Comment by danso

tl;dr: the dots may have exposed metadata of the printing, but from what we know officially, NSA's internal access control system was all that was needed to argue probable cause against Reality Winner.

So the dots don't look good in terms of The Intercept's opsec, but from what we know from the Justice Department's affidavit [0] and the search warrant [1], those dots were likely inconsequential as evidence compared to the audit trail that Winner left when she accessed and printed the file. It's not unreasonable to believe that the NSA and its contractors can track access activity by user, post-Snowden; I mean, it's a feature built into states' DMV systems, which is how cops get busted in the occasional scandal of unauthorized lookup of citizen info [2].

The warrant and affidavit allude to such a system when describing the audit that was done as soon as the NSA was made aware (because the Intercept reached out to them) that the document was out in the wild. At that point, it doesn't seem hard to query their own logs to find all users who accessed and/or printed out the document. Unfortunately for Winner, it seems that very few (1 in 6) NSA employees printed out the document, and I'm sure it didn't help that her background (former Air Force, fluent in several Middle Eastern languages) would indicate that her job did not require her to have a physical copy of this particular document.

The affidavit and warrant mention "physical" metadata that they say supports their case, but it's all circumstantial

1. The documents show evidence of creases/folding, which indicates that someone had to secret it out physically (i.e. they printed it first) from the NSA. But that folding/creasing could come from the reporters printing out their own copies of the document.

2. The affidavit says that of the 6 employees to have had printed out the document, Winner was the only one to have email contact with The intercept. But the warrant specifies that this email contact occurred using her private GMail address in March, and it was limited to 2 emails: her subscribing the The Intercept podcast, and a confirmation email. i.e. she didn't use email (that we know of) to talk to the Intercept.

There's no mention of the yellow dots, which, sure, we could argue that the NSA is just keeping that bit of tradecraft secret. But keep in mind that the NSA started their investigation last week, with the FBI interviewing Winner just a few days ago (on a Saturday no less).

The other key point is that, according to the warrant, the Intercept journalist sent along the leaked documents to a NSA source for confirmation using a smartphone, i.e. they texted smartphone photos of the documents. It seems possible that that kind of ad hoc scanning would make the yellow dots illegible, depending on how much care was taken to photograph the documents.

At any rate, it's kind of irrelevant. Assuming Winner used her own NSA credentials to peruse the system, the access control logs were all that were needed to out her as fast as the NSA and FBI were able to. However, it's worth noting that if the NSA had been clueless until the Intercept's published report, the actual published document apparently did reveal the yellow dots. This means that if even if Winner were one of many NSA employees to print out the documents, the yellow-dot timestamp would greatly help in narrowing the list of suspects.

So, it's wrong to say the Intercept outed her, because we don't know what would've happened in an alternative reality in which the NSA didn't start its investigation until after seeing the published report. It is OK, probably, to speculate that the Intercept was sloppy in handling the documents...but that's not what led to Winner being outed so quickly.

[0] https://www.justice.gov/opa/pr/federal-government-contractor...

[1] http://blog.erratasec.com/2017/06/how-intercept-outed-realit...

[2] https://apnews.com/699236946e3140659fff8a2362e16f43/ap-acros...