Government Decides Reality Winner Leaked Just One Document After All

Back in June, I noted that one of the reasons the government convinced a judge to deny Reality Winner bail was that she had leaked documents, plural.

There’s no written record for this yet, but it appears from one of the less-shitty reports on the hearing that the claim is based on three things: First, Winner stuck a thumb drive in a Top Secret computer last year.

Winner inserted a portable hard drive in a top-secret Air Force computer before she left the military last year. She said authorities don’t know what happened to the drive or what was on it.

Second, because Solari portrayed the 25-year-old translator’s knowledge as a danger unto itself (more ridiculously, she painted Winner’s knowledge of Tor — which Winner didn’t use to look up sensitive information — as a means by which she might flee).

“We don’t know how much more she knows and how much more she remembers,” Solari said. “But we do know she’s very intelligent. So she’s got a lot of valuable information in her head.”

And finally, because Winner told her mother, in a conversation from jail that was recorded, that she was sorry about the documents, plural.

Solari said Winner also confessed to her mother during a recorded jailhouse phone call, saying: “Mom, those documents. I screwed up.”

Solari apparently emphasized the latter point as a way to suggest Winner might still have documents to leak.

Solari stressed that Winner referred to “documents” in the plural, and that federal agents were looking to see whether she may have stolen other classified information.

The idea is that because Winner used the plural and she only leaked one document, there must be more she’s planning on leaking.

Except that doesn’t appear right.

It appears Winner actually already leaked two documents. [my emphasis]

I showed that Winner actually leaked two documents to the Intercept.

Curiously, it appears the prosecutor in this case, Jennifer Solari, has changed her mind. Attached to a motion to reconsider bail, Winner’s lawyers have noted that weeks after claiming Winner had to be jailed because she told her mom she had stolen multiple documents, Solari listened to the transcript and decided Winner only referred to a document, singular.

The following is new evidence that was not available at the time of the initial detention hearing (and could not have reasonably been available given the mere three days between the initial appearance and detention hearing), all of which have a material bearing on the issue of release.

• While repeatedly alleging that Ms. Winner disclosed numerous “documents” at the initial detention hearing—a fact that the Court specifically noted in its findings to support detention the Government has, via email to this Court, retracted those assertions. The Government now alleges there was only one document, rather than numerous documents, at issue. [See Exhibit A (email correspondence from Assistant United States Attorney Jennifer Solari to defense counsel and the Court dated June 29, 2017); Doc. 29 p. 105; see also Doc. 72].

In her email informing the defense of this, Solari explained,

Before the hearing, I had only heard a portion of the call in which the defendant asked her mother to “play that angle” regarding the alleged circumstances of her FBI interview. I proffered information about the other jail calls based upon verbal summaries I was provided by the FBI just before the hearing. Now that I’ve heard the recordings myself, I’d like to clarify some of the information for the court and counsel.

Solari goes on to suggest that another correction — regarding why Winner had her mom transfer money — came from an inference the FBI agent made.

I’m glad Solari corrected these issues — prosecutors often double down in such instances. I’d certainly scrutinize the other claims made by the FBI agents in the case after this.

Apparently, the government also left other details out of its story when painting Winner as an opsec genius to deny her bail. For example, in addition to pointing out how many people use Tor, her lawyers revealed that she had used it to access Wikileaks once.

The Government failed to explain, however, that Ms. Winner told the Government during her interrogation on June 3, 2017, that she used Tor once for looking at WikiLeaks.

It also notes that the superseding indictment still just charges Winner for the one document.

Finally, it compares her treatment with all of the other alleged leakers who got bail (including David Petraeus).

It’s unclear whether this will win her release. But it certainly suggests the government overstated her threat in her bail hearing.

The Mark Zaid Materials from the Jeffrey Sterling Trial

Because he just formed a new whistleblower group with John Napier Tye, there has been renewed interest in allegations an FBI Agent made during the Jeffrey Sterling case about attorney Mark Zaid. But there was actually a second detail regarding Zaid released just after the trial that has not been publicly reported: Zaid was interviewed by the FBI, twice, and was even interviewed before Sterling himself was.

I asked Zaid whether he was obligated to do the FBI interviews on Twitter but got no response. I think it’s possible FBI asked to interview him as much because the Senate Intelligence Committee was refusing to cooperate in the investigation as anything else; at the time, FBI considered SSCI staffer Bill Duhnke a more likely suspect than Sterling (and it’s not clear they ever ruled him out).

Let me be clear: I’m posting these materials to make the full context of them accessible. Zaid has not explained these, but he has promised repeatedly there is an explanation for them. As noted, there may be a perfectly logical explanation that has as much to do with Senate privileges as it does with attorney-client.

In any case, these materials are just what was directly related to the criminal case. The criminal investigation actually interacted with events in Sterling’s EEO lawsuit — which is what Zaid was primarily representing Sterling on in 2003 — in even more interesting ways I may return to.

Special Agent Ashley Hunt’s accusations

The following accusation came in prosecutor Eric Olshan’s redirect of Ashley Hunt, the FBI witness in the trial, after Sterling’s lawyers had demonstrated that the investigation was narrowly focused on Sterling without questioning some of the other possible witnesses in the case.

Q. When you initiated the investigation, I believe you testified it was in April of 2003?

A. That’s correct.

Q. At the time when you initiated your investigation concerning unauthorized disclosure of classified information to James Risen, did you learn any information regarding Mark Zaid and Mr. Krieger that, that directed your investigation?

A. I did.

MR. MAC MAHON: Your Honor, objection. That door was not opened as to Mr. Sterling’s prior lawyers.

MR. OLSHAN: Your Honor, this is about why —

THE COURT: Again, the scope of the investigation, what was done and not done, was clearly part of the cross. I’m going to allow it, excuse me, on redirect; and if there needs to be recross on that, you’ll be allowed to. Go ahead.

MR. MAC MAHON: Thank you, Your Honor.

BY MR. OLSHAN: Q. What did you learn at the outset of your investigation about information from Mr. Krieger and Zaid that helped you direct your investigation and focus it?

A. When I opened my investigation on April 8, 2003, my investigation was based on a report I received from the CIA dated April 7, 2003. In that report, the CIA provided information about the fact —

MR. MAC MAHON: Your Honor, that’s hearsay.

THE COURT: Wait.

MR. OLSHAN: Your Honor, this is not for the truth. It’s why she took the actions.

THE COURT: It explains why she is acting, takes the investigative tacks that she does, so I’m going to overrule the objection. It’s not hearsay.

BY MR. OLSHAN: Q. You may continue, Special Agent Hunt.

A. The CIA advised that on February 24, 2003, it was contacted by Mark Zaid and Roy Krieger. They told the CIA on February 24 that a client of theirs had contacted them on February 21, 2003, and that that client, that unnamed client at the time voiced his concerns about an operation that was nuclear in nature, and he threatened to go to the media.

Q. Did you later learn who that client was from Mr. Zaid and Mr. Krieger in the course of your investigation?

A. I did.

Q. Did those facts help you focus the direction of your investigation?

A. They did.

Q. And who did you learn was the client of Mr. Krieger and Mr. Zaid?

A. Jeffrey Sterling.

On recross, Sterling lawyer Edward McMahon worked to undercut the revelation by having Hunt describe how, when she wrote up a memo on the case on April 12, 2003, she believed it unlikely he was the leaker.

Q. Okay. And you had written about Mr. Sterling in 2003, hadn’t you, the same time you’re telling in answer to Mr. Olshan’s questions that you were hearing some hearsay about Mr. Sterling’s lawyers?

A. I’m sorry, what’s the question?

Q. You said you had heard some hearsay that Mr. Sterling’s lawyers were talking about him at the CIA, correct?

A. What I said is that his attorneys went to the CIA on February 24. At that time, they did not name Jeffrey Sterling.

Q. All right. But on April 12 of 2003, you wrote a memo about Mr. Sterling, and you said that it was unlikely that it was Mr. Sterling who was the leak, correct?

A. If I wrote that at that time, then that was based on the information I had at that time.

Q. Right. You said that it’s unlikely that someone who has already attempted to settle an EEO lawsuit for a few hundred thousand dollars would choose to attack and enrage the organization from which he seeks but has not yet received a settlement. That’s your writing, isn’t it?

A. I don’t know. You haven’t shown me the document.

Q. And you also in the same document dismiss your concerns about Mr. Zaid and Krieger, correct? You don’t remember that?

A. I don’t know. It was 12 years ago.

Q. And in the last 12 years, you still haven’t come up with any proof that Mr. Sterling ever talked to Mr. Risen about Classified Program No. 1 or Merlin, right?

A. Correct.

Thus far, the timeline looks like this:

February 21: Alleged contact between Sterling and Zaid (not stated whether this is phone call or email, which would show up in call records available with a relevance standard)

February 24: Alleged call from Zaid and his partner warning that one of their clients would leak

April 7: CIA referral includes their claim about Zaid call

April 8: Hunt opens investigation

April 12: Hunt writes memo dismissing likelihood that Sterling is leaker

The FBI Interview Dates

Now consider the dates of the 2003 FBI 302s included in these two CIPA letters (the names with the first initial last name are CIA witnesses; it’s unclear whether that’s true of the entirely redacted names).

April 12: Redacted name

April 12: Robert J. E

April 12: Bob S

April 13: Redacted name

April 13: Redacted name

April 14: Bill H (almost certainly Bill Harlow, CIA’s then spox)

April 18: Mark Zaid (three page 302)

April 28: Bill H (again, almost certainly Harlow)

May 7: Redacted name

May 9: Redacted name

June 19: Sterling

June 26: Bob S (Sterling’s supervisor)

July 18: Redacted name

July 21: Thomas H

August 1: David C

August 13: Redacted name

August 14: Diane F

That is, the memo where Hunt said she didn’t think Sterling was the leaker was written either before she had done any interviews, or after she had done just the first CIA ones (including with Sterling’s boss, who definitely blamed Sterling). The first round of interviews appears to be primarily or all CIA witnesses.

And the next interview — at least among those that Sterling’s defense thought they might use at trial — was Zaid. Zaid’s interview, in fact, was months before Sterling’s. The second letter shows a second Zaid interview on September 2, 2010.

To emphasize: Sterling’s lawyers requested these FBI interviews be available for trial, not the prosecution. It’s unclear whether they did that because the interviews would have helped them, or because (as was the case with virtually all the other witnesses) they thought they might need to draw on those interviews for cross-examination.

But unless there’s some wildly egregious error in these files, Mark Zaid did two interviews with the FBI before he — obligated by subpoena, he said repeatedly — testified before the grand jury on September 22, 2010.

SSCI Plays Hardball with Michael Cohen’s Attempt to Distract from Trump Tower Deal

Just before it was supposed to start, SSCI canceled Michael Cohen’s private interview with the committee. They did so, per a statement from Richard Burr and Mark Warner, because Cohen broke an agreement not to talk to the press by releasing what has generally been described as “his statement” to the press beforehand.

We were disappointed that Mr. Cohen decided to pre-empt today’s interview by releasing a public statement prior to his engagement with Committee staff, in spite of the Committee’s requests that he refrain from public comment. As a result, we declined to move forward with today’s interview and will reschedule Mr. Cohen’s appearance before the Committee in open session at a date in the near future. The Committee expects witnesses in this investigation to work in good faith with the Senate.

But in point of fact, what got published as his “statement” was not the entirety of it. Close to the end of the “statement” is this paragraph, alluding to a further two page statement on the Trump Tower deal that somehow didn’t get leaked.

I assume we will discuss the rejected proposal to build a Trump property in Moscow that was terminated in January of 2016; which occurred before the Iowa caucus and months before the very first primary. This was solely a real estate deal and nothing more. I was doing my job. I would ask that the two-page statement about the Moscow proposal that I sent to the Committee in August be incorporated into and attached to this transcript.

Other than that paragraph, mind you, Cohen’s statement closely parallels the letter to HPSCI Cohen released last month after spending a week distracting from and pre-empting the Trump Tower story. Both deny the allegations in the Christopher Steele dossier, and try to suggest that if he is found innocent of those allegations, then HPSCI and/or SSCI must issue a statement exonerating him.

In other words, with both committees, Cohen has manipulated the press so as to set a narrative about his testimony, a narrative that treats the Steele dossier as the entirety of his expose, rather than the now far more interesting (and interestingly timed) real estate deal.

Four days ago, Michael Cohen (or the Trump Organization) pre-empted revelations that would leak as soon as he turned over a third tranche of documents to the House Intelligence Committee by revealing a seemingly damning detail from it: along with Trump’s associate Felix Sater, Cohen was pursuing a Trump Tower deal in Moscow well after Trump’s campaign was in full swing. Sure enough, more damning information was still to come: Sater somehow imagined the deal — whatever it was — would get Trump elected. Then still more damning information: in January 2016, Cohen reached out to trusted Putin aide Dmitry Peskov to push for help on the deal. That’s when Cohen began to not recall precisely what happened, and also ignore questions about why he hadn’t told Trump about this call, unlike the other actions he took on this deal.

[snip]

All that said, the way in which Cohen has orchestrated this disclosure — up to and including his failures to recall and answer obvious questions — is either great lawyering and/or a sign that this earlier deal making is a real problem.

Of course, Burr and Warner were having none of this narrative scene setting and so now will force Cohen to testify publicly.

Cohen is sure spending a lot of time orchestrating distractions from this property deal. A pity for him his second attempt didn’t work as well as the first one.

[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

Shadow Brokers and the “Second Source”

When I emphasized Der Spiegel’s reporting on TAO in this post on the tool for which Shadow Brokers recently released a manual, UNITEDRAKE, I was thinking along the same lines Electrospaces was here. Electrospaces lays out a universe of documents and reporting that doesn’t derive from Edward Snowden leaked documents, notes some similarity in content (a focus on NSA’s Tailored Access Operations), and the inclusion of documents from NSA’s San Antonio location. From that, Electrospaces posits that Shadow Brokers could be “identical with the Second Source.”

With the documents published by the Shadow Brokers apparently being stolen by an insider at NSA, the obvious question is: could the Shadow Brokers be identical with the Second Source?

One interesting fact is that the last revelation that could be attributed to the second source occurred on February 23, 2016, and that in August of that year the Shadow Brokers started with their release of hacking files. This could mean that the second source decided to publish his documents in the more distinct and noticeable way under the guise of the Shadow Brokers.

But there’s probably also a much more direct connection: the batch of documents published along with Der Spiegel’s main piece from December 29, 2013 include a presentation about the TAO unit at NSA’s Cryptologic Center in San Antonio, Texas, known as NSA/CSS Texas (NSAT):


TAO Texas presentation, published by Der Spiegel in December 2013

And surprisingly, the series of three slides that were released by the Shadow Brokers on April 14 were also from NSA/CSS Texas. They show three seals: in the upper left corner those of NSA and CSS and in the upper right corner that of the Texas Cryptologic Center:

TAO Texas slide, published by the Shadow Brokers in April 2017

NSA/CSS Texas

It’s quite remarkable that among the hundreds of NSA documents that have been published so far, there are only these two sets from NSA/CSS Texas, which is responsible for operations in Latin America, the Caribbean, and along the Atlantic littoral of Africa in support of the US Southern and Central Commands.

Besides the one in San Antonio, Texas, NSA has three other regional Cryptologic Centers in the US: in Augusta, Georgia, in Honolulu, Hawaii and in Denver, Colorado. These four locations were established in 1995 as Regional Security Operations Centers (RSOC) in order to disperse operational facilities from the Washington DC area, providing redundancy in the event of an emergency.

So far, no documents from any of these regional centers have been published, except for the two from NSA/CSS Texas. This could be a strong indication that they came from the same source – and it seems plausible to assume that that source is someone who actually worked at that NSA location in San Antonio.

Frankly, I’m skeptical of the underlying reports that Shadow Brokers must be a disgruntled NSA employee or contractor, which derives in part from the conclusion that many of the files released include documents that had to be internal to NSA, and in part from this report that says that’s the profile of the suspect the government is looking for.

The U.S. government’s counterintelligence investigation into the so-called Shadow Brokers group is currently focused on identifying a disgruntled, former U.S. intelligence community insider, multiple people familiar with the matter told CyberScoop.

Sources tell CyberScoop that former NSA employees have been contacted by investigators in the probe to discover how a bevy of elite computer hacking tools fell into the Shadow Brokers’ possession.

Those sources asked for anonymity due to sensitivity of the investigation.

While investigators believe that a former insider is involved, the expansive probe also spans other possibilities, including the threat of a current intelligence community employee being connected to the mysterious group.

The investigatory effort is being led by a combination of professionals from the FBI, National Counterintelligence and Security Center (NCSC), and NSA’s internal policing group known as Q Group.

It’s not clear if the former insider was once a contractor or in-house employee of the secretive agency. Two people familiar with the matter said the investigation “goes beyond” Harold Martin, the former Booz Allen Hamilton contractor who is currently facing charges for taking troves of classified material outside a secure environment.

The report clearly suggests (and I confirmed with its author, Chris Bing) that the government is still testing out theories, and that the current profile (or the one they were chasing in July) happens to be an insider of some sort, but that they didn’t have a specific insider in mind as the suspect.

There are a number of reasons I’m skeptical. First, part of that theory is based on Shadow Brokers making comments about Jake Williams that reflect some inside knowledge about an incident that happened while he was at NSA (Shadow Brokers has deleted most of his tweets, but they’re available in this superb timeline).

trying so hard so  helping out…you having big mouth for former  member what was name of.

leak OddJob? Windows BITS persistence? CCI? Maybe not understand gravity of situation USG investigating members talked to Q group yet

theshadowbrokers ISNOT in habit of outing  members but had make exception for big mouth, keep talking shit  your next

Even there, Shadow Brokers was falsely suggesting that Matt Suiche, who’s not even an American citizen, might be NSA. But things got worse in June, when Shadow Brokers thought he had doxed @drwolfff as a former NSA employee, only to have @drwolfff out himself as someone else entirely (see this post, where Shadow Brokers tried to pretend he hadn’t made a mistake). So Shadow Brokers has been wrong about who is and was NSA more often than he has been right.

Another reason I doubt he’s a direct insider is because when he posted the filenames for Message 6, he listed a good many of the files as “unknown.” (Message 6 on Steemit, archived version)

That suggests that even if Shadow Brokers had some insider role, he wasn’t using these particular files directly (or didn’t want to advertise them as what they were).

And because I’m not convinced that Shadow Brokers is, personally, an insider, I’m not convinced that he necessarily is (as Electrospaces argues) “identical with the Second Source.”

Rather, I think it possible that Jacob Appelbaum and Shadow Brokers have a mutually shared source. That’s all the more intriguing given that Wikileaks once claimed that they had a copy of at least the first set of Shadow Brokers files, which Shadow Brokers recalled in January, and that Julian Assange released an insurance file days after Guccifer 2.0 first started posting hacked Democratic documents (see this post on the insurance file and this one on Shadow Brokers calling out WikiLeaks for hoarding that document).

Maybe they’re all bullshitting. But given Electrospaces’ observation that some of the files (covering intercepts of US allies, often pertaining to trade deals) for which there is no known source went straight to WikiLeaks, I think a shared source is possible.

All that said, there’s one more detail I’d add to Electrospaces’ piece. As noted, he finds the inclusion, in both the Shadow Brokers and the Appelbaum files, of documents from NSA’s San Antonio location to be intriguing. So do I.

Which is why it’s worth noting that that location is among the three where — as late as the first half of 2016 — a DOD Inspector General audit found servers and other sensitive equipment unlocked.

An unlocked server would in no way explain all of the files included even in a narrowly scoped collection of “Second Source” files. But it would indicate that the San Antonio facility was among those that wasn’t adequately secured years after the Snowden leaks.

Twitter Asked to Tell Reality Winner the FBI Had Obtained Her Social Media Activity

Last week, the Augusta Chronicle reported that the government had unsealed notice that it had obtained access to Reality Winner’s phone and social media metadata. Altogether, the government obtained metadata from her AT&T cell phone, two Google accounts, her Facebook and Instagram accounts, and her Twitter account. Of those providers, it appears that only Twitter asked to tell Winner the government had obtained that information. The government obtained the 2703(d) order on June 13. On June 26, Twitter asked the FBI to rescind the non-disclosure order. In response, FBI got a 180-day deadline on lifting the gag; then on August 31, the FBI asked the court to unseal the order for Twitter, as well as the other providers.

The applications all include this language on Winner’s use of Tor, and more details about using a thumb drive with a computer last November.

During the search of her home, agents found spiral-bound notebooks in which the defendant had written information about setting up a single-use “burner” email account, downloading the TOR darkweb browser at its highest security setting, and unlocking a cell phone to enable the removal and replacement of its SIM card. Agents also learned, and the defendant admitted, that the defendant had inserted a thumb drive into a classified computer in November 2016, while on active duty with the U.S. Air Force and holding a Top Secret/SCI clearance. The defendant claimed to have thrown the thumb drive away in November 2016, and agents have not located the thumb drive.

Given that the FBI applied for and eventually unsealed the orders in all these cases, it provides a good way to compare what the FBI asks for from each provider — which gives you a sense of how the FBI actually uses these metadata requests to get a comprehensive picture of all the aliases, including IP addresses, someone might use. The MAC and IP addresses, in particular, would be very valuable to identify any of her otherwise unidentified device and Internet usage. Note, too, that AT&T gets asked to share all details of wire communications sent using the phone — so any information, including cell tower location, an app shares with AT&T would be included in that. AT&T, of course, tends to interpret surveillance requests broadly.

Though note: the prosecutor here pretty obviously cut and pasted from the Google request for the social media companies, given that she copied over the Google language on cookies in her Twitter request.

AT&T

AT&T Corporation is required to disclose the following records and other information, if available, to the United States for each Account listed in Part I of this Attachment, for the time period beginning June 1, 2016, through and including June 7, 2017:

A. The following information about the customers or subscribers of the Account:
1. Names (including subscriber names, user names, and screen names);
2. Addresses (including mailing addresses, residential addresses, business addresses, and e-mail addresses);
3. Local and long distance telephone connection records;
4. Records of session times and durations, and the temporarily assigned network addresses (such as Internet Protocol (“IP”) addresses) associated with those sessions;
5. Length of service (including start date) and types of service utilized;
6. Telephone or instrument numbers (including MAC addresses, Electronic Serial Numbers (“ESN”), Mobile Electronic Identity Numbers (“MEIN”), Mobile Equipment Identifier (“MEID”), Mobile Identification Numbers (“MIN”), Subscriber Identity Modules (“SIM”), Mobile Subscriber Integrated Services Digital Network Number (“MSISDN”), International Mobile Subscriber Identifiers (“IMSI”), or International Mobile Equipment Identities (“IMEI”));
7. Other subscriber numbers or identities (including the registration Internet Protocol (“IP”) address); and
8. Means and source of payment for such service (including any credit card or bank account number) and billing records.

B. All records and other information (not including the contents of communications) relating to wire and electronic communications sent from or received by the Account, including the date and time of the communication, the method of communication, and the source and destination of the communication (such as source and destination email addresses, IP addresses, and telephone numbers), and including information regarding the cell towers and sectors through which the communications were sent or received.

Records of any accounts registered with the same email address, phone number(s), or method(s) of payment as the account listed in Part I.

Google

Google is required to disclose the following records and other information, if available, to the United States for each account or identifier listed in Part 1 of this Attachment (“Account”), for the time period beginning June 1, 2016, through and including June 7, 2017:

A. The following information about the customers or subscribers of the Account:
1. Names (including subscriber names, user names, and screen names);
2. Addresses (including mailing addresses, residential addresses, business addresses, and e-mail addresses);
3. Local and long distance telephone connection records;
4. Records of session times and durations, and the temporarily assigned network addresses (such as Internet Protocol (“IP”) addresses) associated with those sessions;
5. Length of service (including start date) and types of service utilized;
6. Telephone or instrument numbers (including MAC addresses);
7. Other subscriber numbers or identities (including temporarily assigned network addresses and registration Internet Protocol (“IP”) addresses (including carrier grade natting addresses or ports)); and
8. Means and source of payment for such service (including any credit card or bank account number) and billing records.

B. All records and other information (not including the contents of communications) relating to the Account, including:
1. Records of user activity for each connection made to or from the Account, including log files; messaging logs; the date, time, length, and method of connections; data transfer volume; user names; and source and destination Internet Protocol addresses;
2. Information about each communication sent or received by the Account, including the date and time of the communication, the method of communication, and the source and destination of the communication (such as source and destination email addresses, IP addresses, and telephone numbers);
3. Records of any accounts registered with the same email address, phone number(s), method(s) of payment, or IP address as either of the accounts listed in Part 1; and Records of any accounts that are linked to either of the accounts listed in Part 1 by machine cookies (meaning all Google user IDs that logged into any Google account by the same machine as either of the accounts in Part

Facebook/Instagram

Facebook, Inc. is required to disclose the following records and other information, if available, to the United States for each account or identifier listed in Part 1 of this Attachment (“Account”), for the time period beginning June 1, 2016, through and including June 7, 2017:

A. The following information about the customers or subscribers of the Account:
1. Names (including subscriber names, user names, and screen names);
2. Addresses (including mailing addresses, residential addresses, business addresses, and e-mail addresses);
3. Local and long distance telephone connection records;
4. Records of session times and durations, and the temporarily assigned network addresses (such as Internet Protocol (“IP”) addresses) associated with those sessions;
5. Length of service (including start date) and types of service utilized;
6. Telephone or instrument numbers (including MAC addresses);
7. Other subscriber numbers or identities (including temporarily assigned network addresses and registration Internet Protocol (“IP”) addresses (including carrier grade natting addresses or ports)); and
8. Means and source of payment for such service (including any credit card or bank account number) and billing records.

B. All records and other information (not including the contents of communications) relating to the Account, including:
1. Records of user activity for each connection made to or from the Account, including log files; messaging logs; the date, time, length, and method of connections; data transfer volume; user names; and source and destination Internet Protocol addresses;
2. Information about each communication sent or received by the Account, including the date and time of the communication, the method of communication, and the source and destination of the communication (such as source and destination email addresses, IP addresses, and telephone numbers). Records of any accounts registered with the same email address, phone number(s), method(s) of payment, or IP address as either of the accounts listed in Part I; and
3. Records of any accounts that are linked to either of the accounts listed in Part I by machine cookies (meaning all Facebook/Instagram user IDs that logged into any Facebook/Instagram account by the same machine as either of the accounts in Part I).

Twitter

Twitter, Inc. is required to disclose the following records and other information, if available, to the United States for each account or identifier listed in Part 1 of this Attachment (“Account”), for the time period beginning June 1, 2016, through and including June 7, 2017:

A. The following information about the customers or subscribers of the Account:
1. Names (including subscriber names, user names, and screen names);
2. Addresses (including mailing addresses, residential addresses, business addresses, and e-mail addresses);
3. Local and long distance telephone connection records;
4. Records of session times and durations, and the temporarily assigned network addresses (such as Internet Protocol (“IP”) addresses) associated with those sessions;
5. Length of service (including start date) and types of service utilized;
6. Telephone or instrument numbers (including MAC addresses);
7. Other subscriber numbers or identities (including temporarily assigned network addresses and registration Internet Protocol (“IP”) addresses (including carrier grade natting addresses or ports)); and
8. Means and source of payment for such service (including any credit card or bank account number) and billing records.

B. All records and other information (not including the contents of communications) relating to the Account, including:
1. Records of user activity for each connection made to or from the Account, including log files; messaging logs; the date, time, length, and method of connections; data transfer volume; user names; and source and destination Internet Protocol addresses;
2. Information about each communication sent or received by the Account, including the date and time of the communication, the method of communication, and the source and destination of the communication (such as source and destination email addresses, IP addresses, and telephone numbers).
3. Records of any accounts registered with the same email address, phone number(s), method(s) of payment, or IP address the account listed in Part I; and
4. Records of any accounts that are linked to the account listed in Part I by machine cookies (meaning all Google [sic] user IDs that logged into any Google [sic] account by the same machine as the account in Part I).

Report from North Carolina Makes Reality Winner Leak Far More Important

According to NPR, the poll books in six precincts in Durham County, NC, went haywire on election day, which led the entire county to shift to paper poll books.

When people showed up in several North Carolina precincts to vote last November, weird things started to happen with the electronic systems used to check them in.

“Voters were going in and being told that they had already voted — and they hadn’t,” recalls Allison Riggs, an attorney with the Southern Coalition for Social Justice.

The electronic systems — known as pollbooks — also indicated that some voters had to show identification, even though they did not.

[snip]

At first, the county decided to switch to paper pollbooks in just those precincts to be safe. But Bowens says the State Board of Elections & Ethics Enforcement got involved “and determined that it would be better to have uniformity across all of our 57 precincts and we went paper pollbooks across the county.”

That move caused a whole new set of problems: Voting was delayed — up to an hour and a half — in a number of precincts as pollworkers waited for new supplies. With paper pollbooks, they had to cut voters’ names out and attach them to a form before people could get their ballots.

The company that provided the software for the poll books is VR Systems — the company that the document Reality Winner leaked showed had been probed by Russian hackers.

But Susan Greenhalgh, who’s part of an election security group called Verified Voting, worried that authorities underreacted. She was monitoring developments in Durham County when she saw a news report that the problem pollbooks were supplied by a Florida company named VR Systems.

“My stomach just dropped,” says Greenhalgh.

She knew that in September, the FBI had warned Florida election officials that Russians had tried to hack one of their vendor’s computers. VR Systems was rumored to be that company.

Because of the publicity surrounding the VR targeting — thanks to the document leaked by Winner — NC has now launched an investigation.

Lawson says the state first learned of the hack attempt when The Intercept, an online news site, published its story detailing Russian attempts to hack VR Systems. The leaked report said hackers then sent emails to local election offices that appeared to come from VR — but which actually contained malicious software.

[snip]

So now, months after the election, the state has launched an investigation into what happened in Durham County. It has secured the pollbooks that displayed the inaccurate information so forensic teams can examine them.

So this may be the first concrete proof that Russian hackers affected the election. But we’ll only find out if that’s true thanks to Winner’s leak.

Except she can’t raise that at trial.

Last week, Magistrate Judge Brian Epps imposed a protection order in her case that prohibits her or her team from raising any information from a document the government deems to be classified, even if that document has been in the public record. That includes the document she leaked.

The protective order is typical for leak cases. Except in this case, it covers information akin to information that appeared in other outlets without eliciting a criminal prosecution. And more importantly, Winner could now point to an important benefit of her leak, if only she could point to the tie between her leak and this investigation in North Carolina.

With the protection order, she can’t.

Note one more implication of this story.

In addition to the Presidential election last year, North Carolina had a surprisingly close Senate election, in which Senate Intelligence Committee Chair Richard Burr beat Deborah Ross by 6%. Admittedly, the margin was large — over 200,000 votes. But Durham County is the most Democratic county in the state.

Burr, of course, is presiding over one of the four investigations into the Russian hacks. And while I don’t think this story, yet, says that Burr won because of the hack, if the investigation shows VR was hacked in the state and it affected throughput in the most Democratic county, then it means Burr benefitted as clearly from the Russian hacks as Trump did.

The SSCI investigation has been going better than I had imagined. But this seems like a conflict of interest.

Update: I originally said the entire state switched to paper pollbooks. That’s incorrect: just Durham County did, which makes the issue even more important.

Former Senators Sessions and Coats Likely Just Set Off a Conflict with Congress

I’ll have more to say about Jeff Sessions’ new witch hunt on leaks later. But for now I want to look at what former Assistant Director Ron Hosko had to say to Daily Beast.

Ron Hosko, former deputy director of the FBI, said these changes could result in prosecution of members of Congress and Hill staffers. In the past, he said the FBI identified members of Congress who leaked classified information, who the Justice Department then declined to prosecute. Agents were often frustrated by this, Hosko added. Given the attorney general’s announcement, he said, members of Congress and Hill staffers may be more likely to face prosecution.

As I was listening to the press presentation (I won’t call it a conference because Sessions and Coats ran away without answering questions), I couldn’t help but think what a shitshow these two former Senators were likely setting off.

That’s because the universe of potential leakers is fraught for DOJ especially.

There are the various White House leakers (not including the President, who will escape notice even though he is one of the most prolific and dangerous leakers). Prosecuting them will be difficult politically in this contentious Administration.

There are the IC leakers. While some will likely be charged, a good many will be — like David Petraeus — too dangerous to aggressively prosecute, because they know where the truly interesting secrets are.

Most of all, though, there are the current and former members of Congress and their staffers, who have clearly been a central source of leaks embarrassing the White House.

Hosko is right that FBI has bumped up against limits in prosecuting Congress before. In the Jeffrey Sterling case, for example, SSCI staff director Bill Duhnke was FBI’s first and primary suspect (and a far more likely source for James Risen’s 2003 story than Sterling, not least because the final form of that story included a seeming reference to Iraq that Sterling wouldn’t have known). But SSCI refused to cooperate with the FBI investigation for years, and Duhnke reportedly never did. Duhnke remains in the Senate, working as the Rules Staff Director.

There’s nothing the Sessions hearing today included that would change the circumstances of Congress’ non-participation in the prosecution of Duhnke going forward (except perhaps the threat to jail journalists, but that’s still not likely to be enough to get past Congressional Speech and Debate privilege).

Moreover, if the FBI pushes too hard, Congress will just legislate itself — and reporters — protections (as Congress has been threatening to do for some time).

Given the Fourth Circuit precedents tied to the Sterling case, I think it will be easier for FBI to go after low level IC staffers. But I’m fairly confident if it gets close to Congress there will be a significant backlash that will make former Senators Sessions and Coats regret they didn’t account for their former colleagues’ equities before rolling out a witch hunt.

With Clowns To The Left, And Jokers On The Right, Trump Turns To Scaramucci

What is up today, you ask?

Well, not much…..oh, holy shit!

On Wednesday night, I received a phone call from Anthony Scaramucci, the new White House communications director. He wasn’t happy. Earlier in the night, I’d tweeted, citing a “senior White House official,” that Scaramucci was having dinner at the White House with President Trump, the First Lady, Sean Hannity, and the former Fox News executive Bill Shine. It was an interesting group, and raised some questions. Was Trump getting strategic advice from Hannity? Was he considering hiring Shine? But Scaramucci had his own question—for me.

“Who leaked that to you?” he asked. I said I couldn’t give him that information. He responded by threatening to fire the entire White House communications staff. “What I’m going to do is, I will eliminate everyone in the comms team and we’ll start over,” he said. I laughed, not sure if he really believed that such a threat would convince a journalist to reveal a source. He continued to press me and complain about the staff he’s inherited in his new job. “I ask these guys not to leak anything and they can’t help themselves,” he said. “You’re an American citizen, this is a major catastrophe for the American country. So I’m asking you as an American patriot to give me a sense of who leaked it.”

Ooof. That is pretty psychotic on the part of Scaramouche, glad he didn’t go too batshit…. Yikes, nevermind:

“Reince is a fucking paranoid schizophrenic, a paranoiac,” Scaramucci said. He channelled Priebus as he spoke: “ ‘Oh, Bill Shine is coming in. Let me leak the fucking thing and see if I can cock-block these people the way I cock-blocked Scaramucci for six months.’ ” (Priebus did not respond to a request for comment.)
Scaramucci was particularly incensed by a Politico report about his financial-disclosure form, which he viewed as an illegal act of retaliation by Priebus. The reporter said Thursday morning that the document was publicly available and she had obtained it from the Export-Import Bank. Scaramucci didn’t know this at the time, and he insisted to me that Priebus had leaked the document, and that the act was “a felony.”

“I’ve called the F.B.I. and the Department of Justice,” he told me.
“Are you serious?” I asked.

“The swamp will not defeat him,” he said, breaking into the third person. “They’re trying to resist me, but it’s not going to work. I’ve done nothing wrong on my financial disclosures, so they’re going to have to go fuck themselves.”

Just to be clear, this is the rootin tootin slick dick Harvard Law financial genius that Trump brought in to clean up his Presidency’s previous failures, and bring order and success to the West Wing.

A fine tuned machine!

The Complexities of Reality Winner’s Case

I suggested in this post that some of the coverage of Reality Winner’s arraignment was less than stellar.

Case in point: I didn’t see any reporting of the hearing that the government had moved to declare her case complex because they intended to use the Classified Information Procedures Act (CIPA, which governs how the government uses or substitutes classified information to be used in a trial); Winner’s attorney did not object. The court formally approved that on June 14. Then, on June 19, the government moved for a CIPA pretrial conference, which (credit where due) the Augusta press covered on Friday.

Perhaps this is just formality. At the end of its CIPA motion, the government refers to the “fast-moving nature of this case” even while admitting that it may not need some (or most?) of the CIPA procedures it had just laid out.

Given that this investigation concerns the disclosure of classified material and that the government’s evidence includes classified information, the government respectfully moves for a pretrial conference, pursuant to Section 2 of CIPA, to establish a discovery and motion schedule relating to any classified information. The government notes that some of the CIPA sections outlined above may not be invoked or need to be addressed.

Further, dependent upon future events and potential pretrial resolutions and proceedings, there may be no need for hearings pursuant to CIPA. Because of the fast-moving nature of this case, the precise amount of classified information that may be discoverable or used as evidence is still being determined.

Claims of thumb drives inserted into Air Force computers last year notwithstanding, on its face, this appears to be a cut-and-dry case: out of a pool of six potential leakers, one — Winner — has already confessed to the FBI. So perhaps the government is just doing this to ensure it has a Court Information Security Officer involved and a hefty protection order imposed on Winner’s defense team.

But in the same motion, the government makes it clear that it collected classified material beyond the document that Winner is alleged to have leaked to The Intercept.

The indictment in this case charges the defendant with unlawfully retaining and transmitting classified national defense information in violation of 18 U.S.C. § 793(e). Classified material, including but not limited to the document which the defendant is charged with unlawfully retaining and transmitting, was collected as part of the underlying investigation and will be the subject of certain procedures set forth in CIPA, as well as in other applicable rules, statutes, and case law. The disclosure of such material will raise issues of national security that the Court must address before the material is provided to the defense. [my emphasis]

That might just refer to data the NSA and FBI used to hone in on Winner. Or it may mean there’s more to the case than meets the eye.

And whatever that is will remain out of eyesight, behind CIPA.

In Opinion Mostly Rejecting Jeffrey Sterling Appeal, Fourth Circuit Criminalizes Unclassified Tips

The Fourth Circuit just codified the principle that you can go to prison for four minutes and 11 seconds of phone calls during which you tell a reporter to go find out classified details you know about.

They just released an opinion mostly upholding Jeffrey Sterling’s conviction. The majority, penned by Albert Diaz, overturned one conviction based on whether Sterling handed a letter (about which the court seems to have misunderstood the evidence) to James Risen in Virginia, but that didn’t result in any reduction in sentence. The court not only upheld all other convictions, but did so in ways that will be really horrible for any clearance holders charged with leaks in the Fourth Circuit (the jurisdiction of which covers all the major government spy agencies).

Four minutes and 11 seconds of metadata

First, there’s the matter of whether there was evidence to support the three charges related to the first story James Risen attempted to write on Merlin in 2003. The opinion claims Sterling and Risen had “numerous” phone calls in advance of Risen going to the CIA with his story.

The government presented evidence of numerous phone calls in February and March 2003, between Sterling’s home in Virginia and Risen’s home in Maryland. These phone calls occurred right before Risen notified the CIA that he had learned about the program from confidential sources and was planning to write an article about its classified operations. Furthermore, all of these calls were made nearly a year after Risen wrote an article about Sterling’s discrimination lawsuit.

Here’s what those “numerous” calls look like:

Altogether, the government presented evidence that Sterling and Risen spoke for four minutes and 11 seconds in advance of the first story. Sterling also sent an unclassified email referring to a CNN story on Iran’s nukes.

Significantly, the court doesn’t even hold that Sterling may have transmitted classified information in those calls. It holds that he may have “encouraged” and “caused” Risen to publish the information.

That circumstantial evidence, viewed in the light most favorable to the government, could have led a rational jury to infer that Sterling discussed some classified information with Risen during these calls—the longest of which was 91 seconds—or encouraged Risen to publish the information. Thus, a jury could find that, more likely than not, Sterling helped “cause” dissemination of the information to the public through phone communications from his home in the Eastern District of Virginia, making venue proper for Counts I, II, and IX.

This establishes a standard criminalizing something that happens all the time in DC — where sources point reporters to something that’s classified without providing any classified information, leading the reporter to go find the classified information from other sources.

Importantly (and not mentioned in the Fourth Circuit opinion), the FBI’s initial suspect in this case was then-SSCI staffer Bill Duhnke. SSCI refused to cooperate with the FBI in the early stages of the investigation and may never have done so with respect to Duhnke. Nothing in the public record ever ruled out that he was Risen’s source for this early story.

The Court erroneously claims that Sterling had “the letter” printed in Risen’s book

The court makes two troubling steps in upholding Sterling’s conviction for illegally retaining classified information, which it upholds this way.

As to this offense, the Russian scientist testified that he gave Sterling a copy of the program letter in 2000. Sterling lost access to classified materials after he was fired in early 2002 (when he was working and living in Virginia), and Risen first notified authorities that he had seen the letter in April 2003. Finally, the government introduced evidence that in 2006, Sterling had stored other classified documents in his Missouri home, after he moved in mid-2003. On this evidence, a jury could therefore reasonably infer that after Sterling left the CIA in 2002, he unlawfully retained the program letter in his home—which was then in the Eastern District of Virginia.

In the language rejecting the conviction that Sterling transmitted the actual letter to Risen in Virginia, the court claimed that both sides agree that Sterling actually had the letter.

Because both sides agree that Sterling provided Risen with a paper copy of the letter, evidence of phone and email communications alone cannot support proper venue for Count V.

The claim that the defense agreed that Sterling even had the hard copy of the letter, much less handed it to Risen, is utterly inconsistent with this statement later in the opinion.

Sterling argued throughout the trial that he never retained or transmitted classified material.

Perhaps the court meant to say that “Sterling would have had to hand Risen a paper copy”?

Moreover, unless I’m missing something, not only does the defense not agree that Sterling handed over the letter, but it doesn’t even agree that Sterling ever had or saw the letter in the form handed to Risen. Indeed, the defense repeatedly got the government to admit they never found a copy of the actual letter that appeared in Risen’s book (though the record is inconsistent about whether that letter that got handed to the Iranians actually matched what appeared in Risen’s book).

That’s important — as I lay out in depth in this post — because Sterling was not involved in some key meetings leading up to the time Merlin went to Vienna. Given that he wasn’t involved in some of the meetings, it’s quite possible Sterling never saw the letter as it appeared in Risen’s book. I’d even say it’s likely, because Sterling’s habit was to include a verbatim transcript of letters Merlin was writing in his reporting, whereas Bob S, who handled the meetings Sterling didn’t attend, did not do so.

CIA has effectively — and not very credibly — claimed they didn’t have a copy of the letter as it appeared in Risen’s book, and in later years of the investigation Merlin started claiming he destroyed all evidence of it. Which would seem to undermine the claim that either side agreed Sterling handed over the actual letter to Risen.

I’m not sure how, based on that record, the Fourth Circuit can claim that Sterling ever had the letter in question.

Going to prison for keeping a procedure on how to dial a rotary phone

Then there’s what the court does to get to the claim that “in 2006, Sterling had stored other classified documents in his Missouri home, after he moved in mid-2003.”

The defense objected to the introduction of these documents, which included a performance review from the time Sterling was a trainee and instructions on how to dial into Langley from a rotary phone, specifically because of the way in which the documents were presented to the jury. The documents were handed out in red classified folders in unredacted form with great fanfare, whereas all other (far more classified) documents had been redacted and simply handed over to the jury in evidence binders.

Here’s how I described the theater surrounding these documents at the time.

A court officer handed out a packet of these same documents with bright red SECRET markings on the front to each juror (the government had tried to include such a warning on the binders of other exhibits, but the defense pointed out that nothing in them was actually classified at all). Judge Leonie Brinkema, apparently responding to the confused look on jurors’ faces, explained these were still-classified documents intended for their eyes only. “You’ll get the context,” Judge Brinkema added. “The content is not really anything you have to worry about.” The government then explained these documents were seized from Jeffrey Sterling’s house in Missouri in 2006. Then the court officer collected the documents back up again, having introduced the jurors to the exclusive world of CIA’s secrets for just a few moments.

On cross, however, the defense explained a bit about what these documents were. Edward MacMahon made it clear the date on the documents was February 1987 — a point which Lutz apparently missed. MacMahon then revealed that the documents explained how to use rotary phones when a CIA officer is out of the office. I believe the prosecution objected — so jurors can’t use MacMahon’s description in their consideration of how badly these documents implicate Sterling — but perhaps the improper description will help cue the jurors’ own understanding about what the documents they had glimpsed were really about, making it clear to them they’re being asked to convict a man because he possessed documents about using a rotary phone that the CIA retroactively decided were SECRET.

The court doesn’t deal with the silent witness aspect of this presentation at all. On the contrary, the court makes no mention of it when it dismisses the possibility this was inflammatory.

All probative evidence may be prejudicial to the defendant in some way, but we have found Rule 404(b) evidence to be unfairly prejudicial when it inflames the jury or encourages them to draw an inference against the defendant, based solely on a judgment about the defendant’s criminal character or wicked disposition. McBride, 676 F.3d at 399; Hernandez, 975 F.2d at 1041.

Here, evidence showing that Sterling had improperly retained four classified documents in the past encouraged the proper evidentiary inference that any subsequent retention of classified documents was, if proven, intentional.

The court’s treatment of these documents (and its silence on their actual content or the theater surrounding the introduction of them) is all the more troubling given that the court claimed the “prior bad acts” implicated by Sterling’s retention of these documents “were exactly the same as the act Sterling was charged with under Count III.”

Although the Rule 404(b) evidence was fairly old in this case, it did bear sufficient similarity in terms of pattern of conduct to justify its admission. An FBI search of Sterling’s Missouri home in 2006 uncovered four classified documents, which Sterling had improperly kept. And Sterling’s improper retention of these documents occurred during the same timeframe as his improper retention of files concerning the Program. Furthermore, the prior bad acts were exactly the same as the act Sterling was charged with under Count III.

Sure, in a legal sense, retaining classified information is retaining classified information. That’s how the Fourth Circuit gets to its “exactly the same” claim.

But retaining 20 year old HR documents — including a performance review — you obtained as a trainee just getting used to classification rules is not the same as retaining documents from covert operations. It’s not. And the claim it is is all the more outrageous given that Sterling wasn’t permitted to talk about how the witnesses against him had also retained classified information, and probably information that was far more classified than rotary phone dialing instructions.

Effectively, along with criminalizing sharing unclassified tips, the Fourth Circuit has also just criminalized mistakenly retaining HR documents in your basement, something that a large proportion of clearance holders have probably done over the course of their career.

Obstruction before the fact

Finally, here’s how the court found that Sterling’s obstruction conviction was proper even though the government presented no proof whether he had deleted the unclassified email mentioning Iran’s nuclear program before or after receiving a subpoena for classified materials.

Sterling notes that this specific email “was not among the categories of documents requested by the grand jury’s [June 2006] subpoena.” Appellant’s Br. at 44. He argues, therefore, that even if he did delete the email, he could not have done so with the intent to impair the grand jury investigation. But while the email may not have been explicitly included in the subpoena’s categories, in that it did not directly share information about the classified program, it did reference Iran’s nuclear development efforts. Furthermore, the email and its brief comments suggest that Risen and Sterling had previously discussed Iran’s nuclear program.

We have said that to be culpable of obstructing justice, the actual documents destroyed “do not have to be under subpoena.” United States v. Gravely, 840 F.2d 1156, 1160 (4th Cir. 1988) (analyzing a conviction for obstruction of justice under 18 U.S.C. § 1503). Instead, “it is sufficient if the defendant is aware that the grand jury will likely seek the documents in its investigation.” Id. A rational jury could infer, based on the evidence at trial, that Sterling deleted the email between April and July 2006 in order to conceal it from a grand jury investigation. We therefore reject Sterling’s challenge to this conviction.

This language is just — what is the technical term? — weird.

First of all, the court never explains how Sterling would know there was a grand jury before receiving a subpoena from it, which is pretty important given that Sterling had known there was an investigation for three years, but hadn’t deleted that email before then.

Moreover, even as it deems it rational to believe that Sterling deleted the email thinking the grand jury will “likely seek the documents,” the court ignores that the grand jury actually never did seek such an email. So Sterling, with no formal notice of a grand jury introduced in the trial, not only deleted the unclassified email knowing there would be one, but happened to delete an email that the grand jury, in fact, would never go on to ask for?

Somehow, too, unless I missed it the court neglected to deal with venue on this claim. They just … ignored that part of Sterling’s appeal.

The Fourth Circuit just made it illegal to share unclassified information

So between the finding that Sterling criminally “encouraged” the transmission of classified information in four minutes and 11 seconds of phone calls of unknown content, and the finding that Sterling obstructed justice before knowing there was a grand jury by deleting information that unknown grand jury ultimately never asked for, the Fourth Circuit has just criminalized sharing unclassified information.
