How Elon Musk Says He Catches Leakers at His Companies

Musk has boasted of entrapping a Tesla leaker by watermarking emails, and he is threatening any dissidents still at Twitter.

Elon Musk and Twitter logo in a photo illustration, on Nov. 30, 2022. Photo: STR/NurPhoto via Getty Images

In 2008, the Silicon Valley-focused blog Valleywag published a letter from a “Tesla insider” stating that the company only had about $9 million in cash on hand. Four days later, a Tesla employee apologized for writing the letter. When recently asked on Twitter how Tesla identified the leaker, Musk responded that “we sent what appeared to be identical emails to all, but each was actually coded with either one or two spaces between sentences, forming a binary signature that identified the leaker.”

Curiously, Musk’s recollection of how the Tesla leaker was caught is different from an account provided by Ashlee Vance in his 2015 biography, “Elon Musk: Tesla, SpaceX, and the Quest for a Fantastic Future.” Vance states that Musk retyped the letter into a Word document, printed it, and then looked through printer logs to find who else had printed a document of the same size. Though a retyped document is unlikely to be byte-for-byte identical to the original letter, given the fluctuations in file size based on metadata and the like, the recreated letter would nonetheless be of comparable size, plausibly giving Musk a ballpark size to look for when auditing printer logs.

But there are yet other accounts of how the leaker was caught. The Sunday Times and Gawker, for instance, both reported that the leak investigation involved taking fingerprints from a printout near a copier, though neither publication explained how the fingerprints were used to identify a leaker. Those accounts raise the curious question of how Tesla or its investigators might have had access to employee fingerprint records.

Regardless of the particular methods used to identify the Tesla leaker, and whether Musk is indulging in a spot of parallel construction, the key takeaway for leakers at Musk’s newest and chaotic company, Twitter, is that they should not print out (or even compose) letters using company resources.

To begin with, a wide array of document watermarking measures can identify the source of a leak. That’s why leakers and publishers need to figure out whether a given document is unique and whether it is safe to publish the document itself — or maybe, in the interest of protecting the source, not publish or even write about the document at all.

The notion of uniquely fingerprinting or watermarking each version of a digital text using various spacing modifications is not particularly new. It has been discussed since at least the early 1990s, with research building on general fingerprinting literature from the early 1980s. Ironically, one of the original proposed applications of document watermarking was to protect newspaper and magazine articles from unauthorized distribution.

Every spatial element of a document — including the spacing between characters, words, sentences, and paragraphs — can be modified in every version to form a unique signature that identifies the recipient of that particular document. For instance, a version of a document sent to one person could have slight variations in the distance between certain characters, words, sentences, or paragraphs that uniquely differentiate the document from a version sent to another person with ever-so-slightly different spacings.

As Musk pointed out, a very primitive spatial watermarking scheme could code a single space after a sentence as a ‘0’, and a double space as a ‘1’, resulting in a “binary signature.” If every copy of an email has a unique spacing pattern, an organization can determine the specific recipient of a leaked email.

Of course, the number of possible unique watermarks depends on the size of the available text, but that size doesn’t need to be large for the watermarking scheme to be sufficient. In the basic watermarking approach described by Musk, the number of possible unique emails doubles for every added sentence. A two-sentence email could have four unique permutations: both sentences having a double space, both having a single space, or one having a single space and the other a double space, and so on. A nine-sentence email could have up to 512 such permutations — and that would be more than enough to uniquely identify every Tesla staff member as of October 2008, when the company reportedly had under 400 employees. It should likewise be kept in mind that in a more complex spacing watermark scheme, seemingly errant spaces could also be introduced between words or even between characters, under the veneer of being typos, which would greatly increase the number of possible unique permutations even for a modest body of text.
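The single-space/double-space scheme and its capacity, written out as an added Python example (not code from Musk, Tesla, or the original article). The function names, the sample memo, and the recipient number 397 are constructed for illustration; the sketch treats any run of spaces after ".", "!" or "?" as one bit, and the sample ends with a sign-off so that each of its nine sentences is followed by a gap.

```python
import re

# A gap is the run of spaces that follows sentence-ending punctuation.
BOUNDARY = re.compile(r"(?<=[.!?]) +")

# Constructed sample: nine sentences followed by a sign-off, so nine gaps.
SAMPLE = ("The quarter closed on schedule. Cash is tighter than planned. "
          "We will delay two hires. Travel needs approval. "
          "The roadmap is unchanged. Suppliers were paid on time. "
          "Please keep this internal. Questions go to your manager. "
          "More detail follows next week. Thanks")

def capacity(text):
    """Number of gaps, i.e. how many bits the text can carry."""
    return len(BOUNDARY.findall(text))

def embed(text, recipient_id):
    """Return a copy whose gaps spell recipient_id in binary, high bit first."""
    bits = capacity(text)
    if not 0 <= recipient_id < 2 ** bits:
        raise ValueError(f"{bits} gaps can only encode ids below {2 ** bits}")
    pattern = iter(format(recipient_id, "b").zfill(bits))
    # Single space encodes 0, double space encodes 1.
    return BOUNDARY.sub(lambda m: "  " if next(pattern) == "1" else " ", text)

def extract(text):
    """Read the signature back out of a copy of the text."""
    gaps = BOUNDARY.findall(text)
    if not gaps:
        return 0
    return int("".join("1" if len(g) >= 2 else "0" for g in gaps), 2)

def normalize(text):
    """Collapse every gap to one space, as retyping the text would."""
    return BOUNDARY.sub(" ", text)

if __name__ == "__main__":
    marked = embed(SAMPLE, 397)  # 397 is a constructed recipient number
    print(capacity(SAMPLE), "gaps ->", 2 ** capacity(SAMPLE), "distinct copies")
    print("signature read from marked copy:", extract(marked))
    print("signature after normalizing:", extract(normalize(marked)))
```
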

The rub is that if an organization has hundreds or thousands of staff, it would need to create a watermarking (and accompanying distribution) system to match. This system could involve having the sender manually modify each email, or it could be an automated system that creates unique permutations of a given text and keeps track of which employee is assigned each permutation.

This leads to a basic check that would-be leakers should apply prior to sharing an email or a document. Was the email sent to an individual email address or to a group email address? If the email was sent to a group address, is this an address that’s been used before, or is the address slightly off, perhaps including a stray character or number?

If an email was sent to an individual address, the chances are higher that it could be watermarked. However, an email can be watermarked even if sent to a group address. For instance, a sophisticated (and hypothetical) system could modify the membership of a group email address to only contain a single recipient for each permutation of an email. The group membership is temporarily modified to remove everyone but a single staff member who is sent a uniquely watermarked version of an email. That staff member is then removed from the group membership and another staffer is added who receives a different version, then that staffer is deleted and another is added who receives yet another version — and on and on the ruse goes until all staff receive an email that appears to have been sent to a group, but which in fact is unique to each staffer. Staff may be prone to thinking that the email they received is safe to leak, since it was sent to a group email address, though the emails are in fact individually marked.

Thus, receiving an email sent to what appears to be a group email address is not a guarantee that an email hasn’t been individually watermarked.

Good News, Bad News

Spatial watermarking can be neutralized through manual transcription. Instead of printing or copy-and-pasting a document, a leaker or the publisher of a leaked document can retype a document into plain-text format; this would get rid of spatial watermarks, as well as other techniques such as font-based watermarking, which would entail sending every recipient an email in a slightly different font, or homoglyph watermarking, which replaces certain characters with lookalike characters.

That’s the good news. However, in addition to “open space” watermarks, text can be watermarked via minute syntactic (structural) as well as semantic (word choice) alterations.

For instance, an example of syntactic watermarking arose when the website Genius, which posts and allows users to annotate song lyrics, suspected that Google was taking lyrics from their site and reproducing them in full in its search results (Google was trying to keep users from clicking away to other sites). Genius watermarked their lyrics with variations of straight and curly single-quote characters, which, when translated to Morse code, spelled out the word “red-handed.” When a search for song lyrics on Google turned up the same pattern of punctuation marks, Google was indeed caught red-handed.

It’s also been reported that Musk has used semantic watermarking techniques. As described by Gawker in 2009, “Musk set out to entrap potential leakers by sending each employee a slightly altered version of an email which he expected would get sent to the media.” Each copy of the email used unique word arrangements; for instance some stated “I am,” while others said “I’m.” The watermarking scheme was foiled when Tesla’s general counsel apparently forwarded to everyone in the company his copy of the email, which meant that staff could now compare the version they had received to the lawyer’s version. They could also just leak the lawyer’s version of the email.

This case highlights how semantic watermarking would survive manual transcription, though it can be foiled by comparing multiple copies of a given text. However, if it’s not possible to review multiple copies, and there’s a possibility a document has been semantically watermarked, then it’s best not to reproduce the original document in a story and, ideally, not to quote from it, lest the quotation contain part of the semantic watermark.
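What comparing two copies looks like in practice, as an added Python example (not part of the original article): it lines up two copies token by token and labels each difference as spacing, a lookalike character, or wording. The two copies are constructed samples that reuse the “I am”/“I’m” variation and the straight/curly quote variation described above; the classification rules are an assumption of this sketch.

```python
import difflib
import re

def tokens(text):
    """Split into words and whitespace runs so spacing is compared too."""
    return re.findall(r"\S+|\s+", text)

def classify(a, b):
    """Label one differing span by the kind of mark it could be."""
    if not (a + b).strip():
        return "spacing"
    # Same length, and every differing position involves a non-ASCII
    # character: a curly quote or other lookalike swapped in.
    if len(a) == len(b) and all(
        x == y or not (x.isascii() and y.isascii()) for x, y in zip(a, b)
    ):
        return "lookalike character"
    return "wording"

def compare_copies(copy_a, copy_b):
    """Return (kind, text_in_a, text_in_b) for every place the copies differ."""
    ta, tb = tokens(copy_a), tokens(copy_b)
    matcher = difflib.SequenceMatcher(None, ta, tb, autojunk=False)
    findings = []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag != "equal":
            a, b = "".join(ta[i1:i2]), "".join(tb[j1:j2])
            findings.append((classify(a, b), a, b))
    return findings

# Constructed copies of the same memo as received by two people.
COPY_A = ("I am pleased with the results.  Please don't share this memo. "
          "The plan is final.")
COPY_B = ("I\u2019m pleased with the results. Please don\u2019t share this memo. "
          "The plan is final.")

if __name__ == "__main__":
    for kind, a, b in compare_copies(COPY_A, COPY_B):
        print(f"{kind:20} {a!r} vs {b!r}")
```

An empty result only means these two copies match each other.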

However, the deployment of a so-called canary trap or barium meal test extends beyond spacing or word alterations in documents. Other tactics involve each person at an organization being presented with a unique document or unique piece of information in a document (say, a supposedly new Twitter feature mentioned only to a suspected leaker). In these cases, a story’s reference to a particular document, or a particular item in the document, could identify the leaker. This highlights the crucial importance of obtaining multiple sources to confirm new information in a leaked document – and this may be tricky as revealing the new piece of information to a second source may compromise the original source if the second one mentions it to someone else at the organization.

Ultimately, a variety of strategies can be used to attempt to safeguard a source from watermarking schemes used by Musk or others, ranging from confirming that the same copy of a document was presented to multiple staff, to transcribing the document, to not quoting from the document, to altogether not mentioning a given document. Though organizations may have a variety of tricks up their sleeve, leakers are far from powerless in this dynamic and have a number of techniques at their disposal to foil watermarking measures.

Nonetheless, it’s important to remember that even the best attempts at foiling watermarks are not foolproof guarantees against source identification, as there are other methods of workplace surveillance, including audits of who accessed leaked documents and video footage of employees copying documents. With Musk recently making threats against would-be leakers, it’s now more important than ever to stay vigilant — even if you don’t work at Twitter.
