John Durham’s Irregular Now-Sealed Timeline

As I noted here, John Durham claimed to attempt to file a bunch of confidential Fusion emails under seal.

Whether intentionally or not, he failed, at first, but has now closed the barn doors after voluntarily publishing damning evidence (much of it true!) against the purported victims he claims to be avenging.

By publishing these emails on the docket, Durham has revealed that his exhibit has irregularities in the emails pertaining to a key issue: whether Fusion sent out a link to April Lorenzen’s i2p site before Mark Hosenball sent it to them.

This shows up in the timestamps. In the exhibit, the lead email for each appearance appears to be set to UTC, whereas the sent emails included in any thread appear to be set to ET.

For example, in this screencap, the time shown for Mark Hosenball’s response to Peter Fritsch (the pink rectangle) is 1:35 PM, which is presumably Eastern Time.

In this screencap, the very same response appears to be sent at 5:36PM, which is presumably UTC.

Both instances of Peter Fritsch’s email (the green rectangle), “that memo is OTR–tho all open source,” show at 1:33PM, again, Eastern Time.

To be clear: this irregularity likely stems from Fusion’s email system, not DOJ’s. It appears that the email being provided itself is rendered in UTC, while all the underlying emails are rendered in the actual received time.

But given that these emails are being submitted to Judge Cooper in regards to a privilege claim, the fact that DOJ has made no effort to fix — or at least call attention to — the anomaly, it makes the exhibit affirmatively misleading with regards to perhaps the most important detail in the exhibit.

As I note in the timeline below, this obscures the order in which Fusion received and passed on a link to the mediafire package introducing Tea Leaves’ DNS allegation package — precisely the issue (and, it is now clear, the specific communication) about which Alfa Bank had confusion in their lawsuit. I explained the import of these communications here.

Given the selection of emails included here (not even all from this time period  are included as primary emails, which is what makes the anomaly misleading, and one involving Mark Hosenball — in the italicized email, he references having sent a summary to Fritsch —  appears to be entirely missing), Fusion’s public explanation — that they received this link and then passed it on — cannot be proven or disproven. But it is clear that after Fritsch got the mediafire link, he sent it to Lichtblau, which I’ve bolded below. And by context, it appears that Laura Seago had already figured out that the mediafire package was first posted on Reddit.

(I’ll have to check but given what Perloth told me, this may not actually be how NYT first got this data.)

Update, May 19: I’ve added emails from trial.

October 5 emails:

1:31PM: [not included] Fritsch to Hosenball email with Alfa Group overview

1:32PM: Fritsch sends Isikoff the September 1, 2016 Alfa Group overview (full report included in unsealed exhibit)

1:33PM [not included] Fritsch to Hosenball, “that memo is OTR — tho all open source”

1:35/1:36PM: Hosenball replies, “yep got it, but is that from you all or from the outside computer experts?”

1:37PM: Fritsch responds,

the DNS stuff? not us at all

outside computer experts

we did put up an alfa memo unrelated to all this

1:38PM: [not included] Hosenball to Fritsch:

is the alfa attachment you just sent me experts or yours ? also is there additional data posted by the experts ? all I have found is the summary I sent you and a chart… [my emphasis]

1:41PM: [not included] Fritsch to Hosenball:

alfa was something we did unrelated to this. i sent you what we have BUT it gives you a tutanota address to leave questions.  1. Leave questions at: [email protected]

1:41PM: [not included] Hosenball to Fritsch:

yes I have emailed tuta and they have responded but haven’t sent me any new links yet. but I am pressing. but have you downloaded more data from them ?

1:43PM: [not included] Fritsch to Hosenball, “no”

1:44PM: Fritsch to Lichtblau:

fyi found this published on web … and downloaded it. super interesting in context of our discussions

[mediafire link] [my emphasis]

2:23PM: [not included] Lichtblau to Fritsch, “thanks. where did this come from?”

2:27PM: [not included] Hosenball to Fritsch:

tuta sent me this guidance


Since I am technically hopeless I have asked our techie person to try to get into this. But here is the raw info in case you get there first. Chrs mh

2:32PM: Fritsch to Lichtblau:

no idea. our tech maven says it was first posted via reddit. i see it has a tutanota contact — so someone anonymous and encrypted. so it’s either someone real who has real info or one of donald’s 400 pounders. the de vos stuff looks rank to me … weird

3:27PM: [not included] Fritsch to Hosenball cc Simpson: “All same stuff”

3:58PM: [not included] Hosenball to Fritsch, asking, “so the trumpies just sent me the explanation below; how do I get behind it?”

4:28PM: [not included] Fritsch to Hosenball, “not easily, alas”

4:32PM: Fritsch to Hosenball, cc Simpson:

Though first step is to send that explanation to the source who posted this stuff. I understand the trump explanations can be refuted.

5:23PM (could be 1:23?): Seago to Fritsch, Is this safe?

6:33PM (likely 2:33PM): Fwd Alfa

6:57PM (like 2:57PM): Re Alfa

7:02PM (likely 3:02): Seago to Fritsch re Alfa

46 replies
  1. Thomas says:

    Impossible timelines seem to be a feature of rightwing conspiracy theories.
    Peter Schweizer’s timeline in “Clinton Cash” for the “Uranium One” hoax is only possible if Hillary Clinton is a time travelor.
    Schweizer has similar time anomalies in “Secret Empires” when he tries to make the false claim that Joe Biden had Viktor Shokin fired to “cover up” for Hunter at Burisma.
    I think we may be on the cusp of a time in which authoritarians cannot play this game any longer, but a lot relies on having a population in which more than half of them can do simple arithmetic.

    • gmoke says:

      Hasn’t Florida declared “simple arithmetic” pedophiliac grooming and/or critical race theory? Not to mention they use of Arabic (!) numerals which indoctrinate our children into Sharia law.

      • Tarkeel says:

        The move seems to be more about which books are not banned. From twitter:

        Old Man Lefty
        The only publisher approved by Ron DeSantis for K-5 mathematics is Accelerate Learning..

        The Carlyle Group, acquired Accelerate Learning in, 2018.

        During that time, VA Gov. Glenn Youngkin was the CEO of the firm, and had been for 25 years.

        Need more be said…
        6:30 AM · Apr 20, 2022·Twitter Web App

      • Thomas says:

        Thank you for that!
        It’s important to remember that the culture war attacks are not legitimate issues at all. Like other fabricated moral panics, they are slanders and false propaganda for the purpose of attacking free, universal public education.

    • RMS says:

      After Mrs. Clinton supernaturally sat through 11 hours of Benghazi nonsense without cracking (or, really, even blinking), why would you think she might not in fact be a time traveler? That possibility is certainly more likely for example, than, e.g., TFG ever actually telling the truth.

  2. WilliamOckham says:

    Ok, here’s how to unravel this. Start with the fact that all these documents were produced by FusionGPS. That means the top timestamp in any email thread will be in the time zone of Fusion’s server. However, you have to look very closely to determine which server timestamped subsequent emails in the thread. Fusion’s email server is pretty clearly using UTC. During October 2016, Eastern time was UTC -4 hours. Here’s a reconstruction of Fritsch’s emails with Hosenball on October 5. 2018:
    [Timestamps in bold are Hosenball’s (Thomson Reuters). Timestamps in italic are Fusion GPS]
    5:31pm / 1:31pm Email to Hosenball (pdf p. 52) (attachment)
    5:33pm / 1:33pm Follow up to Hosenball (p. 37) (OTR – open source)
    5:36pm* / 1:35pm* Hosenball reply (p. 52, fusiongps , p. 53 thomsonreuters) (got it)
    5:37pm / 1:37pm Fritsch reply (p. 53 fusiongps p. 56 thomsonreuters (the DNS stuff)

    (etc., you get the idea)
    *the one minute time difference is not uncommon

  3. Riktol says:

    (IANAJ) Does OTR normally stand for _on_ the record or _off_ the record?

    Other than appearing incompetent to the judge (and your boss), is there any penalty for filing something in public when it should be under seal?

    I assume the docket will get amended and replaced with properly redacted versions, but you’ve linked to copies on courtlistener. Will the courtlistener version remain or will they get removed?

    Does anyone have an obligation to notify the people who have been doxxed?

    • BobCon says:

      OTR is commonly understood to mean OFF the record.

      Journalists shouldn’t let sources declare something off the record after the fact, although they do it all the time. It’s possible that in a situation like this there is a broader agreement that a source can share a raft of information first and then go back and establish the attribution. But in general, letting sources dictate OTR retroactively is bad practice.

      This talks about the issue:

      What’s oh so special is the quote by Haberman, because there is zero doubt that she gives sources the right to retroactively declare things off the record all the time, and I strongly bet she goes to bat for her sources if her people want to retroactively declare something OTR to keep it out of the paper when a colleague wants to print something.

      Who can doubt she gets panicked calls from people realizing they never confirmed OTR status with another reporter and then promises them she’ll fix it with a call to a colleague or an editor.

      What she’s doing there is acting as an enforcer against someone she doesn’t like.

      • Riktol says:

        Thanks. That article seems to involve several people behaving badly.

        Do you know whether, in general, journalists and sources establish a OTR relationship covering everything they discuss (for efficiency’s sake), or would they do so on a more selective basis, like per topic? Or is it generally line by line, statement by statement?

          • BobCon says:

            To expand on that, it can be OK to declare an entire conversation OTR, but it gets grossly overused. The vast majority of the time it’s just used to deliver bad faith spin which is useless to everyone, press and public, and to obscure how relevant the source is.

            Reporters tend to wildly overreport how often it’s used to obtain valid information — your typical NY Times political reporter, with a few exceptions, is more than happy to play all kinds of games to the detriment of their readers and even the reputation of the paper.

        • Peterr says:

          Tim Russert was gracious enough to testify to his embrace of the “efficiency” approach under oath in federal court, back in the Scooter Libby trial.

  4. Savage Librarian says:

    In the case I filed (and ultimately settled) there was a strange anomaly involving the time stamp of when I sent a key email. Days after I sent the email, I was suspended. Then later, demoted. During a civil service hearing (to exhaust my administrative remedies), the City used this anomaly to discredit me and the email. I don’t recall if the email ever made it into evidence in the federal courtroom.

    But representatives of the City called a witness (who was by no means an expert, by any stretch of the imagination) during the civil service hearing to “explain” how such a discrepancy could occur. He said he was not sure, but he said that when he reset his internal clock to keep some free applications from expiring, he thought something like that might occur. I’m not saying this is any kind of legitimate explanation. But it does show a certain mindset.

  5. greenbird says:

    um … okay: it showed up on the public docket, where i downloaded the pdf.
    but now, it’s being sealed.
    yet, is it the SAME as what i downloaded ?
    and how should the docket present it ?
    [he does this on purpose, right ?]

    and now we have Doc 101, a response in op to Doc 64 from Tech Exec-1.
    i need a nap.

  6. WilliamOckham says:

    Ok, I realized exactly what’s going on with the timestamps. [This may be of no interest to anyone but me.] The emails were produced from Fusion’s server where all timestamps are stored as UTC. They are displayed to the end user in their current time zone. That explains something that was puzzling me, which is that the Fusion embedded timestamps (a la “On Monday, October 31, 2016, 7:30 AM,”) are in EDT.

    So, as usual, Marcy Wheeler was exactly right.

    • emptywheel says:

      It is of interest to me!

      But tell me what it means? And what’s with the minute differential?

      • Leoghann says:

        This was explained to me: Because the “international clock” that all online machines follow isn’t actually just one clock, but several iterations of it that are available locally. In addition, servers may differ from one another by a few seconds. It’s possible that one server could say it’s 10:45:49, and another, 10:46:03. Since time stamps only show hours a.d minutes, they appear to be a second off from one another.

          • Leoghann says:

            Either that or they’re in two different parallel universes.

            By the way, SL, I need to thank you for introducing me to Quordle. I really enjoy it.

          • Rayne says:

            It’s not just iterations of clocks across a network but distance between each node on the network. Data may travel at the speed of light (over fiber optic cable) but every node or device through which data must travel as well as changes from fiberoptic to copper if used in the network will add to the amount of time between Originator and Recipient.

            The lag in time is called latency. This is a decent explainer of latency bordering on technical; of particular importance is the definitions of propagation, transmission, processing, and queuing delay.

      • CJ says:

        The typical reason you’d have slight differences in timestamps between senders’ copies and recipients’ copies of the same message is because email isn’t instantaneous: it’s generally getting relayed between at least four different computers (sender’s computer, sender’s ISP/organization’s server, recipient’s ISP/organization’s server, recipient’s computer). There are very often additional hops — e.g. a large organization might well have separate servers for inbound SMTP, spam & virus filtering, and POP/IMAP. The sender sees the timestamp of when it left their client, while the recipient may see the timestamp of when it was sent, or when it was received by the last server in the chain, depending on what their client does: a minute’s difference is thoroughly unremarkable.

        While it is true that computers’ clocks can drift somewhat from consensus time, pretty much everything that’s connected to the internet these days and displays time has an NTP client on it that keeps it within a few seconds of sync, if not better.

        (For context, I’ve been running my own mail servers and occasionally getting paid to run them for others since before the turn of the century.)

      • RJames says:

        If we had access to the metadata of the email, we could trace the route it took and the UTC time stamps for each jump. I would hope that in a court setting this would be SOP.

        • Glen Dudek says:

          RJames is exactly right, and also note that the metadata he refers to is in the header lines of the email (as is the Subject: and To: and From: information), and are not stored separately on the computer/server. Additional header lines are appended to the header as it passes through each server. Most of these header lines are usually not shown to the end user by their email reader, but they are all in the original email message as received by the recipient.

  7. Peterr says:

    Given Marcy’s move from Michigan to Ireland, and her continued attention to US politics and governing, it is no surprise to me that Marcy has a firm grasp of time zones.

    Unlike a certain former president . . .

    Perhaps Durham shares Trump’s penchant for disregarding the existence of inconvenient time zones.

      • Leoghann says:

        Word is that, since Tesla stock has taken such a bath the last few days, he may no longer have the cash equity he pledged. And if that’s the case, the deal would be off. His bullshit games with the SEC can’t be helping his situation any.

        • bmaz says:

          If enterprising big journalists cared to look, there is a lot going on. First off, Tesla never ran a profit until the last year and a half or so, and a lot of that came through government “emission credits” and, believe it or not, Bitcoin investment (Lol, that won’t last). But, additionally, there was fancy accounting. They sold cars before they were made. Tesla stock is WAY overinflated. Twitter is a fantastic aggregation tool, kind of priceless in a way. But Twitter is no net profit monster either, and never really has been. Add them up, and you can start to see the issue on this.

          • Rayne says:

            The scuttlebutt inside the automation (not just automotive) industry is that Tesla has been extremely disorganized, reinventing the wheel rather than trying to utilize technology already developed by the automotive industry over the course of decades. Lots of new sunk costs rather than avoiding them, which may explain why there have been more quality problems over the last two years rather than less.

            IOW, Tesla could have been profitable earlier but the corporate culture is and has been that of the lone cowboy. (Need to find a South African equivalent of that stereotype.)

            • Artemis says:

              Looks like he plans to run Twitter in a similar way. Ignore all prior knowledge about content moderation and try to build it from the ground up. Studying prior knowledge instead of starting from scratch is definitely more efficient bc you can still improve on the status quo and come up with new ideas without having to go through the same trials and tribulations that others learned from a long time ago.

              • Rayne says:

                Except it would be cheaper to start from the ground up and hire people who already know how to launch/operate/secure a social media platform and avoid dealing with the baggage Twitter brings along with its sunk costs. He wouldn’t have to study anything, he’d have to allow that others know more than he does and give them adequate resources to do it.

                Just as with Tesla he could have avoided the Big 3’s mistakes by hiring not from them but the people who make their capital equipment and the process applications which run their production at scale to quality on time. But like the malignant narcissist-in-chief, Musk believes he alone can fix the problem with social media. What a pity he’s lousy at social with little understanding of media.

        • P J Evans says:

          His remarks about Twitter’s management – on Twitter – can’t be helping either. (There *is* a non-disparagement clause in the deal.) He may be trying to back out, now that he’s learning what it involves.

    • Eureka says:

      To the general issue, MMFA’s Gertz had this the other day which doesn’t seem to be getting much discussion (when it should be sustained) amidst Musk’s poo-flinging:

      Matthew Gertz: “Before Elon Musk and Twitter got to a deal, House Republicans threatened the company’s board with political retribution if they didn’t sell. Outright gangsterism. [media matters link]”
      3:22 PM · Apr 25, 2022

  8. greenbird says:

    our buddy charlie live-tweeted for us:
    DeFilippis sought clarity that Judge Cooper will let discussion of CIA/Yotaphone meeting in, but set parameters on it.
    Judge affirmed.

    So judge will issue a written ruling sorting through some of these;
    others may be decided at the trial depending on how things go.

    (tell me again why i got up at this time of night …)

Comments are closed.