Can Congress — or Robert Mueller — Order Facebook to Direct Its Machine Learning?

The other day I pointed out that two articles (WSJ, CNN) — both of which infer that Robert Mueller obtained a probable cause search warrant on Facebook based off an interpretation that under Facebook’s privacy policy a warrant would be required — actually ignored two other possibilities. Without something stronger than inference, then, these articles do not prove Mueller got a search warrant (particularly given that both miss the logical step of proving that the things Facebook shared with Mueller count as content and not business records).

In response to that and to this column arguing that Facebook should provide more information, some of the smartest surveillance lawyers in the country discussed what kind of legal process would be required, but were unable to come to any conclusions.

Last night, WaPo published a story that made it clear Congress wanted far more than WSJ and CNN had suggested (which largely fell under the category of business records and the ads posted to targets, the latter of which Congress had been able to see but not keep). What Congress is really after is details about the machine learning Facebook used to identify the malicious activity identified in April and the ads described in its most recent report, to test whether Facebook’s study was thorough enough.

A 13-page “white paper” that Facebook published in April drew from this fuller internal report but left out critical details about how the Russian operation worked and how Facebook discovered it, according to people briefed on its contents.

Investigators believe the company has not fully examined all potential ways that Russians could have manipulated Facebook’s sprawling social media platform.

[snip]

Congressional investigators are questioning whether the Facebook review that yielded those findings was sufficiently thorough.

They said some of the ad purchases that Facebook has unearthed so far had obvious Russian fingerprints, including Russian addresses and payments made in rubles, the Russian currency.

Investigators are pushing Facebook to use its powerful data-crunching ability to track relationships among accounts and ad purchases that may not be as obvious, with the goal of potentially detecting subtle patterns of behavior and content shared by several Facebook users or advertisers.

Such connections — if they exist and can be discovered — might make clear the nature and reach of the Russian propaganda campaign and whether there was collusion between foreign and domestic political actors. Investigators also are pushing for fuller answers from Google and Twitter, both of which may have been targets of Russian propaganda efforts during the 2016 campaign, according to several independent researchers and Hill investigators.

“The internal analysis Facebook has done [on Russian ads] has been very helpful, but we need to know if it’s complete,” Schiff said. “I don’t think Facebook fully knows the answer yet.”

[snip]

In the white paper, Facebook noted new techniques the company had adopted to trace propaganda and disinformation.

Facebook said it was using a data-mining technique known as machine learning to detect patterns of suspicious behavior. The company said its systems could detect “repeated posting of the same content” or huge spikes in the volume of content created as signals of attempts to manipulate the platform.

The push to do more — led largely by Adam Schiff and Mark Warner (both of whom have gotten ahead of the evidence at times in their respective studies) — is totally understandable. We need to know how malicious foreign actors manipulate the social media headquartered in Schiff’s home state to sway elections. That’s presumably why Facebook voluntarily conducted the study of ads in response to cajoling from Warner.

But the demands they’re making are also fairly breathtaking. They’re demanding that Facebook use its own intelligence resources to respond to the questions posed by Congress. They’re also demanding that Facebook reveal those resources to the public.

Now, I’d be surprised (pleasantly) if either Schiff or Warner made such detailed demands of the NSA. Hell, Congress can’t even get NSA to count how many Americans are swept up under Section 702, and that takes far less bulk analysis than Facebook appears to have conducted. And Schiff and Warner surely would never demand that NSA reveal the extent of machine learning techniques that it uses on bulk data, even though that, too, has implications for privacy and democracy (America’s and other countries’). And yet they’re asking Facebook to do just that.

And consider how two laws might offer guidelines, but (in my opinion) fall far short of authorizing such a request.

There’s Section 702, which permits the government to oblige providers to provide certain data on foreign intelligence targets. Section 702’s minimization procedures even permit Congress to obtain data collected by the NSA for their oversight purposes.

Certainly, the Russian (and now Macedonian and Belarus) troll farms Congress wants investigated fall squarely under the definition of permissible targets under the Foreign Government certificate. But there’s no public record of NSA making a request as breathtaking as this one, that Facebook (or any other provider) use its own intelligence resources to answer questions the government wants answered. While the NSA does draw from far more data than most people understand (including, probably, providers’ own algorithms about individually targeted accounts), the most sweeping request we know of involves Yahoo scanning all its email servers for a signature.

Then there’s CISA, which permits providers to voluntarily share cyber threat indicators with the federal government, using these definitions:

(A) IN GENERAL.—Except as provided in subparagraph (B), the term “cybersecurity threat” means an action, not protected by the First Amendment to the Constitution of the United States, on or through an information system that may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system.

(B) EXCLUSION.—The term “cybersecurity threat” does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement.

(6) CYBER THREAT INDICATOR.—The term “cyber threat indicator” means information that is necessary to describe or identify—

(A) malicious reconnaissance, including anomalous patterns of communications that appear to be transmitted for the purpose of gathering technical information related to a cybersecurity threat or security vulnerability;

(B) a method of defeating a security control or exploitation of a security vulnerability;

(C) a security vulnerability, including anomalous activity that appears to indicate the existence of a security vulnerability;

(D) a method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to unwittingly enable the defeat of a security control or exploitation of a security vulnerability;

(E) malicious cyber command and control;

(F) the actual or potential harm caused by an incident, including a description of the information exfiltrated as a result of a particular cybersecurity threat;

(G) any other attribute of a cybersecurity threat, if disclosure of such attribute is not otherwise prohibited by law; or

(H) any combination thereof.

Since January, discussions of Russian tampering have certainly collapsed Russia’s efforts on social media with their various hacks. Certainly, Russian abuse of social media has been treated as exploiting a vulnerability. But none of this language defining a cyber threat indicator envisions the malicious use of legitimate ad systems.

Plus, CISA is entirely voluntary. While Facebook thus far has seemed willing to be cajoled into doing these studies, that willingness might change quickly if they had to expose their sources and methods, just as NSA clams up every time you ask about their sources and methods.

Moreover, unlike the sharing provisions in 702 minimization procedures, I’m aware of no language in CISA that permits sharing of this information with Congress.

Mind you, part of the problem may be that we’ve got global companies that have sources and methods that are as sophisticated as those of most nation-states. And, inadequate as they are, Facebook is hypothetically subject to more controls than nation-state intelligence agencies because of Europe’s data privacy laws.

All that said, let’s be aware of what Schiff and Warner are asking for, however justified it may be from a investigative standpoint. They’re asking for things from Facebook that they, NSA’s overseers, have been unable to ask from NSA.

If we’re going to demand transparency on sources and methods, perhaps we should demand it all around?

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

The Domestic Communications NSA Won’t Reveal Are Almost Certainly Obscured Location Communications

The other day, I laid out the continuing fight between Director of National Intelligence Dan Coats and Senator Ron Wyden over the former’s unwillingness to explain why he can’t answer the question, “Can the government use FISA Act Section 702 to collect communications it knows are entirely domestic?” in unclassified form. As I noted, Coats is parsing the difference between “intentionally acquir[ing] any communication as to which the sender and all intended recipients are known at the time of acquisition to be located in the United States,” which Section 702 prohibits, and “collect[ing] communications [the government] knows are entirely domestic,” which this exchange and Wyden’s long history of calling out such things clearly indicates the government does.

As I noted, the earlier iteration of this debate took place in early June. Since then, we’ve gotten two sets of documents that all but prove that the entirely domestic communication the NSA refuses to tell us about involves communications that obscure their location, probably via Tor or VPNs.

Most Entirely Domestic Communications Collected Via Upstream Surveillance in 2011 Obscured Their Location

The first set of documents are those on the 2011 discussion about upstream collection liberated just recently by Charlie Savage. They show that in the September 7, 2011 hearing, John Bates told the government that he believed the collection of discrete communications the government had not examined in their sampling might also contain “about” communications that were entirely domestic. (PDF 113)

We also have this other category, in your random sampling, again, that is 9/10ths of the random sampling that was set aside as being discrete communications — 45,000 out of the 50,0000 — as to which our questioning has indicataed we have a concern that some of the about communications may actually have wholly domestic communications.

And I don’t think that you’ve really assessed that, either theoretically or by any actual examination of those particular transactions or communications. And I’m not indicating to you what I expect you to do, but I do have this concern that there are a fair number of wholly domestic communications in that category, and there’s nothing–you really haven’t had an opportunity to address that, but there’s nothing that has been said to date that would dissuade me from that conclusion. So I’m looking there for some convincing, if you will, assessment of why there are not wholly domestic communications with that body which is 9/10s of the random sample.

In a filing submitted two days later, the government tried to explain away the possibility this would include (many) domestic communications. (The discussion responding to this question starts at PDF 120.) First, the NSA used technical means to determine that 41,272 of the 45,359 communications in the sample were not entirely domestic. That left 4,087 communications, which the NSA was able to analyze in just 48 hours. Of those, the NSA found just 25 that were not to or from a tasked selector (meaning they were “abouts” or correlated identities, described as “potentially alternate accounts/addresses/identifiers for current NSA targets” in footnote 7, which may be the first public confirmation that NSA collects on correlated identifiers). NSA then did the same kind of analysis it does on the communications that it does as part of its pre-tasking determination that a target is located outside the US. This focused entirely on location data.

Notably, none of the reviewed transactions featured an account/address/identifier that resolved to the United States. Further, each of the 25 communications contained location information for at least one account/address/identifier such that NSA’s analysts were able assess [sic] that at least one communicant for each of these 25 communications was located outside of the United States. (PDF 121)

Note that the government here (finally) drops the charade that these are simply emails, discussing three kinds of collection: accounts (which could be both email and messenger accounts), addresses (which having excluded accounts would significantly include IP addresses), and identifiers. And they say that having identified an overseas location for the communication, NSA treats it as an overseas communication.

The next paragraph is even more remarkable. Rather than doing more analysis on those just 25 communications it effectively argues that because latency is bad, it’s safe to assume that any service that is available entirely within the US will be delivered to an American entirely within the US, and so those 25 communications must not be American.

Given the United States’ status as the “world’s premier electronic communications hub,” and further based on NSA’s knowledge of Internet routing patterns, the Government has already asserted that “the vast majority of communications between persons located in the United States are not routed through servers outside the United Staes.” See the Government’s June 1, 2011 Submission at 11. As a practical matter, it is a common business practice for Internet and web service providers alike to attempt to deliver their customers the best user experience possible by reducing latency and increasing capacity. Latency is determined in part by the geographical distance between the user and the server, thus, providers frequently host their services on servers close to their users, and users are frequently directed to the servers closest to them. While such practices are not absolute in any respect and are wholly contingent on potentially dynamic practices of particular service providers and users,9 if all parties to a communication are located in the United States and the required services are available in the United States, in most instances those communications will be routed by service providers through infrastructure wholly within the United States.

Amid a bunch of redactions (including footnote 9, which is around 16 lines long and entirely redacted), the government then claims that its IP filters would ensure that it wouldn’t pick up any of the entirely domestic exceptions to what I’ll call its “avoidance of latency” assumption and so these 25 communications are no biggie, from a Fourth Amendment perspective.

Of course, the entirety of this unredacted discussion presumes that all consumers will be working with providers whose goal is to avoid latency. None of the unredacted discussion admits that some consumers choose to accept some latency in order to obscure their location by routing it through one (VPN) or multiple (Tor) servers distant from their location, including servers located overseas.

For what it’s worth, I think the estimate Bates did on his own to come up with a number of these SCTs was high, in 2011. He guessed there would be 46,000 entirely domestic communications collected each year; by my admittedly rusty math, it appears it would be closer to 12,000 (25 / 50,000 comms in the sample = .05% of the total; .05% of the 11,925,000 upstream transactions in that 6 month period = 5,962, times 2 = roughly 12,000 a year). Still, it was a bigger part of the entirely domestic upstream collection than those collected as MCTs, and all those entirely domestic communications have been improperly back door searched in the interim.

Collyer claims to have ended “about” collection but admits upstream will still collect entirely domestic communications

Now, if that analysis done in 2011 were applicable to today’s collection, there shouldn’t be a way for the NSA to collect entirely domestic communications today. That’s because all of those 25 potentially domestic comms were described as “about” collection. Rosemary Collyer has, according to her IMO apparently imperfect understanding of upstream collection, shut down “about” collection. So that should have eliminated the possibility for entirely domestic collection via upstream, right?

Nope.

As she admits in her opinion, it will still be possible for the NSA to “acquire an MCT” (that is, bundled collection) “that contains a domestic communication.”

So there must be something that has changed since 2011 that would lead NSA to collect entirely domestic communications even if that communication didn’t include an “about” selector.

In 2014 Collyer enforced a practice that would expose Americans to 702 collection

Which brings me back to the practice approved in 2014 in which, according to providers newly targeted under the practice, “the communications of U.S. person will be collected as part of such surveillance.”

As I laid out in this post, in 2014 Thomas Hogan approved a change in the targeting procedures. Previously, all users of a targeted facility had to be foreign for it to qualify as a foreign target. But for some “limited” exception, Hogan for the first time permitted the NSA to collect on a facility even if Americans used that facility as well, along with the foreign targets.

The first revision to the NSA Targeting Procedures concerns who will be regarded as a “target” of acquisition or a “user” of a tasked facility for purposes of those procedures. As a general rule, and without exception under the NSA targeting procedures now in effect, any user of a tasked facility is regarded as a person targeted for acquisition. This approach has sometimes resulted in NSA’ s becoming obligated to detask a selector when it learns that [redacted]

The relevant revision would permit continued acquisition for such a facility.

It appears that Hogan agreed it would be adequate to weed out American communications after collection in post-task analysis.

Some months after this change, some providers got some directives (apparently spanning all three known certificates), and challenged them, though of course Collyer didn’t permit them to read the Hogan opinion approving the change.

Here’s some of what Collyer’s opinion enforcing the directives revealed about the practice.

Collyer’s opinion includes more of the provider’s arguments than the Reply did. It describes the Directives as involving “surveillance conducted on the servers of a U.S.-based provider” in which “the communications of U.S. person will be collected as part of such surveillance.” (29) It says [in Collyer’s words] that the provider “believes that the government will unreasonably intrude on the privacy interests of United States persons and persons in the United States [redacted] because the government will regularly acquire, store, and use their private communications and related information without a foreign intelligence or law enforcement justification.” (32-3) It notes that the provider argued there would be “a heightened risk of error” in tasking its customers. (12) The provider argued something about the targeting and minimization procedures “render[ed] the directives invalid as applied to its service.” (16) The provider also raised concerns that because the NSA “minimization procedures [] do not require the government to immediately delete such information[, they] do not adequately protect United States person.” (26)

[snip]

Collyer, too, says a few interesting things about the proposed surveillance. For example, she refers to a selector as an “electronic communications account” as distinct from an email — a rare public admission from the FISC that 702 targets things beyond just emails. And she treats these Directives as an “expansion of 702 acquisitions” to some new provider or technology.

Now, there’s no reason to believe this provider was involved in upstream collection. Clearly, they’re being asked to provide data from their own servers, not from the telecom backbone (in fact, I wonder whether this new practice is why NSA has renamed “PRISM” “downstream” collection).

But we know two things. First: the discrete domestic communications that got sucked up in upstream collection in 2011 appear to have obscured their location. And, there is now a means of collecting bundles of communications via upstream collection (assuming Collyer’s use of MCT here is correct, which it might not be) such that even communications involving no “about” collection would be swept up.

Again, the evidence is still circumstantial, but there is increasing evidence that in 2014 the NSA got approval to collect on servers that obscure location, and that that is the remaining kind of collection (which might exist under both upstream and downstream collection) that will knowingly be swept up under Section 702. That’s the collection, it seems likely, that Coats doesn’t want to admit.

The problems with permitting collection on location-obscured Americans

If I’m right about this, then there are three really big problems with this practice.

First, in 2011, location-obscuring servers would not themselves be targeted. Communications using such servers would only be collected (if the NSA’s response to Bates is to be believed) if they included an “about’ selector.

But it appears there is now some collection that specifically targets those location-obscuring servers, and knowingly collects US person communications along with whatever else the government is after. If that’s right, then it will affect far more than just 12,000 people a year.

That’s especially true given that a lot more people are using location-obscuring servers now than on October 3, 2011, when Bates issued his opinion. Tor usage in the US has gone from around 150,000 mean users a day to around 430,000 users.

And that’s just Tor. While fewer VPN users will consistently use overseas servers, sometimes it will happen for efficacy reasons and sometimes it will happen to access content that is unavailable in the US (like decent Olympics coverage).

In neither of Collyer’s opinions did she ask for the kind of numerical counts of people affected that Bates asked for in 2011. If 430,000 Americans a day are being exposed to this collection under the 2014 change, it represents a far bigger problem than the one Bates called a Fourth Amendment violation in 2011.

Finally, and perhaps most importantly, Collyer newly permitted back door searches on upstream collection, even though she knew that (for some reason) it would still collect US person communications. So not only could the NSA collect and hold location obscured US person communications, but those communications might be accessed (if they’re not encrypted) via back door searches that (with Attorney General approval) don’t require a FISA order (though Americans back door searched by NSA are often covered by FISA orders).

In other words, if I’m right about this, the NSA can use 702 to collect on Americans. And the NSA will be permitted to keep what they find (on a communication by communication basis) if they fall under four exceptions to the destruction requirement.

The government is, once again, fighting Congressional efforts to provide a count of how many Americans are getting sucked up in 702 (even though the documents liberated by Savage reveal that such a count wouldn’t take as long as the government keeps claiming). If any of this speculation is correct, it would explain the reluctance. Because once the NSA admits how much US person data it is collecting, it becomes illegal under John Bates’ 2010 PRTT order.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

Jemele Hill Is Right, Trump Is A Racist Bigot, Trash Talk

The biggest sports story of the week, unless you are a legal freak in the Zeke Elliot weeds, is more politics than sports. The classy and wonderful Jemele Hill of ESPN let fly some hard truth about Trump on his favorite medium, Twitter. And of course the vacuous suits at Fox News got bent out of shape over the fact a smart woman, especially one of color, had the temerity to point out that their boy Trump was indeed a racist bigot.

I usually tailor videos and images, but had a hard time with this one from USA Today, so you get the full screen scene this time. It is short and lays everything out that you need:

Did Jemele take to a soapbox and do this on air with her partner, Michael Smith on their absolutely excellent Sportscenter 6 platform? Nope, she did it in her private time, on her own personal Twitter account. Now, ESPN is a business, a House of Mouse one at that, so first amendment protections are inapplicable. But that does not mean ESPN ought be censoring or punishing her private thoughts and political speech. Especially on a platform that the snowflake President takes to daily to issue outright lies, bigotry, racism and generally ignorant screed. To ESPN’s credit, while they stepped back from Hill slightly, they did not step away from her. That is good, because Jemele Hill is not only a better and smarter person than Trump, she is quite likely far more popular too. I will stand with her any day and every day.

Okay, back to the games! Hell of a tilt between USC and Texas last night. Don’t know how in the world the Trojans let the Horns back in it, but it was thrilling. In the NFL, it is getting to where who “isn’t” playing is as important as who is. The Cardinals looked horrible last week against Detroit when they had David Johnson, now they don’t, and may not the rest of the year. Luckily, they are playing the Colts, who do not have Andrew Luck. Think Homer Simpson is scheduled to start for the Colts. He probably will beat the hapless Cards.

The Eagles at Chiefs looks to be a great game. Vikings at Steelers looked like it would be too…..but this morning it was announced that Sam Bradford is out for the game. Bradford looked like a world beater last week in collecting up offensive player of the week accolades. But apparently tweaked a knee in the process that we didn’t really see. So, the Vikes will go with Case Keenum today. Not the worst substitute, he is capable.

Cowboys at Broncos looks pretty interesting too. Trevor Siemian did not look that good in the second half last week, and the Broncs were lucky to emerge with a win. He will have to play much better this week, even with the aid of Mile High. The Sunday Night feature of Packers at Falcons should also be great. First NFL game for the Dirty Birds in their new gazillion dollar nest.

Who knows what you will get out of the MNF game between the Lions and Giants? Last week was the return of Really Bad Eli. I am not sure this week will be the return of Good Eli. That is the beauty of it though, like Forrest Gump’s stupid box of chocolates, you just never know what you will get! Matt Stafford has been playing consistently solid ball for quite a while though.

Last, but not least, two future Hall of Famers duel down in Nawlins. Brady and Brees. Deflategate versus Bountygate. Two weeks ago, I would have said this is a laugher. Nut, man, the Patriots looked awfully non-Belichickian last week. So maybe worth a watch.

That is it for this week, rock on.

Bmaz is a rather large saguaro cactus in the Southwestern Sonoran desert. A lover of the Constitution, law, family, sports, food and spirits. As you might imagine, a bit prickly occasionally. Bmaz has attended all three state universities in Arizona, with both undergraduate and graduate degrees from Arizona State University, and with significant post-graduate work (in physics and organic chemistry, go figure) at both the University of Colorado in Boulder and the University of Arizona. Married, with both a lovely child and a giant Sasquatch dog. Bmaz has been a participant on the internet since the early 2000’s, including active participation in the precursor to Emptywheel, The Next Hurrah. Formally joined the Emptywheel blog as an original contributing member at its founding in 2007. Bmaz grew up around politics, education, sports and, most significantly, cars; notably around Formula One racing and Concours de Elegance automobile restoration and showing. Currently lives in the Cactus Patch with his lovely wife and beast of a dog, and practices both criminal and civil trial law.

Financing Medicare For All

If you only read mainstream media you’d think Bernie Sanders’ Medicare for All bill was terrifyingly expensive. An opinion piece behind the paywall in the Wall Street Journal cites a couple of studies with huge headline numbers like $2.5 trillion dollars in the first year, from the Urban Institute. Taxes will soar, government takeover of health care blah blah blah. It comes from centrist Democrats like Jonathan Chait and Ezra Klein who I saw in an appearance on Seth Meyer’s show. Here are two things to bear in mind in self-defense.

1. In 2015, we spent about $3.2 trillion on health care in the US. There is a cool graphic here showing where it was spent and who paid that amount. Maybe the cost of health care covering everyone for the kinds of things the Affordable Care Act requires would cost more than that. (The Sanders Plan covers other services as well as those under the ACA, but let’s ignore that because I can’t find numbers.) We calculate the additional amount we would need by adding the cost of all uninsured people and the cost of the care that people with insurance can’t afford because of deductibles and other co-pays, and subtracting the savings from the new plan. Any analysis that doesn’t start with this is bullshit.

It’s true that the Sanders plan would change who pays and how much, so someone would have to redo that cool graphic I mentioned. Some businesses would pay more, others less, and there would be a change in corporate taxation as deductible costs of insurance change. Some individuals would pay more and others less. But whatever those changes might be, the amount we need to raise isn’t frightening, and practically everyone will be better off.

It’s easy to see the savings from negotiating drug prices, lowering the reimbursement to doctors and hospitals, reducing excess profits from the health insurance companies, and reducing the costs of administration throughout the health care business.

It’s also easy to see that the additional costs are not that high. Approximately 9.1% of us were uninsured in 2015, so the cost might be as high as 10%, or $320 billion. That doesn’t seem too terrible when the savings are deducted. It will be easy to finance that if we want to. I have a long list of things to cut if anyone cares, starting with dismantling the carceral state.

2. We need to think clearly about taxation. We live in a fiat money system; the US is sovereign in its own currency and cannot go bankrupt. I’ve read Modern Monetary Theory by Randall Wray and many shorter pieces and I am convinced. I could make an interesting argument from MMT about this whole matter, but I won’t and I not going to focus on that. If single-payer a hard sale, convincing the devotees of Econ 101 (course title: My Neoliberalism) about MMT is hopeless. Actually with the excellent Stephanie Kelton as a teacher and leader I could well be wrong. Check out this on the Twitter, and follow her if you don’t already.

I agree with Warren Mosler, another MMT theorist, that taxes for revenue are obsolete. But that doesn’t mean that taxes are obsolete. Quite the contrary. Mosler quotes from a 1945 speech by Beardsley Ruml, chair of the New York Fed, to the American Bar Association. Ruml gives four grounds for taxation other than revenue:

1. As an instrument of fiscal policy to help stabilize the purchasing power of the dollar;

2. To express public policy in the distribution of wealth and of income, as in the case of the progressive income and estate taxes;

3. To express public policy in subsidizing or in penalizing various industries and economic groups;

4. To isolate and assess directly the costs of certain national benefits, such as highways and social security.

We can make a case for taxes and other measures to support Medicare for All relying solely on those four principles, without explicitly discussing MMT. If we do that, we lay a foundation for future tax issues, and for a sensible discussion of tax reform more broadly. I have a list of tax changes that will meet those standards. How about that NASCAR deduction for a starter. We raise a bit of money and get rid of a bit of corruption with one change.

This is a great teachable moment for MMT, just as the government shutdowns were with the heated arguments about the trillion dollar coin. I know Kelton and others will push on the MMT side. We need to win this, and we can’t afford to fight on two fronts. In particular, it isn’t helpful to attack people who don’t want to argue about MMT on the way to fixing our health care system. People like me.

Notre Dame undergrad (math); JD, Indiana University at Bloomington; 1st Lieutenant, US Army.; private practice in corporate and securities law; Assistant AG in Tennessee for consumer protection and securities; Blue Sky Securities Commissioner, Tennessee; private practice, bankruptcy and corporate law.

I have had a lifelong interest in economics. For most of my career, that interest was practical, focused on the problems in front of me. Lately I have been more interested in economics as a theory, especially its impact on the lives of people like those I met in my bankruptcy practice, and on the politics of money in the US. I also enjoy reading philosophers, starting in college and steadily expanding my reading ever since. I wrote at FireDogLake for a number of years.

Generally, I think the problem facing the US is the dominance of neoliberal discourse. I think it clouds the vision, and limits the kinds of problems that can be identified and solved. For example, the existence and danger of climate change can easily be identified in a scientific discussion. However, the problem does not fit the neoliberal discourse because science insists that the pursuit of individual and corporate self-interest will lead to devastation. In neoliberal discourse, the pursuit of self-interest always leads to Eden.

The neoliberal project has two prongs. One is the police function of crushing dissent and alternative views. The police function is provided by government agencies and private and institutional actors. The counterpart is the economic system , which is operated by government and by private and institutional actors. Some of these actors operate in both spheres. I focus on the second prong.

[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

Shadow Brokers and the “Second Source”

When I emphasized Der Spiegel’s reporting on TAO in this post on the tool for which Shadow Brokers recently released a manual, UNITEDRAKE, I was thinking along the same lines Electrospaces was here. Electrospaces lays out a universe of documents and reporting that doesn’t derive from Edward Snowden leaked documents, notes some similarity in content (a focus on NSA’s Tailored Access Operations), and the inclusion of documents from NSA’s San Antonio location. From that, Electrospaces posits that Shadow Brokers could be “identical with the Second Source.”

With the documents published by the Shadow Brokers apparently being stolen by an insider at NSA, the obvious question is: could the Shadow Brokers be identical with the Second Source?

One interesting fact is that the last revelation that could be attributed to the second source occured on February 23, 2016, and that in August of that year the Shadow Brokers started with their release of hacking files. This could mean that the second source decided to publish his documents in the more distinct and noticeable way under the guise of the Shadow Brokers.

But there’s probably also a much more direct connection: the batch of documents published along with Der Spiegel’s main piece from December 29, 2013 include a presentation about the TAO unit at NSA’s Cryptologic Center in San Antonio, Texas, known as NSA/CSS Texas (NSAT):


TAO Texas presentation, published by Der Spiegel in December 2013
(click for the full presentation)And surprisingly, the series of three slides that were released by the Shadow Brokers on April 14 were also from NSA/CSS Texas. They show three seals: in the upper left corner those of NSA and CSS and in the upper right corner that of the Texas Cryptologic Center:

TAO Texas slide, published by the Shadow Brokers in April 2017
(click for the full presentation)NSA/CSS TexasIt’s quite remarkable that among the hundreds of NSA documents that have been published so far, there are only these two sets from NSA/CSS Texas, which is responsible for operations in Latin America, the Caribbean, and along the Atlantic littoral of Africa in support of the US Southern and Central Commands.Besides the one in San Antonio, Texas, NSA has three other regional Cryptologic Centers in the US: in Augusta, Georgia, in Honolulu, Hawaii and in Denver, Colorado. These four locations were established in 1995 as Regional Security Operations Centers (RSOC) in order to disperse operational facilities from the Washington DC area, providing redundancy in the event of an emergency.So far, no documents from any of these regional centers have been published, except for the two from NSA/CSS Texas. This could be a strong indication that they came from the same source – and it seems plausible to assume that that source is someone who actually worked at that NSA location in San Antonio.

Frankly, I’m skeptical of the underlying reports that Shadow Brokers must be a disgruntled NSA employee or contractor, which derives in part from the conclusion that many of the files released include documents that had to be internal to NSA, and in part from this report that says that’s the profile of the suspect the government is looking for.

The U.S. government’s counterintelligence investigation into the so-called Shadow Brokers group is currently focused on identifying a disgruntled, former U.S. intelligence community insider, multiple people familiar with the matter told CyberScoop.

Sources tell CyberScoop that former NSA employees have been contacted by investigators in the probe to discover how a bevy of elite computer hacking tools fell into the Shadow Brokers’ possession.

Those sources asked for anonymity due to sensitivity of the investigation.

While investigators believe that a former insider is involved, the expansive probe also spans other possibilities, including the threat of a current intelligence community employee being connected to the mysterious group.

The investigatory effort is being led by a combination of professionals from the FBI, National Counterintelligence and Security Center (NCSC), and NSA’s internal policing group known as Q Group.

It’s not clear if the former insider was once a contractor or in-house employee of the secretive agency. Two people familiar with the matter said the investigation “goes beyond” Harold Martin, the former Booz Allen Hamilton contractor who is currently facing charges for taking troves of classified material outside a secure environment.

The report clearly suggests (and I confirmed with its author, Chris Bing) that the government is still testing out theories, and that the current profile (or the one they were chasing in July) happens to be an insider of some sort, but that they didn’t have a specific insider in mind as the suspect.

There are a number of  reasons I’m skeptical. First, part of that theory is based on Shadow Brokers making comments about Jake Williams that reflects some inside knowledge about an incident that happened while he was at NSA (Shadow Brokers has deleted most of his tweets, but they’re available in this superb timeline).

trying so hard so  helping out…you having big mouth for former  member what was name of.

leak OddJob? Windows BITS persistence? CCI? Maybe not understand gravity of situation USG investigating members talked to Q group yet

theshadowbrokers ISNOT in habit of outing  members but had make exception for big mouth, keep talking shit  your next

Even there, Shadow Brokers was falsely suggesting that Matt Suiche, who’s not even an American citizen, might be NSA. But things got worse in June, when Shadow Brokers thought he had doxed @drwolfff as a former NSA employee, only to have @drwolfff out himself as someone else entirely (see this post, where Shadow Brokers tried to pretend he hadn’t made a mistake). So Shadow Brokers has been wrong about who is and was NSA more often than he has been right.

Another reason I doubt he’s a direct insider is because when he posted the filenames for Message 6, he listed a good many of the files as “unknown.” (Message 6 on Steemit, archived version)

That suggests that even if Shadow Brokers had some insider role, he wasn’t using these particular files directly (or didn’t want to advertise them as what they were).

And because I’m not convinced that Shadow Brokers is, personally, an insider, I’m not convinced that he necessarily is (as Electrospaces argues) “identical with the Second Source.”

Rather, I think it possible that Jacob Appelbaum and Shadow Brokers have a mutually shared source. That’s all the more intriguing given that Wikileaks once claimed that they had a copy of at least the first set of Shadow Brokers files, which Shadow Brokers recalled in January, and that Julian Assange released an insurance file days after Guccifer 2.0 first started posting hacked Democratic documents (see this post on the insurance file and this one on Shadow Brokers calling out WikiLeaks for hoarding that document).

Maybe they’re all bullshitting. But given Electrospaces’ observation that some of the files (covering intercepts of US allies, often pertaining to trade deals) for which there is no known source went straight to WikiLeaks, I think a shared source is possible.

All that said, there’s one more detail I’d add to Electrospaces’ piece. As noted, he finds the inclusion, in both the Shadow Brokers and the Appelbaum files, of documents from NSA’s San Antonio location to be intriguing. So do I.

Which is why it’s worth noting that that location is among the three where — as late as the first half of 2016 — a DOD Inspector General audit found servers and other sensitive equipment unlocked.

An unlocked server would in no way explain all of the files included even in a narrowly scoped collection of “Second Source” files. But it would indicate that the San Antonio facility was among those that wasn’t adequately secured years after the Snowden leaks.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

Software is a Long Con

I had a conversation with a bridge engineer one evening not long ago. I said, “Bridges, they are nice, and vital, but they fall down a lot.”

He looked at me with a well-worn frustration and replied, “Falling down is what bridges do. It’s the fate of all bridges to fall down, if you don’t understand that, you don’t understand bridges.”

“Ok, I do understand that,” I replied. “But they fall down a lot. Maybe if we stepped back and looked at how we’re building bridges –”

“You can’t build a bridge that doesn’t fall down. That’s just not how bridges work”

I took a deep breath. “What if you could build a bridge that didn’t fall down as often?”

“Not practical — it’s too hard, and besides, people want bridges.” By now, he was starting to look bored with the conversation.

“I bet if you slowed down how you build bridges, you could make ones that lasted decades, even in some cases, centuries. You might have to be thoughtful, set more realistic expectations, do a lot more of the design of a bridge before you start building it, but..”

He interrupted me again. “Look, you’re not a bridge engineer, so you don’t really understand how bridges work, but people want bridges now. So no one is going to build a bridge like that, even if it were possible, and I’m not saying it is.”

“But people get hurt, sometimes die, on these bridges.”

“Bridges fall down. Sometimes people are on them when they do. That’s not my fault as a bridge engineer, that’s literally how gravity works,” he said.

“I know there will always be accidents and problems with bridges, but I really do think that you could build them with careful planning, and maybe shared standards and even regulations in such a way that bridge collapses could be rare. Some of the problems with bridges are faults we’ve known about for decades, but they still get built into bridges all the time.”

He took a deep breath, and pinned me with a stare. “Even if we could, and it’s still entirely possible that no one can build these mythical bridges you’re talking about, that would slow down the building of bridges. People need bridges to get places. No one could afford to build bridges that slowly, and people would complain.” He stretched out the –plaaaain in complain, in a way that made clear this was the end of the argument and he’d won.

“They might not complain if they didn’t fall off bridges so often,” I mumbled.

He heard me. “Unlike you, people know that bridges fall down.”

Just then, a friend of mine, also a writer, also interested in bridges, stopped by.

“Hey guys!” he said. “So it looks like there’s a crew of Russian bridge destroyers with hammers and lighters who are running around in the middle of the night setting fires to bridges and knocking off braces with hammers. They started in Ukraine but they’re spreading around the world now, and we don’t know if our bridges are safe. They’ve studied bridges carefully and they seem to be good at finding where they’re most flammable and which braces to knock off with their hammer.”

We both regarded my friend a long moment, letting it sink in. I turned back to the bridge engineer and said, “Maybe we need to make them out of non-flammable material and rivet them instead of using exposed braces and clamps.”

But he was already red in the face, eyes wide with anger and fear. “GET THE RUSSIANS!” he screamed.

OK, obviously it’s not bridges I’m talking about, it’s software. And that other writer is Wired’s Andy Greenberg, who wrote a  piece not that long ago on Russian hacking.

Greenberg’s detailed and riveting story focuses largely on the politics of hacking, and the conflict between an increasingly imperialist Russia, and Ukraine, with an eye towards what it means for America. For people who respond to such attacks, like FireEye and Crowdstrike, these kinds of events are bread and butter. They have every reason to emphasize the danger Russia (or a few years ago, China) pose to the USA. It’s intense, cinematic stuff.

It’s also one of a long sequence of stories in this vein. These stories, some of which I’ve written over the years, show that our computers and our networks are the battlegrounds for the next great set of political maneuvers between nation-states. We the people, Americans, Russians, whomever, are just helpless victims for the coming hacker wars. We have Cyber Commands and Cyber attack and Cyber defense units, all mysterious, all made romantic and arcane by their fictional counterparts in popular media.

But there’s another way to look at it. Computer systems are poorly built, badly maintained, and often locked in a maze of vendor contracts and outdated spaghetti code that amounts to a death spiral. This is true of nothing else we buy.

Our food cannot routinely poison us. Our electronics cannot blow up, and burn down our houses. If they did, we could sue the pants off whomever sold us the flawed product. But not in the case of our software.

The Software Is Provided “As Is”, Without Warranty of Any Kind

This line is one of the most common in software licenses. In developed nations, it is a uniquely low standard. I cannot think of anything infrastructural that is held to such a low standard. Your restaurants are inspected. Your consumer purchases enveloped in regulations and liability law. Your doctors and lawyers must be accredited. Your car cannot stop working while it is going down the freeway and kill you without consequences, except maybe if it’s caused by a software bug.

It is to the benefit of software companies and programmers to claim that software as we know it is the state of nature. They can do stupid things, things we know will result in software vulnerabilities, and they suffer no consequences because people don’t know that software could be well-written. Often this ignorance includes developers themselves. We’ve also been conditioned to believe that software rots as fast as fruit. That if we waited for something, and paid more, it would still stop working in six months and we’d have to buy something new. The cruel irony of this is that despite being pushed to run out and buy the latest piece of software and the latest hardware to run it, our infrastructure is often running on horribly configured systems with crap code that can’t or won’t ever be updated or made secure.

People don’t understand their computers. And this lets people who do understand computers mislead the public about how they work, often without even realizing they are doing it.

Almost every initial attack comes through a phishing email. Not initial attack on infrastructure — initial attacks on everything — begins with someone clicking on an attachment or a link they shouldn’t. This means most attacks rely on a shocking level of digital illiteracy and bad IT policy, allowing malware to get to end-user computers, and failing to train people to recognize when they are executing a program.

From there, attackers move laterally through systems that aren’t maintained, or written in code so poor it should be a crime, or more often, both. The code itself isn’t covered by criminal law, or consumer law, but contract law. The EULAs, or End User Licensing Agreements (aka the contracts you agree to in order to use software), which are clicked through by infrastructure employees are as bad, or worse, as the ones we robotically click through everyday.

There are two reasons why I gave up reporting on hacking attacks and data breach. One is that Obama’s Department of Justice had moved their policies towards making that kind of coverage illegal, as I’ve written about here. But the other, more compelling reason, was that they have gotten very very boring. It’s  always the same story, no one is using sophistication, why would you bother? It’s dumb to burn a zero day when you can send a phishing mail. It’s dumb to look for an advanced zero day when you can just look for memory addressing problems in C, improperly sanitized database inputs, and the other programatic problems we solved 20 years ago or more.

Programmers make the same mistakes over and over again for decades, because software companies suffer no consequences when they do. Like pollution and habitat destruction, security is an externality. And really, it’s not just security, it’s whether the damn things work at all. Most bugs don’t drain our bank accounts, or ransom our electrical grids. They just make our lives suck a little bit more, and our infrastructure fail a little more often, even without any hackers in sight.

When that happens with a dam, or a streetlight, or a new oven, we demand that the people who provided those things fix the flaws. If one of those things blows up and hurt someone, the makers of those things are liable for the harm they have caused. Not so if any of these things happen because of software. You click through our EULA, and we are held harmless no matter how much harm we cause.

When I became a reporter, I decided I never wanted my career to become telling the same story over and over again. And this is, once again, always the same story. It’s a story of software behaving badly, some people exploiting that software to harm other people, and most people not knowing they could have it better. I’m glad people like Andy Greenberg and others at my old Wired home, the good folks at Motherboard and Ars Technica, and others, are telling these stories. It’s important that we know how often the bridges burned down.

But make no mistake, as long as we blame the people burning the bridges and not the people building them, they will keep burning down.

And shit software will still remain more profitable than software that would make our lives easier, better, faster, and safer. And yeah, we would probably have to wait a few more months to get it. It might even need a better business model than collecting and selling your personal information to advertisers and whomever else comes calling.

I could keep writing about this, there’s a career’s worth of pieces to write about how bad software is, and how insecure it makes us, and I have written many of those pieces. But like writing about hackers compromising terrible systems, I don’t want to write the same thing telling you that software is the problem, not the Chinese or the Russians or the boogeyman de jour.

You, the person reading this, whether you work in the media or tech or unloading container ships or selling falafels, need to learn how computers work, and start demanding they work better for you. Not everything, not how to write code, but the basics of digital and internet literacy.

Stop asking what the Russians could do to our voting machines, and start asking why our voting machines are so terrible, and often no one can legally review their code.

Stop asking who is behind viruses and ransomware, and ask why corporations and large organizations don’t patch their software.

Don’t ask who took the site down, ask why the site was ever up with a laundry list of known vulnerabilities.

Start asking lawmakers why you have to give up otherwise inalienable consumer rights the second you touch a Turing machine.

Don’t ask who stole troves of personal data or what they can do with it, ask why it was kept in the first place. This all goes double for the journalists who write about these things — you’re not helping people with your digital credulity, you’re just helping intel services and consultants and global defense budgets and Hollywood producers make the world worse.

And for the love of the gods, stop it with emailing attachments and links. Just stop. Do not send them, do not click on them. Use Whatsapp, use Dropbox, use a cloud account or hand someone a USB if you must, but stop using email to execute programs on your computer.

Thanks to my Patrons on Patreon, who make this and my general living possible. You can support this more of work at Patreon.

Image CC Skez

 

UNITEDRAKE and Hacking under FISA Orders

As I noted yesterday, along with the encrypted files you have to pay for, on September 6, Shadow Brokers released the manual for an NSA tool called UNITEDRAKE.

As Bruce Schneier points out, the tool has shown up in released documents on multiple occasions — in the catalog of TAO tools leaked by a second source (not Snowden) and released by Jacob Appelbaum, and in three other Snowden documents (one, two, three) talking about how the US hacks other computers, all of which first appeared in Der Spiegel’s reporting (one, two, three). [Update: See ElectroSpaces comments about this Spiegel reporting and its source.]

The copy, as released, is a mess — it appears to have been altered by an open source graphics program and then re-saved as a PDF. Along with classification marks, the margins and the address for the company behind it appears to have been altered.

The NSA is surely doing a comparison with the real manual (presumably as it existed at the time it may have been stolen) in an effort to understand how and why it got manipulated.

I suspect Shadow Brokers released it as a message to those pursuing him as much as to entice more Warez sales, for the observations I lay out below.

The tool permits NSA hackers to track and control implants, doing things like prioritizing collection, controlling when an implant calls back and how much data is collected at a given time, and destroying an implant and the associated UNITEDRAKE code (PDF 47 and following includes descriptions of these functions).

It includes doing things like impersonating the user of an implanted computer.

Depending on how dated this manual is, it may demonstrate that Shadow Brokers knows what ports the NSA will generally use to hack a target, and what code might be associated with an implant.

It also makes clear, at a time when the US is targeting Russia’s use of botnets, that the NSA carries out its own sophisticated bot-facilitated collection.

Finally of particular interest to me, the manual shows that UNITEDRAKE can be used to hack targets of FISA orders.

To use it to target people under a FISA order, the NSA hacker would have to enter both the FISA order number and the date the FISA order expires. After that point, UNITEDRAKE will simply stop collecting off that implant.

Note, I believe that — at least in this deployment — these FISA orders would be strictly for use overseas. One of the previous references to UNITEDRAKE describes doing a USSID-18 check on location.

SEPI analysts validate the target’s identity and location (USSID-18 check), then provide a deployment list to Olympus operators to load a more sophisticated Trojan implant (currently OLYMPUS, future UNITEDRAKE).

That suggests this would be exclusively EO 12333 collection — or collection under FISA 704/705(b) orders.

But the way in which UNITEDRAKE is used with FISA is problematic. Note that it doesn’t include a start date. So the NSA could collect data from before the period when the court permitted the government to spy on them. If an American were targeted only under Title I (permitting collection of data in motion, therefore prospective data), they’d automatically qualify for 705(b) targeting with Attorney General approval if they traveled overseas. Using UNITEDRAKE on — say, the laptop they brought with them — would allow the NSA to exfiltrate historic data, effectively collecting on a person from a time when they weren’t targeted under FISA. I believe this kind of temporal problem explains a lot of the recent problems NSA has had complying with 704/705(b) collection.

In any case, Shadow Brokers may or may not have UNITEDRAKE among the files he is selling. But what he has done by publishing this manual is tell the world a lot of details about how NSA uses implants to collect intelligence.

And very significantly for anyone who might be targeted by NSA hacking tools under FISA (including, presumably, him), he has also made it clear that with the click of a button, the NSA can pretend to be the person operating the computer. This should create real problems for using data hacked by NSA in criminal prosecutions.

Except, of course, especially given the provenance problems with this document, no defendant will ever be able to use it to challenge such hacking.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

John Sipher’s Garbage Post Arguing the Steele Dossier Isn’t Garbage

I generally find former CIA officer John Sipher’s work rigorous and interesting, if not always persuasive. Which is why I find the shoddiness of this post — arguing, just as Republicans in Congress and litigious Russians start to uncover information about the Christopher Steele dossier, that the dossier is not garbage  — so telling.

I don’t think the Steele dossier is garbage.

But neither do I think it supports the claim that it predicted a lot of information we’ve found since, something Sipher goes to great pains to argue. And there are far more problems with the dossier and its production than Sipher, who claims to be offering his wisdom about how to interpret raw intelligence, lets on. So the dossier isn’t garbage (though the story behind its production may well be). But Sipher’s post is. And given that it appears to be such a desperate — and frankly, unnecessary — attempt to reclaim the credibility of the dossier, it raises questions about why he feels the need.

Making and claiming accuracy for a narrative out of raw intelligence

Sipher’s project appears to be taking what he admits is raw intelligence and providing a narrative that he says we should continue to use to understand Trump’s Russian ties.

Close to the beginning of his piece, Sipher emphasizes that the dossier is not a finished intelligence report, but raw intelligence; he blames the media for not understanding the difference.

I spent almost thirty years producing what CIA calls “raw reporting” from human agents.  At heart, this is what Orbis did.  They were not producing finished analysis, but were passing on to a client distilled reporting that they had obtained in response to specific questions.  The difference is crucial, for it is the one that American journalists routinely fail to understand.

[snip]

Mr. Steele’s product is not a report delivered with a bow at the end of an investigation.  Instead, it is a series of contemporaneous raw reports that do not have the benefit of hindsight.

Sipher explains that you need analysts to make sense of these raw reports.

The onus for sorting out the veracity and for putting the reporting in context against other reporting – which may confirm or deny the new report – rests with the intelligence community’s professional analytic cadre.

He then steps into that role, an old clandestine services guy doing the work of the analysts. The result, he says, is a narrative he says we should still use — even in the wake of eight months of aggressive reporting since the dossier came out — in trying to understand what went on with the election.

As a result, they offer an overarching framework for what might have happened based on individuals on the Russian side who claimed to have insight into Moscow’s goals and operational tactics.  Until we have another more credible narrative, we should do all we can to examine closely and confirm or dispute the reports.

[snip]

Looking at new information through the framework outlined in the Steele document is not a bad place to start.

How to read a dossier

One thing Sipher aspires to do — something that would have been enormously helpful back in January — is explain how an intelligence professional converts those raw intelligence reports into a coherent report. He describes the first thing you do is source validation.

In the intelligence world, we always begin with source validation, focusing on what intelligence professionals call “the chain of acquisition.”  In this case we would look for detailed information on (in this order) Orbis, Steele, his means of collection (e.g., who was working for him in collecting information), his sources, their sub-sources (witting or unwitting), and the actual people, organizations and issues being reported on.

He goes to great lengths to explain how credible Steele is, noting even that he “was the President of the Cambridge Union at university.” I don’t dispute that Steele is, by all accounts, an accomplished intelligence pro.

But Sipher unwisely invests a great deal of weight into the fact that the FBI sought to work with Steele.

The fact that the FBI reportedly sought to work with him and to pay him to develop additional information on the sources suggest that at least some of them were worth taking seriously.  At the very least, the FBI will be able to validate the credibility of the sources, and therefore better judge the information.  As one recently retired senior intelligence officer with deep experience in espionage investigations quipped, “I assign more credence to the Steele report knowing that the FBI paid him for his research.  From my experience, there is nobody more miserly than the FBI.  If they were willing to pay Mr. Steele, they must have seen something of real value.”

This is flat-out dumb for two reasons. First, it is one of the things the GOP has used to discredit the dossier and prosecution — complaining (rightly) that the FBI was using a document designed as opposition research, possibly even to apply for a FISA warrant. If the FBI did that, I’m troubled by it.

More importantly, the actual facts about whether FBI did pay Steele are very much in dispute, with three different versions in the public record and Chuck Grassley claiming the FBI has been giving conflicting details about what happened (it’s likely that FBI paid Steele’s travel to the US but not for the dossier itself).

WaPo reported that Steele had reached a verbal agreement that the FBI would pay him to continue his investigation of Russia’s involvement with Trump after still unnamed Democrats stopped paying him after the election. CNN then reported that FBI actually had paid Steele for his expenses. Finally, NBC reported Steele backed out of the deal before it was finalized.

If the FBI planned to pay Steele, but got cold feet after Steele briefed David Corn for a piece that made explicit reference to the dossier, it suggests FBI may have decided the dossier was too clearly partisan for its continued use. In any case, citing a “recently retired senior intelligence officer” claiming the FBI did pay Steele should either be accompanied by a “BREAKING, confirming the detail no one else has been able to!” tag, or should include a caveat that the record doesn’t affirmatively support that claim.

After vouching for Steele (again, I don’t dispute Steele’s credentials), Sipher lays out the other things that need to happen to properly vet raw intelligence, which he claims we can’t do.

The biggest problem with confirming the details of the Steele “dossier” is obvious: we do not know his sources, other than via the short descriptions in the reports.  In CIA’s clandestine service, we spent by far the bulk of our work finding, recruiting and validating sources.  Before we would ever consider disseminating an intelligence report, we would move heaven and earth to understand the access, reliability, trustworthiness, motivation and dependability of our source.  We believe it is critical to validate the source before we can validate the reliability of the source’s information.  How does the source know about what he/she is reporting?  How did the source get the information?  Who are his/her sub-sources?  What do we know about the sub-sources?  Why is the source sharing the information?  Is the source a serious person who has taken appropriate measures to protect their efforts?

The thing is, we actually know answers to two of these questions. First, Steele’s sources shared the information (at least in part) because they were paid. That’s totally normal for spying, of course, but if Sipher aspires to explain to us how to assess the dossier, he needs to admit that money changes hands and that’s just the way things are done (again, that’s all the more important given that it’s one of the bases the GOP is using to discredit the report).

More importantly, Sipher should note that Steele worked one step removed — from London, rather than from Moscow — than an intelligence officer otherwise might. The reports may still be great, but that additional step introduces more uncertainty into the validation. It’s all the more important that Sipher address these two issues, because they’re the ones the GOP has been and will continue to use to discredit the dossier.

Ultimately, though, in his section on vetting the document, Sipher doesn’t deal with some key questions about the dossier. Way at the end of his piece, he questions whether we’re looking at the entire dossier.

We also don’t know if the 35 pages leaked by BuzzFeed is the entirety of the dossier.  I suspect not.

He doesn’t raise two other key questions about the provenance of the dossier we’ve been given, some of which I laid out when the dossier came out when I also noted that the numbering of the dossier by itself makes it clear it’s not the complete dossier. Importantly: is the copy of the dossier leaked to BuzzFeed an unaltered copy of what Steele delivered to Fusion, in spite of the weird textual artifacts in it? And how and why did the dossier get leaked to BuzzFeed, which Steele has told us was not one of the six outlets that he briefed on its contents.

Finally, Sipher includes the obligation to “openly acknowledge the gaps in understanding” outside of the section on vetting, which is telling given that he notes only a few of the obvious gaps in this dossier.

Sipher claims the dossier predicted what wasn’t known

So there are a lot of aspects of vetting Sipher doesn’t do, whether or not he has the ability to. But having done the vetting of checking Steele’s college extracurricular record, he declares the dossier has proven to be “stunningly accurate.”

Did any of the activities reported happen as predicted?

To a large extent, yes.

The most obvious occurrence that could not have been known to Orbis in June 2016, but shines bright in retrospect is the fact that Russia undertook a coordinated and massive effort to disrupt the 2016 U.S. election to help Donald Trump, as the U.S. intelligence community itself later concluded.  Well before any public knowledge of these events, the Orbis report identified multiple elements of the Russian operation including a cyber campaign, leaked documents related to Hillary Clinton, and meetings with Paul Manafort and other Trump affiliates to discuss the receipt of stolen documents.  Mr. Steele could not have known that the Russians stole information on Hillary Clinton, or that they were considering means to weaponize them in the U.S. election, all of which turned out to be stunningly accurate.

Now as I said above, I don’t believe the dossier is junk. But this defense of the dossier, specifically as formulated here, is junk. Central to Sipher’s proof that Steele’s dossier bears out are these claims:

  • Russia undertook a coordinated and massive effort to disrupt the 2016 U.S. election to help Donald Trump
  • The Orbis report identified multiple elements of the Russian operation including
    • A cyber campaign
    • Leaked documents related to Hillary Clinton
    • Meetings with Paul Manafort and other Trump affiliates to discuss the receipt of stolen documents

As I’ll show, these claims are, with limited exceptions, not actually what the dossier shows. Far later into the dossier, the reason Sipher frames it this way is clear. He’s taking validation from recent details about the June 9, 2016 meeting.

Of course, to determine if collusion occurred as alleged in the dossier, we would have to know if the Trump campaign continued to meet with Russian representatives subsequent to the June meeting.

The Steele dossier was way behind contemporary reporting on the hack-and-leak campaign

I consider the dossier strongest in its reports on early ties between Trump associates and Russians, as I’ll lay out below. But one area where it is — I believe this is the technical term — a shit-show is the section claiming the report predicted Russia’s hacking campaign.

Here’s how Sipher substantiates that claim.

By late fall 2016, the Orbis team reported that a Russian-supported company had been “using botnets and porn traffic to transmit viruses, plant bugs, steal data and conduct ‘altering operations’ against the Democratic Party leadership.” Hackers recruited by the FSB under duress were involved in the operations. According to the report, Carter Page insisted that payments be made quickly and discreetly, and that cyber operators should go to ground and cover their tracks.

[snip]

Consider, in addition, the Orbis report saying that Russia was utilizing hackers to influence voters and referring to payments to “hackers who had worked in Europe under Kremlin direction against the Clinton campaign.” A January 2017 Stanford study found that “fabricated stories favoring Donald Trump were shared a total of 30 million times, nearly quadruple the number of pro-Hillary Clinton shares leading up to the election.”  Also, in November, researchers at Oxford University published a report based on analysis of 19.4 million Twitter posts from early November prior to the election.  The report found that an “automated army of pro-Trump chatbots overwhelmed Clinton bots five to one in the days leading up to the presidential election.”  In March 2017, former FBI agent Clint Watts told Congress about websites involved in the Russian disinformation campaign “some of which mysteriously operate from Eastern Europe and are curiously led by pro-Russian editors of unknown financing.”

The Orbis report also refers specifically to the aim of the Russian influence campaign “to swing supporters of Bernie Sanders away from Hillary Clinton and across to Trump,” based on information given to Steele in early August 2016. It was not until March 2017, however, that former director of the National Security Agency, retired Gen. Keith Alexander in Senate testimony said of the Russian influence campaign, “what they were trying to do is to drive a wedge within the Democratic Party between the Clinton group and the Sanders group.”

Here’s what the dossier actually shows about both kompromat on Hillary and hacking.

June 20: In the first report, issued 6 days after the DNC announced it had been hacked by Russia, and 5 days after Guccifer 2.0 said he had sent stolen documents to WikiLeaks, the dossier spoke of kompromat on Hillary, clearly described as years old wiretaps from when she was visiting Russia. While the report conflicts internally, one part of it said it had not been distributed abroad. As I note in this post, if true, that would mean the documents Natalia Veselnitsaka shared with Trump folks on June 9 was not the kompromat in question.

July 19: After Guccifer 2.0 had released 7 posts, most with documents, and after extended reporting concluding that he was a Russian front, the second report discussed kompromat — still seemingly meaning that dated FSB dossier — as if it were prospective.

July 26: Four days after WikiLeaks released DNC emails first promised in mid-June, Steele submitted a report claiming that Russian state hackers had had “only limited success in penetrating the ‘first tier’ of foreign targets. These comprised western (especially G7 and NATO) governments, security and intelligence services and central banks, and the IFIs.” There had been public reports of FSB-associated APT 29’s hacking of such targets since at least July 2015, and public reporting on their campaigns that should have been identified when DNC did a Google search in response to FBI’s warnings in September 2015. It’s stunning anyone involved in intelligence would claim Russia hadn’t had some success penetrating those first tier targets.

Report 095: An undated report, probably dating sometime between July 26 and July 30, did state that a Trump associate admitted Russia was behind WikiLeaks release of emails, something that had been widely understood for well over a month.

July 30: A few weeks before WikiLeaks reportedly got the second tranche of (Podesta) emails, a report states that Russia is worried that the email hacking operation is spiraling out of control so “it is unlikely that these [operations] would be ratcheted up.”

August 5: A report says Dmitry Peskov, who is reportedly in charge of the campaign, is “scared shitless” about being scapegoated for it.

August 10: Just days before WikiLeaks purportedly got the Podesta tranche of emails, a report says Sergei Ivanov said “Russians would not risk their position for the time being with new leaked material, even to a third party like WikiLeaks.”

August 10: Months after a contentious primary and over two weeks after Debbie Wasserman Schultz’s resignation during the convention (purportedly because of DNC’s preference for Hillary), a report cites an ethnic Russian associate of Russian US presidential candidate Donald TRUMP campaign insider, not a Russian, saying the email leaks were designed to “swing supporters of Bernie SANDERS and away from Hillary CLINTON and across to TRUMP.” It attributes that plan to Carter Page, but does not claim any Russian government involvement in that strategy. Nor would it take a genius for anyone involved in American politics to pursue such a strategy.

August 22: A report on Manafort’s “demise” doesn’t mention emails or any kompromat.

September 14: Three months after Guccifer 2.0 first appeared, the dossier for the first time treated the Russians’ kompromat as the emails, stating that more might be released in late September. That might coincide with Craig Murray’s reported contact with a go-between (Murray has been very clear he did not ferry the emails themselves though he did have some contact in late September).

October 12: A week after the Podesta emails first started appearing, a report states that “a stream of further hacked CLINTON materials already had been injected by the Kremlin into compliant media outlets like Wikileaks, which remained at least “plausibly deniable”, so the stream of these would continue through October and up to the election, something Julian Assange had made pretty clear. See this report for more.

October 18, 19, 19: Three reports produced in quick succession describe Michael Cohen’s role in covering up the Trump-Russia mess, without making any explicit (unredacted) mention of emails. See this post on that timing.

December 20: A virgin birth report produced as the US intelligence community scrambled to put together the case against Russia for the first time ties Cohen to the emails in unredacted form).

What the timeline of the hacking allegations in the Steele dossier (and therefore also “predictions” about leaked documents) reveal is not that his sources predicted the hack-and-leak campaign, but on the contrary, he and his sources were unbelievably behind in their understanding of Russian hacking and the campaign generally (or his Russian sources were planting outright disinformation). Someone wanting to learn about the campaign would be better off simply hanging out on Twitter or reading the many security reports issued on the hack in real time.

Perhaps Sipher wants to cover this over when he claims that, “The Russian effort was aggressive over the summer months, but seemed to back off and go into cover-up mode following the Access Hollywood revelations and the Obama Administration’s acknowledgement of Russian interference in the fall, realizing they might have gone too far and possibly benefitted Ms. Clinton.” Sure, that’s sort of (though not entirely) what the dossier described. But the reality is that WikiLeaks was dropping new Podesta emails every day, Guccifer 2.0 was parroting Russian (and Republican) themes about a rigged election, and Obama was making the first ever cyber “red phone” call to Moscow because of Russia’s continued probes of the election infrastructure (part of the Russian effort about which both the dossier and Sipher’s post are silent).

The quotes Sipher uses to defend his claim are even worse. The first passage includes two clear errors. The report in question was actually the December 13 one, not “late fall 2016” one. And the Trump associate who agreed (in the alleged August meeting in Prague, anticipating that Hillary might win) to making quick payments to hackers was Michael Cohen, not Carter Page. Many things suggest this particular report should be read with great skepticism, not least that it post-dated both the disclosure of the existence of the dossier and the election, and that this intelligence was offered up to Steele, not solicited, and was offered for free.

Next, Sipher again cites the December 13 report to claim Steele predicted something reported in a November Oxford University report (and anyway widely reported by BuzzFeed for months), which seems to require either a time machine or an explanation for why Steele didn’t report that earlier. He attributes a quote sourced to a Trump insider as indicating Russian strategy, which that report doesn’t support. And if you need Keith Alexander to suss out the logic of Democratic infighting that had been clear for six months, then you’re in real trouble!

Sipher would have been better off citing the undated Report 095 (which is another report about which there should be provenance questions), which relies on the same ethnic Russian Trump insider as the August 10 report, which claims agents/facilitators within the Democratic Party and Russian émigré hackers working in the United States — a claim that is incendiary but (short of proof that the Al-Awan brothers or Seth Rich really were involved) — one that has not been substantiated.

In short, the evidence in the dossier simply doesn’t support the claim it predicted two of the three things Sipher claims it does, at least not yet.

The dossier is stronger in sketchy contacts with Russians

The dossier is stronger with respect to some, but not all Trump associates. But even there, Sipher’s defense demonstrates uneven analytic work.

First, note that Sipher relies on “renowned investigative journalist” Michael Isikoff to validate some of these claims.

Renowned investigative journalist Michael Isikoff reported in September 2016 that U.S. intelligence sources confirmed that Page met with both Sechin and Divyekin during his July trip to Russia.

[snip]

A June 2017 Yahoo News article by Michael Isikoff described the Administration’s efforts to engage the State Department about lifting sanctions “almost as soon as they took office.”

Among the six journalists Steele admits he briefed on his dossier is someone from Yahoo.

The journalists initially briefed at the end of September 2016 by [Steele] and Fusion at Fusion’s instruction were from the New York Times, the Washington Post, Yahoo News, the New Yorker and CNN. [Steele] subsequently participated in further meetings at Fusion’s instruction with Fusion and the New York Times, the Washington Post and Yahoo News, which took place in mid-October 2016.

That the Yahoo journalist is Isikoff would be a cinch to guess. But we don’t have to guess, because Isikoff made it clear it was him in his first report after the dossier got leaked.

Another of Steele’s reports, first reported by Yahoo News last September, involved alleged meetings last July between then-Trump foreign policy adviser Carter Page and two high-level Russian operatives, including Igor Sechin — a longtime associate of Russian President Vladimir Putin who became the chief executive of Rosneft, the Russian energy giant.

In other words, Sipher is engaging in navel-gazing here, citing a report based on the Steele dossier, to say it confirms what was in the Steele dossier.

Sipher similarly cites a NYT article that was among the most criticized for the way it interprets “senior Russian intelligence officials” loosely to include anyone who might be suspect of being a spook.

We have also subsequently learned of Trump’s long-standing interest in, and experience with Russia and Russians.  A February 2017 New York Times article reported that phone records and intercepted calls show that members of Trump’s campaign and other Trump associates had repeated contacts with senior Russian officials in the year before the election.  The New York Times article was also corroborated by CNN and Reuters independent reports.

The two reports he claims corroborate the NYT one fall far short of the NYT claim about talks with Russian intelligence officials — a distinction that is critical given what Sipher claims about Sergey Kislyak, which I note below.

Carter Page

Sipher cites the Carter Page FISA order as proof that some of these claims have held up.

What’s more, the Justice Department obtained a wiretap in summer 2016 on Page after satisfying a court that there was sufficient evidence to show Page was operating as a Russian agent.

But more recent reporting, by journalists Sipher elsewhere cites approvingly, reveals that Page had actually been under a FISA order as early as 2014.

Page had been the subject of a secret intelligence surveillance warrant since 2014, earlier than had been previously reported, US officials briefed on the probe told CNN.

Paul Manafort

I have no complaint with Sipher’s claims about Manafort — except to the extent he suggests Manafort’s Ukrainian corruption wasn’t know long before the election. Sipher does, however, repeat a common myth about Manafort’s influence on the GOP platform.

The quid pro quo as alleged in the dossier was for the Trump team to “sideline” the Ukrainian issue in the campaign.  We learned subsequently the Trump platform committee changed only a single plank in the 60-page Republican platform prior to the Republican convention.  Of the hundreds of Republican positions and proposals, they altered only the single sentence that called for maintaining or increasing sanctions against Russia, increasing aid for Ukraine and “providing lethal defensive weapons” to the Ukrainian military.  The Trump team changed the wording to the more benign, “appropriate assistance.”

Republicans have credibly challenged this claim about the platform. Bob Dole is credited with making the platform far harsher on China in the service of his Taiwanese clients. And Trump’s team also put in language endorsing the revival of Glass-Steagall, with support from Manafort and/or Carl Icahn.

Michael Cohen

Sipher’s discussion of Trump lawyer Michael Cohen is the weirdest of all, not least because the Cohen reports are the most incendiary but also because they were written at a time when Steele had already pitched the dossier to the media (making it far more likely the ensuing reports were the result of disinformation). Here’s how Sipher claims the Steele dossier reports have been validated.

We do not have any reporting that implicates Michael Cohen in meetings with Russians as outlined in the dossier.  However, recent revelations indicate his long-standing relationships with key Russian and Ukrainian interlocutors, and highlight his role in a previously hidden effort to build a Trump tower in Moscow. During the campaign, those efforts included email exchanges with Trump associate Felix Sater explicitly referring to getting Putin’s circle involved and helping Trump get elected.

Go look at that “recent revelations” link. It goes to this Josh Marshall post which describes its own sourcing this way:

TPM Reader BR flagged my attention to this 2007 article in The New York Post.

[snip]

Because two years ago, in February 2015, New York real estate trade sheet The Real Deal reported that Cohen purchased a $58 million rental building on the Upper East Side.

This is not recent reporting!! Again, this is stuff that was publicly known before the election.

More importantly, given Cohen’s rebuttal to the dossier, Marshall supports a claim that Cohen has ties to Ukraine, not Russia. The dossier, however, claims Cohen has ties to the latter, as Cohen mockingly notes.

Felix Sater

Then there are the Trump associates who are now known to have been central to any ties between Trump and the Russians that the Steele dossier didn’t cite — as least not as subjects (all could well be sources, which raises other questions). The first is Felix Sater, whom Sipher discusses three times in suggesting that the dossier accurately predicts Cohen’s involvement in the Russian negotiations.

To take one example, the first report says that Kremlin spokesman Dmitry Peskov was responsible for Russia’s compromising materials on Hillary Clinton, and now we have reports that Michael Cohen had contacted Peskov directly in January 2016 seeking help with a Trump business deal in Moscow (after Cohen received the email from Trump business associate Felix Sater saying “Our boy can become president of the USA and we can engineer it. I will get all of Putins team to buy in on this.”).

[snip]

Following the inauguration, Cohen was involved, again with Felix Sater, to engage in back-channel negotiations seeking a means to lift sanctions via a semi-developed Russian-Ukrainian plan (which also included the hand delivery of derogatory information on Ukrainian leaders) also fits with Orbis reporting related to Cohen.

Given that Sater’s publicly known links between mobbed up Russians and Trump go back a decade, why isn’t he mentioned in the dossier? And why does the dossier seemingly contradict these claims about an active Trump Tower deal?

Aras Agalarov and Rinat Akhmetshin

There are far more significant silences about two other Trump associates, Aras Agalarov and Rinat Akhmetshin.

To be fair, the dossier isn’t entirely silent about the former, noting in at one place that Agalarov would be the guy to go to to learn about dirt on Trump in Petersburg (elsewhere he could be a source).

Far, far more damning is the dossier’s silence (again, at least as a subject rather than source) about Akhmetshin. That’s long been one of the GOP complaints about the dossier — that Akhmetshin was closely involved with Fusion GPS on Magnitsky work in parallel with the Trump dossier, which (if Akhmetshin really is still tied to Russian intelligence) would provide an easy feedback loop to the Russians. The dossier’s silence on someone well known to Fusion GPS is all the more damning given the way that Sipher points to the June 9 meeting (which the dossier didn’t report, either) as proof that the dossier has been vindicated.

It was also apparently news to investigators when the New York Times in July 2017 published Don Jr’s emails arranging for the receipt of information held by the Russians about Hillary Clinton. How could Steele and Orbis know in June 2016 that the Russians were working actively to elect Donald Trump and damage Hillary Clinton?

[snip]

To take another example, the third Orbis report says that Trump campaign manager Paul Manafort was managing the connection with the Kremlin, and we now know that he was present at the June 9 2016 meeting with Donald Trump, Jr., Russian lawyer Natalia Veselnitskaya and Rinat Akhmetshin, who has reportedly boasted of his ties to ties and experience in Soviet intelligence and counterintelligence.  According to a recent New York Times story, “Akhmetshin told journalists that he was a longtime acquaintance of Paul J. Manafort.”

There’s no allegation that investigations didn’t know about June 2016 plan to hurt Hillary (indeed, the Guccifer 2.0 stuff that Sipher ignores was public to all). Rather they didn’t know — but neither did Fusion, who has an established relationship with Akhmetshin — about the meeting involving Akhmetshin. If you’re going to claim the June 9 meeting proves anything, it’s that the dossier as currently known has a big hole right in Fusion’s client/researcher list.

Sergey Kislyak

Which brings me — finally! — to Sipher’s weird treatment of Sergey Kislyak. Sipher argues (correctly) that Trump associates’ failure to report details of their contacts with Russians may support a conspiracy claim.

 Of course, the failure of the Trump team to report details that later leaked out and fit the narrative may make the Steele allegations appear more prescient than they otherwise might.  At the same time, the hesitancy to be honest about contacts with Russia is consistent with allegations of a conspiracy.

Of course, Trump’s folks have failed to report details of that June 9 meeting as well as meetings with Sergey Kislyak. Having now invested his vindication story on that June 9 meeting, he argues that reports about Kislyak (on which the NYT article he cites approvingly probably rely) are misguided; we need to look to that June 9 meeting intead.

It should be noted in this context, that the much-reported meetings with Ambassador Kislyak do not seem to be tied to the conspiracy. He is not an intelligence officer, and would be in the position to offer advice on politics, personalities and political culture in the United States, but would not be asked to engage in espionage activity.  It is likewise notable that Ambassador Kislyak receives only a passing reference in the Steele dossier and only having to do with his internal advice on the political fallout in the U.S. in reaction to the Russian campaign.

Of course, to determine if collusion occurred as alleged in the dossier, we would have to know if the Trump campaign continued to meet with Russian representatives subsequent to the June meeting.

This seems utterly bizarre. We know what happened after June 9, in part: Per Jared Kushner (who also is not mentioned in the dossier or Sipher’s column), immediately after the election Kislyak started moving towards meeting about Syria (not Ukraine). But in the process, Kushner may have asked for a back channel and at Kislyak’s urging, Kushner took a meeting with the head of a sanctioned bank potentially to talk about investments in his family’s debt-ridden empire. And all that is the lead-up to the Mike Flynn calls with Kislyak about sanctions relief which provide some of the proof that Trump was willing to deliver the quo that the dossier claims got offered for quids.

That latter story — of the meetings Kushner and Flynn did in the wake of the election and events that may have taken place since — is every bit as coherent a narrative as the Steele dossier or the entirely new narratives tied to the June 9 meeting (which Sipher claims are actually the Steele narrative).

Of course, neither is yet evidence of collusion. And that’s, frankly, what we as citizens should be after.

A narrative offered up by an intelligence contractor who was always trying to catch up to the central part of the story — the hack-and-leak — is not what we should be striving for. That’s why this dossier is probably mostly irrelevant to the Mueller probe, no matter how the GOP would like to insinuate the opposite. If there was collusion (or rather, coordination on all this stuff between the campaign and Russia), we should expect evidence of it. The Steele dossier, as I have noted, left out one of the key potential proofs of that, in spite of having ties with someone who attended the meeting.

All that said, it would be useful for someone responsible to respond to GOP criticisms and, where invented (such as with the claim that Steele paying sources diminishes its value), demonstrate that. It would be useful for someone to explain what we should take from the dossier.

Sipher didn’t do that, though. Indeed, his post largely suffers from the same bad analysis he accuses the media of.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

Guccifer 2.0: What about those DCCC and “Clinton Foundation” documents

In this post, I addressed one recent and one not-recent research finding pertaining to Guccifer 2.0 (I had already raised both of them, but I addressed them at more length). I pointed out the conclusions of the research itself (that Guccifer 2.0 put Russian metadata in the first documents he released intentionally, just as he had put the name Felix Dzerzhinsky in one; and that some files released by proxy in September were copied locally) were not that controversial and certainly don’t refute the Intelligence Community conclusion that Russia was behind these hacks.

I also pointed out something that came out of that and related research — the understanding that the documents Guccifer 2.0 first released weren’t the DNC documents released to WikiLeaks at all, and so had absolutely no bearing on the question of whether Guccifer 2.0 provided the DNC documents to WikiLeaks. The NYer’s Raffi Khatchadourian used that same data as part of his argument that Russia was clearly working with WikiLeaks.

Cui bono from DCCC documents

Not only does all this analysis focus on the DNC when it really should focus on Hillary documents, but it almost entirely ignores the later documents Guccifer 2.0. For example, here’s how Adam Carter dismisses the import of the DCCC documents in considering attribution.

The documents he posted online were a mixture of some from the public domain (eg. already been published by OpenSecrets.org in 2009), were manipulated copies of research documents originally created by Lauren Dillon (see attachments) and others or were legitimate, unique documents that were of little significant damage to the DNC. (Such as the DCCC documents)

The DCCC documents didn’t reveal anything particularly damaging. It did include a list of fundraisers/bundlers but that wasn’t likely to cause controversy (the fundraising totals, etc. are likely to end up on sites like OpenSecrets, etc within a year anyway). – It did however trigger 4chan to investigate and a correlation was found between the DNC’s best performing bundlers and ambassadorships. – This revelation though, is to be credited to 4chan. – The leaked financial data wasn’t, in itself, damaging – and some of the key data will be disclosed publicly in future anyway.

Even ignoring that some of these documents provided the DCCC’s views of races and candidates, the notion that data will one day become public in no way minimizes the value of having that data in time for an electoral race, which is what Guccifer 2.0’s release of them did.

Even Khatchadourian simply nods at what, given the timing, are likely the DCCC documents. After laying out what are suggestions of pressure Assange’s source is exerting on WikiLeaks in the early summer, he reveals that in August, Guccifer 2.0 considered leaking documents through Emma Best (who, notably, had just linked the Turkish emails that WikiLeaks would get blamed for at the end of July).

In mid-August, Guccifer 2.0 expressed interest in offering a trove of Democratic e-mails to Emma Best, a journalist and a specialist in archival research, who is known for acquiring and publishing millions of declassified government documents. Assange, I was told, urged Best to decline, intimating that he was in contact with the persona’s handlers, and that the material would have greater impact if he released it first.

Given the mid-August date, those emails are likely the DCCC emails that Guccifer 2.0 first announced on August 12 by publishing the contact information of members and their key staffers (one of the several things over the course of the operation that got suppressed by providers). While Khatchadourian doesn’t dwell on what happened to them instead of release via Best, it is significant: Guccifer 2.0 reached out to local journalists to report on the state-level data. That is, for a limited set of what must have been available at DCCC, a set focused on swing states (which, contrary to what Carter suggests, cannot be bracketed off from the top of the ticket in a presidential year), Guccifer 2.0 worked to magnify these documents too, with mixed success.

It’s hard to imagine why anyone associated with the Democratic party or Crowdstrike  — who both have been accused of being the real insiders behind the Wikileaks documents — would release those documents, no matter how uninteresting people outside of politics find them. Likewise, even the most bitter Bernie supporter would have little reason to help Republicans get elected to Congress. Leaking boring but useful documents that benefit just Republicans doesn’t even fit with the hacktivist persona Guccifer 2.0 presented as. That leaves GOPers, as well as the Russians if they were siding with the GOP, with sufficient motive to hack and leak them.

Moreover, given questions about whether Republicans incorporated data made available by Russia in their own data analysis, the release of these documents may have provided a way to do that while maintaining plausible deniability. This stuff could get more interesting now, given that Ron DeSantis, who benefitted from these state level leaks, wants to cut the Mueller investigation short.

What about Guccifer 2.0’s Clinton Foundation headfake?

Which brings us to some other still unexplained events from last year: Roger Stone’s promises that WikiLeaks would release the Clinton Foundation emails in early October. A lot gets missed in the public narrative of that period. Stone turned out to repeatedly promise files, only to be wrong, which (on its face, anyway) undermines Democratic accusations he was in cahoots with WikiLeaks. And ultimately, WikiLeaks didn’t publish the Clinton Foundation files; instead, it released the Podesta document that included excerpts of Hillary’s speeches. Though — again, contrary to what the Democrats now complain — those were completely drowned out by the Access Hollywood release. No one mentions, either, that Stone sort of sulked away, uninterested in WikiLeaks emails anymore, moving on to Bill Clinton rape allegations. What happened?

Here’s what I laid out in April.

CNN has a timeline of many of Stone’s Wikileaks related comments, which actually shows that in August, at least, Stone believed Wikileaks would release Clinton Foundation emails (a claim that derived from other known sources, including Bill Binney’s claim that the NSA should have all the Clinton Foundation emails).

It notes, as many timelines of Stone’s claims do, that on Saturday October 1 (or early morning on October 2 in GMT; the Twitter times in this post have been calculated off the unix time in the source code), Stone said that on Wednesday (October 5), Hillary Clinton is done.

Fewer of these timelines note that Wikileaks didn’t release anything that Wednesday. It did, however, call out Guccifer 2.0’s purported release of Clinton Foundation documents (though the documents were real, they were almost certainly mislabeled Democratic Party documents) on October 5. The fact that Guccifer 2.0 chose to mislabel those documents is worth further consideration, especially given public focus on the Foundation documents rather than other Democratic ones. I’ll come back to that.

Throughout the week — both before and after the Guccifer 2.0 release — Stone kept tweeting that he trusted the Wikileaks dump was still coming.

Monday, October 3:

Wednesday, October 5 (though this would have been middle of the night ET):

Thursday, October 6 (again, this would have been nighttime ET, after it was clear Wikileaks had not released on Wednesday):

On October 7, at 4:03PM, David Fahrenthold tweeted out the Access Hollywood video.

On October 7, at 4:32 PM, Wikileaks started releasing the Podesta emails.

Stone didn’t really comment on the substance of the Wikileaks release. In fact, even before the Access Hollywood release, he was accusing Bill Clinton of rape, and he continued in that vein after the release of the video, virtually ignoring the Podesta emails.

Two parts of this narrative now look very different, given what we know now. As noted, Kachadourian argues that Guccifer 2.0 served as a pressure point for WikiLeaks, pushing Assange to release things on the persona’s timeline. I’ve long been puzzled (for obvious reasons) by Guccifer 2.0’s response to my tweet, calling out his supposed October 4 release of Clinton Foundation documents as the bullshit it was.

There was no private conversation behind this — Guccifer 2.0 and I never spoke by DM. My guess is he chose to respond to my tweet because Glenn Greenwald immediately responded to me and took my debunking seriously, though Guccifer 2.0’s response was quick — within 45 minutes. And only after that tweet did he follow me. It was a rare unsolicited response to someone, and it was one of maybe three tweets he sent responding to a criticism. (Interesting side note: I realized when reviewing his tweets that a few of Guccifer 2.0’s tweets appear in Twitter’s count but are not visible.) In other words, Guccifer 2.0 apparently wanted to respond to my debunking, perhaps because Greenwald found them credible, thereby sustaining the claim he really had Clinton Foundation emails. But it happened at a time when Stone, too, was pushing WikiLeaks to release Clinton Foundation emails.

Now couple that information with the details of GOP rat-fucker Peter Smith’s attempt to hunt down Clinton Foundation emails. As Matt Tait describes, close to the July 22 release of the the DNC emails, Smith contacted him already having been contacted by someone who claimed to have copies of Hillary’s Clinton Foundation emails.

Over the course of a long phone call, he mentioned that he had been contacted by someone on the “Dark Web” who claimed to have a copy of emails from Secretary Clinton’s private server, and this was why he had contacted me; he wanted me to help validate whether or not the emails were genuine.

The WSJ explained that Smith could never authenticate any of the emails he got pitched, which is why they weren’t ever published, and recommended they be dealt to WikiLeaks.

So what if someone actually did deal those emails to WikiLeaks, authentic or not? What if Guccifer 2.0 somehow knew that? It would explain Stone’s certainty they’d come out, Guccifer 2.0’s attempt to claim he had them, and the back-and-forth in early October.

Incidentally, the latest stink in the right wing noise machine is that a guy trying to obtain more Hillary related emails via FOIA got denied because the public interest doesn’t outweigh Hillary’s privacy interests. [Deleted: this was one of the fake Assange accounts–thanks to  Arbed for heads up.] Assange claim he has duplicates.

To be clear, I don’t believe those are Clinton Foundation emails. But I find the possibility that Assange may still be getting and releasing materials damning to Hillary.

Guccifer 2.0’s other propaganda

Finally, it’s worth noting that these reassessments of Guccifer 2.0 largely look at the documents he released, out of context of the things he said.

I think that’s particularly problematic given this last two posts, which align with activities alleged to have ties to Russia. His second-to-last post was typically nonsensical (the FEC’s networks have nothing to do with vote counting). But it attributed any tampering with software to Democrats.

INFO FROM INSIDE THE FEC: THE DEMOCRATS MAY RIG THE ELECTIONS

I’d like to warn you that the Democrats may rig the elections on November 8. This may be possible because of the software installed in the FEC networks by the large IT companies.

As I’ve already said, their software is of poor quality, with many holes and vulnerabilities.

I have registered in the FEC electronic system as an independent election observer; so I will monitor that the elections are held honestly.

I also call on other hackers to join me, monitor the elections from inside and inform the U.S. society about the facts of electoral fraud.

We’ve since learned (most recently in this NYT piece) that there was more risk of tampering with the vote count than initially revealed. And no matter whether or not you believe the Russians did it, there is no credible reason why Democrats would target turnout that they needed to win the election. This message, Guccifer 2.0’s last before the election, could only serve to give pre-emptive cover for any tampering that did get discovered.

Finally, there’s Guccifer 2.0’s last post, bizarrely posted months after he seemed to be done, capitalizing on legitimate complaints about the first Joint Analysis Report released on December 29 to suggest the evidence implicating him as Russian is fake.

The technical evidence contained in the reports doesn’t stand up to scrutiny. This is a crude fake.

Any IT professional can see that a malware sample mentioned in the Joint Analysis Report was taken from the web and was commonly available. A lot of hackers use it. I think it was inserted in the report to make it look a bit more plausible.

But several things are interesting about this post (in addition to the way it coincided with what Shadow Brokers claimed was going to be his last post). In spite of using the singular “this” to refer to the “reports,” Guccifer 2.0 claims that several reports tie him to Russia.

The U.S. intelligence agencies have published several reports of late claiming I have ties with Russia.

But the JAR actually doesn’t mention him at all. What does mention him is the Intelligence Community Assessment.

We assess with high confidence that the GRU used the Guccifer 2.0 persona, DCLeaks.com, and WikiLeaks to release US victim data obtained in cyber operations publicly and in exclusives to media outlets.

Guccifer 2.0, who claimed to be an independent Romanian hacker, made multiple contradictory statements and false claims about his likely Russian identity throughout the election. Press reporting suggests more than one person claiming to be Guccifer 2.0 interacted with journalists.

Guccifer 2.0’s silence about the ICA is all the more interesting given that the post — dated January 12 and so immediately after the leak of the Steele dossier — doesn’t mention that, but says the Obama Administration would release more fake information in the coming week.

Certainly, those who believe Guccifer 2.0 is not Russian even while noting his many false claims will take this post as gospel. But it’s worth noting that it doesn’t actually refute the substance of the claims made about Guccifer 2.0, rather than Russia.

Reassessing the Role of Guccifer 2.0 Should Not Terrify Analysts

I’m glad folks are still poking around the Guccifer 2.0 documents, and applaud the openness of the researchers to respond to criticism. Frankly, it’s a model those who made initial claims about Guccifer 2.0 — most egregiously, that Cyrillic metadata in a document adopting the name of Felix Dzerzhinsky would not be every bit as intentional as that graffiti — should adopt. There were errors in the early analysis of the Guccifer 2.0 persona (such as the assumption he was publishing DNC documents), that, with hindsight, are more clear. One particularly annoying one is the logic that because Guccifer 2.0 got caught pretending to be Romanian — a claim he backed off of in his FAQ a week later in any case — he had to be Russian. The unwillingness to revise early analysis only feeds the distrust of the Russian attribution.

That said, in my opinion nothing about the new analysis undermines the claim of Russian attribution, and the majority of the known evidence does support it (and has since been backed — for example — by Facebook, which has its own set of global data to draw from).

Update: I thought Stone was involved in the Smith effort. This article describes him as chatting to Guccifer 2.0 at the direction of Smith.

“The magnitude of what he was trying to do was kind of impressive,” Johnson said. “He had people running around Europe, had people talking to Guccifer.” (U.S. intelligence agencies have linked the materials provided by “Guccifer 2.0”—an alias that has taken credit for hacking the Democratic National Committee and communicated with Republican operatives, including Trump confidant Roger Stone—to Russian government hackers.)

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

On the New (and Not-So New) Claims about Guccifer 2.0

The initial files released by the persona Guccifer 2.0 on June 15, 2016 included — in addition to graffiti paying tribute to Felix Dzerzhinsky, the founder of Russia’s secret police — metadata deliberately set to Cyrillic (the metadata had previously been interpreted, implausibly even at the time, to be a mistake).

And a file later released on September 13, 2016 purportedly from Guccifer 2.0 but released via a magnet site and never linked on his WordPress site, was probably copied, locally, to a Linux drive somewhere in the Eastern time zone on July 5, 2016; the files were then copied to a Windows file on September 1, 2016.

Those are the fairly uncontroversial findings from two separate research efforts that have recently renewed debate over whether the conclusion of the intelligence community, that Russia hacked the DNC, is valid.

I’m going to do a two part post on this issue.

What to Read

As you might be able to figure out, nothing about those two conclusions at all dictates that the Intelligence Community conclusions that Russia is behind the hack of Democratic targets are wrong. The reason they’re so controversial is because they’ve been used, in tandem, to support claims that the IC conclusion is wrong, first in a (to me) unconvincing letter by the Veteran Intelligence Professionals for Sanity (chiefly Bill Binney, Kirk Wiebe, Ed Loomis, and Ray McGovern), and then in some even sloppier versions, most notably at the Nation. In between the original analysis and these reports are some other pieces making conclusions about the research itself that are in no way dictated by the research.

In other words, it’s all a big game of telephone, some research going in the front end and a significantly distorted message coming out the back end.

So before I get into what the two studies do show, let’s talk about what you should read. The first argument has been made by Adam Carter at his G2-space, which is laudable as a resource for documents on Guccifer 2.0, no matter what you think of his conclusions. There’s a ton in there, not all of which I find as persuasive as the argument pertaining to the Russian metadata. Happily, he made two free-standing posts demonstrating the RSID analysis (one, two). I first discussed this analysis here.

The RSID analysis showing that the cyrillic in Guccifer 2.0’s documents was actually intentional relies, in part, on the work of someone else, posting under the name /u/tvor_22. His post on this is worthwhile not just for the way it maps out how people came to be fooled by the analysis,  but for the five alternative explanations he offers. In in no way think those five possibilities are comprehensive, but I appreciate the effort to remain open about what conclusions might be drawn from the evidence.

Between those three posts, they show that the first five documents released by Guccifer 2.0 were all copied into one with certain settings set, deliberately, to the Russian language. That’s the first conclusion.

The forensics on copying was done by a guy posting under the name The Forensicator, whose main post is here. Note his site engages in good faith with the rebuttals he has gotten, so poke around and see how he responds.  He argues a bunch of things, most notably that the first copy of files released in September was copied locally back in July, perhaps from a computer networked to the host server. That analysis doesn’t rule out that the data was on some server outside of the DNC. I raised one concern about this analysis here.

Finally, for a more measured skeptical take — from someone also associated with VIPS who did not join in their letter — see Scott Ritter’s take. I don’t agree with all of that either, but I think a second skeptical view is worthwhile.

All of which is to say if you want to read the analysis — rather than conclusions that I think go well beyond the analysis — read the analysis. Assuming both are valid (again, I think the RSID case is stronger than the copying one), the sole conclusions I’d draw from them is that the Guccifer 2.0 figure wanted to be perceived as a Russian — something he succeeded in doing through far more than just metadata, though the predispositions of researchers and the press certainly made it easy for him. And, some entity that may associated with Guccifer 2.0 (but may also be a proxy)  is probably in the Eastern Time Zone, possibly (though not definitely) close to the DNC (or some other target server). That’s it. That’s what you need to explain if you believe both pieces of analysis.

Whatever explanation you use to explain the inclusion of Iron Felix in the documents (which is consistent with graffiti left in the hacked servers) would be the same one you use to explain why the metadata was set to Cyrillic; the IC and people close to the hack have explained that the hackers liked to boast. And the only explanation you need for the local copy is that someone associated with the Russians was close to DC, such as at the Maryland compound that got shut down.

Guccifer and the DNC … or DCCC … or Hillary

Since we’re examining these claims, there’s another part of the presentation on the RSID data (and Carter’s site generally), that deserves far more prominent mention than the current debate has given, because it undermines the framing of the debate. We’ve been arguing for a year about Russia’s tie to Guccifer 2.0 based on the persona’s claim to have provided DNC documents to WikiLeaks. But the documents originally released in the initial weeks by Guccifer 2.0 were, by and large, not DNC documents. As far as I know/u/tvor_22 was the first to note this. He describes that the Trump document first leaked only appears via other sources as an attachment to a Podesta email, though there are alterations in the metadata, as are three of the others, with the fifth coming from an unidentified source.

Let’s take the very first document posted by Guccifer2.0, which some security researchers have cited as ‘an altered document not properly sanitised.’ If we diff the raw copy — pasted into text documents — of both the original Trump document found in the Podesta emails and the Guccifer 2.0 version, ignoring white-spaces and tabs (diff -w original.txt altered.txt):

  • the table of contents has been re-factored.
  • many of the links are naked in the Guccifer2.0 version. (Naked as in not properly behind link titles, indicating Guccifer2.0’s version may have been an earlier draft.)
  • the error messages are in Russian.
  • None of the above quirks could be found in comparing 2,3, or 5.doc to their originals (100% textually equivalent). 4.doc could not be found on WikiLeaks for a comparison.

None of the textual content in any of these four ‘poorly sanitised’ documents has been altered, removed, or doctored. In other words all the differences you would expect from a copy and paste from one editor to another. So why bother copy and pasting into a new document at all? I wonder.

[1.doc’s original, 2.doc’s original, 3.doc’s original, 5.doc’original. 4.doc could not be found in Wikileaks. The bare texts of 2,3, and 5 are checksum equivalent.]

G2-space has posted an expansion of this analysis, by JimmysLlama. It provides a list for where the first 40 documents (covering Guccifer 2.0’s first two WordPress posts) can — or cannot — be found. The source for (roughly) half remains unidentified, the other half came from Podesta’s emails. At the very least, that reporting makes it clear that even for documents claimed (falsely) to be DNC documents, Guccifer had a broader range of documents than what WikiLeaks published.

That explains reporting from last summer that indicated the FBI wasn’t sure if WikiLeaks’ documents had come from Russia/Guccifer 2.0.

The bureau is trying to determine whether the emails obtained by the Russians are the same ones that appeared on the website of the anti-secrecy group WikiLeaks on Friday, setting off a firestorm that roiled the party in the lead-up to the convention.

The FBI is also examining whether APT 28 or an affiliated group passed those emails to WikiLeaks, law enforcement sources said.

Now we know why: because they weren’t the same set of files as had been taken from the DNC (though the FBI did already know some Hillary staffers had been hacked.) See this post from last summer, in which I explore that and related questions.

The detail that Guccifer 2.0 was actual posting Hillary, not DNC, documents is somewhat consistent with what John Podesta has said. He revealed that he recognized an early “DNC” document probably came from his email.

And other campaign officials also had their emails divulge earlier than October 7th. But in one of those D.N.C. dumps, there was a document that appeared to me was– that appeared came– might have come from my account.

Podesta he has always been squirrelly about thus stuff and probably has reason to hide that the Democrats’ claims that Guccifer 2.0 was releasing DNC documents were wrong (indeed, that’s something that would be far more supportive of skeptics’ alternative theories than this Guccifer 2.0 data, but it’s also easily explained by Democrats’ understandable choices to minimize their exposure last summer). Importantly, Podesta also suggests that “other campaign officials also had their emails divulged earlier than October 7th,” without any suggestion that that is just via DC Leaks.

On top of a lot of other implications of this, it shifts the entire debate about whether Guccifer 2.0 was WikiLeaks’ source, which has always focused on whether the documents leaked on July 22 came from Guccifer 2.0. Regardless of what you might conclude about that, it shifts the question to whether the Podesta emails WikiLeaks posted came from Guccifer 2.0, because those are the ones where there’s clear overlap. Russia’s role in hacking Podesta has always been easier to show than its role in hacking the DNC.

It also shifts the focus away from whether FBI obtained enough details from the DNC server via the forensic image it received from Crowdstrike to adequately assess the culprit. Both the DNC and Hillary (as well as the DCCC) servers are important. Though those that squawk about this always seem to miss that FBI, via FireEye, disagreed with Crowdstrike on a key point: the degree to which the two separate sets of hackers coordinated in targeted servers; I’ve been told by someone with independent knowledge that the FBI read is the correct one, so FBI certainly did their own assessment of the forensics and may have obtained more accurate results than Crowdstrike (I’ve noted elsewhere that public IC statements make it clear that not all public reports on the Russian hacks are correct).

In other words, given that the files that Guccifer 2.0 first leaked actually preempted WikiLeaks’ release of those files by four months, what you’d need to show about the DNC file leaks is something entirely different than what has been shown.

New Yorker’s analysis on coordination

That’s a task Raffi Khatchadourian took on, using an analysis of what got published when, to argue that Russia is WikiLeaks’ source in his recent profile of Assange (I don’t agree with all his logical steps, particularly his treatment of the relationship between Guccifer 2.0 and DC Leaks, but in general my disagreements don’t affect his analysis about Russia).

Throughout June, as WikiLeaks staff worked on the e-mails, the persona had made frequent efforts to keep the D.N.C. leaks in the news, but also appeared to leave space for Assange by refraining from publishing anything that he had. On June 17th, the editor of the Smoking Gun asked Guccifer 2.0 if Assange would publish the same material it was then doling out. “I gave WikiLeaks the greater part of the files, but saved some for myself,” it replied. “Don’t worry everything you receive is exclusive.” The claim at that time was true. None of the first forty documents posted on WordPress can be found in the WikiLeaks trove; in fact, at least half of them do not even appear to be from the D.N.C., despite the way they were advertised.

But then, on July 6th, just before Guccifer 2.0 complained that WikiLeaks was “playing for time,” this pattern of behavior abruptly reversed itself. “I have a new bunch of docs from the DNC server for you,” the persona wrote on WordPress. The files were utterly lacking in news value, and had no connection to one another—except that every item was an attachment in the D.N.C. e-mails that WikiLeaks had. The shift had the appearance of a threat. If Russian intelligence officers were inclined to indicate impatience, this was a way to do it.

On July 18th, the day Assange originally planned to publish, Guccifer 2.0 released another batch of so-called D.N.C. documents, this time to Joe Uchill, of The Hill. Four days later, after WikiLeaks began to release its D.N.C. archive, Uchill reached out to Guccifer 2.0 for comment. The reply was “At last!”

[snip]

Whatever one thinks of Assange’s election disclosures, accepting his contention that they shared no ties with the two Russian fronts requires willful blindness. Guccifer 2.0’s handlers predicted the WikiLeaks D.N.C. release. They demonstrated inside knowledge that Assange was struggling to get it out on time. And they proved, incontrovertibly, that they had privileged access to D.N.C. documents that appeared nowhere else publicly, other than in WikiLeaks publications. The twenty thousand or so D.N.C. e-mails that WikiLeaks published were extracted from ten compromised e-mail accounts, and all but one of the people who used those accounts worked in just two departments: finance and strategic communications. (The single exception belonged to a researcher who worked extensively with communications.) All the D.N.C. documents that Guccifer 2.0 released appeared to come from those same two departments.

The Podesta e-mails only make the connections between WikiLeaks and Russia appear stronger. Nearly half of the first forty documents that Guccifer 2.0 published can be found as attachments among the Podesta e-mails that WikiLeaks later published. Moreover, all of the hacked election e-mails on DCLeaks appeared to come from Clinton staffers who used Gmail, and of course Podesta was a Clinton staffer who used Gmail. The phishing attacks that targeted all of the staffers in the spring, and that targeted Podesta, are forensically linked; they originated from a single identifiable cybermechanism, like form letters from the same typewriter. SecureWorks, a cybersecurity firm with no ties to the Democratic Party, made this assessment, and it is uncontested.

Now, I’d like to see the analysis behind this publicly. It should be expanded to include all the documents leaked by Guccifer 2.0. It should include more careful analysis of the forensics behind the phishes (security companies have done this, but have not shown all their work). Moreover, it doesn’t rule out a piggyback hack, though given that Guccifer 2.0 was leaking Hillary emails from the start, it’s unclear how that piggyback would work. All that said, it provides a circumstantial case that these were the same two sets of documents.

Khatchadourian doesn’t dwell on something he alluded to here, which is that all the DNC documents were email focused, collected from just 10 mailboxes. That’s the nugget that, I suspect, Assange will point to (and may have shared with Dana Rohrabacher) in an effort to rebut the claims his source was Russia (one thing Khatchadourian gets wrong is what Craig Murray said about two different sources for WikiLeaks, but then he points to a WikiLeaks claim they got the emails in late summer and September 19 date on all of them — not long before Murray picked something up in DC — so that’s another area worth greater focus). For now, I’ll bracket that, but while I suspect it points to really interesting conclusions, I don’t think it necessarily undermines the claim that Russia was Assange’s source. More importantly, none of the things people are pointing to in this new analysis — the metadata in files released by Guccifer 2.0, the metadata in files released on a magnet site but never directly by Guccifer 2.0 — affects the analysis of how completely unrelated emails got to WikiLeaks at all.

All of which is to say that the these two pieces of analysis actually miss the far more interesting analysis that got done with it.

Update: Turns out the Nation issued a correction today, which reads in part,

Subsequently, Nation editors themselves raised questions about the editorial process that preceded the publication of the article. The article was indeed fact-checked to ensure that Patrick Lawrence, a regular Nation contributor, accurately reported the VIPS analysis and conclusions, which he did. As part of the editing process, however, we should have made certain that several of the article’s conclusions were presented as possibilities, not as certainties. And given the technical complexity of the material, we would have benefited from bringing on an independent expert to conduct a rigorous review of the VIPS technical claims.

It added an outside analysis by Nathanial Freitas of the two reports, a rebuttal from VIPS members who did not join the letter, and a response from those who did. Freitas provides a number of other possibilities to get the throughput observed by Forensicator. The VIPS dissenters raise some of the same points I do, including that this server may be somewhere outside of DNC.

It is important to note that it’s equally plausible that the cited July 5, 2016, event was carried out on a server separate from the DNC or elsewhere, and with data previously copied, transferred, or even exfiltrated from the DNC.

However, independent of transfer/copy speeds, if the data was not on the DNC server on July 5, 2016, then none of this VIPS analysis matters (including the categorically stated fact that the local copy was acquired by an insider) and simply undermines the credibility of any and all analysis in the VIPS memo when joined with this flawed predicate.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.