Criminal investigations into national security leaks tend to be long, complicated and delicate affairs. Sources generally cover their tracks, especially in an era when even the most innocuous computer activity leaves an electronic trail. Leaks are common, but prosecutions aren’t.
Edward Snowden took extraordinary precautions when he leaked troves of classified information on surveillance activity by the National Security Agency to journalists and was charged only after he publicly revealed himself to be the source. Thomas Drake, a former NSA executive, wasn’t indicted for several years after he passed on details about fraud and waste at the agency to the Baltimore Sun. Originally accused of felony espionage, Drake pleaded guilty to a misdemeanor of exceeding authorized use of a computer.
In the case of Reality Leigh Winner, a government contractor accused of sending a top-secret document to a news outlet, federal authorities brought charges less than a week after being tipped off.
Winner, 25, was charged Monday with gathering, transmitting or losing defense information, as The Washington Post reported. Court documents did not identify the document that was leaked or the news outlet that received it, but the criminal complaint against Winner was unveiled shortly after the national security site the Intercept published a story containing an NSA report on Russian efforts to interfere with the 2016 election.
The Post has reported that the charges are related to the Intercept’s story, which describes how Russian military intelligence used hacking techniques against a U.S. voting software supplier and more than 100 local election officials in the days before voters went to the polls. The Intercept called the classified document the “most detailed U.S. government account of Russian interference in the election that has yet come to light,” saying it indicated that Russian hacking may have gone deeper than previously known.
A search warrant affidavit filed and accessible to the public in federal court in Georgia reveals how it took just a few days for investigators to single out Winner as the alleged source of the leak.
It started on May 30, when the news outlet showed authorities the printed materials and asked them to comment, according to the affidavit.
“The U.S. Government Agency examined the document shared by the News Outlet and determined the pages of the intelligence reporting appeared to be folded and/or creased,” the affidavit reads, “suggesting they had been printed and hand-carried out of a secured space.”
An internal audit showed that six people had printed out the top-secret materials after they were published at the beginning of the month. One of them was Winner, who worked for Pluribus International at a facility in Georgia, the affidavit says.
Investigators said they searched Winner’s work computer and found that she had emailed the news outlet in March from a personal account. In her message, they said, she appeared to ask for transcripts of a podcast. In response, the news outlet “confirmed Winner’s subscription to the service,” according to the affidavit.
The review of Winner’s computer history also showed that on May 9 she searched the agency’s classified system using search terms that led her to the report, the affidavit says. That day, it says, she printed the document.
The agency told the FBI about the leak on June 1. The same day, the affidavit says, an unidentified government contractor contacted the agency to say he had been in touch with a reporter from the news outlet, who had texted pictures of the document to verify their authenticity. The reporter told the contractor that the documents came through the mail and were postmarked “Augusta, Georgia,” according to the affidavit.
“The Contractor informed the Reporter that he thought that the documents were fake,” the affidavit reads. “Nevertheless, the Contractor contacted the U.S. Government Agency on or about June 1, 2017, to inform the U.S. Government Agency of his interaction with the reporter.”
The following day, FBI agents staked out Winner’s one-story red brick house near downtown Augusta, Ga., where they saw her driving a light-colored Nissan Cube, according to the affidavit.
Winner was arrested Saturday. When FBI agents questioned her at her home, she admitted “removing the classified intelligence reporting from her office space, retaining it, and mailing it from Augusta, Georgia, to the news outlet,” court documents read. She remains in jail pending a detention hearing. Her lawyer declined to comment on the charges.
After the charges were announced Monday, some cybersecurity experts remarked on the apparent ease with which investigators were able to trace the leak back to Winner. Some went so far as to say the Intercept had “outed” her by posting copies of the document online. The Intercept said the materials were submitted anonymously.
According to Rob Graham, who writes for the blog Errata Security, the Intercept’s scanned images of the intelligence report contained tracking dots: small, barely visible yellow dots that show “exactly when and where documents, any document, is printed.” Nearly all modern color printers feature such tracking markers, which are used to identify a printer’s serial number and the date and time a page was printed.
“Because the NSA logs all printing jobs on its printers, it can use this to match up precisely who printed the document,” Graham wrote Monday.
Graham’s post gave a step-by-step demonstration of how investigators could have easily done just that. Using a tracking dot decoding tool from the Electronic Frontier Foundation, he said he determined that the document “was from a printer with model number 54, serial number 29535218” and was printed on May 9, 2017, at 6:20 a.m.
“The NSA almost certainly has a record of who used the printer at that time,” Graham wrote.
Others picked up on the same point.
“Just a reminder, colour printers spy on you,” tweeted data analyst Tim Bennett. “This one embedded the exact time a U.S. government employee printed a subsequently leaked doc.”