Less than two weeks ago, Supreme Court investigators looking into the leak of the Dobbs v. Jackson Women’s Health Organization draft opinion had reportedly “narrowed their inquiry to a small number of suspects.” Ten days after that news, the Supreme Court issued a report stating that the investigation had in fact failed to determine who was behind the draft opinion leak.
The public report provides insights into the investigative process undertaken by the court, identifies a number of inadequate security controls, and provides recommendations to remedy the problems. That means the report is doubly instructive for would-be future leakers: It provides both a list of successful operational security techniques leakers may have employed to evade detection, as well as, thanks to the recommendations, forward-looking lessons on pitfalls to avoid in the future.
The investigation team used a number of techniques to attempt to identify the leaker, all of which proved to be dead ends.
They examined all available printer logs but found that Court printers have limited logging capabilities. The team also investigated email logs to determine if anyone had emailed the opinion draft to a third party; while staff had emailed copies of the draft to others on staff, there was no evidence that the opinion draft was emailed to anyone else.
The investigation looked not just at court-issued devices, but also at call and text records as well as billing statements of employees’ personal devices. Though the team reported that the court’s logging was rudimentary and thus did not yield any results that could identify a leaker, the key takeaway for future leakers is that much like organization-provided devices, personal devices should likewise not be used in the service of leaking. Instead, the principle of one-time use should be adopted: Temporary devices should be safely acquired and used for acquisition and dissemination of leak materials, after which the device should promptly be disposed of by secure means.
Court investigators paid particular attention to reviewing the legal search histories conducted by staff, aiming to “determine whether an employee might have researched the legality of disclosing confidential case-related information.” Notably, the investigation team obtained this legal search history “directly from the service providers.” Though it’s not clear which search providers were examined, the report could be referring to subscription databases like LexisNexis, highlighting the fact that leakers should be careful to avoid using third-party services, as a leak investigation may seek to obtain records from them. The report doesn’t state whether the investigative team subpoenaed the service providers, whether the providers shared the search histories without a subpoena, or whether investigators were able to view the histories through internal means like staff or administrative accounts, or invoices from the search providers that could include itemized search terms.
▄ ▄ ▄ ▄ ▄ ▄ ▄ ▄ ▄ ▄ ▄ ▄ ▄ ▄ ▄ ▄ ▄ ▄ ▄ ▄ ▄ ▄ ▄ ▄ ▄ ▄ ▄ ▄ ▄ ▄ ▄ ▄ ▄ ▄ ▄ ▄ ▄ ▄ ▄ ▄ ▄ ▄ ▄ ▄ ▄
The report said investigators reviewed “the statements and conduct of personnel who displayed attributes associated with insider-threat behavior — violation of confidentiality rules, disgruntled attitude, claimed stressed, anger at the Court’s decision, etc.” In other words, as I predicted when the investigation was launched, the team deployed “sentiment analysis” tactics to attempt to identify disaffected staff (though this line of inquiry ignores the possibility that the draft may have been leaked by someone who supported the opinion). It is thus important for leakers to not display discontentment, either publicly or privately (including via “private messages,” which may not be particularly private).
The investigators sought to determine whether they could identify any connections between court staff and journalists, particularly anyone affiliated with Politico, which first published the draft opinion. This is why it’s important not to have visible contact with reporters; avoid following them on social media and access their contact information ideally using a separate disposable device, or at least not using organization-supplied hardware.
Though investigators analyzed the digital images of the opinion draft published by Politico, comparing it to copies obtained from court photocopiers and printers, they were unable to find anything of “evidentiary value.” In addition to not using company-provided or otherwise trackable devices when producing copies, would-be leakers should consider even going so far as to introduce errant stray markings that may lead investigators down dead ends.
The report mentions that the team analyzed an unspecified “item relevant to the investigation” for fingerprints. While they did find fingerprints with outside assistance, they were unable to match them to “any fingerprints of interest.” The report is curiously vague as to what the item of interest was; it could, for instance, be a rogue USB stick that was found to contain a copy of the opinion. Given that it’s not entirely unusual for leak investigations to sweep for physical prints as well as digital ones — Elon Musk, in his leak investigations at Tesla, also reportedly lifted fingerprints from printouts found near a photocopier — leakers should be careful not to leave any fingerprints when accessing or handling any sensitive materials.
The report makes it a point to state that the detailed recommendations on how to improve court policies and practices will only be shared with the justices and court officers in a private annex, because releasing them to the public “could unwisely expose Court operations and information to potential bad actors.” Nonetheless, the public report does provide a broad list of recommendations that are instructive for future leakers.
The team’s primary finding is that “too many personnel have access to certain Court-sensitive documents” and that there is an “inability to actively track who is handling and accessing these documents.” Though the recommendations from this finding are likely in the private annex, we can assume that the team may suggest the court implement more stringent access controls and tracking mechanisms.
The tracking mechanisms may involve detailed audit logs of which users viewed, copied, printed, or otherwise interacted with a given file, as well as uniquely watermarking versions of files to identify the owner of a given copy of a document, should it be leaked. There are a variety of ways to uniquely fingerprint a document, ranging from modifying the spacing of paragraphs, words, or characters to making slight modifications to the syntactic or semantic structure.
The report also found that “there are inadequate safeguards in place to track the printing and copying of sensitive documents” and that the court should “institute tracking mechanisms using technology that is currently available for this purpose.” Such technologies could include everything from detailed print histories, which log document name and size as well as username and IP address, to a Machine Identification Code embedded as a series of microdots or other watermarks on a printed page, which can identify the source printer as well as the date and time a document was printed.
With those tracking mechanisms in place, a leaker would need to avoid printing or photocopying documents using organization-provided hardware. To err still further on the side of safety, if physical copies need to be made, a device that can be linked to the leaker, like a home printer, should be avoided, and instead a device should only be used for the purposes of producing the leaked document (whether via printing or taking a photo) and then promptly and safely disposed of.
The court investigators may have failed to identify the source of the leaked opinion draft, but their report does help future leakers better protect their own identities.