DOJ just filed charges against an NSA contractor who mailed a document to The Intercept. A related application for a search warrant shows that they were identified by examination of the creases in the scan posted online, access logs, and email metadata:
14) The U.S. Government Agency examined the document shared by the News Outlet and determined the pages of the intelligence reporting appeared to be folded and/or creased, suggesting they had been printed and hand-carried out of a secured space.
15) The U.S. Government Agency conducted an internal audit to determine who accessed the intelligence reporting since its publication. The U.S. Government Agency determined that six individuals printed this reporting. These six individuals included WINNER. A further audit of the six individuals' desk computers revealed that WINNER had e-mail contact with the News Outlet. The audit did not reveal that any of the other individuals had e-mail contact with the News Outlet.
via this tweet
One could take multiple lessons from this. One would be: don't email reporters from work! Unfortunately, you have to think of that before you decide to leak.
- Jonathan