All of the blame has unfairly been put on The Intercept for Reality Winner’s arrest to paint them as incompetent and scare away potential whistle-blowers. While yellow printer dots are one of the ways to trace the document to the source printer, it's not the only one. Anyhow, in the future The Intercept should consider posting transcribed data from originals they verified for authenticity instead.
It's probably certain that machines with Top Secret access are part of a comprehensive auditing framework which also combines data from mass surveillance on employees. For example, an investigator can run a query for everyone who accessed the file AND who used Tor or started doing so recently from a location tied to them. This is just like how the Harvard student who sent the bomb threat was caught. The circumstantial evidence from this data narrows down the set of suspects and kills any plausible deniability.
She also made a lot of fatal mistakes during and after leaking:
* Searched on her work computer how to evade warnings from auditing systems.
* Spilled the beans on what she did and her planned defense on prison phones (or any phone for that matter).
No one is born knowing good opsec, but I wonder if we missed an opportunity to make our documentation on the topic more accessible to users.