Gabor Szathmari, a security researcher for CryptoAUSTRALIA, is working on a method of improving the security of leaked documents by removing the hidden dots that laser printers leave behind, which are usually used to watermark documents and track down leakers.
Szathmari's work was inspired by the case of a 25-year-old woman, Reality Leigh Winner, who was recently charged with leaking top-secret NSA documents to a news outlet.
While the DOJ indictment didn't mention the news outlet by name, many said it was The Intercept, an online news portal that published a story based on top-secret NSA documents showing cyber-attacks against a US vendor of voting machines, perpetrated by Russia's GRU military intelligence agency.
The Intercept story included screenshots of scanned NSA documents, and the publication admitted to having contacted the NSA with copies of the scanned documents prior to publishing their story.
According to Errata Security researcher Rob Graham, it was these scanned documents that might have led to Winner's arrest.
Graham claims that the documents contained barely visible yellow dots left behind by the laser printer Winner used to print the documents that she later allegedly sent to journalists.
The problem of invisible dots left behind in printed documents has long been documented by the Electronic Frontier Foundation, who warned users against companies that use this technique to watermark documents printed inside their headquarters.
These markings are barely visible yellow dots arranged on a grid. Based on their alignment, these dots can reveal the time and date when the document was printed, and the printer's serial number. This allows companies to track leaks to printers installed in certain office spaces, departments, buildings, or other locations.
Graham says he found such dots on the documents published by The Intercept. The date encoded via those dots was May 9, the same day the DOJ said Winner printed and removed documents from NSA's network.
Here's where Szathmari wants to lend a helping hand. Following Winner's arrest and subsequent charging, the security researcher has submitted a pull request to PDF Redact Tools, a project for securely redacting and stripping metadata from documents before publishing.
Ironically, the project is managed by First Look Media, the parent company behind The Intercept news outlet.
Szathmari's pull request adds a code routine to the PDF Redact Tools project that would allow app operators to convert documents to black & white before publishing.
"The black and white conversion will convert colors like the faded yellow dots to white," Szathmari told Bleeping Computer in an interview.
"The purpose of the new switch is to suppress the dots left by the laser printer," the expert added.
As proven in the screenshot above, Szathmari's updates yield the desired result of removing the printer dot watermarks. Nevertheless, the expert says his tool isn't perfect, and will not protect whistleblowers against other giveaway signs.
"It doesn't protect [against] other unique patterns or signs. So if the document was folded in half or it has creases, they will not disappear."
This means that if the alleged leaker still has the original document lying around his house, investigators can trace back the publicly leaked version to his copy based on folds and creases alone, even if the printer dots have been removed.
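A minimal sketch of why the black-and-white conversion described above suppresses the dots, added here as an illustration and not code from the pull request or from PDF Redact Tools. The pixel values, page size, dot spacing and threshold are constructed assumptions; the sketch also shows that a plain grayscale conversion would leave the dots behind as faint grey marks.

```python
# Added illustration: not code from PDF Redact Tools or the pull request.
# All pixel values, sizes and the threshold below are constructed assumptions.

WHITE = (255, 255, 255)   # blank paper
INK = (20, 20, 20)        # dark toner (text)
DOT = (255, 255, 150)     # faded yellow tracking dot

def make_scan(width=32, height=16):
    """Build a constructed RGB 'scan': one line of text plus a sparse dot grid."""
    page = [[WHITE] * width for _ in range(height)]
    for x in range(4, 28):
        page[8][x] = INK
    for y in range(1, height, 5):
        for x in range(2, width, 7):
            page[y][x] = DOT
    return page

def luma(rgb):
    """Perceived brightness (ITU-R BT.601 weights), rounded to 0..255."""
    r, g, b = rgb
    return round(0.299 * r + 0.587 * g + 0.114 * b)

def to_grayscale(page):
    """Keep brightness only; light colours become light grey, not white."""
    return [[luma(p) for p in row] for row in page]

def to_bilevel(page, threshold=128):
    """Black-and-white conversion: every pixel becomes pure black or pure white."""
    return [[0 if luma(p) < threshold else 255 for p in row] for row in page]

def faint_marks(mono, threshold=128):
    """Count light pixels that are still distinguishable from blank paper."""
    return sum(1 for row in mono for v in row if threshold <= v < 255)

def black_pixels(mono):
    """Count pure-black pixels, i.e. the text that survives conversion."""
    return sum(1 for row in mono for v in row if v == 0)

if __name__ == "__main__":
    scan = make_scan()
    print("faint marks after grayscale:", faint_marks(to_grayscale(scan)))
    print("faint marks after bilevel:  ", faint_marks(to_bilevel(scan)))
    print("text pixels kept:           ", black_pixels(to_bilevel(scan)))
```

A quick check on any converted page is to confirm it contains only pure black and pure white pixels before publishing.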
Szathmari also tells Bleeping Computer that he received plenty of feedback from people on social media that a better solution would be to use OCR (Optical Character Recognition) software to scan and convert the leaked document to a raw text version.
"However this is a compromise, as you will not be able to present the original document to your readers," the researcher says.
Currently, First Look Media hasn't responded to Szathmari's pull request, meaning it's not yet part of the official PDF Redact Tools project.
UPDATE [June 20, 2017]: Szathmari's pull request has been added to the official PDF Redact Tools project.