Researchers Reveal Details Of Printer Tracking Dots, Develop Free Software To Defeat It

from the whistleblowers-of-the-world,-rejoice,-but-still-be-careful dept

As Techdirt has reported previously in the case of Reality Leigh Winner, most modern color laser printers place tiny yellow tracking dots on every page printed -- what Wikipedia calls "printer steganography". The Electronic Frontier Foundation (EFF) first started warning about this sneaky form of surveillance back in 2005. It published a list of printers and whether it was known that they used tracking dots. In 2017, the EFF stopped updating the list, and wrote:

It appears likely that all recent commercial color laser printers print some kind of forensic tracking codes, not necessarily using yellow dots. This is true whether or not those codes are visible to the eye and whether or not the printer models are listed here. This also includes the printers that are listed here as not producing yellow dots.

Despite the EFF's early work in exposing the practice, there has been limited information available about the various tracking systems. Two German researchers at the Technical University in Dresden, Timo Richter and Stephan Escher, have now greatly extended our knowledge about the yellow dot code (via Netzpolitik.org). As the published paper on the work explains, the researchers looked at 1286 printed pages from 141 printers, produced by 18 different manufacturers. They discovered four different encoding systems, including one that was hitherto unknown. The yellow dots formed grids with 48, 64, 69 or 98 points; using the grid to encode binary data, the hidden information was repeated multiple times across the printed page. In all cases the researchers were able to extract the manufacturer's name, the model's serial number, and for some printers the date and time of printing too.

It's obviously good to have all this new information about tracking dots, but arguably even more important is a software tool that the researchers have written, and made freely available. It can be used to obfuscate tracking information that a printer places in one of the four grid patterns, thus ensuring that the hard copy documents cannot easily be used to trace who printed them. Printer manufacturers will doubtless come up with new ways of tracking documents, and may already be using some we don't know about, but this latest work at least makes it harder with existing models.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    Anonymous Anonymous Coward (profile), 2 Jul 2018 @ 6:08pm

    Or

    Assuming your document is something juicy that the government does not want revealed due to embarrassment, email your document, using the most current form of encrypted email, from a public computer (library, coffee shop, print center) to someone who does not have a printer and have them take that digital document to someone who has a used printer, bought at a flea market, or Goodwill, or other some such, print the document, then physically take it to a fourth party, who will then (wear gloves for all the physical aspects of this, of course) take it to a Mailboxes R Us location and send it on to a fifth party (no return address, I have been told that no return address is illegal but I have sent a whole lot of mail with no return address that was received by the sent to party), who will then swap the mailing envelope and return it to you via some sort of physical mail or messenger. Then you can submit your documents to whomever you want that doesn't have a printer. That makes 5 co-conspirators, which is pretty dangerous, even if they are hard to track.

    Or, you could just use a public library computer (wearing your Halloween costume, only on Halloween, which is the only date to do such things, except April 1st) and send it via encrypted email (no need for printers on your end) to someone like Wikileaks, or The Intercept, or the New York Times, or...well there are a lot of places who would love to receive it, and a lot of government types who would love to meet you. Up close and personal like.

    Any better methods?

    BTW, I have a serious complaint about printer manufacturers adding something I did not intend to my printed photographs. They are works of art, and I object to their trying to infringe upon my copyright by adding, surreptitiously their art to my art. Could we DMCA these dot?

    reply to this | link to this | view in chronology ]

    • icon
      Anonymous Anonymous Coward (profile), 2 Jul 2018 @ 7:03pm

      Re: Or

      Almost forgot, use a VPN for all computer related transactions. If you go the the library, make sure you take you logon information with you.

      reply to this | link to this | view in chronology ]

    • identicon
      teka, 2 Jul 2018 @ 11:35pm

      Re: Or

      Lots of co-conspirators. Or should I say... Terrorist cell members. Sounds like classic "conspiracy to be shot in a heroic gun battle where only another terrorist would dare point out that you were unarmed and cooperating" /s

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 3 Jul 2018 @ 5:08am

      Re: Or

      no return address, I have been told that no return address is illegal but I have sent a whole lot of mail with no return address that was received by the sent to party

      Protip: putting a fake apartment number is an easy way to make a fake address. Ex: find a 4-story building in the city it will be mailed from, write "Apt. 503" at its address. Postal databases have lists of valid street addresses, but usually not apartment numbers.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 3 Jul 2018 @ 6:21am

        Re: Re: Or

        It's not a "pro tip" unless you're actually a pro.

        reply to this | link to this | view in chronology ]

      • icon
        Bamboo Harvester (profile), 3 Jul 2018 @ 7:48am

        Re: Re: Or

        I always put an apartment number on any documents I'm forced to give a mailing address for.

        They still get delivered to me, but it lets me see who is selling my information to who.

        The most egregious was a Vermont hospital selling my info (in less than a week!) to a VT-based clothing company for pre-pubescent girls.

        reply to this | link to this | view in chronology ]

        • icon
          Toom1275 (profile), 4 Jul 2018 @ 6:18am

          Re: Re: Re: Or

          For gmail addresses, you can make custom valid variants of your address unique to the service you sign up for, so if you start seeing spam, you know who sold you out.

          For example:

          say you have your gmail accout BHarv@gmail.com

          Sign up for the hospital with BHarv+VTHosp@gmail.com
          Register for a one-time thing with BHarv+OneTime1234@gmail.com

          Messages sent to those two plus-addresses will still be received by the main email, but if you start getting spam from VT girl clothes company, then you'd likely see them being sent to BTHarv+VTHosp@gmail.com.

          reply to this | link to this | view in chronology ]

          • icon
            Toom1275 (profile), 4 Jul 2018 @ 1:07pm

            Re: Re: Re: Re: Or

            edit: I didn't expect the example email address I made up for that comment to become a clickable link. I don't know where, if anywhere, that link leads.

            reply to this | link to this | view in chronology ]

            • icon
              The Wanderer (profile), 5 Jul 2018 @ 4:37am

              Re: Re: Re: Re: Re: Or

              As mouseover of the link will reveal, it's a mailto: URL (instead of, e.g., a http: URL); it will open in the configured default mail client, to compose an E-mail to that E-mail address.

              (Which does mean that, if that's a valid E-mail address, you just exposed it to the bots which crawl the Web looking for addresses to spam.)

              reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 3 Jul 2018 @ 7:59am

      Re: Or

      Also, check the document for any spelling errors, and inconsistent phrasing, and preferably several other peoples copies to look for text based copy marking.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 3 Jul 2018 @ 8:38am

      Re: Or

      IME, the best way to get the goat of someone like you is to point out that you probably increasing the chance that they will put surveillance on you by doing all that. Especially since anyone speaking out like this almost certainly isn't really doing anything they would care about - not that this would stop them from collecting your info in their indiscriminate trawling of Internet data, but their algorithmic approach to detecting things of interest means that they only notice anomalies - like someone trying to spoof them.

      You might want to believe they are looking for what you are doing, but trust me, they aren't. Individual political agitators aren't on their radar, not because they are upholding some great ideals about democracy (no sane person actually believes popular government is, or has ever been, a real or even possible thing - governments and corporations are, by nature, headless bureaucracies in which the official leaders have no actual standing and no individual or specific group of individuals decide anything), but because you simply don't count (see immediately previous rant on the illusion of individual agency).

      Really, your best defense is to be as blatant as possible, all the time, getting them to watch you for a while before they write you off as a crank (the 'California Cocaine Smugglers Truck' ploy, a form of Kansas City Shuffle where you get the police to search your empty vehicle so often that they stop bothering). Do You Believe That?™

      reply to this | link to this | view in chronology ]

  • This comment has been flagged by the community. Click here to show it
    identicon
    Anonymous Coward, 2 Jul 2018 @ 8:03pm

    Next you'll learn about the EXIF of digital cameras!

    "Reality" was a careless idiot, and worse because didn't actually have anything. -- There was NO "whistle-blowing", just an idiot who thought she'd damage Trump politically.

    reply to this | link to this | view in chronology ]

    • icon
      Madd the Sane (profile), 2 Jul 2018 @ 8:13pm

      Re: Next you'll learn about the EXIF of digital cameras!

      EXIF metadata can be scrubbed. It's a bit harder to scrub the same data from a printed document.

      And what does Trump and Hillary have to do with this article?

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 2 Jul 2018 @ 9:47pm

        Re: Re: Next you'll learn about the EXIF of digital cameras!

        But...but...but...what about OBAMA?!

        reply to this | link to this | view in chronology ]

      • icon
        PaulT (profile), 3 Jul 2018 @ 1:01am

        Re: Re: Next you'll learn about the EXIF of digital cameras!

        Nothing. But, he has to play team sports and pretend he knows more than anybody else, even though there's obvious and immediate differences!

        He really is the kind of fool who will gladly support mass surveillance and stripping of rights, so long as it's the right team doing it.

        reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 3 Jul 2018 @ 5:10am

        Re: Re: Next you'll learn about the EXIF of digital cameras!

        EXIF metadata can be scrubbed.

        Until governments pressure camera makers to encode the serial number in some other, hidden, way, like they did with printers. Maybe it's already happened-did anyone check?

        reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 2 Jul 2018 @ 8:31pm

      Re: Next you'll learn about the EXIF of digital cameras!

      Trump's still not going to let you suck him off, blue.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 2 Jul 2018 @ 10:04pm

      Re: Next you'll learn about the EXIF of digital cameras!

      Obama!

      Drink!

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 3 Jul 2018 @ 5:20am

    We need an OpenWRT for printers

    Printer firmware is awful, not just because of tracking dots. It's usually outdated, and likely totally insecure (as soon as someone cares to look - stay tuned!). The ideal solution is a firmware-replacement project like CHDK or OpenWRT. We could make sure these things all support TLS, SSH, IPv6, PostScript, PDF and printing status feedback, without vendor-specific drivers needed on the PC, and that they get security updates. "Enterprise" UI features, like swipe-card-based printing (it's crazy overpriced now), would be easy to add.

    reply to this | link to this | view in chronology ]

    • icon
      Gary (profile), 3 Jul 2018 @ 6:06am

      Re: We need an OpenWRT for printers

      That would be an IP minefield. Patents on the "inventions" you want to add, license on the psotscript, copyright on the existing firmware (it's encrypted!), and the hardware on printers varies radically.

      You don't own your printer any more than you own your farm tractor.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 3 Jul 2018 @ 7:17am

        Re: Re: We need an OpenWRT for printers

        Patents on the "inventions" you want to add

        Maybe, but with that attitude we should just stop writing software. We could say the same about Linux, OpenWRT, and everything else. (None of the stuff I mentioned was an "invention" either; they were trivial combinations of existing technologies, not patentable under Alice.)

        license on the psotscript

        PostScript 3, the newest version, is 21 years old--so no patent concerns. We just need a free engine, like Ghostscript. (Trademark might apply... it may be why Brother calls theirs "BR Script".)

        copyright on the existing firmware (it's encrypted!),

        It wouldn't use copyrighted parts, so only DMCA-type laws would matter. The reverse-engineering could be done outside the USA, and/or anonymously. (Do all vendors encrypt it? Encrypted firmware is rare in other consumer electronics like routers.)

        the hardware on printers varies radically.

        That could be a huge problem. Although, things like paper-feeders can't be hugely complicated, and once we figure out the forward/reverse commands the same algorithms should apply everywhere. Linux might already run on the SoC, with support for GPIO, USB host, ...

        The imaging parts would be the main challenge. I'd start with a common model of black-and-white laser, ideally something available new and used with replacement parts (toners, drums) still current; and with a color version in the same product line.

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 3 Jul 2018 @ 7:54am

          Re: Re: Re: We need an OpenWRT for printers

          Actually the low level hardware should be easy to drive, as it is number of steps per revolution, or encoder counts per revolution etc. or even just on/off control, along with optical or other presence sensors. What can be more tricky is figuring out how to drive any interface chips on the board, up to and including any FPGAs, which may provide functionality to generate pixel arrays.

          That is given the document, turning it into pixels is a well solved problem, as that is what is done to display it on screen. The motor and sensor level of controlling the machine is also a well solved problem, though time constraints on the software exists. The magic that needs figuring out is any and all hardware assists and ancillary processors on the board to help with those two tasks.

          reply to this | link to this | view in chronology ]

          • identicon
            Anonymous Coward, 3 Jul 2018 @ 8:11am

            Re: Re: Re: Re: We need an OpenWRT for printers

            That is given the document, turning it into pixels is a well solved problem

            Wikipedia says cheap printers don't even do it. (The printer driver sends pixels.)

            How about turning those into an electric charge on the drum? Apparently the laser hits it via a rotating mirror, and the laser needs to be switched on and off at up to 65 MHz to make an image, then it needs to be repeated for the next line. It doesn't sound easy (though any optics lab will be doing crazier stuff with lasers), and I'm not expecting a "standard" interface there.

            reply to this | link to this | view in chronology ]

            • identicon
              Anonymous Coward, 3 Jul 2018 @ 9:06am

              Re: Re: Re: Re: Re: We need an OpenWRT for printers

              Wikipedia says cheap printers don't even do it. (The printer driver sends pixels.)

              So, the document still needs to be turned into pixels, and it does not really matter where that is done, and you do not want to be using the proprietary drivers.

              and the laser needs to be switched on and off at up to 65 MHz

              And that is where what I call magic happens, probably an FPGA, fast memory and DMA into and out of its buffers. That is specialized hardware. These days it might be easier to build a new controller using FPGAs, and use the ARM libraries to implement your own processor on board. How to control micros and lasers is well known, and in principle standard control algorithms, doing it fast enough be a challenge.

              Thinking on it, you probably do not want to use any programmable device supplied by the printer manufacturer, as they are ideal places to hide the document marking. Interestingly these days, with the cheap board houses, and free software, even getting a multilayer board designed and made is possible for an individual to carry out.

              reply to this | link to this | view in chronology ]

              • identicon
                Anonymous Coward, 3 Jul 2018 @ 9:40am

                Re: Re: Re: Re: Re: Re: We need an OpenWRT for printers

                Thinking on it, you probably do not want to use any programmable device supplied by the printer manufacturer, as they are ideal places to hide the document marking.

                Maybe if your adversary is the NSA. This seems to be each printer manufacturer adding trackers (each is different), at government request. Worrying that the hardware itself will add trackers seems over-paranoid (and if we're this paranoid, can you trust "cheap board houses"?). It's almost certainly done in the firmware.

                Once you're creating your own boards, you might as well create a whole printer. There are open 3D printers, just not 2D.

                reply to this | link to this | view in chronology ]

                • identicon
                  Anonymous Coward, 3 Jul 2018 @ 10:08am

                  Re: Re: Re: Re: Re: Re: Re: We need an OpenWRT for printers

                  When an FPGA is in use, it is programmable hardware, and that is where tracking can be implemented. As to the board houses, all you get them to do is make the circuit board. You get, solder on and program your own devices, so there is no need to trust the board house. Full surface mount assembly can be carried out in the home shop, just add a temperature controller to a toaster oven, and it helps if you get the board house to make the solder stencil for you.

                  The difficult to build parts of a laser printer are the optical system, and the paper transport mechanism, which are purely mechanical systems, and they come with a reasonable case as well. This can be much cheaper, and quicker than designing building and debugging several iterations of the hardware to get it right.

                  reply to this | link to this | view in chronology ]

                  • identicon
                    Anonymous Coward, 3 Jul 2018 @ 11:36am

                    Re: Re: Re: Re: Re: Re: Re: Re: We need an OpenWRT for printers

                    When an FPGA is in use, it is programmable hardware, and that is where tracking can be implemented.

                    Yeah, but why would you upload a tracking-enabled bitstream into it? For the attack to work, the FPGA would have to say it accepted your open-source bitstream, while actually leaving some tracking code active. That would have to be done in hardware--or by some persistent bitstream, but most FPGAs don't persist. Why would the manufacturer go to such lengths to stop you from avoiding tracking, when people aren't even replacing firmware now?

                    Full surface mount assembly can be carried out in the home shop

                    I forgot about that. Even pick-and-place machines aren't expensive now. You're right, if the board shop doesn't handle the chips, it will be hard for them to subvert the system.

                    Interestingly, it's not that difficult to etch boards at home either. It just takes some acid and... a laser printer (should we worry about the whole "trusting trust" thing?).

                    reply to this | link to this | view in chronology ]

                    • identicon
                      Anonymous Coward, 3 Jul 2018 @ 12:31pm

                      Re: Re: Re: Re: Re: Re: Re: Re: Re: We need an OpenWRT for printers

                      Home made boards are limited to single sided, or double sided without the plate through holes. Especially for surface mount chips, and very high speed operations, more layers are required to deal with the connection density, and transmission line aspects of high speed signals. Serial data transfers, using multiple serial channels for more capacity have become the norm because they make it much easier to build a working system, as they do not require tight timing tolerances between signal paths.

                      Yeah, but why would you upload a tracking-enabled bitstream into it?

                      Because you only option may be to upload the manufacturers bit stream, because you cannot identify the device in use, and because reverse engineering such bitstreams is even harder than reverse engineering machine code. A gate level description is not much use for recognizing larger scale functional blocks like processors. That is why I said build a new board.

                      reply to this | link to this | view in chronology ]

                      • identicon
                        Anonymous Coward, 3 Jul 2018 @ 2:02pm

                        Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: We need an OpenWRT for printers

                        Because you only option may be to upload the manufacturers bit stream, because you cannot identify the device in use, and because reverse engineering such bitstreams is even harder than reverse engineering machine code.

                        Ok, makes sense, but I hope we can avoid the wifi-firmware situation of having to work with binary blobs (only one chip family, ath9k, had open firmware—it's getting a bit old, but still obtainable and popular with RF researchers).

                        That said, you can extract the bitstream from multiple printers and make sure they're all identical. If so, and if the FPGA specifications don't list a serial numbering capability (and there are no i²c or other persistent devices attached), and all evidence of tracking disappears when we rasterize the image ourselves... then there's probably no tracking, at that level.

                        reply to this | link to this | view in chronology ]

                • identicon
                  Anonymous Coward, 3 Jul 2018 @ 10:25am

                  Re: Re: Re: Re: Re: Re: Re: We need an OpenWRT for printers

                  To be fair, if you're a political activist then your opponents will always be those supporting the current government. In which case, you must do all you can to remain anonymous, or at least personally remain off TLA radar scopes. As once you become a nuisance, bringing down the attention and might of those agencies against individuals is like shooting fish in a barrel.

                  reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 3 Jul 2018 @ 5:21am

    People still use printers?

    reply to this | link to this | view in chronology ]

  • icon
    Bamboo Harvester (profile), 3 Jul 2018 @ 7:51am

    Tech revealed

    Now that it's "in the wild", I can see this becoming a sticking point in court cases, just like Stingray use and Breathalyzer technical specs.

    Defense attorneys are going to start seeking full Discovery on all cases involving printed documents on the tracking method, system, and encryption methods.

    It'll be interesting to see what makes and models cause Dismissal - those will be the ones with currently undiscovered tracking systems.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 3 Jul 2018 @ 8:39am

    Somebody Should Print a List...

    ...of all the classes of devices you don't really own, even tho' you thought you'd bought one.

    reply to this | link to this | view in chronology ]

  • icon
    lars626 (profile), 3 Jul 2018 @ 1:47pm

    Inkjet?

    Are they doing this with inkjet printers too, or is it just lasers?

    In any case; pickup a printer cheap at a garage sale.
    Wait six months to use it, nobody will remember you then.
    Print black and white and leave out the color cartridges if it has them.

    Maybe I should have kept that Epson dot-matrix printer.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Special Affiliate Offer
Anonymous number for texting and calling from Hushed. $25 lifetime membership, use code TECHDIRT25
Report this ad  |  Hide Techdirt ads
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.