Garrett Ziegler’s Landscaping Problem

According to emails posted at BidenLaptopEmails dot com made available by Garrett Ziegler, sometime around May 31, 2017, someone set a Google alert for weekly landscaping work, which usually took place in the mornings. Many weeks, Hunter Biden would receive a Google alert on Wednesday, reminding him landscapers would show up the next day. Then the next day, his iCloud email would email his RosemontSeneca email (hosted by Google) with a reminder.

In the depths of his addiction — again, per emails made available by Garrett Ziegler — the only emails that Hunter Biden “sent,” the only sign of life on his email accounts, were those reminders. For weeks on end, the only communication “from” Hunter is that eerie repetitive notice: “Alert – FYI landscapers at CBR (usually in AM).” It’s like that Google alert is a phantom, always there in Hunter’s email box.

I’m not sure the technical explanation for it — though I expect that experts would be able to use the nature of those weekly alerts to determine what inboxes were really used to load up the laptop that found its way to John Paul Mac Isaac and from there, on a hard drive, to Rudy Giuliani and then, another hard drive, to Garrett Ziegler. The technical explanation may also explain why the FBI relied on the laptop for Google alert information rather than the information the FBI received from Google itself, as I laid out here.

“Alert – FYI landscapers at CBR (usually in AM).” There must be over 150 versions of either the Google alert or the email from Hunter’s iCloud email to Hunter’s RosemontSeneca email in the collection made available by Garrett Ziegler.

In fact, those emails, “Alert – FYI landscapers at CBR (usually in AM),” may doom Ziegler’s effort to defeat Hunter Biden’s hacking lawsuit against him.

Ziegler filed his response, along with a sworn but not notarized declaration from Ziegler himself, yesterday.

As to the claim that he hacked Hunter Biden’s phone — which I’ve noted is a key vulnerability for Ziegler — Ziegler admits he used a password to access the backup from a phone Hunter allegedly owned in 2019.

19. Paragraph 29 falsely casts my comments to imply that I and Defendant Marco Polo “hacked” into Plaintiff’s iPhone backup file.

20. In the case of the iPhone backup file referred to in paragraph 29, I received a copy of an iPhone backup file which existed as part of the copied files.

21. Also contained on the external hard drive given to me were files containing passcodes, which are essentially similar in function to passwords designed to allow access to password-protected files. Although it took months of examination, we were able to locate the passcode which allowed access to the iPhone backup file. Those files existed on the external hard drive when it was first given to me.

But he argues that because the disk drive he received from an associate of Rudy Giuliani had the password for the phone on it, and because Hunter never owned the hard drive on which Ziegler received both sets of data, he did not “hack” anything.

Plaintiff selectively cites to Defendant Ziegler’s December 2022 remarks about decrypting a specific file which stored the passcode to the iPhone backup file, both of which were on Defendants’ copy of the Laptop. (Compl. at ¶ 29). The Complaint falsely suggests Defendants “hacked” into Plaintiff’s iPhone backup. (Ziegler Decl. at ¶ 19). Defendants received a copy of Plaintiff’s iPhone backup file which existed as part of the files. (Id. at ¶ 20). When Defendants received the external hard drive, it contained passcodes, which allowed access to the iPhone backup file. (Id. at ¶ 21).


Moreover, Plaintiff does not allege unlawful access to a computer within the meaning of the CFAA. A computer user “without authorization” is one who accesses a computer the user has no permission to access whatsoever—an “outside hacker[ ].” Van Buren v. United States, 141 S. Ct. 1648, 1658, (2021). Here, Plaintiff admitted that Defendants accessed and used a hard drive that Plaintiff never possessed. Specifically, Plaintiff alleges that Defendants accessed a hard drive provided by a third party which contains a copy (duplicates) of files. (Compl. at ¶ 18). Plaintiff does not allege that Defendants possessed or accessed Biden’s computer or original files.

Plaintiff alludes to his actual iPhone and iCloud account when he alleges that “at least some of the data that Defendants have accessed, tampered with, manipulated, damaged and copied without Plaintiff’s authorization or consent originally was stored on Plaintiff’s iPhone and backed-up to Plaintiff’s iCloud storage.” (Id. at ¶ 28). However, Plaintiff alleges no facts which demonstrate Defendants ever accessed any computer, storage, or service which Plaintiff either owns or has exclusive control over. Likewise, the Complaint also shows facts which conclusively prove that Defendants had no need to access any service or storage because the laptop copy in their possession admittedly contained all of the necessary information, including the passcode to view all of the files contained on the Biden Laptop regardless of encryption. (Id. at ¶ 18). Put simply, both the encrypted iPhone backup file and the passcode to open the iPhone backup file were on the Laptop copy.

Given that Hunter’s lawsuit also names a bunch of John Does, blaming his access to this backup on Rudy’s unnamed associate and Rudy and John Paul Mac Isaac may not help Ziegler.

In any case, Ziegler may hope he doesn’t have to rely on this argument. His response actually spends more time arguing that venue in California is improper than it does arguing that using a password to access an encrypted backup is legal. The “work” Ziegler did to make ten years of Hunter Biden’s emails available took place in Illinois. He has no employees or board members in California. Fewer than 10% of Marco Polo’s supporters live in California (Ziegler doesn’t say what percentage of his donations they provide, however).

His venue argument and his hacking argument ignore a part of Hunter’s lawsuit, though, which alleges that Ziegler “directed illegal conduct to occur in California.”

Plaintiff is informed and believes that Defendant Ziegler intentionally directed illegal conduct to occur in California and has therefore subjected himself to jurisdiction in California.

Similarly, his response mentions only once Hunter’s allegation that, in addition to accessing that iPhone, he also accessed data in the cloud.

Plaintiff accuses Defendants of “knowingly accessing and without permission taking and using data from” Plaintiff’s devices or “cloud” storage (Compl. at ¶¶ 40, 41), computer service (id. at ¶ 42), or protected computer (id. at ¶ 35) but fails to identify a single device Defendants accessed without authorization

That allegation is a key part of alleging that Ziegler broke the law in California.

40. Defendants have violated California Penal Code § 502(c)(1) by knowingly accessing and without permission taking and using data from Plaintiff’s devices or “cloud” storage, including but not limited to, Plaintiff’s encrypted iPhone backup to devise or execute a scheme to defraud or deceive, or to wrongfully obtain money, property, or data.

41. Defendants also have violated California Penal Code § 502(c)(2) by knowingly and without permission accessing, taking, copying, and making use of programs, data, and files from Plaintiff’s devices or “cloud” storage, including but not limited to, Plaintiff’s encrypted iPhone backup.

Ziegler denies accessing any computer in the possession of Hunter Biden. That falls short of denying that he hacked data owned by Hunter Biden.

22. Neither I nor any person associated with Marco Polo have accessed, or attempted to access, any computer, device, or system owned or controlled by Plaintiff. We are not hackers, we are simply publishers, and the Plaintiff is attempting to chill our First Amendment rights and harass us through a frivolous and vexatious lawsuit.

I think Ziegler has a problem with his description of where the iPhone backup came from in the first place: he says that the “laptop” was in Hunter Biden’s possession when the iPhone backup was saved to it on February 6, 2019.

The metadata concerning the duplicated iPhone backup file on our external hard drive indicates that the last backup made of the iPhone file to the plaintiff’s laptop, which he left at the repair shop of John Paul Mac Isaac on April 12, 2019, occurred on February 6, 2019, while still in the plaintiff’s possession based upon all the facts known to me to be provably true beyond dispute.

Hunter may be able to prove that Ziegler, of all people, doesn’t believe that to be true, doesn’t believe that when that iPhone was backed up on February 6 — a day when someone presenting as Hunter was involved in a car accident in DC — Hunter was in possession of that laptop.

But the bigger problem that Ziegler has is that phantom landscaping reminder.

According to emails that Garrett Ziegler has made publicly available, an October 14, 2021 notice triggered by a Google alert was received on November 24, 2021, long past the time, per Ziegler’s declaration, he was in possession of this hard drive.

Again, I’m not sure how that happened technically. But if it involved either Apple servers or Google servers (or both, given that the notice was dated October 24, 2021), that would get you venue in California.

Hunter Biden may not have been in possession of Apple’s and Google’s servers in 2021, but accessing them using passwords stored on the hard drive — at least one password that Ziegler admits to using — would also constitute hacking.

Update, to answer a question below: The text of the email shows that the notice was October 14, but the email was received on November 24, 2021.

96 replies
    • earlofhuntingdon says:

      That distinction might have held during Alito’s beloved 17th and 18th centuries. Today it’s irrelevant. Opening an unlocked door or window is sufficient to commit burglary, if you follow it by entering with intent to commit a crime.

      Use of a password without permission to access a h/d without permission would be hacking. It’s still hacking if the personal data you’re accessing was previously copied onto a h/d, which the owner of that data had never owned. The arguments seem pretty desperate.

      • emptywheel says:

        I don’t think he knows all those circumstances–but Orin Kerr found the question more interesting than that. I guess I should ping him on this.

        • emptywheel says:

          There’s IP addresses for when some things were done. But I’m not sure we’re working with the right laptop even.

          I assume Hunter has been given a copy of the FBI laptop in discovery. So he may be able to tell what was actually done on that device and what wasn’t. But I don’t know if a protective order would allow him to use that in this lawsuit.

        • Harry Eagar says:

          It has my house wrong and Google refuses to correct it.

          The previous owner tried and I tried several times.

          Do not trust Google Maps

        • Matt___B says:

          I have a friend who has been to my house many times but like many, lazily relies on the Apple Maps app to give driving directions. He punched in my address and followed the route, but when it said “you have arrived at your destination”, he didn’t see my house. Turns out AM directed him to a house 4 blocks to the north. When he called me to ask what to do, I said “look at the address of the house you’re currently in front of” and sure enough, it wasn’t my address at all. Then this same event happened to another friend who was using Google Maps. The fact that 2 different map apps misdirected 2 different friends to the wrong location blows my mind. Also, without the driving directions, both map apps located the correct building. Very strange…

        • Jim Henley says:

          Hi, Matt. As I understand it, Apple long relied on Tom-Tom Go’s mapping data, and may still. Google might well have too. There may ultimately be only one source involved.

        • algebraist says:

          Apple hasn’t relied on TomTom data in a number of years now, and they map their own in similar ways to how Google does it.

          You still have to process what you collect, and that’s where things can get funky.

        • P J Evans says:

          If you can check Street View, do. At least then you can *see* what it says. (I’ve corrected a couple of locations. Sometimes it will allow it, and sometimes it’s “it’s close enough” even when it isn’t close.)

        • Troutwaxer says:

          The possible problem here is that IP Addresses are transitory. When you attach your computer to an ordinary Internet connection you’re given a temporary IP Address by a system called DHCP (Dynamic Host Configuration Protocol, I think.) This address can change over time, particularly if your system is disconnected for more than (usually) 24 hours.

          The big prize, if the information is available, is the MAC Address of the originating or receiving computer. The MAC Address represents physical hardware much more directly than the IP Address. Usually, in fact, an IP Address is allocated to a MAC Address.

          For a good analogy, consider the following address:

          Joe Sixpack
          1234 Some Place.
          Riverside CA, 92506

          “Joe Sixpack” (the top line of the address) is a computer’s IP Address. It can change with circumstances. The MAC Address is the bottom two lines of Joe’s address – the home’s physical location (the computer’s network hardware) is highly unlikely to change.

          IP addresses can easily change every hour or every day, however, much more frequently than the resident of a particular building. The real hope here is that the IP Address and some kind of timestamp can lead Hunter’s Team to a MAC Address or someone’s account number, or in the other direction to an ISP’s MAC Address.

        • EuroTark says:

          There’s one difference that might give the IP addresses some value. They aren’t actually allocated to end-users, but rather to corporations such as your Internet Service Provider (ISP). They then allocate their addresses to their active users, and depending on their load and your usage pattern, you might have the same IP address for months or get a new one every time you log on.

          However, most ISPs don’t just randomly allocate IPs, but set aside blocks and ranges to customers in a given geographical area. This has given rise to what’s called “Geolocation” based on IP where services try to reverse-engineer the mapping so you can go from IP to geographical area. This should be used with some caution, as they can be hilariously wrong. Personally, my ISP has assigned me a range that’s for an area some 100 miles away.

        • It's complicated says:

          It can be even funnier.
          We have a VDSL landline, the IP address usually doesn’t change for months at a time. The geolocation displayed at the end of a google search page is usually accurate.

          But often, when I return from a walk in the park at the other end of town and my smartphone reverts to using the router’s wifi, google will suddenly switch to displaying that park’s location with search results, for a few hours or so.

        • EuroTark says:

          Google’s geolocation services have more factors to consider than just the IP though. Even if you have GPS turned off they can usually place you pretty accurately based on which wi-fi networks are in range. When they send out the cars for street view, they also log which networks are reachable, and can usually infer from that where you are.

        • Troutwaxer says:

          This is quite true. But regarding IP Addresses as definitive proof for anything is iffy, at best. They’re more like clues than facts.

        • EuroTark says:

          Indeed. While IP addresses can’t be reliably faked, there are several zombie armies of bots out there which can serve as the exit point for a tunnel, if you’ve got the resources. Think of it as running a VPN through some unsuspecting stranger’s WiFi fridge.

        • Shadowalker says:

          My ISP geolocates my IPv4 address to a town about 50 miles to the north, my IPv6 address locates several states to the east into another timezone.

        • Rayne says:

          This: “The possible problem here is that IP Addresses are transitory” is too absolutist.

          IP addresses can be transitory, but dependent on a number of factors.

          I know for a fact the same IP address can be used for years by the same device; the same LAN range can be used for years by the same device.

          More details are needed about the IP addresses in question. Ditto MAC addresses, but we already know there are multiple devices and not a mythical single laptop.

        • Troutwaxer says:

          Just to clear this up completely, IP Addresses (as we are discussing them) fall into two categories; dynamic and static. Static IP Addresses will stay the same until someone manually changes them. Dynamic IP Addresses will change on an irregular basis, anywhere from hours to months depending on how they are used. In this case the IP Address of a device someone carries around, like a laptop or a phone is likely to be dynamic. The IP Address of a server is likely to be static.

          Less obviously, the whole field of IP addressing is fairly complex; any true statement made by any of us about the subject is probably false under a particular set of circumstances.

          Also, IP4 Addresses which begin with 10, 172, or 192.168 are likely to have multiple duplicates.

        • bflapinga says:

          It is unlikely for a host on the Internet to be configured with an IP address in one of those ranges as they are reserved for private networks.

      • Fraud Guy says:

        I was advised of this on occasion when trying to backtrace fraud accounts to their origin. Knowing a passphrase to access an account does not give you permission to access it. Just because you can, doesn’t mean you should.

      • Novembirdie says:

        IANAL. But I do work in high tech, where we are required to take security classes so we don’t-in popular vernacular- get hacked.

  1. Rugger_9 says:

    Ah, the trail of crumbs combined with the RWNJ penchants for lack of attention to detail and being too clever by half will land GZ in deep doo-doo. However, what really needs to be done here is to go after the money funding these operations. I would suspect that once the business model for rat fornication involves risk of jail time, they’ll find better ways to spend it.

    • Rugger_9 says:

      Maybe HB should consider a restraining order against the non-government pack of RWNJ wolves. If he manages to make the CA locus sick, it’s a viable option.

    • emptywheel says:

      That’s one reason that I noted that Ziegler was using NUMBER of donors to argue there’s no venue in CA. Hunter has previously lobbied the powers that be to eliminate Marco Polo’s tax exempt status, bc it doesn’t provide the transparency that’d require. Ziegler may have forced to prove his claim about donors.

      • Rugger_9 says:

        The number of donors is a weird argument to make when only one is required to create a CA nexus. A market share threshold is not a legal criterion, just a commercial one.

        • earlofhuntingdon says:

          As I think Marcy implies, focusing on the number of donors rather than the percentage of money coming from Californian donors might be a way to hide the latter. One or a few big donors, making up a large percentage of the total, would enhance the nexus argument.

  2. John Paul Jones says:

    I’m confused; I’m not seeing an October date in the red box, just a duplicate entry of 24 November 2021 (?).

    The different style of notifications might be a difference between notifications coming from Google Calendar and those coming from the Mac Calendar app. I’m not sure whether the two can be completely synced as I’ve never used Google Calendar, but just the Mac app.

  3. phoffman says:

    The time zone (UTC-03:00) seems odd to me. What do we know about people who were at that offset from UTC on November 24, 2021? (Wikipedia article on time zones at that offset:

    Also, just FYI, the date and time in the e-mail header shown in the second image is almost certainly at that same offset from UTC, since the “date-received” time stamp in integer form (1637782072 ) represents the same second as 2021-11-24 16:27:52 UTC-03:00.

    • Dan Riley says:

      Those emails weren’t received, they originated on the local system. Look at the headers of the raw file, there’s no Received headers indicating that the emails went anywhere besides the “Sent” folder. So there’s also no evidence that apple or google servers were involved. If the headers are true, they originated from a local calendar app reminders, not from the cloud.

      The datestamps are from the local system clock, which is not necessarily reliable without the attestation of some external server.

      The only explanation I can come up with is that they booted a Mac using the HB backup disk as the system disk, which resulted in the reminder email triggering, and the weird timezone on all the exported emails. If so, I would consider that gross investigatory incompetence.
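The two header checks discussed in the comments above (the date-received integer compared with the Date header, and the absence of Received headers), as an added Python example that is not from the original post or its commenters. The sample messages, addresses and header values are constructed; only the epoch value 1637782072 and the UTC-03:00 offset are taken from the thread, and passing the date-received value as a separate argument is an assumption about how it is stored.

```python
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: a message with no Received headers (never relayed).
SAMPLE_LOCAL = """\
From: user@example.com
To: user@example.org
Subject: Alert - constructed sample
Date: Wed, 24 Nov 2021 16:27:52 -0300
Message-ID: <constructed-1@example.com>

reminder body
"""

# Constructed sample: the same kind of message after one server hop.
SAMPLE_RELAYED = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.org with ESMTPS id constructed123
\tfor <user@example.org>; Wed, 24 Nov 2021 19:27:55 +0000
From: user@example.com
To: user@example.org
Subject: Alert - constructed sample
Date: Wed, 24 Nov 2021 14:27:52 -0500
Message-ID: <constructed-2@example.com>

reminder body
"""


def received_hops(msg):
    """Timestamps of each Received header, newest first (None if unparsable)."""
    hops = []
    for value in msg.get_all("Received", []):
        # RFC 5322: the timestamp follows the last ';' of a Received header.
        _, sep, stamp = value.rpartition(";")
        try:
            hops.append(parsedate_to_datetime(stamp.strip()) if sep else None)
        except (TypeError, ValueError):
            hops.append(None)
    return hops


def analyse(raw, date_received_epoch=None):
    """Summarise what the headers can and cannot corroborate."""
    msg = message_from_string(raw)
    hops = received_hops(msg)
    date_hdr = parsedate_to_datetime(msg["Date"])
    aware = date_hdr.tzinfo is not None  # "-0000" parses as a naive datetime

    report = {
        "received_count": len(hops),
        # No Received header: no server ever stamped this copy, so the
        # only clock behind the Date header is the originating system's.
        "locally_originated": len(hops) == 0,
        "date_offset_hours": (
            date_hdr.utcoffset().total_seconds() / 3600 if aware else None
        ),
        "server_skew_seconds": None,
        "epoch_utc": None,
        "epoch_matches_date": None,
    }

    # With a relay hop, a server-side timestamp can be compared with the
    # client-side Date header.
    if aware and hops and hops[0] is not None:
        report["server_skew_seconds"] = (hops[0] - date_hdr).total_seconds()

    # Compare an integer receive timestamp (seconds since the Unix epoch)
    # with the Date header; aware datetimes compare as instants in time.
    if date_received_epoch is not None:
        received = datetime.fromtimestamp(date_received_epoch, tz=timezone.utc)
        report["epoch_utc"] = received
        report["epoch_matches_date"] = aware and received == date_hdr
    return report


if __name__ == "__main__":
    for name, raw, epoch in (
        ("local", SAMPLE_LOCAL, 1637782072),
        ("relayed", SAMPLE_RELAYED, None),
    ):
        print(name, analyse(raw, epoch))
```

Copies that a mail client saves to a Sent folder also lack Received headers, so a zero count describes this copy of the message and not, by itself, how it was created.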

      • emptywheel says:

        Oh that makes sense–then the same happened with Rudy (the earlier one).

        The date stamps are in the neighborhood of the last modified dates for a lot of the emails.

        • Dan Riley says:

          Rereading some Matt Green twitter from a year ago:

          “Rudy Giuliani and his amateur friends using their master copy of the purported hard drive as a read/write *boot disk* sure didn’t help.”

          I think it’s safe to conclude that whoever is behind the “Marco Polo” disclosures are similarly incompetent amateurs. I do some incident response, and OMG what are they thinking? It doesn’t take a Matt Green or Steve Bellovin to see this is not what you do for a competent forensic analysis.

        • emptywheel says:

          I think Matt Green and Jake Williams were limited by the task they were assigned: to validate as many emails as they could. Both instead said, “this thing is a forensic mess.” Which may be why WaPo buried the reports themselves.

          Everyone else has done a correlative matching to “validate” that this was Hunter’s iCloud account. Gus Dimetrelos’ reports did more but that’s when I started to cop on that there were real legal complexities with the laptop, including the encrypted phone back-up.

      • Troutwaxer says:

        The current MacIntosh system is a multi-user operating system (though usually only one person uses a particular computer at a time) with BSD UNIX under the hood. It’s very easy to send yourself an email!

  4. Matt Foley says:

    Isn’t Ziegler the one who has threesomes? Or is that the rapist? I need one of emptywheel’s famous tables to keep track of the Republican Christians who are making America great again.

  5. Tech Support says:

    I look at this list of emails and it really bugs the hell out of me.

    When I read Marcy’s description of these emails, I immediately assumed we were talking about mail rule based email forwarding, but that isn’t possible here. You’ve got these long gaps between the inbound emails and the outbound ones. Furthermore, the subject line is substantially different while lacking a FW: prefix.

    The best explanation I have here is that the outbound e-mails are not some sort of reaction to the inbound google calendar notifications. They are actually outbound iCloud calendar notifications for an entry on HB’s iCloud calendar that is effectively a duplicate of the one on his Google Calendar. Not a perfect duplicate however as they are logged at different dates/times.

    I suspect that the Google Calendar entry is one that was actually generated by the landscaper and sent as an invite to HB’s spamtrap/retail-cutout Gmail account. The Gmail account is set up to email calendar alerts to the iCloud account. You could use some form of calendar syncing at this point but that’s nerdy.

    So HB created a duplicate Calendar entry in his iCloud calendar, at a date/time where the notifications would be more relevant to the amount of lead time he felt he needed, and had those calendar entries also send e-mail based notifications to his address on the domain.

    You’ll also see that in several cases there are multiple outbound emails sent that correspond to a single inbound notification. One of two things are possible. The more likely is that the iCloud Calendar alert was set up with a repeat interval of two hours. The less likely is that HB somehow inadvertently (or deliberately because he doesn’t understand how to configure repeat intervals) created two calendar entries, two hours apart, for the same event.

    I don’t have an explanation for all the gaps in what appears to be a predictable weekly cycle. Beyond that, the last thing that bugged me was the fact that the last two emails, the ones that are red boxed, have the exact same timestamp. Assuming I’m correct in that these are iCloud Calendar alerts, that means that in November of 2021, there were two simultaneous calendar entries for the same instance of the recurring landscaper event.

    I don’t think I can speculate how that happened, though I can imagine both innocently dumb and malicious scenarios.

    • emptywheel says:

      Thanks. That’s really helpful.

      I would need to look. Hunter (or Hunter’s friends) kept changing his alert email for his iCloud account. So it’s possible the doubles involve one going to Rosemont Seneca and the other going to another one of his emails.

      But that still doesn’t explain some of the lapses, unless he just deleted some of them.

      • timbozone says:

        Lapses or gaps? The long 1 year gap has a number of explanations:

        1. (This, to me, is the most likely.) Someone accessed the Google server directly using a browser and deleted the 1 year of missing notifications within the one week period prior to the last two messages date stamps on the list. The device/image that shows the gap period was not set to download email messages from the Google server during that time… OR the device/images credentials were not valid during that period of time to permit downloading.

        2. Someone accessed the Google email server with an email app set to delete messages on the server that were older than a week. This happens to people with multiple devices all the time, as the default deletion period is sometimes not set to “never” by default on new app configurations for imap.

        Question: Do we know if imap or pop was used for email file retention on the stolen device/image? Both of those email connection services have different ways of behaving when it comes to retention of email data in the cloud, have separate settings for maintaining data both on the host device and on the remote server, etc.

        3. The email app on the stolen device/image was set to >not< download files during the 1 year gap intentionally or by mistake. Or, it simply did not access the email/notification server during that gap.

        4. Someone intentionally deleted that one year of email notifications from the "stolen" device image (and it propagated to the server).

        5. Glitches caused by other failed credentials/apis from the notification apps and server services themselves. Note that during the gap period, Google or other service providers involved likely may have required new authentication credentials prior to resumption of email or notification services.

        Question: Did the possessors of the stolen device/image attempt to and/or succeed at creating new valid credentials at the end of the gap period? For all we know there was a valid credential struggle going on during this period of time between those with a lawful reason to be creating new credentials and those who did not have a lawful reason to do so.

        6. A combination of the above 1-5 or explanations even farther afield.

        • emptywheel says:

          All questions I can’t answer, but I find them helpful.

          It seems highly likely that when Rudy got the laptop, most of the credentials would still work. It seems less believable that by the time Ziegler got started, they remained valid. But there was a key chain and cookies on that hard drive, so there was a lot there.

  6. Amicus12 says:

    Thank you for linking to the language of the declaration. I smell a rat.

    You can submit a testimonial and unnotarized declaration in federal court pursuant to 28 U.S.C. § 1746. To do so, the declaration must state:
    If executed without the United States: “I declare (or certify, verify, or state) under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on (date).”
    If executed within the United States, its territories, possessions, or commonwealths: “I declare (or certify, verify, or state) under penalty of perjury that the foregoing is true and correct. Executed on (date).”

    The language of the Ziegler declaration does not track the requirements of 28 U.S.C. § 1746. Ziegler states that “I declare under penalty of perjury under the laws of the State of California that the foregoing is true and correct.” Notice the inclusion of the language “under the laws of the State of California.” The laws of the State of California have no bearing on the testimonial requirements of a declaration submitted in federal court.

    What this should mean is that the declaration has no testimonial validity in the proceeding. And it’s exactly the kind of weasel language one might insert if one knew that what they were saying was not “true and correct” and they did not want perjury – federal perjury – to attach to the Declaration.

    I hope HB’s lawyers are alert to this. Because it’s important.

    • emptywheel says:

      Interesting. Because his declaration is less than thorough on a number of points, even where he’s less than forthcoming. Eg, WHICH Rudy associate gave you the laptop? WHO are your CA donors (and your other donors)? And like I said, I’m pretty sure that Ziegler doesn’t actually believe that the laptop was in Hunter’s possession at the time the iPhone was backed up to it. I certainly don’t.

      Abbe Lowell is the attorney on this as well (and I assume Kevin Morris knows these rules in CA). So hopefully he’ll take note.

      • emptywheel says:

        Oh, and the Ziegler speech cited in the complaint is really only consistent with hacking the password, not finding it. The Gus Dimetrelos report he cites did claim to find the password on the laptop itself, so he may have adopted that explanation after the fact.

        • Amicus12 says:

          Now, in fairness, this could be a mistake because it is the attestation language that is used for a declaration in California state court. Cal. Code of Civil Procedure § 2015.5. Someone could have used a state declaration as a model or guide.

          But if it’s a mistake it’s a fundamental one. If you practice in the California state and federal courts, you know they are chalk and cheese. I remember when the firm bought California yellow books (California Style Manuals) so we could use citations proper in state court filings.

          And while some judges will grant leave to refile the declaration with the correct attestation, others won’t. To the extent the motion to dismiss rests on the declaration in its current form it’s meritless and subject to dismissal. And even if the court gives you a mulligan, you’ve lost trust in a major way.

  7. bloopie2 says:

    Sounds familiar. Some official forms for US Patent and Trademark Office submissions (patent administrative proceedings) recite:

    I hereby declare that all statements made herein of my own knowledge are true and that all statements made on information and belief are believed to be true; and further that these statements were made with the knowledge that willful false statements and the like so made are punishable by fine or imprisonment, or both, under 18 U.S.C. 1001 and that such willful false statements may jeopardize the validity of the application or any patent issued thereon.

    No notarization needed; the party is bound by that.

  8. Error Prone says:

    The California declaration language was used by counsel practicing in California and likely is a mistake. What concerns me is representing personal knowledge to which he could testify. Then, paragraph 4 he says a computer abandoned by Hunter Biden. Is that a fact Biden still has not conceded, it being his laptop, and Ziegler has no personal knowledge of who left the computer. He wasn’t there. Am I wrong?

    Last I read the pleading was private data of Hunter Biden not authorized for use or access by him to Ziegler nor to anyone else. Expropriated, somehow, from Hunter. All Ziegler has personal knowledge of is somebody gave him a hard drive, with representations about it of some kind, but he cannot validate truth of the representations. Again, am I wrong?

    • bmaz says:

      You are certainly getting warmer as to the myriad of problems as to veracity and admissibility under FRE Rules 403, 901 and a few more.

    • emptywheel says:

      You’re correct. Though he did submit John Paul Mac Isaac’s paperwork to support his claims. Of course, as I’ve noted, JPMI didn’t write down serial numbers of the laptops he took in and none of the ones he describes matches the one shared with the FBI.

    • Amicus12 says:

      Mistake or no, what you identify is why you close the loophole. You argue to the court that either the declaration should be disregarded or corrected. Then one of three things happens: the court grants leave to correct; the court says close enough for horseshoes; or the court denies the parts of the MTD based on the declaration.

      Because if plaintiff survives the MTD, when you take Ziegler’s deposition you want to be able to drill into those statements as made on personal knowledge on pain of perjury.

      And mistake or no, the MTD and declaration are made by an attorney that knows how to practice in federal court in California.

    • Dragonfly says:

      Since accuracy is valued here, this farm girl needs to point out that maggots would have zero interest in poop, especially of the ungulate variety. Maggots need animal flesh – usually, but not always – dead (search fly strike). Many creative analogy opportunities there!

      I am so grateful for the clarity and high standards here. Thanks to each of you who makes this an exceptional place. You’ve given this news obsessed shut-in many hours of company and thoughtful engagement. And I rarely have to yell at the screen like I do often with regular news!

      Thanks everyone and keep up the good work.

      • Benji-am-Groot says:

        Flystrike. Dayum.

        And thank you, new word learned.

        I find many of the folk here to be helpful – they are cheaper than a therapist or a bartender and help make things better – for free!

        Have a great holiday all!

  9. algebraist says:

    Quoting Marcy’s article:

    .. to load up the laptop that found its way to John Paul Mac Isaac and from there, on a hard drive, to Rudy Giuliani and then, another hard drive, to Garrett Ziegler. The technical explanation may also explain why the FBI relied on the laptop for Google alert information …

    As someone who does work in IT, even if this statement is only half true there’s enough here wrong that any competent forensic technician would be running screaming for the hills. There’s no registered chain of custody and the data could very well claim to have been interfered with at a number of different points in its handling chain from Hunter via this sorry excuse for a tech, through that corrupt lawyer to the FBI.

    The point basically is anyone could have interfered with the data and doesn’t that count as “Fruit of the Poisonous Tree”? It’s certainly barely evidence anymore since so much doubt on its veracity could be sown. This is specifically referring to the hard drives, the cloud backup stuff is another ball game entirely.

    The FBI has likely followed something close to proper process for the Google notification stuff, but again with the chain of non law enforcement handling these devices it could all still be challenged. I’ve failed to see for a long time how this is admissible evidence of anything.

    • earlofhuntingdon says:

      It might be fruit of a poisonous tree, an analogy for evidence derived from other evidence that was illegally obtained, although it might only have been obtained wrongfully, rather than illegally. If admissible, that would still subject it to severe impeachment. But the information lacks provenance in so many ways that it appears to be inadmissible, at least for the purpose of proving its truth.

      • algebraist says:

        Non legal expert time:

        As far as I’m aware there’s some relevant exceptions to the rule.
        1. Discovered in part as a result of an independent, untainted source
        2. Inevitably discovered despite the tainted source
        3. Chain of causation between the illegal action and the tainted evidence is too attenuated

        1. BZZT. This one can certainly be ruled out.
        2. Possibly yes possibly not? I am not sure. I am also not a lawyer.
        3. Does one person illegally possessing said data, copying it off a few times and passing it on count? I doubt it.

        This is probably what Abbe Lowell is going for with some of the initial arguments over hacking too.

    • emptywheel says:

      Ziegler’s provenance problems matter for people like me, relying on emails he made available.

      The JPMI ones, still significant, are what will affect FBI and (because Congress is also using his data), impeachment.

  10. e.a. foster says:

    Is this how it ends? A pissing contest between some people about what some words mean and if some actions are legal or not. It’s so bizarre. The U.S.A. is an incredible country with immense wealth, fire power, brains and here they sit, dealing with this bit of “fluff” in an attempt to continue their Biden laptop game. Don’t these people understand they have a country to run? They’re assisting two other countries in wars, women are dying due to lack of maternity care.
    Tomorrow is 24 Dec. I’ve started my party with Mexican coke. No, it’s not that stuff, it’s a drink and the coke is made with sugar cane. It tastes a lot better than the Canadian/American made coca cola.
    Merry Christmas and Happy Boxing Day!

    Empty Wheel thank you for writing all about this because if you didn’t a lot of us would simply not know and it’s important we do know and understand.

      • e.a. foster says:

        It’s available on Vancouver Island, B.C., Canada! I buy mine at the Country Grocery, a small independent grocery store chain on Vancouver Island, actually it’s only in the middle of Vancouver Island, so just drive north, take the ferry to Nanaimo, Duke Point terminal. If you ask most people they can direct you. There is also a Mexican cola brand, Jarritos, made in Mexico and it’s pretty good also, but my favorite is made in Mexico by the Coca Cola corp, with sugar cane.
        In Vancouver, B.C. the Mexican coke is sold in a Central American bakery which makes the most amazing empanadas. Don’t miss the ex, but sure miss their mom’s empanadas. Try checking in at some Mexican or Central American food shops. If no luck, take a trip to B.C., but leave the guns at home. Customs isn’t keen when they show up at the border. We do have a lot of weed though.


        May the new year have a whole lot more food programs for children and fewer dump/dumb politicians.

  11. zscoreUSA says:

    Interesting about the calendar notifications. The alerts seem to go out on Thursdays and 10/14/21 was a Thursday. I was curious how an email could be sent and a device connected to the Internet without the rest of the emails since March 2019 loading up, but comments above seem to explain.

    If not located in California, I have suspected that someone on Ziegler’s team may be located on the West Coast since some of the texts on their website appear to be UTC -8.

    According to my notes, Ziegler begins working in the Marco Polo Report 9/17/21

  12. zscoreUSA says:

    For 2/6 and the phone extraction and DC car accident
    Based on texts and data on Marco Polo, Hunter starts off the day before dawn recording a home movie in Delaware a few hours before the phone contents are extracted at 5:10 am. The last text sent in that data set is 6 minutes before the phone extraction, to the person with whom he had just recorded the home movie, so possibly in the room with him at the time of phone extraction. Which is the same person who the Hunter i/o app appears to email “test” a few days later, plus or minus a couple hours from having recorded a different home movie.

    In this time frame, Hunter has been trying to get one of his phones back that he had placed in Hallie’s car to monitor GPS. He is also texting Ablow he plans to drive back up to Boston so they can write their books and record their podcasts and go skiing. There are receipts and texts that he is in DC later in the day on 2/6, including hotel and text with the Lyft driver from the collision. The Lyft collision being located in DC doesn’t sound suspicious, imho, though I’m not sure the purpose for being in DC (instead of Delaware). He started the morning in Delaware and ended the day in DC. Was in an accident in DC at night. Is that suspicious?

    I’m not sure what to make of the phone extraction date, or which phone is which, but the phone that was extracted is the only phone that Dimitrelos lists as currently connected to Apple ID. Which seems bizarre with his plethora of Apple devices, only 3 are connected.

    Can only 1 phone, 1 laptop, 1 iPad at a time be an Apple ID trusted device?

    And how does a phone extraction work? Does it pull every file from the phone? Could Hunter have extracted to get home videos then all of the text messages came along as part of the process?

    RHB currently has three (3) devices verified with his iCloud account allowing him to access, open, author, revise, upload, send, store and download data from the account.
