March 18, 2021 / by emptywheel


How to Arrest Someone (Almost) Entirely Off Social Media

Brandon and Stephanie Miller are, like Jeremy Groseclose, really minor players who entered the Capitol on January 6 while there was an insurrection going on around them. The one amusing tidbit in the arrest affidavit for the married couple is a quote from Brandon, stating on Facebook the day after the riot that he hadn’t yet gotten into trouble, two months before he would get into trouble.

“Went in the capital [sic] building.” This user asked Brandon Miller, “You didn’t get into any trouble,” to which he responded, “No not yet anyway lol I’m home now I’m banded on Facebook for me going live while I was there we just walked down the main hallway we did see the blood trail from the girl that got shot and killed then I just seen a post saying 3 people died not sure on that one tho.”

What’s interesting about the affidavit is that it shows how the FBI arrested the two largely off their social media use.

A Facebook geofence

The investigation started when the FBI obtained Brandon’s Facebook ID in response to a request for everyone who had live-streamed or posted video from inside the Capitol — a kind of Facebook geofence that, as I described in this post, was likely used. So at the very start, they didn’t know who Brandon was, but they knew he had trespassed and created his own record of doing so.

The Federal Bureau of Investigations sought information from Facebook as part of the federal investigation that began in the aftermath of the January 6, 2021 events at the U.S. Capitol Building. Specifically, the FBI requested that Facebook identify any “Facebook Live” videos which may have been streamed and/or uploaded to Facebook from physically within the building of the U.S. Capitol during the time on January 6, 2021 that the mob had stormed and occupied the Capitol Building.

Facebook responded by providing the Object IDs for multiple videos linked to specific Facebook accounts/user IDs. Among the accounts provided by Facebook was Facebook account number 100011360648175.

The FBI presumably obtained the Facebook ID for everyone who posted from inside the Capitol that day. I suspect they immediately got preservation orders for everyone whose account came up, which wasn’t a problem here (the Millers did not attempt to delete any of this), but likely explains why others were unsuccessful in their efforts to delete damning evidence on Facebook.

Warrant on Facebook

Remember, virtually every outsider who was in the Capitol that day was trespassing. That made it easy for the FBI to say that anyone who had, like Brandon, uploaded video from inside the Capitol had probably been committing a crime (to say nothing of the fact that such videos might provide evidence of other people committing a crime), because by being there to livestream the content, they were trespassing. The FBI got a warrant return from Facebook by January 14 (meaning that seeking those warrants, and the turnaround on them, came almost immediately after the riot). That gave the FBI Brandon’s credit card information, his address, his phone number, and Stephanie’s name and status as Brandon’s spouse.

On or about January 14, 2021, Facebook provided a response to a search warrant for Brandon Miller’s Facebook. Subscriber information provided by Facebook included credit cards associated with the account. The credit card had a zip code of 45308, which resolves to Bradford, OH. Brandon Miller’s Facebook account listed him as living in Bradford, Ohio. The registered phone number to the account is was (***) ***-6025.


His Facebook profile as indicated that Brandon Miller was married to Facebook user Stephanie Miller.

The FBI used this information to obtain their driver’s license records, one of the few things that didn’t come directly from social media.

Public commentary on January 6 on Facebook

Both Brandon and Stephanie had their Facebook content accessible to the public (but the FBI would have obtained Brandon’s with their warrant anyway). In addition to the comment, above, where Brandon said he was not yet in trouble, they posted a bunch of other things confirming that they had entered the Capitol. Among other things, though, they posted content that showed they did not have the intent to prevent the vote count (thereby saving themselves the felony charge others have gotten off their pre-January 6 postings).

On or about January 5, 2021, Brandon Miller, in direct messages with another Facebook user wrote, “Heading to DC for tomorrow the 6th the really not sure if you have seen anything about it but me and Stephanie are going to witness history.”

On or about January 6, 2021, Brandon Miller’s Facebook timeline showed he was with Stephanie Miller at a hotel in Washington, D.C. with the accompanying message: “Cant’ wait to witness history”

They were in DC to witness history, not to upend it.

One live witness from Facebook — probably IDed on Facebook

FBI then did the one thing that isn’t obviously from Facebook, but probably is: interview one of the Millers’ family members, twice.

On or about January 26, 2021, a witness, (hereinafter referred to as “W-1”), was interviewed by the FBI. W-1 informed the FBI that he was a family member of Brandon and Stephanie Miller’s. W-1 had heard from another family member that Brandon and Stephanie Miller were at the Capitol and went inside. W-1 observed a Facebook Live video on Brandon Miller’s Facebook account that showed himself and Stephanie Miller inside the Capitol. W-1 provided both Brandon and Stephanie Miller’s phone number as (***) ***-6025. W-1 also provided an address for the Millers in Bradford, Ohio, which matched the Miller’s address in their respective BMV records.

In a subsequent interview, W-1 was shown the photograph above from Brandon Miller’s Facebook. W-1 identified the man in the foreground of the photo as “Brandon Miller” and the woman behind him as “Stephanie Miller” by writing their names next to their respective images. W-1 also viewed the below photograph taken inside the Capitol. W-1 identified the woman in the foreground of the photo as “Stephanie Miller” by writing her name next to her image.

This person honestly told the FBI that they knew the couple had been to the Capitol, had seen Brandon’s Live video, and corroborated all the other data the FBI had already collected off Facebook. The same witness subsequently confirmed the IDs of the pictures that would have been identifiable from Facebook anyway.

The FBI could have IDed this person via many means (such as public records). But Facebook would probably be the easiest and most likely way they did so. Moreover, by doing so using Facebook, the FBI would have known precisely what answers a particular witness could give, such as their awareness that the couple had been inside the Capitol. Effectively, when they did those interviews, they knew every single answer they’d get, and they knew the witness knew the answers.

FBI could ID family members from tags, pictures, and Facebook content, and then get those family members to corroborate everything made clear in Facebook anyway.

A Google Geofence tour around the Capitol

Then the FBI took two steps to obtain a Google Geofence showing Stephanie (likely with Brandon at her side) wandering around the Capitol. First, by February 4, they got Brandon and Stephanie’s Google identities, using their phone number and/or Google IDs that would have been returned by Facebook. This would have been a subpoena. Then they used that information to get a warrant for the Geofence showing where Stephanie went in the Capitol, likely with Brandon walking by her side.

Obtain cell site location within the Capitol

The FBI agent who did this work must be really anal (or maybe he’s just showing the work that every agent is doing), because after having obtained location data from Google and Facebook placing the couple inside the Capitol, he obtained cell site location data placing them … in the Capitol.

According to records obtained through a search warrant which was served on AT&T on January 6, 2021, in and around the time of the incident at the U.S. Capitol Building, the cellphones associated with phone numbers (***) ***-5898 and (***) ***-6025 were identified as having utilized a cell site consistent with providing service to a geographic area that included the interior of the U.S. Capitol Building.

The agent got this information two days after the subscriber information from Google, February 6, one month after the riot.

At this point, the agent had three pieces of evidence — the Facebook “geofence,” the Google geofence, and the AT&T location data — placing them inside the Capitol.

Match all that location data to security footage

Then, on February 11, the agent got security footage corresponding with all that location data. Sure enough, they were walking together through the Capitol, gaping at history, just like they said they were going to.

This is what you can do with the power of social media with two people who were doing nothing to hide their actions. Lucky for them, everything they said corroborated their claim they were just there to see history. The FBI has obligingly given them more souvenir pictures for their trouble … and two misdemeanor charges. Along with a very good lesson about how intrusive social media can be.

Remember: this entire process was predicated off the reasonable suspicion that someone live-streaming from the Capitol on January 6 was trespassing. The very act of live-streaming was, in virtually all cases, either evidence from victims or evidence of a misdemeanor. That’s what makes this reasonable rather than a privacy nightmare.

But it’s also a ready lesson about what kind of privacy nightmare it could be, if the FBI were to come up with some other, less obvious basis for probable cause.

Update: After I wrote this I realized I wasn’t as clear about something as I’d like. This data is not — as might be imagined from reading how it served to capture this couple in misdemeanor trespassing charges — worthless data for the larger project of figuring out what plans to overthrow democracy people had coming in. Not only was this social media approach really useful in collecting on the Oath Keepers, who have been charged in a conspiracy to prevent the vote certification, but many of these techniques were first obvious, though not explicitly explained, in the first William Chrestman cell affidavit. This same granular data helped the FBI identify precisely where Proud Boy Chrestman was at any given time he was in the Capitol, who was with him, and what measures they were taking that put members of Congress at significant risk. With the Millers this might seem like overkill. But with a bunch of militia groups that FBI should have had investigations on but didn’t, this data is proving key to being able to reconstruct what happened.

Copyright © 2021 emptywheel. All rights reserved.