<!--
Copyright:

   {{project_name_long}} Printing and Scanning wiki page Copyright (C) Amnesia <amnesia at boum dot org>
   {{project_name_short}} Printing and Scanning wiki page Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program; if not, write to:

    Free Software Foundation, Inc.
    51 Franklin St, Fifth Floor
    Boston, MA 02110-1301, USA.

On Debian GNU/Linux systems, the complete text of the GNU General Public
License can be found in the /usr/share/common-licenses' directory.

The complete text of the GNU General Public License can also be found online on gnu.org <https://www.gnu.org/licenses/gpl.html>, in {{project_name_short}} virtual machine images in /usr/share/common-licenses/GPL-3 file or on Github <https://github.com/{{project_name_short}}/derivative-maker/blob/master/GPLv3>.
-->
<!--
The {{project_name_short}} Printing and Scanning wiki page is forked from the Tails Office suite, Audio, Printing and scanning page.
-->
{{Header}}
{{#seo:
|description=Effective measures to mitigate the inherent risks associated with using printers and scanners.
|image=Printingandscaning.jpg
}}
[[File:Printingandscaning.jpg|thumb]]
{{intro|
Effective measures to mitigate the inherent risks associated with using printers and scanners.
}}
= Introduction =

Printing is a [https://en.wikipedia.org/wiki/Machine_Identification_Code risky endeavor]. This risk is unrelated to {{project_name_short}} and is a general issue with printers.

The Electronic Frontier Foundation (EFF) notes: <ref>
https://www.eff.org/issues/printers
</ref>

<blockquote>
Imagine that every time you printed a document it automatically included a secret code that could be used to identify the printer - and potentially the person who used it. Sounds like something from an episode of "Alias" right?<br />
<br />
Unfortunately the scenario is not fictional.
</blockquote>

The EFF has confirmed that some color laser printer manufacturers encode identifying information on each page, in an effort to identify counterfeiters. Identifying information contained within forensic tracking codes can include the date, time and printer serial numbers attached to the printout. For instance, a sample [https://w2.eff.org/Privacy/printers/docucolor/docucolor.cgi script] is provided by the EFF which deciphers these forensic dot patterns for the Xerox DocuColor laser printer. <ref>
https://w2.eff.org/Privacy/printers/docucolor/
</ref> The downside for privacy advocates is immediately apparent: this same technique can be used as a common tool for government surveillance.

DEDA (Tracking Dots Extraction, Decoding and Anonymisation toolkit) is a tool for countering the yellow dot watermarking threat. It may be packaged for Debian in the future. <ref>
https://lists.autistici.org/message/20200306.003951.1880c4b4.en.html
</ref> <ref>
https://github.com/dfd-tud/deda
</ref> The technique it uses was criticized by the Metadata Anonymization Toolkit (MAT) developer for using a blacklist and not being a generic solution and recommends using black and white only printers as a safer solution. <ref>
https://lists.autistici.org/message/20200308.154747.1b4d1245.en.html
</ref>

== Safety Principles ==

Workarounds exist for printing materials such as political leaflets safely:

* This [https://www.eff.org/pages/list-printers-which-do-or-do-not-display-tracking-dots page] has compiled a list of printers and whether or not they include forensic watermarking.
* According to MIT, forensic markers are not present in black-and-white print-outs, so long as no color cartridge is present. <ref>
http://seeingyellow.com/
</ref>
* Relying on a USB-Printer bought at a garage sale might be a good option to help maintain anonymity.

Note that these factors only apply to printers under a person's control. If a printer is used that is controlled by an adversary and they want to track down the source printer for particular documents, then color printing can be enforced at all times for this purpose.

Modern printers and scanners are embedded computers with their own dedicated internal storage. It has been discovered that scanned documents are saved by these devices, leaking the handling of sensitive documents. <ref>
https://www.schneier.com/blog/archives/2017/01/photocopier_sec.html
l</ref> One workaround is to use a cell phone that is only used for dedicated anonymous activities to take photos of the material, however this recommendation comes with its own [[Surfing_Posting_Blogging#Photographs|caveats]].

Finally, persons wanting to print anonymously must also consider non-technical issues, such as forensic traces related to physical fingerprints, DNA traces left on materials and so on.

= Mitigating Printing Risk =

{{mbox
| image   = [[File:Ambox_notice.png|40px|alt=Qubes info box]]
| text    = [[Qubes|{{q_project_name_long}}]] only.
}}

== Warnings ==

Pairing {{project_name_short}} with network printers is strongly discouraged. This is because most (if not all) network printing relies upon insecure, unencrypted protocols. This means the documents being printed will likely be visible to attackers who are able to sniff the local network, or who control the (normally untrusted) Qubes NetVM. This is a limitation of modern printers and printing protocols and not something that can be solved by Qubes or any other OS. <ref name=network-printer>
https://github.com/Qubes-Community/Contents/blob/master/docs/configuration/network-printer.md
</ref>

Particular care must be taken in Qubes to mitigate the risk of exposing dom0 to malware -- [[Qubes|{{q_project_name_short}}]] users should utilize a dedicated [https://www.qubes-os.org/doc/how-to-use-usb-devices/ USB qube] when using a USB printer. Further, printer driver plugins should never be installed in a trusted Template! The reason is many driver plugins are [https://en.wikipedia.org/wiki/Proprietary_software proprietary] and most often downloaded from the vendor’s website in the form of ready-to-install packages. However, they are usually unsigned and only made available for download over HTTP connections. If these third-party driver plugins are installed in a trusted Template, the template may be compromised as well as every AppVM based upon it. <ref name=network-printer />

Bearing in mind the risky nature of printing, the threats posed by printer driver plugins can be mitigated via several methods outlined below.

== Install Printer Drivers: TemplateBasedVM ==

{{mbox
| image   = [[File:Ambox_warning_pn.svg.png|40px]]
| text    = '''Warning:''' Some users may be tempted to use the AppVM's root filesystem as a [https://web.archive.org/web/20180315024701/https://www.qubes-os.org/doc/software-update-vm/#note-on-treating-appvms-root-filesystem-non-persistence-as-a-security-feature non-persistent security feature]. However, malware can persist if the AppVM is infected --  all data in the normal user filesystem, <code>/home</code>, <code>/rw</code> and <code>/usr/local</code> survives reboot. It is feasible that advanced malware (or malware specifically targeted at Qubes-based AppVMs) could install its hooks inside the user home directory files only. <ref>
https://web.archive.org/web/20180315024701/https://www.qubes-os.org/doc/software-update-vm/#note-on-treating-appvms-root-filesystem-non-persistence-as-a-security-feature
</ref>
}}

There is no reason to avoid installing software in TemplateBasedVMs. Therefore, it is possible to install the printer drivers in an AppVM which is based on the <code>{{project_name_workstation_template}}</code> template.

# Create an AppVM based on <code>{{project_name_workstation_template}}</code>. The untrusted AppVM should be named so it is not confused with a more trusted VM - for instance <code>anon-printer</code>.
# Install the printer drivers in the <code>anon-printer</code> AppVM. Use Tor Browser or konsole to download the necessary drivers; see [[Install Software|Install Software]] and [[Secure Downloads|Secure Downloads]] for more advice.
# Once the drivers are installed, use the <code>anon-printer</code> AppVM for printing. Do not use it for any other sensitive activity!
# Optional: Minimize the risk of user mistakes persisting to the next printing session. Once printing is complete, shutdown the <code>anon-printer</code> VM and [https://dev.qubes-os.org/projects/core-admin-client/en/latest/manpages/qvm-remove.html remove] it from the system. When further printing is required, repeat steps 1-3 to recreate another <code>anon-printer</code> AppVM.

== Install Printer Drivers: TemplateBasedVM with Selective Persistence ==

Using selective [https://www.qubes-os.org/doc/bind-dirs/ bind-dirs] persistence is currently undocumented. Further research is required to ascertain which files require persistence across VM reboots. This task would also be difficult.

== Install Printer Drivers: StandaloneVM ==

# Create a [https://www.qubes-os.org/doc/standalones-and-hvms/#creating-a-standalone Standalone] {{project_name_workstation_long}} VM. The untrusted Standalone VM should be named so it is not confused with a more trusted VM - for instance <code>anon-printer</code>.
# Install the printer drivers as per normal procedures. Use Tor Browser or konsole to download the drivers.
# Once the drivers are installed, use the Standalone <code>anon-printer</code> VM for printing. Do not use this VM for any other sensitive activity because printer driver plugins can pose a serious risk to security and anonymity.

= Footnotes =
{{reflist|close=1}}

= License =
{{License_Amnesia|{{FULLPAGENAME}}}}

{{Footer}}

[[Category:Documentation]]