They didn't even need the yellow dots. She literally emailed the Intercept from her work email and was one of a trivial number of people who'd printed it in the first place.
This was a significant clue that The Intercept did not have to give up. The warrant says they looked at all people who had accessed the report, and because the document appeared to have been printed, then at those 6 who printed it.
The yellow dots might have not been a factor, but it's nevertheless the same type of carelessness which might have exposed a whistleblower otherwise.
(But yes, this whistleblower would have been discovered by other means as well).
2. The story about only six printouts and e-mail correspondence is the official cover to draw public attention away from the yellow dots.
3. The yellow dots is how they actually found her and why she had no reasonable choice but to admit leaking, which allowed 1 to happen without drawing attention to the yellow dots.
While I didn't make my first year of law school I feel like nearly every criminal defense attorney in this country would disagree with this statement.
If some random journalist was able to decode the dots, the NSA probably decoded them too because why not.
The fact that they know how many people printed this document shows that they keep detailed printing logs so they shouldn't have trouble finding out who exactly used this specific printer at this specific time. And if you think about it, this is exactly what they should be doing instead of relying solely on weaker evidence.
Then they searched her work computer and got some more evidence (the e-mail contact, maybe more they aren't sharing).
They presented whatever evidence was sufficient to convince her and the public that they know it was her, she doesn't seem very tech-savvy, freaked out, told everything and now it's done.
actually, since the dots are not at all a secret, #3 cant be right. #2 is a bold claim, obviously pure speculation. So #1, is this true? please link source.
I read another article that stated her admission came while the feds were raiding her home.
Assuming The Intercept detected the printer dot, how could they possibly know the printer dot wasn't some random one from a printer a library vs her work computer?
If I was The Intercept receiving a document from someone claiming to be an intelligence officer I would assume they used some very basic OPSEC - such as not printing the document out on a MONITORED WORK COMPUTER. This is basic stuff.
I don't see what more The Intercept could have done here to protect her.
She messed up, not them.
What matters is that if she had not made any mistakes the intercept made it trivially easy to reduce the pool of possible suspects. That´s fairly stupid if your whole reason for existence is to handle documents sent to you by vulnerable people.
If this is not the last article by the Intercept based on stuff leaked to them it would highly surprise me.
They totally messed this up.
Still I don't see how the Intercept could have handled this better. Maybe they should have been looking for printer dots in documents received in the mail and then block it out when they digitize it. But is this really a common practice among news orgs handling leaked docs?
I see people on Reddit attacking The Intercept because, they say, the printer dot thing is 'common knowledge'. But to me this seems like an easy thing to overlook. Especially if most other leaks were digital. News organizations and leakers will certainly all be looking for this going forward (I hope).
As far as I'm concerned all the 'common knowledge' stuff that was overlooked was all via the leaker.
The intercept could have handled this better by describing the article and maybe a citation or two, to pass the originals back in some form to the government is about as stupid as it gets.
If anything this article shows how easy it is to play 33 bits if you have help from the subject or some outsider that is just doing their job in a ham fisted way.
There's a hell of a lot of capability which comes about through opportunity, chance, and simple dumb luck or repeated attempts to do something. This tends to show up frequently in terror and mass-criminal activities. Simply wanting to accomplish some negative effect, and having general means to do so, is frequently enough, particularly if that threat is underappreciated and/or requires a high degree of vigelance.
There are numerous attacks (water, food, infrastructure) which have been highlighted for decades as potential attack vectors, though they appear not to have been undertaken.
Another possiblity, of course, is that there is constant low-level probing of such attacks, which are lost either at the internal or public-discourse level as noise or accidents. There remain cases -- the San Jose electrical power substation attack via small-arms fire, US military seeding of infectious agents over urban populations, the CIA's attacks on Soviet gas infrastructure via control equipment and Iranian nuclear material refining via stuxnet. In which case, much of the expressed concern of US intelligence agencies is an awareness of their own capabilities, and practices. Other foreign powers have their own history here -- Russian tea, Israeli hotel service, and Chinese messenger service come to mind.
Criticisms of The Intercept are validated, IMO, by the Intercept's own positioning of itself as a safe channel for such leaks, and specific in-house expertise on the matter, Micah Lee.
Even if The Intercept's actions didn't directly contribute to identification or confirmation of Ms. Winner as the source of these documents, the fact that they could have is absolutely material, and represents a massive failure on the part of Intercept staff and procedures.
Other points to consider: people's technological savviness is on general exceedingly poor, and even domain experts are generally only experts within that specific domain. At the level of the general population, only 5-8% of users have "advanced" skills -- which means ability to use such features as "sort" or "find and replace" within a word-processing tool.
This means that an organisation such as The Intercept should focus as a principle priority on protecting its sources against themselves.
Ms. Winner's OpSec was poor on multiple counts. The Intercept amplified those weaknesses.
Finally: Information isn't power, but is a force-multiplier. It may amplify either your strength's or your opponents'. In this case, the question (from the NSA's perspective) was to identify just who it was that might have provided the information in question. Any one individual can be uniquely identified by 33 bits of information. In the NSA's case, most of those bits are already defined by a simple basis of access to information. The documents here had only to discriminate amongst the much smaller set of people -- call it 3-6 bits -- who might have supplied them to The Intercept.
Other lessons are that in previous totalitarian societies, registration of typing and duplicating equipment was routinely used to identify a potential source of documents. Because those determinations were based on fixed characteristics, that was all they could divulge. Today's printers define not only the specific machine, but time, and potentially metadata of the document itself or submitting user.
You might want to reflect on that for a bit.
The Intercept did not encourage her to steal this information, nor did it give her any direction on how to do so. She chose her own method of exfiltrating the data, and in this case it turned out to be an quickly identifiable one. She knew this document was going to be published by the Intercept; that was the entire point of leaking it. Once published, regardless of form, you can bet that the FBI would have agents knocking on the Intercept's door asking to see the physical source material.
Furthermore, In order to prove the veracity of its published claims, the Intercept provides its source documents - if they do not, they simply open themselves up to accusations of fake news and falsified material. Any editing they do to the document will be ammunition for the FAKE NEWS crowd - so where is the compromise here?
Greenwald is not located in the United States for a reason (so good luck knocking on that door), and if they wanted to verify the documents they could have done so with a bit more care.
Assuming the text did not contain steganographic tricks (yes, that works) they could have cited back a few paragraphs and the document title. That would have been enough.
> Greenwald is not located in the United States for a reason (so good luck knocking on that door),
Greenwald has said he moved to Brazil because he wanted to be with his partner and that was the solution that they chose; at the time, one couldn't sponsor an immigrant visa for a same-sex partner in the United States.
This document wasn't reported by Glenn Greenwald, but rather by Matthew Cole, Richard Esposito, Sam Biddle, Ryan Grim, who all appear to live in the United States. Almost all of the Intercept's reporters who report on and publish leaked classified materials live and work in the U.S.
While you have some good points, I think hanging your argument on a 'would' is not really convincing :)
I am trying to come up with a suitable analogy to illustrate how stupid this is. I imagine a WWII intercept of an Enigma message being decoded and the clerk in charge then calling up the German High Command to verify the accuracy of the decoder. It is totally baffling to me that they did this in the way described without for one second thinking about how vulnerable their source was.
Corporate emails sometimes use this trick to catch company leakers.
If only there were like.... some group of people who cared about the privacy of others.
It isn't if they make blunders like this.
PDF page 12, paragraph 19
No, I'm not sure about that, and if they'd made the mistake after having claimed to be safe for whistleblowers I'd be gently complaining about them on an Internet message board too.
I have no idea why people are leaking to rinky-dink operations like the Intercept. If you want to leak, then leak to the Washington Post or New York Times. I can't imagine the Intercept having the expertise to handle such documents. This was a fairly obvious screw up.
I also question their methods of receiving and storing such documents and if they aren't compromised by one or more nation state intelligence services. Are these documents being stored through a third party email or web server? Is there end-to-end encryption?
The copier explanation may be a believable fiction as not to reveal other sources.
Personally I would trust them MUCH more than the New York Times. Well, unless the documents were specifically only damaging to Trump.
Snowden anonymously sent him an e-mail saying he had documents he wanted to share, and followed that up with a step-by-step guide on how to encrypt communications, which Greenwald ignored. Snowden then sent a link to an encryption video, also to no avail.
“It’s really annoying and complicated, the encryption software,” Greenwald said as we sat on his porch during a tropical drizzle. “He kept harassing me, but at some point he just got frustrated, so he went to Laura.”
From another source  I cited in another comment:
"it took Greenwald several more months and help from experts before he could learn relatively basic tools like PGP encryption."
That's not exactly trust-inspiring, I'd say.
2. It makes clear that providing better channels to enable legitimate whistleblowers to find a publication channel was critically important.
3. It's exceedingly easy for anyone to ignore a critical insight -- whether it's some annoying anonymous leaker, or an odd set of lab results, monitoring readings, etc. Those insights are critical in large part because they fall outside norms and expectations. (This is, generally, a major block to creativity.)
4. There are a lot of contacts which aren't of mind-blowing significance. Filtering the noise is another problem.
5. Greenwald and The Intercept were specifically created to address these shortcomings. Among The Intercept's staff is Micah Lee, technologist with the EFF. (I've pinged Lee on Mastodon over the Intercept's gross failure here -- it is a massive fuckup.)
It shows that Greenwald's association with the Intercept cannot be used to imply that it practices good security.
And, more broadly, citing his pre-Snowden behavior seems unreasonable. For literally all people, there was a point where they didn't know PGP, and another point where they were confused and just learning to use it. If you trust their current knowledge of it, that's hardly a serious criticism.
As I read you, you did not say that Greenwald's association with The Intercept implies it is insecure. You did say that Greenwald's delays in adopting PGP mean "that Greenwald's association with the Intercept cannot be used to imply that it practices good security".
I didn't miss that distinction, but I'm making a stronger assertion - I think his presence does (weakly) imply good security. I think that "Greenwald's association... cannot be used to imply" is false.
If we're resorting to logic for this, you're suggesting that Greenwald's presence should not raise our expectation of good security (which is, as you point out, different than saying it should lower our expectation). I'm saying that it should raise that expectation, so we really do disagree.
It's possible for someone, without a specific talent X, to create an institution to ensure proper application of some talent X, when the need for competent execution of X makes itself apparent.
Again: you're not arguing a relevant point, despite the truth value of your statements. This is an irrelevant discussion.
But that's how I, and apparently others, read the grandparent's argument.
The grandparent made a personal statement about trust in The Intercept, and did not really substantiate this trust other than by mentioning two key players.
> It's possible for someone, without a specific talent X, to create an institution to ensure proper application of some talent X
I fully agree -- one need only think of huge conglomerates who manufacture everything from light bulbs MRI machines to aircraft engines, to use GE as an example.
> when the need for competent execution of X makes itself apparent.
And therein lies one problem as I see it: it has to make itself apparent to the creator (resp. leader).
Because the converse is also true: It's possible for someone, without a specific talent X, to create an institution which fails ensure proper application of some talent X.
From another comment, we seem to agree that there should absolutely have been policies and procedures in place that should have prevented this mess in the first place.
I posit that this is one of the things that should have been apparent from the start (as preserving anonymity is crucial to The Intercept's cause), yet most probably weren't.
The following arguments you make, here, are actually pretty good. The one you you'd lead with was poor, as I've already addressed.
I'd especially like to emphasise your point on the failure of good intentions. That's highly salient, and something that should probably be kept generally in mind with tech startups -- many of which seem to sprout like mushrooms from the dark and ... fecund substrata of Silicon Valley and YC ... and yet fall short of their respective putative aiming points.
(That The Intercept can trace its roots to start-up culture may also be relevant here, through Omidyar.)
The interesting (and troubling) part of this story is that it involves four members of the staff, working together, none of whom is named "Glen Greenwald", and presumably with the technical support of Micah Lee. And yet we've still seen what we've seen.
Definitely room for improvement.
But it's still a bit rich to pin the fault on Greenwald specifically, and pre-Intercept Greenwald especially.
Uh, I suggest you read about how poorly he handled the Snowden materials and how he's about as tech savvy as my grandpa. This fuck-up alone is inexcusable.
That's a mistake I think most security-conscious, tech-savvy non-professionals would avoid. The printer steganography here is a substantially more subtle error than the one we already say the NYT commit.
This is something that can be learned with a few minutes research, so raising it as "questioning their methods" seems like FUD.
The answer is yes, there is end-to-end encryption handled via Tor. Using SecureDrop, the same tool as the Washington Post and New York Times. Treating that as some kind of distinction between these organizations is absurd.
Fourth possibility: that the NSA did use the forensic marks in question to identify her, and fabricated a parallel construction in order to avoid acknowledging the existence of said marks.
(But still, most likely this is Hanlon's Razor. What's there to be suspicious about?)
Not likely. It's been common knowledge for a long time.
The big Wikipedias have long articles on it with many sample images: https://de.wikipedia.org/wiki/Machine_Identification_Code https://en.wikipedia.org/wiki/Printer_steganography
If you need to fax one, you'll need to find a really old fax machine without color printer or scanner capability.
Secondly, often assuming just a tiny bit of malice can account for layers and layers of stupidity. Occam's razor is sharper :)
I think it is a good thing; truth is discovered in the clash of opposing forces.
Six: she was a weak security link and someone used her access details without permission.
This is a true story from the book Freakonomics . Reality Winner could be a real person.
The way politics are now I'd believe anything at this point.
so yes, there is at least circumstantial evidence this was not a "real" thing that happened. either a plant or make believe
The problem is inadequate access control to classified materials. There tends to be a lot of information that people can access without a need to know, that is not rigorously tracked and locked down. This means that someone looking to steal or leak can get their hands on a lot of stuff they shouldn't without raising suspicions if they're not stupid about it.
The reason we may be seeing a number of spillage incidents with contractors is simply because there a lot of contractors working at government agencies. In IT a lot of the time contractors outnumber government people by a significant margin.
> Some 1,271 government organizations and 1,931 private companies work on programs related to counterterrorism, homeland security and intelligence in about 10,000 locations across the United States.
> An estimated 854,000 people, nearly 1.5 times as many people as live in Washington, D.C., hold top-secret security clearances.
> Analysts who make sense of documents and conversations obtained by foreign and domestic spying share their judgment by publishing 50,000 intelligence reports each year - a volume so large that many are routinely ignored.
What is suspicious about it?
This isn't 4chan. Present some evidence but don't just make up random speculation that "could have happened".
I mean it's possible to come up with elaborate theories, but the most likely explanation is that she was just spectacularly stupid.
or she intended to become a martyr
I'm not sure being this dumb is going to get much sympathy from anyone.
Could she and should she have taken better precautions, without a doubt. Would the average intelligence analyst who is not being coached by a foreign power do a better job, I doubt it. In fact many foreign spies have done a far worst job and not been caught immediately. This is because the intelligence they stole was not published. Being a source of a journalist is much harder than being a source for a foreign power.
(Kind of annoyed that the derp became the story while the actual leak never made the front page.)
Send some xor-ed file out using a non-secure connection and sneak the key out somehow ?
Take photographs/video using the phone, cold-war style ?
Stray thought: You don't have to sneak a OTP out, you only need to sneak it in. Then you do your XORing, transmit the mangled data, and erase that copy of the key.
This said, it's been reported some contractors and employees routinely took home loads of external drives, so your expectation that IO ports are completely disabled might be unrealistic; the NSA is good but it's just another large org, just a bit more paranoid than average.
Hard drives labeled unclassified can be removed from those facilities with special permission but I think hard drives are under more scrutiny nowadays.
PDF Page 11, Paragraphs 15 and 16
Basically you can't believe any narrative, as the gov can legally put forth anything they can contrive after-the-fact as long as it's plausible.
Bonus points? Any mention of possible COINTEL tactic gets you labeled a conspiracy theorist. A lovely term invented by the CIA that readily dismisses anyone who points out that a COINTEL tactic might be in use. Lucky for them most the general public bought it hook, line, and sinker.
back in the last world war they managed to pull off creating an atom bomb with even the vast majority of people in office knowing about it, today every damn snowflake is looking for their five minutes of fame.
Surely, NSA contractors aren't this stupid ? Something smells.
I did something only somewhat less stupid when I was about that age: http://www.shub-internet.org/brad/cacm92nov.html
"FBI special agent Justin Garrick told a federal court that Winner – a cross-fit fan who graduated high school in 2011 and was in the US Air Force apparently as a linguist – confessed to reading and printing out the document, despite having no permission to do so. "
So, she joined the company 3 months prior, and it was 'permission' rather than enforced access rights that they relied on for new trainees not to color outside of the lines.
It's not about 'permission', it is all about 'capabilities'.
Or Facebook apps, "Yes apps can see your name, dob, email and your friends list, but they are not allowed to abuse this information"... Thanks, I feel secure now.
The NSA's statements aren't "we've lowered risk to an acceptable level, and put in safeguards for when leaks inevitable occur". They're "we're the only ones using this data, so there's no problem". That's provably false several times over.
To continue the metaphor, they didn't buy insurance because they trusted their home security so highly, and lately it's starting to look like they also forgot to lock the door.
So she would have been identified even if she or The Intercept had the sense to remove or alter the DocuColor dots.
"The U.S. Government Agency conducted an internal audit to determine who accessed the intelligence reporting since its publication. The U.S. Government Agency determined that six individuals printed this reporting. WINNER was one of these six individuals. A further audit of the six individuals' desk computers revealed that WINNER had e-mail contact with the News Outlet. The audit did not reveal that any of the other individuals had e-mail contact with the News Outlet"
> We’ve taken steps to make sure that people can leak to us as safely as possible. Our newsroom is staffed by reporters who have extensive experience working with whistleblowers, as well as some of the world’s foremost internet security specialists. Our pioneering use of the SecureDrop platform enables you to communicate with our reporters and send documents to us anonymously.
I think it's shocking that nobody at The Intercept was aware of the yellow dots, or other metadata (eg printer-specific output artifacts) that might facilitate the revelation of the anonymous source. This is so careless of them that I'm led to believe that they don't have a formal scrubbing step at all.
Of course, I might be biased a bit here because I dislike Greenwald so much for how he handled the Snowden leaks. The risks Snowden took and the sacrifices he made are incomparable, but "it took Greenwald several more months and help from experts before he could learn relatively basic tools like PGP encryption."
Edit: I think it's shocking because assisting whistleblowers and protecting their anonymity seems central to The Intercept (which I believe is commendable), so they, of all people, should know better -- if not best.
Screw-ups happen. Repeated screw-ups show a systemic failure.
This is actually a really good point. I've been rolling my eyes a bit at people smugly pretending they knew what DocuColor was last week, or equating it with things like EXIF data that are far more widely known.
But you don't have to know about DocuColor specifically to avoid this issue, you just have to suspect that printer outputs are a threat vector for something identifiable.
Snowden had to hand-hold the guy at Intercept to use GPG. Guardian leaked encryption keys in a book, before/after handing all of Wikileaks' stash to the Mossad.
At this point all we have left is 4chan, and anons like myself (who then get blocked by @dang after he's logged the IP addresses). /s
Also, many thanks to @dang for keeping 4chan out of HN.
The Intercept does have that duty. And at least some of their staff know it. But maybe they get overruled.
EDIT- checked the source:
It looks like imagemagick's 'threshold'  command is being used, so everything is max/min/black/white:
It turns out REALITY WINNER isn't an NSA exploit – it's her real name
Why did no one at the intercept check for them? Its trivial and they have to know about this kind of stuff?
Many of these can be circumvented through the use of tech like VPNs, Tor, or GPG, and through careful behavior such as scrubbing metadata and the use of burner phones/laptops, cash, and public internet connections. And we're not even getting to the level of wireless carrier, home ISP, or NSA web activity tracking, NSA Tor exploitation, or zero-day exploits. Furthermore, this assumes that the documents themselves are not themselves subject to punctuation, word replacement, typesetting, or other content steganography. Should The Intercept be responsible for ensuring that its sources adhere to safe leaking behaviors? They probably should, at some level.
But what if - as I'm reading here - The Intercept got an email from email@example.com, subject "NSA Report on Russia Spearphishing.pdf", body "Hey, I was browsing some stuff out of curiosity in our SCIF and thought this study might be useful to you. I printed it off and smuggled it out in my purse, then scanned it and attached it to this email. Please publish it so the American people can know what's really going on. Hope this helps! -- Reality". There's not really any point to worrying about printer steganography, protecting your IP address, or GPG at that point.
OR for enforcing fingerprinting! (It can help with fighting against corrupt governments)
As pointed out, probably there is more steganography being put into devices / software by the NSA/etc (tinfoil hat nonwithstanding); that will probably insert things like meaningful whitespace with information about the source.
The article is also very relevant because we do need tools free from such fingerprinting. It makes me want to use only and only open source for all my documents. Even for file storage!
They (the Intercept) are playing in a dangerous game, and they should be extra careful about such things. After all the drama about smashed hard drives, Greenwald's BF being detained in London, etc. etc. you'd think they'd know better.
I'm not in the security business, and even I knew about the dots (and circles in the $20 bills). It's been on HN several times: http://goo.gl/h1kqbu
So, shame on you, Intercept. Your callous disregard for your sources is now going to send one to prison for a looong time.
FYI: The 3rd Amendment reads as follows:
"No Soldier shall, in time of peace be quartered in any house, without the consent of the Owner, nor in time of war, but in a manner to be prescribed by law."
I don't see the connection. Why does this violate our 3rd amendment rights?
That said, this pretty obviously isn't a clear Third Amendment violation. There's virtually no caselaw around the 3rd, and what there is has held it pretty narrowly. The only successful Third Amendment defense I know of was Engblom v. Carey, which was about evicting prison guards to give their housing to National Guard troops.
So - I think they meant "right to privacy", but the 3rd is one of the smallest and least-cited components of that right.
I'm not convinced that would be sufficient, especially the latter option.
Also this is the NSA. If they're smart, they have backup fingerprinting that isn't publicly known.
And even when you mask them out so that they are no longer visible in the "all white" (paper) background, e.g. by messing with the white/black point of the image there's still the possibility that they could be recovered with correlation methods in grey areas where they aren't visible to the naked eye or just by increasing the contrast.
They didn't say "convert to greyscale".
Very good point. But even then, assume that one page of a leaked document contains a large picture with areas around the thrshold value: With the agency being able to recreate a perfect replica of the initially scanned paper version, but without yellow dots, it might be possible to extract the (very few) bits necessary to boil it down to a single printer serial number by statistical methods.
...and they focus on adding fonts of multiple sizes so it can't be shrunk without losing information.
Or do what Greenpeace did and retype them.
It's trivial to inject systematic, minor changes in whitespace or fonts that create a serial number in an image based document format. Every individual obtaining a TS document could be given their own numbered copy for traceability.
This will certainly make anybody thinking of leaking to the Intercept think twice.
I think we might also assume that other NSA leaks to MSM might have been done with some level of institutional approval.
IC twitter takes Louise Mensch's insane conspiracy theories seriously, and legitimately believes that every malicious packet on the Internet is attributable Fancy Bear.
Why not use OCR?
The fact of the arrest strongly suggests the documents themselves are accurate. If they don't reflect actual Russian activity, they appear to reflect US intelligence of such activity.
If accurate, the documents corroborate a general pattern of activity of election manipulation carried on from at least June of 2016 through November, which would be highly significant.
There is circumstantial evidence of vote tampering in at least North Carolina, based on unexpected vote-tally convergence differences based on precinct size (I'm not entirely sold on the story, though it seems to have some legs): http://www.votesleuth.org/north-carolina-2016-overview/
At a larger scale, this highlights weakensses in multiple elements of liberal democratic institutions, mechanisms, communications, and media, as well as, quite possibly, political bodies and individuals. Arguments which have been in large part theoretical of risks of voting machines, email, and end-to-end encryption are now looking to be substantial, actual, and potentially existential threats.
That's some prime meat in my register.
A theory that isn't going to satisfy many people. It is interesting, though, to ponder what would have happened at various points in history, had $state_actor at the time had access to this tech.
Whenever I hear of dubious 'features' like this, I dream of seeing them backfire on one of their supporters.
Say, next time there's a leak, the microdots show the source to be a printer in the White House.
If nothing else, it would make it trivial for the defense of a real leaker to show that forging the pattern is a very real possibility.
Well, here we are today with this NSA story.
I think it's possible that US-based printer manufacturers implemented watermarking on special request from the NSA. That would also explain why the printer manufacturer employees never needed to teach anyone how to decode them. It wasn't their specs in the first place.
Of course, as others have posted, she doesn't appear to have tried hard to cover her tracks at NSA so that doesn't seem too likely. But stating that she accidentally left in the printer dots is assuming several facts not in evidence.
So the dots don't look good in terms of The Intercept's opsec, but from what we know from the Justice Department's affidavit  and the search warrant , those dots were likely inconsequential as evidence compared to the audit trail that Winner left when she accessed and printed the file. It's not unreasonable to believe that the NSA and its contractors can track access activity by user, post-Snowden; I mean, it's a feature built into states' DMV systems, which is how cops get busted in the occasional scandal of unauthorized lookup of citizen info .
The warrant and affidavit allude to such a system when describing the audit that was done as soon as the NSA was made aware (because the Intercept reached out to them) that the document was out in the wild. At that point, it doesn't seem hard to query their own logs to find all users who accessed and/or printed out the document. Unfortunately for Winner, it seems that very few (1 in 6) NSA employees printed out the document, and I'm sure it didn't help that her background (former Air Force, fluent in several Middle Eastern languages) would indicate that her job did not require her to have a physical copy of this particular document.
The affidavit and warrant mention "physical" metadata that they say supports their case, but it's all circumstantial
1. The documents show evidence of creases/folding, which indicates that someone had to secret it out physically (i.e. they printed it first) from the NSA. But that folding/creasing could come from the reporters printing out their own copies of the document.
2. The affidavit says that of the 6 employees to have had printed out the document, Winner was the only one to have email contact with The intercept. But the warrant specifies that this email contact occurred using her private GMail address in March, and it was limited to 2 emails: her subscribing the The Intercept podcast, and a confirmation email. i.e. she didn't use email (that we know of) to talk to the Intercept.
There's no mention of the yellow dots, which, sure, we could argue that the NSA is just keeping that bit of tradecraft secret. But keep in mind that the NSA started their investigation last week, with the FBI interviewing Winner just a few days ago (on a Saturday no less).
The other key point is that, according to the warrant, the Intercept journalist sent along the leaked documents to a NSA source for confirmation using a smartphone, i.e. they texted smartphone photos of the documents. It seems possible that that kind of ad hoc scanning would make the yellow dots illegible, depending on how much care was taken to photograph the documents.
At any rate, it's kind of irrelevant. Assuming Winner used her own NSA credentials to peruse the system, the access control logs were all that were needed to out her as fast as the NSA and FBI were able to. However, it's worth noting that if the NSA had been clueless until the Intercept's published report, the actual published document apparently did reveal the yellow dots. This means that if even if Winner were one of many NSA employees to print out the documents, the yellow-dot timestamp would greatly help in narrowing the list of suspects.
So, it's wrong to say the Intercept outed her, because we don't know what would've happened in an alternative reality in which the NSA didn't start its investigation until after seeing the published report. It is OK, probably, to speculate that the Intercept was sloppy in handling the documents...but that's not what led to Winner being outed so quickly.
Printers have been using microdots since the 90's; their use isn't secret. And the NSA would use other forms of forensic fingerprinting. For example, there's some kerning variation in that document, which could easily be another form of steganography. There are numerous other textual/grammar variations they could use to watermark a document.
This is what I'm betting on. The 'creases' story may have some truth to it, but I suspect its primary goal is to take over the narrative and distract from the actual methods of identify the leak.
Or just retype it.
I don't understand why everyone seems obsessed with complex, automated, technical solutions when a simple manual procedure will do. Or are we talking about thousands of pages (sorry, haven't read the article, just responding to the comments)?
The dots could be based on the computer, currently logged in user, and timestamp.
Then later, if any screenshot or screen photo is leaked, you can decode the dots to identify the source.
It's used in GPS transmissions to allow decoding signals considerably weaker than the background noise. Because the receiver is aware what the signal should look like, it can extract it despite all the noise by averaging across all the samples.
It does require perfect alignment though, which might be tricky considering camera lens warping, etc.
Before they even meet, Snowden asked Greenwald to set-up PGP/GPG so they can securely talk/he can tell them what he has, Greenwald didn't manage to do that/ignored this "anonymous person", Snowden found that Laura had a GPG key, and knew Greenwald, so he asked her to help him set that up. This all happened pre-Intercept, Greenwald was working for The Guardian at that time.
Despite his technical ineptitude, Greenwald was the only journalist Snowden trusted with the info, he didn't go to NYTimes after the NYT delayed a story about surveillance during the Bush admin until after Bush's reelection, he was afraid the NYT would just go straight to the government before publication, asking "So is this story legit?"...
It was the Guardian who maintained opsec to stay in contact with Snowden, and even then it took plenty of handholding from Snowden himself.
Instead, it's more along the lines of "The Intercept should never be trusted, they need to shut down!" without any discussion of how or who or what to use to disseminate national security leaks going forward. Sounds an awful lot like cheap opportunism from people who didn't even like the Intercept to begin with.
2. There are people who'd like to see The Intercept shut down. Any excuse will serve a tyrant, as Aesop noted, some time ago. http://www.bartleby.com/17/1/2.html
3. My own view is very much "this was a massive fuck-up on the part of The Intercept, who have staff with opsec talent (Micah Lee) on board for specifically this purpose, and I hope to see a post-mortem on the situation, how the Intercept failed, and what it plans to change in future."
I'd pay close attention, for now, in #2, though.