How, exactly, did the FBI zero in on alleged NSA leaker Reality Leigh Winner? Winner, a contractor for the NSA, was quietly arrested on Sunday and charged with leaking top secret documents. According to the Justice Department, she confessed to printing out classified information while authorities were searching her home and vehicle. Those documents are now confirmed to be the same documents published by the Intercept on Monday afternoon about a Russian cyberattack on U.S. voting machines and officials. About an hour after the Intercept published the story, the Justice Department revealed to the press that it already had Winner in custody, and would be prosecuting her under the Espionage Act. It was an effective bit of showmanship.
The Intercept, for obvious reasons, is saying very little. A statement posted to the site describes the claims made in the government search affidavit and the criminal complaint as “unproven assertions and speculation designed to serve the government’s agenda and as such warrant skepticism.” Naturally, any specific details revealed by the publication could be used to build a case against its sources.
The understandable silence from the Intercept, combined with the fragmented details provided by the court documents, has led to a significant amount of back and forth on Twitter on how much culpability the Intercept has in Winner’s arrest — whether the Intercept’s bad “opsec” led to the government charging Winner, or if Winner’s own missteps led to her arrest. The discussion is more than just a journalistic pissing match: Not only does the site’s reputation as a safe place for anonymous leaks hang in the balance, but journalists and their sources at all publications are nervous about the capabilities of a Trump administration that has declared war on leakers everywhere.
If you go strictly by what’s contained in the FBI’s search affidavit, there were three important pieces of circumstantial evidence that led the Feds to Winner.
The first is that Winner had previous contact with the Intercept. It’s important to note here that, contra the assumptions of many on Twitter, her contact had nothing to do with the story, and occurred well over a month before she even allegedly accessed the report that was leaked. She emailed the site on March 30 from her private Gmail account, asking for a transcript of a podcast. She emailed the site again on March 31, confirming “subscription to the service” (likely one of the Intercept’s newsletters).
The second is that on May 24, a reporter from the Intercept reached out to an unnamed government contractor, trying to determine the validity of the leak. During the exchange, the Intercept revealed that the leak had been mailed with a postmark of Augusta, Georgia, where Winner lives. (Checking with other sources about the validity of a leak is not necessarily bad opsec; revealing specific information about the leak almost certainly is — though it’s also probably more common than journalists would like to admit.) The contractor told the Intercept that they believed the leak to be fake; when the Intercept returned on June 1, saying that the leak’s authenticity had been confirmed, the original anonymous government contractor turned around and alerted the NSA to the matter — including the key detail that the document had been mailed from Augusta.
The third, and most glaring, is that the Intercept provided a copy of the report itself to the NSA on May 30. It’s unclear if the Intercept gave the NSA a scanned copy of the printed material it had received, or a retyped or otherwise altered version, but the NSA then turned the report over to the FBI for further investigation. According to the FBI’s affidavit, Feds noticed that pages of the intelligence reporting appeared “folded and/or creased,” thus alerting them that the information had been printed. Per the affidavit, the government then found that only six people had printed that report, and Winner had no reason to do so — the report was outside of her job duties.
The “crease” has been bandied about in the press, but there’s good reason to believe that the Feds had a more sophisticated way of figuring out that the document had been printed out. The Intercept’s PDF of the document also contains “tracking dots,” a barely visible pattern of yellow dots that many color laser printers stamp on every page, from which anyone can recover the printer’s serial number and model and the date and time of printing. You can see these for yourself: Just screenshot the top-left corner of any page of the PDF and invert the colors in an image-editing tool. Against the now-black background, the formerly pale yellow dots show up as blue and become immediately apparent. The tracking dots on the documents from the Intercept show a print date of May 9 at 6:20 from a printer with model number 54, serial number 29535218. (The last page of the PDF carries a different set of tracking dots; it’s unclear why.)
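The inversion trick above can be turned into a check you can run over a scanned page rather than eyeballing a screenshot. The following is an added example, not code from the Gizmodo article, the Intercept, or any tracking-dot decoder: it inverts an RGB pixel array, keeps only pixels that were yellow (after inversion, blue clearly above red and green), groups them into blobs, and snaps the blob centroids onto a grid. The page it runs on is constructed inline (faint yellow dots on white plus a line of black text), the dot layout, pitch, and origin are hypothetical, and the grid is reported as a bitmap only; mapping columns to minute, hour, serial number and so on is the separate, printer-specific decoding step that this code does not attempt. A real scan would be loaded with Pillow and converted to the same rows-of-tuples form.

```python
from collections import deque

# Constructed sample page: faint yellow dots on white paper, plus black "text".
PAPER = (255, 255, 255)
INK = (0, 0, 0)
YELLOW_DOT = (250, 250, 200)  # barely visible against white paper

PATTERN = [  # hypothetical dot layout for the demo, not the real DocuColor encoding
    "#.#..",
    "..##.",
    "#...#",
    ".#.#.",
]
ORIGIN = (8, 6)   # pixel position of grid cell (row 0, col 0); assumed
PITCH = 4         # pixels between neighbouring grid cells; assumed
DOT_SIZE = 2      # each dot covers a DOT_SIZE x DOT_SIZE square


def build_sample_page(width=40, height=30):
    """Return a constructed page as rows of (r, g, b) tuples."""
    page = [[PAPER] * width for _ in range(height)]
    for r, row in enumerate(PATTERN):
        for c, cell in enumerate(row):
            if cell != "#":
                continue
            x0, y0 = ORIGIN[0] + c * PITCH, ORIGIN[1] + r * PITCH
            for dy in range(DOT_SIZE):
                for dx in range(DOT_SIZE):
                    page[y0 + dy][x0 + dx] = YELLOW_DOT
    for x in range(2, 30):   # a line of printed text that must not be taken for dots
        for y in range(24, 27):
            page[y][x] = INK
    return page


def invert(page):
    """Invert every channel: paper becomes black, yellow dots become dark blue."""
    return [[(255 - r, 255 - g, 255 - b) for (r, g, b) in row] for row in page]


def is_dot_pixel(rgb, min_delta=20):
    """On the inverted image a former yellow pixel is the only thing whose blue is
    clearly above red and green; inverted paper is (0, 0, 0), inverted ink is white."""
    r, g, b = rgb
    return b - max(r, g) >= min_delta


def find_dots(inverted):
    """Group dot pixels into 4-connected blobs and return their (x, y) centroids."""
    height, width = len(inverted), len(inverted[0])
    seen = [[False] * width for _ in range(height)]
    centroids = []
    for y in range(height):
        for x in range(width):
            if seen[y][x] or not is_dot_pixel(inverted[y][x]):
                continue
            blob, queue = [], deque([(x, y)])
            seen[y][x] = True
            while queue:
                cx, cy = queue.popleft()
                blob.append((cx, cy))
                for nx, ny in ((cx + 1, cy), (cx - 1, cy), (cx, cy + 1), (cx, cy - 1)):
                    inside = 0 <= nx < width and 0 <= ny < height
                    if inside and not seen[ny][nx] and is_dot_pixel(inverted[ny][nx]):
                        seen[ny][nx] = True
                        queue.append((nx, ny))
            centroids.append((sum(p[0] for p in blob) / len(blob),
                              sum(p[1] for p in blob) / len(blob)))
    return centroids


def dots_to_grid(centroids, pitch):
    """Snap centroids onto a grid of the given pitch. The top-left dot defines the
    origin, so a layout whose first row or column is empty would come out shifted;
    a real decoder anchors on a cell the printer always sets instead."""
    if not centroids:
        return []
    x_min = min(x for x, _ in centroids)
    y_min = min(y for _, y in centroids)
    cells = {(round((y - y_min) / pitch), round((x - x_min) / pitch)) for x, y in centroids}
    rows = max(r for r, _ in cells) + 1
    cols = max(c for _, c in cells) + 1
    return ["".join("#" if (r, c) in cells else "." for c in range(cols)) for r in range(rows)]


def recover_grid(page, pitch=PITCH):
    """Whole pipeline: invert, find the formerly yellow blobs, snap them to a grid."""
    return dots_to_grid(find_dots(invert(page)), pitch)


if __name__ == "__main__":
    for line in recover_grid(build_sample_page()):
        print(line)
```

The threshold on the blue channel after inversion is the same thing your eye does on the inverted screenshot; on a real scan you would raise or lower `min_delta` depending on how yellow the paper itself scans, and the text line in the sample is there to show that ordinary black print drops out of the mask.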
If this is the copy that the Intercept also provided to the NSA, then the government likely knew enough, once it matched the serial number and timestamp against the printer’s own logs, to determine which employee had used that specific printer at that specific time; it would have had no need to see “creases” at all. In fact, the crease may be pretext to avoid mentioning tracking dots (or another forensic method) used to determine that the document was printed, an investigative technique known as “parallel construction” that avoids revealing how evidence in a case was actually gathered.
The problem with apportioning blame in this case is that we don’t know if the Intercept handed over to the NSA the original copy of the report that they’d received — which would have been a grave security error — or if it was a photocopy or reprint that nonetheless betrayed some evidence.
And it’s important to note that the FBI and NSA didn’t need to know that the pages had even been printed. Material classified “top secret” (the highest security rating a document can receive) is handled on a government intranet known as the Joint Worldwide Intelligence Communications System, or JWICS. As detailed by New York Magazine contributor Yashar Ali on Twitter, this system logs everyone who accesses top secret documents, as well as what they do with them. Even if the Intercept had verified the document without alerting the NSA, and then paraphrased the entire report, after it published its story, the government would have quickly moved to determine who had accessed the document, and Winner would have, eventually, come under the same scrutiny.
Nonetheless, it’s clear that there were serious mistakes made by both the Intercept and its leaker. It’s quite reasonable for the Intercept to seek confirmation that the document in question was real with third-party sources, and eventually the NSA. But revealing the Augusta, Georgia, postmark to the third-party source clearly helped the government build its case. Providing a copy of the report seems to have, in some way, added to the government’s pile of evidence. And the decision to publish the PDF with the tracking dots unobscured is a baffling unforced error from a site that hinges on being a secure place to send documents, especially since the Intercept likely had no idea who its source was, or that she was already in custody, and so had every reason to assume the source was still exposed.
Assuming Winner is the leaker, she too made a mistake in contacting the Intercept from work, though given that it happened well before she allegedly sent the report, it’s hard to blame her. Still, Winner, as a contractor for the NSA and an Air Force veteran with top secret clearance, would have known as well as anyone that her traffic would be logged, and would also likely have known that accessing top secret documents, even without printing them out, would have thrown up red flags in the aftermath of a leak.
It’s worth reiterating that the FBI has a strong incentive to cast the Intercept as incompetent handlers of sources. There’s a decent chance that the case was built against Winner in a completely different way, one that didn’t rely on mistakes by the journalists at all, and that this particular parallel construction of the case is being put forward to cast aspersions on one of the most notorious investigative outfits online. But there’s no escaping that the mistakes made by the Intercept and Winner, small as they may have been, were enough to get a search warrant and criminal complaint signed. If there’s any consolation for leakers and the journalists they rely on, it’s that the affidavit provides an object lesson in protecting sources.