
Secret Code in Color Printers Lets Government Track You (2005) - walterbell
https://www.eff.org/press/archives/2005/10/16
======
datashovel
um, looks like this is a repost of something by EFF 10 years ago?

[https://www.eff.org/press/archives/2005/10/16](https://www.eff.org/press/archives/2005/10/16)

~~~
dang
Wow, good catch. That's astonishingly bad.

Url changed from [http://www.net-
security.org/secworld.php?id=18995](http://www.net-
security.org/secworld.php?id=18995). Should we ban that site?

~~~
datashovel
My personal thought on that is I would. Especially for repeat offenders.
Though I can imagine something like that can quickly become a game of cat and
mouse. But what I bet those sorts of sites don't have is the resources to
compete against a crowd-sourced effort to keep those sorts of sites off HN.
Not that people would be looking for offenders while browsing stories, but
it's likely with awareness people would take time to verify unfamiliar sources
that are submitted to the site. At least it forces owners of sites like that
to scramble if they realize they can no longer get the clicks they used to get
from HN. Especially the ones who are just spamming content in order to
generate clicks.

It appears there have been a lot of submissions for that site in the past, so
if they're a repeat offender it would probably be easy to extract that info.

You guys probably have a treasure trove of data where you could probably
extract some of the more obvious offenders pretty easily. Cross referencing
submissions by specific individuals for specific domains, etc. Though I
imagine there would be plenty of false positives...

Also, just a thought, I would suggest that the warning message to submitter
(if they tried to submit new URLs from banned domains) would be that the site
has a history of plagiarism. That way they would probably do additional work
to find the original (or more original) link than the one on that site. Also
that way in case a site owner wanted to object they would know the reasoning
behind the ban.

I know HN has been around a long time so I am probably re-hashing some of the
things you've already got in place, but figured I'd put some thoughts out
there in case you guys didn't already have something in place.

Would you suggest reporting these sorts of things via email in general?

~~~
dang
Thanks for the input. Yes, please definitely report anything like this via
email. That's the only reason we found out about this—another user wrote and
suggested changing the link.

~~~
datashovel
I wasn't 100% sure of the etiquette when something like that comes up. I
posted to the thread earlier, but no one definitively told me that's how I
should handle it. I will make a note for future reference.

BTW, I've been going through a number of that domain's links here just a
little while ago and saw most of the stories from that site are cross-posted
on many other domains. It's almost as if there are so many cross-posts on some
of those stories Google can't easily point me to a more "definitive" source.
Instead there are just pages of links to unrecognizable domains that are all
probably doing the same thing.

------
narrator
There is an enormous amount of effort put into _pre-emptive_ control of the
capabilities of technology. Basically, banning or regulating technology based
on what someone _might_ do with it. If you start to look for examples of it,
they start popping up all over the place. The justification of invading
countries based on their potential access to WMDs is probably the most severe
example of this being a principal preoccupation of governments. Drone
regulations are the latest installment of this technological control
obsession. A large amount of the tangentially political stuff posted to Hacker
News is a variant on this theme. The encryption, drug, DRM and gun debate are
regular battlegrounds for this _pre-emptive_ technological control issue. It's
weird that people don't recognize the common thread running through all these
issues.

~~~
roel_v
Not sure what you're saying - should we wait until people start doing bad
things that will obviously happen, and then scramble to control it after the
fact?

~~~
jacquesm
In a word: yes. It's the basis of much of our law, innocent until proven
guilty and this applies on a personal level as well as it does on a larger
scale. When it comes to counterfeiting, nuclear weapons, terrorist attacks and
child pornography you could definitely make a case for prevention. And all
these are 'bad things that will obviously happen' given human nature being
what it is.

The problem is that once you do everything becomes couched in exactly those
terms and so you end up with a whole bunch of 'thoughtcrime' which otherwise
for the most part likely would not have come to harm, as well as artificial
limitations to technology because - insert favorite bogeyman here.

Policing is like being a janitor, bad stuff happens (anyway, no matter how
much you try to prevent it) and needs to be taken care of after the fact and
you can't make this easier without treading on the rights of the non-
criminals.

Another angle is that prevention can never be proven, you can _say_ that you
have prevented 1000 terrorist attacks last year but you can't prove that any
of them would have come to pass.

What you can prove is which ones you did not manage to prevent.

So the metric should be 'solved cases' rather than prevented cases.

~~~
mahranch
> It's the basis of much of our law, innocent until proven guilty and this
> applies on a personal level as well as it does on a larger scale.

It's also the basis for much of our laws to preemptively tackle many potential
problems and to stop them before they occur. Examples include everything from
environmental regulations to corporate anti-trust laws, to work-place &
consumer safety laws, food safety laws, and the list goes on...

 _People_ are innocent until proven guilty of a crime but that doesn't mean we
can't or shouldn't limit the most abused & risky offenses before they occur.
We can't trust people to do what's right - 6 thousand years of human history
has shown us that people will always, _always_ remain corruptible and
inherently selfish. Expecting people to do "the right thing" is one of the
most naive sentiments someone can hold. Some will, sure, but the system,
society itself relies on _everyone_ doing the right thing (all the time) and
that's just impossible. All it takes is one bad actor to spoil it for everyone
else, and I'm sorry, but there will always be a bad actor so that's why these
kinds of laws, regulations and protections are needed.

~~~
jacquesm
> It's also the basis for much of our laws to preemptively tackle many
> potential problems and to stop them before they occur.

Yes, we do this in most cases by declaring some kind of framework within which
we all at least should try to conform (assuming the framework makes sense, if
not there is always civil disobedience and ultimately things like
revolutions).

> Examples include everything from environmental regulations to corporate
> anti-trust laws, to work-place & consumer safety laws, food safety laws, and
> the list goes on...

Yes, those are all in terms of 'do's and don'ts', they're not in terms of
'every cook is legally required to sprinkle some DNA on the food so that it
can be traced back to the cook in case they mess up'. And that's roughly what
the technology under discussion here is doing.

> People are innocent until proven guilty of a crime but that doesn't mean we
> can't or shouldn't limit the most abused & risky offenses before they occur.

The most abused and risky offenses can't be limited before they occur. We can
try but as soon as it declares _everybody_ under suspicion before they've even
done anything wrong a line has been crossed that I personally believe should
not be crossed.

For instance: preventing murder is impossible, preventing robbery is
impossible, preventing terrorism is impossible. Any one of those can be
perpetrated by single individuals with relatively little in terms of education
or preparation. If you want to limit them effectively you're going to have to
drastically change the nature of our society, which is something I object to.

> We can't trust people to do what's right - 6 thousand years of human history
> has shown us that people will always, always remain corruptible and
> inherently selfish.

Precisely. And no amount of 'prevention' will change that.

> Expecting people to do "the right thing" is one of the most naive sentiments
> someone can hold.

I don't hold that sentiment at all, on the contrary, I think people will do
'wrong' no matter what and that preventing a few from doing wrong by imposing
measures on the rest is the wrong way to solve this problem.

> Some will, sure, but the system, society itself relies on everyone doing the
> right thing (all the time) and that's just impossible.

Precisely.

> All it takes is one bad actor to spoil it for everyone else, and I'm sorry,
> but there will always be a bad actor so that's why these kinds of laws,
> regulations and protections are needed.

No, that's exactly why they're _not_ needed. You can't prevent those things,
period, get used to it and adapt because no matter how many idiotic technical
measures are adapted there will (1) be ways around it and (2) it won't stop
those determined enough to go down that route in the first place but it _will_
inconvenience / trample rights / disenfranchise everybody else.

~~~
mahranch
> No, that's exactly why they're not needed. You can't prevent those things,
> period, get used to it and adapt because no matter how many idiotic
> technical measures

So your logic is that since people will do it anyways, we don't need the laws?
Do you have any idea how that sounds from a logic standpoint? "People will
always murder other people, so the laws on murder are useless. Let's get rid
of them".

What kind of logic is that?

> but it will inconvenience / trample rights / disenfranchise everybody else.

Yeah, just like the laws regarding food safety inconvenience the people in the
industry. " _Making sure our food doesn 't have salmonella before we ship it
to our retailers is such an inconvenience! We should do away with those
regulations._"

I'm sorry, but you're beginning to regurgitate libertarian nonsense. There's a
reason why libertarianism never made it out of the 1800s. It's because it's an
old-fashioned ideology for an old-fashioned world. It would never work in
today's globalized world. Hell, it never worked period ...the fact it hasn't
persisted is proof enough.

------
monopolemagnet
This has been known for over a decade.

[http://seeingyellow.com/](http://seeingyellow.com/)

[https://en.wikipedia.org/wiki/Printer_steganography](https://en.wikipedia.org/wiki/Printer_steganography)

Anything printed on most (but not all) color printer can be traced back to the
printer on which it was printed (serial number) and often date stamp as well.

[https://www.eff.org/pages/list-printers-which-do-or-do-
not-d...](https://www.eff.org/pages/list-printers-which-do-or-do-not-display-
tracking-dots)

Furthermore, most image editing programs and many scanners and copiers often
refuse to capture currency because of microprinted circles.

[https://freedom-to-tinker.com/blog/felten/photoshop-and-
curr...](https://freedom-to-tinker.com/blog/felten/photoshop-and-currency/)

[http://www.cl.cam.ac.uk/~mgk25/eurion.pdf](http://www.cl.cam.ac.uk/~mgk25/eurion.pdf)

[http://www.rulesforuse.org/pub/index.php?lang=en](http://www.rulesforuse.org/pub/index.php?lang=en)

(note: official US currency images have link-rotted away)

~~~
schoen
The EURion pattern, with the circles, isn't exactly "microprinting" \-- you
can see it quite clearly without magnification on a lot of currencies. But
there is also the later Digimarc system, and we don't know exactly how it
works. Maybe somebody will reverse engineer the detection software.

Edit: as I noted on the list of printers page, we think that newer printers
are also doing something that we can't see, possibly based on perturbing
dithering algorithms so that the dithering is different from printer to
printer in a distinctive way. So when we didn't see yellow dots from newer
printers, that doesn't necessarily mean that they aren't printing tracking
codes. The reasons for thinking that tracking codes became more pervasive in
newer printer models rather than being phased out are suggestions in documents
obtained via FOIA, and rumors from people who worked in the industry.

~~~
jacquesm
Sounds like it is time to buy a printer, rip it apart and document the
firmware after reverse assembling it.

~~~
davelnewton
"Reverse assembling" == "disassembling"

~~~
jacquesm
Reverse engineer, apologies. The idea is to gain understanding, not simply to
get a disassembly (that's an automated process and a 1:1 correspondence
between binary and assembly code remains).

The harder part is to figure out what it all does.

------
sliken
What's worse is that some printers won't print black and white because yellow
is missing. Can't have the tracking missing I guess. I guess you could fill
the yellow tank with black ink and them add some noise.

------
parent5446
The question I've been posing, but can't seem to find an answer: is there any
way around this? Are there brands we know don't have these? Do all types of
printers have them, or just some? Do we have to go back to dot matrix
printers? (Just kidding on the last one.)

------
MichaelMoser123
it was the same with typewriters; one could track the exact typewriter model
by patterns on the printed text.

In the Soviet Union and other communist countries the state security service
would have samples of the print on all typewriters in the country. So they had
the ability to track the typewriter if you would get an idea to write a flier
or manuscript against the government. (In the movie 'The lives of others' they
had a Stasi man who could identify all typewriters in east germany)

Now i thought that that was all due to the paranoid nature of Stalinism; it
never appeared to me that western typewriters could also be identified by
their type and that this was probably an intended feature, not just a bug. Now
the same principle was later applied to laser printers ...

~~~
numeromancer
Such tracking was famously used in the Alger Hiss case:

[https://en.wikipedia.org/wiki/Alger_Hiss#Fake_typewriter_hyp...](https://en.wikipedia.org/wiki/Alger_Hiss#Fake_typewriter_hypothesis)

------
waterlesscloud
I had a friend who got a visit from the Secret Service a couple decades ago
because of this. He's a friend, so I didn't press him on what happened, but
this sort of thing isn't at all new.

~~~
jjoonathan
Are you suggesting that lack of novelty is a reason why we shouldn't discuss
it or shouldn't be concerned about it?

~~~
jacquesm
He _is_ discussing it and contributes the fact that this has been going on for
some time without any push to shut down the discussion or to decrease your
concern. It's simply a fact added to the pile.

------
reustle
Can software add tiny random yellow dots to a page before printing to reduce
the ability to track the printer?

~~~
suneilp
I'm certain thats doable, but is there a guarantee that the watermark is in a
fixed location? I would think the software would adjust placement to avoid
being drowned out by blocks of yellow, etc.

~~~
soylentcola
Additionally, if the tracking dots use a specific shade of yellow, they could
identify others that aren't the same shade. Still, I guess you could test the
shading or placement theory easily with several printed examples.

------
suneilp
Does this count as a breach of contract in the sense that we're not getting
what we paid for in a product that doesn't do it's job as advertised?

~~~
schoen
The tracking mechanisms are often disclosed in product documentation, though
maybe not by all manufacturers.

These are a great example of what Benjamin Mako Hill has called
"antifeatures".

[http://wiki.mako.cc/Antifeatures](http://wiki.mako.cc/Antifeatures)

(The original definition is "functionality that a technology developer will
charge users to _not_ include", but that might suggest that a product version
without the antifeature is always available, which is not necessarily true,
especially for DRM and surveillance-related antifeatures. A more general
definition might be a product feature that required a deliberate effort on the
manufacturer's part to include and that users view as decreasing the product's
value.)

------
raincom
A serial killer was found based on the secret code on copied made by a copier
at some library in the states.

~~~
pibefision
is this true?

~~~
mikeyouse
There were rumors that they caught the BTK killer due to the hidden printer
dots at the church where he served, but it was actually meta data left on the
floppy disc that did him in...

[http://www.theatlantic.com/technology/archive/2014/01/the-
fl...](http://www.theatlantic.com/technology/archive/2014/01/the-floppy-did-
me-in/283132/)

~~~
z3t4
"They also found that the disk had been used at the Christ Lutheran Church and
the Park City library."

“It’s pretty basic stuff,” Landwehr says about the reconstruction of the
deleted information. “Anybody who knows anything about computers could figure
it out.”

So how did the disk save the church info??

~~~
mikeyouse
I did a few second search and it looks like he deleted a file (which is easily
recoverable if the disk wasn't intentionally rewritten several times to
prevent it) and it was a Microsoft Word file that had been edited by "Dennis"
on a computer belonging to "Christ Lutheran Church". There are dozens of
services that will recover lost data for you today on SD Cards or Hard
Drives.. the FBI surely had that capability.

------
strictnein
> "But we believe that other models from other manufacturers include the same
> personally identifiable information in their tracking dots"

Kind of a stretch to call that PII. It's not the user's name, address, phone
number, email address, or anything else normally identified as PII.

------
mirimir
Do inkjet printers do this?

