Posts

10 Years of emptywheel: Key Non-Surveillance Posts 2013-2015

Happy Birthday to me! To us! To the emptywheel community!

On December 3, 2007, emptywheel first posted as a distinct website. That makes us, me, we, ten today.

To celebrate, over the next few days, the emptywheel team will be sharing some of our favorite work from the last decade. I’ll be doing 4 posts featuring some of my most important or — in my opinion — resilient non-surveillance posts, plus a separate post bringing together some of my most important surveillance work. I think everyone else is teeing up their favorites, too.

Putting together these posts has been a remarkable experience to see where we’ve been and the breadth of what we’ve covered, on top of mainstays like surveillance. I’m really proud of the work I’ve done, and proud of the community we’ve maintained over the years.

For years, we’ve done this content ad free, relying on donations and me doing freelance work for others to fund the stuff you read here. I would make far more if I worked for some free-standing outlet, but I wouldn’t be able to do the weedy, iterative work that I do here, which would amount to not being able to do my best work.

If you’ve found this work valuable — if you’d like to ensure it remains available for the next ten years — please consider supporting the site.

2013

What a Targeted Killing in the US Would Look Like

Amid now-abandoned discussions about using the FISA court to review targeted killing, I pointed out that a targeted killing in the US would look just like the October 28, 2009 killing of Imam Luqman Abdullah.

Article II or AUMF? “A High Level Official” (AKA John Brennan) Says CIA Can Murder You

When the second memo (as opposed to the first 7-page version) used to authorize the killing of Anwar al-Awlaki, it became clear that OLC never really decided whether the killing was done under Article II or the AUMF. That’s important because if it’s the latter, it suggests the President can order anyone killed.

John Brennan Sworn in as CIA Director Using Constitution Lacking Bill of Rights

I know in the Trump era we’re supposed to forget that John Brennan sponsored a whole lot of drone killing and surveillance. But I spent a good deal of the Obama Administration pointing that out. Including by pointing out that the Constitution he swore to protect and defend didn’t have the First, Fourth, Fifth, and Sixth amendment in it.

2014

The Day After Government Catalogs Data NSA Collected on Tsarnaevs, DOJ Refuses to Give Dzhokhar Notice

I actually think it’s unreasonable to expect the government’s dragnets to prevent all attacks. But over and over (including with 9/11), NSA gets a pass when we do reviews of why an attack was missed. This post lays out how that happened in the Boston Marathon case. A follow-up continued that analysis.

A Guide to John Rizzo’s Lies, For Lazy Journalists

Former CIA General Counsel John Rizzo lies, a lot. But that doesn’t seem to lead journalists to treat his claims skeptically, nor did it prevent them from taking his memoir as a statement of fact. In this post I summarized all the lies he told in the first 10 pages of it.

Obama to Release OLC Memo after Only 24 Congressional Requests from 31 Members of Congress

Over the year and a half when one after another member of Congress asked for the OLC memos that authorized the drone execution of Anwar al-Awlaki, I tracked all those requests. This was the last post, summarizing all of them.

The West’s Ideological Vacuum

With the rise of Trump and the success of Russia intervening in US and European politics, I’ve been talking about how the failures of US neoliberal ideology created a vacuum to allow those things to happen. But I’ve been talking about the failures of our ideology for longer than that, here in a post on ISIS.

KSM Had the CIA Believing in Black Muslim Convert Jihadist Arsonists in Montana for 3 Months

There weren’t a huge number of huge surprises in the SSCI Torture Report for me (indeed, its scope left out some details about the involvement of the White House I had previously covered). But it did include a lot of details that really illustrate the stupidity of the torture program. None was more pathetic than the revelation that KSM had the CIA convinced that he was recruiting black Muslim converts to use arson in Montana.

2015

The Jeffrey Sterling Trial: Merlin Meets Curveball

A big part of the Jeffrey Sterling trial was CIA theater, with far more rigorous protection for 10 year old sources and methods than given to 4 year old Presidential Daily Briefs in the Scooter Libby trial. Both sides seemed aware that the theater was part of an attempt, in part, to help the CIA gets its reputation back after the Iraq War debacle. Except that the actual evidence presented at trial showed CIA was up to the same old tricks. That didn’t help Sterling at all. But neither did it help CIA as much as government prosecutors claimed.

The Real Story Behind 2014 Indictment of Chinese Hackers: Ben Rhodes Moves the IP Theft Goal Posts

I’ve written a lot about the first indictment of nation-state hackers — People’s Liberation Army hackers who compromised some mostly Pittsburgh located entities, including the US Steel Workers. Contrary to virtually all the reporting on the indictment, the indictment pertained to things we nation-state hack for too: predominantly, spying on negotiations. The sole exception involves the theft of some nuclear technology from Westinghouse that might have otherwise been dealt to China as part of a technology transfer arrangement.

Obama’s Terrorism Cancer Speech, Carter’s Malaise Speech

In response to a horrible Obama speech capitulating to Republican demands he treat the San Bernardino attack specially, as Islamic terrorism, I compared the speech to Jimmy Carter’s malaise speech. Along the way, I noted that Carter signed the finding to train the mujahadeen at almost the exactly moment he gave the malaise speech. The trajectory of America has never been the same since.

Other Key Posts Threads

10 Years of emptywheel: Key Non-Surveillance Posts 2008-2010

10 Years of emptywheel: Key Non-Surveillance Posts 2011-2012

Dzhokhar Tsarnaev’s Yahoo Warrant

The government has started unsealing a bunch of previously sealed documents from the Boston Marathon investigation. In this post I wanted to comment on a motion to suppress the evidence from a Yahoo, Google, and computer search.

There are two interesting details in it. The FBI got a warrant for both Tsarnaev brothers’ Yahoo email on April 19, 2013, while Dzhokhar was still bleeding out in a boat in Watertown. The warrant basically got everything connected with the account, and then permitted the government to search both the contents and metadata for a list of things:

1. All communications between or among Tamerian [sic] Tsarnaev and Dzhokhar Tsarnaev;

2. All communications pertaining to the Boston Marathon, explosives, bombs, the making of improvised explosive devices, firearms, and potential people and places against which to use firearms, explosives or other destructive devices.;

3. The identity of the person or persons who have owned or operated the [email protected] and [email protected] e-mail accounts or any associated e-mail accounts;

4. The data described in paragraphs II(A)(3)-(5), above [i.e., the contents of all electronic data files, whether word-processing, spreadsheet, image, video, or any other content, calendar data, and lists of friends, buddies, contacts, or other subscribers].

6. [sic] The existence and identity of any co-conspirators;

7. The travel or whereabouts of the person or persons who have owned or operated the [email protected] and [email protected] e-mail accounts or any associated email accounts;

8. The identity, location, and ownership of any computers used to access these e-mail accounts;

9. Other e-mail or Internet accounts providing Internet access or remote data storage or e-commerce accounts;

10.The existence or location of physical media storing electronic data, such as hard drives, CD- or DVD-ROMs, or thumb drives; and

11.The existence or location of paper print-outs of any data from any of the above.

The motion went on to explain that item 4, above, included the following:

3. The contents of all electronic data files, whether word-processing, spreadsheet, image, video, or any other content;

4. The contents of all calendar data;

5. Lists of friends, buddies, contacts, or other subscribers.

I’m interested in this because the full list — including whatever other items were included in item 4 and whatever was originally numbered 5 — probably resembles what the government would get from Yahoo under PRISM, and therefore answers questions I raised in this post about how the government requests under PRISM to Yahoo expanded between August 2007 and January 2008. The calendar and buddy lists are unsurprising (indeed, we know NSA used to steal that stuff in the clear). But I’m also interested in how many of the initial list address hardware, which suggests one thing they’re likely getting under PRISM is mapping of such hardware. Also note the location-data of both the person using the account and the hardware associated with its use.

The other interesting detail is that the government didn’t go after Dzhokhar’s other Internet accounts until July 3, 2013, after he’d already been indicted.

On July 3, 2013, after the grand jury had returned its indictment against Mr. Tsarnaev, the government sought search warrants for multiple providers, including Google, Facebook, YouTube, Twitter, Instagram, and Skype.

The motion doesn’t say whether or not the government had already obtained the call detail records from these accounts, which it could have gotten with an administrative subpoena. It also doesn’t include Vkontakte (which would have required an MLAT process), which both brothers used.

I’m most interested in this, however, because it means the government didn’t go after Skype until over two months into the investigation. Remember: Dzhokhar had relied entirely on Skype for his “calling” for several weeks leading up to the attack, between the time his iPhone got shut down and the time he got a burner for use in the attack. So I find the delay of interest.

Of course, these Internet communications platforms are all things we believe the government dragnets the metadata of overseas.  I assume they got call detail records using an Administrative subpoena, but technically it’s the kind of thing they might not have needed to do.

Update: Nick Weaver pulled the warrant itself. Here’s the section on connection logs.

User connection logs for any connections to or from these and any associated e-mail accounts, including:

a. Connection time and date;

b. Disconnect time and date;

c. The IP address that was used when the user connected to the service;

d. Source and destination of any e-mail messages sent from or received by the account, and the date, time, and length of the message; and

e. Any address to which e-mail was or is to be forwarded from the account or e-mail address.

Update: Here’s a list of what has been released so far. Fox says they’ll update as things get unsealed here.

What We Know about the Section 215 Phone Dragnet and Location Data

Last month’s squabble between Marco Rubio and Ted Cruz about USA Freedom Act led a number of USAF boosters to belatedly understand what I’ve been writing for years: that USAF expanded the universe of people whose records would be collected under the program, and would therefore expose more completely innocent people, along with more potential suspects, to the full analytical tradecraft of the NSA, indefinitely.

In an attempt to explain why that might be so, Julian Sanchez wrote this post, focusing on the limits on location data collection that restricted cell phone collection. Sanchez ignores two other likely factors — the probable inclusion of Internet phone calls and the ability to do certain kinds of connection chaining — that mark key new functionalities in the program which would have posed difficulties prior to USAF. But he also misses a lot of the public facts about location collection and cell phones under the Section 215 dragnet.  This post will lay those out.

The short version is this: the FISC appears to have imposed some limits on prospective cell location collection under Section 215 even as the phone dragnet moved over to it, and it was not until August 2011 that NSA started collecting cell phone records — stripped of location — from AT&T under Section 215 collection rules. The NSA was clearly getting “domestic” records from cell phones prior to that point, though it’s possible they weren’t coming from Section 215 data. Indeed, the only known “successes” of the phone dragnet — Basaaly Moalin and Adis Medunjanin — identified cell phones. It’s not clear whether those came from EO 12333, secondary database information that didn’t include location, or something else.

Here’s the more detailed explanation, along with a timeline of key dates:

There is significant circumstantial evidence that by February 17, 2006 — two months before the FISA Court approved the use of Section 215 of the PATRIOT Act to aspire to collect all Americans’ phone records — the FISA Court required briefing on the use of “hybrid” requests to get real-time location data from targets using a FISA Pen Register together with a Section 215 order. The move appears to have been a reaction to a series of magistrates’ rulings against a parallel practice in criminal cases. The briefing order came in advance of the 2006 PATRIOT Act reauthorization going into effect, which newly limited Section 215 requests to things that could be obtained with a grand jury subpoena. Because some courts had required more than a subpoena to obtain location, it appears, FISC reviewed the practice in the FISC — and, given the BR/PR numbers reported in IG Reports, ended, sometime before the end of 2006 though not immediately.

The FISC taking notice of criminal rulings and restricting FISC-authorized collection accordingly would be consistent with information provided in response to a January 2014 Ron Wyden query about what standards the FBI uses for obtaining location data under FISA. To get historic data (at least according to the letter), FBI used a 215 order at that point. But because some district courts (this was written in 2014, before some states and circuits had weighed in on prospective location collection, not to mention the 11th circuit ruling on historical location data under US v. Davis) require a warrant, “the FBI elects to seek prospective CSLI pursuant to a full content FISA order, thus matching the higher standard imposed in some U.S. districts.” In other words, as soon as some criminal courts started requiring a warrant, FISC apparently adopted that standard. If FISC continued to adopt criminal precedents, then at least after the first US v. Davis ruling, it would have and might still require a warrant (that is, an individualized FISA order) even for historical cell location data (though Davis did not apply to Stingrays).

FISC doesn’t always adopt the criminal court standard; at least until 2009 and by all appearances still, for example, FISC permits the collection, then minimization, of Post Cut Through Dialed Digits collected using FISA Pen Registers, whereas in the criminal context FBI does not collect PCTDD. But the FISC does take notice of, and respond to — even imposing a higher national security standard than what exists at some district levels — criminal court decisions. So the developments affecting location collection in magistrate, district, and circuit courts would be one limit on the government’s ability to collect location under FISA.

That wouldn’t necessarily prevent NSA from collecting cell records using a Section 215 order, at least until the Davis decision. After all, does that count as historic (a daily collection of records each day) or prospective (the approval to collect data going forward in 90 day approvals)? Plus, given the PCTDD and some other later FISA decisions, it’s possible FISC would have permitted the government to collect but minimize location data. But the decisions in criminal courts likely gave FISC pause, especially considering the magnitude of the production.

Then there’s the chaos of the program up to 2009.

At least between January 2008 and March 2009, and to some degree for the entire period preceding the 2009 clean-up of the phone and Internet dragnets, the NSA was applying EO 12333 standards to FISC-authorized metadata collection. In January 2008, NSA co-mingled 215 and EO 12333 data in either a repository or interface, and when the shit started hitting the fan the next year, analysts were instructed to distinguish the two authorities by date (which would have been useless to do). Not long after this data was co-mingled in 2008, FISC first approved IMEI and IMSI as identifiers for use in Section 215 chaining. In other words, any restrictions on cell collection in this period may have been meaningless, because NSA wasn’t heeding FISC’s restrictions on PATRIOT authorized collection, nor could it distinguish between the data it got under EO 12333 and Section 215.

Few people seem to get this point, but at least during 2008, and probably during the entire period leading up to 2009, there was no appreciable analytical border between where the EO 12333 phone dragnet ended and the Section 215 one began.

There’s no unredacted evidence (aside from the IMEI/IMSI permission) the NSA was collecting cell phone records under Section 215 before the 2009 process, though in 2009, both Sprint and Verizon (even AT&T, though to a much less significant level) had to separate out their entirely foreign collection from their domestic, meaning they were turning over data subject to EO 12333 and Section 215 together for years. That’s also roughly the point when NSA moved toward XML coding of data on intake, clearly identifying where and under what authority it obtained the data. Thus, it’s only from that point forward where (at least according to what we know) the data collected under Section 215 would clearly have adhered to any restrictions imposed on location.

In 2010, the NSA first started experimenting with smaller collections of records including location data at a time when Verizon Wireless was named on primary orders. And we have two separate documents describing what NSA considered its first collection of cell data under Section 215 on August 29, 2011. But it did so only after AT&T had stripped the location data from the records.

It appears Verizon never did the same (indeed, Verizon objected to any request to do so in testimony leading up to USAF’s passage). The telecoms used different methods of delivering call records under the program. In fact, in August 2, 2012, NSA’s IG described the orders as requiring telecoms to produce “certain call detail records (CDRs) or telephony metadata,” which may differentiate records that (which may just be AT&T) got processed before turning over. Also in 2009, part of Verizon ended its contract with the FBI to provide special compliance with NSLs. Both things may have affected Verizon’s ability or willingness to custom what it was delivering to NSA, as compared to AT&T.

All of which suggests that at least Verizon could not or chose not to do what AT&T did: strip location data from its call records. Section 215, before USAF, could only require providers to turn over records they kept, it could not require, as USAF may, provision of records under the form required by the government. Additionally, under Section 215, providers did not get compensated after the first two dragnet orders.

All that said, the dragnet has identified cell phones! In fact, the only known “successes” under Section 215 — the discovery of Basaaly Moalin’s T-Mobile cell phone and the discovery of Adis Medunjanin’s unknown, but believed to be Verizon, cell phone — did, and they are cell phones from companies that didn’t turn over records. In addition, there’s another case, cited in a 2009 Robert Mueller declaration preceding the Medunjanin discovery, that found a US-based cell phone.

There are several possible explanations for that. The first is that these phones were identified based off calls from landlines and/or off backbone records (so the phone number would be identified, but not the cell information). But note that, in the Moalin case, there are no known land lines involved in the presumed chain from Ayro to Moalin.

Another possibility — a very real possibility with some of these — is that the underlying records weren’t collected under Section 215 at all, but were instead collected under EO 12333 (though Moalin’s phone was identified before Michael Mukasey signed off on procedures permitting the chaining through US person records). That’s all the more likely given that all the known hits were collected before the point in 2009 when the FISC started requiring providers to separate out foreign (EO 12333) collection from domestic and international (Section 215) collection. In other words, the Section 215 phone dragnet may have been working swimmingly up until 2009 because NSA was breaking the rules, but as soon as it started abiding by the rules — and adhering to FISC’s increasingly strict limits on cell location data — it all of a sudden became virtually useless given the likelihood that potential terrorism targets would use exclusively cell and/or Internet calls just as they came to bypass telephony lines. Though as that happened, the permissions on tracking US persons via records collected under EO 12333, including doing location analysis, grew far more permissive.

In any case, at least in recent years, it’s clear that by giving notice and adjusting policy to match districts, the FISC and FBI made it very difficult to collect prospective location records under FISA, and therefore absent some means of forcing telecoms to strip their records before turning them over, to collect cell data.

Read more

A Tale of Two Gun Possessions: Dylann Roof and Alexander Ciccolo

Ciccolos GunsI have been wondering whether the FBI has been coy about the ISIS-related arrests they’ve leaked to the press, in part, because those “terrorist plots” look minor compared to the murder, allegedly by Dylann Roof, of nine people at a black church in Charleston. As of four days ago, after all, Jim Comey was still weighing whether the attack on the historic black church by a right wing extremist who had written a manifesto explaining his views is terrorism. Did FBI miss the Charleston terrorism attack because it was focusing so much more closely on potential ISIS attacks? Does it want to avoid calling it terrorism because it would mean they failed to prevent a terrorist attack?

I grew all the more curious when FBI announced that Roof only managed to purchase the gun for the attack because his March admission to possession of drugs in conjunction with a felony [local officials have since corrected the record to reflect a misdemeanor arrest] arrest did not get processed before the 3-day window during which dealers have to wait on background checks.

On April 11, Roof attempted to purchase a handgun from a store in West Columbia, South Carolina, a near suburb of Columbia. That day was a Saturday. On the next business day, April 13, an examiner in our West Virginia facility was assigned the case and began to process it.

Her initial check of Roof’s criminal history showed that he had been arrested in South Carolina March 1 on a felony drug charge. This charge alone is not enough to deny proceeding with the transaction. As a result, this charge required further inquiry of two potential reasons to deny the transaction. First, the person could have been convicted of a felony since the arrest. Second, the underlying facts of the arrest could show the person to be an unlawful drug user or addict.

[snip]

So the court records showed no conviction yet and what she thought were the relevant agencies had no information or hadn’t responded. While she processed the many, many other firearms purchases in her queue, the case remained in “delayed/pending.”

By Thursday, April 16, the case was still listed as “status pending,” so the gun dealer exercised its lawful discretion and transferred the gun to Dylann Roof.

Had the FBI tracked down Roof’s admission to doing drugs before that 3-day window expired, he might not have gotten the gun he used to kill 9 people, and maybe their lives would have been saved. (See this story from today on inaccuracies in the local records on Roof’s arrest.)

The release today of information on Alexander Ciccolo, the estranged son of a Boston cop who is charged with illegal gun purchases but allegedly was planning to conduct an ISIS-inspired attack on a university outside of Massachusetts, makes the comparison of these two alleged aspiring terrorists all the more poignant.

According to the detention memo and reporting from ABC, Ciccolo has had long difficulties with mental illness, and embraced Islam in roughly March 2013. On September 11, 2014, a “close acquaintance” (who may have been his father) reported him to the FBI, when they started monitoring his Facebook. On June 24 (just incidentally, a week after the Charleston attack, but also several weeks after Boston cops shot Usaama Rahim on June 2, and the month after Dzhokhar Tsarnaev (Ciccolo’s father took part in the manhunt for Tsarnaev) got sentenced to death in Massachusetts), an undercover informant (described as a “cooperating witness”) met with Ciccolo face-to-face; it’s unclear how long they had corresponded online first and how discussions of an attack first came up.

The detention memo makes it clear that Ciccolo was discussing attacks designed to inflict maximal casualties and he was modeling them at least partly on the Boston Marathon attack. Ciccolo — a cop’s son — said he had grown up around guns, so on that level, at least, he was probably far more competent than most plotters caught in stings. And while, as with most transcriptions of FBI recordings, this has lapses, the many changes in Ciccolo’s plans, as reported to the informant, makes it sounds like he was driving this plan (but also make him sound mentally ill). So Ciccolo looks like more of a threat than some of the people the FBI has caught in an FBI-planned plot.

That’s why the arrest and timing is interesting. On February 17, 2015, this guy — who was supposedly obsessed with Islam — was convicted of drunken driving, but given probation. That made it illegal for him to possess a gun that had been involved in interstate transit. An affidavit accompanying the detention memo describes that on July 2, after prompting from the informant, Ciccolo responded, “You get the rifles, I’ll get the powder” — though it also said Ciccolo had earlier “planned to rob a gun store to obtain firearms” — which for a number of reasons make the guns one of the dodgy aspects of his sting. On July 3, Ciccolo bought a pressure cooker from WalMart.

But you can’t arrest someone for buying a pressure cooker (at least not yet), especially given that he appears not to have obtained any powder to use in a pressure cooker bomb, given what they found in a search of his place. But you can arrest a felon for possessing guns.

On July 4, the informant gave Ciccolo (the memo says he “took possession of” and there is no mention of money exchanged) four guns, after which the FBI immediately arrested him.

And then the FBI sealed everything up. The docket still appears to be sealed, but he was apparently arraigned on July 6 (after two days), and the detention memo notes that he waived Miranda rights. “After the defendant was arrested, he waived his Miranda rights and spoke to FBI Special Agents Paul Ambrogio and Julia Cowley. The defendant refused to talk about the guns with which he was arrested but he reaffirmed his support for ISIL.”

The local press did report on the FBI’s search, but was denied information until today.

And thus far, at least, they haven’t charged Ciccolo with anything more — material support or a plan to engage in terrorism.

Now, as I have said, given the evidence in the documents released so far, it appears that Ciccolo may present more of a threat than most FBI sting targets (though he also seems like a guy who should have gotten mental health care years ago). As such, getting guns into his hands was a way for the FBI to get him in custody. We shall see how good the evidence is that Ciccolo, and not the informant, was driving the attack.

But ultimately, what we have here are two examples of alleged aspiring terrorists with prior arrest records tied to intoxicating substances that could be used to arrest them if they got a gun. In Ciccolo’s case, that was used as a way to get him in custody and — the FBI suggests — to prevent a planned attack on a college in another state. In Roof’s case, the FBI did the requisite background check but didn’t track down the actual records in timely fashion. Had the FBI tracked Roof — whose online activities the FBI continues to investigate, but appears to have been active on at least one Neo-Nazi site — as closely as it had been tracking Ciccolo, it might have caught him in a sting too.

But there’s no evidence the FBI tracks white supremacist threats of violence as closely as it tracks ISIS or Al Qaeda related threats of violence.

I’m not saying the FBI should have prevented the Charleston attack; I don’t think it’s possible for FBI to stop everything, nor do I support the kind of dragnets that might try.

But the comparison of what happened to these two alleged aspiring terrorists when they tried to obtain guns is notable.

Dzhokhar’s Phones

According to an exhibit introduced in the Dzhokhar Tsarnaev trial, the government subpoenaed T-Mobile on April 19, 2013  for the subscriber information from the two pre-paid phones used by the brothers during the attack. T-Mobile (unsurprisingly) replied that same day. The government appears to have redacted the fax time stamp to hide what time that occurred. But at that point, they were only getting subscriber information based off the phone numbers from phones they may or may not have had in custody.

Tamerlan had gotten his phone immediately after returning from Russia, but Dzhokhar got his just the day before the attack. Presumably, Tamerlan’s phone would have been used regularly (though we don’t know that — unless I’m mistaken, the government never submitted a summary of his calls). In addition to three calls with his brother during the actual attack and one between the time Sean Collier was killed and the time Tamerlan hijacked the Mercedes (Dzhokhar also communicated with Tamerlan via Skype during this period), Dzhokhar contacted several other people using his phone.

The government claims (dubiously) that it did not identify the brothers until after Tamerlan was fingerprinted at the hospital, which would have happened sometime around 1:06AM on April 19.

In a hearing against Dzhokhar’s buddies from summer 2014, a prosecutor questioning FBI Agent John Walker tried to place this time closer to 6:50AM, though I think this is based on the public release of Dzhokar’s ID, not the identification of Tamerlan’s.

Q. And by 6:50 a.m. Friday morning, April 19th, had the suspected bombers in those photographs been identified?

Walker. By 6:50 a.m. the FBI was certainly aware of the identity of one of those persons, then deceased, and the FBI publicized the name of the second person in the photograph, colloquially referred to as “White Hat” or “Bomber Number Two.” But, yes, we had.

Q. And how was it that the FBI was able to identify the individuals in those photographs?

Walker. We identified the first individual based on a positive comparison of his known fingerprints. A fingerprint from the decedent was transmitted to our facility in West Virginia, the repository for fingerprints, and within moments we had a positive identification on that person.

From Walker’s description, though, it should have taken place “just moments” after they got his fingerprints, so closer to 1:06 AM than 6:50 AM.

I’m interested in this because of Walker’s description of how they obtained and responded to information on Dzhokhar’s previous phone, one of four phones tied to an AT&T Friends and Family account under his name but billed to the buddies’ address.

Walker seems to suggest that they found these phones by Dzhokhar’s name, not by phone number, and only then discovered that Azamat Tazhayakov had been in contact with Dzhokhar (though I don’t see that in the phone records submitted at trial). This means that by 10, they were doing significant call record analysis on the AT&T phones, regardless of what they were doing on the T-Mobile phones.

Q: On the morning of April 19th, had the FBI received any information about telephones subscribed to Tsarnaev?

Walker: We had. We knew that Tsarnaev, Dzhokhar Tsarnaev, subscribed to four telephones with AT&T, and that the address that he provided and the address to which his telephone bills were sent was 69 Carriage Drive, New Bedford, Massachusetts.

One of those phones was significant to us immediately, because the telephone showed enormous and continuing and temporally significant connectivity with the late Tamrelan Tsarnaev, including around the time of the bombings.

Almost as importantly for my work there that day, a second of the telephones again subscribed by Tsarnaev happened to show connectivity with Dzhokhar Tsarnaev a few hours before the bombings that Monday, April 15th. The other two phones showed little, if any, recent connectivity to either of the Tsarnaev brothers.

Q: Was there a belief at the FBI at the time that telephones, mobile phones, were used during the execution of the bombing attack?

Walker: Yes.

Q: So, based on that information, this telephone information that you had received, subscriber information, what did the FBI do next?

Walker: Well, we were naturally all week long very concerned with regard to phones, because, as I have mentioned, we suspected that phones were used in the general commission of the act of terrorism on the Monday. We were also interested in potentially exploiting intelligence from the phones to locate the fugitive Tsarnaev.

[snip]

I received a call from the FBI Command Post in Boston that about 20 minutes earlier — and the time I received it I thought about 10:40 a.m. — but about 20 minutes earlier that the second phone in question that I just mentioned had transmitted a message to Russia, and that message had bounced off a tower located about a mile from the campus at UMass Dartmouth.

So, I believed at the time that there was a stronger possibility that Tsarnaev may have actually eluded capture in Watertown and might be transmitting communications from down in the New Bedford/North Dartmouth area.

Q: Now, talking about this phone, were the last four digits 9049?

Walker: Yes.

Q: And did you subsequently learn that the phone was used by one of the defendants?

Walker: I did.

Q: And which defendant was that?

Walker: Mr. Tazhayahkov. [sic]

Q: And a moment ago you said approximately shortly after 10:00 a.m. that one of the phones had sent a text message or had some activity with Russia?

Walker: Yes.

Q: How far was that tower that it bounced off from the defendants’ apartment?

Walker. From the defendants’ apartment it was — and I know this because I mapped it out after the fact — but it’s approximately 900 meters.

Q: Now, what, if any, belief — sorry. Strike that. During the afternoon of April 19th, 2013, was the FBI able to determine the location of any of Tsarnaev’s phones, Dzhokhar Tsarnaev’s phones?

Walker: Yes.

Q: And can you tell us what was learned that afternoon about where that phone was located?

Walker: We learned that the phone ending or having the suffix 9049 was physically present within, because we could not see it on the outside, but within 69 Carriage Drive in New Bedford. It’s a two-story, four-apartment building amidst a larger complex of similarly constructed buildings.

Q: So, based on that information, the FBI believed that one of Tsarnaev’s phones was located in 69 Carriage Drive; is that what you said?

Walker: Yes.

I’m still trying to make sense of this — I have no conclusions about it. I’m mostly trying to understand whether discovery of these phones followed one from another or not, and what database they used to do the analysis. I think it most likely they used AT&T’s onsite response, which should have had both AT&T and T-Mobile records, probably without a formal subpoena. You would think they would have formally served a subpoena before using the AT&T account to raid the New Bedford apartment, but they certainly didn’t get a warrant.

Update: There’s one more detail I can’t make sense of. Walker said that Dzhokhar logged into UMass Dartmouth’s system at 6:19 AM.

I learned later, but not too much later, we received a report on campus from the campus technology infrastructure that at 6:19 a.m. on the morning of Friday, April 19, that Tsarnaev had logged onto the system on campus. While I was determining whether that logon was remote or was — would suggest that he was physically present on campus, I received a second report from campus authorities that he logged on and was thought to be physically present on campus at 6:21 a.m. that Friday.

He would have been hiding in the Slip Away by this point.

Tamerlan Tsarnaev Moved Inspire onto Dzhokhar’s Computer the Day He Left for Russia

Yesterday, the defense in the Dzhokhar Tsarnaev trial rested; closing arguments will be Monday. Dzhokhar’s defense consisted of just four witnesses, undermining the suggestions by the prosecution that he was just as steeped in jihadist propaganda as Tamerlan (see this post for part of a description).

As part of their efforts to do that, the defense showed, in far more detail, what the brothers had been doing online, and how the complete copies of Inspire magazine had gotten onto all their computers and when. (The defense exhibits are here, though this site is apparently being flagged as itself suspicious, at least by Twitter.) This document, for example, shows that Dzhokhar spent more time on Pornhub than he did on anything explicitly jihadist (though who knows what we was doing on Facebook and VKontakte, his most commonly accessed sites, by a very large margin). Several of the others show that the searches for explosives related materials took place on Tamerlan’s computer (though oddly, he already had some of those materials by that point).

And while I don’t think the defense laid this case out yesterday, it appears that Tamerlan loaded Inspire onto a thumb drive and then onto Dzhokhar’s computer the morning of January 21, 2012, just before he left for Russia.

This document shows that the Sony Vaio, which ultimately became Dzhokhar’s computer, was loaded with Windows in early 2011. Then came the HP that was in a room in Cambridge that fall. And finally came the Samsung loaded with Windows December 21, 2011, not long before Tamerlan would go to Russia. This document shows CompleteInspire being created on the Samsung that day, December 21, 2011. This document appears to show someone inserting a thumb drive into the Samsung at 6:22 AM on January 21, 2012, moving a copy of Inspire onto it, and then moving copies of those onto the Sony.

This CBP record shows his departure that day on Aeroflot flight 316, which at least currently departs at 8:05PM.

It’s not clear what to make of this — though it does make clear that Dzhokhar, at least, would have avoided any upstream searches on Inspire because it got placed on his computer view thumb drive, not download. It also doesn’t prove that Dzhokhar wasn’t reading Inspire by that point — as far as I understand it, the Sony was his computer by that point. But I find the timing — that the first thing Tamerlan did the morning he left for Russia was to make sure all the laptops had a copy of Inspire on them — rather curious.

One more note: something else introduced in the last days also showed a Russian version of Inspire.

Also, from the exhibits, it’s not really clear whether these files were found on the computer or deleted in unallocated space. There was a second copy of CompleteInspire loaded onto the Samsung in August 2012, after Tamerlan returned from Russia. So it’s possible that what we’re seeing is Tamerlan moving Inspire onto his brother’s computer, deleting it on his own for border crossings, and then reloading it on his own after his return.

That said, if he didn’t delete that copy of Inspire the morning he left for Russia, if CBP done a perfectly legal device search on Tamerlan’s computer at JFK that evening, they might have seen that he was flying with a full copy of Inspire on his device (though remember, this computer, unlike the Sony, was encrypted). Which, if it were the case, would make CBP’s failure to do so all the more damning.

Details on the Pressure Cooker Dragnet

Screen Shot 2015-03-25 at 4.14.58 PM

Tamerlan walking out of Target after having purchased the backpacks used in attack.

In this morning’s Tsarnaev trial testimony, FBI’s Christian Fierabend testified to the evidence about purchases leading up to the attack (h/t to CBS’s Jim Armstrong among others for the live-tweeting). As much as possible, he tried to show both GPS coordinates from one of the Tsarnaevs’ cars and some kind of purchase record for the the attack equipment (things like BBs, backpacks, and the remote car detonator).

Some of this was easy because a number of the receipts (such as for the backpacks used to carry the bombs) were sitting in Tamerlan’s wallet, which the government retrieved from Dzhokhar’s Civic at the Watertown scene. Some, such as remote controlled cars, were online purchases involving credit cards.

But in spite of the fact that Tamerlan Tsarnaev purchased some of his supplies using a credit card, according to Fierabend, the pressure cookers, Fagor Elites sold exclusively at Macys, which currently sell for $50 to $60 apiece, were purchased with cash. According to Fieraband, the government obtained records of all the Fagor Elites purchased in the US between August 2012 and April 2013. Of the 74 pressure cookers sold in the Northwest in that period, just 5 pressure cookers were purchased in cash, just 3 in MA.

According to rather remarkable testimony, Macys has no  surveillance video of those purchases.

The government did, however, cross-reference the purchases to the Tsarnaevs through use of a portable GPS that was ultimately apparently retrieved from the Mercedes the brothers hijacked.

In other words, the implication is one of the Tsarnaevs or someone else used cash to purchase pressure cookers, which you would thing would be an attempt to hide the identity of the purchaser, but not only do it while running a portable GPS that tracked back to their Cambridge home, but then bring that portable GPS into the getaway car they hijacked.

That’s all the more crazy given that the last pressure cooker wasn’t purchased until March, and Tamerlan appeared to be prepping to die, given that he sent his mother $900 the day before the attack (unless she had funded the attack specifically). If you’re going to ID yourself with a GPS, then pay with a credit card and get it for free.

All that said, I’m cognizant Tamerlan left his wallet, with receipts, in the Civic, along with some other identifying documents, and also by carrying that GPS at least made himself appear to be the purchaser of the pressure cooker, whether or not he was. Tamerlan wasn’t hiding his identity.

And yet someone paid cash for the pressure cookers.

The one other nifty detail in all this is that if you also bought a Fagor Elite pressure cooker in this period, you’re likely to be in an FBI database until 2043.

Update: One more thing about the pressure cookers. There was part of a lid and a gasket from a pressure cooker at the apartment, which means there must be one more pressure cooker. That one, then, might be unaccounted by the purchase records evidence.

Update: Here are the exhibits from today’s testimony. Unless I’m mistaken, the government only entered purchase records from one of the pressure cooker purchases, the purchase of two from the Boston store on January 31, 2013 (this is the one they tied to the portable GPS device). So there should be two more pressure cookers — the second 6 quart one used in the race attack, and the one from which the lid and the gasket were taken in the Cambridge apartment.

The $450 an Hour Terror Industry Echo Chamber

Screen Shot 2015-03-24 at 10.00.22 AMMatthew Levitt, a prominent figure in the Terror Industry, has been testifying in the Dzhokhar Tsarnaev trial. He’s one of a number of noted figures who gets presented as experts at trials who doesn’t speak Arabic, who hasn’t bothered to learn Arabic over the course of years of this work.

Yesterday, Levitt spent several hours explaining how the explanation Dzhokhar wrote on a boat in Watertown had to have come from Anwar al-Awlaki’s propaganda.

Just before Levitt testified yesterday, he RTed an article describing him as the expert that would testify at Dzhokhar’s trial. As soon as he got done, he RTed several more articles about his own testimony, describing himself as an “expert” “decoding” the boat. And then, for good measure, he RTed a livetweet from his own testimony.

Today, on cross, it became clear the Awlaki propaganda on Dzhokhar’s computer was all Levitt got from prosectors. He didn’t know how long it had been on Dzhokhar’s computer. Nor did he know what else Dzhokhar has read. He also doesn’t know much about Chechnya, except in the context of Jihad. And though Levitt testified yesterday that there always must be a “radicalizer,” he did not know, nor was he asked, to identify the “radicalizer” in Dzhokhar’s life.

Levitt also did not, apparently, recognize some of what Dzhokhar had written as the boat as having come from the Quran.

He did, however, reveal that he gets paid $450 an hour to do this work.

When called on his RTing of his own testimony by the defense, Levitt admitted he “should have been wiser” about having done so.

I wonder, though, if Levitt was worried that the mystique of his expertise might not hold up if he didn’t constantly reinforce it with his own echo chamber?

Correlations and FBI Claims in the Marathon Trial

Kevin Swindon, the FBI Supervisory Special Agent in charge of computer forensics for the Boston Marathon attack just finished testimony. His testimony raised more questions than it answered. That’s true, in part, because the government had him testify rather than some of the Agents who report to him who did the actual analysis on the many devices related to the investigation. So for key questions, he had to answer he didn’t know. He also dodged explaining who cherry picked the files to present to the jury that made Dzhokhar Tsarnaev look singularly focused on jihad when his computer showed he was more interested in pop music and something else — probably sexual? — that young men are often interested in.

On cross, Dzhokhar’s attorney William Fick tried to direct Swindon to describe more about a laptop found at Watertown that apparently belonged to Tamerlan. Swindon admitted the laptop — unlike all the computers Dzhokhar used — used strong encryption and also had a goodly number of Russian language documents on explosives. But over and over Swindon claimed he had only taken a “cursory” look at that computer.

I’m betting the person who did the more than cursory analysis of it would be a far more interesting witness and that’s why we didn’t hear from him or her. Not only will we not get to hear from that witness, apparently, but Judge George O’Toole upheld a prosecution objection to ask further questions about it.

Before that, prosecutor Aloke Chakravarty led Swindon through a very bizarre exercise. He had Swindon show how the same songs that were one one of Dzhokhar’s devices showed up on another. He showed continuity between an iPod, a Samsung phone, and the Sony found at his dorm room. In other words, the government used common songs as a means to correlate these computers, rather than actual forensic evidence that Swindon surely could have presented. I find that really problematic. Sure, the government probably wants to pretend it doesn’t do such correlations forensically, but to suggest that someone’s musical downloads shows common ownership seems really problematic.

All the more so given that for another of the computers (I’m not sure if this is Dzhokhar’s college computer or the HP at Tsarnaev house in Cambridge, but it may not matter as Dzhokhar’s computer dated to when he still lived at home) there was evidence of multiple Skype users, though Swindon claimed to be unaware of that fact. We know the government correlates using such things, and the fact that evidence of others users was deliberately not presented (probably through choice of witness more than through deceit) is really problematic.

The defense also showed that the thumb drive found in the computer that Dzhokhar’s buddies had thrown out had a rental application from his sister-in-law, showing that whether or not he used these devices in common, plenty of other people were using them as well.

In short, the government wanted to use really problematic correlations mapping to prove that Dzhokhar was accessing jihadist material (even though a question about whether one of the computers had ever searched on the term was not permitted), but they can’t even prove who was using any of the computers when, and pointedly avoided using real forensics means to do so.

The Marathon Trial: An Assessment of FBI and NSA’s Online Investigations

There are a number of journalists doing a superb job of live-tweeting the Boston Marathon trial (I’m following @JimArmstrongWBZ, @susanzalkind, and @GlobeCullen, among others).

On top of gruesome details from survivors about the injuries they suffered, FBI witnesses have provided some interesting details on the investigation. For example, we’ve learned that Dzhokhar Tsarnaev and his brother used TMobile phones the day of the attack, though Dzhokhar’s handset had been set up just days earlier.

That the brothers used TMobile is significant because the NSA boasted it had used the phone dragnet to contact chain the brothers after the attack. But anonymous sources claiming the dragnet is not comprehensive have claimed the dragnet doesn’t pull in TMobile records. Given that Basaaly Moalin is the only other person with whom the phone dragnet was deemed a success, and he also had a TMobile phone, the claim that NSA is not getting TMobile calls (which is distinct from whether they’re getting call records from TMobile) is likely bullshit.

Dzhokhar had two Twitter accounts. Both of them — @j_tsar and @Al_firdausiA — link up to his Gmail account. And he also had a Yahoo account.

FBI Agent Steven Kimball, who introduced all this evidence, doesn’t appear to have explained how he connected all these together, which is significant because they likely could have done it via NSA databases before criminally subpoenaing Twitter and Google.

Anyway, those data points are ones we can return to as we get more information. The truly appalling revelation, however, came when Dzhokhar attorney Miriam Conrad cross-examined Kimball after he had introduced a bunch of tweets claiming they were evidence of the defendant’s jihadist intent.

Turns out they were less evidence of jihadist intent than that Dzhokhar consumes the same pop culture many other Americans his age consume (along with a Russian rap artist). Conrad not only showed that the Kimball had no idea what he had been looking at, but hadn’t even clicked through the links Dzhokhar had included to figure out what they meant.

She asked Kimball if he knew the tweet “I Shall Die Young” was from a Russian rap song.

He did not.

Were you aware, she continued, that Dzhokhar Tsarnaev posted a link to that song?

“No.”

The day before, the prosecution had gone to great lengths to point out one of Tsarnaev’s tweets that said, “September 10th baby, you know what tomorrow is. Party at my house!” It suggested someone tasteless if not cruel, someone who celebrated 9/11.

But Conrad asked Kimball if he knew that the line was from a sketch on a Comedy Central show? He didn’t.

While Conrad didn’t say, it was from a segment called “Things You Don’t Yell When Entering a Room” from the Tosh.O show, which is popular with college kids who like to sit around their dorm rooms getting high. Which is precisely the picture that the defense wants the jury to imagine. Not some jihadi wannabe kneeling on a prayer mat in front of a poster of Osama bin Laden, but some stoner down at UMass Dartmouth, watching Tosh with his buds and a bowl.

In fact, so the jury would get that picture, Conrad asked FBI Special Agent Steve Kimball if he knew what the word “cooked” meant in one of Tsarnaev’s tweets.

“I assume, like, crazy?” Kimball guessed.

He guessed wrong. It means the same as baked. High. Stoned.

About the only Twitter phrase Kimball correctly IDed was LOL.

Conrad also showed that Kimball misidentified the account photo on Dzhokhar’s twitter accounts as coming from Mecca, when it in fact came from Grozny.

“You said the picture [that forms the background of the second account] was a picture of Mecca,” said Conrad, towards the end of a lengthy and tense cross-examination.

“Yes, to the best of my knowledge,” answered Kimball.

“Did you bother to look at a picture of Mecca?” Conrad shot back.

“No.”

“Would it surprise you to learn that it is a picture of Grozny?”

The picture on the account is not of Mecca – the FBI had misidentified it. It is in fact a picture of the Akhmad Kadyrov Mosque in Grozny.

Let me be clear: While it was funny to see Conrad carve up the prosecution’s witness, that’s not, by itself, going to save Dzhokhar’s life (nor should it, if that’s what the jury decides is appropriate punishment).

But this does betray a real methodological problem with the FBI’s approach to interpreting Twitter content that goes well beyond this trial. If the FBI believes it doesn’t even have to click a link to understand a Tweet — a pretty egregious Twitter faux pas even for people just conversing — it suggests a lot of their profiling may be based off baseless overdetermined interpretations.