Yellow Microdots Outs NSA Contractor

ByCharles Bunn

Yellow Microdots Outs NSA Contractor

The website “” released documents on election tampering from an NSA leaker. Online, an arrest warrant for “Reality Winner”, an NSA contractor, appeared shortly after her arrest. The documents she printed contained tiny yellow Microdots, and the warrant showed how the NSA tracked her down via the documents she sent to the Intercept. The published Intercept document was not the original scanned PDF file but a PDF containing pictures of the printed document.

Several decades ago when the advent of the color printer came about, and the technology approached near photo perfect, the Treasury Department realized they had a major problem. Color copiers could copy currency and create counterfeit notes. Mitigating the threat, at least partially, the Government requested color printers include methods to track the source of any color copies. The creation of the nearly invisible yellow microdots was one industry answer to the counterfeit problem.

Every color printed document, printed by a modern printer, contains nearly invisible yellow tracking dots. The arrangement of yellow dots encodes Metadata about the printed document. These Microdots can track down exactly when and where documents are printed. The NSA logs all printing jobs on its printers so it can precisely match up who printed the document. I am going to show you how the NSA decoded where and when “Reality Winner” printed the offending documents.

The Doubled Edged Sword of Microdots

You can download the document from The Intercept here. Using an open source image editor such as Gimp, we can illuminate these hidden microdots. Open Gimp and then open the document you downloaded from the Intercept. Importing the document as a PDF requires you to set several parameters. The defaults will make interpreting the dots very difficult, so make sure you set the Resolution to at least 900 pixels/in or higher. Also, make sure to check the box in front of Anti-aliasing so that all dots are visible. Select just the first page and the click on Import.

Import_From_PDF Yellow Microdots Outs NSA Contractor

Import from PDF – Settings

Now you have the original document open in GIMP. Click on Select and then All or Ctrl + A to select the whole document.

GIMP_Document-1024x560 Yellow Microdots Outs NSA Contractor

Imported GIMP Document.

Now Select Colors and then Invert, the document will appear as below.

GIMP_Document_Invert-1024x560 Yellow Microdots Outs NSA Contractor

GIMP Document with Inverted Colors.

Zoom in to any white space or in this case dark space. Enlarging the image below you will see what appears to be groups of blue (the inverse of yellow) dots arranged in a rectangular pattern.

GIMP_Document_Zoom-1024x560 Yellow Microdots Outs NSA Contractor

GIMP Document – Zoom In

All That Is Hidden Can Now Be Seen

Select one of these patterns and make sure you have a 15 wide by 8 dot tall block.

GIMP_Document_Dots-1024x560 Yellow Microdots Outs NSA Contractor

GIMP Document – Microdots

If we go to the Electronic Frontier Foundation (EFF) – DocuColor Tracking Dot Decoding Guide WEB page we immediately notice that column one, row one does not have a dot in it and we must rotate the image 180 degrees to properly orient the pattern for decoding. In GIMP, under the Image tab, select Transform, and Rotate 180 degrees. Once done we can use the EFF page to decode the dots.

GIMP_Document_Rotate-1024x560 Yellow Microdots Outs NSA Contractor

GIMP Document – Rotated 180

Now we can match the dot pattern to the import form for decoding.

EFF_Dot_Pattern Yellow Microdots Outs NSA Contractor

EFF Microdot Pattern

After matching the dot to its corresponding row and column we can fill in the code above, click on the Submit button to return the results.

EFF_Dot_Decode Yellow Microdots Outs NSA Contractor

EFF Microdot Pattern Decoded

The document leaked by the Intercept was from a printer with model number 54 and the serial number 29535218. We can see that on May 9, 2017, at 6:20, the document was printed. The NSA knows which computer sent the print job, at the exact time and date revealed by the Metadata, since the NSA logs all print jobs. The logs probably also contained the user logged into the computer at the time the print job. The Intercept handed “Reality Winner” to the NSA on a silver platter.

This Has Happened Before

The situation is similar to how Vice revealed the location of John McAfee accidentally by publishing a JPEG photograph of him with the EXIF GPS coordinates still hidden in the file. Yes, that is correct; JPEG and other image files embed GPS and other information in the electronic file. Every time you open a Microsoft Office document, you leave fingerprints identifying yourself behind.

I have seen suggestions that switching to a black and white printer or black and white scanner, or converting the image to black-and-white with an image editor can fix the problem. I would not trust such a conversion because there are too many variables. A black-and-white conversion should throw the yellow microdots away as being below a threshold contrast, but the mere process of such a conversion means there may still be an electronic footprint somewhere. The only way to be sure would be to hand type the document onto another document.

Despite this, the microdot tracking technology may save you one day. Tracking, such as this, may disprove that you printed and distributed a nasty memo about your boss or perhaps something more nefarious perpetrated by an unscrupulous competitor.  As with any technology, there is good and bad to come from it depending on whose hands you put it in.

About the author

Charles Bunn administrator

Chuck is the founder and Owner of Zypath LLC. With over two decades of experience in computer and networking systems, he specializes in small business communication design, setup, troubleshooting and maintenance.