Posts

The Superseding Assange Indictment Tidies Up CFAA Charges

Yesterday, the government released a second superseding indictment against Julian Assange. The EDVA press release explains that no new counts were added, but the language describing the computer hacking conspiracy was expanded.

The new indictment does not add additional counts to the prior 18-count superseding indictment returned against Assange in May 2019. It does, however, broaden the scope of the conspiracy surrounding alleged computer intrusions with which Assange was previously charged. According to the charging document, Assange and others at WikiLeaks recruited and agreed with hackers to commit computer intrusions to benefit WikiLeaks.

It is true the description of the hacking charge has been dramatically expanded, incorporating a bunch of hacks that WikiLeaks was associated with.

But there are a few details of the charges that changed as well. The CFAA charge has actually been reworked, focused on four different kinds of hacks:

  • Accessing a computer and exceeding access to obtain information classified Secret
  • Accessing a computer and exceeding access to obtain information from protected computers at a department or agency of the United States committed in furtherance of criminal acts
  • Knowingly transmitting code that can cause damage,
    • Greater than $5000
    • Used by an entity of the US in furtherance of the administration of justice, national defense, and national security
    • Affecting more than 10 or more protected computers in a given year
  • Intentionally accessing protecting computers without authorization to recklessly cause damage,
    • Greater than $5000
    • Used by an entity of the US in furtherance of the administration of justice, national defense, and national security
    • Affecting more than 10 or more protected computers in a given year

This is a grab bag of hacking charges, and it could easily cover (and I expect one day it will cover) actions not described in this indictment. While adding this grab bag of charges, the indictment takes out a specific reference to the Espionage Act, probably to ensure at least one charge against Assange can in no way be claimed to be a political crime. It also takes out 18 U.S.C. § 641, possibly because the thinking of its applicability to leaking classified information has gotten more controversial.

The indictment also changes the dates on several of the counts. The timeline on the three counts addressing leaking of informants’ identities (something that is criminalized in the UK in ways it is not here, but also the counts that most aggressively charge Assange for the publication of information) now extends to April 2019. The timeline on the hacking charges extends (for reasons I’ll explain below), to 2015. And the overall timeline of Assange’s behavior extends back to 2007, a date that post-dates the earliest WikiLeaks activity and so raises interesting questions about what actions it was chosen to include.

As to the 2015 date, the indictment gets there by discussing WikiLeaks’ role in helping Edward Snowden flee China and the ways WikiLeaks used Snowden’s case to encourage other leakers and hackers. It describes:

  • Sarah Harrison’s trip to Hong Kong in June 2013
  • The presentation Harrison, Jake Appelbaum, and Assange gave in December 2013 encouraging potential leakers to, “go and join the CIA. Go in there, go into the ballpark and get the ball and bring it out,” and claiming that, “Edward Snowden did not save himself … Harrison took actions to protect him”
  • A conference on May 6, 2014 when Harrison recruited others to obtain classified or stolen information to share with WikiLeaks
  • A May 15, 2015 Most Wanted Leaks pitch that linked back to the 2009 list that Chelsea Manning partly responded to
  • Comments Assange made on May 25, 2015 claiming to have created distractions to facilitate Snowden’s flight
  • Appelbaum and Harrison’s efforts to recruit more leakers at a June 18, 2015 event
  • The continued advertisement for Most Wanted Leaks until at least June 2015, still linking back to the 2009 file

I’ll explain in a follow-up where this is going. Obviously, though, the government could easily supersede this indictment to add later leakers, most notably but in no way limited to Joshua Schulte, who first started moving towards leaking all of CIA’s hacking tools to WikiLeaks in 2015.

I argued, in December, that the government appeared to be moving towards a continuing conspiracy charge, one that later hackers and leakers (as well as Appelbaum and Harrison) could easily be added to. Doing so as they’ve done here would in no way violate UK’s extradition rules. And fleshing out the CFAA charge makes this airtight from an extradition standpoint; some of the crimes alleged involving Anonymous have already been successfully prosecuted in the UK.

This doesn’t mitigate the harm of the strictly publishing counts. But it does allege Assange’s personal involvement in a number of hacks and leaks that others — both in the US and UK — have already been prosecuted for, making the basic extradition question much less risky for the US.

Update: I think this allegation in the new indictment is important:

In September 2010, ASSANGE directed [Siggi] to hack into the computer of an individual former associated with WikiLeaks and delete chat logs containing statements of ASSANGE. When Teenager asked how that could be done, ASSANGE wrote that the former WikiLeaks associate could “be fooled into downloading a trojan,” referring to malicious software, and then asked Teenager what operating system the former-WikiLeaks associate used.

I’ve heard allegations from the entire period of WikiLeaks’ prominence of Assange asking to spy on one or another partner or former partner, including protected entities. One relatively recent allegation I know of targeted a former WikiLeaks associate in 2016, after a break on election-related issues. I have no idea whether these allegations are credible (and I know of none who would involve law enforcement). But allegations that Assange considered — or did — spy on his allies undercuts his claim to being a journalist as much as anything else he does. It also raises questions about what WikiLeaks did with the unpublished Vault 7 files.

Update: Dell Cameron, who is the expert on the Stratfor hack, lays out some apparently big holes in the parts of the indictment that pertain to that.

Methinks Joshua Schulte Doth Protest Too Much over Anonymous

Accused Vault 7 leaker Joshua Schulte — whose trial starts Monday — and the government are having a fight over Paul Rosenzweig’s expert witness testimony again (see this post for the most comprehensive coverage of this dispute). Rosenzweig submitted the Powerpoint he plans to use at trial. Schulte raised objections to the Powerpoint as a whole and to specific slides on it. And the government responded, offering to make some modifications.

The general complaint from Schulte is that the government is using Rosenzweig to introduce otherwise inadmissible hearsay. In one case, the government has agreed to withdraw the claim (a quote from Fred Kaplan, who in my opinion is not particularly reliable with respect to WikiLeaks in any case). The government makes two responses of particular interest. First, that experts are allowed to draw on periodicals to make their conclusions.

Moreover, the defendant’s objection to the introduction of statements from respected news publications ignores that the Rules of Evidence expressly provide for the introduction of such material. Federal Rule of Evidence 803(18) expressly permits the recitation of “[a] statement contained in a . . . periodical . . . if . . . the statement is . . . relied on by the expert on direct examination; and . . . the publication is established as a reliable authority by the expert’s admission or testimony, by another expert’s testimony, or by judicial notice.”

After pulling the Kaplan quote, there’s not really much left in the slide deck that quotes journalistic sources, aside from direct quotes about the diplomatic backlash to the State cables. But what the government doesn’t say is that WikiLeaks presents itself as a respected news publication, which if they truly believe is true should allow introducing the WikiLeaks material as such.

But the government wants to prevent that from coming into evidence (even though Schulte warned that calling Rosenzweig would invite it). Indeed, rather than including material from the About page that Schulte would like to include that makes that point,

The excerpts from the WikiLeaks website are taken out of context. If the government is permitted to introduce two sentences from the lengthy “about” page on WikiLeaks.org, the defense would be entitled to introduce other portions of that page, including that WikiLeaks is a “multi-national media organization and associated library,” that it has “contractual relationships” with more than 100 major media organizations, and that it has won numerous media awards. See https://wikileaks.org/What-is-WikiLeaks.html.

The government has offered to pull this slide:

Rather than conceding (or even mentioning) WikiLeaks’ claim to be a respected media outlet, the government says it can introduce the vast majority of the clips from WikiLeaks’ site because they are not assertions at all.

Indeed, other than WikiLeaks’ statements regarding the content of the Vault 7 leaks, the particular statements from WikiLeaks and Assange about which Mr. Rosenzweig will testify are not “statements” or “assertions” such that the rule against hearsay is even applicable.

That’s true. Some of what Rosenzweig plans to submit includes the pre-release hype WikiLeaks gave the Vault 7 release, including the release purporting to show the US had infiltrated French political parties (which it claimed provided justification for the Vault 7 release) and slides emphasizing the spookiness of the release, including this one invoking Chelsea Manning and Edward Snowden in the same breath as Julian Assange.

Other slides capture the instructions WikiLeaks gives to leakers, including to contact WikiLeaks if you have very large submissions (as this was) and to format and dispose of hard drives.

The government will claim Schulte followed some — but not all — of these instructions, in part because he couldn’t dispose of his CIA workstation, and in part because he kept the hard drives and a thumb drive he used to exfiltrate the files.

Mind you, WikiLeaks didn’t warn leakers not to Google everything they were doing as they did it, which is the really damning evidence against Schulte.

In any case, I can’t help but imagine we’ll be seeing this very same slide deck in a trial in EDVA (if Assange is ever extradited), as it shows a continuation of the kinds of activities charged in the existing Assange indictment. Assange’s extradition hearing has been split into two, with the second starting in May, so the government would have plenty of time to add such charges after this trial (which may last a month).

In addition to Rosenzweig’s refusal to include WikiLeaks’ awards (which I would imagine Schulte will bring out on cross in any case, though I honestly wonder why they didn’t bring in their own expert to present such material), one Schulte claim that absolutely has merit is that Rosenzweig should not use the WikiLeaks logo on all these slides.

Each page of the power point has the WikiLeaks logo and name from the WikiLeaks website as if the power point document itself was created by WikiLeaks. This creates a misleading impression and should be removed.

Schulte doesn’t lay out what misleading impression the logo provides, but I would argue it suggests that WikiLeaks endorses some of the content in the slide deck, pertaining to damage or the characterization of certain leaks. The government says this misleading impression can be avoided with an instruction.

With respect to the inclusion of the WikiLeaks logo on the relevant pages of the Demonstrative, WikiLeaks is the subject of his testimony, and it is reasonable to include it as a header. To avoid any confusion, the Government will elicit from Mr. Rosenzweig that the Demonstrative as a whole was prepared as a demonstrative aid for his testimony and was not produced by WikiLeaks.

I vehemently disagree with this stance. Over half of people are visual learners (indeed, the government will rely on visual reenactments to show how they claim Schulte stole the files). The logo on this slide deck ascribes to WikiLeaks things that they would strongly dispute. Particularly given that Rosenzweig is claiming there are three official WikiLeaks channels — the site, the WikiLeaks Twitter account, and Assange’s Twitter account — it is imperative that he differentiate in his presentation between what is official and what is his own analysis.

All of which is to say that, as predicted, calling Rosenzweig will invite a dispute over what kind of organization WikiLeaks really is (which is probably the point).

All that said, I’m frankly stunned that, amidst all the other slides in this presentation — including the one showing convicted leaker Chelsea Manning (whose leaks, the government will show, Schulte viewed as damaging in real time) and admitted leaker Edward Snowden (whom the government will show Schulte was Googling at a key time in August as he was also Googling WikiLeaks for almost the first time) — Schulte objects, again, to the invocation of Anonymous in this slide.

Having not objected that the government will raise Chelsea Manning and not objected that the government will raise Edward Snowden, Schulte is objecting that they’re raising Jeremy Hammond — like Manning, a confessed WikiLeaks source — and a 2010 operation to punish Paypal and others for blacklisting WikiLeaks.

We renew our objections to references to Anonymous, which are irrelevant and prejudicial.

As I have laid out, the way in which Schulte himself adopted the identity of Anonymous as part of his effort to leak to the WaPo from jail links together the three main pieces of evidence of that — his Signal texts with Shane Harris, his ProtonMail account in the name of Anonymous, and his prison notebooks. Schulte’s the one who claimed to be Anonymous, whether or not it’s true (and given the ethics the group adopts about membership, by claiming to be a member he basically is one). Anonymous’ tie to WikiLeaks is clearly admissible evidence based on Schulte’s own actions.

Schulte deems the invocation of Anonymous to suggest “concerted activity” that is more disturbing than simply stealing CIA’s hacking tools and leaking them to WikiLeaks in an effort to burn CIA to the ground out of spite for being made to sit in what Schulte considered an “intern desk” rather than a “prestigious desk with a window,” which is the motive the government says it will present.

The evidence of claimed participation in a shadowy, underground group infamous for cyber-attacks and dumping on WikiLeaks is unduly prejudicial as it suggests concerted activity of a type even more disturbing than what is charged.

The evidence suggests that Schulte adopted at least three personalities to leak from jail, deliberately attempting to present the illusion of concerted activity. Given the concerted concern about Anonymous amid all the equally damning references, perhaps some of Schulte’s imaginary friends aren’t actually imaginary?

As I disclosed in 2018, I provided information to the FBI in 2017. The government recently stated publicly that matters on which I shared information are related to Schulte. Aside from two press inquiries, I have not spoken with the government about Schulte.

The WikiLeaks Conspiracy: The Government Prepares to Argue WikiLeaks Has Always Been an Organized Crime Syndicate

Last June, I ran into some folks who remain very close to Julian Assange. One of them scheduled dinner with me solely to scold me for writing honestly about the things that WikiLeaks had done in the past three years rather than focusing exclusively on the EDVA Espionage indictment charging Assange for things he did almost a decade ago.

The person complained that my factual reporting on 2016 election and — especially — the Vault 7 leak (I think this was the offending post) would undercut whatever unanimity there was among journalists (unanimity that I joined) that the existing charges against Assange were a dangerous precedent for actual journalists. Reporting true details about shitty things Assange had done in recent years on my humble little blog, it was claimed, would dangerously and singlehandedly undercut Assange’s defense.

No, I did not much appreciate the irony of being criticized for accurate reporting by someone purportedly defending journalism.

But I also thought the concerted effort to suppress what Assange had done recently, while perhaps necessary to generate the statements of support from journalists that were forthcoming, was short-sighted, because it misrepresents what Assange is actually facing. The grand jury in EDVA remains (as far as we know) active. The government specifically said, in June, that it needed Chelsea Manning’s testimony for subjects or charges not yet charged and said such charges were not time barred (as would be true of any ongoing conspiracy).

As the government’s ex parte submissions reflect, Manning’s testimony remains relevant and essential to an ongoing investigation into charges or targets that are not included in the superseding indictment. See Gov’t’s Ex Parte Mem. (May 23, 2019). The offenses that remain under investigation are not time barred, see id., and the submission of the government’s extradition request in the Assange case does not preclude future charges based on those offenses, see Gov’t’s Supplement to Ex Parte Mem. (June 14, 2019).

Since then, Jeremy Hammond has joined Manning in believing he can wait out whatever EDVA has in store.

Most of all, Joshua Schulte’s prosecution for the Vault 7 leak — a leak almost no WikiLeaks supporters I know will offer an enthusiastic defense of — kept chugging along. In recent weeks, Schulte has submitted a number of questionable filings claiming the dog ate his homework so he can’t be prepared in time for his trial:

  • The attorney appointed after defense attorneys said they needed one more attorney to prep for trial in time said he couldn’t prep for trial in time, but can’t talk about why not until he’s done with a week-long vacation
  • The government’s (admittedly long) motion in limine repeating details the government disclosed several times before took the defense by surprise
  • The defense can’t make a constitutional challenge to CIPA generally until the judge rules on CIPA specifically (this is the one arguably reasonable request)
  • The defense had no idea the government wasn’t claiming Schulte downloaded a terabyte of data onto a thumb drive that can’t hold that terabyte even though the government told the defense that a year ago and then again in November

But as of now, Schulte’s trial is due to start on January 13, a month and a half before Assange’s first substantive extradition hearing starting on February 25.

And at that trial, the government is preparing to argue that Schulte intended to harm the United States when he leaked these files to WikiLeaks, a stronger level of mens rea than needed to prove guilt under the Espionage Act (normally the government aims to prove someone should have known it could cause harm, relying on their Non-Disclosure Agreements to establish that), and one the government has, in other places, described as the difference between being a leaker and a spy.

To make that argument, the government is preparing to situate Schulte’s leaks in the context of prior WikiLeaks releases, in a move that looks conspicuously like the kind of ongoing conspiracy indictment one might expect to come out of the WikiLeaks grand jury, one that builds off some aspects of the existing Assange indictment.

In a motion opposing Schulte’s effort to disqualify Paul Rosenzweig as an expert witness (see this post for background), the government lays out some of the things it plans to have Rosenzweig explain to the jury. Some of this is dangerous criminalization of security, most notably tying WikiLeaks’ endorsement of Tor and Tails to Schulte’s own use of it.

But some of it fleshes out the scope the government laid out when it first requested to call Rosenzweig.

The Government recognizes the need to avoid undue prejudice, and will therefore limit Mr. Rosenzweig’s testimony to prior WikiLeaks leaks that have a direct relationship with particular aspects of the conduct relevant to this case, for example by linking specific harms caused by WikiLeaks in the past to Schulte’s own statements of his intent to cause similar harms to the United States or conduct. Those leaks include (i) the 2010 disclosure of documents provided to WikiLeaks illegally by Chelsea Manning; (ii) the 2010 disclosure of U.S. diplomatic cables; (iii) the 2012 disclosure of files stolen from the intelligence firm Stratfor; and (iv) the 2016 disclosure of emails stolen from a server operated by the Democratic National Committee.

For example, it will tie WikiLeaks’ failure to redact the identities of US sources in Chelsea Manning’s leaks — something charged in counts 15 through 17 of Assange’s indictment — to Schulte’s behavior. It sounds like Rosenzweig will explain something I’ve alluded to: WikiLeaks apparently left the names of some of Schulte’s colleagues unredacted, which given WikiLeaks’ big show of redacting the files could only have been intentional and would have required coordination with Schulte to do.

Mr. Rosenzweig will testify that WikiLeaks does not typically redact the information that it publicly discloses (even when that information may reveal confidential sources). The Government will introduce evidence, however, that the Classified Information was purportedly redacted when posted online. Mr. Rosenzweig’s testimony will help the jury understand the significance of WikiLeaks’ unique claim to have redacted the Classified Information, including, for example, the period of delay between when Schulte disclosed the Classified Information to WikiLeaks (in or about the spring of 2016) and when WikiLeaks first announced that it would begin to disclose the Classified Information (in or about the spring of 2017). [my emphasis]

One reason Assange made a show of redacting the identities was because he was attempting to extort a pardon at the time, so he had to appear willing to negotiate with DOJ. But it seems likely Rosenzweig will explain that that was just a show and that even as WikiLeaks was making that show it was also ensuring that other CIA SysAdmins might be targeted by foreign governments.

Likewise, Rosenzweig will tie the embarrassment caused by Manning’s releases to Schulte’s own intent to cause damage with his self-described Information War against the US.

The Government intends to introduce evidence (including his statements) of Schulte’s knowledge of Manning’s leak and the need for the U.S. government to maintain secrecy over certain information. Furthermore, the Government also plans to introduce evidence of how Schulte, from the Metropolitan Correctional Center (the “MCC”), declared an “information war” against the United States, pursuant to which he intended to publicly disclose classified information and misinformation, including through WikiLeaks (such as the Fake FBI Document), for the purpose of destroying the United States’ “diplomatic relationships,” and encouraged other U.S. government employees to disclose confidential information to WikiLeaks. Mr. Rosenzweig will explain to the jury generally information other leakers have transmitted to WikiLeaks that the organization published and how foreign governments reacted negatively to WikiLeaks’ disclosure of that information—leading, for example, to the highly-publicized resignation of the U.S. Ambassador to Mexico.

Effectively, the government will argue that if you want to conduct an Information War on the US, you choose to leak to WikiLeaks and ensure it will be as damaging as possible. Whatever the circumstances of Manning’s leaks, this uses Schulte’s stated desire to damage the US to retroactively taint what WikiLeaks has claimed in the past was mere journalistic exposure of wrong-doing. That doesn’t necessarily change the First Amendment danger in charging Assange. But it surely attempts to undercut WikiLeaks’ brand as a journalistic entity.

Most interestingly, the government will point to a claim Schulte made to a journalist while writing from jail (one that is plausible given some of his past public postings, but if true, is an unfathomable indictment of CIA’s vetting process) that he once belonged to Anonymous. Rosenzweig will tie this to Anonymous’ decisions to leak the Stratfor cables to WikiLeaks in 2012.

As described in the Government Motions in Limine, in encrypted communications from one of the Contraband Cellphones, Schulte (posing as a third person) stated that he had previously been a member of Anonymous, a group of online hacker activists. Mr. Rosenzweig will testify about how, in 2012, Anonymous and WikiLeaks worked together to release information from a private U.S. intelligence firm.

Of course, Anonymous didn’t just leak the Stratfor cables to WikiLeaks. They also shared files stolen during the Arab Spring and the Syria files. The latter leak provides one of the earliest indicators where the process by which WikiLeaks obtained files may have involvement of Russia, because somehow a file that would have been very damning for Russia never got published. But both would make the story the US wants to tell more complex (though still potentially consistent).

In any case, the focus on Stratfor may explain why the government is holding Jeremy Hammond in contempt to try to get him to testify in the EDVA grand jury, particularly if the government has reason to believe that Schulte was part of that hack.

Finally, the government will use Rosenzweig to explain how, in the wake of the DNC leak and at a time he was in a huff at his CIA bosses again, Schulte did … something in August 2016.

The Government intends to introduce evidence that Schulte transmitted the Classified Information to WikiLeaks in the spring of 2016, that WikiLeaks did not begin to disclose the Classified Information until March 2017, that Schulte was angry with CIA management in August 2016 over a performance review he received, that Schulte’s protective order against Employee-1 was vacated in August 2016, and that, around that same time (i.e., in August 2016), Schulte began to conduct extensive research online about WikiLeaks. The Government intends to offer evidence relating to those searches, including the specific queries Schulte conducted. Schulte has argued in his writings that his August 2016 research was related to WikiLeaks’ August 2016 disclosure of information stolen from a Democratic National Committee server (the “DNC Leak”). Mr. Rosenzweig will testify about the DNC Leak, including the type of information that WikiLeaks actually disclosed in connection with that leak, which will demonstrate why Schulte’s WikiLeaksrelated searches include queries that had nothing to do with the DNC Leak

Side note: Part of the media blitz Assange did in the wake of the DNC leaks included a claim to Chuck Todd that if WikiLeaks ever received information from US intelligence, they would publish it.

Well, it’s a meta story. If you’re asking would we accept information from U.S. intelligence that we had verified to be completely accurate, and would we publish that, and would we protect our sources in U.S. intelligence, the answer is yes, of course we would.

No one else would have, but Schulte would presumably have recognized this as a nod to him, reassurance provided on heavily watched TV that WikiLeaks was progressing towards releasing the files Schulte had leaked. Which is why the likelihood that Schulte also stole a single file reflecting CIA collecting information on who might win the 2012 French presidential election, which WikiLeaks subsequently falsely portrayed as proof that CIA had infiltrated political parties in France rather than asked well-placed sources for readily available information, is of particular interest.

The government, however, is going to point to other Google searches by Schulte from August 2016 that lump Edward Snowden and Shadow Brokers in with WikiLeaks.

For example, in addition to searching for information about WikiLeaks and Julian Assange, its primary leader, Schulte also conducted searches using the search terms “narcissist snowden,” “wikileaks code,” “wikileaks 2017,” “shadow brokers,” and “shadow broker’s auction bitcoin.” “Snowden” was presumably a reference to Edward Snowden, the former NSA contractor who disclosed information about a purported NSA surveillance program, and “Shadow Brokers” was a reference to a group of hackers who disclosed online computer code that they purportedly obtained from the NSA, beginning in or about August 2016.

I have long wondered whether Vault 7 was not a free-standing leak but instead part of the Shadow Brokers operation.  This seems to suggest the government knows they are. If that’s right, it would suggest that in the period when the government was trying to figure out precisely what Russia had done in 2016, both the NSA and CIA’s ability to spy on Russia (and other countries) would have been been deliberately burnt to the ground. And if Schulte knowingly participated in that — in an effort to ensure that the US would struggle to even learn what Russia had done in 2016 — it would explain why they’re planning on arguing he is more of a spy than a leaker.

Which would, in turn, explain why they took the first steps towards arresting Assange as FBI started putting together the evidence needed to charge Schulte on these leaks in 2017.

Let me be clear: I’m not saying I’m sure they’ll fill all these details in a superseding Assange indictment (though the government said it could not provide Assange the underlying evidence even for the 2010 charges until around Christmas — at which point Schulte will have gone through the CIPA process of declassifying classified information for use in his defense, and they could add charges at least until the February 25 hearing). It may still be that the government won’t want to get into the level of classified detail they’d need to to flesh out that case, particularly if they can’t coerce Manning and Hammond to cooperate.

I’m also not making a normative judgment that this eliminates the very real problems with the way Assange is charged now. Without seeing the government’s case, it’s too soon to tell.

What I’m trying to do is lay out what the government seems to be preparing to argue about WikiLeaks in the Schulte case. No doubt this will get me invited for another stern scolding at dinner, but it’s time to stop pretending Assange is being prosecuted for the understanding of WikiLeaks that existed in 2010. By all means, people can and will still defend Assange for taking on an imperialist America. For much of the world (though presumably not among any Five Eyes governments, including Assange’s home country), that still makes him an important dissident taking on a superpower. There is some merit to that stance, but it also requires arguing that superpowers shouldn’t have democratic elections.

But the government is preparing to argue that, after helping Russia tamper in America’s election, WikiLeaks deliberately burned some of CIA’s collection abilities to the ground, making it harder for the US to figure out how Russia did so. The government is preparing to argue that such actions are consistent with what WikiLeaks has been up to since 2010.

I’ve been expecting we might see an indictment alleging WikiLeaks and its associates were and remain engaged in an ongoing conspiracy (a possibility that, if Manning and Hammond’s lawyers haven’t warned them about, they are being utterly negligent, because the government could well argue that obstructing this investigation by refusing to provide immunized testimony is an overt act furthering the conspiracy).

The citations the government has used to justify Rosenzweig’s testimony are heavily focused on terrorism and mob cases (United States v. Farhane and United States v. Mustafa, which are al Qaeda cases; United States v. El Gammal, which is an ISIL one, and United States v. Rahimi, the self-radicalized Chelsea bomber; United States v. Lombardozzi and United States v. Locascio which are Gambino cases, United States v. Amuso, a Lucchese case), including one RICO case. That’s undoubtedly why Schulte’s lawyers really want Rosenzweig’s testimony excluded, to avoid having WikiLeaks treated like an organized crime syndicate.

But if the government is preparing to claim that WikiLeaks worked with Schulte not only to obtain files it tried to use to extort a pardon but then released them in a way that would hurt America’s efforts to respond to Russia’s 2016 operation, that’s a pretty compelling analogy.

Update: After comments from Stefania Maurizi, I’ve rephrased how I described what happened with the Syria Files. I want to be clear the statement in the post was not based on what I’ve been told by reliable sources about the process by which those files got shared with WikiLeaks.

As I disclosed last year, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

What if Julian Assange Flipped?

I’ve said this before, I’ll say it again: I hope to hell Chelsea Manning’s advisors are cognizant of the ways her attempts to avoid testifying against Julian Assange may put her in unforeseen legal jeopardy.

I’m thinking of that anew given my consideration of what I consider to be a distant, but real, possibility: that the US government would offer Assange a plea deal on the current charge he faces in exchange for testimony in a range of other issues. The idea is crazy, but perhaps not as crazy as it sounds.

As I laid out in this post, it seems the US government has been carefully orchestrating the Assange arrest since Ecuador first applied for diplomatic status for him in 2017 in an attempt to exfiltrate him, possibly to Russia. They’re now on the clock, with (depending on which expert you ask) just 44 more days to lard on the additional charges multiple outlets have reported are coming. Meanwhile, he’s being held at Belmarsh, with conflicting stories about what kind of visitors he’s been permitted — though the UN Special Rapporteur for Privacy did visit him this week. Though I’ve asked some top experts, it’s not entirely clear whether, if he were being interrogated right now, that’d be under UK law or US law; the former has fewer protections against self-incrimination for people being detained.

One passage of the Mueller Report may provide an explanation for why his prosecutors didn’t obtain Julian Assange’s testimony.

The Office limited its pursuit of other witnesses and information-such as information known to attorneys or individuals claiming to be members of the media-in light of internal Department of Justice policies. See, e.g., Justice Manual §§ 9-13.400, 13.410.

Assange would fall squarely within DOJ policy covering people who are subjects or targets of an investigation for activities related to their news-gathering activities.

Member of the news media as subject or target. In matters in which a member of the Department determines that a member of the news media is a subject or target of an investigation relating to an offense committed in the course of, or arising out of, newsgathering activities, the member of the Department requesting Attorney General authorization to use a subpoena, 2703(d) order, or 3123 order to obtain from a third party the communications records or business records of a member of the news media shall provide all facts necessary to a determination by the Attorney General regarding both whether the member of the news media is a subject or target of the investigation and whether to authorize the use of such subpoena or court order. 28 C.F.R. 50.10(c)(5)(i). If the Attorney General determines that the member of the news media is a subject or target of an investigation relating to an offense committed in the course of, or arising out of, newsgathering activities, the Attorney General’s determination should take into account the principles reflected in 28 C.F.R. 50.10(a), but need not take into account the considerations identified in 28 C.F.R. 50.10(c)(5)(ii) – (viii). Id. Members of the Department must consult with the PSEU regarding whether a member of the news media is a subject or target of an investigation related to an offense committed in the course of, or arising out of, newsgathering activities.

The EDVA case appears to have gotten over this policy (perhaps by distinguishing the assistance on cracking a password from newsgathering activities); but it’s not clear Mueller did (especially given the discussion of First Amendment considerations in passages relating to WikiLeaks). In any case, this calculus may change given that he’s in British, not US custody.

And there has been very little reporting on what’s going on with him — or with US investigations into him.

There are a number of investigations the government would love to get his testimony on, including:

Testimony against Joshua Schulte

Schulte is the accused Vault 7 leaker. WikiLeaks has been far less circumspect about the possibility he’s their source than with other leakers (while also engaging in far less of an effort to lay the case that he’s a whistleblower). Plus, the government has video evidence of Schulte attempting to leak classified information.

But thus far, Schulte’s prosecution has been slowed by CIA’s reluctance to share the classified information Schulte needs to defend himself. Plus, the FBI apparently bolloxed up the initial search warrants for Schulte (in what I suspect was a sloppy effort at parallel construction), which Schulte has been trying to win the ability to speak publicly about for over a year; he recently appealed a decision denying him a request to exempt those initial warrants from his protective order.

To the extent that Assange and Schulte (if he is really the Vault 7 source) communicated — and there’s good reason to believe WikiLeaks did communicate in advance of this publication — then Assange might be able to provide testimony that would get beyond the classification problems.

Testimony about the response to his pardon requests (including Roger Stone’s role in it)

I also believe that DOJ continues to investigate the long effort — an effort that includes Roger Stone, whom prosecutors say is still under investigation — in brokering a pardon for Assange, possibly in part for Assange providing disinformation about where the Democratic documents came from. Consider that, as recently as November, Mueller was trying to learn whether Trump had discussed pardoning Assange before his inauguration, a question about which Trump was especially contemptuous, even given his overall contempt for responding to questions.

Then there’s a subtle point I find really interesting. When the Mueller Report lays out all the times Don Jr magnified Russian trolls, it noted that the failson’s fondness for Russian propaganda continued after the election.

96 See, e.g., @DonaldJTrumpJr 10/26/16 Tweet (“RT @TEN_GOP: BREAKING Thousands of names changed on voter rolls in Indiana. Police investigating #VoterFraud. #DrainTheSwamp.”); @DonaldJTrumpJr 11/2/16 Tweet (“RT @TEN_GOP: BREAKING: #VoterFraud by counting tens of thousands of ineligible mail in Hillary votes being reported in Broward County, Florida.”); @DonaldJTrumpJr 11/8/16 Tweet CRT @TEN_GOP: This vet passed away last month before he could vote for Trump. Here he is in his #MAGA hat. #voted #ElectionDay.”). Trump Jr. retweeted additional @TEN_GOP content subsequent to the election.

[snip]

103 @DonaldJTrumpJr 11/7/16 Tweet (“RT @Pamela jetonc13. Detroit residents speak out against the failed policies of Obama, Hillary & democrats . . . . “) [my emphasis]

The page-long section (page 60) that lays out Don Jr’s innocuous pre-election interactions (which is how I described them when they were first published) does not, similarly, note the President’s son’s more damning interactions with WikiLeaks that took place after the election, where Assange once privately

Hi Don. Hope you’re doing well! In relation to Mr. Assange: Obama/Clinton placed pressure on Sweden, UK and Australia (his home country) to illicitly go after Mr. Assange. It would be real easy and helpful for your dad to suggest that Australia appoint Assange ambassador to DC “That’s a really smart tough guy and the most famous australian you have! ” or something similar. They won’t do it, but it will send the right signals to Australia, UK + Sweden to start following the law and stop bending it to ingratiate themselves with the Clintons. 12/16/16 12:38PM

And then publicly asked for an Ambassadorship that would amount to a pardon.

Given the thoroughness of the report, I find the silence about these exchanges to be notable.

Admittedly, one aspect of the pardon campaign implicates Assange far more than (at least given the public details) it does Trump: his seeming attempt at extortion using the CIA’s hacking tools. But that doesn’t mean the government wouldn’t like his testimony about the larger effort, and I have reason to suspect that is something they were pursuing via other channels as well.

WikiLeaks’ ongoing interactions with Russia

Finally, I’m sure the US government would be willing to give Assange some consideration if he offered to describe his interactions with Russia over the years. The most public aspect of that was the WikiLeaks effort to get Snowden safely out of Hong Kong, which ended unexpectedly in Russia. But there are also credible allegations WikiLeaks engaged in some catch-and-kill of damning documents, most publicly with an incriminating document from the Syria Files. Emma Best looks more closely at that incident in a longer profile of a Russian hacker, Maksym Igor Popov, who seemed to shift loyalties back and forth from the US to Russia even while cultivating Anonymous.

Simultaneously, Sabu, who had been boasting about an alleged breach of Iranian systems, pivoted to the then-pending Syria files. “We owned central syrian bank and got all their emails,” he told Popov. There were “a lot of scandals” in those emails. In the 2012 exchange, Popov is told about an alleged email revealing that Syria had secretly sent Russia billions of Euros. Sabu appears to confuse the amount, which was 2 billion, with an amount from a similar transfer involving an Austrian bank. Reporting by The Daily Dot implies that the two emails were often discussed in the same conversation, while also revealing that the email Sabu was describing to the alleged Russian contractor was omitted from WikiLeaks’ eventual release.

WikiLeaks responded to the reporting by claiming that they “either never had the data or [that it was] in some strange MIME format so it isn’t indexed,” and that the reporting was an attack on WikiLeaks that was meant “to help HRC.”

Popov was impressed by Sabu’s description of the Syria emails, though he briefly confused them with another, unspecified cache that Sabu hinted Popov helped release. “If you want real access to the emails, I can [give it to you],” Sabu offered. Popov responded ecstatically, saying he could use it to create disinformation and fabricate conspiracies. Undaunted by Popov’s intended use for the emails, Sabu said he’d “try to set it all up soon.”

This exchange occurred several months after WikiLeaks received the first batch of the Syria files and several weeks after WikiLeaks gave the LulzSec hackers private access to a search engine to help parse the Stratfor emails which the group had also provided to WikiLeaks.

19:16 <Sabu> though we did very well on syria.. we owned central syrian bank and got all their emails 19:16 <LoD> and Nepalese hack 19:16 <Sabu> a lot of scandals ... like syria sending russia 5 billion euros before civil unrest and when russia sent warsip to trait of whateves its called 19:16 <LoD> Ive actually checked it RESPECT syria gave me some things to mastermind my next operations those email accounts were of much help to improve our strategy 19:17 <LoD> i give you thumbs up 19:17 <Sabu> well we didn't realease it yet ... that was another small hack you released. if you want real access to emails I can ive you 19:17 <LoD> really? 19:17 <LoD> can you? 19:17 <LoD> man I WILL BE in DEBT 19:17 <LoD> I can utilize it in my release 19:18 <LoD> to create a conspiracy 19:18 <Sabu> ya I'll try to set it all up soon

If Popov acquired early access to the Syria files, it would have been the score of a lifetime, giving him an exclusive early inside look at corporations and governments. However, as any later logs of discussions between Popov and Sabu aren’t part of the leaked file, it’s unclear if Popov actually received early access to the Syria files.

Already by this time period in 2011, some former Anons were expressing concern that their operations were being facilitated by Russian infrastructure.

Some followers came to believe that the leaders sought only personal aggrandisement or were effectively in cahoots with the organised criminals who may have raided Sony’s credit-card hoard after Anonymous knocked down the door. Even stalwarts such as Housh are unhappy that much of Anonymous’s infrastructure is now housed on computers used by Russian criminals. “It’s not like the Russians wanted us to get HBGary, but I want to know personally why they are doing this,” he says of the chat hosts. “Where is the money coming from?”

To be sure: a tie with Anonymous is different than a tie directly with WikiLeaks, even if Anonymous was serving as one of WikiLeaks’ important source streams at the time. Further, Best notes that there’s no evidence in available files that Popov interacted directly with WikiLeaks — nor would there be, given the scope of the publicly available chat logs.

But, particularly given the allegations that Assange fed the Seth Rich hoax as part of an effort to deny that he knew he had gotten the Democratic files from Russia, I’m sure the US government would love to know from him about any ties between WikiLeaks and Russia.

Offering Assange a plea deal might be one way to close the book on WikiLeaks without the political controversy of a trial.

The question, of course, is whether Assange would take one. Admittedly, it’s highly unlikely.

Still, as noted, he repeatedly claimed he’d love to tell all if he could avoid prison altogether. But even in a best case scenario, he’s looking at a long extradition fight from Belmarsh in conditions that are reportedly pretty shitty. A plea deal might be one way to limit how much more time in custody he faces.

Which could bode poorly for people like Chelsea Manning, making significant sacrifices to protect Assange.

As I disclosed last July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

Is Matt DeHart Being Prosecuted Because FBI Investigated CIA for the Anthrax Leak?

Buzzfeed today revealed a key detail behind in the Matthew DeHart case: the content of the file which DeHart believes explains the government’s pursuit of him.  In addition to details of CIA’s role in drone-targeting and some ag company’s role in killing 13,000 people, DeHart claims a document dropped onto his Tor server included details of FBI’s investigation into CIA’s possible role in the anthrax attack.

According to Matt, he was sitting at his computer at home in September 2009 when he received an urgent message from a friend. A suspicious unencrypted folder of files had just been uploaded anonymously to the Shell. When Matt opened the folder, he was startled to find documents detailing the CIA’s role in assigning strike targets for drones at the 181st.

Matt says he thought of his fellow airmen, some of whom knew about the Shell. “I’m not going to say who I think it was, but there was a lot of dissatisfaction in my unit about cooperating with the CIA,” he says. Intelligence analysts with the proper clearance (such as Manning and others) had access to a deep trove of sensitive data on the Secret Internet Protocol Router Network, or SIPRNet, the classified computer network used by both the Defense and State departments.

As Matt read through the file, he says, he discovered even more incendiary material among the 300-odd pages of slides, documents, and handwritten notes. One folder contained what appeared to be internal documents from an agrochemical company expressing culpability for more than 13,000 deaths related to genetically modified organisms. There was also what appeared to be internal documents from the FBI, field notes on the bureau’s investigation into the worst biological attack in U.S. history: the anthrax-laced letters that killed five Americans and sickened 17 others shortly after Sept. 11.

Though the attacks were officially blamed on a government scientist who committed suicide after he was identified as a suspect, Matt says the documents on the Shell tell a far different story. It had already been revealed that the U.S. Army produced the Ames strain of anthrax — the same strain used in the Amerithrax attacks — at the Dugway Proving Ground in Utah. But the report built the case that the CIA was behind the attacks as part of an operation to fuel public terror and build support for the Iraq War.

Despite his intelligence training, Matt was no expert in government files, but this one, he insists, featured all the hallmarks of a legitimate document: the ponderous length, the bureaucratic nomenclature, the monotonous accumulation of detail. If it wasn’t the real thing, Matt thought, it was a remarkably sophisticated hoax. (The FBI declined requests for comment.)

Afraid of the repercussions of having seen the folder of files, Matt panicked, he claims, and deleted it from the server. But he says he kept screenshots of the dozen or so pages of the document that specifically related to the FBI investigation and the agrochemical matter, along with chat logs and passwords for the Shell, on two IronKey thumb drives, which he hid inside his gun case for safekeeping.

Is it possible DOJ would really go after DeHart for having seen and retaining part of that FBI file?

For what it’s worth, I think Bruce Ivins could not have been the sole culprit and it’s unlikely he was the culprit at all. I believe the possibility that a CIA-related entity, especially a contractor or an alumni, had a role in the anthrax attack to be possible. In my opinion, Batelle Labs in Ohio are the most likely source of the anthrax, not least because they’re close enough to New Jersey to have launched the attacks, but because — in addition to dismissing potential matches to the actual anthrax through a bunch of smoke (only looking for lone wolves) and mirrors (ignoring four of the potentially responsive samples) — Batelle did have a responsive sample of the anthrax. Though as a recently GAO report made clear, FBI didn’t even sample all the labs that had potentially responsive samples, so perhaps one of those labs should be considered a more likely source. Batelle does work for the CIA and just about everyone else, so if Batelle were involved, CIA involvement couldn’t be ruled out.

So I think it quite possible that FBI was investigating CIA or someone related to CIA in the attack. It’s quite possible, too, that someone might want to leak that information, as it has been clear for years that at least some in FBI were not really all that interested in solving the crime. Even the timing would make sense, coming as it would have in the wake of the FBI’s use of the Ivins suicide to stop looking for a culprit and even as the Obama Administration was beginning to hint it wasn’t all that interested in reviewing FBI’s investigation.

But there’s something odd about how this was allegedly leaked.

According to Buzzfeed, the anthrax investigation came in one unencrypted folder with the ag document and a document on drone targeting the source of which he thinks he knows (it would like have been a former colleague from the ANG).

How would it ever be possible that the same person would have access to all three of those things? While it’s possible the ag admission ended up in the government, even a DOJ investigation into such an admission would be in a different place than the FBI anthrax investigation, and both should be inaccessible to the ANG people working on SIPRNet.

That is, this feels like the Laptop of Death, which included all the documents you’d want to argue that Iran had an active and advanced nuclear weapons program, but which almost certainly would never all end up on the same laptop at the same time.

And, given DeHart’s belief reported elsewhere this was destined for WikiLeaks, I can’t help but remember the Defense Intelligence Agency report which noted that WikiLeaks might be susceptible to disinformation (not to mention the HB Gary plot to discredit WikiLeaks, but that came later).

This raises the possibility that the Wikileaks.org Web site could be used to post fabricated information; to post misinformation, disinformation, and propaganda; or to conduct perception management and influence operations designed to convey a negative message to those who view or retrieve information from the Web site

That is, given how unlikely it would be to find these juicy subjects all together in one folder, I do wonder whether they’re all authentic (though DeHart would presumably be able to assess the authenticity of the drone targeting documents).

And DeHart no longer has the documents in question — Canada hasn’t given them back.

Paul told the agents that his family had evidence to back up their account: court documents, medical records, and affidavits — along with the leaked FBI document Matt had found that exposed an explosive secret. It was all on two encrypted thumb drives, which Matt later pulled off a lanyard around his neck and handed to the guards.

[snip]

If Matt is, in fact, wrongly accused, answers could be on the thumb drives taken by the Canada Border Services Agency, which have yet to be returned to the DeHarts. But without access to the leaked files Matt claims to have seen, there is no way to verify whether he was actually in possession of them, and, if he was, whether they’re authentic.

Though at least one person (a friend in London? Any association with WikiLeaks?) may have a copy.

Inside a hotel room in Monterrey, Mexico, Matt says he copied the Shell files onto a handful of thumb drives. He mailed one to a friend outside London, and several others to locations he refuses to disclose. He also says he sent one to himself in care of his grandmother, which he later retrieved for himself. When the subject of the drives comes up, Matt acts circumspect because, he says, he knows that our communications are being monitored.

There’s definitely something funky about this story. Importantly, it’s not just DeHart and his family that are acting like something’s funky — the government is too.

But that doesn’t necessarily mean the FBI thinks CIA did the anthrax attack.

GCHQ DDoS Hackers Hang Out with NSA’s Audit-Free Techies

Yesterday, I noted NBC’s report that GCHQ conducted a DDoS attack against Anonymous IRC chat.

There’s a subtle point that deserves more attention: GCHQ presented the underlying Powerpoint to NSA’s SIGDEV conference.

The documents, from a PowerPoint presentation prepared for a 2012 NSA conference called SIGDEV, show that the unit known as the Joint Threat Research Intelligence Group, or JTRIG, boasted of using the DDOS attack – which it dubbed Rolling Thunder — and other techniques to scare away 80 percent of the users of Anonymous internet chat rooms.

[snip]

In the presentation on hacktivism that was prepared for the 2012 SIGDEV conference, one official working for JTRIG described the techniques the unit used to disrupt the communications of Anonymous and identify individual hacktivists, including some involved in Operation Payback. Called “Pushing the Boundaries and Action Against Hacktivism,” the presentation lists Anonymous, Lulzsec and the Syrian Cyber Army among “Hacktivist Groups,” says the hacktivists’ targets include corporations and governments, and says their techniques include DDOS and data theft.

SIGDEV is NSA’s term for the agency’s efforts to develop new signals intelligence techniques and sources. Thus, GCHQ presented the attack as the cutting edge of what NSA does.

Goodie.

But remember: NSA’s SIGDEV analysts have access to raw data outside of normal channels. This shows up repeatedly in the primary orders for the dragnet. And, as Bart Gellman noted (and I elaborated on here), Obama specifically exempted these folks from his Presidential Policy Directive limiting our spying (though his PPD did say foreigners could be spied on for cybersecurity reasons).

In other words, the people GCHQ boasted of their attack on Anonymous to are the people who have some of the least oversight within NSA.

The State Monopoly on DDoS

One reason I harped on the way Ken Dilanian referred to the “official position” that hacking other governments was acceptable was because I suspected the government does what NBC just reported they do: engage in hacking against other targets, in this case, hackers like Anonymous.

[A] division of Government Communications Headquarters Communications (GCHQ), the British counterpart of the NSA, shut down communications among Anonymous hacktivists by launching a “denial of service” (DDOS) attack – the same technique hackers use to take down bank, retail and government websites – making the British government the first Western government known to have conducted such an attack.

As I noted on Twitter, the report that GCHQ targeted Anonymous should raise questions (that have already been raised) whether either GCHQ or NSA was behind the DDoS attack on noted publishing site WikiLeaks in 2010.

So the NSA (and GCHQ) believe some hacks are legitimate and some are not. But in addition, both are effectively asserting that the state should have a monopoly on hacking, just as it asserts a monopoly on violence. As some of the people involved have been commenting on Twitter, they got charged for DDoSing, even as the Brits were engaging in precisely the same behavior. Particularly troubling, there’s no indication NSA or GCHQ believe they need warrants to exercise their monopoly on hacks against their own citizens (FBI has in the past gotten a warrant to bring down a botnet, so there is precedent).

Of course, therein lies part of the problem: that intelligence is bleeding into law enforcement, and the tools of inter-state spying are being wielded against criminals (and dissidents).

None of this is surprising. It arises directly out of the way the government has gone after terrorists, and this treatment of an IRC channel is directly parallel to the same kind of guilt by association used against terrorists.

With What Databases Has NCTC Cross-Referenced with FBI’s 12 Million iDevice User IDs?

Update, 6/13/13: For those coming to this via my Twitter link, subverzo reminded me that this turned out to be a false claim. The data came from an Apple developer, not from FBI. 

Sorry for the confusion.

As you may have heard, Anonymous and AntiSec hacked into a database of 12 million Apple Universal Device IDs that were in an FBI officer’s laptop and released 1 million of them, ostensibly so some people could identify if their device was one of those FBI was tracking.

They claimed to have tapped into a Dell laptop owned by Special Agent Christopher K. Stangl, an FBI cyber security expert. They downloaded several files, including one that contained “12,367,232 Apple iOS devices including Unique Device Identifiers (UDID)” and other personal information, they wrote in a text file published online. “[The] personal details fields referring to people appears many times empty leaving the whole list incompleted [sic] on many parts. no other file on the same folder makes mention about this list or its purpose.”

While it’s not immediately clear what the FBI is doing with the Apple UDIDs and detailed information on device owners, Gizmodo pointed out that the acronym “NCFTA” could stand for the National Cyber-Forensics & Training Alliance, a nonprofit that acts as an information-sharing gateway between private industry and law enforcement.

These are unique identifiers for things like iPhones and iPads that have long presented the risk of tying someone’s identity to an individual device.

There are multiple ways FBI could have collected this information–either using an NSL or Section 215 request or an insecure transmissions to an ad or game server. And no one knows how the FBI was using it. Whatever you think about Anonymous, we may finally learn more about how the government is tracking geolocation.

But here’s one other concern. Assuming that’s an official FBI database, not only the FBI has it, but also the National Counterterrorism Center. And they’ve got access to whatever federal databases they want to cross-check with existing counterterrorism databases. And one of the few checks we have on the use of our data in this way is a Privacy Act SCOTUS just watered down.

This is a massive amount of data the government likely has no good excuse for having collected, much less used. But it’s likely just one tip of a very big iceberg.

Spooky AssadLeaks: The Provenance of the Emails

As I wrote in this post, I got interested in the provenance of a set of leaked Bashar al-Assad emails largely because of the way in which two of them were used to suggest, dubiously, Nir Rosen was an Assad agent.

The Guardian and Al Arabiya have both offered posts describing, in part, how they came by the emails, with the Guardian’s offering more details. The short version is:

March 15, 2011: Uprising escalates in Daraa.

Late March: “a young government worker in Damascus” handed off a slip of paper to a friend. The paper had four codes (plus or including the two email addresses, the Guardian is not clear) that would provide access to personal email accounts of Bashar al-Assad and his wife Asma. The friend was apparently supposed to pass them onto “a small group of exiled Syrians who would know what to do with them.”

June: “Two Syrian professionals in a Gulf state” obtain the emails. The Guardian doesn’t explain whether they were the original intended recipients, nor does it explain the delay. Though it does include a blurb describing their sudden awakening to politics that makes it clear the Guardian has spoken to at least one of the activists and replicated their self-narrative uncritically.

The uprising in the southern Syrian city of Deraa on 15 March had empowered them, as it had hundreds of thousands of others in the totalitarian state. They were now determined to do what they could to bring an end to more than four decades of rule by the Assad clan.

“It was clear who we were dealing with,” said one of the activists. “This was the president and his wife. There was no doubt.”

August 6: Sabu solicits Syrian MOD hacker to “disrupt govt communication systems.”

June to December: The emails are used with increasing frequency over time; Assad appears to build a PR strategy using them.

January: Anonymous (which had been infiltrated by the FBI since at least June, the same month the Syrian activists purportedly got the email codes) hacks Bashar al-Assad’s servers, accessing 78 different email accounts.

February 7: Anonymous releases the Assad emails which were published by Ha-aretz, claims the password was 12345. These are, at least in part, the very same emails being released today. Assad’s brother-in-law Firas al-Akhras emails him to tell him the inbox of the Ministry of Presidential Affairs had been leaked. All the emails are shut down.

March 15, 2012: The emails published.

In their narratives, neither the Guardian nor al Arabiya note that the FBI had been running Sabu since last June, precisely the same month the “activists” reportedly got the “secret codes” (12345?) that would allow them to access the Assad emails.

Now there are plenty of questions I have about this: Who was the mole, how did he or she get this information, who was the friend, what caused the 3-month delay. All of those questions, of course, are particularly interesting giving the coincidence of timing with the Sabu recruitment.

And why release these emails now? Just because of the one-year anniversary of Daraa, and the other events planned for the day?

Suffice it to say it feels a lot like outside entities–aside from whatever professionals-turned-activists purportedly monitored these accounts–were involved.

With that feeling in mind, two more details worth noting. First, al Arabiya’s story on how they got the emails focuses instead on what they didn’t publish: a bunch of “scandalous emails.”

Hundreds of “scandalous” emails were accordingly deleted by Al Arabiya.

By comparison, the Guardian said only it didn’t publish personal emails. Both sources, however, want people–perhaps including Assad?–to know that there were more emails that may be out there.

The other thing I find interesting is the detail the Guardian pays to Assad’s email habits.

[The Syrian activists in the Gulf state] soon noticed differences in the way the couple used their email accounts. “We had to be quick with Bashar’s emails,” one of the activists said. “He would delete most as soon as they arrived in his inbox, whereas his wife wouldn’t. So as soon as they went from unread to read we had to get them fast.”

Deleting emails as soon as they arrive shows a degree of awareness of web security. So too did the fact that Assad never attached his name or initials to any of the emails he sent. However, many of the emails that arrived in his inbox are addressed to him as president and contain intimate details of events and discussions that were not known outside of the inner sanctum and would have been very difficult to manipulate.

Even before I remembered that the same guy the Guardian claims was showing some web security used “12345” as his password, this entire passage sounded bogus, more like a way to provide cover for some other means to collect these emails that don’t involve more sophisticated wiretapping of packets, as opposed to email in-boxes.

But once you remember this is a guy who reportedly used “12345” as his password, then the entire claim Assad was practicing good security becomes laughable. Which makes this entire passage suspect.

There are two stories of how Bashar al-Assad got his emails hacked in the last year. In one version, Syrian activists managed to spy on their dictator in real time and are presumably releasing emails that lack a smoking gun (but did include “scandalous” emails) as a sort of anniversary present for Assad. The other story involves the FBI flipping at least one hacker and having him continue to hack at their command.

Or maybe there’s just one, far more intriguing story.

Spooky AssadLeaks: The Nir Rosen Connection

Something curious has happened in the last few days while I’ve been traveling. The Guardian and Al Arabiya have been publishing leaked emails from Bashar al-Assad and his wife, showing both to be callous assholes but not otherwise producing a smoking gun (though I do hope to return to what they show about how they evaded sanctions).

In the last day or so, attention has shifted to two emails (here’s a translation of the first) between Assad aides and Assad, mentioning the journalist Nir Rosen. A number of people read them to suggest Rosen was an agent of Assad’s, perhaps even exposing other Western journalists who were sneaking into Syria.

Rosen responded to the allegations here, saying in part,

I believe the trove of leaked emails from the Syrian government are indeed all real. The emails which contain my name are certainly real, I don’t mind saying. They are from people who were introduced to me and other western journalists as media and public relations advisers to the Syrian government or the president himself. They are the same people who arranged for the ABC News interview with Barbara Walters, for the Sunday Times interview with Bashar al Assad, for Agence France Presse, and for others to enter Syria. This is normal. How else does a journalist enter a country such as Syria?

In November 2011 after al Jazeera conducted a live interview with Iran’s president Ahmedinajad, I tried to persuade media advisers to the Syrian president that they should grant a similar one to al Jazeera’s English network. I sent them several emails trying to persuade them it was a good idea, including an email with my CV and biography. I also met with these media officials to try to persuade them.

And as this November email also shows, I forwarded them a link to a BBC program on Syria done by the heroic Paul Wood in order to try to persuade them that journalists are coming in anyway and they might as well let al Jazeera in formally.

Importantly, the fact that I had to send my resume and biography to establish my credentials for an interview bid with Assad and the very need for sending these things shows I was not an agent for them.

I suspect all sorts of people will continue to focus on Rosen.

If you haven’t been following his work, a number of people have pointed to Rosen as one of the very few people giving a nuanced picture of what is going on in Syria right now. As an example, in this Q&A he talks about the stalemate-degrading-into-civil-war Syria is in right now.

Only a “Hama” could change the equation. Nobody can say exactly what that would entail, because “Hama” has become an epithet, a symbol, it just means for something terrible to happen. So, until now there is no Hama-type event that the opposition or international media could use to give leaders in Turkey or the West a pretext for humanitarian intervention or to delegitimise the country’s leadership. Such an incident would have to be so grave that international opponents would use it to obliterate the Russian and Chinese veto in the United Nations, and to criminalise those two countries for their backing of the Syrian regime.

In any case, that’s the Nir Rosen background to the emails.

All of which led me to ask where the emails came from. I have no doubt they’re real (or at least most of them)–Rosen has confirmed the emails mentioning him appear to be real. Here’s the Guardian’s description of who did and did not confirm the authenticity of emails involving them.

But having the entire contents of one or two email inboxes is not the same as reliably understanding how they came to be obtained and published. That’s the question I’d like to look at in more detail in a follow-up post.