A little-noticed system that allows printed documents to be tracked by government agents has gotten the attention of the EU Commissioner for Justice Freedom and Security, who says the technology may violate EU human rights guarantees. The technology is baked in to many popular color laser printers and photocopiers, including …
The technique was forced on the manufacturers by the US, but still the problem is with China being authoritarian. Of course. Not the US. Of course (bis). They wouldn't think of tracking every single human being on the planet. They never did (of course -ter) and won't ever try (of course -quater). ECHELON is a myth, right? And their intelligence agencies are unlikely to randomly listen to their own citizens' phone calls without control, right?
Indeed, China is the one and only threat around...
More details on the dots
The Lives of Others
Just watched this on DVD, belatedly. Didn't the US congratulate the German people for breaking down the Berlin Wall? Only to then try to recreate the functions of the Stasi for themselves back in the "land of the free"? Thought so.
The system relies on printing a code in yellow dots at the edge of the document - yellow chosen as it's not obvious in daylight, but clearly visible under something like red light. Take out the yellow cartridge & traceability isn't a problem as the dots won't get printed.
Or just buy a mono laser printer/copier.
Though obviously if you're wanting to print something colourful instead of a plain document this isn't workable.
To be honest this is only a serious concern if you've registered your printer & serial number *and* you're printing stuff that you might not want traced back to you.
Otherwise it would need someone to actually get hold of your printer to do the comparison check, in which case it's probably a bit late. And in any case comparison of print engine defects has allowed printer/document matching for years without needing deliberately hidden patterns.
In general terms I don't see this as a particular problem as it's something that *could* be checked, but in general terms can't really compromise privacy: how many times will you produce a document which is unattributed, that you don't want traced to you, that someone with the necessary resources would actually like to track back, and would cause you legal problems if traced?
The other interesting 'hidden' technology is the anti-copy patterns that are embedded in things like banknotes eg. 'eurion', which cause things like copiers to just refuse to copy the document. Not quite so sneaky because you can see it, and has the advantage of being easily duplicated allowing DIY copy protection on paper documents once you know the spec to follow...
...forced on the manufacturers...
How does this happen? How does the Gumment force manufacturers to include such features? It's not that I don't believe it, I'm just curious about the process that leads to someone agreeing to include such features. Is there a law?
Re: The Lives of Others
It's not only the US. It turns out that the RCMP here in Canada has a secret database devoted to 'national security' that is filled mostly with unsubstantiated rumours and unproven suspicions.
Um, laser printers were the first to have them; also, HP printers use black micro dots.
Re: ...forced on the manufacturers...
If Microsoft can get manufacturers to do their bidding perhaps the US government can also be persuasive. Yes, it would be interesting to find out about the actual mechanism. I wouldn't be surprised if things weren't completely kosher.
On another note. Some people have said that you need to get the registration, or actual printer, in order to make a correlation. Actually, the fact that it has the year, month, day, hour, and minute, could be damning. The EFF has simple information on how to read the (up to) 14 7-bit bytes (plus parity) on their site: http://w2.eff.org/Privacy/printers/docucolor/
Does anyone have any information on the chip involved? Pinouts would be useful. I can see a little business in "re-chipping" printers.
This is a good example of why RFID is a threat. The serial # can easily be encoded to the RFID device and as soon as you use your card to purchase, your info would be known to the manufacturer or the government without ever having to register the product.
Microsoft word document?
Has anybody bothered to download the doc file and check it for metadata?
You know, revision history, people who have commented on it and details about the user's computer. That kind of stuff.
Let's not forget...
Many Government-owned printers will probably have this "feature" too. The difference being that many of us would know how to mess with it and the average minion wouldn't. Advantage to the hackers and crackers again.
Get your own Ideas
No wonder my stuff keeps being nicked. Every now and then, a few months after I have a brain wave, some US company starts doing it. Stay off my PC, dude.
It's rarely used
The function has been on colour copiers for years. I work for one of the large companies, and the police (well, in the UK anyway) would have to go through the OEM to get them to tell them the exact details.
From what I know it's rarely used or the information requested. Anyway, just buy a cheap scanner and colour printer and it will not be on there, as if you buy in cash and don't register, even if the code was on there, who would know?
Is that my own petard?
From the comments I'm reading, I take it that El Reg readers do not buy printers at Frys Electronics, Best Buy, etc. (Electronic supermarkets based within the USA.) My most recent Frys receipt bears the serial number of my most recently purchased inkjet printer as well as a portion of the account number for the credit card I used to transact the purchase. (The counter clerk who checked my purchases, scanned the serial number from an external barcode sticker, and then ran my credit card. Took less than a minute.)
I'm thinking it might take all of 3-4 minutes for a government functionary to correlate the printer serial number with my financial records, and to pull-up my name, address, phone number, and credit history.
Not to mention that there was a $50 mail-in rebate offer, and so I had to send-in the serial number sticker along with some other proof-of-purchase material. So now the printer manufacturer has most of the same data.
Give it up. The war on terror is over. The terrorists won.
- The Garret
Re: Easily sorted
"To be honest this is only a serious concern if you've registered your printer & serial number"
Of course it could never be traced back to the credit/debit card that was used when purchasing it.
Barcodes do make for an easy life.
They really expect to pick out the yellow dots?
The way my colour print head gets clogged up, the date would probably be 3 centuries ago and some other printer would get fingered.
@ Ole Juul
Let's get our priorities in order, shall we? Where does it show you how to get a printer to copy currency?
They should print it in public view
Write a visible mark in the margin, e.g. 'printed from HP2948575 on 14 Feb 2008' or a watermark across the back.
Then let people decide if they want that information. After-all, if it's OK to have that mark, then why should only *some* people be able to read it, *everyone* should be able to read it, especially the people who make the documents! Everyone is equal and since we've done nothing wrong, there is no reason to conceal that from us.
Personally, I'm pissed off with electronics taking a record of everything I do, and since it isn't just the police in criminal prosecutions that have access to it, I don't think that it should be allowed. Why should I be preemptively searched? Why should any little official be able to peer into my life?
We have privacy or not? It's written right there in the Fundamental Human rights, and even Bush tries to withhold his official emails, and Blair strengthened the official secrets act. So everyone, even the bad guys doing the undermining of privacy, understand the importance of it....
@Anonymous Coward [Easily Sorted]
"To be honest this is only a serious concern if you've registered your printer & serial number..."
1) Government has document they want to trace. They extract the serial number + date / time information.
2) They present the serial number to the manufacturer who tells them which supplier bought the printer.
3) Government contacts supplier with serial number to find out where it was sold.
4) Repeat 3 as required until at end of chain.
5) Your "unregistered" printer is now traced.
In practice, this won't take very long at all as all suppliers track inventory with the serial number. Oh, and in the future imagine if you have to present your ID card to buy a colour laser printer. In which case, they'll record the S/N on the central government database.
"*and* you're printing stuff that you might not want traced back to you."
Maybe when you bought the printer you had a government that wasn't so control-freakishly oppressive that you wouldn't... but nowadays?
p.s. Surely, the answer is to print on yellow paper?! :P
The beast approaches?
It's coming, for your benefit, to protect you, for your security. You will be just a number, but by the time you wake up to the fact that your privacy and civil liberties have gone, it will be too late.
"And he causeth all, both small and great, rich and poor, free and bond, to receive a mark in their right hand or IN their foreheads, And that no man might buy or sell, save he that had the mark, or the name of the beast, or the number of his name."
I thought this was a load of EU hand-wringing (from listening to the EFF-tin-foil-hats too much), after all what self-respecting subversive political group would circulate its literature on colour-copies instead of cheap and untraceable b&w material ? If you're rich enough to sell your message in glossy CMYK you're likely to be rich enough to prefer the way things are run at the moment.
But then I remembered the 'Inside Hamas' documentary last week, everyone seemed to be carrying an A0 full-colour print-out from photoshop of their martyred son or of a political leader - I'm sure the Israeli authorities are glad each copy is easy to trace!
Re: ...forced on the manufacturers...
"How does this happen?"
US govt buys quite a few things, says we will only buy printers that have this tracking technology. And probably only from companies that introduce it into all their products.
No law, just simple economic blackmail.
If I were going to publish a subversive pamphlet, I think I'd go for laser/inkjet print for the master copy, then photocopy the rest from that master.
It does look like, what with laser printers being very good these days, the law enforcement people wanted to be able to trace counterfeits of banknotes. (They are distributed over the whole page and this isn't implemented on inkjets, which would be useless for counterfeiting.) Now the question is, was it ever intended for other law enforcement agencies?
Now answer that question considering that the easiest explanation for the vast majority of conspiracy theories is incompetence. In this case - they just didn't think what else it could/would be used for. Or maybe not?
Never attribute to malice, what can be more easily attributed to stupidity.
@By Anonymous Coward
As a former Frys employee I can tell you most of the time the serial number entered is just some random bar code. Unless the serial is really easy to find, we would type in the numbers from the first bar code we could find.
I have two old mono printers, from the days when they were built to last. While I can still get toner cartridges I see no need to upgrade. Even then, I'd be tempted to buy second-hand, locally, with cash (which is how I got the two mono lasers). Of course, as someone who registered with No2ID, the government probably knows all about me anyway.
@Ole - probably not a discrete chip
I don't expect that one can remove/replace a chip in these printers in order to change the tracking output, it's much more likely to be code within the firmware that reads the serial no., date and time, and inserts the necessary Postscript into the stream going to the rendering engine. Just when you thought your software was getting free, you find that your hardware is going all squeally on you!
I find, however, that I can telnet into the printers in my establishment, since nobody has bothered to set access passwords. If it was *really* necessary, my printouts wouldn't have the right date, at least!
Or maybe I'll prepare a few sheets of paper covered with tiny yellow dot patterns. Even I can write a bit of Postscript to do that.
As usual ...
a pretty intrusive manoeuvre well thought in advance. If I were to print fake bank notes I'd start by stealing such a printer (since I don't have any monies). So unless we learn that there is a GPS terminal in every printer and that the firmware can be fried remotely ... well the chances to catch a proper criminal are quite remote.
But if you finally found the dog that was posted missing on a flyer that no longer has any phone number readable ... give the FBI/CIA a call to get the details.
What's all this about credit cards?
Or cheques, for that matter? I prefer coins and notes.
So let me get this straight. It prints yellow dots in the margin. So if you want your document to be anonymous you put a big yellow border around your pamphlet of subversion.
It can't really be that easy and if it is where's the big problem?
Plus ça change...
Just take a little step back in time to those halcyon days of yore, and the stink of your local elementary school's banda room.
I mean, hot-headed revolutionaries always have a crew of nerds who don't want to get their hands bloody who won't mind cranking the handle, right?
What you want to be afraid of is paper watermark tracking.
*million dollar scheme pending. mine! get away from my one good idea!
Paris, for the spirits!
"So let me get this straight. It prints yellow dots in the margin."
It's not just in the margin, the way to fix it is to avoid the printers on the EFF list that do it. It's one thing for a printer to refuse to print perfect copies of a bank note, it's another when it starts printing tracking ids on the damn paper.
Someone got a little over the top when designing this feature, and as happens often when security guys discuss things in secret, they forgot about the users' right to privacy. But heck, we make a noise, EFF makes a list and people can avoid those printers.
Even with coins and notes you're vulnerable to tracking in some ways. The big-chain electrical goods stores here ask for your name, postcode and house-number "for your guarantee" when you purchase electrical goods (including printers).
I just tell them to bugger-off but many don't.
Re: @ Yellow
Whoopie! I use Oki!
Stealing a printer, not that much help
If you are going to be using one of these printers to counterfeit bank notes, it is highly likely that you've nicked it. The thing is that this is probably accepted, but once the rozzers have caught up with you, they have a very easy way of proving what you've done; you can't say that it was done on another identical printer.
I've tested a whole load of this sort of printer/MFD (Canon imageRUNNERs, big HP LaserJets, etc. etc.) and the first thing that I did was see just how well they copied a bank note (only one side, mind, just in case, and then I shredded the results!). They were pretty good; the main problem is that the colours were _slightly_ off and that the paper was just wrong. Also there was no intaglio printing, but that's probably not going to be noticed by most. I think that you probably could get away with using these machines to copy currency if you have plausible paper to print on and an environment where the money isn't too closely looked at.
I can see why these printers cause concern for the cops/currency issuing banks.
Posted anon, for obvious reasons...
I work for a reasonably sized manufacturer of printers etc. Many years ago, while working in technical support, I received a phone call from someone at the Dept' of Forensics. They wanted to know how they would be able to tell if a counterfeit had been produced on one of our machines. I replied that it would be soaked in silicon oil and wouldn't look anything like the original. They seemed quite happy with that.
If you print a yellow border on your pamphlet, chances are the dots will be in yellow relief, just as difficult to spot as the yellow dots themselves.
Before we lambast the US government, I think you'll find most EU governments started to insist on serial identification of documents once copiers and printers reached the sort of quality that made counterfeiting viable.
Or use Samsung, + RIPA related
"Whoopie! I use Oki!"
That list is enough to swing my next purchase from Canon to Samsung.... I don't see why some little tin pot dictator (**) should be able to take a printout of mine and track it back to the printer's id.
I wonder if RIPA's 'data related to communications' clause lets them (*) get the serial id to purchase / registration details without a warrant by claiming the document is a communication under 21.4.b.
"(b) any information which includes none of the contents of a communication (apart from any information falling within paragraph (a)) and is about the use made by any person— (i) of any postal service or telecommunications service;...."
* them being the 1000+ government departments that can get access to this on request without a warrant.
** tin pot dictators = soup nazis = officials who leverage their little power to control others. The numpties in government that the legal process is supposed to protect us from.
"To be honest this is only a serious concern if you've registered your printer & serial number *and* you're printing stuff that you might not want traced back to you."
Indeed, if you have nothing to hide you should be safe in this world of habeas corpus, freedom and liberty, etc. etc.. But what if this nice world is changing (maybe the iron curtain coming down on the wrong side of the border)? Maybe you should think about privacy while you have it -- and remember that some people in less free countries rely on the same hardware to maintain a privacy their powers would rather not respect.
Muddying the waters
Well the best solution is to add your own dots to the document to muddle things up.
Take down a couple of serial numbers in the shop for your model of printer and create the dot grid using the code on the EFF page.
Then add those into the background of the document you are printing. Add enough different ones and they won't know which printer actually printed it.
Do we have a source for that?
"I think you'll find most EU governments started to insist on serial identification of documents once copiers and printers reached the sort of quality that made counterfeiting viable."
Do we have a source for that? We know the legal basis for privacy, it's Article 8 of the Human Rights acts (and others). That's what protects for example, political leaflets printed on these printers being used to identify the source and hence protect political protest and discussion.
To break that they would (should) need a law.
(The state can't violate privacy except in accordance with the law, i.e. they need to make a law to violate privacy, they can't just ask).
Use 2 printers
"Print" some blank paper through the first one, this will add an array of yellow dots, then use this paper to print the next documents and your 2nd printer will add its own dots to the array and therefore totally screw up the info.
Oh .. really ...
In this case I think there's a bit too much paranoia at work here ... AFAIAA the original suggestion of the dots, and the only way they've been used (to date) is to prove that "document X" was printed on "printer Y", when "suspect Z" is arrested under "suspicion of Z` " i.e. plod arrest Joe Bloggs for trying to palm off a forged tenner. Joe Bloggs details a bloke down the pub whose face he can't remember. Plod raid Joe Bloggs drum, and find a printer whose code matches the code in the funny-money.
"It's a fair cop guv".
From experience ..
.. in the retail industry most UK companies don't bother taking a note of the serial numbers when they hand the stock over to customers anyway.
So yes, the manufacturer may be able to tell the police which wholesaler had the machine, and they can probably say which chain/branch they delivered it to. However the retailer is likely to say "sorry, we don't keep a note of serial numbers".
This may be different in the US but none of the retailers I've worked for bother.
Just "join" the dots
If you know where the matrix pattern is printed on your documents (easy to find) and know exactly the colour used (maybe not so easy), seems the best denial would be to fill in the rest of the dots to give a nice regular rectangular pattern with no gaps at all.
Any bets that the printers 'look' for this and deny it . . .
What about photoshop?
"i.e. plod arrest Joe Bloggs for trying to palm off a forged tenner. Joe Bloggs details a bloke down the pub whose face he can't remember. Plod raid Joe Bloggs drum, and find a printer whose code matches the code in the funny-money."
The trouble with that scenario is the printers that have the serial number printing also have the note detection code and won't print the fake tenners in the first place.
Looks like the treasury dept that did the code (also in photoshop, wonder if that has the serial number dots too?) got a little carried away and added stuff that wouldn't have been included if it had been openly discussed.
Did they not realize that the dots would get noticed and people would figure out how to determine if 2 printouts came from the same printer? I think it's naive to assume that it isn't already being misused since it's fairly easy to detect once you know about them.
I wonder if photoshop (which has the note detection code in it since version 8) has some unwanted dots and watermarking in it too?
... have been doing something like this for years. When I started at IBM in 1989, all of the printers would print their serial number on every sheet, and the photocopiers had their serial number etched into the glass in several places. It was supposedly to be able to trace any confidential documents leaked outside of the company.
I know that this was human-readable, but the intention was pretty much the same.
I remember reading an article in a paper some time ago about a leaked document and it mentioned some or other method that makes it possible to trace who produced the document.
Apparently the way around it was to get someone else to re-type the document before giving it to the journalist. Perhaps this was the method used?
Although I'm sure the technology will eventually be used on the public, I'll bet the original intention was to catch spooks leaking official secrets.
"The big-chain electrical goods stores here ask for your name, postcode and house-number"
And how do they know you gave them the correct answer to those? Do they ask for your phone bill?
Funny Enough (2)
Franco Frattini last year proposed to censor websites that included terms like "killing" and "bombs".
I can foresee the main impact of this being on the environment - If printers contain a code linking documents produced by them to the original purchaser, then all end-of-life printing hardware will have to be destroyed.
I bought a Freeview box, but they wanted my name, address and postcode before they would sell it to me. I chucked the £40 on the counter and walked out with the unit. The checkout girl was gobsmacked. I have since realised why: they were doing the government's licence fee intelligence.
If you have a pay as you go SIM card then you assume it's untraceable. Especially if you got the phone at a boot sale. However people will have your number on their phone. So the spies only need to ask someone you have called whose number it is. Chances are they will have put your name against the number.
The advice here is buy second hand and only use the printer/device for your subversive stuff. Use another printer for your business invoices with your name and address on them. hehhehe.