The latest Wikileaks release of leaked CIA cyberweapons includes “Scribbles” – referred to by the CIA as the “Snowden Stopper” – a watermarking tool that embeds web-beacon style tracking beacons into secret documents that quietly notify a central server every time the document is opened.
The beacons are references to image files hosted on a server the CIA controls. Rendering this image requires that the user’s computer contact the CIA server to fetch a copy, giving the CIA insight into who is opening the document and when and where it is opened.
This is a pretty common technique, and one that is easily overcome by careful adversaries. It’s a standard feature in mass emails – if you’ve every looked at an analytics dashboard for something like Mailchimp, you’ll see entries estimating how many of the emails you sent out were read, how many were deleted, etc. That’s because mailing list software routinely embeds this sort of beacon in messages (most email programs let you turn off loading of remote contact, which foils this sort of tracking).
When I was working with the unpublished Snowden leaks, I only opened them on an airgapped machine that I had physically removed the network interfaces from (I glued the Ethernet port shut and ripped out the wifi card), which I purchased by walking to a store, taking it off a shelf, and walking it to the register, and which was only ever booted from an external drive containing the secure TAILS operating system. Good thing, too – more than once I fatfingered while scrolling through the docs and accidentally clicked a link in them, which could have revealed my activities to the NSA.
These are not extraordinary precautions for working with sensitive documents, and they would comprehensively defeat the CIA’s “Snowden Stopper.” But perfect operational security is hard. I think the CIA is betting that given enough time and enough documents, they would eventually catch even a very careful leaker due to a momentary slipup.
