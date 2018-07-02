NY Times, Winner Of A Key 1st Amendment Case... >>
(Mis)Uses of Technology

by Glyn Moody

Mon, Jul 2nd 2018 7:48pm


Researchers Reveal Details Of Printer Tracking Dots, Develop Free Software To Defeat It

As Techdirt has reported previously in the case of Reality Leigh Winner, most modern color laser printers place tiny yellow tracking dots on every page printed -- what Wikipedia calls "printer steganography". The Electronic Frontier Foundation (EFF) first started warning about this sneaky form of surveillance back in 2005. It published a list of printers and whether it was known that they used tracking dots. In 2017, the EFF stopped updating the list, and wrote:

It appears likely that all recent commercial color laser printers print some kind of forensic tracking codes, not necessarily using yellow dots. This is true whether or not those codes are visible to the eye and whether or not the printer models are listed here. This also includes the printers that are listed here as not producing yellow dots.

Despite the EFF's early work in exposing the practice, there has been limited information available about the various tracking systems. Two German researchers at the Technical University in Dresden, Timo Richter and Stephan Escher, have now greatly extended our knowledge about the yellow dot code (via Netzpolitik.org). As the published paper on the work explains, the researchers looked at 1286 printed pages from 141 printers, produced by 18 different manufacturers. They discovered four different encoding systems, including one that was hitherto unknown. The yellow dots formed grids with 48, 64, 69 or 98 points; using the grid to encode binary data, the hidden information was repeated multiple times across the printed page. In all cases the researchers were able to extract the manufacturer's name, the model's serial number, and for some printers the date and time of printing too.

It's obviously good to have all this new information about tracking dots, but arguably even more important is a software tool that the researchers have written, and made freely available. It can be used to obfuscate tracking information that a printer places in one of the four grid patterns, thus ensuring that the hard copy documents cannot easily be used to trace who printed them. Printer manufacturers will doubtless come up with new ways of tracking documents, and may already be using some we don't know about, but this latest work at least makes it harder with existing models.

  • icon
    Anonymous Anonymous Coward (profile), 2 Jul 2018 @ 6:08pm

    Or

    Assuming your document is something juicy that the government does not want revealed due to embarrassment, email your document, using the most current form of encrypted email, from a public computer (library, coffee shop, print center) to someone who does not have a printer and have them take that digital document to someone who has a used printer, bought at a flea market, or Goodwill, or other some such, print the document, then physically take it to a fourth party, who will then (wear gloves for all the physical aspects of this, of course) take it to a Mailboxes R Us location and send it on to a fifth party (no return address, I have been told that no return address is illegal but I have sent a whole lot of mail with no return address that was received by the sent to party), who will then swap the mailing envelope and return it to you via some sort of physical mail or messenger. Then you can submit your documents to whomever you want that doesn't have a printer. That makes 5 co-conspirators, which is pretty dangerous, even if they are hard to track.

    Or, you could just use a public library computer (wearing your Halloween costume, only on Halloween, which is the only date to do such things, except April 1st) and send it via encrypted email (no need for printers on your end) to someone like Wikileaks, or The Intercept, or the New York Times, or...well there are a lot of places who would love to receive it, and a lot of government types who would love to meet you. Up close and personal like.

    Any better methods?

    BTW, I have a serious complaint about printer manufacturers adding something I did not intend to my printed photographs. They are works of art, and I object to their trying to infringe upon my copyright by adding, surreptitiously their art to my art. Could we DMCA these dot?

    reply to this | link to this | view in chronology ]

    • icon
      Anonymous Anonymous Coward (profile), 2 Jul 2018 @ 7:03pm

      Re: Or

      Almost forgot, use a VPN for all computer related transactions. If you go the the library, make sure you take you logon information with you.

      reply to this | link to this | view in chronology ]

    • identicon
      teka, 2 Jul 2018 @ 11:35pm

      Re: Or

      Lots of co-conspirators. Or should I say... Terrorist cell members. Sounds like classic "conspiracy to be shot in a heroic gun battle where only another terrorist would dare point out that you were unarmed and cooperating" /s

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 3 Jul 2018 @ 5:08am

      Re: Or

      no return address, I have been told that no return address is illegal but I have sent a whole lot of mail with no return address that was received by the sent to party

      Protip: putting a fake apartment number is an easy way to make a fake address. Ex: find a 4-story building in the city it will be mailed from, write "Apt. 503" at its address. Postal databases have lists of valid street addresses, but usually not apartment numbers.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 3 Jul 2018 @ 6:21am

        Re: Re: Or

        It's not a "pro tip" unless you're actually a pro.

        reply to this | link to this | view in chronology ]

      • icon
        Bamboo Harvester (profile), 3 Jul 2018 @ 7:48am

        Re: Re: Or

        I always put an apartment number on any documents I'm forced to give a mailing address for.

        They still get delivered to me, but it lets me see who is selling my information to who.

        The most egregious was a Vermont hospital selling my info (in less than a week!) to a VT-based clothing company for pre-pubescent girls.

        reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 3 Jul 2018 @ 7:59am

      Re: Or

      Also, check the document for any spelling errors, and inconsistent phrasing, and preferably several other peoples copies to look for text based copy marking.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 3 Jul 2018 @ 8:38am

      Re: Or

      IME, the best way to get the goat of someone like you is to point out that you probably increasing the chance that they will put surveillance on you by doing all that. Especially since anyone speaking out like this almost certainly isn't really doing anything they would care about - not that this would stop them from collecting your info in their indiscriminate trawling of Internet data, but their algorithmic approach to detecting things of interest means that they only notice anomalies - like someone trying to spoof them.

      You might want to believe they are looking for what you are doing, but trust me, they aren't. Individual political agitators aren't on their radar, not because they are upholding some great ideals about democracy (no sane person actually believes popular government is, or has ever been, a real or even possible thing - governments and corporations are, by nature, headless bureaucracies in which the official leaders have no actual standing and no individual or specific group of individuals decide anything), but because you simply don't count (see immediately previous rant on the illusion of individual agency).

      Really, your best defense is to be as blatant as possible, all the time, getting them to watch you for a while before they write you off as a crank (the 'California Cocaine Smugglers Truck' ploy, a form of Kansas City Shuffle where you get the police to search your empty vehicle so often that they stop bothering). Do You Believe That?™

      reply to this | link to this | view in chronology ]

    identicon
    Anonymous Coward, 2 Jul 2018 @ 8:03pm

    Next you'll learn about the EXIF of digital cameras!

    "Reality" was a careless idiot, and worse because didn't actually have anything. -- There was NO "whistle-blowing", just an idiot who thought she'd damage Trump politically.

    reply to this | link to this | view in chronology ]

    • icon
      Madd the Sane (profile), 2 Jul 2018 @ 8:13pm

      Re: Next you'll learn about the EXIF of digital cameras!

      EXIF metadata can be scrubbed. It's a bit harder to scrub the same data from a printed document.

      And what does Trump and Hillary have to do with this article?

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 2 Jul 2018 @ 9:47pm

        Re: Re: Next you'll learn about the EXIF of digital cameras!

        But...but...but...what about OBAMA?!

        reply to this | link to this | view in chronology ]

      • icon
        PaulT (profile), 3 Jul 2018 @ 1:01am

        Re: Re: Next you'll learn about the EXIF of digital cameras!

        Nothing. But, he has to play team sports and pretend he knows more than anybody else, even though there's obvious and immediate differences!

        He really is the kind of fool who will gladly support mass surveillance and stripping of rights, so long as it's the right team doing it.

        reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 3 Jul 2018 @ 5:10am

        Re: Re: Next you'll learn about the EXIF of digital cameras!

        EXIF metadata can be scrubbed.

        Until governments pressure camera makers to encode the serial number in some other, hidden, way, like they did with printers. Maybe it's already happened-did anyone check?

        reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 2 Jul 2018 @ 8:31pm

      Re: Next you'll learn about the EXIF of digital cameras!

      Trump's still not going to let you suck him off, blue.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 2 Jul 2018 @ 10:04pm

      Re: Next you'll learn about the EXIF of digital cameras!

      Obama!

      Drink!

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 3 Jul 2018 @ 5:20am

    We need an OpenWRT for printers

    Printer firmware is awful, not just because of tracking dots. It's usually outdated, and likely totally insecure (as soon as someone cares to look - stay tuned!). The ideal solution is a firmware-replacement project like CHDK or OpenWRT. We could make sure these things all support TLS, SSH, IPv6, PostScript, PDF and printing status feedback, without vendor-specific drivers needed on the PC, and that they get security updates. "Enterprise" UI features, like swipe-card-based printing (it's crazy overpriced now), would be easy to add.

    reply to this | link to this | view in chronology ]

    • icon
      Gary (profile), 3 Jul 2018 @ 6:06am

      Re: We need an OpenWRT for printers

      That would be an IP minefield. Patents on the "inventions" you want to add, license on the psotscript, copyright on the existing firmware (it's encrypted!), and the hardware on printers varies radically.

      You don't own your printer any more than you own your farm tractor.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 3 Jul 2018 @ 7:17am

        Re: Re: We need an OpenWRT for printers

        Patents on the "inventions" you want to add

        Maybe, but with that attitude we should just stop writing software. We could say the same about Linux, OpenWRT, and everything else. (None of the stuff I mentioned was an "invention" either; they were trivial combinations of existing technologies, not patentable under Alice.)

        license on the psotscript

        PostScript 3, the newest version, is 21 years old--so no patent concerns. We just need a free engine, like Ghostscript. (Trademark might apply... it may be why Brother calls theirs "BR Script".)

        copyright on the existing firmware (it's encrypted!),

        It wouldn't use copyrighted parts, so only DMCA-type laws would matter. The reverse-engineering could be done outside the USA, and/or anonymously. (Do all vendors encrypt it? Encrypted firmware is rare in other consumer electronics like routers.)

        the hardware on printers varies radically.

        That could be a huge problem. Although, things like paper-feeders can't be hugely complicated, and once we figure out the forward/reverse commands the same algorithms should apply everywhere. Linux might already run on the SoC, with support for GPIO, USB host, ...

        The imaging parts would be the main challenge. I'd start with a common model of black-and-white laser, ideally something available new and used with replacement parts (toners, drums) still current; and with a color version in the same product line.

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 3 Jul 2018 @ 7:54am

          Re: Re: Re: We need an OpenWRT for printers

          Actually the low level hardware should be easy to drive, as it is number of steps per revolution, or encoder counts per revolution etc. or even just on/off control, along with optical or other presence sensors. What can be more tricky is figuring out how to drive any interface chips on the board, up to and including any FPGAs, which may provide functionality to generate pixel arrays.

          That is given the document, turning it into pixels is a well solved problem, as that is what is done to display it on screen. The motor and sensor level of controlling the machine is also a well solved problem, though time constraints on the software exists. The magic that needs figuring out is any and all hardware assists and ancillary processors on the board to help with those two tasks.

          reply to this | link to this | view in chronology ]

          • identicon
            Anonymous Coward, 3 Jul 2018 @ 8:11am

            Re: Re: Re: Re: We need an OpenWRT for printers

            That is given the document, turning it into pixels is a well solved problem

            Wikipedia says cheap printers don't even do it. (The printer driver sends pixels.)

            How about turning those into an electric charge on the drum? Apparently the laser hits it via a rotating mirror, and the laser needs to be switched on and off at up to 65 MHz to make an image, then it needs to be repeated for the next line. It doesn't sound easy (though any optics lab will be doing crazier stuff with lasers), and I'm not expecting a "standard" interface there.

            reply to this | link to this | view in chronology ]

            • identicon
              Anonymous Coward, 3 Jul 2018 @ 9:06am

              Re: Re: Re: Re: Re: We need an OpenWRT for printers

              Wikipedia says cheap printers don't even do it. (The printer driver sends pixels.)

              So, the document still needs to be turned into pixels, and it does not really matter where that is done, and you do not want to be using the proprietary drivers.

              and the laser needs to be switched on and off at up to 65 MHz

              And that is where what I call magic happens, probably an FPGA, fast memory and DMA into and out of its buffers. That is specialized hardware. These days it might be easier to build a new controller using FPGAs, and use the ARM libraries to implement your own processor on board. How to control micros and lasers is well known, and in principle standard control algorithms, doing it fast enough be a challenge.

              Thinking on it, you probably do not want to use any programmable device supplied by the printer manufacturer, as they are ideal places to hide the document marking. Interestingly these days, with the cheap board houses, and free software, even getting a multilayer board designed and made is possible for an individual to carry out.

              reply to this | link to this | view in chronology ]

              • identicon
                Anonymous Coward, 3 Jul 2018 @ 9:40am

                Re: Re: Re: Re: Re: Re: We need an OpenWRT for printers

                Thinking on it, you probably do not want to use any programmable device supplied by the printer manufacturer, as they are ideal places to hide the document marking.

                Maybe if your adversary is the NSA. This seems to be each printer manufacturer adding trackers (each is different), at government request. Worrying that the hardware itself will add trackers seems over-paranoid (and if we're this paranoid, can you trust "cheap board houses"?). It's almost certainly done in the firmware.

                Once you're creating your own boards, you might as well create a whole printer. There are open 3D printers, just not 2D.

                reply to this | link to this | view in chronology ]

                • identicon
                  Anonymous Coward, 3 Jul 2018 @ 10:08am

                  Re: Re: Re: Re: Re: Re: Re: We need an OpenWRT for printers

                  When an FPGA is in use, it is programmable hardware, and that is where tracking can be implemented. As to the board houses, all you get them to do is make the circuit board. You get, solder on and program your own devices, so there is no need to trust the board house. Full surface mount assembly can be carried out in the home shop, just add a temperature controller to a toaster oven, and it helps if you get the board house to make the solder stencil for you.

                  The difficult to build parts of a laser printer are the optical system, and the paper transport mechanism, which are purely mechanical systems, and they come with a reasonable case as well. This can be much cheaper, and quicker than designing building and debugging several iterations of the hardware to get it right.

                  reply to this | link to this | view in chronology ]

                • identicon
                  Anonymous Coward, 3 Jul 2018 @ 10:25am

                  Re: Re: Re: Re: Re: Re: Re: We need an OpenWRT for printers

                  To be fair, if you're a political activist then your opponents will always be those supporting the current government. In which case, you must do all you can to remain anonymous, or at least personally remain off TLA radar scopes. As once you become a nuisance, bringing down the attention and might of those agencies against individuals is like shooting fish in a barrel.

                  reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 3 Jul 2018 @ 5:21am

    People still use printers?

    reply to this | link to this | view in chronology ]

    identicon
    Ritika Vijayavargi, 3 Jul 2018 @ 6:17am

    Appraisal

    Nice one dude
    Well explained

    reply to this | link to this | view in chronology ]

  • icon
    Bamboo Harvester (profile), 3 Jul 2018 @ 7:51am

    Tech revealed

    Now that it's "in the wild", I can see this becoming a sticking point in court cases, just like Stingray use and Breathalyzer technical specs.

    Defense attorneys are going to start seeking full Discovery on all cases involving printed documents on the tracking method, system, and encryption methods.

    It'll be interesting to see what makes and models cause Dismissal - those will be the ones with currently undiscovered tracking systems.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 3 Jul 2018 @ 8:39am

    Somebody Should Print a List...

    ...of all the classes of devices you don't really own, even tho' you thought you'd bought one.

    reply to this | link to this | view in chronology ]


