How Xerox, Google, and The Intercept Exposed an Anonymous NSA Document Leaker

The ironically named Reality Winner was not one. Reality bites. It bites any anonymous leaker from any government agency who may be naïve enough to believe that their anonymity will be guaranteed. Likely motivated by her desire to expose Russian connections to “a soulless, ginger orangutan” (a.k.a. Donald Trump), Reality Winner sought out and leaked a document that she probably thought would achieve this end. Sadly for her, she only exposed her connections to the leaked document.

Winner began working for NSA contractor, Pluribus International Corporation, shortly after Trump was inaugurated. Winner is a vegetarian weightlifter and an environmental activist who supported Bernie Sanders.


When Trump approved construction of the Keystone/Dakota Pipelines, Winner wrote on Twitter, “Repeat after me: In the United States of America, in the year 2017, access to clean, fresh, water is not a right, but a privilege based off one’s socio-economic status. If that didn’t feel good to say aloud, contact your senators today and tell them those exact words as to why the Keystone XL and Dakota Access pipelines cannot be built on American soil. Let’s fix the pipes meant to bring water, sans lead or pollutants, to our citizens before we build pipes meant to benefit big oil and poison the land.”

No doubt Trump’s June 1st withdrawal from the Paris Climate Accord further fueled Reality’s pro-environmental flames. Coincidentally, it was on that same day that the FBI was notified by the NSA that someone had leaked a top secret document to the online news outlet, The Intercept.  The Intercept had informed the NSA that it was in possession of a top secret document that they were going to release. They gave the NSA a copy of this report in order for them to verify its authenticity. The Intercept seems to have naively believed that they were not compromising the anonymity of the leaker by doing this. That was a mistake.

Many new printers print nearly invisible yellow dots on any document it prints. The dots and the pattern they create can be used to identify the type of printer, the model number, the serial number of the actual printer used, and the precise time the document was printed. Any scanned document, like the one Winner sent to The Intercept and The Intercept sent the NSA, would contain these dots.

Here are a series of pictures which show these dots on the leaked NSA document and the pattern they created. To show what these dots are like and how they can be used, I created the images below. The first image shows the upper left hand corner of the original document, which is already magnified to some degree; yet, no obvious yellow dots (or pixels) are evident, at least to my eye. (The encircled area shows where the dots exist and indicates the area which will be subsequently magnified.)

the yellow dots


I then magnified the above image to 600% and, perhaps, some sharp-eyed readers can begin to see a few faint yellow areas.

dots 600x

However, to really see these dots, I had to increase color saturation. So, at 600% magnification, with color saturation, here is what the dots looked like on the NSA document.

dots saturation

The complete pattern with the decoded information it includes is shown in the following image. (For more information on hidden document codes visit the EFF website.)

leaked document pattern

I have since confirmed that the pattern persists even when the document is copied into another program, such as Word, or onto other websites.

So The Intercept, in effect, told the FBI that one of the 4,000 employees at Pluribus International Corporation, Georgia, printed this document on a specific printer with the above serial number at 6:20am on May 9th. At 6:20am? That, in itself, should limit the number of people who could have done this. In the end, it was found that only six people had printed out this report. This pretty much outed poor Reality.

This top secret report was first published four days earlier on May 5th, so Reality was, in my opinion, either tipped off on its existence or was diligently conducting ongoing searches for incriminating documents. In short, she had an agenda. In any event, according to the affidavit, the six people who printed this document had their company computers investigated. Among them, only one, Winner, had had email contact with The Intercept.

Interestingly, Winner did not use the company email for this contact but her Gmail account. She probably thought that this would be safer. This was a mistake. The company likely monitors all emails going through its systems. It was simply a matter of searching their database for any communication with The Intercept. Yes, the communication was innocent, (she wanted a transcript of a podcast) but it showed she was at least aware of the news outlet’s existence.

However, this alone would not be enough to arrest her. It is possible the company had a keylogger installed on all of its computers, so they may have had a record of her Gmail password which they could use to access her account. This would allow them to see if she had any other further correspondence with The Intercept from computers outside the company.  However, if they did this, the company would be in danger of committing a criminal act.

Thus, it is likely that the FBI will have to ask Google for access to Winner’s Gmail account. Will Google give this information to them? If you have to ask this question, see my last post on Google tracking and privacy. Google will almost always give access to user accounts when government agencies request it.  Although Google claims that it carefully reviews all such requests before allowing government agencies to access an account, in truth, they will only rarely refuse to do so. If it is found that Winner had further correspondence with The Intercept via her Gmail account, this would be the conclusive evidence that the government would need to convict her. It will be interesting to see how this aspect of the case develops.

The Intercept further implicated Winner when one of its reporters contacted an inside informant at the NSA who later contacted the FBI. So much for trusted sources. The affidavit states the belief that Winner may have communicated with The Intercept in other ways and that evidence of such communication, or of the documents themselves, may be found on her home computer or other devices.

When contacted on June 3rd, “Winner admitted intentionally identifying and printing the classified intelligence reporting at issue despite not having a ‘need to know,’ and with knowledge that the intelligence reporting was classified. Winner further admitted removing the classified intelligence reporting from her office space, retaining it, and mailing it from Augusta, Georgia, to the News Outlet, which she knew was not authorized to receive or possess the documents. Winner further acknowledged that she was aware of the contents of the intelligence reporting and that she knew the contents of the reporting could be used to the injury of the United States and to the advantage of a foreign nation.”

It is no surprise that Winner confessed when she was confronted with the above evidence. However, she has subsequently pleaded not guilty, which is somewhat baffling. More baffling is the fact that the government did not interfere with The Intercept publishing this top secret document two days later on June 5th. Interestingly, the announcement of Winner’s arrest followed within hours of the document’s publication. This made it  appear, perhaps intentionally, that The Intercept was not a viable outlet to send a leak to. Wikileak’s Julian Assange lambasted the unprofessional conduct of the outlet and offered a $10,000 reward for information “leading to the public exposure & termination” of the reporter. Assange had no choice but to take this action because those publishers who do not protect their sources cast a shadow on all leak platforms.

The bottom line here is that Winner will be made an example of to deter potential leakers from misusing their access to secret information in the hope of affecting the political landscape. Making leaking platforms look unstable will also make those with access to sensitive information think twice before giving this information to leak publishing organizations. In short, leakers should only do so with the full expectation that they will likely be caught. If they truly believe that their actions have a moral value that supersedes any penalty they may have to pay, then nothing the government does to Reality will stop them.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s