March 7, 2021 / by 

 

FBI and DHS Aren’t Using the Free Expertise on Right Wing Terrorism While Looking to Pay for It

There was a remarkable moment in the Homeland Security/Rules hearing on January 6 the other day. Krysten Sinema asked whether FBI knew of the conversations on social media where people were openly planning for insurrection. FBI’s Assistant Director for Counterterrorism, Jill Sanborn, explained they did not know of them because the Bureau couldn’t collect on the social media of Americans without a predicated investigation.

Krysten Sinema: Was the FBI aware of these specific conversations on social media?

Jill Sanborn: To my knowledge, no ma’am, and I’ll just sort of articulate why that is. So under our authorities, because, being mindful of the First Amendment and our dual-hatted mission to uphold the Constitution, we cannot collect First Amendment protected activities without, sort of the next step, which is the intent, and so we’d have to have an already-predicated investigation that allowed us access to those comms and/or a lead or a tip or a report from a community citizen or a fellow law enforcement partner for us to gather that information.

Sinema: So the FBI does not monitor publicly-available social media conversations?

Sanborn: Correct, ma’am, it’s not within our authorities.

For what it’s worth, Sanborn’s first comment was about collecting on social media. Sinema then treated that as a limitation on monitoring it (and Sanborn didn’t correct her). Still, Sanborn explained away FBI’s failure to see the insurrection many of the rest of us were seeing develop in real time by saying that discovering it would have required tracking Americans’ protected speech.

A more revealing moment came elsewhere, when Sanborn revealed that just one person who has been arrested in the wake of the attack had already been under investigation. That means, in spite of the Proud Boys’ threat, with Roger Stone, against Amy Berman Jackson two years ago, the FBI didn’t have an enterprise investigation into them (or the Oath Keepers or a range of other extremist organizations involved in the attack). So, because the FBI was not investigating the Proud Boys, the Proud Boys were able to plan an insurrection in plain sight.

That has changed, of course.

Later in the hearing, Mark Warner — citing all the FBI’s warnings in recent years about what a lethal threat white supremacist terrorism is — asked both Sanborn and the woman currently running DHS’ Office of Intelligence and Analysis, Melissa Smislova, what they’re doing to improve things and whether they’re using any of the open source experts out there.

Sanborn talked about working with “partners” (which I took to mean social media companies) and Fusion centers. Smislova revealed that DHS is looking to contract with experts on the topic, rather than read what those experts produce on a regular basis.

Mark Warner: I appreciate Ms. Sanborn’s appropriate response that they not arbitrarily collect off of American citizens if there’s not some nexus, but I do think it’s important, I think others have mentioned this that Domestic Violent Extremists didn’t start with January 6. They didn’t start with Donald Trump. They’re not going to end with January 6. They’re not going to end with Donald Trump. In my state we saw, a few year’s back, the Unite the Right rally at Charlottesville where many of these same groups and affiliations came together in another violent effort where one protestor was killed, we unfortunately lost a couple members of our State Police. Director Wray has repeatedly said in testimony before the Intelligence Committee, the Worldwide Threat Assessment, that Domestic Violent Extremists are a major national security threat to this country. I personally believe that that message was downplayed during the previous Administration because they didn’t want to hear it. I want to start with Ms. Smislova and Assistant Director Sanborn — Director Sanborn it’s great to see you again — is that, recognizing the constraints that are placed upon you in terms of collections, and also acknowledging that this threat has been around for some time. The FBI in particular has acknowledged that it is an extraordinary major severe threat, what have you both been able to do in engaging in open source intelligence and independent research communities to better identify these DVEs. I know in the run-up to the January 6 insurrection there was research done by Harvard’s John Donovan and Elon University’s Megan Squire as well as other researchers that pointed to the fact that these DVEs and affiliated groups, oftentimes groups that are working in conjunction with groups in Europe, were planning this effort. So how are you both, DHS and FBI, utilizing these independent researchers, these open source activities, and making sure we’ve got a better handle on it, recognizing your appropriate constraints on what you can do directly?

Melissa Smislova: Yes, Senator, thank you for the question. We just last week met as, as inside I&A, to discuss contracting with some of those experts outside. We are aware that we need to invest more in our understanding of Domestic Terror, we understand as well that it will require a different approach than a traditional Intelligence Community approach, we must use different sources to understand this threat, we are looking to get outside experts, invest more in-house, we are secondly looking at how to better understand the social media world, so we can better focus on where we might find specific and insightful information about what the adversary is thinking about. We are additionally looking to partner more with our state and local colleagues who we know have a different perspective on this threat and have more information, in some cases, than we do, and we are also, again, partnering more across the department and with our federal partners, increasing our relationships with FBI.

Warner: Ms. Sanborn?

Jill Sanborn: Thank you Senator, nice to see you again as well. I’d sort of say what we’re trying to do, and I’ll put it in three buckets, really, for you. Increasing our private sector is 100%, I have a section just inside my division that does nothing but partner engagement. We have found that the better we educate them on the threat we’re facing and painting a picture for them of what those threats we are, they’re better able to pay attention and collect and refer information to us and that is helpful and that’s when we talk about the fact that 50% of our tips and leads to our cases, or predication for our cases come from that relationship and that education. We’re also, same as my colleague said, using the state and local partners, so we leverage the Fusion centers a lot and their ability and their expertise — and the Orange County Fusion Center is a great example of leading, sort of, the analytics of social media and leveraging their expertise to predicate cases and they were actually behind the predication of the case, The Base, that we disrupted. And then last, I’d say, challenging ourselves for better collection inside, right, trying to point our sources and our collection to be in the right places to collect the intelligence that we need and that is what led to the Norfolk SIR, that is us pointing our collection in a space that gathered that information.

Warner: I have to tell you, respectfully, I’m pretty disappointed with both of your answers. This is not a new threat, we’ve seen since 2016 election how foreign adversaries manipulate social media, hear repeatedly from DHS and FBI that we’re going to get better at collecting. We saw the Unite the Right rally in Charlottesville. We heard people say we’re gonna get better at collecting information and better partnering, neither one of your referenced — there’s literally a host of experts at academia, at organizations like Graphika, and others that are monitoring the DVEs and their activities, oftentimes in their connections to anti-government groups in Europe, again, oftentimes amplified by nations like Russia, and I guess we’re always going to get ready and we’re somehow surprised when we see the kind of chaos that took place on January 6th.

Mark Warner proceeded to chew out both FBI and DHS’s witnesses given that, even after he raised open source expertise available, neither mentioned relying on it.

I hope Warner is paying attention to Huffington Post’s recent reporting. On February 26, relying on the work of some anti-fascist researchers, HuffPo identified Danny Rodriguez as the likely culprit behind the tasing of DC cop Michael Fanone, which led him to suffer a mild heart attack. HuffPo also reported that the FBI had gotten tips IDing Rodriguez in January, but had done nothing to call those who submitted the tips until HuffPo called the Bureau for comment.

The man in the red “MAKE AMERICA GREAT AGAIN” hat seemed to think he was untouchable. He joined the mob as they yelled “HEAVE! HO!” and tried to force their way through a police line into the Capitol building. Once inside, he used a pole to ram against a window, trying to shatter it and bring more people into the Capitol. In the most disturbing footage of all, he was caught on camera appearing to shock D.C. Metropolitan Police Officer Mike Fanone with a stun gun. As rioters push Fanone down the stairs and away from other cops, video shows the man in the red cap pressing a small black device against the officer’s neck. Fanone instantly drops to the ground, swallowed by the mob.

[snip]

His assailant in the red MAGA hat, who has been at large since the insurrection, is 38-year-old Daniel Joseph Rodriguez from Fontana, California, HuffPost can confirm.

Rodriguez, who goes by “Danny” and “DJ,” is well known among Trump supporters in the Los Angeles area as a superfan of the former president. Multiple news outlets have featured him in their coverage of the local pro-Trump movement in recent years, in articles that included his name and photo. He regularly attended the weekly Trump rallies in Beverly Hills last year. He was recognizable there by his dark-rimmed glasses and the many distinctive pins on his hat, which has a big GOP elephant symbol on the brim.

[snip]

Two separate anti-fascist activists ― as well as a third witness who supported Trump and called himself a former friend of Rodriguez ― reviewed footage of the man at the Capitol and told HuffPost they recognized Rodriguez from the California rallies.

The FBI received tips about Rodriguez last month, including one from a man he assaulted on video at a Los Angeles-area rally. But it wasn’t until hours after a HuffPost inquiry to the bureau for this story that the tipster heard from an FBI special agent with questions specifically about a man named “Danny Rodriguez.”

Then, yesterday, HuffPo revealed another case where a researcher sent in a tip only to have no visible response from the FBI. Shortly after January 20, SeditionHunter “Amy” identified Robert Scott Palmer as the guy in an American flag jacket who sprayed a fire extinguisher at cops.

With bright red and white stripes across his body and stars down his sleeves, the man in the American flag jacket and “FLORIDA FOR TRUMP” hat wielded a fire extinguisher while charging the U.S. Capitol on the afternoon of Jan. 6. He shoved his way through the crowd of rioters to the police line, then sprayed officers at close range before chucking the emptied canister at them. By nightfall he himself had been lightly harmed, apparently by a police crowd control munition. He held up his shirt to show off his bruised gut during an interview with a female journalist filming him live as cops pushed the mob back from Capitol grounds. Then he looked straight into her livestreaming device and identified himself as Robert Palmer from Clearwater, Florida.

[snip]

Palmer is now publicly on the FBI’s radar, though not by name. Three photos of him are featured on the bureau’s Capitol violence page, where he’s listed only as “#246 – AFO [Assault on Federal Officer].” But the images didn’t appear there until nearly a month after Amy had already tipped off the FBI about his identity.

#FloridaFlagJacket was used as a hashtag on Twitter less than a week after the Capitol attack, when Trump was still in office. Amy sent in a tip naming Palmer not long after President Joe Biden was inaugurated. His photos were finally added to the FBI database in late February.

It’s not just online researchers whose tips the FBI isn’t moving on quickly. On January 11, someone who knew Peter Schwartz as a felon who had gotten released from prison due to COVID, alerted the FBI that Schwartz had skipped out on his halfway house to attend the rally (the tipster was friends with Schwartz but Schwartz owed him money). The FBI subsequently identified Schwartz as the person who maced some cops.

On January 11, 2021, the FBI National Threat Operations Center (NTOC) received a tip from an individual (hereinafter W-1) who is personally acquainted with SCHWARTZ. In the tip, W-1 reported that “Pete SCHWARTZ” was involved in the Capitol riots. W-1 stated SCHWARTZ is a felon and was released from prison due to COVID-19. W-1 also stated that SCHWARTZ is employed as a traveling welder. According to W-1, SCHWARTZ was supposed to be at a rehabilitation facility in Owensboro, Kentucky on January 6, 2021. However, W-1 saw a picture of SCHWARTZ on the Capitol Building steps that appeared to have been taken on January 6, 2021. As part of the tip, W-1 also provided the Facebook URL for what he claimed was SCHWARTZ’s Facebook page. W-1 did not provide any other photographs, however. Due to the volume of tips provided to the FBI since January 6, 2021 – which stands at over 150,000 as of January 26, 2021 – the FBI was not able to immediately contact W-1 regarding the information that W-1 provided and did not immediately link SCHWARTZ to the individual who repeatedly maced officers at the Capitol.

Schwartz wasn’t arrested until February 4.

Still, that’s less time than these other tips.

The FBI, perhaps justifiably given the flood of data they’re dealing with, seems to value tips from suspects’ direct associates rather than online tipsters. The vast majority of tips they have acted on do come from people who know a suspect directly, often their family or friends or high school classmates.

But many of these researchers have been doing what FBI claims it cannot do (or could not before an insurrection gave them the predicated investigation permitting them to do so): connect the dots from public social media.

Instead, DHS is looking to pay people for the assistance people are trying to give the FBI for free.


On January 12, UK Granted Exception to Rule of Specialty in Minh Quang Pham Case

Back in September, I argued that the case of Minh Quang Pham should be considered a precedent of sorts for Julian Assange. Pham is a Vietnamese refugee to the UK who was stripped of his UK citizenship and extradited to the US in 2015 on charges relating to AQAP. When he was originally extradited, most of what he was charged with was serving as a graphic designer for AQAP’s Inspire magazine, which was charged as material support for terrorism. He was also charged with terrorist training while wielding a firearm. That is, like the charges Assange faces, Pham was extradited for publication activities that the US deemed to threaten US national security.

Pham is held in Florence SuperMax, one of the prisons that Assange might be detained in if he were extradited and convicted.

After Pham tried to get his sentence lowered under the US v Davis precedent on his firearm charge, the government moved to vacate his plea deal and supersede his indictment to include a terrorist attack on Heathrow they claim Pham agreed to carry out with Anwar Awlaki. The charge relies on the testimony of Ahmed Warsame, whose cooperation with the US has allowed him to avoid prosecution for his very significant leadership role in al-Shabab. But to supersede Pham’s indictment, the government first had to ask the UK for an exception to the Rule of Specialty.

It seemed likely the UK would grant it — such things normally happen between the US and UK, and this was a case where the UK was happy to pawn off Pham to the US for its far more draconian prosecution. But the tensions around Anne Sacoolas and the high profile of the Assange extradition made the question more interesting.

It turns out, at least on terrorism cases, the UK and US remain happy to subject former UK citizens to the harshest aspects of US’ legal system.

According to a status report filed today, the UK granted the exception on January 12, and Pham will soon be re-indicted in preparation for a trial at which — having little to lose given his current sentence at Florence — he will vigorously contest both what he said in interviews he gave while in transit and the evidence provided by Warsame.


Unpacking a January 6 Phone Warrant

Given the focus on legal authorities used in the January 6 investigation, I wanted to look at a search warrant affidavit for the phone of Karl Dresch, a Yooper arrested on January 19 for trespassing and obstructing the vote certification. FBI obtained it Wednesday and executed it yesterday.

The investigation into Dresch arose, as most of the January 6 investigations have, when some informed the FBI — in his case, on January 7 — that Dresch had posted about busting into the Capitol on Facebook. The FBI obtained a warrant for Dresch’s Facebook content, and then, on January 19, arrested him on trespass and obstruction charges. On January 22, in part because of his Facebook posts promising “we will be back” and in part because he had a 2013 arrest and felony conviction for a high speed chase to avoid arrest in Wisconsin, he was ordered detained pending trial. Shortly thereafter, the Houghton County Sheriff, Brian McLean, who knows both Karl and his father (who helped bust the Oklahoma City bombing terrorists), told a reporter Karl should have gotten released on bail.

His father, Stephen Dresch, who died in 2006, provided the FBI information a year prior that led agents to a stash of explosives one of the Oklahoma City bombers had hidden away at his since-vacated Kansas home.

[snip]

Despite the polar opposite outcomes, Houghton County Sheriff Brian J. McLean, who knows the Dresch family, called Stephen Dresch’s son “a chip off the old block.”

[snip]

Stephen Dresch, whom McLean described as a “brilliant, sharp guy,” and his son were “very vocal” about their beliefs, the sheriff of 24 years said. Karl Dresch “likes to give his opinion, whether other people want to hear it or not,” he said.

Houghton County deputies have dealt with Karl Dresch on “minor nuisance calls,” but never anything serious, and he wouldn’t be on a “list of people we’re concerned about,” McLean said.

[snip]

Sheriff McLean disagrees with the risk assessment. He said Karl Dresch doesn’t pose a significant risk to the public and “absolutely” should have received bond.

Since then there’s little else that has happened in this case. On February 3 he was indicted — again for the obstruction and trespassing charges, but still not an illegal possession charge tied to having two guns as a felon. On February 19, a CJA attorney filed an appearance for him. But there’s not even (in the docket) notice of his arraignment.

Now, over forty days after seizing the phone that the FBI believes he had with him on January 6, they have taken steps to access it, stating that they believe they will find evidence relating to his existing charges (trespassing and obstruction) along with unlawful possession.

Search warrant boilerplate for January 6 is slightly more comprehensive than for arrest warrants. In this case, it includes details of people calling out for Nancy Pelosi and other Members of Congress, a description of the note that Jacob Chansley left for Mike Pence in the Senate Chamber: “Justice is Coming.” It describes Eric Munchel and others wandering around with zip ties. That is, it culls the evidence from various insurrectionists that hints towards a more malign plot against Congress, without stating that explicitly. It is the story that DOJ may believe they will one day tell.

In this case, too, it includes details on the exact location and the size of the Capitol, including the Visitor’s Center.

U.S. Capitol Police (USCP), the FBI, and assisting law enforcement agencies are investigating a riot and related offenses that occurred at the United States Capitol Building, located at 1 First Street, NW, Washington, D.C., 20510 at latitude 38.88997 and longitude -77.00906 on January 6, 2021.

At the U.S. Capitol, the building itself has 540 rooms covering 175,170 square feet of ground, roughly four acres. The building is 751 feet long (roughly 228 meters) from north to south and 350 feet wide (106 meters) at its widest point. The U.S. Capitol Visitor Center is 580,000 square feet and is located underground on the east side of the Capitol.

I note the inclusion of these details because these measurements would be really useful in an affidavit that relied on details — such as the ones in Jeremy Groseclose’s arrest affidavit — that talk about the granularity of the location data the FBI is obtaining. In Groseclose’s case, a Google warrant IDed his presence in the Crypt to within 34 meters at 68% confidence. Given the size of the Capitol, then, a Google result like that would fairly clearly show the target in the Capitol, and (given a room the size of the Visitor’s Center) in the room in question.

The Visitor’s Center is one of two places inside the Capitol (the other is the Crypt) where Dresch took pictures and videos he later posted to Facebook, including this one, which court documents describe Facebook data doesn’t include the time for, but which he posted later that night.

So that may be one thing the FBI hopes to find by accessing this phone: More details about the photos Dresch took while in the Capitol. For example, there may be something on the video he took that implicates either him or others, and so want better evidence for trial.

But that’s one of the interesting absences in this affidavit. The warrant notes that Dresch used Verizon, but it doesn’t mention anything about his Verizon call records or — more especially — his location data. Presumably they have that, but have chosen not to include it.

It’s possible (indeed, the government has asserted they think they’ll find) more on the guns he has, in particular any evidence he brought them to DC either on January 6 or some follow-up trip, the one suggested by a second hotel receipt (note, in the existing affidavits, the FBI doesn’t say whom Dresch told, “we have your back give the word and we will be back even stronger,” after January 6, but Facebook surely has that).  If the FBI had reason to believe they could place someone at the Capitol with a gun, that would be an important investigative addition.

There are also his interlocutors, especially the guy, USER 2, with whom he was sharing information about what was going on in the Capitol during the event. The FBI undoubtedly knows who that is, but it’s possible FBI has reason to believe there may be more (such as deleted content) on the phone itself.

Finally, one reason the government is always going to want to exploit a phone is to obtain encrypted communications (like Signal) that wouldn’t be accessible from a provider.

None of this is at all momentous: Just an affidavit to search the phone of one presumably very minor guy, and one that can’t be all that operationally interesting (or else they would have sealed it, as virtually all search warrants currently are). Just one case among 300. At least on its face, just an effort to add another charge or learn more about other insurrectionists.

Timeline

December 16, 2020: Dresch posting about January 6: “1/6/2021=7/4/1771”

January 3: Dresch posts that he’s headed to DC: “NO EXCUSES! NO RETREAT! NO SURRENDER! TAKE THE STREETS! TAKE BACK OUR COUNTRY! 1/6/2021=7/4/1776”

January 7: Tip that Dresch posted on Facebook about entering the Capitol.

January 12: Warrant for Facebook account.

January 13: FBI obtains Facebook content. Among other things it shows the following posts from January 6 and 7:

  • January 6, 2:26: Picture 3 taken with a Moto e6 in the Crypt, which is under the Rotunda
  • 2:43: USER 2 messages Dresch that, Patriots are in the Capitol building now”
  • 2:44: Dresch responds to USER 2: I am, with picture of Capitol Visitor’s Center
  • 2:48: USER 2 messages Dresch that, “Word is police are getting ready to use teach gas.
  • 2:48: Dresch responds, “Been using it. Mask up.”
  • 3:13: Dresch posts, “Who’s house? OUR HOUSE!”
  • 3:14: Dresch posts Picture 3 with caption, “We are in”
  • 4:46: Dresch responds to comments saying “It was peaceful … still got a lil gas tho … mask on for safety
  • 5:17, 5:18: Dresch sends USER 3 two pictures with the caption, “That’s right outside the house of representative … we got in! Took a lil gas … wtf I love masks now!” Had the cops booking it”
  • 6:09: Dresch responds to comments saying, “we broke no glass no shoving I seen”
  • 8:32: Dresch posts crowd at Washington Monument, “Total Victory!”
  • 8:44: Dresch posts “I’m excited”
  • January 7, 12:11 AM: Dresch posts image from Visitor’s Center stating that “antifa did not take the capitol. that was Patriots. … those traitors Know who’s really in charge”
  • 8:32PM: Dresch posts to another post, “Mike Pence gave our country to the communist hordes, traitor scum like the rest of them, we have your back give the word and we will be back even stronger”

January 15: FBI obtains arrest warrant for Dresch

January 19: FBI surveils Dresch’s residence and then arrests him outside it, searches his home, finding:

  • A Motorola that may be a Moto e6
  • A bag that Dresch had with him in one of the photos he posted to Facebook, including:
    • A receipt from a hotel in Washington DC (no date described)
    • Eight boxes of ammunition
    • A CB radio
    • A Whistler laser/radar detector
    • A DC Metro Pass
    • A hotel receipt for a hotel in Chantilly, VA for arrival on January 5 and departure on January 7
  • A Russian SKS-type rifle with a bayonet
  • A shotgun

January 22: Because of prior felony involving evading arrest, Dresch detained pending trial

March 3: Warrant obtained

March 4: Warrant executed


Insurrection Inciters Ted Cruz and Josh Hawley Only Want the Violent January 6 Criminals Prosecuted

I just waded through the 159 pages of culture war questions — God, guns, and racism — that GOP Senators posed to Merrick Garland to justify their votes opposing the widely-respected moderate to be Attorney General. Along with a seemingly broad certainty among the Republican Senators that John Durham will finally find something 21 months into his investigation and a committed belief in outright lies told about Mike Flynn’s prosecution, two of the Republicans — coup-sympathizers Ted Cruz and Josh Hawley — made it clear they think the only crime from January 6 that should be prosecuted is assault.

Cruz did so as part of a series of questions designed to both-sides domestic terrorism. While he may intend this question and a counterpart about all protests in Summer 2020 (whether conducted by leftists or not) to set up an attack on a DOJ appointee, Cruz created a false binary regarding crimes related to January 6, where people either simply “attended the Trump rally” or they “participate[d] in any act of violence.”

66. Do you believe that an individual who attended the Trump rally on January 6, 2021 did not participate in any act of violence should be prohibited in holding a political position in the Department of Justice in a future administration, even if he or she did not personally engage in any unlawful conduct?

RESPONSE: Americans have a constitutional right to engage in lawful, peaceful protest. If confirmed, I would assess any candidate’s fitness for a role in the Department on an individual basis and with the goal of hiring individuals who are capable of carrying out the Department’s important mission with integrity.

This ignores the people who committed a crime by peacefully entering the Capitol, as well as people who didn’t enter the building but in some other way participated in efforts to prevent the certification of the vote.

Cruz also challenged the description of January 6 in terms of domestic terrorism.

69. At your hearing, you stated that your definition of “domestic terrorism” is “about the same” as the statutory definition.

a. What is the statutory definition of “domestic terrorism”?

RESPONSE: The term “domestic terrorism” is statutorily defined in 18 U.S.C. § 2331.

b. What is your definition of “domestic terrorism”?

c. What is the difference between your definition and the statutory definition?

d. What relevance will your personal definition of “domestic terrorism” have to your duties, if confirmed, as Attorney General?

RESPONSE: At the hearing, I described domestic terrorism as using violence or threats of violence in an attempt to disrupt democratic processes, noting that this definition is close to the statutory definition of the term in the criminal code codified at 18 U.S.C. § 2331. If confirmed, all of my actions as Attorney General would be guided by the law as written.

Ultimately, Cruz seems to be objecting to treating the interruption of the certification of the vote as a particularly “heinous” crime, as Garland had labeled it during his confirmation hearing.

Meanwhile, Josh Hawley asked Garland how he intends to protect the First Amendment rights of Americans to “criticize their government and pursue political change” while investigating an insurrection that Hawley calls “rioting.”

5. If you are confirmed as Attorney General, as you conduct your investigation of the rioting that took place at the Capitol grounds on January 6, 2021, what specific steps do you intend to take to ensure that Americans’ First Amendment rights to criticize their government and pursue political change are not infringed?

RESPONSE: Americans have a fundamental right to engage in lawful, peaceful protest. If confirmed, I will vigorously defend this right. Acts of violence and other criminal acts are not protected under the Constitution.

As Cruz did, Hawley’s question treats the January 6 investigation as a binary, either violence or protected under the First Amendment.

This framework, in both cases, ignores that even those who didn’t enter the Capitol, along with people who entered as part of a larger violent effort, are being charged both for obstructing the vote certification (the treatment of which as terrorism offended Cruz) and for conspiracy in the larger goal of obstructing the certification.

Mind you, both of these men should be safe. They have the right to raise questions about the vote, and the effect of the insurrection was to interrupt whatever they were doing, even if it was, itself, delaying the certification. So their peaceful contributions to the events of January 6 should be fine.

Unless, of course, it can be shown that their efforts were coordinated with the larger effort, were an effort to buy time until the rioters could more effectively end the process of democracy that day.

In any case, both are very clearly working the soon-to-be ref here, hoping to limit the scope of the investigation to those who committed assault. As Hawley did the other day with his alarmed questions about normal legal process, we should expect Hawley to attempt to delegitimize any scrutiny into his far right allies from that day.


Chain of Command: The AWOL Descriptions of the Commander in Chief’s Role in the National Guard Non-Response on January 6

The only formal explanation Trump has offered to describe his role in deploying the National Guard in response to the attack on the Capitol on January 6 came in his impeachment defense. As part of that defense, Bruce Castor pointed to things he claimed happened before Trump’s speech ended. In Castor’s inaccurate portrayal of the timeline, he suggested that the first action Acting Secretary of Defense Christopher Miller took was when, at 1:05 (which Castor said was 11:05), Miller “received open source reports of demonstrator movements to the U.S. Capitol.” He continued to claim that,

At 1:09 PM, US Capitol Police Chief’s Steven Sund called the House and Senate Sergeants at Arms, telling them he wanted an emergency declared and he wanted the National Guard called. The point: given the timeline of events, the criminals at the Capitol were not there to even hear the President’s words. They were more than a mile away engaged in a preplanned assault on this very building.

Admittedly, this was probably no more than an incompetent parroting of the existing timeline released by DOD. It’s possible that Trump’s lawyers didn’t ask him what happened inside the White House that day, because if they did, it would not help their case.

Still: Trump’s own defense claimed that the first that Acting Secretary Miller did in the matter was at 1[1]:05 on January 6.

That’s mighty interesting because there have been two claims that Trump proactively offered up National Guard troops for January 6 in the days beforehand. The first came in a Vanity Fair piece written by a journalist that Trump’s DOD flunkies permitted to embed with them (he requested to do so before the insurrection, but didn’t start his embed until January 12, meaning the claims reported in this article were retrospective). That piece claimed that, the night before the attack, Trump told DOD they would need 10,000 people.

The president, Miller recalled, asked how many troops the Pentagon planned to turn out the following day. “We’re like, ‘We’re going to provide any National Guard support that the District requests,’” Miller responded. “And [Trump] goes, ‘You’re going to need 10,000 people.’ No, I’m not talking bullshit. He said that. And we’re like, ‘Maybe. But you know, someone’s going to have to ask for it.’” At that point Miller remembered the president telling him, “‘You do what you need to do. You do what you need to do.’ He said, ‘You’re going to need 10,000.’ That’s what he said. Swear to God.”

[snip]

“We had talked to [the president] in person the day before, on the phone the day before, and two days before that. We were given clear instructions. We had all our authorizations. We didn’t need to talk to the president. I was talking to [Trump’s chief of staff, Mark] Meadows, nonstop that day.”

[snip]

What did Miller think of the criticism that the Pentagon had dragged its feet in sending in the cavalry? He bristled. “Oh, that is complete horseshit. I gotta tell you, I cannot wait to go to the Hill and have those conversations with senators and representatives.”

[snip]

Miller and Patel both insisted, in separate conversations, that they neither tried nor needed to contact the president on January 6; they had already gotten approval to deploy forces. However, another senior defense official remembered things quite differently, “They couldn’t get through. They tried to call him”—meaning the president.

So according to Acting Secretary of Defense Christopher Miller, Trump had given him “clear instructions” to “do what you need to do,” and had warned him to have thousands of Guardsmen available. Miller said he was speaking non-stop to Mark Meadows, though an anonymous source stated that they tried but failed to get the President on the line.

Long after impeachment and even after his CPAC speech, Trump went to Fox to make the same claim that appeared in Vanity Fair.

Former President Trump told Fox News late Sunday that he expressed concern over the crowd size near the Capitol days before last month’s deadly riots and personally requested 10,000 National Guard troops be deployed in response.

Trump told “The Next Revolution With Steve Hilton” that his team alerted the Department of Defense days before the rally that crowds might be larger than anticipated and 10,000 national guardsmen should be ready to deploy. He said that — from what he understands — the warning was passed along to leaders at the Capitol, including House Speaker Nancy Pelosi — and he heard that the request was rejected because these leaders did not like the optics of 10,000 troops at the Capitol.

“So, you know, that was a big mistake,” he said.

Fox and other Trump mouthpieces have suggested that Nancy Pelosi rejected the Guard. That’s false. According to then Capitol Police Chief Steve Sund, House Sergeant at Arms Paul Irving did.

On Monday, January 4, I approached the two Sergeants at Arms to request the assistance of the National Guard, as I had no authority to do so without an Emergency Declaration by the Capitol Police Board (CPB). My regular interactions with the CPB, outside of our monthly meetings regarding law enforcement matters, were conducted with the House and Senate Sergeant at Arms, the two members of the CPB who have law enforcement experience. I first spoke with the House Sergeant at Arms to request the National Guard. Mr. Irving stated that he was concerned about the “optics” of having National Guard present and didn’t feel that the intelligence supported it. He referred me to the Senate Sergeant at Arms (who is currently the Chair of the CPB) to get his thoughts on the request. I then spoke to Mr. Stenger and again requested the National Guard. Instead of approving the use of the National Guard, however, Mr. Stenger suggested I ask them how quickly we could get support if needed and to “lean forward” in case we had to request assistance on January 6.

Notably, Sund’s request and Irving’s response occurred before the conversation between Miller and Trump purportedly took place the night before the attack (which was far too late to deploy 10,000 people in any case). Moreover, Pelosi, Zoe Lofgren, and Mark Warner, among others, raised concerns about staffing for the day, so it’s not like Democrats weren’t raising the alarm.

Still, over a month after making no such claim as part of his Impeachment defense, Trump and his flunkies want to claim that Trump was proactive about deploying 10,000 people to defend the Capitol against his most ardent supporters.

That’s interesting background to the testimony offered by Robert Salesses, the “Senior Official Performing the Duties of the Assistant Secretary for Homeland Defense and Global Security,” in a joint Rules/Homeland Committee hearing on January 6 yesterday. As several people noted during the hearing, for some reason DOD sent Salesses, who wasn’t involved in the key events on January 6, rather than people like General Walter Piatt or General [Mike’s brother] Charles Flynn — who were on a call with MPD Chief Robert Contee and Sund on January 6 and who have made disputed claims about what occurred, including that Piatt recommended against sending the Guard because of optics. Effectively, Salesses was repeating what others told him, offering no better (indeed, more dated) information than Vanity Fair was able to offer. Salesses apparently called General Piatt the day before and dutifully repeated Piatt’s claim that he did not use the word, “optics,” which DC National Guard Commander General William Walker had just testified did occur.

General Piatt told me yesterday, Senator, that he did not use the word, “optics.”

Salesses then gave more excuses, explaining,

Senator, in fairness to the committee, General Piatt is not a decision-maker. The only decision-makers on the Sixth of January were the Secretary of Defense and the Secretary of the Army Ryan McCarthy. It was a chain of command from the Secretary of Defense to Secretary McCarthy to General Walker. That was the chain of command.

General Walker, the Commander of the DC National Guard, responded by reiterating the response he had gotten from Piatt (and the brother of the guy who had incited many of the insurrectionists) implicitly correcting Salesses about chain of command. The Commander in Chief, of course, is in that chain of command.

Yes, Senator. So the chain of command is the President, the Secretary of Defense, the Secretary of the Army, [points to self] William Walker Commanding General District of Columbia National Guard.

After General Walker described more of the restrictions placed on him ahead of time, including the preapproval before moving a traffic control point from one block to another (which restriction, Walker said, he had never experienced in 19 years) and the issuance of riot gear, Salesses made more excuses (repeating his silence about the role of the President’s role in the chain of command). Remarkably, he described how Ryan McCarthy dithered from 3:04 until 4:10 because shots had been fired at the Capitol.

Salesses: Sir, Secretary Miller wanted to make the decisions on how the National Guard was going to be employed on that day. As you recall, Senator, the spring events, there was a number of things that happened during those events, that Secretary Miller as the Acting Secretary –

Rob Portman: Clearly he wanted to. The question is why? And how unusual. Don’t you think that’s unusual based on your experience at DOD?

Salesses: Senator, there was a lot of things that happened in the spring that the Department was criticized for — Sir, if I could. Civil Disturbance Operations? That authority rests with the Secretary of Defense. So if somebody’s gonna make a decision about employing military members against US citizens in a Civil Disturbance Operation —

Salesses: At 3:04, Secretary Miller made the decision to mobilize the entire National Guard. That meant that he was calling in all the National Guard members that were assigned to the DC National Guard. At 3:40–at 3:04 that decision was made. Between that period of time — between 3:04 and 4:10, basically, Secretary McCarthy had asked for — he wanted to understand, because of the dynamics on the Capitol lawn, with the explosives, obviously shots had been fired, he wanted to understand the employment of how the National Guard was going to be sent to the Capitol: what their missions were going to be, were they going to be clearing buildings, be doing perimeter security, how would they be equipped, he wanted to understand how they were going to be armed because, obviously, shots had been fired. He was asking a lot of questions to understand exactly how they were going to be employed here at the Capitol, and how many National Guard members needed to be deployed to the Capitol.

When asked whether restrictions placed on Walker hampered his defense, yes or no, Salesses again invoked the chain of command, again leaving out the Command-in-Chief.

Senator, General Walker, in fairness to him, can’t respond to a civil defense — a Civil Disturbance Operation without the authority of the Secretary of Defense.

Finally, Salesses explained a further 36-minute delay, from 4:32 until 5:08, when Walker was given approval to move, this way:

Salesses: In fairness to General Walker too, that’s when the Secretary of Defense made the decision, at 4:32. As General Walker has pointed out, cause I’ve seen all the timelines, he was not told that til 5:08.

Roy Blunt: How is that possible, Mr. Salazar [sic], do you think that the decision, in the moment we were in, was made at 4:32 and the person that had to be told wasn’t told for more than a half an hour after the decision.

Salesses: Senator, I think that’s an issue.

It’s not just that the people who were actually involved didn’t show up to explain all this to Congress. It’s not just that there were big gaps in the timeline, or gaps explained by dithering even after DOD learned about explosives and shots fired.

It’s that the guy sent to provide improbable answers seems to have removed the Commander-in-Chief, who was watching all this unfold on TV and now wants credit for proactively telling DOD they would need at least 10,000 people, from the chain of command he used to justify the delay.

That’s all the more striking given that — as Dana Milbank noted — the delay until Miller’s authorization (to say nothing of the 36-minute delay in informing Walker) also meant that DOD did not respond until after Trump had instructed his insurrection to go home.

Curiously, the Pentagon claims Miller’s authorization came at 4:32 — 15 minutes after Trump told his “very special” insurrectionists to “go home in peace.” Was Miller waiting for Trump’s blessing before defending the Capitol?

DOD’s selected witness yesterday said that General Walker couldn’t send the Guard to help protect the Capitol because of the chain of command. But the Commander-in-Chief seems to be AWOL from that chain of command.

Update: On Twitter AP observed that there is a discrepancy between Miller’s 10,000 person claim and Trump’s: Trump says it happened days before January 6, which would place it before Miller’s letter imposing new restrictions on the Guard.


Federal Protective Services Looking for Terrorists on Facebook, Not TheDonald or Parler

Federal Protective Services released 81 of 95 pages it had pertaining to January 6 to BuzzFeed and other news outlets. Mostly consisting of emails, the release shows that FPS knew several of the things to look for. They knew that anticipated attendees at the Trump rally had been raised from 5,000 to 30,000 but expected even more attendees. They knew which hotels were sold out and which one the Proud Boys initially planned on staying at. They were tracking the Proud Boy contingent that was moving on the Capitol in advance of Trump’s speech.

But the most telling thing about the release is its sourcing. The information on event expectations was sourced to how many people signed up on Facebook.

One of the sources for the Proud Boys’ movement was a journalist’s tweet. And FPS sourced its awareness that the Proud Boys were not going to wear typical Proud Boy colors during the events to Business Insider, not directly to Enrique Tarrio’s Parler post announcing the plan.

While there are a few sources redacted under a law enforcement sources and methods redaction and (as noted above) 14 pages either withheld entirely or referred to another agency, there are no unredacted references to Parler or TheDonald (the latter of which is where someone predicted war), where some of Trump’s most ardent supporters organized their trips to DC.

There was a discussion during yesterday’s hearing on January 6 about what, legally, DHS and FBI are permitted to access (FBI’s Assistant Director for Counterterrorism Jill Sanborn suggested FBI can’t refer to social media, though in other forums, that has been described as a limitation on including social media posts in finished intelligence). But, obviously, FPS was using social media — Facebook — to prepare for these events.

You’re not going to find potential terrorists in posts by official organizers on Facebook, and aspiring terrorists are unlikely to register their attendance plans on that site either. These people were planning in plain sight.

Just not on official Facebook pages.


The Passport and the Antifa Hunt: The Militia Counter-Stories Emerge

In both the case against Proud Boy Leader Ethan Nordean and accused Oath Keeper Thomas Caldwell, the defendants are arguing that the government has made errors about their activities.

With regards to the former, Nordean’s wife submitted a sworn declaration stating, among other things, that the passport the government has pointed to as evidence that Nordean might flee was not — as the government claimed — on the dresser by the bed, but instead inside a jewelry box on the dresser. She also claimed that Nordean received a Baofeng radio on January 7, the day after the insurrection, and that to her knowledge, he “did not possess” one before that date.

The government responded with a picture showing that, at a time they claim precedes the search, a picture they took to show the weapons they had secured shows the passports were on the dresser.

Additionally, she claimed that Nordean’s cell phone “was without power” on the day of the insurrection, which is irrelevant to why he stashed it in the drawer or whether it would have useful evidence.

Ms. Nordean responded with her own picture showing that, in a picture taken on December 8, 2020, the jewelry box was closed.

This would be a matter of he-said she-said, FBI agents against the wife of a suspect, except for one thing. In her original affidavit, Ms. Nordean tries to rebut the government’s focus on the Baofeng (the government claims the Baofeng he got on January 7 is a different one than the one he used the day of the riot, but in any case the one they seized was set to the channel used by the Proud Boys during the riot), she noted that “it is [her] understanding that his mobile phone was without power throughout January 6, 2021,” a detail the defense relied on to suggest, first of all, that the government was purposefully withholding that detail, and that that — and not the evidence of the Proud Boys discussing obtaining the radios and using a specific channel — is why the government had focused on the Baofeng.

But it does the opposite. A bunch of the Proud Boys brought live cell phones to their insurrection on January 6. William Chrestman appears to have tried avoiding using cell coverage, but got geolocated using his Google account. For Nordean to spend an entire day his phone powered off suggests an operational security that many of his buddies didn’t have. It certainly suggests he might have the wherewithal to search for a passport he might make use of, suggesting it’s possible that he, not the FBI, took the passports out of the jewelry box (though they would have been out there for a day because, per Ms. Nordean, Ethan wasn’t home the night before the raid.

Meanwhile, Thomas Caldwell says the government has similarly misunderstood everything about his involvement in an insurrection. There’s a claim he makes that I find quite compelling: that Jessica Watkins and Donovan Crowl hid out at his home — and tried to lose a tail on the way there — to hide from the press, not the FBI.

Contrary to the Court’s understanding, Caldwell informed FBI agents that Watkins and Crowl contacted him—not vice-versa–and requested to come to his farm to get away from the media, not law enforcement.22 That is, subsequent to a New Yorker article that identified Watkins and Crowl as being involved in entering the Capitol, their small town Ohio residences were surrounded by scores of media. 23

22 Undersigned counsel reviewed over a thousand social media messages in discovery. Multiple messages from Watkins and Crowl express a desire to run away from the media throng that descended on their small Ohio hometown. Not one message evinces an intent to avoid authorities, who had not yet charged the two with a crime. In fact, Watkins’ mother, who is not a suspect in this case, fled Ohio and hid from the media in Florida. Also, discovery confirms that Watkins and Crowl reached out to Caldwell, not vice-versa.

23 Similarly, the Government’s claim that Caldwell advised Watkins and Crowl to “avoid law enforcement” by making sure that they were not followed to his farm is misplaced. Caldwell’s concern was that the pair weren’t followed by the media to his farm. Caldwell did not want a hundred reporters camped outside his farm.

But in the rest of the filing, Caldwell spins a fairy tale while at the same time he admitted he spends a lot of time spinning fairy tales.

To put his personality in more context, Caldwell is an amateur screen writer. Specifically, Caldwell has written screenplays with military style plots.17 Undersigned counsel has read a couple of these screenplays, which are heavy on hyperbolic military language. To give the Court a sample of his writings, in one screenplay Caldwell depicts a “dog fight” between rival aircraft, with one pilot radioing out “Buzzard One, this is Slingshot, I got two bogies on my six; say again, two bogies on my six; May-day, May-day.” What the Government misunderstands is that Caldwell’s language and personality center around his military career and his addiction to Hollywood.18

Ultimately, the fairy tale Caldwell spins in this filing is that he didn’t conspire to interfere with the vote count, but instead was just aiming to hunt Antifa.

He explained his contacts with the Oath Keepers, who he viewed as a self-styled group of patriots who sought to protect Trump supporters from Antifa and who provided security at Trump events. The concerning social media posts Caldwell made, he explained, all referred to fear that Antifa would attack Trump supporters on January 6th . 21

21 This fear was well-founded. In fact, contrary to the Government’s suggestion that Antifa is a virtuous group with a few bad apples, this organization is a domestic terrorist organization that has taken over cities like Portland and Seattle, burned buildings and churches, killed and injured police officers, defaced and destroyed public monuments, and violently injured hundreds of Trump supporters across the country. In fact, just a month before the Capitol was breached, Antifa attacked elderly Trump supporters at a December rally in Washington.

As part of this fairy tale Caldwell argues that the government has the timeline of the Zello chats included in the evidence against him, and therefore mistook a plan to guard people like Roger Stone for a plan involving the Capitol.

The Court placed great weight on this evidence, as it purported to show a specific, contemporaneous plan to breach the Capitol. In court papers, the Government described the Zello communications as follows:

“At the approximate 5 minute mark, the voice believed to be [codefendant] Watkins reports, “We have a good group. We have about 30-40 of us. We are sticking together and sticking to the plan.”

“At the approximate 7 minute 44 mark, an unknown male states, “You are executing citizen’s arrest. Arrest this assembly, we have probable cause for acts of treason, election fraud.”

The voice believed to be WATKINS responds, “We are in the mezzanine. We are in the main dome right now. We are rocking it . . .[.]” ECF 1-1, ¶27 (ZMF-21-119) (second criminal complaint) (emphasis added).9

The latest indictment includes the same chronological representation, only without time-stamps. The Government’s inference is clear: The Oath Keepers had a plan to invade the Captiol and arrest elected officials, discussed this “invasion plan” at the “5 minute mark,” and were inside the Capitol a few minutes later executing the plan (at the 7:44 mark). Unfortunately, the Court has been misinformed by the Government. Upon receipt of discovery, undersigned counsel discovered that the Government’s Zello evidence actually consists of a National Public Radio (NPR) report, which aired random snippets of Zello communications. The above timestamps the Government referenced are time-stamps in the NPR report, not from Zello. In other words, the referenced Zello communications did not take place 2 minutes and 44 seconds apart in real time.

Ironically, after listening to these Zello communications, the Government’s smoking-gun proof of premeditation fizzles. Specifically, it is clear that the communication regarding “sticking to the plan” happened several hours before the Capitol breach, and probably in the very early morning, as there is no crowd noise in the background. 10 By contrast, the second Zello communication (from inside the Capitol) had substantial background noise.

10 Published reports suggest that as many as 500,000 demonstrators showed up to the rally. The fact that the audio reveals no crowd noise suggests that this particular Zello communication happened before hundreds of thousands of rally-goers entered the streets of Washington.

I’ll return to the temporal claim later. But there are several things that mark this story as a fairy tale. First, he’s complaining that the male voice has no background noise whereas Watkins’ does have background noise. Caldwell is comparing messages from different people in different places.

Moreover, while he nods to the NPR original of this (which he doesn’t cite, but I assume is this WNYC interview), he doesn’t acknowledge two sets of texts that the government has yet to rely on (but surely will), which make it clear the plan was prospective and tied to the Capitol. First, from two blocks away, Watkins reports that everyone is marching on the Capitol.

MILITIA What kind of numbers do we have going into the capital? Any estimates? What percentage of the crowd is going to the capital?

WATKINS One hundred percent. Everybody’s marching on the capital. All million of us. It’s insane. We’re about two blocks away from it now and police are doing nothing. They’re not even trying to stop us at this point. [END CLIP]

And then, a block away, Watkins informs her interlocutor that she’s going to go silent because “Imma be a little busy.”

WATKINS Yeah, we’re one block away from the Capitol now. I’m probably going to go silent when I get there because Imma be a little busy.

INFORMANT Hey, my girlfriend is at the Capitol right now and she said that cops are coming in from the right of the building. [END CLIP]

Even assuming the rest of the excerpts are a jumble (and I expect we’ll get clarity on this point shortly), it’s clear that Watkins’ objective is the Capitol, not guarding Roger Stone.

But there’s one more part of the texts that make that clear: the channel name. “Stop the Steal J6” The Oath Keepers didn’t arrange radio communications to keep Roger Stone safe. They arranged radio communications to stay in touch as they jointly assaulted the Capitol.

But there’s a bigger tell in this filing of fairy tales, the filing that argues Caldwell’s communications can’t be taken literally because he lives in a fantasy world, presents a claim that he believed Antifa presented a serious threat, and then claims that Caldwell’s denials must be believed because, “The word of a 20-year military veteran with no prior criminal record is evidence, and it is strong evidence, of his innocence.” Caldwell tells a fairy tale about the crimes of which he is accused.

Caldwell absolutely denies that he ever planned with members of the Oath Keepers, or any other person or group, to storm the Capitol. Caldwell absolutely denies that he obstructed justice. 3

The issue as to whether Caldwell violated 18 U.S.C. § 1752(a)(1) (Entering and Remaining in a Restricted Building or Grounds) is still being researched by undersigned counsel. Obviously, however, this charge is the least of the Court’s concerns in weighing the factors under the Bail Reform Act.

Caldwell is personally accused of two counts of obstruction. The first, 18 U.S.C. § 1512(c)(1), accuses him (like Graydon Young) of attempting to delete damning Facebook content, an accusation this filing rebuts.  But he is singularly and as part of the conspiracy also accused of violating 18 U.S.C. §§ 1512(c)(2), 2. The object of the conspiracy is not, as Caldwell would suggest, to storm the Capitol. It was, instead, to stop the electoral vote count.

The purpose of the conspiracy was to stop, delay, and hinder Congress’s certification of the Electoral College vote.

This is an accusation his entire fairy tale story doesn’t deny, nor does his narrative about his own actions that day (or the planning leading up to it) rebut the claim.

As I’ve said, at least one part of Caldwell’s story may well be true: that Watkins and Crowl were hiding out from the press, not (yet) the FBI. But none of Caldwell’s re-imagining of the record even attempts to rebut that he and his terrorist buddies were attempting to interfere with the counting of the vote as laid out in the Constitution.

Then again, Judge Mehta may not be his desired audience. Instead, his claim this was all about Antifa may be an attempt to feed GOP efforts to deny they encouraged a terrorist attack on the Capitol.

Update: Took out a reference to Nordean’s phone in his daughter’s drawer. That was William Chrestman, not Nordean. I thought I had removed it.

Update: Beryl Howell granted Nordean home detention yesterday, judging that the government (which backed off some of its earlier claims about Nordean’s role) had not proven that Nordean had directed the breach of the Capitol.


Josh Hawley Shocked and Alarmed to Discover the FBI Would Follow the Money behind Right Wing Terrorists

There wasn’t much useful oversight in the Senate Judiciary Committee hearing with FBI Director Christopher Wray today. Democrats got him to repeat, over and over, that there is no evidence that Antifa or people only pretending to be pro-Trump were behind the January 6 insurrection. But there was almost no mention of Trump as the unifying force behind the disparate groups there. Instead of talking about how the Former President’s lies riled up the insurrection, Ben Sasse focused on people in their mother’s basement and grandmother’s attic.

There was a lot of focus on how a January 5 FBI report predicting that Congress might be targeted got disseminated, but none on why the FBI didn’t know what the rest of us did much earlier than that: that these unhinged terrorists were coming to DC in large numbers. No one raised QAnon until Wray dodged Richard Blumenthal’s questions about whether members of Congress pushing QAnon conspiracies exacerbate the problem.

Lindsey Graham and John Kennedy tried to score points because someone didn’t activate the National Guard in time, all the while pretending not to understand that the single person in DC who had unquestioned authority to order the Guard to the Capitol, but did not, was the Commander in Chief at the time.

Things got really weird when Republicans expressed concern about surveillance.

Mike Lee — who actually is a champion of civil liberties — suggested the only reason why right wingers might have been interviewed by the FBI would be by geolocating those who attended the rallies, even if they didn’t enter the Capitol. Then he bizarrely asked if the legal process behind such surveillance was FISA, which targets foreign threats, or National Security Letters.

Crazier still was Josh Hawley’s follow-up to Mike Lee’s questions.

Hawley, who’s not a champion of civil liberties and normally likes to beat up social media companies, asked a series of questions that seemed utterly ignorant — shocked really — how over the course of arresting almost 300 people, the FBI would show probable cause to obtain geolocation data, metadata, financial data, and social media data.

Hawley: Can I just go back to a series of questions that Senator Lee asked you? He asked you about the geolocation and metadata aspect gathering related to, gathering of metadata, that is, related to your investigation of the January 6 riot. You said you weren’t familiar with the specifics. Can I just clarify your responses to him. So when you say you’re not familiar, are you saying you don’t know whether the Bureau has scooped up geolocation data, metadata, records from cell phone towers. Do you not know. Or are you saying that the Bureau maybe has or hasn’t done it. Just tell me what you know about this?

Wray: So when it comes to geolocation data specifically — again, not in a specific instance, but even the use of geolocation data — I would not be surprised to learn but I do not know for a fact that we were using geolocation data under any situation in connection with the investigation of January 6. But again, we do use geolocation data under specific authorities in specific instances. Because this is such a sprawling, that would not surprise me. When it comes to metadata, which is a little bit different, obviously than geolocation data, I feel confident that we are using various legal authorities to look at metadata under a variety of situations. But, again, the specifics of when, under what circumstances, with whom, that kind of thing, I’m not in a position to testify about with the sprawl and size of the investigation. And certainly not uh in a, you know, Congressional hearing.

Hawley: What authorities do you have in mind? You say that you’re using the relevant authorities, what authorities are they?

Wray: Well, we have various forms of legal process we can serve on companies that will allow us to get acc–

Hawley: And that’s been done?

Wray: We’re using a lot of legal process in connection with the investigation, so, yes.

Hawley: But, specifically, serving, serving process on companies, using, invoking your various legal powers to get that data from companies, that’s been, that’s been done, of gathering this data?

Wray: In gathering metadata? I, I,

Hawley: Yeah.

Wray: Again, I don’t know the specifics, but I feel confident that that has happened because metadata is often something that we look at. And we have a variety of legal tools that allow us to do that under certain circumstances.

Hawley: What about the cell tower data that, uh, was reportedly scooped up by the Bureau on the day, during, in fact, while the riot was underway. What’s happened to, what’s happened to that data? Do you still have it. Has it been retained? Uh, do you have plans to retain it?

Wray: Again: whatever we’re doing with cell phone data, I’m confident we’re doing it in conjunction with our appropriate legal tools–

Hawley: Well, how — here’s what I’m trying to get at, I think it’s what Senator Lee was trying to get at. How are we going to know what you are doing with it, and how are we going to evaluate the Bureau’s conduct if we don’t know what authorities you’re invoking, what precisely you’re doing, what you’re retaining. I mean, this is, you said to him repeatedly you weren’t familiar with the specifics, you’ve now said it to me. I don’t know, I’m not sure how this committee is supposed to evaluate anything that the Bureau is doing — you’re basically saying just “trust us.” I mean, how are we gonna know? Do we have to wait until the end of your investigation to find out what you’ve done?

Wray: Well, certainly I have to be careful about discussing an ongoing investigation, which I’m sure you can appreciate. Uh, but, uh, all the tools that we have done in conjunction with prosecutors and lawyers from the Justice Department. Now, if there’s information we can provide you, before an investigation’s completed that goes through what some of the authorities we have, the tools we have, etcetera we could probably provide some information like that that might be useful to you to help answer the question.

Hawley: That would be helpful. Thank you. I’ll hold you to that. Let me ask you about some other things that have been reported, um in the press, particularly there have been a series of reports that the Bureau has worked with banks in the course of the investigation into the January 6 riot, both before and after, and that some banks, particularly Bank of America, may have handed over data for 200 plus clients who may have used their credit or debit cards to make purchases in the DC area. What do you know about this? Has Bank of America voluntarily turned over information to the Bureau about its customers?

Wray: I don’t know of any of the specifics so I’d have to look into that.

Hawley: And so has the FBI requested similar information from any other companies to your knowledge?

Wray: Again, sitting here right now, I do not know the answer to that question. I do know that we work with private sector partners, including financial institutions in a variety of ways, all the time, in a variety of investigations. But exactly the specifics of what may or may not have happened here? That I don’t know sitting here as we’re talking today.

Hawley: As I’m sure you can appreciate, my concern here is that 12 USC 3403 prohibits financial institutions from turning over confidential client records, unless of course they’ve got reasonable suspicion that there’s a crime being committed. Now the news reports on this have reported that financial institutions were doing this in cooperation with the Bureau without any such indication of a crime, they’re just turning over reams of consumer data. That obviously would be a major legal problem. A major legal concern. Can you try and get me some answers to these questions? I appreciate you say you don’t know today, you’re not aware of what’s going on, but can you look into this and follow-up with me on this?

[Wray acknowledges that the FBI has many authorities]

Hawley: What about the, some of the technology companies, Facebook, Google, Twitter, Apple, Amazon. Has the the FBI had contact with those tech platforms following the events of the Sixth?

Wray: We’ve certainly had contact with a number of the social media companies in connection with the Sixth. So that much I know.

Hawley: Has the Bureau sought to compel any of those companies to turn over user data related to the Sixth?

Wray: Well, again, I can’t tell you the specifics here, but what I will tell you is that we, I feel certain that we have served legal process on those companies which we do with some frequency and we have received information from some of those companies. And whether that’s true from every single one of the companies you listed I can’t say for sure but I suspect it is, because we work with the Social Media companies quite a lot.

Hawley: Are you aware of any of the companies voluntarily turning over data to the Bureau in relationship to the events of the Sixth?

Wray: Sitting here right now, I can’t say for sure.

I knew when I read The Intercept piece making thinly sourced allegations that this would happen, that right wingers trying to protect right wing terrorists and possibly even themselves would profess shock that the FBI used very basic investigative techniques to investigate an attack on the Capitol (Hawley seems to be relying, as well, on Fox News reports, including Tucker Carlson).

But I find it shocking that the former Attorney General of Missouri, with an office full of staffers, can’t review the arrest documents for the 270 people publicly arrested so far to answer these questions. Had he done so, he would have seen that affidavit after affidavit talks about obtaining warrants, including (for non-public data) from Facebook. And the single reference to Bank of America I can think of — describing Kelly Meggs paying for rooms in VA and DC in conjunction with the attack — makes it clear that the FBI used some kind of legal process.

Records obtained from the Comfort Inn in Arlington, Virginia, show that a credit card belonging to Kelly Meggs was used to pay for a room at the hotel on the nights of January 5 and 6, 2021.21 The room, with two queen beds, was booked in the name of a different person suspected of being affiliated with the Oath Keepers.

21 Pursuant to legal process, the government obtained records from Bank of America, which show two charges to the Comfort Inn on January 5, 2021, each for $224. The records also show that on January 7, 2021, Kelly Meggs paid a charge of $302 to the Hilton Garden Inn, located at 1225 First Street NE, Washington, D.C.

A grand jury has already found that these credit card charges — the coordinated spending of people who forced their way into the Capitol wearing tactical gear after providing “security” for right wing figureheads — was evidence of a conspiracy, “to stop, delay, and hinder Congress’s certification of the Electoral College vote.”

And the Senator from Missouri who shared that goal seems awfully concerned that the FBI is using very routine legal process to investigate the larger conspiracy.


Journalists May Be Most at Risk (as Described) from a Presumed January 6 GeoFence Warrant

On February 22, the Intercept had a thinly sourced story reporting (heavily relying on one “recently retired senior FBI official” whose motive and access weren’t explained and one other even less-defined source) on methods used in the January 6 investigation. It started by describing something unsurprising (some of which had been previously reported): that the FBI was using emergency legal authorities to conduct an investigation in the wake of an insurrection.

Using special emergency powers and other measures, the FBI has collected reams of private cellphone data and communications that go beyond the videos that rioters shared widely on social media, according to two sources with knowledge of the collection effort.

In the hours and days after the Capitol riot, the FBI relied in some cases on emergency orders that do not require court authorization in order to quickly secure actual communications from people who were identified at the crime scene. Investigators have also relied on data “dumps” from cellphone towers in the area to provide a map of who was there, allowing them to trace call records — but not content — from the phones.

From there, the story made conclusions that were not borne out by the evidence presented (which is not to say that such conclusions won’t one day be supported).

In particular, the story suggested that these investigative methods were used to investigate Congress, and likewise suggested that the involvement of Public Integrity prosecutors must mean members of Congress are already the focus of the investigation and further suggesting that the location data collection tied to the investigation of members of Congress.

The cellphone data includes many records from the members of Congress and staff members who were at the Capitol that day to certify President Joe Biden’s election victory.

[snip]

The Justice Department has publicly said that its task force includes senior public corruption officials. That involvement “indicates a focus on public officials, i.e. Capitol Police and members of Congress,” the retired FBI official said.

To make the insinuation, the story misstates the intent of a Sheldon Whitehouse statement aiming to use Congressional authorities to remove coup sympathizers from committees of jurisdiction (and ignores Whitehouse’s earlier statement that calls for the kind of data collection described in the story).

On January 11, Sen. Sheldon Whitehouse, D-R.I., released a statement warning against the Justice Department getting involved in the investigation of the attack, at least regarding members of Congress, asserting that the Senate should oversee the matter.

Thus far, the story seems tailor-made to get Congress — the Republican members of which are already trying to sabotage the investigation — to start tampering with it.

Far down in the story, it also describes the orders used with more specificity — but not yet enough specificity to substantiate the claims made earlier in it.

Federal authorities have used the emergency orders in combination with signed court orders under the so-called pen/trap exception to the Stored Communications Act to try to determine who was present at the time that the Capitol was breached, the source said. In some cases, the Justice Department has used these and other “hybrid” court orders to collect actual content from cellphones, like text messages and other communications, in building cases against the rioters.

At the time I suggested the story’s conclusions went well beyond the evidence included in it. I had several concerns about the story.

First, it didn’t address the granularity of location data collected, explaining whether the data collection focused just on the Capitol building or (as the story claimed) “in the area” generally. The Capitol is, according to multiple experts, incredibly wired up, meaning that one can obtain a great deal of data specific to the Capitol building itself. That matters here, because as soon as Trump insurrectionists entered the Capitol building, they committed the trespass crimes charged against virtually all the defendants. And the people legally in the Capitol that day were largely victims and/or law enforcement. It’s not an exaggeration to say that anyone collected off location collection narrowly targeted to the Capitol building itself is either a criminal, a witness, or a victim (and often some mix of the three).

If location collection was focused on the Capitol building itself (we don’t know whether it was or not, and the reports of collection aiming to the find the person who left pipe-bombs in the neighborhood on January 5 do pose real cause for concern), it mitigates some of the concerns normally raised by the use of IMSI-catchers at public events and protests, which is that such location collection would include a large number of people who were just engaging in protected speech, as many of the people outside the Capitol were. Similarly, unlike with most geofence warrants or tower dumps, which are used to find possible leads for a crime, here, FBI had an overwhelming list of suspects from its mass of tips and video evidence already: it wasn’t relying on location data to find suspects. Plus, with normal geofence warrants and tower dumps, the vast majority of the data obtained comes from uninvolved people, posing a risk that those unrelated people could become false positives who, as a result, would get investigated closely. Here, again, anyone collected from location data inside the Capitol was by definition associated with the crime, either as witness, victim, or perpetrator.

Finally, the story not only didn’t rely on, but showed little familiarity with the hundreds of arrest affidavits released so far, which provide some explanation (albeit undoubtedly parallel constructed) for how the FBI built cases against those hundreds of people.

Well before The Intercept article was written, there were a few interesting techniques revealed in the affidavits. Perhaps the most interesting (and not specifically covered in The Intercept article, unless as a hybrid order) described identifying Christopher Spencer from the livestreams on Facebook he posted from inside the Capitol.

The government received information as part of a search warrant return that Facebook UID 100047172724820 was livestreaming video in the Capitol during these events. The government also received subscriber information for Facebook UID 100047172724820 in response to legal process served on Facebook. Facebook UID 100047172724820 is registered to Chris Spencer (“SPENCER”). SPENCER provided subscriber information, including a date of birth; current city/state, and a phone number to Facebook to create the account.

[snip]

The government received three livestream videos from SPENCER’s Facebook UID 100047172724820 as part of a search warrant return. At different times during the videos, Spencer either used the rear facing camera to show himself talking, or turned the phone toward his face. Your affiant would note that the camera is capturing a reversed image of SPENCER in two of these sections of video as evidenced by the text on SPENCER’s hat. As such, reversed images are also provided below the original screenshot [my emphasis]

The first mention of the Facebook return appears before a paragraph describing an associate of Spencer’s who had seen the videos and recognized his wife, and the later paragraph describes the associate sharing a phone number for Spencer that the FBI seemed to have already received from Facebook. As written (and this structure is matched in the affidavit for Spencer’s wife, Jenny) the narrative may indicate that the FBI obtained the Facebook return before the tip and identified Spencer from the Facebook return even before receiving the tip. This is one of the strongest pieces of evidence that the FBI used data obtained from location-based collection in the Capitol from any social media source to identify an unknown subject. But, as described, it also has some protections built in. The data was obtained with a warrant, not PRTT or d-order. That means the FBI would have had to show probable cause to obtain the content (but, for the reasons I explained above, most people in the Capitol live-streaming were committing a crime). There’s also no indication here that this video was privately posted (though with a warrant the FBI would be able to obtain such videos).

All this is a read of what this paragraph might suggest about data collection. It doesn’t describe whether the data was obtained via a particularized warrant (targeting just Spencer), or whether the FBI asked Facebook to provide all live-streaming posted from within the Capitol during the insurrection (there are other early affidavits that targeted the content of Facebook via individualized warrants). In Spencer’s case, I suspect it’s the latter (there’s nothing that remarkable about Spencer’s video, except he was outside Speaker Pelosi’s office). Even so, for most people, posting from inside the Capitol during the insurrection would amount to probable cause the person was trespassing.

Even before The Intercept piece was posted I had also pointed to the affidavit for the Kansas cell of the Proud Boys. It uses location data to place one after another of the suspects “in or around” the Capitol during the insurrection: cell site data showed that the phones of Christopher Kuehne, Louis Colon, Felicia Konold were “in or around” the Capitol during the insurrection. That of Cory Konold, Felicia’s brother, was not shown to be, but,

Lawfully-obtained cell site records indicated that the FELICIA KONOLD cell called a number associated with CORY KONOLD while in or around the Capitol on January 6, 2021.

The most interesting detail in that affidavit pertained to William Chrestman. His phone wasn’t IDed off a cell site. Rather, it was IDed by connecting to Google services “in or around” the Capitol.

According to records produced by CHRESTMAN’s wireless cell phone provider in response to legal process, CHRESTMAN is listed as the owner of a cell phone number (“CHRESTMAN cell”). Lawfully-obtained Google records show that a Google account associated with the CHRESTMAN cell number was connected to Google services and was present in or around the U.S. Capitol on January 6, 2021.

A more recent document — the complaint against the southern Oath Keepers obtained on February 11 but unsealed long after that — describes the phones of those suspects in an area “includ[ing]” (but not necessarily limited to) the interior of the Capitol.

having utilized a cell site consistent with providing service to the geographic area that includes the interior of the United States Capitol building.

Unlike Spencer, the use of location data in the Proud Boys and Oath Keeper complaints seems to be used to establish probable cause. In both the militia group cases, the individuals appear to have been identified via different means (unsurprisingly, given their flamboyantly coordinated actions), with the location data being used in the affidavit to flesh out probable cause. (Undoubtedly, the FBI exploited this information far more thoroughly in an effort to map out other co-conspirators, but it is equally without doubt that the FBI had adequate probable cause to do so.)

The other day, DOJ unsealed an affidavit — that of Jeremy Groseclose — that provides more detail about the location collection at the Capitol. The FBI describes identifying Groseclose off of two tips, both on January 7, from people who had seen him post about being in the Capitol on Facebook (and in one case, remove his Facebook posts after he posted them).

Groseclose wore a gas mask for much of the time he was inside the Capitol (though wore the same clothes as he had outside), which undoubtedly made it more difficult to prove he was the person illegally inside the Capitol preventing cops from ousting the rioters.

The FBI affidavit describes times when Groseclose appears on security footage from inside the Capitol without the gas mask, but doesn’t include it. To substantiate his presence in the Capitol, the FBI included three paragraphs describing what must be a Google geofence warrant showing the device identifiers for everyone within a certain geographic area.

According to records obtained through a search warrant served on Google, a mobile device associated with [my redaction]@gmail.com was present at the U.S. Capitol on January 6, 2021. Google estimates device location using sources including GPS data and information about nearby Wi-Fi access points and Bluetooth beacons. This location data varies in its accuracy, depending on the source(s) of the data. As a result, Google assigns a “maps display radius” for each location data point. Thus, where Google estimates that its location data is accurate to within 10 meters, Google assigns a “maps display radius” of 10 meters to the location data point. Finally, Google reports that its “maps display radius” reflects the actual location of the covered device approximately 68% of the time. In this case, Google location data shows that a device associated with [my redaction]@gmail.com was within the U.S. Capitol at coordinates associated with the center of the Capitol Building, which I know includes the Rotunda, at 2:56 p.m. Google records show that the “maps display radius” for this location data was 34 meters.

Law enforcement officers, to the best of their ability, have compiled a list (the “Exclusion List”) of any Identification Numbers, related devices, and information related to individuals who were authorized to be inside the U.S. Capitol during the events of January 6, 2021, described above. Such authorized individuals include: Congressional Members and Staffers, responding law enforcement agents and officers, Secret Service Protectees, otherwise authorized governmental employees, and responding medical staff. The mobile device associated with [my redaction]@gmail.com is not on the Exclusion List. Accordingly, I believe that the individual possessing this device was not authorized to be within the U.S. Capitol Building on January 6, 2021. Furthermore, surveillance footage from the Rotunda, time-stamped within a minute of 2:56 p.m., shows GROSECLOSE, in his distinctive clothing, using his cell phone in an apparent attempt to take a picture.

Records provided by Google revealed that the mobile device associated with [my redaction]@gmail.com belonged to a Google account registered in the name of “Jeremy Groseclose.” The Google account also lists a recovery SMS phone number that matches [my redaction]. The recovery email address for this account appears to be in the name of GROSECLOSE’s significant other, with whom he has two children in common. Additionally, I have reviewed subscriber records from U.S. Cellular, related to the phone number [my redaction]. This number, along with another, are connected to an account in the name of GROSECLOSE’s significant other. The billing address for this account is [my redaction]. One of GROSECLOSE’s neighbors identified [my redaction] as GROSECLOSE’s address.

This seems to confirm that FBI obtained a geofence warrant from Google, but — at least as described — it was focused on those at the Capitol, perhaps focused on the Rotunda and anything 100 feet from it. This is the kind of granularity that will exclude most uninvolved people. They may have used it (or included it in the affidavit) because by wearing a gas mask, Groseclose made it difficult to show his face in the existing film of the attack.

The affidavit suggests that the Google geofence relied not just on GPS data of users’ phones, but also Wi-Fi access points (there’s another affidavit where the suspect’s phone triggered the Capitol Wi-Fi) and Bluetooth beacons. Again, given how wired the Capitol is, this would offer a granularity to the data that wouldn’t exist in most geofence warrants.

Finally, and most interestingly, this affidavit (obtained on the same day as the The Intercept story and so presumably after the Intercept called for comment) describes that the FBI has an “Exclusion List” of everyone who had a known legal right to be in the Capitol that day. That suggests that, after such time as the FBI completed this list, they could identify which of those present in the Capitol were probably there illegally.

There are concerns about FBI putting together a list like this. After all, Members of Congress might have good Separation of Power reasons to want to keep their personal phone numbers private. That said, there’s reason to believe that the FBI has used this method of separating out congressional identifiers and creating a white list in the past (including with the Section 215 phone dragnet), with congressional approval.

The concern arises in FBI’s definition of how it describes those legally present:

  • Members of Congress
  • Congressional staffers
  • Law enforcement responding to the insurrection (as distinct from law enforcement joining in it)
  • Secret Service Protectees (AKA, Mike Pence and his family)
  • Other government employees (like custodial staff)
  • Medical staff

Not on this list? Journalists, not even those journalists holding valid congressional credentials covering the vote certification.

Already, there have been several cases where suspects have claimed to be present as media, only to be charged both because of their comments while present and the fact that they don’t have congressional credentials. Three are:

  • Provocateur John Sullivan, who filmed the riot and sold the footage to multiple media outlets and “claimed to be an activist and journalist that filmed protests and riots, but admitted that he did not have any press credentials.”
  • Nick DeCarlo, who told the LA Times he and Nicholas Ochs were there as journalists but who FBI noted, “is not listed as a credentialed reporter with the House Periodical Press Gallery or the U.S. Senate Press Gallery, the organizations that credential Congressional correspondents.”
  • Brian McCreary, who on his own sent the video he took on his phone while inside the Capitol, but who later admitted to the FBI that entering the Capitol “might not have been legal” and also described admitting to cops present that he was not a member of the media.

If the FBI is going to use official credentials to distinguish journalists from trespassers, then it could also use those credentialing lists to white list journalists present at the Capitol. But to do that, the journalists in question would have to be willing to share identifying information for all the devices that were turned on at the Capitol, something they might have good reasons not to want to do.

Plus, I suspect there are a number of journalists without Congressional credentials who were covering the events outside the Capitol and, as the rally turned into a riot, entered the Capitol to cover it. Those journalists risked their lives and provided some of the most important early information about the riot and did so in ways that in no way glorified it. But in doing so, their devices may be in an FBI database relating to the attack.

There is clear evidence that the FBI obtained location data from the Capitol as part of its investigation, including Google and almost certainly Facebook. Thus far, the available evidence suggests that the ability to target that collection narrowly limits the typical concerns about tower dumps and geofence warrants (again, any similar data collection outside the Capitol in an effort to find the person who left the pipe bombs is another issue). Moreover, almost all those legal present in the Capitol appear to be whitelisted.

But not all. And the exception, journalists, include those who have the most at stake not having their devices identified and investigated by the FBI.

All that said, perhaps a similarly controversial question pertains to preservation orders. The Intercept describes a letter from Mark Warner calling on carriers to preserve data (and rightly questioning his legal authority to make such a request), then suggests the carriers have done so on their own.

Some of the telecommunications providers questioned whether Warner has the authority to make such a request, but a number of them appear to have been preserving data from the event anyway because of the large scale of violence, the source said.

The story doesn’t consider the — by far — most likely explanation, which is that FBI served very broad preservation orders on social media companies (though some key ones, such as Facebook, would keep data for a period even after insurrectionists attempted to delete it in the days after the attack as normal practice). In any case, broad preservation orders on social media companies would be solidly within existing precedent. But I suspect it may be one of the more interesting legal questions that will come out of this investigation.

Update March 7: Added McCreary.


Oath Keepers Learn the Hard Way: Don’t Plan an Insurrection on Facebook

“For every Oath Keeper you see, there are at least two you don’t see.” – email from Oath Keeper head Stewart Rhodes forwarded from Oath Keeper Graydon Young to his sister, Laura Steele, on January 4, 2021

I want to look at filings from the Oath Keepers investigation to show how FBI is juggling to move quickly enough to prevent obvious subjects from obstructing the investigation without tipping off others to the substance of the investigation. The filings confirm that the FBI will get sealed arrest warrants against subjects who are obviously obstructing the investigation, but may not use them right away, so as to obtain more evidence against them and their immediate co-conspirators. The filings also show how hard it is to delete evidence in an age of social media while conspiring with dozens of other co-conspirators.

The investigation from Watkins to Caldwell to the Parkers, Youngs, and Biggs

There’s a story about the Oath Keepers investigation that arises from the nature of the first publicly charged defendants. According to that story, the founder of an Ohio militia affiliated with the Oath Keepers, Jessica Watkins, boasted on Parler about “forcing entry into the Capitol” on the day of the attack. Videos of the Oath Keeper Stack showed up in videos posted within a day of the attack. Then, on January 13, the Ohio Capital Journal posted an interview with Watkins where she described it “the most beautiful thing” until she started hearing glass smashing — which she blamed on an Antifa false flag attack (a subsequent filing suggests Watkins wanted the Oath Keepers to get good press from the attack, threatening to sue some male journalist if he portrayed the Oath Keepers negatively).

That’s the evidence the FBI showed to obtain an arrest warrant on Watkins on January 16.

Meanwhile, as the investigation was closing in on Watkins, her recruit Donovan Crowl did an interview with the New Yorker for a story loaded with more images of coordinated movement from the Oath Keepers. Crowl offered similarly contradictory excuses for his action as Watkins.

On January 17, the FBI tried to conduct an interview with Watkins, only to be told by her partner, Montana Siniff, that she left Ohio on January 14 to stay with her friend and fellow Oath Keeper, “Commander Tom.”

At some point, the FBI obtained information from Facebook — they don’t explain when or on whom it was served, which I’ll return to. The return showed that Caldwell coordinated hotel reservations at the Comfort Inn/Ballston, not just with Watkins, but also others from North Carolina, as well as speaking with Crowl. This content may not have been obtained via Caldwell yet, because Caldwell’s private messages don’t show up in filings until January 19 (alternately they may have delayed that reveal until Caldwell was arrested).

But the FBI used that public Facebook information to obtain a warrant for Crowl on January 17. Watkins and Crowl turned themselves into Urbana, OH police that day, where the FBI took them into custody.

On January 13, the Guardian did a story on Watkins’ use of Zello.

“We are in the main dome right now,” said a female militia member, speaking on Zello, her voice competing with the cacophony of a clash with Capitol police. “We are rocking it. They’re throwing grenades, they’re frickin’ shooting people with paintballs, but we’re in here.”

“God bless and godspeed. Keep going,” said a male voice from a quiet environment.

“Jess, do your shit,” said another. “This is what we fucking lived up for. Everything we fucking trained for.”

The frenzied exchange took place at 2.44pm in a public Zello channel called “STOP THE STEAL J6”, where Trump supporters at home and in Washington DC discussed the riot as it unfolded. Dynamic group conversations like this exemplify why Zello, a smartphone and PC app, has become popular among militias, which have long fetishized military-like communication on analog radio.

On January 19, the government obtained an amended conspiracy complaint against Watkins, Crowl, and Caldwell. It included the following new information:

  • Quotations from the Zello messaging
  • Facebook messaging from Caldwell pictured standing outside the riot calling everyone in Congress a traitor
  • Facebook messages showing planning between Watkins, Crowl, and Caldwell between December 24 and January 8
  • Instructions for making plastic explosives found at Watkins’ house

Of particular interest, the complaint included the first hint that the Oath Keepers had intelligence — shared using Facebook — about the movements of Members of Congress.

On January 6, 2021, while at the Capitol, CALDWELL received the following Facebook message: “All members are in the tunnels under capital seal them in . Turn on gas”. When CALDWELL posted a Facebook message that read, “Inside,” he received the following messages, among others: “Tom take that bitch over”; “Tom all legislators are down in the Tunnels 3floors down”; “Do like we had to do when I was in the core start tearing oit florrs go from top to bottom”; and “Go through back house chamber doors facing N left down hallway down steps.”

Having arrested the two Oath Keepers blabbing to the press and the guy they hid out with, there’s not much more overt sign of the investigation until February 11, when the government submitted filings supporting pre-trial detention for both Watkins and Caldwell.

Arrest affidavits submitted on February 11 and February 12 (but sealed until after February 16) also refer to Watkins’ cell phone returns, including address book information describing Bennie Parker as a recruit, texts between Watkins and Parker coordinating plans for the insurrection and reassuring him the FBI would not prosecute them after the insurrection, and a picture of his wife Sandi Parker. Watkins’ cell phone returns also show a contact for Kelly Meggs in Florida, which she associated in her address book with the Oath Keepers.

Those initially sealed arrest affidavits also rely on surveillance footage and financial records from the Comfort Inn where all the Ohioans  stayed. It shows the Ohioans together in the lobby. It reveals that Kelly Meggs paid for a room that night registered under another suspected Oath Keeper’s name (according to credit card records showing a $302 charge, Meggs apparently stayed at the Hilton Garden Inn the night of January 7). [Update: The indictment clarifies that Meggs paid for two rooms at the Comfort Inn and booked two at the Hilton, of which he paid for one. h/t bb]

The initial affidavit against Kelly and Connie Meggs and Graydon Young and Laura Steele also includes a picture taken — by some unidentified person — from the van from North Carolina.

The same affidavit includes testimony from a witness who interacted with the Oath Keepers on January 6 and was on a text message chain including Young and Steele, who was introduced to them as Gray and Laura and learned they had taken the Metro into DC. It relies on surveillance video from the Metro. It includes returns from Steele and Young’s Google accounts, including Steele’s application to join the Oath Keepers.

It includes location data showing Graydon Young’s phone traveling from Englewood, FL to Thomasville, NC to Springfield, VA, to DC, then back to Thomasville and ultimately, on January 8, back to Englewood. It includes his round trip flight records from Tampa to Greensboro, consistent with the movement of his phone. The affidavit also uses location data to place Steele and the Meggses in a “geographic area that includes the interior of the United States Capitol building.”

It includes subscriber records for Steele, Young, and Kelly Megg’s MeWe accounts, as well as subscriber records for Facebook accounts for everyone. Of particular note, the affidavit used to arrest Young and the others shows advanced legal process for Young, but mostly subscriber information for the others. They also use Young’s Google data to establish probable cause against the Meggs but do not, yet, use it against Young.

It’s likely in the five days between the affidavit and the arrest, more warrants were served for materials on the others.

There wasn’t much added in a February 25 memo supporting Watkins’ pretrial detention — except that aforementioned Watkins text with Stewart Rhodes complaining about media reports making the Oath Keepers look bad (which, because of the timing of the coverage, likely happened almost a week after the insurrection, or later).

If he has anything negative to say about us OATHKEEPERS, I’ll let you know so we can sue harder. Class action style. Oathkeepers are the shit. They rescued cops, WE saved lives and did all the right things. At the end of the day, this guy better not try us. A lawsuit could even put cash in OK coffers. He doesn’t know who he is playing with. I won’t tolerate a defamation of character, mine or the Patriots we served with in DC. Hooah?!

But in a hearing held February 26, prosecutors told Judge Amit Mehta something in an ex parte hearing to support their argument that there really was a Quick Reaction Force outside of DC on the day of the insurrection ready to bring weapons into the Oath Keepers already in DC, which is one of the reasons he denied Watkins’ motion for release.

The earlier investigation into Graydon Young

It took a while for DOJ to unseal all the filings from the other co-conspirators, particularly the long affidavit for the four southerners. But a docket unsealed last week tells another side of that story. On January 15, a tipster identified Graydon Young, one of the Floridians added to the Caldwell and Watkins conspiracy. Based off that tip, the FBI prepared and got authorization for an arrest warrant by January 18. But they didn’t use it, perhaps because FBI was chasing down two false positives based off pictures of Young, as described in the later affidavit (the first of which may have been based off facial recognition).

First, on or around January 14, 2021, after receiving an internet tip and viewing similar photographs and video of Young from the civil unrest on January 6, 2021, an FBI agent drafted an arrest warrant for an individual (Subject-1) other than Young, based on a review of Subject-1’s driver’s license photo and the fact that Subject-1 was affiliated with the Oath Keepers. An FBI agent in Kansas City, Missouri, who was familiar with Subject-1, then determined that Subject-1 was not the individual depicted in the photos at the U.S. Capitol on January 6, 2021. The government did not pursue charges against Subject-1. Second, on or around January 15, 2021, a concerned citizen provided the FBI with a tip that the photograph of Young in the Rotunda was a photograph of Subject-2, who was a co-worker of the concerned citizen in Illinois. On January 18, 2021, SA Wren spoke with the concerned citizen, who stated that Subject-2 had quit the job and moved to Colorado, and “seemed like the type” who would have gone to the Capitol. SA Wren reviewed Subject-2’s driver’s license photo and determined that Subject-2 is not the person depicted in the photographs of Young at the U.S. Capitol.

In other words, FBI was prepared to arrest Young by January 18, within a day of the initial Watkins arrest. But they did not. They kept that arrest warrant sealed while they obtained his location records, travel records (including evidence he drove home from North Carolina rather than flying, and had his sister’s car towed back to North Carolina afterwards), and subscriber information for other social media.

At some point (as noted), FBI obtained Young’s Google account. But on February 11, they used that “solely as evidence against Kelly Meggs. At this time, the government is not seeking to use this email against Young,” suggesting they still needed legal process to use it against him.

Don’t launch an insurrection with a still-active Facebook account

Given that the FBI was ready to arrest Graydon Young on January 18, it’s worth looking more closely at the Facebook evidence in this conspiracy.

The FBI learned on January 15 that Young was probably at the insurrection, had been tagged in planning for the event on January 4, and had attempted to delete his Facebook account on January 7 (it went into effect the next day). Young didn’t delete his related Instagram account until January 13.

At some point, the FBI also learned that Caldwell attempted to unsend messages on January 8, the same day Young shut down his Facebook account.

Nevertheless, Facebook still had Young’s data, including a post from January 6 boasting, “We stormed and got inside.”

The government also obtained highly damning Facebook content from much earlier, including a message he posted to a group, the “War of Northern Aggression,” on November 7. In it, he clearly acknowledges Joe Biden’s victory.

Will this group consider migration to MeWe and Parler? I think censorship is going to get worse with Biden win.

On November 9, he asked again to move from Facebook to MeWe and Parler.

On November 30, he pushed MeWe and Parler again.

I already have MeWe and Parler … waiting for this drama to end before I delete my FB account.

Hey Graydon?!?! The drama for you is just beginning.

Meanwhile, Caldwell didn’t succeed in deleting all his evidence either. As early as January 17, in Crowl’s affidavit, they had a message (it’s unclear whether it’s public or private)

Here is the direct number for Comfort Inn Ballston/Arlington 1-571-397-3955 I strongly recommend you guys get one or two rooms for a night or two. Arrive 5th, depart 7th will work. She says there are five of you including a husband and wife new recruits. This time of year especially you will need to be indoors to set up, etc. Really, press this home, just get somebody to put it on a credit card. Even if you tell the hotel its double occupancy, you can STILL get a couple of people on the floor with bedrolls and the hotel won’t know shit. Paul said he might be able to take one or two in his room as well. I spoke to the hotel last night (actually 2 a.m. this morning) and they still had rooms. This is a good location and would allow us to hunt at night if we wanted to. I don’t know if Stewie has even gotten out his call to arms but it’s a little friggin late. This is one we are doing on our own. We will link up with the north carolina [sic] crew.

The later affidavits include Caldwell Facebook messages sent in November predicting violence.

I am very worried about the future of our country. Once lawyers get involved all of us normal people get screwed. I believe we will have to get violent to stop this, especially the antifa maggots who are sure to come out en masse even if we get the Prez for 4 more years.

On January 6, Caldwell continued to use Facebook, receiving a message informing him,

All members are in the tunnels under capital seal them in. Turn on gas.

And,

Tom all legislators are down in the Tunnels 3floors down

Between Young and Caldwell, Facebook evidence shows that this operation clearly targeted legislators even after they knew Joe Biden had been elected. It turns out that neither of them successfully deleted this Facebook content before the drama really got started.

The delayed reveal

As noted, it took some time for the affidavit for the southern Oath Keepers to be unsealed. In the interim period, the FBI would have been able to investigate the Oath Keeper whose name was on the hotel room Young paid for, and all the other people on the bus on which Young and his sister were pictured. The FBI surely has reviewed any role the War of Norther Aggression Facebook group had in the insurrection. The accounts for which the FBI just had subscriber information on February 11 are probably now being fully exploited (including the WeMe accounts on which they may have been more open about their plotting).

There are still members of The Stack at large, the others on the bus, the group from Mississippi those who provided “security” for Trump’s closest associates. We don’t know where the next Oath Keepers to be arrested are. We do know where the FBI was, 17 days ago.

Timeline of Oath Keeper conspiracy

January 4: Young travels from Englewood, FL to Thomasville, NC. Young tagged in planning messaging for the attack.

January 5: Young travels from Thomasville to Springfield, VA, then heads to DC for the evening.

January 6: Young travels into DC, then back to Thomasville that night. Watkins posts to Parler and Caldwell posts to Facebook. Young posts, “we stormed and got inside” on Facebook.

January 7: Young deleted Facebook content going back to March 2019 (per Facebook record it goes into effect on January 8).

January 8: Caldwell unsends Facebook messages continuing evidence. Young returns to Englewood. Young writes an email saying that his “team leader” during the insurrection was “OK Gator 1” with Kelly Meggs’ phone number.

January 9: Watkins texts Bennie Parker telling him not to worry about the FBI investigating them.

January 11: Young has a vehicle registered to Steele’s address towed from a location near his home to Steele’s home in NC. Young deletes his Instagram account.

January 13: Watkins interview in Ohio Capital Journal. Guardian story on Watkins’ use of Zello. Young closes Instagram account.

January 14: Donovan Crowl story in New Yorker. Watkins and Crowl travel to Caldwell’s property in VA; he gives them OpSec tips for the drive. Bennie Parker texts Watkins asking if she put Sandi “out there” in the Capitol. FBI chases a false positive for Young on an Oath Keeper who lives in Kansas City, MO.

January 15: A tipster who has known Young for 35 years identified Young in an image published by NBC, informs the FBI that on January 4, other people had tagged Young in a discussion about traveling to DC. The tipster further revealed that on January 7, Young deleted his Facebook content going back to March 2019, then deleted the whole thing. FBI chases a false positive for Young to someone in CO.

January 16: Arrest warrant for Watkins.

January 17: Search of Watkins’ house discovers gear and other military items. Interview of her partner reveals she has left to stay with a friend, Commander Tom, and provides a phone registered to him at his VA property as the way to reach Watkins. Arrest warrant for Crowl. Search of a location where Crowl stays finds his tactical vest. Arrest warrant for Caldwell. Both Watkins and Crowl turn themselves in to the Urbana Police, where the FBI takes them into custody.

January 18: First arrest warrant for Graydon Young.

January 19: Caldwell, Crowl arrested by FBI, and Watkins arrested. Amended criminal complaint makes conspiracy charges against Watkins, Crowl, and Caldwell more formal. Search of Caldwell’s property finds Death List targeting election official from a different, a Gadsden flag signed by Crowl and Watkins, and a sales invoice for a weapon designed to look like a phone.

Janaury 21: Stewart Rhodes declares Biden’s “not a constitutional government.” Kelly Meggs closes his Facebook account.

January 27: Indictment for Watkins, Crowl, and Caldwell.

January 29: NYT does video analysis showing the movements of the Oath Keepers from the Ellipse to the Capitol.

February 11: Counterterrorism prosecutors Justin Sher and Alexandra Hughes join team. Motions for pre-trial detention for both Watkins and Caldwell. Sealed complaint filed against Kelly and Connie Meggs, Graydon Young, and Laura Steele.

February 12: Government moves for protective order against the original conspirators; Caldwell objects. Sealed complaint filed against Bennie and Sandi Parker.

February 16: Graydon Young arrested.

February 17: The Meggs and Laura Steele arrested.

February 18: The Parkers arrested.

February 23: Thomas Caldwell appeals detention.

February 26: Amit Mehta grants government motion to detain Jessica Watkins.

Update: I clarified that the email quoted at the top is from Stewart Rhodes, not Graydon Young.

Copyright © 2021 emptywheel. All rights reserved.
Originally Posted @ https://www.emptywheel.net/author/emptywheel/