On the 28th of April 2017 Wikileaks published a new batch from their Vault 7 leaks, exposing the documentation and source code for a CIA project known as “Scribbles.”
The software has been touted as the ‘Snowden stopper’, in reference to the NSA whistleblower who became a thorn in the side of the US intelligence community back in 2013. And with good reason.
Scribbles is a tool for CIA publishers to trace the destination of a document and to identify its origin, in order to find out which CIA staff member is culpable for a leak.
It achieves this by inserting a web-beacon style watermark into the document. Microsoft Office allows rich content such as embedded remote tags to load by default, and so opening the document would automatically ping identifying details such as the user’s IP address and Microsoft licence back to a central server.
Each CIA publisher is assigned a unique watermark ID which is logged before the document is published and shared. When the document is opened by an unexpected end-user and this data is pinged back to the CIA, it is possible to view the watermark’s log files to find the source of the leak within the CIA.
In the software user guide they are quick to point out that Scribbles only functions on Microsoft Word and that opening the document in a different word processor such as OpenOffice or LibreOffice might make the watermark ‘visible to the end user’.
The software is not particularly sophisticated; essentially it’s just a bespoke CIA variant of existing commercial digital rights management software such as DocTrack by IntraLinks.
However, it does provide an interesting glimpse into the rearrangement of the US Intelligence Community’s security protocol in a post-Snowden environment.
The CIA and NSA went through a stage in the mid-2000s when they were increasingly outsourcing much of their work to private firms, the most notable of which, Booz Allen Hamilton, produced Edward Snowden and Harold T. Martin.
Martin stole terabytes of NSA malware for personal use – most likely selling it over the dark net, considering the size of the market – rather than intending to become a whistleblower like Snowden. He was arrested six months after the user guide for Scribbles was published. It is currently unknown whether the software played any part in identifying Martin as the source of the data breach.
The CIA’s increased efforts to prevent whistleblowers releasing confidential information haven’t helped them find the source of Vault 7, which has become the largest ever leak of CIA data in their 70-year history.
The CIA claim to have discovered the leak of files, which was later dubbed Vault 7, towards the end of 2016. A criminal case was opened two days after Wikileaks published the first tranche of data, described as “another major mole hunt” by an insider.
In a sign of increased aggression towards the transparency organisation, Mike Pompeo claimed in his first public comments as head of the CIA that Wikileaks is “a non-state hostile intelligence service often abetted by state actors like Russia” and called founder Julian Assange a “demon.”
Hundreds of possible suspects have been investigated, but in this case the CIA still haven’t found their ‘traitor’.