Schneier on Security
A blog covering security and security technology.
« Passport Required to Use the Internet in Italy |
| UK Terrorism Law Used for Non-Terrorism Purposes »
October 19, 2005
Secret Forensic Codes in Color Laser Printers
Many color laser printers embed secret information in every page they print, basically to identify you by. Here, the EFF has cracked the code of the Xerox DocuColor series of printers.
The DocuColor series prints a rectangular grid of 15 by 8 miniscule yellow dots on every color page. The same grid is printed repeatedly over the entire page, but the repetitions of the grid are offset slightly from one another so that each grid is separated from the others. The grid is printed parallel to the edges of the page, and the offset of the grid from the edges of the page seems to vary. These dots encode up to 14 7-bit bytes of tracking information, plus row and column parity for error correction. Typically, about four of these bytes were unused (depending on printer model), giving 10 bytes of useful data. Below, we explain how to extract serial number, date, and time from these dots. Following the explanation, we implement the decoding process in an interactive computer program.
Because of their limited contrast with the background, the forensic dots are not usually visible to the naked eye under white light. They can be made visible by magnification (using a magnifying glass or microscope), or by illuminating the page with blue instead of white light. Pure blue light causes the yellow dots to appear black. It can be helpful to use magnification together with illumination under blue light, although most individuals with good vision will be able to see the dots distinctly using either technique by itself.
EDITED TO ADD: News story here.
EDITED TO ADD: And another.
Posted on October 19, 2005 at 8:12 AM
• 46 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I am surprised I have never heard of this before. What do you think would be the public's reaction to this?
It wasn't a big secret that it was there, I'd certainly never seen anyone explain what form it takes before.
This will be (and probably is) a superb tool to aid forensic document analysis in criminal cases. Pareticulalrly as there seems to be hardly any compromises with regards to printed image quality.
I must say though that the title of the trackback"... a way for the government to track your documents" was rather perplexing. I can;t possibly imagine that a random individual's documents are of any more interest to the government than what colour trousers a given person wears on a given day.
The public's reaction will be complete apathy.
The dot pattern is in-band, in the sense that the data (the image printed) and the dots both share the same medium.
Detection might be thwarted if you simply overlay all of the possible dot positions with dots in the printed image. If the printer adjusts to that by XOR-ing the image with the dot pattern then a random pattern can be used.
Another way to thwart detection is to break the evidence trail by buying the printer in cash and in disguise and in an out-of-town place, or steal it, or buy it used and in cash.
Isn't this intended to trace people copying money? Especially those easily copyable US Dollars (even if many machines can detect and stop if asked to copy notes).
However I wonder how much of our valuable ink is used to produce these dots? Must be environmentally unfriendly over time!
All of which explains why my yellow cartridge seems to evaporate even when I'm only doing b/w text printouts...
The worry is more about what the gov will do with groups that it doesn't like. Imagine if Martin Luther had used one of those printers. Or Benjamin Franklin. Or any group that prints the truths the government doesn't want published.
It's like CM said, to keep people from copying currency. It's probably how they found out a bunch of Columbia U. students were circulating copies of $20 bills just around Xmas a few years back...
I personally have no problem with this. Forensic analysis can usually trace back a document to a printer due to small discrepancies in the drum or fuser, now it's just a bit easier. I can also see how this could be useful to organizations tracking leaks of confidential/secret documents since we can see exactly which printer was used.
I think the only objection was that it was done w/o the public's knowledge.
@stewash -- I remember seeing articles about this months, if not years ago.
To me this is a serious privacy issue.
The US government has secretly asked to insert tracking codes on every printed pages. I really prefer to naively believe this was done specifically for money copying problems.
Whatever the original intent was, the fact is that tracking codes are systematically inserted without your knowledge and without your consent.
Add to that a weak and easily forgeable coding scheme. Yuk.
Where else does the US government has asked to put secret/hidden tracking codes?
Next thing you know everyone will be wearing RFIDs, surveillance cameras will be everywhere, and why not, you will be required to also wear your personnal blackbox, recording everything, at all time.
But eh! this is for the better of the community!
"... any more interest to the government than what colour trousers a given person wears on a given day."
And thanks to RFID being embedded in clothing, they know that too.
But seriously, consider the case of the corporate (or government) whistle-blower who prints out and incriminating email or document. If the evil-doers can get ahold of the printout, it's almost trivial to reconstruct when and where it was printed, and therefore significantly narrow down the person who leaked the information and punish them. A certain amount of "anonymous" data is a good safeguard for society.
(Also, it's unlikely that our hypothetical whistle-blower would be able to sneak in an "untraceable" printer.)
Does anyone know if this type of identification is admissable in court? Should it be?
Good question. I believe it has been used extensively in investigations, but have not heard/seen any specific court references to the technology.
Note: this is not new at all.
There was a big blow-up about it late last year, and I believe it was in the news the year before related to catching a suspect in a high-profile case. When I have some more time I'll see if I can dig up the actual story.
In the meantime, here's a good reference:
"Laser-printing technology makes it incredibly easy to counterfeit money and documents, and [senior research fellow at Xerox] Crean says the dots, in use in some printers for decades, allow law enforcement to identify and track down counterfeiters.
However, they could also be employed to track a document back to any person or business that printed it. Although the technology has existed for a long time, printer companies have not been required to notify customers of the feature.
Lorelei Pagano, a counterfeiting specialist with the U.S. Secret Service, stresses that the government uses the embedded serial numbers only when alerted to a forgery. 'The only time any information is gained from these documents is purely in [the case of] a criminal act,' she says."
As far as I can tell, this only applies to color laser printers.
Are ink-jet printers affected?
I have a vague recollection that this was worked out with the U.S. Treasury Dept. back when color copiers started to be good enough to make fake securities, currency (good enough to fool a bill changer), etc.
It traces the machine, not the user, of course. I wonder what a second-generation copy does. It must not see the glyph on the first copy and make a new one, you think?
There's a whole lot of underhand stuff embedded in printers, scanners and image-manipulation software. Much currency has a special pattern [nicknamed the EURion Constellation"] appearing on it - this is detected by some image-processing software [Adobe, Paint Shop Pro] and if you try to open such documents you are referred to http://www.rulesforuse.org/ where you get a homily on the evils of currency counteirfeiting.
Its more then
'The only time any information is gained from these documents is purely in [the case of] a criminal act,' she says." Lorelei Pagano
So the counter responses will be to a)avoid the tracking printer technology b) use older untraceable technologies and or c) simply mass produce on a scale such that it would be impossible to link back to original source printer technology (unless they are all unique? Questionable whether someone could prove beyond a reasonable doubt someone used a printer unless their biometric was also obstensibly embedded into the documents. Who would submit to these sorts of intrusions? Think of the broader privacy & security concerns and issues. Counterfeiting aside maybe they should upgrade the US money faster rather then waiting a dozen years for the criminals to catch on.
If the only excuse for this is currency counterfeiting, the simple solution is to make currency that isn't so easily copied with a $300 printer. US currency in particular is among the easiest to duplicate. I noticed on a recent trip to Canada that they have all sorts of neat things like Braille and metallic strips that aren't so easily copied with a printer.
Strange, I thought everyone knew about this. Everyone who watched CSI Miami last season anyway.
And yes, the evidence is admissible in court. That's why the time/date stamp is there...not that this can't be duped.
Remember back when subversive people didn't have the budget for color printing? Seriously, if you think about it, counterfeiting seems to be a much bigger target of this scheme than tracking down government dissidents. What I'm waiting for is for someone to figure out how to "mod" the chip in the printer so that one can spoof another printer. All it it takes is the technology to exist and then the utility of the tracking dots becomes much less valuable.
"The US government has secretly asked to insert tracking codes on every printed pages. I really prefer to naively believe this was done specifically for money copying problems."
This is actually very likely, since AFAIK B&W laser printers do not contain such codes. However, considering the resolution of modern printers, it may not be difficult to hide such things beneath what can be seen with the naked eye or perhaps even a strong magnifying glass.
"simply mass produce on a scale such that it would be impossible to link back to original source printer technology (unless they are all unique?"
I believe the serial number of the printer is included in the encoded information, and so it may be possible to trace where that printer is. At the very least, it can be combined with other evidence to provide corroboration as to means and opportunity.
Stupid question: Could you get the information from the MANUFACTURERS as part of a lawsuit, eg a civil suit involving printed evidence?
When I was working on a classified project in 1995, one of the subcontractors showed me some work being done on another classified project. That project concerned counterfeiting money on laser printers and how to detect it. I didn't get the details on how it worked but the samples I saw were detected easily. They told me that the same fake money fooled all the other equipment and experts.
The fakes looked good to me and I'm sure they have schemes for ink-jets now.
'The only time any information is gained from these documents is purely in [the case of] a criminal act,' she says.
Uh-huh. Like the goalpost of "criminal act" isn't already being shifted ...
You wouldn't happen to know specific examples of it being used in the courts would you?
I'm willing to bet that the technology does already exist.
If not, the capability is within grasp of the sufficiently motivated, talented, or funded. I think the difficulty, or cost, with which such identification remarks are forged is going to be central to arguments about admissibility.
Another interesting thought is the implications in countries without rights to free speech. E.g. antigovermental or religious writings.
After the reading of this message, I am is look at my firewall log (The printer in question has an Ethernet connection). It had already rather been notable me once that there was a line in it coming from the IP address of the printer. After a couple hour a packet has been stored that in the first place a attempt seems indicate that there new toner has been ordered must become. However also in the data comes a stiff data for that by chance corresponds to the number what in the dots stands. When not blocked is the printer thus also to find on basis of the tracing of the IP address.
Just thinking, what if a custom printer driver was made to add in little yellow dots to fill in the missing dots? Since you can't remove the dots, add your own.
Interesting info. I remember HP talking about a next gen system supposed to try and actively detect and prevent printing currency. Here's a link I dug up:
"Measures HP suggested include:
* Multi-level detection and deterrence
* Two-sided documents
* Color detection
* Printer identification
* Government lab"
I liked this quote:
"'We had to have a solution that was inexpensive, and it had to be unobtrusive,' says HP Labs researcher Henry Sang. 'Nobody's going to pay an extra $50 for a printer because it prevents counterfeiting, and they're not going to buy one that won't print green or that prints three times slower because it's trying to detect a counterfeit.'"
How true. Security enhancements never seem to be popular when you introduce them as "pay a lot more to do less".
People still try to forge the Australian notes. Especially the seldom-seen $100 note.
All Australian notes have the dot-pattern mentioned above that will not allow the notes to be scanned or printed on many devices. It's quite a fun exercise to try to spot them.
the Reserve Bank of Australia and the CSIRO hold about 25 patents regarding polymer banknotes, and Australia is the largest manufacturer and exporter of polymer currency in the world.
"The most obvious distinguishing feature of most NPA notes is a window - a transparent disc, seen on both sides of the note, that can be coloured, embossed or left plain. This is an important security element because the transparency cannot be photocopied, a favourite method of counterfeiting.
Conveniently, polymer notes are also printed on the same machines used for paper ones. This means note designers can still use intaglio, the engraving process that creates texture - another protection against photocopying. Security features are the chief selling point but using polymer is cheaper, too. Although the advance costs are greater - to produce a polymer note costs about double its paper equivalent - acentral bank's costs are smaller because polymer notes last longer.
Polymer is more durable partly because, unlike paper, it is not porous and therefore does not absorb sweat, bacteria or dirt. This also makes NPA notes more hygienic and helps preserve the sharpness of security features. When they are accidentally put through the washing machine, they just come out cleaner.
When Australia's $10 notes were printed on paper, they had to be replaced every eight months. Polymer ones last at least 30 months. And, once withdrawn from circulation, they are melted, broken down into granules and sold to make plastic gardening equipment. Paper notes have to be burnt or buried."
Is that why I feel so excited in the gardening section at Bunnings ? :-)
@stewarsh: "Forensic analysis can usually trace back a document to a printer due to small discrepancies in the drum or fuser, now it's just a bit easier."
No, it's at a whole new level. In the above situation the document itself doesn't point to a specific printer so a priori knowledge (probable cause, if you will) of what printer to test is required.
In the embedded dot situation the printer itself is identified, and the document itself might be construed as probable cause for further action. As others have mentioned, consider the ramifications of this for anonymity in free speech.
It should be noted that professional criminals will probably know about this, and will find ways to hide their tracks. The most likely to be caught by such a scheme are actually innocents: whistle-blowers and political opposition groups who are naive enough to believe in what the constitution says about free speech. It is extremely worrying that the government can impose such Orwellian measures, with private companies complying without a whim, and hardly anybody notices. Depressing, to say the least.
I imagine totalitarian and communist societies in China, North Korea, and Cuba will find great use for tracking the flow of information.
Each day the United States grows closer to regulating information in the same manner that the former Soviet Union could only dream of.
The first thing that occurred to me when I saw this was; it only affects honest people.
As happens in cases where gun registration is implemented to reduce gun crime, people who intend to commit a crime using such a printer will not legally buy it in a traceable manner. Instead they will simply steal it or buy it from a non-legal source. Therefore this is useless as a crime prevention measure.
My first thought was that this is a remarkably inefficient code. They have used 98 data bits (plus 22 parity bits) to store just 53 bits of information (~26 bits of time/date and ~27 bits of serial number).
Also by storing it in such a simple format, they made reverse engineering a lot easier than it needed to be, plus made tampering relatively simple, and allowing access to random snoops (who shouldn't have access) as well as Secret Service snoops (who should, but only under carefully guarded sufferance).
I would have concatenated the top 26 bits of Unix epoch time with 38 zero bits, and encrypted with simple 64 bit block cipher iterated enough times for encryption to take about 1/10 second. The machine key would be a hash of the machine serial number and a strong master key. This should keep everyone happy, as it means:
a) anybody without access to the master key, or a database of machine keys, can't tell anything about the watermark, and has low probability of being able to create a new one.
b) extracting a machine key from the printer's firmware only allows you to read watermarks from that specific printer;
c) but with the master key or a database of machine keys:
i) given a printout (e.g. forged banknote) and a machine serial number (i.e. a suspect), you can with high probability prove whether or not that machine did the printout, and if so, at what time (to within a minute); and
ii) given just the printout, but no suspect, it is possible to derive the serial number (and thus a useful "lead" for investigators tracing particular forged notes), but it will take much effort per document (~ 120 days/number of processors used/relative processor power) and thus is not suitable for snoops "trawling" thousands of documents. Also the probability of a random collision is about 1 in 3000 so this method would be useful to investigators but probably could not be used in court without additional corroborative evidence.
Oh, and finally I would have done error correction with a proper ECC instead of mere 2D parity. Actually my first choice would be a wavelet transformed watermark but probably it would be too computationally expensive to embed.
What about replacing your yellow ink with something else, at least for making black and white documents, as one of the above posters said, they wondered why the yellow was going low. Use the old reful kit and use water or something else of ink like viscosity?
Of course, there could become a whole new market for printing pages with nothing but a single period in the lower corner, and then the subsequent trading of those pages among folks for later use. Then you would have overlapping sets of dots. ought to confuse things up a bit eh?
I think you'd probably find that the yellow dot pattern only appears on colour pages. I work with xerox printers, and can say for a fact that at least in the low-mid volume colour copier/printers, up to even the Docucolor 12 (for long time a digital print-room staple) only engage the yellow drum when colour is used. Most of the time the yellow drum will never come into contact with the imaging belt.
@Dylan: "Paper notes have to be burnt or buried."
In Germany, when the Euro was introduced, the old D-Mark notes were not burned. They were shredded and then sold as souvenirs (make nice confetti) or used as heat-isolation in roofs.
NB: If you manage to put together a D-Mark note to at least 50% of its original size, you can still return them to the central bank for a refund.
There's a VERY easy work-around if you don't want the tracking ... simply remove the yellow ink source !!
Instead of a direct defense, has anyone looked at:
A. figuring out where the printer gets the date/time stamps from and changing the input data, i.e. causing the time to be wrong, and
B. techniques to alter the yellow dots. One way would be to run the same sheet through the printer twice, use multiple page orientations, run 1 sheet through two printers, or find a way to remove some yellow dots (the simple checksum is for error checking NOT error correction), or even add extra dots.
Here's an easy work-around:
Take the documents in question to a copy-machine in Staples, etc. make copies of copies of copies.....
There you go... I'm sure they won't be picking anything up.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.