How tech sleuths cracked the mysterious code that turns your printer into a spying tool



by Derek Hawkins


You wouldn’t have noticed it unless you knew where — and how — to look, but the top-secret National Security Agency document leaked to the Intercept and published recently contained a clue that may have led authorities to its source.


Spread throughout the pages were barely visible yellow dots, each less than a millimeter in diameter, repeated over and over in the same rectangular pattern. You could see them by zooming in on the pages and adjusting the color. Or, if you had the original printed papers, you could have inspected them with a magnifying glass and a blue LED light.


They're called tracking dots or microdots. Nearly every color printer on the market is equipped with a feature that covertly prints them. They mark every page that comes out of a printer with a serial number, date and time that can be interpreted using a simple cipher. Printer manufacturers are not required to tell customers the feature exists.


Although the FBI has signaled otherwise, some experts have speculated that such dots may have helped investigators track down and arrest Reality Leigh Winner, the government contractor who was charged this week with leaking the NSA’s highly classified report.




Printer manufacturers have used the dots in some form or another for decades, but they were only revealed to the public fairly recently, when privacy advocates and cybersecurity researchers took notice. PC World was among the first publications to bring them to light.


In a 2004 article in the magazine, a senior researcher at Xerox named Peter Crean described the hidden markings in detail. The technology had been developed about 20 years before, he said, to allay government officials’ fears that copy machines could be used to counterfeit money or forge documents. Xerox created an in-house encoding system and agreed to share information about it with authorities. Other companies followed suit.


A counterfeiting specialist with the U.S. Secret Service told PC World at the time that authorities used the tracking dots only when investigating a criminal act.


But privacy advocates were not satisfied. “That type of assurance doesn’t really assure me at all, unless there’s some type of statute,” a lawyer for the Center for Democracy and Technology told PC World. “At a bare minimum, there needs to be a notice to consumers.”


The magazine added: “If the practice disturbs you, don’t bother trying to disable the encoding mechanism — you’ll probably just break your printer.”


People knew the dots were there, but how to read them remained a mystery.


Then, in October 2005, about a year after PC World’s story, a research team led by the Electronic Frontier Foundation cracked the code for one printer, the Xerox DocuColor. A technologist from the advocacy group, along with an intern and two volunteers, compared the dots on a series of test printouts submitted by supporters. They quickly deduced how to read the pattern.


As expected, the dots indicated the date and time a page was printed, as well as the printer’s serial number. The foundation then installed a decoder program on its website that the public could use, and started publishing running lists of printers that did or did not display the dots.


“It’s disturbing that something on this scale, with so many privacy implications, happened with such a tiny amount of publicity,” EFF staff technologist Seth Schoen told The Washington Post at the time.


Up to that point, EFF said, only the Secret Service and printer manufacturers had known how to decipher the code. The organization warned that the “anonymity of simple paper documents” could be eroded, saying no laws barred the government from abusing the information conveyed by the dots.


“This technology makes it easier for governments to find dissenters,” EFF Senior Staff Attorney Lee Tien said. “Even worse, it shows how the government and private industry make backroom deals to weaken our privacy by compromising everyday equipment like printers.”


After EFF made its announcement, the Secret Service again acknowledged the existence of the dots but dismissed privacy concerns.


“It’s strictly a countermeasure to prevent illegal activity specific to counterfeiting,” a spokesman told The Post. “It’s to protect our currency and to protect people’s hard-earned money.”


It soon became clear that hundreds of commercial printers used the tracking dots. By 2015, EFF said it learned through Freedom of Information Act requests that all major manufacturers of color laser printers had likely reached a “secret agreement with governments to ensure that the output of those printers is forensically traceable.”


Authorities have not said whether the yellow dots on the pages of the NSA document leaked to the Intercept helped lead them to Reality Winner. If anything, court documents suggest that the FBI traced the leak back to her using other means, including computer logs. But cybersecurity experts said finding whoever printed the document would have been an easy task using the tracking dots.


According to court records, the Intercept received a printed version of the NSA report in the mail. The Intercept said it came from an anonymous source. The document, which described Russian hacking efforts in the 2016 election, appeared on the Intercept website as a PDF.


The dot pattern from the leaked NSA document as it appears entered into the Electronic Frontier Foundation’s decoder tool. (The Washington Post)


Ted Han, a developer at DocumentCloud, was one of the first people to post about the yellow dots on Twitter.


“Zooming in on the document, they were pretty obvious,” Han told the BBC this week. “It is interesting and notable that this stuff is out there.”


In a widely circulated post Monday on the blog Errata Security, Robert Graham demonstrated how to decode the dots on the NSA document by inverting the colors to make them more visible and flipping the document upside-down. Using the EFF’s decoder tool, he found that the document came from a printer with model number 54, serial number 29535218, and was printed on May 9, 2017, at 6:20 a.m.


Other observers tried it out and got the same result. So did The Post.


EFF responded to the sudden intrigue in a statement on its website Tuesday. The organization was careful to note that printer dots may not have played a role in the leak investigation but said the case offered something of a cautionary tale nevertheless.


“This technology is one way that governments secretly pressured industry to change products to undermine privacy and anonymous speech when the law did not require it,” EFF said. “This should make us all wonder how else the government is working in secret to undermine privacy and speech. We should insist that companies be transparent about how government requests have affected the design of the products we use, since those designs can have profound implications.”


Derek Hawkins is a reporter with The Washington Post's Morning Mix.