On Monday afternoon, The Intercept published a bombshell story: “Top-secret NSA report details Russian hacking effort days before 2016 election.” The story — later confirmed by CBS — reveals that “Russian military intelligence executed a cyberattack on at least one U.S. voting software supplier and sent spear-phishing emails to more than 100 local election officials just days before last November’s presidential election, according to a highly classified intelligence report obtained by The Intercept,” and includes PDFs of the NSA’s report.
The story is a potentially huge one, providing the most evidence we’ve seen thus far that the Russian government attempted to influence the outcome of the U.S. election in ways beyond just spreading misinformation (and Russian president Vladimir Putin had even denied his government’s role in that). But another story is emerging around The Intercept’s story as well: By Monday evening, a 25-year-old federal contractor, Reality Leigh Winner, was charged with leaking the documents (the first criminal leak case under Trump). If Winner was indeed The Intercept’s source, there are questions about whether The Intercept could have done more to protect her — starting with those PDFs it published as part of its story.
And THIS is why I've been trying to get all of you to use security keys— the only thing that foils this method. Get a blue Yubikey, $17.99. https://t.co/RevnYlA9Bc
— Zeynep Tufekci (@zeynep) June 6, 2017
The PDFs include a matrix of microdots — printer steganography — that can be used to trace a printed page back to the specific printer, and the time, that produced it, as Ted Han (@knowtheory), the director of technology at DocumentCloud (whose platform The Intercept used to embed the PDFs in its story), pointed out Monday. And some of the pages were creased.
oh wow, @knowtheory just pointed out the microdots on the first and last page of the intercept's docs. printer dots kill puppies, folks. pic.twitter.com/w8qxJ9zvhf
— Quinn's internet 👻 (@quinnnorton) June 6, 2017
The date in the microdots is 6:20 2017/05/09 from a printer with serial number #5429535218, according to https://t.co/PVVm7AAjlL pic.twitter.com/6BY7Y3MFhL
— Tim Bennett (@flashman) June 6, 2017
Cybersecurity expert Robert Graham explained on his blog how the microdots created by a color printer can be used to track the printer’s source, and writes:
The document leaked by the Intercept was from a printer with model number 54, serial number 29535218. The document was printed on May 9, 2017 at 6:20. The NSA almost certainly has a record of who used the printer at that time.
The situation is similar to how Vice outed the location of John McAfee, by publishing JPEG photographs of him with the EXIF GPS coordinates still hidden in the file. Or it’s how PDFs are often redacted by adding a black bar on top of an image, leaving the underlying contents still in the file for people to read, such as in this NYTimes accident with a Snowden document. Or how opening a Microsoft Office document, then accidentally saving it, leaves fingerprints identifying you behind, as repeatedly happened with the Wikileaks election leaks. These sorts of failures are common with leaks. To fix this yellow-dot problem, use a black-and-white printer, black-and-white scanner, or convert to black-and-white with an image editor.
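To make the dot matrix concrete, here is an added example that is not part of this article, of Graham's post, or of The Intercept's tooling. It models a DocuColor-style grid (8 rows by 15 columns, a parity row and a parity column, 7-bit values per column) following the column assignments in the EFF's DocuColor decoding guide as I recall them; treat every position in that layout as an assumption rather than a verified fact about the printer in this case. It encodes the values reported in the tweets above (6:20, 2017/05/09, model "54", serial "29535218"), decodes them back with a parity check that refuses a grid damaged in scanning, and then applies the simplest form of Graham's black-and-white fix to a constructed stand-in for a colour scan, showing that the pale yellow dots drop out while black text survives. The pixel colours and the one-pixel-per-cell scan are constructed for the example.

```python
"""Toy model of a DocuColor-style tracking-dot grid and the black-and-white fix.

Added example for this article, not code from Graham, the EFF or The Intercept.
Assumed layout (from the EFF DocuColor decoding guide, as best I recall it):
8 rows x 15 columns; row 0 holds column parity, column 0 holds row parity;
rows 1..7 of a column hold a 7-bit value, most significant bit at the top;
column 1 = minute, 4 = hour, 5 = day, 6 = month, 7 = two-digit year,
columns 9..13 = five two-digit groups that Graham reads as model "54"
followed by serial "29535218". Treat every position as an assumption.
"""
from typing import Dict, List, Tuple

ROWS, COLS = 8, 15
FIELD_COLS = {"minute": 1, "hour": 4, "day": 5, "month": 6, "year": 7}
SERIAL_COLS = [9, 10, 11, 12, 13]

Matrix = List[List[int]]          # 8 x 15 grid of 0/1, 1 = dot present
Pixel = Tuple[int, int, int]      # 8-bit RGB
Image = List[List[Pixel]]

PAPER: Pixel = (255, 255, 255)
DOT: Pixel = (255, 255, 153)      # pale yellow, nearly invisible on paper (constructed)
INK: Pixel = (0, 0, 0)


def _set_column(m: Matrix, col: int, value: int) -> None:
    """Write a 7-bit value into rows 1..7 of a column, MSB in row 1."""
    if not 0 <= value < 128:
        raise ValueError(f"{value} does not fit in 7 bits")
    for row in range(1, ROWS):
        m[row][col] = (value >> (ROWS - 1 - row)) & 1


def _column_value(m: Matrix, col: int) -> int:
    value = 0
    for row in range(1, ROWS):
        value = (value << 1) | m[row][col]
    return value


def encode(minute: int, hour: int, day: int, month: int, year2: int, serial: str) -> Matrix:
    """Build the dot grid for a print timestamp and a ten-digit model+serial string."""
    if len(serial) != 10 or not serial.isdigit():
        raise ValueError("serial must be ten decimal digits")
    m = [[0] * COLS for _ in range(ROWS)]
    for name, value in zip(FIELD_COLS, (minute, hour, day, month, year2)):
        _set_column(m, FIELD_COLS[name], value)
    for col, i in zip(SERIAL_COLS, range(0, 10, 2)):
        _set_column(m, col, int(serial[i:i + 2]))
    # Odd parity: every data column gets its parity dot in row 0, then every
    # row (row 0 included) gets its parity dot in column 0. Column 0 itself is
    # not parity-checked: odd parity on all 8 rows and all 15 columns at once
    # is impossible (8 odd counts sum to even, 15 odd counts sum to odd).
    for col in range(1, COLS):
        m[0][col] = 1 - sum(m[r][col] for r in range(1, ROWS)) % 2
    for row in range(ROWS):
        m[row][0] = 1 - sum(m[row][1:]) % 2
    return m


def decode(m: Matrix) -> Dict[str, object]:
    """Read the fields back, refusing a grid whose parity says a dot was lost or added."""
    for col in range(1, COLS):
        if sum(m[r][col] for r in range(ROWS)) % 2 == 0:
            raise ValueError(f"column {col} has an even dot count: grid damaged")
    for row in range(ROWS):
        if sum(m[row]) % 2 == 0:
            raise ValueError(f"row {row} has an even dot count: grid damaged")
    fields: Dict[str, object] = {name: _column_value(m, col) for name, col in FIELD_COLS.items()}
    fields["serial"] = "".join(f"{_column_value(m, c):02d}" for c in SERIAL_COLS)
    return fields


def render_scan(m: Matrix) -> Image:
    """Constructed stand-in for a colour scan: one pixel per grid cell, plus a
    line of black 'text' pixels below the dot block so the fix has ink to keep."""
    img = [[DOT if cell else PAPER for cell in row] for row in m]
    img.append([INK if c % 2 == 0 else PAPER for c in range(COLS)])
    return img


def find_dots(img: Image) -> Matrix:
    """Recover the grid from a scan: a pale yellow pixel (low blue, high red/green) is a dot."""
    return [[1 if (r > 200 and g > 200 and b < 200) else 0 for (r, g, b) in row]
            for row in img[:ROWS]]


def to_black_and_white(img: Image) -> Image:
    """Graham's fix in its simplest form: threshold on luminance, so the pale
    yellow dots become paper while dark text stays ink."""
    return [[PAPER if (299 * r + 587 * g + 114 * b) // 1000 >= 128 else INK
             for (r, g, b) in row] for row in img]


if __name__ == "__main__":
    grid = encode(minute=20, hour=6, day=9, month=5, year2=17, serial="5429535218")
    print("decoded from colour scan:", decode(find_dots(render_scan(grid))))
    cleaned = to_black_and_white(render_scan(grid))
    print("dots left after B&W conversion:", sum(map(sum, find_dots(cleaned))))
```

The parity check is the part worth noticing for a real scan: a single dot lost to a crease or a JPEG artifact breaks a column or row count, so a decoder that ignores parity will happily report a wrong serial number. The threshold step is only a model of the advice; on a real document a black-and-white rescan, or printing in the first place on a monochrome printer, removes the dots at the source rather than after the fact.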
The Washington Post’s Erik Wemple has a good writeup of how steps The Intercept took to verify the documents may have contributed to Winner’s cover being blown — but it’s also clear that she didn’t follow many of the precautions that The Intercept publishes on its own how-to-leak page. (For instance: “Don’t contact us from work”; the FBI says Winner corresponded with The Intercept from her work computer.)
FBI clued into NSA leaker by looking at crease in document paper, and then narrowing suspects to those who had printed report.
— Sheera Frenkel (@sheeraf) June 5, 2017
Some lessons here for potential whistleblowers, and for journalists looking to keep sources safe.
— Sheera Frenkel (@sheeraf) June 5, 2017
We've printed docs, scanned them, and OCR'd them in the past to get rid of unwanted data. Worth it with a sensitive source.
— Quinn's internet 👻 (@quinnnorton) June 6, 2017
10. From what we know, there was poor OPSEC everywhere here: the contractor, the source, and @theintercept.
— leah mcelrath 🗽 (@leahmcelrath) June 5, 2017
12. The source apparently used her own WORK computer to communicate with the Intercept, which is incredibly stupid.
— leah mcelrath 🗽 (@leahmcelrath) June 5, 2017
The journalist Barton Gellman, who led The Washington Post’s Pulitzer Prize–winning coverage of the NSA in 2013 and 2014, offered more thoughts in a tweetstorm Tuesday.
3/ Cuts deprived both Russia and US public of details (GRU units, individuals, possibly exploits) that show how NSA knows. It’s a tradeoff.
— Barton Gellman (@bartongellman) June 6, 2017
10/ Normal people don’t know all this, but journalists should. And @theintercept does. Has world class experts in @headhntr and @micahflee.
— Barton Gellman (@bartongellman) June 6, 2017
12/ That too is something @theintercept would denounce with contempt if happened elsewhere. Everyone makes mistakes, but this was a bad one.
— Barton Gellman (@bartongellman) June 6, 2017
Matthew Garrett, a security developer at Google, has some ideas for news outlets’ how-to-leak pages.
But there are legitimate questions. The printer dot thing isn't new. Could steps have been taken to avoid that?
— Matthew Garrett (@mjg59) June 6, 2017
It's a document that goes into detail on how to anonymously communicate, but doesn't cover basics like "Is this material access controlled?"
— Matthew Garrett (@mjg59) June 6, 2017
Other than having emailed The Intercept on an apparently separate matter, Reality Winner seems to have done everything listed on that page
— Matthew Garrett (@mjg59) June 6, 2017
If you have a page that encourages people to break the law, you owe it to them to provide enough information to help them assess the risks
— Matthew Garrett (@mjg59) June 6, 2017
When you're documenting a process that could land someone in jail for the rest of their life (or worse), your documentation should be *good*
— Matthew Garrett (@mjg59) June 6, 2017
When asked for comment, The Intercept issued this statement, which doesn’t address any questions about the outlet’s potential missteps:
On June 5 The Intercept published a story about a top-secret NSA document that was provided to us completely anonymously. Shortly after the article was posted, the Justice Department announced the arrest of Reality Leigh Winner, a 25-year-old government contractor in Augusta, Georgia, for transmitting defense information under the Espionage Act. Although we have no knowledge of the identity of the person who provided us with the document, the U.S. government has told news organizations that Winner was that individual.
While the FBI’s allegations against Winner have been made public through the release of an affidavit and search warrant, which were unsealed at the government’s request, it is important to keep in mind that these documents contain unproven assertions and speculation designed to serve the government’s agenda and as such warrant skepticism. Winner faces allegations that have not been proven. The same is true of the FBI’s claims about how it came to arrest Winner.
We take this matter with the utmost seriousness. However, because of the continued investigation, we will make no further comment on it at this time.