May 18, 2024

After Three Suggestions of Doctored Data, Alfa Bank Claims They’re Being Framed

Remember this article from CNN that renewed the Alfa Bank funny server story? It totally pissed me off for the way it cited about seven people telling it there was no there there, and then reporting that there was based off one identified source (a US official, who could be a member of Congress) and other non-identified ones.

In addition, it claimed that Dick DeVos leads Spectrum Health — my local hospital. DeVos is currently Chairman of the Board, but the company is “led” by CEO and President Rick Breon. DeVos “leads” a company called Windquest Group, which invests in boutique things like an excellent wine bar and the fancy gym I belonged to before I joined the Y. The DeVos family “owns” a lot more, notably RDV Corporation, through which they own and mismanage the Orlando Magic. There are probably a jillion servers associated with RDV corporation that could (and probably do!) conduct secret communications. Which is another way of saying that if Dick DeVos wanted to conduct secret conversations with Donald Trump at a time when he was attracting attention because he was not yet even donating money to the candidate, he might have done it via a server more directly operated by his family. Hell, since DeVos spooked up brother-in-law Erik Prince was supporting Trump at that time of the weird server activity, why wouldn’t we expect spooky conversations to happen from one of Prince’s far-flung spook properties?

But perhaps the funniest part of the CNN story is that it pointed to evidence the story had been packaged — but it didn’t seem to understand that.

Other computer experts said there could be additional lookups that weren’t captured by the original leak. That could mean that Alfa’s presence isn’t as dominant as it seems. But Dyn, which has a major presence on the internet’s domain name system, spotted only two such lookups — from the Netherlands on August 15.

If there were lookups not recorded in the publicly released data — even if there were just two of them — then it shows that the publicly released data is incomplete.

Other outlets say there was even more data sometimes excluded from the public story. The Intercept cataloged how different sets of material purportedly backing this story include different sets of IP addresses.

On Tea Leaves’ WordPress site, he claimed that “only two networks resolved the mail1.trump-email.com host.” This is contradicted by the very works of analysis furnished by Tea Leaves’ collaborators: The author of the white paper found that at least 19 IP addresses, all belonging to different networks except for the two that belong to Alfa Bank, had looked up Trump’s server. And these are only the 19 the author was able to observe in a short time period — it can’t be ruled out that there were many more, which quickly deflates the portrait of a shady Russian backchannel.

The white paper included DNS look-up data, but not nearly enough to reproduce the results. Rather than the 19 IP addresses we expected to see, the data only included three, and the DNS look-ups were not for the same time period that the paper described. Tea Leaves published a different set of data on the dark web, which we also looked at, but this set of data only included a total of four IP addresses. When we pressed Tea Leaves for the complete set of data so we could attempt to reproduce the analysis, he gave us a new, more comprehensive set of data, but still that included a total of only eight IP addresses, and it was missing an IP address belonging to a VPN service in Utah that accounted for a significant portion of the DNS look-ups described in the paper.

And Robert Graham states that a source of his says the data for June — one of the key months in question — was altered.

Tea Leaves and Jean Camp are showing logs of private communications. Where did these logs come from? This information isn’t public. It means somebody has done something like hack into Alfa Bank. Or it means researchers who monitor DNS (for maintaining DNS, and for doing malware research) have broken their NDAs and possibly the law.

The data is incomplete and inconsistent. Those who work for other companies, like Dyn, claim it doesn’t match their own data. We have good reason to doubt these logs. There’s a good chance that the source doesn’t have as comprehensive a view as “Tea Leaves” claim. There’s also a good chance the data has been manipulated.

Specifically, I have a source who claims records for trump-email.com were changed in June, meaning either my source or Tea Leaves is lying.

Until we know more about the source of the data, it’s impossible to believe the conclusions that only Alfa Bank was doing DNS lookups.

Here’s his latest post on this issue.

All the different sets of data (and the way the data was culled without evidence about how that was done), plus the fact that the entity behind this story goes by the name “Tea Leaves” and now refuses to talk to anyone about it, really ought to raise questions about a hoax. But not CNN. For CNN it was all proof of something there.

Now CNN reports that once in February and increasingly since CNN’s story about a non-story, someone has been spoofing lookups from Trump to Alfa.

[O]n Friday, Alfa Bank claimed hackers are now trying to perpetuate that suspicion by tricking the Trump Organization into sending communication toward the bank.

[snip]

One attack happened on February 18, the bank said. (The bank did not mention that to CNN before its story published on March 10.)

After CNN published its story about the puzzling Trump-Alfa situation, hackers stepped up their attack on the Trump Organization with “spoofed” signals for five hours, which were then directed back towards the bank, Alfa Bank said.

Hackers continued this attack on March 13, the bank said.

The bank contacted the FBI and offered “complete co-operation in finding the people behind attempted cyberattacks.” A US law enforcement official confirmed that the FBI was contacted.

[snip]

According to Alfa Bank’s description of recent events, hackers have recently tricked a Trump Organization computer server into sending internet traffic to Alfa Bank.

Hackers have “manufactured this deceit by ‘spoofing’ or falsifying DNS lookups to create the impression of communication between Alfa Bank and the Trump Organization,” the bank said in a statement.

Alfa Bank offered this analogy: “A simple analogy would be someone in the U.S. sending an empty envelope… to a Trump office… addressed to Trump, but on the back of the envelope the return address is Russia… instead of its own real address.”

“So, on cursory examination, Alfa Bank appears to have been receiving responses to queries it never actually sent.”

Alex McGeorge, head of threat intelligence at cybersecurity firm Immunity, said this is a prank “that is simple to do from pretty much any internet connected computer. We could probably manufacture this from a Starbucks.”
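The “responses to queries it never actually sent” symptom Alfa Bank describes has a straightforward defensive check: pair every inbound DNS response with the outbound query it should answer, and whatever is left over is unsolicited. The script below is an added illustration, not code from the article or from any party it names; the log format, the documentation-range IP addresses and the timestamps are constructed sample data.

```python
"""Flag DNS responses that arrive without a matching outbound query.

Added illustration for the spoofed-lookup scenario described above.
Assumes a resolver (or a packet capture in front of it) records both the
queries it sends ("Q") and the responses it receives ("R"). The log lines
below are constructed; 198.51.100.0/24 and 203.0.113.0/24 are
documentation ranges, not real hosts.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: direction, UTC timestamp, peer IP, DNS txid, qname, qtype.
# Only the first and fifth responses answer a query this resolver actually sent.
SAMPLE_LOG = """\
Q 2017-03-11T10:00:01Z 198.51.100.10 0x1a2b mail1.trump-email.com A
R 2017-03-11T10:00:01Z 198.51.100.10 0x1a2b mail1.trump-email.com A
R 2017-03-11T10:05:17Z 198.51.100.10 0x7f01 mail1.trump-email.com A
R 2017-03-11T10:05:18Z 198.51.100.10 0x7f02 mail1.trump-email.com A
Q 2017-03-11T10:06:00Z 203.0.113.5 0x3c3c example.org MX
R 2017-03-11T10:06:00Z 203.0.113.5 0x3c3c example.org MX
R 2017-03-11T10:09:44Z 198.51.100.10 0x7f03 mail1.trump-email.com A
"""


def parse_log(text):
    """Parse the constructed log into dicts, preserving file order."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        direction, ts, peer, txid, qname, qtype = line.split()
        records.append({
            "direction": direction,  # "Q" = query we sent, "R" = response we received
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "peer": peer,
            # A response is only legitimate if peer, txid, name and type all match.
            "key": (peer, txid.lower(), qname.lower(), qtype.upper()),
        })
    return records


def find_unsolicited_responses(records, window_seconds=5):
    """Return responses with no matching query sent within window_seconds before them.

    Each query can satisfy at most one response, so a burst of responses
    reusing one txid still shows up as orphans after the first.
    """
    pending = defaultdict(list)  # key -> timestamps of queries awaiting a reply
    window = timedelta(seconds=window_seconds)
    orphans = []
    for rec in records:
        if rec["direction"] == "Q":
            pending[rec["key"]].append(rec["ts"])
            continue
        candidates = pending.get(rec["key"], [])
        matched = None
        for i, query_ts in enumerate(candidates):
            if timedelta(0) <= rec["ts"] - query_ts <= window:
                matched = i
                break
        if matched is None:
            orphans.append(rec)
        else:
            candidates.pop(matched)  # consume the query so it cannot match twice
    return orphans


def count_by_peer(orphans):
    """Tally unsolicited responses per remote server, the view an analyst wants first."""
    counts = defaultdict(int)
    for rec in orphans:
        counts[rec["peer"]] += 1
    return dict(counts)


def audit(text, window_seconds=5):
    """Parse a log and return {peer: number of unsolicited responses}."""
    return count_by_peer(find_unsolicited_responses(parse_log(text), window_seconds))


if __name__ == "__main__":
    for peer, n in audit(SAMPLE_LOG).items():
        print(f"{peer}: {n} response(s) with no matching outbound query")
```

A clean resolver log returns an empty dict; a cluster of orphans from one peer, all for the same name, is the pattern the bank describes and a reason to pull packet captures rather than trust the resolver’s lookup history on its own.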

That someone is trying to manufacture something out of nothing here should not be surprising. There’s abundant reason to believe that’s what was always happening. And now that the FBI has been called back in by Alfa, I do hope they find an explanation about whether this is a Hillary person trying to taint Trump or Russia trying to do a limited hangout on other more damaging Alfa stuff. Maybe both have been faking this story at different times?

In any case, at this point, the story should be about why this story got packaged in the way it did, as much as any questions about how Trump sends spam around the world.

Update: Here’s the press release from Alfa. They’re also calling the larger story a hoax.

Alfa Bank’s working hypothesis is that an individual — possibly well known in internet research circles — may have fed selected DNS data to an anonymous cyber group to ensure they reached a specific (and erroneous) conclusion. Alternatively, the cyber group may have been complicit in the deceit. In the most recent cases, unknown individuals demonstrably attempted to insert falsified records onto Alfa Bank’s computer systems designed to create the same impression.

An Alfa Bank spokesperson said: “The anonymous cyber group, which is led according to news accounts by ‘Tea Leaves,’ cannot produce evidence of a link because there never has been one. Alfa Bank believes that it is under attack and has pledged its complete cooperation to U.S. authorities to find out who is behind these malicious attacks and false stories.”


Why Would FSB Officer Dmitry Dokuchaev Use a Yahoo Email Account to Spy for Russia?

At the Atlantic, I expanded on this post to explore how Russia has to do by hacking what the US can do using Section 702. As I lay out, for a lot of foreign spying involving US tech companies, Russia has to do things like phish or hack Yahoo’s servers to gain the kind of access the NSA gets just by asking nicely.

But as Jeffrey Carr notes in this post, that’s not true for unencrypted communications that originate in Russia. FSB — the agency where alleged Yahoo hackers Dmitry Dokuchaev and Igor Sushchin worked — has access to anything that originates in Russia.

To put it another way, the FSB has total information awareness on every type of communication that originates in Russia or passes through Russian servers.

Carr uses that detail to argue that this probably means Dokuchaev — who was charged by Russia with treason in December — and Sushchin were operating on their own.

[W]hy would the FSB, with their vast resources and legal authorities, need to collect information on Russian targets in Russia via Yahoo?

The obvious answer is — they don’t. And since all of the defendants with the exception of one person are either criminals or charged by the Russian government with treason, the Yahoo breach was most likely the act of corrupt FSB employees and criminal hackers rather than an official FSB operation.

Now, many if not most accounts identified in the indictment (I made a list of the described targets in this post) wouldn’t be officially available, because they’re located in countries adjoining Russia or the US.

But there are a few other details that do support Carr’s argument.

First, in addition to Yahoo and Google accounts, the conspirators targeted a Russian webmail service — probably Yandex.

In or around April 2016, the conspirators sought access to an account of a senior officer at a Russian webmail and internet-related services provider (the “Russian Webmail Provider”). On or about April 25, 2016, DOKUCHAEV successfully minted a cookie to gain access to the victim user’s account.

Admittedly, FSB might not want to go to Yandex (or whichever provider it is) to ask for information on one of their senior officers, but nevertheless, this information should be available officially in Russia. Another passage that describes the Russian webmail service lists only Russian targets, though that section also includes Google targets, so those may have been the GMail accounts of Russians unavailable in Russia.

In addition, the day after the indictment, Sushchin got fired from Renaissance Capital (which is owned by Nets owner Mikhail Prokhorov), where he was embedded. That suggests his was not an official embed noticed to the company (though it still may have been a legitimate FSB placement).

Most interesting of all is that Dokuchaev used US resources to conduct the hack. He had a Paypal account, which he presumably used to pay Karim Baratov.

All funds which constitute proceeds that are held on deposit in PayPal account number xxxxxxxxxxxxxxx2639, held by DOKUCHAEV;

And, according to the G&M (and this is the most amazing part), Dokuchaev used a Yahoo account to communicate with Baratov.

Mr. Dokuchaev is alleged in the court documents to have used a Yahoo e-mail account to contact Mr. Baratov and hire him to get the log-in information for about 80 accounts belonging to victims of the Yahoo hack.

I get why you wouldn’t email Baratov from your [email protected] account, because that would alert Canadian and US authorities he was working with Russian spies. But surely a Russian spy knows enough not to communicate via an account that is readily available to US authorities under Section 702, even if the conspirators’ persistent presence in the Yahoo servers might alert you to such surveillance? Even if you wanted to use an account in North America there are surely better options.

In other words, there are a lot of reasons to believe that Dokuchaev was making more effort to keep this activity out of easy reach of Russian authorities than he did to hide it from the US.


How Was Karim Baratov Paid?

The indictment accusing two FSB officers and two hackers of compromising Yahoo in 2014-2016 is remarkably detailed. It describes how Alexsey Belan accessed individual Yahoo accounts (though not how he broke in the first time). It provides lists and lists of who got hacked, in enough detail that any victims who didn’t already know would learn they had been targeted — as would anyone else in Moscow who might find these details of interest.

I want to look closely, though, at what it tells us about how one of the hackers, Karim Baratov, got paid.

The question is not that interesting as it pertains to Belan. In his case, the indictment describes a number of ways he profited off the hack — with marketing commissions for erectile dysfunction drugs, with spam targets based off millions of hacked Yahoo accounts, and with credit and gift card numbers stolen from specific accounts. Moreover, any additional payment to Belan would be internal to Russia — a cinch to pull off without attracting the attention of the FBI or Department of Treasury.

But Baratov, the phisher that broke into Google and (presumably) Yandex accounts for the FSB men after they were identified via Yahoo metadata, is in Canada, meaning financial transfers would be international.

The indictment explains that he demanded payment of about $100 via online payment system per successful phish, and that FSB officer Dmitry Dokuchaev had to pay before obtaining the credentials.

During the conspiracy DOKUCHAEV tasked BARATOV with obtaining unauthorized access to at least 80 identified email accounts, including at least 50 identified Google accounts.

[snip]

When BARATOV successfully obtained unauthorized access to a victim’s account, he notified DOKUCHAEV and provided evidence of that access. He then demanded payment, generally approximately U.S. $100, via online payment services.

Once DOKUCHAEV sent BARATOV a payment, BARATOV provided DOKUCHAEV with valid, illicitly obtained account credentials permitting DOKUCHAEV, SUSHCHIN, and others known and unknown to thereafter access the victim’s account without further assistance from BARATOV.

[snip]

Upon successfully gaining the credentials for a tasked account, BARATOV informed DOKUCHAEV that he could be paid for his work in Russian rubles, U.S. dollars, Ukrainian hryvnia, or Euros through online payment services. DOKUCHAEV then paid BARATOV using these means.

Altogether, Baratov provided access to upwards of 80 accounts, for a total profit of not much more than $8,000 for crimes that expose him to decades in prison.

At least once (though I believe just this once), the indictment actually records Dokuchaev paying Baratov.

On or about November 17, 2015, BARATOV sent DOKUCHAEV the password for ****[email protected], to which account DOKUCHAEV had tasked BARATOV to gain unauthorized access.

On or about November 17, 2015, DOKUCHAEV paid BARATOV U.S. $104.20.

We also learn that — in addition to seizing Baratov’s Aston Martin and Mercedes — the government will be seizing the contents of a Paypal account in his name.

All funds which constitute proceeds that are held on deposit in PayPal account number xxxxxxxxxxxxxxx9844, held by BARATOV in the name of “Elite Space Corporation”;

Brian Krebs pointed to one of Baratov’s hacker for hire sites that also accepted payment in WebMoney and YandexMoney.

According to this G&M article, the documents filed in support for extraditing Baratov say the Paypal account was tied to a Royal Bank checking account. (It also says Dokuchaev communicated with Baratov via a Yahoo account!)

The payments are alleged to have travelled through Web accounts including a PayPal account that links to a Royal Bank chequing account in Mr. Baratov’s name. Between February, 2013, and October, 2016, Mr. Baratov received more than $211,000 via that PayPal account, the court records say, adding, however, that the amounts he is alleged to have earned from the Yahoo scheme are smaller.

And the indictment also lists a Dokuchaev Paypal account for forfeiture.

All funds which constitute proceeds that are held on deposit in PayPal account number xxxxxxxxxxxxxxx2639, held by DOKUCHAEV;

So we have a pretty good idea of how the Paypal payments got to Baratov: from Dokuchaev’s account to Baratov’s to Baratov’s Royal Bank checking account.

But we don’t know where the money in Dokuchaev’s account came from — and whether it made the FSB tie clear.

Jeffrey Carr has asked whether this operation was an official or rogue operation from the FSB side — a question which has merit and which I’ll return to. That question certainly raises the stakes on where the money in Dokuchaev’s Paypal account came from.

There’s also the other question. Baratov clearly made more than the $211,000 that came into his Royal Bank account. $211,000 would barely cover his fancy cars, much less the ability to throw $100 bills at trick or treaters. So where is the rest of Baratov’s hacking income coming from?

Incidentally, according to the G&M, Baratov was put under surveillance by the RCMP around March 7. His $900K house was put on sale on March 13, but then delisted after the indictment. The indictment was actually dated February 28.


Dianne Feinstein Discovers It’s Not “Just” Metadata

Over the course of years of defending the NSA’s bulk metadata programs, Dianne Feinstein made a series of statements to suggest that massive collection of metadata — including aspiring to collect the phone records of every American — was no big deal because it didn’t include content.

June 6, 2013:

[T]his is just metadata. There is no content involved.

October 20, 2013:

The call-records program is not surveillance. It does not collect the content of any communication.

May 18, 2014:

It’s not a surveillance program, it’s a data-collection program.

But it appears Senator Feinstein no longer believes that the bulk collection of metadata is a minor issue. In response to yesterday’s unsealing of the indictment against 4 Russian hackers for targeting Yahoo, Feinstein had this to say:

Today’s charges against hackers and Russian spies for the theft of more than 500 million Yahoo user accounts is the latest evidence of a troubling trend: Russia’s sustained use of cyber warfare for both intelligence gathering and financial crimes. The indictment shows that Russia used these cyberattacks to target U.S. and Russian government officials, Russian journalists and employees of cybersecurity, financial services and commercial entities.

500 million user accounts didn’t get hacked. Upwards of 6,500 accounts got hacked for content, and the contacts of another 30 million were harvested for spam marketing. The 500 million number refers to the theft of a database of metadata. The indictment made clear that this was non-content data:

21. Beginning no later than 2014, the conspirators stole non-content information regarding more than 500 million Yahoo user accounts as a result of their malicious intrusion. The theft of user data was part of a larger intrusion into Yahoo’s computer network, which continued to and including at least September 2016. As part of this intrusion, malicious files and software tools were downloaded onto Yahoo’s computer network, and used to gain and maintain further unauthorized access to Yahoo’s network and to conceal the extent of such access.

22. The user data referenced in the preceding paragraph was held in Yahoo’s User Database (“UDB”). The UDB was, and contained, proprietary and confidential Yahoo technology and information, including, among other data, subscriber information, such as: account users’ names; recovery email accounts and phone numbers, which users provide to webmail providers, such as Yahoo, as alternative means of communication with the provider; password challenge questions and answers; and certain cryptographic security information associated with the account, i.e. the account’s “nonce”, further described below. Some of the information in the UDB was stored in an encrypted form.

Feinstein has long insisted that so long as content is not collected, it doesn’t amount to surveillance.

Now, I’ll grant you: the Yahoo database included far richer metadata than NSA got under the bulk phone and Internet metadata programs that Feinstein long championed. It includes names, alternate contacts, password hints, and that nonce (which is what the Russians used to break into email accounts themselves).

But we know that NSA’s phone and Internet dragnet programs correlated collected metadata with other information it had to develop this kind of profile of targeted users. We know it has the ability (and so therefore, presumably does) collect such data — as metadata — overseas. The definition of EO 12333 collected metadata that can be shared freely between intelligence agencies remains silent on whether it includes things like names. And even the modified phone dragnet program rolled out under USA Freedom Act correlates data — meaning it will pull from all known instances of the identifier — even before requesting data from providers.

So NSA is still collecting metadata — in quantities greater than what Russia stole from Yahoo — including metadata on US persons.

Perhaps given Feinstein’s newfound discovery of how compromising such information can be, she’ll be a little more attentive to NSA and FBI’s own use of bulk metadata?


The Yahoo Indictment: Erectile Dysfunction Marketing, Plus Stuff NSA Does All the Time

With much fanfare today, DOJ indicted four men for pawning Yahoo from 2014 to 2016. The indictment names two FSB officers, Dmitry Dokuchaev (who was charged by Russia with treason in December) and Igor Sushchin (who worked undercover at a Russian financial company), and two other hackers, Alexsey Belan (who has been indicted in the US twice and was named in December’s DNC hack sanctions) and Karim Baratov (who, because he lives in Canada, was arrested and presumably will be extradited).

Among the charged crimes, they accused Belan of using his access to the Yahoo network to game search results for erectile dysfunction drugs, for which he got commission from the recipient of the redirected traffic.

BELAN leveraged his access to Yahoo’s network to enrich himself: (a) through an online marketing scheme, by manipulating Yahoo search results for erectile dysfunction drugs; (b) by searching Yahoo user email accounts for credit card and gift card account numbers and other information that could be monetized; and (c) by gaining unauthorized access to the accounts of more than 30 million Yahoo users, the contacts of whom were then stolen as part of a spam marketing scheme.

But almost the entirety of the rest of the indictment — forty-seven charges worth — consists of stuff the FBI and NSA do both lawfully in this country and under EO 12333 in other countries (almost certainly including Russia).

Collect metadata and then collect content over time

Consider the details the indictment provides about how these Russians obtained information from Yahoo and other email services, including Google.

First, they collected a whole bunch of metadata.

[T]he conspirators stole non-content information regarding more than 500 million Yahoo user accounts as a result of their malicious intrusion.

The US did this in bulk under the PRTT Internet dragnet program from 2004 to 2011, and now conducts similar metadata collection overseas (as well as — in more targeted fashion — under PRISM). Mind you, the Russians got far more types of metadata than the US did under the PRTT program.

account users’ names; recovery email accounts and phone numbers, which users provide to webmail providers, such as Yahoo, as alternative means of communication with the provider; password challenge questions and answers; and certain cryptographic security information associated with the account, i.e. the account’s “nonce”

But this likely gives you an understanding of the kinds of things the US does collect overseas, as well as via the PRISM program.

The Russians then either accessed the accounts directly or created fake cookies to access accounts (note, the US also gets cookies lawfully from at least some Internet providers; I suspect they also do so under the new USA Freedom collection).

The indictment provides this comment about how many Yahoo user accounts the Russians accessed by minting cookies over the almost three years they were in Yahoo’s networks (January 2014 to December 1, 2016; this may not represent the entirety of the Yahoo content they accessed).

The conspirators utilized cookie minting to access the contents of more than 6,500 Yahoo user accounts.

Compare that to US requests from Yahoo in just 2015. Yahoo turned over content on at least 40,000 accounts under FISA (first half, second half) and content in response to 2,356 US law enforcement requests during a period when government requests averaged 1.8 accounts per request (so roughly 4,240 accounts).

Once they accessed the accounts, they maintained access to them, as the government does under PRISM.

The conspirators used their access to the AMT to (among other unauthorized actions) maintain persistent unauthorized access to some of the compromised accounts.

The Russians used both the metadata and content stolen from Yahoo to obtain access to other accounts, both in the US and in Russia.

the conspirators used the stolen Yahoo data to compromise related user accounts at Yahoo, Google, and other webmail providers, including the Russian Webmail Provider

Again, this is a key function of metadata requests by the US — to put together a mosaic of all the online accounts of a given target, so they can access all the accounts that may be of interest.

Like PRISM (but reportedly unlike the scan of all Yahoo emails FBI had done in 2015), the Russians were not able to search all of Yahoo’s email for content. Instead they searched metadata to find content of interest.

The AMT did not permit text searches of underlying data. It permitted the conspirators to access information about particular Yahoo user accounts. However, by combining their control of the stolen UDB copy and access to the AMT, the conspirators could, for example, search the UDB contents to identify Yahoo user accounts for which the user had provided a recovery email account hosted by a specific company of interest to the conspirators (e.g., “[email protected]”), showing that the user was likely an employee of the company of interest, and then use information from the AMT to gain unauthorized access to the identified accounts using the means described in paragraph 26.

And, as we’ll see below, the Russians “hunted SysAdmins,” as we know NSA does, to get further access to whatever networks they managed.

In other words, aside from the Viagra ads and credit card theft, the Russians were doing stuff that America’s own spies do all the time, using many of the same methods.

Let me be clear: I’m not saying this means America is just as evil as Russia. Indeed, as the list of targets suggests, a lot of this collection serves for internal spying purposes, something the US primarily does under the guise of Insider Threat analysis. Rather, I’m simply observing that except for some of the alleged actions of Belan, this indictment is an indictment for spying, not typical hacking.

The US didn’t indict anyone in China when it hacked Google in 2013. Nor did China indict the US when details of America’s far greater sabotage of Huawei networks emerged under the Snowden leaks. But the US chose to indict not just Belan, but also three people engaged in nation-state spying. Why?

Redefine economic espionage

I find all this particularly interesting given that the government included four charges — counts 2 and 4 through 6 — related to economic espionage for stealing the following:

a. Yahoo’s UDB and the data therein, including user data such as the names of Yahoo users, identified recovery email accounts and password challenge answers, and Yahoo-created and controlled data regarding its users’ accounts;

b. Yahoo’s AMT, its method and manner of functioning and capabilities, and the data it contained and provided; and

c. Yahoo’s cookie minting source code.

The US always justifies its global spying by claiming that it does not engage in industrial espionage, based on the flimsy explanation that it doesn’t share any information with allegedly private companies (including government contractors like Lockheed) they can use to compete unfairly.

But here we are, treating nation-state information collection — the kinds of actions our own hackers do all the time — as economic espionage. The only distinction here is that Belan also used his Yahoo access for personal profit. And yet Sushchin and Dokuchaev are also named in those counts.

Which raises the question of why DOJ decided to indict this as they did, especially since it risks an escalation of spying-related indictments. If I were Russia (maybe even China) I’d draw up indictments of American spies who’ve accessed Vkontakte or Yandex and accuse them of economic espionage.

I’ve got several suggestions:

  • To leverage Baratov to learn more about the other three indictees (and FSB Officer 3, who is also mentioned prominently in the indictment)
  • To expose Russia’s targets
  • To expose FSB’s internal spying

Leverage Baratov to learn more about the other three indictees (and FSB Officer 3)

The US is almost certainly never going to get custody of Sushchin, Dokuchaev, or Belan, who are all in Russia safe from any extradition requests. That’s not true of Baratov, who was arrested and whose beloved Aston Martin and Mercedes Benz will be seized. These charges are larded on in such a way as to incent cooperation from Baratov.

Which means the government probably hopes to use the indictment to learn more about the other three indictees.

Remember: Belan was named in the sanctions on the DNC hack. So it may be that DOJ wants more information about those he works with, possibly up to and including on the DNC hack.

Expose Russia’s targets

Then there are the very long descriptions of the kind of people the accused collected on. The indictment highlights these three examples.

For example, SUSHCHIN, DOKUCHAEV, and BARATOV sought access to the Google, Inc. (“Google”) webmail accounts of:

a. an assistant to the Deputy Chairman of the Russian Federation;

b. an officer of the Russian Ministry of Internal Affairs;

c. a physical training expert working in the Ministry of Sports of a Russian republic;

Then provides this list of people hacked at Yahoo:

  • a diplomat from a country bordering Russia who was posted in a European country
  • the former Minister of Economic Development of a country bordering Russia (“Victim A”) and his wife (“Victim B”)
  • a Russian journalist and investigative reporter who worked for Kommersant Daily
  • a public affairs consultant and researcher who analyzed Russia’s bid for World Trade Organization membership
  • three different officers of U.S. Cloud Computing Company 1
  • an account of a Russian Deputy Consul General
  • a senior officer at a Russian webmail and internet-related services provider

And this list of people targeted by Belan (who may or may not have been related to his own efforts rather than FSB’s):

  • 14 employees of a Swiss bitcoin wallet and banking firm
  • a sales manager at a major U.S. financial company
  • a Nevada gaming official
  • a senior officer of a major U.S. airline
  • a Shanghai-based managing director of a U.S. private equity firm
  • the Chief Technology Officer of a French transportation company
  • multiple Yahoo users affiliated with the Russian Financial Firm

And this list of people Baratov hacked at Gmail and other ISPs:

  • an assistant to the Deputy Chairman of the Russian Federation
  • a managing director, a former sales officer, and a researcher, all of whom worked for a major Russian cyber security firm;
  • an officer of the Russian Ministry of Internal Affairs assigned to that Ministry’s “Department K,” its “Bureau of Special Technical Projects,” which investigates cyber, high technology, and child pornography crimes;
  • a physical training expert working in the Ministry of Sports of a Russian republic;
  • a Russian official who was both Chairman of a Russian Federation Council committee and a senior official at a major Russian transport corporation
  • the CEO of a metals industry holding company in a country bordering Russia
  • a prominent banker and university trustee in a country bordering Russia
  • a managing director of a finance and banking company in a country bordering Russia
  • a senior official in a country bordering Russia

For those who weren’t alerted by Yahoo or Google they’d been hacked, these descriptions provide enough detail (as well as partial email addresses for some targets) to figure it out from the indictment.

Expose FSB’s internal spying

As these descriptions make clear, some of these targets are potentially well-connected people in Russia: a Russian Deputy Consul General, someone from Department K, the office of the Deputy Chairman of the Russian Federation, the Chairman of a Russian Federation Council committee (who also happens to be a businessman). Perhaps those people were targeted for sound political reasons — perhaps counterintelligence or corruption, for example. Or perhaps FSB was just trying to gain leverage in the political games of Russia.

Remember: One of the guys — Dokuchaev — is already being prosecuted in Russia for treason. These details might give Russia more ammunition to go after him.

Sushchin is a special example. As the indictment explains, he was working undercover at some Russian financial firm, but it’s unclear whether his firm knew he was FSB or not.

SUSHCHIN was embedded as a purported employee and Head of Information Security at the Russian Financial Firm, where he monitored the communications of Russian Financial Firm employees, although it is unknown to the grand jury whether the Russian Financial Firm knew of his FSB affiliation.

But it’s clear that Sushchin’s role here was largely to conduct some very focused spying on the firm that he worked for.

In one instance, in or around April 2015, SUSHCHIN ordered DOKUCHAEV to target a number of individuals, including a senior board member of the Russian Financial Firm, his wife, and his secretary; and a senior officer of the Russian Financial Firm (“Corporate Officer 1”).

[snip]

[I]n or around April 2015, SUSHCHIN sent DOKUCHAEV a list of email accounts associated with Russian Financial Firm personnel and family members to target, including Google accounts. During these April 2015 communications, SUSHCHIN identified a Russian Financial Firm employee to DOKUCHAEV as the “main target.” Also during these April 2015 communications, SUSHCHIN forwarded to DOKUCHAEV an email sent by that “main target’s” wife to a number of other Russian Financial Firm employees. SUSHCHIN added the cover note “this may be of some use.”

Maybe that operation was known by his employers; maybe it wasn’t. Certainly, his cover has now been blown.

All of which is to say that — splashy as this indictment is — the unstated reasons behind it are probably far more interesting than the actual charges listed in it.

 


The Friday Afternoon Massacre: Who Is Overseeing the Trump Investigation?

Update: After refusing to resign, Preet has now officially been fired. It remains to be seen whether there’s some underlying legal reason to force Trump to do this, or whether it’s press grand-standing.

Dana Boente, the US Attorney for Eastern District of VA and Acting Deputy Attorney General since Trump fired Sally Yates, just called the other US Attorneys and told them to submit their resignations effective immediately.

The press seems most interested in whether this order covers media hound Preet Bharara, US Attorney for Southern District of NY. Preet is leading an investigation into NY political scandals affecting key Democrats, and Trump had told him he would be kept on (Preet’s political godfather is Chuck Schumer, which may have had something to do with that).

But I’m far more interested in whether Boente himself is resigning to himself.

In addition to serving as Acting DAG, since Jeff Sessions recused himself from any investigation into Trump last week, Boente has been in charge of that investigation. So if Boente resigned to himself this afternoon, it would mean no one was in charge of the investigation. Plus, Boente also oversees several other interesting investigations, notably the long-standing investigation of Wikileaks.

Mind you, Rod Rosenstein, at least until this afternoon US Attorney for MD, is all teed up to be confirmed as DAG. Except Richard Blumenthal has said he would hold up that confirmation until a special counsel was appointed to investigate Trump. With no DAG and no one in charge of the Trump investigation (the USAs in WDPA, DC, and NDCA, who also have a piece of the investigation, presumably also just resigned), Blumenthal might be pressured to relent on that front.

Update: NBC finally got some clarity on Boente — he (and Rosenstein) will stay on. Which I guess means Preet is out.


The Feedback Loop in Christopher Steele’s Dossier

Last week, at least three media outlets provided new details about the relationship between former MI6 officer Christopher Steele — the author of the Trump dossier — and the FBI. First WaPo reported that Steele had reached a verbal agreement that the FBI would pay him to continue his investigation of Russia’s involvement with Trump after still unnamed Democrats stopped paying him after the election. CNN then reported that FBI actually had paid Steele for his expenses. Finally, NBC reported Steele backed out of the deal before it was finalized. Chuck Grassley just sent a letter to Jim Comey asking for more information about the proposed arrangement with Steele.

I’m with Grassley on this. According to WaPo and NBC, FBI would only have paid Steele after the election, presumably regardless of the outcome; by that point Steele’s research couldn’t affect the outcome of the election. Nevertheless, the possibility that FBI may have used information from a Democratically paid oppo researcher does raise questions of propriety. Add in the discrepancies in these three reports about whether FBI did pay for Steele’s work, and Grassley is right to raise questions.

I’m also interested in what the relationship says about the way in which political necessities may have impacted the content of Steele’s dossier. All three reports attribute the termination of any FBI-Steele relationship, at least in part, to Steele’s frustration with the FBI. WaPo goes on at some length, explaining that Steele got pissed when Jim Comey reopened the Hillary investigation on October 28, and then grew angrier after the NYT reported the FBI had not confirmed any link to Russia.

Ultimately, the FBI did not pay Steele. Communications between the bureau and the former spy were interrupted as Steele’s now-famous dossier became the subject of news stories, congressional inquiries and presidential denials, according to the people familiar with the arrangement, who spoke on the condition of anonymity because they were not authorized to discuss the matter.

[snip]

In October, anticipating that funding supplied through the original client would dry up, Steele and the FBI reached a spoken understanding: He would continue his work looking at the Kremlin’s ties to Trump and receive compensation for his efforts.

But Steele’s frustration deepened when FBI Director James B. Comey, who had been silent on the Russia inquiry, announced publicly 11 days before the election that the bureau was investigating a newly discovered cache of emails Clinton had exchanged using her private server, according to people familiar with Steele’s thinking.

Those people say Steele’s frustration with the FBI peaked after an Oct. 31 New York Times story that cited law enforcement sources drawing conclusions that he considered premature. The article said that the FBI had not yet found any “conclusive or direct link” between Trump and the Russian government and that the Russian hacking was not intended to help Trump.

WaPo doesn’t lay this out in detail, however. Here’s what happened on those days in October:

October 28: Comey informs eight committee chairs he will reopen the investigation, which promptly (and predictably) leaks.

October 30: Having been officially briefed on the dossier, Harry Reid writes Comey accusing him of a Hatch Act violation for releasing the information on Clinton while withholding what we know to be information in the dossier.

October 31, 6:52PM: David Corn publishes story based on dossier.

October 31, 9:27PM: NYT publishes article describing multiple investigations into Russian interference, stating “no evidence has emerged that would link him or anyone else in his business or political circle directly to Russia’s election operations.”

October 31, 10:52PM: NYT edits article, adding “conclusive or direct” as a caveat in the sentence “Law enforcement officials say that none of the investigations so far have found any conclusive or direct link between Mr. Trump and the Russian government.”

Notably, assuming the times in Newsdiffs (from which I got the NYT timing) are correct, Steele had already gone public before the NYT published its article. That suggests he (like Harry Reid) believed his research should be part of a competing public story. And by going public in what was obviously a Democratically-seeded article, Steele likely made it far more difficult for FBI to continue the relationship.

Already, these new timeline details raise questions about the degree to which Steele’s concerns that the Trump Russian investigation should have more prominence than the email investigation may have influenced his work. Even if Jim Comey did do something colossally stupid by announcing the reopening of the investigation, that shouldn’t affect Steele’s interest in providing the best intelligence to the US, regardless of the public impact, unless he was always motivated primarily by his role as campaign oppo researcher.

The pointless Alfa Bank report that nevertheless seems to reinforce the dodgy Alfa server story

But I also wonder whether it relates to the content. Consider report 112, dated September 14. It pertains to “Kremlin-Alpha Group Cooperation.” It doesn’t have much point in a dossier aiming to hurt Trump. None of his associates nor the Russian DNC hack are mentioned. It does suggest that Alfa Group had a “bag carrier … to deliver large amounts of illicit cash to” Putin when he was Deputy Mayor of St. Petersburg, though it describes the current relationship as “both carrot and stick,” relying in part on kompromat pertaining to Putin’s activities while Deputy Mayor. It makes no allegations of current bribery, though it says mutual leverage helps Putin “do his political bidding.”

As I said, there’s no point to have that Alfa Bank passage in a dossier on Trump. But it does serve, in its disclosure, to add a data point (albeit not a very interesting one) to the Alfa Server story that (we now know) FBI was already reviewing but which hadn’t been pitched to the press yet. In Corn’s piece, he mentions the Alfa Bank story but not the report on Putin’s ties to it. It may be in there because someone — perhaps already in possession of the Alfa Bank allegations — asked Steele to lay out more about Alfa’s ties with Putin.

Here’s one reason that’s interesting, though. Even aside from all the other reasons the Alfa story is dodgy, it was deliberately packaged for press consumption. Rather than the at least 19 servers that Trump’s spam email was pinging, it revealed just two: Alfa Bank and Spectrum Health (the latter of which got spun, anachronistically, as a DeVos organization that thus had to be tight with Trump). Which is to say, the Alfa story was dodgy and packaged by yet unknown people.

The discovery of direct collusion during the intelligence review of the Russian hack

More interesting still is what happens in the period that — according to public reporting, anyway — Steele was working for free.

Contrary to what Steele’s anger suggests, there was no real evidence of direct Russian ties to Trump outside of the famous PeeGate incident (and even if that happened, he was not a knowing participant). In the first report, there’s a claim that “the Kremlin has been feeding TRUMP and his team valuable intelligence … including Democratic presidential candidate Hillary Clinton,” but the part of the report that purportedly describes that sharing states that the Kremlin file on Hillary “had not yet been made available abroad, including to TRUMP or his campaign team,” seemingly contradicting the claim. A subsequent report describes a Presidential Administration official discussing the “possible release [of the dossier] to the Republican’s campaign team,” but without any confirmation that occurred (or even that Trump knew about it).

A subsequent report includes a claim of a “well-developed conspiracy of co-operation between [Trump’s team] and the Russian leadership managed through Paul Manafort and Carter Page.” It continued to suggest a quid pro quo between the Russian hack and a shift on Ukraine and NATO policies. But in subsequent discussions of Manafort and Page’s corruption, it drops this claim entirely. Even when Michael Cohen enters the narrative, it’s about managing fallout over Manafort’s Ukrainian corruption.

There are claims that Trump was trying to set up business in Russia, followed by repeated descriptions of Russians not succeeding in getting him to do so.

In other words, in spite of the fact that there were some really damning allegations in the reports, the subsequent reporting didn’t necessarily back the most inflammatory aspects of them.

After the election, there’s just one report, dated December 13. That dates it to after the CIA’s leak fest reporting that Putin hacked the DNC not just to hurt Hillary and the US, but also to elect Trump. It dates to after Obama ordered an IC report on the hack. It dates to after John McCain delivered yet another copy of the dossier to FBI. It slightly precedes a Crowdstrike report (also done for free) bumping its formerly non-public “medium” confidence that Russia’s GRU hacked the DNC to “high.”

And after previous reports describing Michael Cohen’s meetings as serving to cover up Manafort’s corruption and Page’s non-consummated Rosneft deal, this one alleges “the operatives involved [in the DNC hack] had been paid by both TRUMP’s team and the Kremlin,” the first such allegation. That is, over a month after the election but less than a month before its leak, the kind of detail backing direct collusion reappeared in this report.

Chuck Grassley’s questions

Which brings me back to Grassley’s letter. In addition to asking about payments, whether the agreement ever went into force, and whether and how Steele’s material served as a basis for FBI reports or even warrants, Grassley asks a question I’ve long wanted to know: Why we got this version of the memo, which is obviously just a partial selection of the complete dossier (rather like the Alfa story).

  1. How did the FBI first obtain Mr. Steele’s Trump investigation memos?  Has the FBI obtained additional memos from this same source that were not published by Buzzfeed?  If so, please provide copies.

We will actually learn a lot about the validity of the dossier if we see what other parts got dealt to the FBI, and if so whether the copy released to the public was cherry picked for the most damning information.


How Trump’s Tantrum May Lead Trump Transition Official Devin Nunes to Delegitimize the Investigation

There are three developments in the wake of President Trump’s twitter rant claiming “Obama had my ‘wires tapped’ in Trump Tower” yesterday.

James Clapper denies a wiretap on Trump or his campaign

First, James Clapper went on Meet the Press and denied there was FISA-authorized wiretap activity mounted against Trump or his campaign.

CHUCK TODD: Let me start with the President’s tweets yesterday, this idea that maybe President Obama ordered an illegal wiretap of his offices. If something like that happened, would this be something you would be aware of?

JAMES CLAPPER: I would certainly hope so. I can’t say– obviously, I’m not, I can’t speak officially anymore. But I will say that, for the part of the national security apparatus that I oversaw as DNI, there was no such wiretap activity mounted against– the president elect at the time, or as a candidate, or against his campaign. I can’t speak for other Title Three authorized entities in the government or a state or local entity.

CHUCK TODD: Yeah, I was just going to say, if the F.B.I., for instance, had a FISA court order of some sort for a surveillance, would that be information you would know or not know?

JAMES CLAPPER: Yes.

CHUCK TODD: You would be told this?

JAMES CLAPPER: I would know that.

CHUCK TODD: If there was a FISA court order–

JAMES CLAPPER: Yes.

CHUCK TODD: –on something like this.

JAMES CLAPPER: Something like this, absolutely.

CHUCK TODD: And at this point, you can’t confirm or deny whether that exists?

JAMES CLAPPER: I can deny it.

CHUCK TODD: There is no FISA court order?

JAMES CLAPPER: Not– not to my knowledge.

CHUCK TODD: Of anything at Trump Tower?

JAMES CLAPPER: No.

As always with Clapper, it pays to look at what he denies: “wiretap activity” of Trump or his campaign and a FISA court order “of anything at Trump Tower.” That still leaves open wiretaps directed at people deemed not to be tied to his campaign — would Paul Manafort count, for example, after he had purportedly left the campaign? It leaves open the possibility of other kinds of collection, such as financial transfers (which they have multiple other ways of getting, like SWIFT and Section 215 and SARs from banks) affecting Trump’s campaign. It also leaves open a whole range of targeting of Russians that happens to pick up Trump’s campaign officials.

Clapper also excludes, in his denial, Title III warrants. That’s important because of reporting that the investigation of Manafort started as a criminal investigation.

Note, Clapper goes on to state clearly that, at least as of the time he left, there was no evidence of collusion between Trump’s campaign and the Russians. “[A]t the time [of the IC report], we had no evidence of such collusion,” though he allows such evidence could have “become available in the time since I left the government.”

Sean Spicer asks Congress to find out which Trump aides were wiretapped

Also this morning, Sean Spicer released a curious statement. It starts by stating that certain “reports” are “very troubling.”

Reports concerning potentially politically motivated investigations immediately ahead of the 2016 election are very troubling.

Not only does this attempt to absolve the President of his unhinged tweeting, but it backs my argument that Trump was responding to the Breitbart article which was itself based off misleading information.

Spicer then states the Trump “is requesting” that the intelligence committees “determine whether executive branch investigative powers were abused in 2016.”

President Donald J. Trump is requesting that as part of their investigation into Russian activity, the congressional intelligence committees exercise their oversight authority to determine whether executive branch investigative powers were abused in 2016.

White House Counsel Don McGahn reportedly spent yesterday trying to chase down a purported FISA warrant targeting Trump. Trump has the ability to do this himself (though it would be improper). Either McGahn learned there was nothing, or Trump wants to have the Intelligence Committees — led by Trump national security advisor Richard Burr and Trump transition official Devin Nunes — check into his claims.

And with that, Spicer says neither Trump nor anyone else will comment on Trump’s unhinged twitter rant until the intelligence committees are done.

Neither the White House nor the President will comment further until such oversight is conducted.

Let’s see whether Spicer can prevent Trump from going on another rant.

Devin Nunes takes up Trump’s request

Finally, Devin Nunes released a statement saying that the House Intelligence Committee would do what the President asked.

One of the focus points of the House Intelligence Committee’s investigation is the U.S. government’s response to actions taken by Russian intelligence agents during the presidential campaign. As such, the Committee will make inquiries into whether the government was conducting surveillance activities on any political party’s campaign officials or surrogates, and we will continue to investigate this issue if the evidence warrants it.

In fact, that category “the U.S. government’s response” was supposed to be geared towards preventing a future attack; that bullet ended “what do we need to do to protect ourselves and our allies in the future?” in the scope of investigation agreed on with Adam Schiff just earlier this week.

Plus, what happened to the previously emphasized part of the HPSCI investigation, leaks?

What possible leaks of classified information took place related to the Intelligence Community Assessment of these matters?

After all, if Trump’s twitter rant yesterday had any basis in truth, he just told a bunch of people about a FISA wiretap.

 

But Nunes doesn’t appear to think Trump’s twitter rant did reveal classified information. Huh.

In any case, let’s review what has happened.

On Thursday, Jeff Sessions recused from the election-related parts of this investigation. In response, Trump went on a rant (inside the White House) reported to be as angry as any since he became President. The next morning, Trump responded to a Breitbart article alleging a coup by making accusations that suggest any wiretaps involved in this investigation would be improper. Having reframed wiretaps that would be targeted at Russian spies as illegitimate, Trump then invited Nunes to explore any surveillance of campaign officials, even that not directly tied to Trump himself.

And Nunes obliged.

If I’m someone tied to the Hillary campaign, here’s what I do: I immediately call on Devin Nunes to explain how a second set of Huma Abedin’s emails involving the Hillary server got targeted just days before the election. We still don’t know the circumstances of that discovery. And if Nunes is concerned about inappropriate surveillance, surely he’ll want to get to the bottom of that potentially election-altering surveillance.


The Conspiratorial Game of Telephone in Bannon’s Rag that Made Left, Right, and POTUS Go Crazy

A story published in Steve Bannon’s rag, Breitbart, got circulated around the White House this morning like some President’s Daily Conspiracy, sending President Trump off on a rant attacking the counterintelligence investigation into his aides’ (and possibly his own) ties with Russia.

Let me unpack it.

The story basically captures a narrative Mark Levin rolled out Thursday night (that is, right after Jeff Sessions recused himself from the Russian hack investigation), which basically lards out the story of counterintelligence intercepts mostly targeting Russians, to suggest Jeff Sessions was brought down in an invented coup.

The Louise Mensch story

The story starts with this Louise Mensch story. For those who don’t know, Mensch is a former Tory Member of Parliament, now the wife of an American rock promoter. Since quitting Parliament to spend more time with her family, she has become a pundit known for taking reasonable observations, injecting just a bit of whack, and turning them into fairly unhinged theories. Perhaps her best known foray into investigative work is when she unknowingly used her own racist search history to impugn a Jeremy Corbyn supporter. In spite of her still apparent tolerance for racism, she offered up her support to Hillary on Valentine’s Day in 2016. Of late, she has been writing unified theories of Russian spying that start from real nuggets and important observations, then spin loose from the actual supporting evidence.

Back to Mensch’s original article. At a time when Hillary’s team was furious that the FBI had been publicly discussing her emails rather than Trump’s Russian ties, Mensch reported that the FBI got a FISA order in October, after having been denied a more broadly drawn order earlier in the year.

The timing of the October FISA order has been backed in subsequent reporting. It is Mensch’s explanation for the basis of the order that is the problem, as it relied on the dodgy Alfa Bank story.

Contrary to earlier reporting in the New York Times, which cited FBI sources as saying that the agency did not believe that the private server in Donald Trump’s Trump Tower which was connected to a Russian bank had any nefarious purpose, the FBI’s counter-intelligence arm, sources say, re-drew an earlier FISA court request around possible financial and banking offenses related to the server. The first request, which, sources say, named Trump, was denied back in June, but the second was drawn more narrowly and was granted in October after evidence was presented of a server, possibly related to the Trump campaign, and its alleged links to two banks; SVB Bank and Russia’s Alfa Bank. While the Times story speaks of metadata, sources suggest that a FISA warrant was granted to look at the full content of emails and other related documents that may concern US persons.

[snip]

The FISA warrant was granted in connection with the investigation of suspected activity between the server and two banks, SVB Bank and Alfa Bank. However, it is thought in the intelligence community that the warrant covers any ‘US person’ connected to this investigation, and thus covers Donald Trump and at least three further men who have either formed part of his campaign or acted as his media surrogates. The warrant was sought, they say, because actionable intelligence on the matter provided by friendly foreign agencies could not properly be examined without a warrant by US intelligence as it involves ‘US Persons’ who come under the remit of the FBI and not the CIA. Should a counter-intelligence investigation lead to criminal prosecutions, sources say, the Justice Department is concerned that the chain of evidence have a basis in a clear warrant.

I will return to some other aspects of the Alfa Bank story shortly. But for now, consider that the evidence never showed a private server “in Donald Trump’s Trump Tower … connected to a Russian bank.” Rather, it showed that a marketing server in Philadelphia was pinging Alfa Bank and Grand Rapids’ Spectrum Health. As it turns out, it was pinging at least 16 other servers, but that detail was suppressed when the story got packaged up for the press by yet unidentified people. So even if the FBI would have needed a FISA warrant to read traffic involving a Russian bank (that is, a non-US person located overseas) — which it wouldn’t — it’s highly unlikely they would have gotten that far, because the story didn’t hold up (and was easily explained by the spam that the servers in question were getting). Moreover, there is no way the FBI would have imagined “financial and banking offenses” from a spam marketing server sending regular pings to a bank. So even if the FBI continued to investigate suspected ties between Alfa Bank and Trump (again, more on that in a follow-up), the specific reference Mensch used to hang the FISA order on should never have produced allegations of a wiretap in Trump Tower.
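The complaint above is quantitative: a set of DNS lookups was reduced to two named parties before it reached the press, and the Dyn observation in the opening of this page shows the released data was not even complete. Here is an added example (my own code, not anything from the reporters, Dyn, or the researchers behind the Alfa story) of the sanity check an analyst would run on passive-DNS records before accepting a “server A talks to organisation B” claim: count who looked up the name, see how the lookups are distributed, and measure what share of them a hand-picked subset of parties actually accounts for. The log, the organisation labels and the hostnames are constructed for illustration; real passive-DNS exports have more fields but the same shape.

```python
"""
Passive-DNS sanity check for a "server A talks to organisation B" story.

Records are (timestamp, querying organisation, queried name, record type).
For one name of interest we report how many distinct organisations looked it
up, the per-organisation counts, the share of lookups a chosen subset of
organisations explains, and the mix of record types.  A story that names two
of many lookers-up is then a number, not an impression.  Coverage is only as
good as the sensors: a resolver the collectors did not see simply is not here.
"""
from collections import Counter
from typing import Counter as CounterT, Iterable, List, NamedTuple, Set, Tuple


class Lookup(NamedTuple):
    ts: str      # when the query was observed
    org: str     # label for the network that issued the query
    qname: str   # name that was resolved, normalised to lower case, no trailing dot
    qtype: str   # record type requested (A, MX, ...)


# Constructed sample log (hypothetical names and organisations, not real data).
# "nl-resolver" stands in for lookups a narrower data set would have missed.
SAMPLE_LOG = """\
# ts                    org           qname                        qtype
2016-08-15T10:01:02Z    bank-a        mail1.hotel-marketing.test   A
2016-08-15T10:01:02Z    bank-a        mail1.hotel-marketing.test   A
2016-08-15T11:40:19Z    bank-a        mail1.hotel-marketing.test   A
2016-08-15T12:05:44Z    hospital-b    mail1.hotel-marketing.test   A
2016-08-15T12:05:45Z    hospital-b    mail1.hotel-marketing.test   A
2016-08-15T13:22:08Z    isp-c         mail1.hotel-marketing.test   A
2016-08-15T14:10:31Z    university-d  mail1.hotel-marketing.test   A
2016-08-15T15:00:00Z    nl-resolver   mail1.hotel-marketing.test   A
2016-08-15T15:00:07Z    nl-resolver   mail1.hotel-marketing.test   A
2016-08-15T16:30:12Z    bank-a        www.unrelated.test           A
2016-08-15T17:45:00Z    hotel-e       mail1.hotel-marketing.test   MX
"""


def parse_log(text: str) -> List[Lookup]:
    """Parse whitespace-separated 'ts org qname qtype' lines; skip blanks and comments."""
    records: List[Lookup] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, org, qname, qtype = line.split()
        records.append(Lookup(ts, org, qname.lower().rstrip("."), qtype.upper()))
    return records


def lookups_of(records: Iterable[Lookup], qname: str) -> CounterT[str]:
    """Per-organisation count of lookups of one name."""
    target = qname.lower().rstrip(".")
    return Counter(r.org for r in records if r.qname == target)


def selection_share(counts: CounterT[str], selected: Set[str]) -> Tuple[int, int, int, float]:
    """(lookups by selected orgs, all lookups, distinct orgs, fraction explained by selection)."""
    total = sum(counts.values())
    picked = sum(n for org, n in counts.items() if org in selected)
    return picked, total, len(counts), (picked / total if total else 0.0)


def qtype_profile(records: Iterable[Lookup], qname: str) -> CounterT[str]:
    """Mix of record types requested for one name (A/MX for a mail host is unremarkable)."""
    target = qname.lower().rstrip(".")
    return Counter(r.qtype for r in records if r.qname == target)


def report(text: str, qname: str, selected: Set[str]) -> str:
    """Human-readable summary of the checks above for one name."""
    records = parse_log(text)
    counts = lookups_of(records, qname)
    picked, total, distinct, frac = selection_share(counts, selected)
    lines = [f"{qname}: {total} lookups from {distinct} organisations"]
    for org, n in counts.most_common():
        lines.append(f"  {org:<14}{n:>4}{'  <- named in story' if org in selected else ''}")
    lines.append(f"named organisations explain {picked}/{total} lookups ({frac:.0%})")
    lines.append(f"record types: {dict(qtype_profile(records, qname))}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG, "mail1.hotel-marketing.test", {"bank-a", "hospital-b"}))
```

With the constructed log the two named organisations account for half of the lookups and the name was resolved by six networks, not two; the same functions run unchanged over a real export, and the number that matters is how far that fraction sits from 100%.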

This is not to say FISC didn’t issue an order pertaining to financial questions involving Russians. Mensch also points to David Corn’s piece on the Trump dossier, which we now know alleges a bunch of other, far more substantive financial issues. Later reporting described a tip from a Baltic country. But all of those pertain to suspected Russian bribes of people close to Trump or Paul Manafort’s corruption, not a spam marketing server sending spam to past clients of Trump hotels.

Which is to say that Mensch took a great tip — that there had been a FISC order — and slapped it onto dodgy allegations floating around in ways that didn’t even make sense for FISA, much less the allegations themselves.

Only Mensch says Trump was personally targeted in the FISA order

All that’s important because this is where the allegation that the order “covers Donald Trump” comes from.

The BBC, the next outlet to report it, claimed “Neither Mr Trump nor his associates are named in the Fisa order, which would only cover foreign citizens or foreign entities – in this case the Russian banks.” That didn’t make sense either, because — again — if the targets were two Russian banks, then FBI wouldn’t need a FISA order. And while it went on to say three of Trump’s associates were the “subject” of the investigation (but not the target of the FISA order), it did cite someone outside of DOJ claiming that “it’s clear this is about Trump.” That’s still different than wiretapping Trump Tower.

The Guardian, reporting a week later, says that four of Trump’s associates were the targets of the broadly written FISA requested during the summer.

The Guardian has learned that the FBI applied for a warrant from the foreign intelligence surveillance (Fisa) court over the summer in order to monitor four members of the Trump team suspected of irregular contacts with Russian officials. The Fisa court turned down the application asking FBI counter-intelligence investigators to narrow its focus. According to one report, the FBI was finally granted a warrant in October, but that has not been confirmed, and it is not clear whether any warrant led to a full investigation.

But it doesn’t even confirm that the FISC order took place. Here’s a piece I did in January pushing back against claims that anything should be interpreted by the original “rejection” of the FISA order.

Andy McCarthy relies on Mensch to suggest the FISA order is improper

Mensch’s reliance on the Alfa server story also led Andy McCarthy to suggest impropriety in January, which is the next thing cited in Levin/Breitbart. McCarthy ignores the underlying premise — however discredited — of the Alfa story (that it was being used to bribe Trump) and uses Mensch’s inexact language to suggest FBI agents were instead using FISA to investigate bank crimes.

From the three reports, from the Guardian, Heat Street, and the New York Times, it appears the FBI had concerns about a private server in Trump Tower that was connected to one or two Russian banks. Heat Street describes these concerns as centering on “possible financial and banking offenses.” I italicize the word “offenses” because it denotes crimes. Ordinarily, when crimes are suspected, there is a criminal investigation, not a national-security investigation.

According to the New York Times (based on FBI sources), the FBI initially determined that the Trump Tower server did not have “any nefarious purpose.” But then, Heat Street says, “the FBI’s counter-intelligence arm, sources say, re-drew an earlier FISA court request around possible financial and banking offenses related to the server.”

Again, agents do not ordinarily draw FISA requests around possible crimes. Possible crimes prompt applications for regular criminal wiretaps because the objective is to prosecute any such crimes in court. (It is rare and controversial to use FISA wiretaps in criminal prosecutions.) FISA applications, to the contrary, are drawn around people suspected of being operatives of a (usually hostile) foreign power.

Probably the only thing in the larger range of allegations against Trump people that might be treated as a crime rather than a counterintelligence investigation is Paul Manafort’s acceptance of payments from Ukrainian oligarchs he may not have properly disclosed. Yet later reporting actually confirmed that that started as a criminal investigation, for which (as McCarthy points out) it is a lot easier to get warrants. The rest involves bribery by a foreign power, which is to say spying, and so an appropriate use of FISA.

The expansion of 12333 sharing and the preservation of evidence

Amid a treatment of the Mike Flynn resignation, the release of the dossier (Breitbart sort of tweaks the timeline of these two, though I get that capturing the timeline is tough), and the Sessions disclosures, Breitbart discusses the expansion of information sharing and preservation of evidence.

6. January: Obama expands NSA sharing. As Michael Walsh later notes, and as the New York Times reports, the outgoing Obama administration “expanded the power of the National Security Agency to share globally intercepted personal communications with the government’s 16 other intelligence agencies before applying privacy protections.” The new powers, and reduced protections, could make it easier for intelligence on private citizens to be circulated improperly or leaked.

[snip]

10. March: the Washington Post targets Jeff Sessions. The Washington Post reports that Attorney General Jeff Sessions had contact twice with the Russian ambassador during the campaign — once at a Heritage Foundation event and once at a meeting in Sessions’s Senate office. The Post suggests that the two meetings contradict Sessions’s testimony at his confirmation hearings that he had no contacts with the Russians, though in context (not presented by the Post) it was clear he meant in his capacity as a campaign surrogate, and that he was responding to claims in the “dossier” of ongoing contacts. The New York Times, in covering the story, adds that the Obama White House “rushed to preserve” intelligence related to alleged Russian links with the Trump campaign. By “preserve” it really means “disseminate”: officials spread evidence throughout other government agencies “to leave a clear trail of intelligence for government investigators” and perhaps the media as well.

I think I was the one who first identified the irony of expanding 12333 sharing rules — a move that had been in the works since 2004, when CIA started pushing to resume sharing it had had under Stellar Wind — right as CIA and FBI were investigating Trump allies as potential Russian spies.

Understand: On January 3, 2017, amid heated discussions of the Russian hack of the DNC and public reporting that at least four of Trump’s close associates may have had inappropriate conversations with Russia, conversations that may be inaccessible under FISA’s probable cause standard, Loretta Lynch signed an order permitting the bulk sharing of data to (in part) find counterintelligence threats in the US.

This makes at least five years of information collected on Russian targets available, with few limits, to both the CIA and FBI. So long as the CIA or FBI were to tell DIRNSA or NSA’s OGC they were doing so, they could even keep conversations between Americans identified “incidentally” in this data.

I still don’t think giving the CIA and FBI (and 14 other agencies) access to NSA’s bulk SIGINT data with so little oversight is prudent.

But one of the only beneficial aspects of such sharing might be if, before Trump inevitably uses bulk SIGINT data to persecute his political enemies, CIA and FBI use such bulk data to chase down any Russian spies that may have had a role in defeating Hillary Clinton.

And while the expansion had been in the works for years, it is definitely true that both James Clapper and Loretta Lynch signed off on the sharing after the time Obama ordered a more detailed review of Russia’s role in the election. Indeed, Lynch signed off on it the day after FBI found Mike Flynn’s conversations with Sergey Kislyak showing Flynn telling the Ambassador not to worry about Obama’s new Russian sanctions. It is even possible that the sharing made available intercepts involving some of the Trump aides the FISC hadn’t approved for surveillance.

But Breitbart relies on a PJ Media piece instead, which falsely claims Flynn was targeted in the wiretaps of Kislyak and describes it as an expansion of NSA powers rather than an expansion of FBI and CIA access. Breitbart then concludes that “new powers, and reduced protections, could make it easier for intelligence on private citizens to be circulated improperly or leaked.” The guidelines do aspire to prevent that kind of abuse, but the protections against such abuse are far too weak.

For what it’s worth, I think that 12333 sharing is part of what the NYT reported on, the distribution of information around government. Whereas on January 2, only NSA might have had raw intercepts targeting Russians that might involve Trump aides, on January 3, CIA and FBI (and Treasury, which is also part of this inquiry) might have gotten their own copies, with FBI’s likely stored in an ad hoc database connected with the investigation (and therefore harder to find outside of the CI team investigating it). Nevertheless, the NYT story certainly suggests that Obama’s Administration worked to ensure that Trump couldn’t easily dismantle the investigation into his associates, while hiding the names of Russian spies and other informants. The question is whether it is appropriate to protect an ongoing investigation like that.

Breitbart gets an important detail wrong, however.

It treats the preservation of evidence — something more closely tied to the 12333 sharing and the investigation into people like Manafort and Carter Page — as part of the Jeff Sessions story. It is true that NYT ultimately added the Sessions story to its evidence preservation story, but that was added almost two hours after the story was first posted, to match the WaPo story.

Nevertheless, Breitbart, in a piece written by Trump’s campaign biographer in the rag until recently run by Trump’s consigliere Steve Bannon, links the two, tying this preservation of the ongoing investigation to the events that led to Sessions’ recusal.

Trump goes batshit in response to Sessions’ recusal and then reads a misleading story placed in Bannon’s rag

All this is noteworthy because Trump was apparently already lashing out because Sessions recused himself.

Mr. Trump’s mood was said to be explosive before he departed for his weekend in Florida, with an episode in which he vented at his staff. The president’s ire was trained in particular on Donald F. McGahn, his White House counsel, according to two people briefed on the matter.

Mr. Trump was said to be frustrated about the decision by Jeff Sessions, his attorney general, to recuse himself from participating in any investigations of connections between the Trump campaign and Russia. Mr. Trump has said there were no such connections.

It’s particularly interesting that Trump attacked McGahn, because after what may have been a significant delay this week, he told White House staffers to retain records that may be relevant to the investigation. In addition, Sessions had informed McGahn he was recusing even as Trump was publicly claiming there was no reason to do so.

That’s the backdrop for the moment when Trump read the Breitbart article (I wonder who put it in his hands? Robert Costa reported that Bannon “is working closely with Trump on combating what he calls the ‘deep state’ in intel comm, per multiple people at WH”) and went on a Twitter rant. The rant starts with the same projection he engaged in last night, suggesting Democratic meetings with Sergey Kislyak (about which no one lied under oath) were just as damning as Sessions’ failure to disclose his own meetings with the Russian Ambassador.

He then immediately pivoted back and forth between the confused allegations from the original Mensch piece and Sessions.

Which Trump then expands to suggest something even Breitbart did not — that Obama himself ordered the wiretap on Trump.

Trump’s accusations have led a range of sources to deny that Obama ordered the wiretap in both the NYT,

One former senior law enforcement official who worked under Mr. Obama said that it was “100 percent untrue” that the government had wiretapped Mr. Trump, and that the current president should be pressed to offer any evidence for his assertion.

Ben Rhodes, a former top national security aide to Mr. Obama, said in a Twitter message directed at Mr. Trump on Saturday that “no president can order a wiretap” and added, “Those restrictions were put in place to protect citizens from people like you.”

And in WaPo,

Kevin Lewis, a spokesman for Obama, said in a statement early Saturday afternoon: “A cardinal rule of the Obama Administration was that no White House official ever interfered with any independent investigation led by the Department of Justice. As part of that practice, neither President Obama nor any White House official ever ordered surveillance on any U.S. citizen. Any suggestion otherwise is simply false.”

Why do people believe Trump on Twitter?

In spite of the fact that Trump’s information can be pretty clearly attributed to the Breitbart piece, and the allegations about Trump Tower in it can be pretty clearly shown to be unsubstantiated, both the right and the left took Trump’s tirade to be some kind of confirmation, as if he had just been briefed by the spooks that they’ve been listening in on his calls.

Trump hasn’t been bugged. It’s quite likely a number of Trump’s close associates are, after incriminating information showed up about or involving them on other wiretaps. There’s zero reason to believe Obama ordered them, not least because everyone involved believed Obama was responding too nonchalantly to the Russian accusations.

Trump’s associates are bugged, to the extent one or more of them are directly targeted rather than being collected incidentally, because they’re suspected of being Russian assets. That’s one of the key points of FISA, to use it to investigate possible spies working for foreign governments.

But because of the frenzy caused by Trump’s response to the Breitbart story, people are taking as true Trump’s claim he has been bugged, with Democrats claiming this is proof that Trump himself is in the crosshairs and normally surveillance loving Republicans suggesting using FISA to do what FISA is supposed to do is an abuse.

Remember, at least according to Sessions, he had decided to recuse before the WaPo disclosures on his ties with Kislyak. Whether or not that’s true, Trump is furious that Sessions recused even after a clear conflict became known.

And in response he tried — with a great deal of success — to discredit the very notion of this investigation.

Update: NYT updated their piece to reveal that WHCO Don McGahn is chasing down the purported FISA order covering Trump and his associates.

But a senior White House official said that Donald F. McGahn II, the president’s chief counsel, was working on Saturday to secure access to what the official described as a document issued by the Foreign Intelligence Surveillance Court authorizing surveillance of Mr. Trump and his associates. The official offered no evidence to support the notion that such a document exists; any such move by a White House counsel would be viewed at the Justice Department as a stunning case of interference.

Based on the assumption there is a FISA order covering at least some of his close associates, but probably not one covering him, understand what has happened here:

  1. Trump’s Attorney General, who claims he had already decided to recuse, recused after his nomination lies were exposed, meaning he no longer controls the investigation into his boss
  2. A misleading article written in response to that recusal led Trump to claim he was being targeted
  3. Based on the claim, Trump sent out his WHCO to find a FISA order probably not targeting him but probably targeting his aides
  4. Having just been deprived of visibility and control over the investigation, Trump is forcibly obtaining another way to control it


Jeff Sessions’ Narrow Recusal

Update: I was on Democracy Now on these issues today. Here’s the link.

As you know, after the exposure of two meetings with Russian Ambassador Sergey Kislyak that he had not revealed in response to specific questions posed as part of his confirmation process, Attorney General Jeff Sessions recused from any investigation into the elections.

Contrary to much reporting on the recusal, it was nowhere near a complete recusal from matters pertaining to Trump’s administration and its ties to Russia. Here’s what Sessions said in his statement:

During the course of the confirmation proceedings on my nomination to be Attorney General, I advised the Senate Judiciary Committee that ‘[i]f a specific matter arose where I believed my impartiality might reasonably be questioned, I would consult with Department ethics officials regarding the most appropriate way to proceed.’

During the course of the last several weeks, I have met with the relevant senior career Department officials to discuss whether I should recuse myself from any matters arising from the campaigns for President of the United States.

Having concluded those meetings today, I have decided to recuse myself from any existing or future investigations of any matters related in any way to the campaigns for President of the United States.

I have taken no actions regarding any such matters, to the extent they exist.

This announcement should not be interpreted as confirmation of the existence of any investigation or suggestive of the scope of any such investigation.

Consistent with the succession order for the Department of Justice, Acting Deputy Attorney General and U.S. Attorney for the Eastern District of Virginia Dana Boente shall act as and perform the functions of the Attorney General with respect to any matters from which I have recused myself to the extent they exist.

As I emphasized, the only thing he is recusing from is “existing or future investigations of any matters related in any way to the campaigns for President of the United States.”

There are two areas of concern regarding Trump’s ties that would not definitively be included in this recusal: Trump’s long-term ties to mobbed up businessmen with ties to Russia (a matter not known to be under investigation but which could raise concerns about compromise of Trump going forward), and discussions about policy that may involve quid pro quos (such as the unproven allegation, made in the Trump dossier, that Carter Page might take 19% in Rosneft in exchange for ending sanctions against Russia), that didn’t involve a pay-off in terms of the hacking. There are further allegations of Trump involvement in the hacking (a weak one against Paul Manafort and a much stronger one against Michael Cohen, both in the dossier), but that’s in no way the only concern raised about Trump’s ties with Russians.

The concern about the scope of Sessions’ recusal is underscored by the way in which he narrowly addressed his lies to the Senate. Here is his answer to Al Franken, whose question was about campaign surrogates but did not ask about communications about the campaign.

FRANKEN: CNN has just published a story and I’m telling you this about a news story that’s just been published. I’m not expecting you to know whether or not it’s true or not. But CNN just published a story alleging that the intelligence community provided documents to the president-elect last week that included information that quote, “Russian operatives claimed to have compromising personal and financial information about Mr. Trump.” These documents also allegedly say quote, “There was a continuing exchange of information during the campaign between Trump’s surrogates and intermediaries for the Russian government.”

Now, again, I’m telling you this as it’s coming out, so you know. But if it’s true, it’s obviously extremely serious and if there is any evidence that anyone affiliated with the Trump campaign communicated with the Russian government in the course of this campaign, what will you do?

SESSIONS: Senator Franken, I’m not aware of any of those activities. I have been called a surrogate at a time or two in that campaign and I didn’t have — did not have communications with the Russians, and I’m unable to comment on it.

His press conference and a (surprisingly good) interview with Tucker Carlson underscore that he is just addressing questions about the election, not conversations with Russians generally (conversations that might address those other two concerns, especially that of influencing policy on things like Ukraine). In the interview, Sessions denied having conversations with Russians “on a continuing basis to advance any kind of campaign agenda” and said “I never had any conversations with the Russians about the campaign.”

By Sessions’ own admission, the conversation with Kislyak concerned Ukraine; he said Kislyak was pushing back on what the Ukrainian Ambassador had said just the day before, though Sessions claims he himself pushed back as well.

That’s important because the key policy issue on which there have been concerns about undue influence is Ukraine.

It is not illegal to have meetings with an Ambassador, where the Ambassador makes a case for policies his country supports — precisely what appears to have gone on in the meeting Sessions did not disclose. But the (thus far unproven) allegations involving other Trump officials go beyond that, without necessarily pertaining to the election. That’s why Sessions’ recusal is far too narrow to be meaningful.

Copyright © 2024 emptywheel. All rights reserved.
Originally Posted @ https://www.emptywheel.net/russian-hacks/page/17/