, and foreign agents who may steal these documents.

Scribbles takes advantage of Word to put tracking beacons into any documents created on a computer or network. Word allows for images to be put into a document and this is the same vector that Scribbles uses. It is a sort of pixel-based tracking program. Such tracking has been around for years and allows for one transparent pixel in an image or document to contain a program that allows for tracking. The pixel sends out a beacon to its control center with information. Tracking will not only identify the IP address of the person receiving the document, but when the document was opened, what operating system the possessors of the document used, and what they did with the file. If the file is forwarded to others in the network, an entire network could be mapped out.
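The check below is an added example, not code from this post or from the Scribbles material. It assumes the beacon is stored the way a linked picture is stored in a modern .docx (an external relationship in the OOXML package) and lists every remote reference a document carries without opening it in Word; the host names and document ID are constructed placeholders, and legacy binary .doc files are not covered.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
OFFICE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

def external_targets(docx_bytes):
    """List (part, kind, target) for every external relationship in an OOXML package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue
            # For untrusted files, parse with defusedxml instead of the stdlib parser.
            for rel in ET.fromstring(zf.read(part)).iter(REL):
                if rel.get("TargetMode") == "External":
                    kind = rel.get("Type", "").rsplit("/", 1)[-1]
                    findings.append((part, kind, rel.get("Target")))
    return findings

def loads_without_click(findings):
    """Hyperlinks wait for a click; other external parts (linked images,
    attached templates, OLE links) can be requested when the file is opened."""
    return [f for f in findings if f[1] != "hyperlink"]

def build_sample():
    """Constructed sample: only the relationships part of a .docx, holding one
    linked image on a placeholder host and one ordinary hyperlink."""
    rels = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{OFFICE}image" TargetMode="External" '
        'Target="https://tracker.invalid/logo.png?doc=SAMPLE-0001"/>'
        f'<Relationship Id="rId2" Type="{OFFICE}hyperlink" TargetMode="External" '
        'Target="https://example.org/"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    for part, kind, target in loads_without_click(external_targets(build_sample())):
        print(f"{part}: external {kind} -> {target}")
```

A per-document query string on a linked image, as in the constructed sample, is the detail worth flagging during triage, since it lets the server tie each request to one specific copy.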

But with this ability to track documents, why are the leaks continuing? This could occur for a number of reasons. Scribbles will not work if documents are encoded or come with a password. If the document is opened in a non-Microsoft Office program, it may make the tracking program visible. In other words, any potential document-leaking staff member who knew about the program would be able to easily circumvent it.

As I mentioned above, there is nothing new about pixel tracking programs. Such tracking programs are widely used by marketers to learn about potential customers. Facebook even has its own pixel tracking system for anyone with a business on Facebook. If you have a Facebook account, information on what you do online is collected so that you can be targeted with ads wherever you go, and your browsing patterns can be handed over to its business partners. Such surveillance can be good for people who are interested in purchasing certain items, but others may view this as an infringement on their privacy. If you are in the latter group, you can opt out of this surveillance. It’s a bit of a convoluted process that begins with you clicking on the small triangle next to the question mark in the upper right hand corner of your Facebook page.

[Image: fb triangle]

You then go to “Settings”, “Ads”, and “Ads based on my use of websites and apps”. Eventually, you will have navigated to a page that looks like the one below. In the “Show online interest-based ads:” setting, make sure it is set to “Off”.

[Image: fb ad settings]

You can also tweak other advertising preferences on this page. I found the “Advertisers you’ve interacted with” interesting because I only found two that I remember interacting with. Keep in mind this only disables Facebook tracking. Other marketing companies will still be able to present you with targeted ads. In short, your browser habits are under continuous surveillance. I’ll write more about how to avoid this surveillance in a future post.

Although Scribbles has its shortcomings, it does have a place in the anti-leaking arsenal. However, if the intelligence agencies want to control online-enabled leaking, they have far more powerful cyber tools at their disposal. In fact, if you were an intelligence agency employee attempting to leak information via online channels, you would have to be insane, suicidal, or simply ignorant to try this route. The only way to do so without getting caught would be to work in collusion with a hacker or with those in control of the network.

In a previous article, I pointed out that employees could, in cooperation with a hacker, ‘accidentally’ open a bad attachment, click on a bad link, or visit a compromised website. All of these could allow a hacker onto a network where they could just happen to find documents that they could leak to the media or other agencies.

Those in control of securing a network could be in a position to leak information by circumventing the very safeguards they have put in place. They could do this either directly or by allowing certain individuals on a network to leak documents undetected. I’m not saying that anyone would do this, only that this is the only way that a leak could occur without being detected by the wealth of cyber tools the intelligence agencies have at their disposal.

Still, the best way to leak is by smuggling the information out on a USB or SD card a la Snowden. This would require the leaker to disconnect from the network in order to download sensitive data without raising suspicion. Again, collusion with network administrators could help in this endeavor.

However, there is another angle to using programs like Scribbles which cannot be overlooked. Imagine that an intelligence agency wanted to infiltrate a whistleblower network. They could pose as a leaker and send tracking documents to that site. The documents could be used to map the network and find potential vulnerabilities that could be used in a more sophisticated malware attack later on. The agencies could set up spyware on the whistleblower site that would let them see where leaks are coming from and who the leakers within their agencies were.

In short, it would be difficult to believe that the intelligence agencies could not identify most leak attempts. Leakers are usually motivated to do so for three basic reasons: to achieve financial gain (such as selling secrets to foreign governments or competitors), to affect the political landscape (such as the DNC leaks), or to gain emotional satisfaction (revenge of disgruntled employees or indignation of whistleblowers who feel their employer is engaged in immoral or unethical behavior). For these reasons, I would suspect that most intelligence agency employees are subject to surveillance in their personal lives as well as their working lives. Such a project, known as the ACES project, was proposed by James Clapper in 2014. “What we need is a system of continuous evaluation where when someone is in the system and they’re cleared initially, then we have a way of monitoring their behavior, both their electronic behavior on the job as well as off the job.” I’m not sure if this system has been formally put in place but, informally…who knows. So do the intelligence agencies know the source of their leaks? You be the judge.

3 thoughts on “Scribbles: the CIA Document Tracking Program that Uncovers Leakers”

  1. Any leaker should know that blue dye can be embedded not just in the embedded pictures (which can be removed through graphic editing programs, etc.) but into the text itself (I bet Three Letter Agencies employ quite a bunch of linguists who help them to develop invisible watermarks through specific placement of words, syllables and letters into classified texts). So by leaking a particular version of a document a mole had access to, he or she can leave fingerprints just by presenting her very own version of the document. There is more than one way to protect secrets, or at least find the traitors…


    1. True, my guess is the original watermark is totally invisible to anyone wanting to leak a document. There may be formatting protocols within an agency that force the document creator to unwittingly add the tracker, such as requiring that all agency documents include the agency logo.

