WikiLeaks Reveals The "Snowden Stopper": CIA Tool To Track Whistleblowers

Tyler Durden's picture

As the latest installment of it's 'Vault 7' series, WikiLeaks has just dropped a user manual describing a CIA project known as ‘Scribbles’ (a.k.a. the "Snowden Stopper"), a piece of software purportedly designed to allow the embedding of ‘web beacon’ tags into documents “likely to be stolen.”  The web beacon tags are apparently able to collect information about an end user of a document and relay that information back to the beacon's creator without being detected. Per WikiLeaks' press release:

Today, April 28th 2017, WikiLeaks publishes the documentation and source code for CIA's "Scribbles" project, a document-watermarking preprocessing system to embed "Web beacon"-style tags into documents that are likely to be copied by Insiders, Whistleblowers, Journalists or others. The released version (v1.0 RC1) is dated March, 1st 2016 and classified SECRET//ORCON/NOFORN until 2066.


Scribbles is intended for off-line preprocessing of Microsoft Office documents. For reasons of operational security the user guide demands that "[t]he Scribbles executable, parameter files, receipts and log files should not be installed on a target machine, nor left in a location where it might be collected by an adversary."


The ‘Scribbles’ User Guide explains how the tool generates a random watermark for each document, inserts that watermark into the document, saves all such processed documents in an output directory, and creates a log file which identifies the watermarks inserted into each document.

Scribbles can watermark multiple documents in one batch and is designed to watermark several groups of documents.


Dr. Martin McHugh, Information Technology Programme chair at Dublin Institute of Technology, gave the RT more details on how the "Scribbles" tool can be used for "bad as well as good."

“Methods of tracking have historically been developed for our protection but have evolved to become used to track us without our knowledge."


“Web beacons typically go unnoticed. A tiny file is loaded as part of a webpage. Once this file is accessed, it records unique information about you, such as your IP address and sends this back to the creator of the beacon.”

But, the "Scribbles" user guide notes there is just one small problem with the only works with Microsoft Office products.  So, if end users use other programs such as OpenOffice of LibreOffice then the CIA's watermarks become visible to the end user and their cover is blown.

According to the documentation, "the Scribbles document watermarking tool has been successfully tested on [...] Microsoft Office 2013 (on Windows 8.1 x64), documents from Office versions 97-2016 (Office 95 documents will not work!) [and d]ocuments that are not be locked forms, encrypted, or password-protected". But this limitation to Microsoft Office documents seems to create problems: "If the targeted end-user opens them up in a different application, such as OpenOffice or LibreOffice, the watermark images and URLs may be visible to the end-user. For this reason, always make sure that the host names and URL components are logically consistent with the original content. If you are concerned that the targeted end-user may open these documents in a non-Microsoft Office application, please take some test documents and evaluate them in the likely application before deploying them."

So if you plan to steal some government documents at some point in the near future you may want to ditch Microsoft Word.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.
hedgeless_horseman's picture


Watch the documentary, Citizen Four.


Ask President Trump to pardon Ed Snowden.


Watch the Ted Talk with Julian Assange, Why the World Needs WikiLeaks.


Donate to WikiLeaks.


Or just sit on your ass and complain while our liberty and privacy is destroyed by our "representatives."

JRobby's picture

"Always save the biggest nail for last................"

PrayingMantis's picture

... The only reason for surveillance is because all people are your relatives; therefore expect only trouble from them. This is Einstein’s revised theory of relativity ...


pot_and_kettle's picture

why do I envision Chigurh tracking the transponder through the Texas night...

SWRichmond's picture

They hate us for our freedom.

No, really.

Hammer of Light's picture

Post of 2017 so far! 10k x upvotes!

buttmint's picture

No Country for Old Men.....filmed entirely around Santa Fe, Albuquerque and Las Vegas, New Mexico.

Haunting movie.....

greenskeeper carl's picture

Maybe I'm a simpleton and don't understand this, but these water marks are digital, right? As in aren't apparent on a printed out document? If that's the case, wouldn't someone simply load the documents onto a non internet connected computer and printer, print them out, scan them, and release them with out being able to trace it?

Looney's picture


A Simpleton you ain’t.

All scanners, faxes, images, and printers have had their “embedded tracking” features for years.

A printer leaves a tiny invisible mark on every page.

If you really want to print something, you need an old, pre-9/11 printer, something like HP4 Series.


takeaction's picture

That is so funny that you mentioned that.  I am using the HP4000   It has been the best laser printer for all of these years.  What piece of electronics works that good nowadays.  Purchased in 1997.  Laserjet 4000.  Still works perfect...have used everyday for 20 years.  Did I have this hooked to my Commodore?  No  that was the MPS-803 dot matrix.  I am getting old...Yikes.

JRobby's picture

Purchased before HP decided "they had to compete". Cheap China junk has taken the day.

Apparently, all the ink is manufactured in Switzerland?

XqWretch's picture

Why even worry about it? They can always just frame you

Ace006's picture

I paid $400 for an Apple II+ floppy disk drive in 1984. What, 115K? This year i bought? a 2T external drive for $80.

cheech_wizard's picture

"Bloatware", no longer just for Microsoft software...


Nobody For President's picture

Apple II floppies (IBM compatible also) were 360K...

But yeah, I bought a 1 terabyte external drive for back up last year for ~$100.


man from glad's picture

I had one of those MPS-803's too. Loved the sound they made!

replaceme's picture

I'd seen the part about printers making marks on documents a couple years back, have to believe that just gets more and more invasive. Add to that the internal storage on the device, and I'd guess the sky's the limit as to what's tracked there. Network user, IP, time, mods to document, maybe its history, travels - I wouldn't be shocked by any of that.

Ace006's picture

Is the mark like a serial number or does the investigator have to have physical custody of a printer and a  suspect document to see if a page printed fresh has thw same secret mark?

If my tires have unique road wear or damage and their tracks are found at the crime scene I'm safe if the cops don't know which of 15,000,000 cars to check.

A source on this secret mark phenomenon?

seek's picture

It's a serial number. You can actually see the patterns if you look closely. It's why your printer will run out of yellow ink printing black and white text documents -- it sprinkles a sparse scattering of seemingly random single drops if ink that aren't visible if you don't look for them, but the drop pattern is deterministic, and the printer's serial number can be found from them.

There are number of sources on printer steganography. It's a big enough problem the EFF keeps track of who's doing it.

It also works the other way, many software makers were forced into detecting the "EURion" anti-counterfiting pattern and cease working if they see it.

techpriest's picture

Based on what I'm reading, here's what's happening:

The technology looks very much like the "tracking pixel" in most web sites. for example, when you open an email with a tracking pixel, and you have given your email permission to load external content, your mail program attempts to load the "image" (1 pixel x 1 pixel transparent image), which is usually a .gif, located on a server, with a load of query parameters.

In order to load it, your mail program has to contact the server with the pixel URL, and at that point the server records the data of your request. This typically includes your IP (much like a "return address" for a letter), user-agent (info about the program that sent the request), the exact URL requested, and if you added some data to the request, it will include that too. This is how the HTTP protocol works, and the tracking pixel method is very standard for things like tracking email opens, etc.

Maybe I'm missing something, but basically what they are saying is, they have a program to put tracking pixels into documents, so that every open is recorded.

In that case, a throwaway Linux laptop with no internet connection is recommended. Also, a log reader that checks for unexpected outbound requests, at which point you torch the laptop and toss it into the nearest dumpster. Of course, if that's all it is, then I'm actually kinda disappointed. This isn't super spy tech.

mkkby's picture

Snowden had his journalist contacts use a computer that is never to be connected to any local network or the internet.  You read the files on that.  The computer runs a version of linux that always starts with a fresh copy.  You don't have to discard the computer if you only use it as a reader.

He also had them leave all phones/electronics outside when they met in person.  The reason for that should be obvious.

Seeing Red's picture

I think it's worse than that.  Say a bunch of people in the CIA and/or NSA get copies of a sensitive document with unique watermarks (details are obviously kept in a log file).  If the document ever goes into the wild (say to Wikileaks), then there's a pretty clear indication of who leaked it.  Hopefully Wikileaks can sterilize their docs to remove these fingerprints.

Of course, what will eventually happen is someone will come up with a sneakier way to embed the watermarks, like innocous-looking font, spelling, or punctuation errors.  Hell, even 'random' extra spaces  would work.

techpriest's picture

This sort of tech would not be visible to the end user. For example, when you see bold text, it is really the plain text, wrapped in XML data that instructs Word to make the text bold. There is a great deal of other information in the document, invisible to you, known as "metadata" which contains a lot of information about the document. In this case, instead of "author=Agent 1" , the XML might look like "author=try(get(, except(Agent 1)," and Word would attempt to get the URL to see who the author is without you ever knowing.

What would be interesting is if the metadata included an access log on tracked machines, with an AI analyzing for behavioral patterns that would imply a leaker. This wouldn't require the simple "gotcha" of Wikileaks opening a tracked file, or a file with the identifying XML. I bet that CS departments are being offered grant money for this type of research as we speak.

Seeing Red's picture

Interesting -- quite a rabbit hole here.  This can get into "pre-crime" thought-police even ... yikes.

Hold on, someone's at the doo

BigJim's picture

Export the document as ACSII text.

Do a global replacement of multiple spaces to one space - it would be possible to have double spaces "randomly" dotted throughout the document that would actually identify seemingly "identical" instances of a particular document.


philipat's picture

Another example of the Land of the Free. That technology was introduced ostensibly to prevent folks from copying Green paper (a/k/a banknotes). Only The Fed is allowed to counterfeit currency....

r0mulus's picture

It sounds like digital watermarks that call back to some remote server when the content is loaded. I believe this is a lot like the tracking pixels that are scattered on nearly every webpage- you load the page, it calls to homebase to load a 1 px image, and logs your IP and metadata for ??? purposes.

Well, there are firewalls and port-blockers for nasty little things like that... If one wanted to be safe, one should probably use open-souce linux too so that one could be sure none of their inserted backdoors in mac or win systems are being used to bypass transport layer security.

If it was just document watermarks, surely you can just do the gold old fashioned make a screenshot method to circumvent that.

Tracking pixels have been around for awhile- it's pretty much why ghostery was originally invented. People should really be browing with noscript and umatrix in order to combat those kind of things.

espirit's picture


Prolly an IP tracer activated when a file is accessed from the database.


That’s how I’d do it.




giovanni_f's picture

It is good that a man is in charge who appointed Nikki Haley as UN ambassador, a Goldmann Sachs mole as treasury secretary and who supports Julian Assange to be indicted for a public service the cum-swallowing-media have been denying to us and which helped him become the dept ceiling extender in chief.


BennyBoy's picture


MS is the CIA/NSA and has been for decades.

hedgeless_horseman's picture


Sure, but...

The Deep State runs best on Oracle.™

giovanni_f's picture

Teradata for complex joins over many entities

Bob's picture

Funny, just got the film in the mail this morning after a very long wait.

shovelhead's picture

Why, this needs a .Gov petition...



victoriamproletari's picture

Yes petition trump to pardn snowden. He has a great record of integrity and honoring his promises.

Why not ask him to fuck Ivanka? Same result but thats worth holding.hope.out for...

hedgeless_horseman's picture


Because, like most of us, Donald Trump very much wants to be liked by others.

If enough Americans ask him, then I believe he will do it.

Also, like #15 in the Revolutionary Call to Arms, it is an exercise in courage, as the contact form requires a name, address, and telephone number, as if "they" don't already have it.  

As Goebbels understood, the fear that a list is being kept is far more powerful than anything that is actually done with the list.

hongdo's picture

Thanks for the donation link.  Hope it's not a front with a web bug.

hedgeless_horseman's picture


Abandon such hope.

It is all bugged.

Everything is tracked.

"You have zero privacy anyway. Get over it."


Scott McNealy
Chairman and Founder of Sun Microsystems


The idea is to get yourself to the point where your love of liberty is greater than your fear of tyranny.

This can help...

silvercity's picture

Your liberty and privacy is being destroyed by your neighbors who elect such representatives because your neighbors do not want you to be free to do things that your neighbors don't believe you should be allowed to do. It has always been so in every tribe/peoples all over the world. The weakness of libertarianism is that libertarians believe The Lie, that is, that people love liberty. Sorry, people love slavery which is why they will not allow a libertarian to save them. If you love liberty for yourself and your neighbor, all you can do is practice that as best you can and perhaps convert a neighbor by your behavour. 

Troy Ounce's picture


Microsoft in any case is part of Pentagon, like Google, Apple and Facebook.

Time to ditch this shit.

TeethVillage88s's picture

And AT&T and other Phone companies.

English herbsman's picture

I did it when Microsoft decided to give the world a free, forced OS. 

A company like that doesn't give anything free without a reason. 

techpriest's picture

All I'm saying is, Xubuntu 16.04 is screaming fast, and LibreOffice is just as good for 95% of what you do. I can also do recordings just fine with Open Broadcaster while cutting video in KDEnlive, images in GIMP, and audio with Audacity.

There's a learning curve, but its getting smaller every day, and until you get to the extreme high end, open source software will suffice for what you are doing.

Curiously_Crazy's picture

A Ubuntu derivative? Tell me you jest.

Ubuntu has been becoming more and more like M$ over the past several years. You know it uses trackers right? Have a read into how it forced those that use it as a base (Mint etc) into bullshit licencing terms.

Go vanilla Debian.

I never saw the attraction of Ubuntu from the onset when it was very first released and a story on slashdot provided free CD's (as many as you wanted. I got 10 sent to me for free). I tried it out and was sorta 'Meh'. Most slashdot users agreed. If anything it's been nothing more than a marketing miracle.

Disclaimer: Linux only user since '96 (thanks Slackware)

Zarbo's picture

One more blazing reason to not use Microsoft Office.  Go LibreOffice.

XqWretch's picture

Next up: "The Assange Ass Raper" Man our fucking president is pathetic. What a dissapointment, going after these guys...

Killtruck's picture

XqWretch - 2 years, 31 weeks on the Hedge.