I would love to know how many engineers, managers, and execs at printer companies were/are complicit in this.
Obviously it's a useful feature for an employer; a little underhanded (it should be common knowledge, not a secret program) and understandable from a business perspective. Especially for an organization like the NSA.
But for a consumer product, it is completely unreasonable to at least not offer an option to disable the feature. The only other product that deliberately leaves identifying traces that I can think of is ammunition.
Did anyone at one of these printer companies express reluctance over the idea? Was anyone let go over it? Did anyone refuse to work on the project?
I've worked at one of the printer companies in the article. Someone in my weekly meetings merely gave the weekly report "I worked on project XXXX" for a year. I'm not censoring him: he censored himself and just stopped giving details about his project, including the name of the project. I suspect he was working on currency constellation detection, not these tracking dots, but that's roughly how it plays out.
Is anyone reluctant to do this work? Hell, no; that stuff is really cool to work on.
And the moral dilemma is more limited than you might realize. Frankly, given enough time, a printer company could identify a printer from a printout without these dots, down to its manufacturing batch (you could confirm the specific printer if you had access to the printer itself) and date of printing (down to a couple days or weeks, depending on how long ago it was). The dots just make it automatic instead of painstaking.
> The dots just make it automatic instead of painstaking.
That's significant though. Something that's painstaking only gets done if someone thinks there's a specific, targeted reason to do it. Something that's trivial and automatic gets used broadly without any individualized suspicion unless there are legal limits on doing so.
We don't have the sort of clear ethics rules in tech that doctors, lawyers and engineers have, but if we did I think one of them should be that tech should not intentionally work against the interests of its user or owner. That means introducing surveillance features into a printer without telling the buyer they're present is unethical. Using a tracking feature as a selling point, say, to allow an organization to identify the origin of a leaked document is another matter.
I said this elsewhere[1], but its not immediately obvious that you can identify printers via machine learning. Classification gets really difficult when you have millions or billions of classes. Accuracy tends to fall off a cliff.
Roughly, the printer industry set up self-surveillance in the 90s, because they figured the alternative would be bans on their products. On the government side, European countries were pushing for it at least as hard as the US was.
The imaging engine chips (soc with arm processors) for printers aren't made by the printer companies, but bought from third parties. From what I understand I don't think they're going to allow this feature to be turned off.
Despite CA's idiosyncratic firearms laws, microstamping effectively does not exist in the real world (as in, no firearms on the market employ it, though the technology does exist).
Firing pins are pretty easy to swap out, though. Easy enough that this could be used to tamper with evidence or even frame someone. It doesn't really seem like a great idea.
Anything in a gun is easy to swap, but also illegal if it violates the law.
Micro stamping is currently not enforced strictly but if it would it would be no more legal to swap the firing pin as it would be to put in a full auto fire control mechanism on a federa level, or on a state level flash hider or a normal capacity magazine in states that forbid them.
I'm guessing they are talking about barrel rifling and firing pin/ejector marks that are used in matching weapons to crimes. I guess the could add some serial number during firing, but I've not heard of this as something in civilian weapons.
I have never heard of serial numbers on bullets, and a google search led only to proposed state-level legislation to require them, which has not passed.
As far as I'm aware, no handguns currently being sold in the US employ microstamping. Also, I've never heard of serialized ammunition being sold in the US. Do you have sources on either of these currently being on the market?
California has a law requiring the use of microstamping on semi-automatic handguns, however, models previously certified for sale in the state are exempt. I do not believe any manufacturer is actually offering a microstamped firearm for sale.
The stamps are required to be on the firearm, not the ammunition. They're supposed to leave an identifiable mark on the ammunition when fired.
I believe they are in place to help the Secret Service track down people who counterfeit money.[0]
In 2012, the Secret Service released a document in response to an FOIA request that listed the manufacturers that agreed to add these tracking dots at that time.[1]
Probably not today, with all the new features, but maybe earlier, e.g. when color inkjets became mainstream and for small denomination bills (no one checks watermarks when accepting old $1 bills).
That said, I suspect this mis-feature is being forced on manufacturers now ostensibly for anti-counterfeiting, but in reality to enable tracking for other 3-letter agencies :(
the government in our tech. Lovely. I knew about it before, but this drives home the point that tech people need to work harder and value freedom more than we do today. Otherwise we end up in a police state dystopia.
We need our telecom back, our Internet, our printers, all of it. To hell with all the "but muh terrorism" excuses.
Is there any law that permits the USG to compel any action, other than those legal requests pursuant to an active investigation, on the part of private companies?
How about the the General Services Administration saying "We won't buy, nor allow contractors to use, any printers that don't comply." If I were a manufacturer, that would be compelling.
Depends who you want to fool. If it's a human-to-human transaction in a busy setting (like a marketplace transaction or something similar) it's pretty easy to slip a simple fake without getting caught. Especially if you mix it with real currency and only use small bills.
I remember watching a news report a few years ago where the journalist tried doing just that (with photocopied euro bills on regular paper without any clever trick) and he had a pretty high success rate.
That being said I can't really imagine anybody doing that at a big enough scale that somebody would bother tracing printer dots back to them. I don't think the authorities are going to bother with that if you slip a dozen fake 10 euro bills around Paris. I guess it can be dissuasive though, keeping honest people honest.
I remember hearing stories about a friend's cousin would use photo copiers / printers to copy small bills to put in coke machines, change machines etc. I never tried this myself for obvious reasons, so I don't know if it actually worked, but I can see how being able to track down the printer type etc. would help in this.
There was a story a while back about a team of people working out of a garage who were bleaching lower denominations and printing a higher value note onto the bleached paper. Higher end inkjets are quite capable, the 'feel' was the biggest issue.
Would only work on old currency. Currency since 1990 has had embedded plastic denomination strips so it's easy to check if you're wondering. In 1996 they started putting the denomination strips in difference locations for each value so you don't even need to be able to read it.
Plus the bills are printed using intaglio so yep, real currency has raised ink but that's hard to reproduce.
Maybe good enough to fool a vending machine... There is this story of a guy who would ink-jet print the front and back of money on thin newsprint then glue them together with a fake security strip in the middle.
Back in the 80s there was a famous "hack" which was to take a small bill, in my case a $5 bill, and one would use clear packing tape and create a tether on the bill.
You would put the bill in a vending machine and once it read it and credited the transaction you could yank the bill out of the machine and make a selection, and you'd pic the cheapest thing in the machine and it would give you the goods and change.
The only machine in my town that this worked on was at the local post office on the stamp machine.
I had a shit-ton of stamps, and nobody to write to as a twelve year old hooligan. But I was able to buy a lot of ice cream and lame toys with the change stolen from that machine.
There was a hack to make $5 bills get credited as $100 bills. It was on the JCM WBA-22/23 bill validator model used in slot machines. You needed a small screwdriver a wire and a battery. Stick it between the door bezel and under the BV then short two pins and insert the $5 bill. All while avoiding surveillance of course. The fix was to cover the IC with anti-static black cardboard.
May or may not have perpetrated the same crime circa late 80s using $1 bills on soda machines not yet hardened against the attack. It may or may not have taken a lot of dexterity and timing to pull the bill back just at the right time or the soda machine would be left inop with a long strip of clear tape hanging out of the bill slot.
As horny Australian teenagers, my girlfriend and I worked out that putting a 10c and 5c piece face to face together into a $2 condom vending machine allowed us a $1.85 discount.
US consumers are very conservative when it comes to money. I'm not sure why exactly. Plus no one prints more bills than the US Treasury so some security features would be too expensive or wouldn't hold up for the period of time necessary.
Just show someone some Canadian money and you'll most likely get snickers and "Monopoly money" comments.
That being said US currency does have a number of security features - maybe other countries are overdoing it?
Really? I guess the people you passed were not paying much attention. Inkjet prints flat money - US currency is intaglio printed which makes the print raised.
Plus you can't duplicate the micro printing, the security thread or the color changing ink.
I guess for 5's maybe but 20's? Everyone should take a quick look at those.
This was 2001 remember, and all the "p-notes", as they were called, I created were the old-school bills with few security measures.
Yes I passed them at fast-food places and, to be honest, for drug deals, which perhaps doesn't count as much to some, but I do remember a McDonalds where the drive-thru person said "sorry we can't take this" and I just feigned surprise and handed them a real note.
Also, I used a linen paper from office depot that gave the notes a decent feel.
Those features are fairly recent. In a high-volume cash business like fast food or a truck stop 20s will almost never get scrutiny unless the reflectivity or the feel of the paper are off. I used to process $8,000 to $12,000 an hour on a busy day, usually almost half of that in cash.
Is this an example of market failure? I mean, absolutely no customer pressed for this mis-feature, and no customer made a decision to buy a printer with this mis-feature.
It doesn't feel like it fits easily into an economics template to talk about it as a "market failure."
If I turn my head and squint, it looks roughly like "Government oversight / voluntary manufacturer action to minimize cost due to tragedy of the commons"---the technology makes some forms of crime much cheaper, the government worked with manufacturers (probably with some off-the-books arm-twisting) to alter the technology to minimize its efficacy for a subset of those forms of crime.
The GSA buys a lot of stuff. It's probably very clearly on the books. Only products of class "Y" which offer feature "X" will be considered for purchase by the entirety of the US government based on a single document by a single agency.
Just because you didn't know about it doesn't mean that the General Services Administration and large corporate IT departments weren't quietly asking for it.
Have you used printers? Because you write like you're only vaguely acquainted with the concept of printing, let alone ever having tried to print something.
Because 'your' printer, and its manufacturer, are hostile to you.
Edit:
> Finish your sentence, please :)
OK: Because 'your' printer, and its manufacturer, [and the NSA/Erdogan/multinational corp.] are hostile to you [printing illegal protest posters/exposing corporate crimes/spreading dissent/whistleblowing].
And yes, preventing individuals from breaking the law is hostile to those individuals, even if all laws were just. And they are not.
We have a legal principle in most countries that you can't be forced to testify against yourself or against family, or that the court can't use illegally obtained evidence. If we were just interested in solving crimes above all, we wouldn't have those restrictions. Why don't we e.g. make the punishment for not confessing or denunciating equal to the punishment for the crime itself?
In the same vein, I think there should be a restriction in place in principle. Your stuff cannot be made to work against you.
The police should not be able to remotely stop your car via software. And more importantly, if you have any implants like a pacemaker, the police should not be able to use that to incapacitate you. It's entirely concievable that at some point there will be a hostage situation where the criminal has an implant, and somebody will come up with that plan.
More general, as "stuff" is becoming more and more intelligent, we should be able to trust our stuff. I think it is a fundamental value in the modern "information society" or "IOT world" or "industry 4.0" or what you might call it.
The idea seems crazy at first, but the more I think about it, it is right up there with free speech, or the idea that my wife can't be forced to testify against me. (Or, controversially, the right to bear arms - and I say that as a liberal who is for strict gun control! - but I think the sentiment is related. When the government goes out of control, some people want to rely on their guns - I think that is not realistic, and harmful for society - but I just want to be able to rely on my laptop, to be able to write subversive content without it ratting me out!)
There are already court cases that affirm that anything you store in the cloud is not subject to 4th Amendment protections because it's not on "your" hardware. WTF? We get conned into buying into all this cloud bs and then they turn the tables on us!
> Because 'your' printer, and its manufacturer, [and the Secret Service,] are hostile to you [counterfeiting money].
Finish your sentence, please :)
That was the original purpose of the tracking dots. I don't think it's at all surprising that an intelligence agency would co-opt a law enforcement identification mechanism.
There is nothing "hostile" about preventing individuals from breaking the law.
> There is nothing "hostile" about preventing individuals from breaking the law.
1) It prevents nothing. It is about post-facto detection.
2) It is self-evidently hostile to the law-breaker.
3) Whether or not it is moral to break the law is the relevant question, and that depends on the law. The "original purpose" of this tech hardly matters. Ask the authors of Soviet-era samizdat.
How can you counterfeit money with an inkjet? You'll get caught in days (wrong paper, streaking, poor quality print) with or without the dots. You'd have to be blind not to notice the difference, but then you'd feel the difference. Heck, you could hear the difference. Smell the difference. Troublesome counterfeiting is more sophisticated than a $100 throw away printer.
The Stasi took fingerprints of every typewritter so people couldn't publish illegal things. This is not hostile only if the state is defined as non hostile.
> There is nothing "hostile" about preventing individuals from breaking the law.
Shall we all be clockwork oranges, then? The only ones allowed to have free will shall be the ones that programmed us to vote them into the legislature every time?
This is why you can't print in B&W from a color printer when the color cartridges are out of ink. No yellow ink, no printer fingerprint on the document.
My Dad had a complete melt down one day about not being able to print in B&W. When I told him about the yellow fingerprinting, he thought I was joking. Nope!
I find it sad/ humourous that open source printer firmware was part of the impetus behind the free software movement, yet it's probably still one of the most opaque areas there is.
What I want is an open source printer--like a reprap, but 2D? Why not? The printers we buy are such obnoxious crap that falls apart as soon as the warranty is over.
I know someone who used to design chips that went into printers.
There is code At the chip level that is unknown to the what it actually does provided by the government. Thought to be currency detection, but maybe adding these dots too?
At one point I was working at a printing shop. One time I was testing color calibration, running the same sheet through the printer multiple times, and these dots became visible clearly.
It was quite a head scratchier, we actually thought there's something wrong with our printer until I googled about these yellow dots.
Someone with knowledge and money should push for the development of alternative open and free (as in speech) printer mainboards to swap the original ones. In some cases reverse engineering and flash reprogramming should be enough.
I'd happily donate some quid if such a project would exist.
Sort of relevant is microprinting that still is in use today on money documents such as checks [1].
It would be interesting to combine the two techniques!
Microprinting is for preventing forgery and thus is incredibly difficult to copy but techniques to copy are always improving. I assume microdots are not as difficult to copy and are about tracking.
So if someone effectively copied the microprint you could inject microdots and those would be copied as well. Thus you might be able to track the forger as well detect forgery statistical analysis (based on the fact microdots encode changing data such as time).
How do the dots get linked to me? E.g. lets say I print a ransom note and send it to someone.
The police can analyze the dots on them, find the id of my printer... And then?
I never registered my printer with my name somewhere or so.
Not to go off on a tangent but I find it disappointing that printer manufacturers choose to spend time and money on this instead of providing up to date firmware.
I know of a line of printers that you can netcat firmware into. That's just terrifying.
I always figured one of the drivers for this was that the NSA basically mandated that this feature to be built into any printers it would buy (or let be bought). The power of the federal/DOD purse is a thing.
Obviously it's a useful feature for an employer; a little underhanded (it should be common knowledge, not a secret program) and understandable from a business perspective. Especially for an organization like the NSA.
But for a consumer product, it is completely unreasonable to at least not offer an option to disable the feature. The only other product that deliberately leaves identifying traces that I can think of is ammunition.
Did anyone at one of these printer companies express reluctance over the idea? Was anyone let go over it? Did anyone refuse to work on the project?