
FBI’s Russian Hack-and-Leak Investigation as Disclosed by the Sussmann Trial

Now that he has been acquitted, it’s easy to conclude the Michael Sussmann prosecution was a pointless right wing conspiracy theory. It was!

But the exhibits that came out at trial are a worthwhile glimpse of both the FBI’s investigation into the 2016 Russian hack of Democrats and the Bureau’s shoddy investigation of the Alfa Bank anomalies.

I’ve started unpacking what a shitshow the FBI investigation into the latter was here and collecting technical exhibits pertaining to the investigation here (though that post is currently out of date).

As to the Russian hack-and-leak, Sussmann’s team facilitated the process with a summary exhibit they included showing a selection of FBI communications pertaining to the investigation that either involve or mention Sussmann. Sussmann introduced these documents to show how obvious his ties to the Democrats would have been to the FBI, including to some people involved in the Alfa Bank investigation. A few of these communications refute specific claims Durham made, showing that meetings or communications Durham argued must relate to the Alfa Bank effort could be explained, in one case far more easily, as part of the hack-and-leak response. That is, some of these documents show that Durham was taking evidence of victimization by Russia and using it instead to argue that Sussmann was unfairly victimizing Trump.

Below, I’ve grouped the communications by topic (though a number of these communications span several topics). Note that Latham & Watkins’ paralegal only used the last date on these communications, which I will adopt. But a number reflect a communication chain that extends months and includes dates that are far more important to the Durham prosecution.

Some of these files include topics that have attracted a great deal of often misleading coverage, such as the efforts to get server images from the Democrats. Importantly, by the time the FBI asked for server images, according to these communications, the only place to get them was at CrowdStrike.

I don’t believe DNC/DCCC have the images that CS took. Only CS have those. It’s like paying ATM fees to your bank to get your cash. DNC/DCCC will be charged to get the images back.

After some discussion about who would pay CrowdStrike to create a second image, the firm offered to do it for free.

These communications also give a sense of the extent to which Democrats faced new and perceived threats all through the election. Given the communications below and some details I know of the Democrats’ response to the attacks, I suspect these communications do not include real attempted attacks, either because they were not reported or because the report went to FBI via another channel. While CrowdStrike attempted to ensure Sussmann was always in the loop, for example, that discipline was not maintained. And we know CrowdStrike found the compromise of the Democrats’ analytics hosted on AWS in September, a compromise that may only show up in these communications mentioned in passing. Some in the FBI seemed entirely unsympathetic to the paranoia that suffering a nation-state attack during an election caused, which couldn’t have helped already sour relations between the FBI and Hillary’s people.

Perhaps the most interesting communications — to me at least — pertain to efforts to authenticate the documents that got publicly posted and to identify any alterations to them. At least as laid out in these communications, the Democrats were way behind the public in identifying key alterations to documents posted by Guccifer 2.0, and it’s unclear whether the FBI was any further ahead. But these discussions show what kind of alterations the Democrats were able to identify (such as font changes) as well as which publicly posted documents the FBI was sharing internally.

FBI public statements

160614 DX102 A discussion of Jim Trainor’s preparation for a meeting with Ellen Nakashima in advance of her June 14, 2016 reporting on the hack and CrowdStrike’s attribution. Among other things, they note Nakashima’s confidence that GOP PACs were also targeted.

160725 DX112 This email chain between Sussmann and Trainor captured Sussmann’s frustration that FBI made an announcement of an investigation into the DNC hack without first running the statement by Sussmann.

160729 DX117 Before FBI sent out a statement about the DCCC hack, Jim Trainor sent Sussmann their draft statement. In response, Sussmann complained that FBI said they were aware of media reports but not of the hack itself. The timing of this exchange is important because Durham’s team repeatedly described a meeting between Marc Elias and Sussmann that day pertaining to a server as relating to the Alfa Bank anomaly.

Points of contact

160616 DX105 An email thread sent within FBI OGC (including to Trisha Anderson) discussing an initial meeting between Jim Trainor, Amy Dacey, Sussmann, and Shawn Henry.

160621 DX107 Starting on June 16, Amy Dacey thanked Assistant Director Jim Trainor for meeting with the Democrats about the hack. The thread turned into a confused request from the campaign for a briefing about whether they, too, had been compromised.

160725 DX114 This chain reflects Hawkins’ confused response after Sussmann provided the contact information for a Hillary staffer with a role in technical security. Hawkins stated, “Nothing concerning HFA has come up.”

160809 DX127 After Donna Brazile replaced Debbie Wasserman Schultz, Sussmann set up a meeting between her and Jim Trainor.

160811 DX128 An email chain among cyber FBI personnel discusses three Secret threat briefings for the DNC, DCCC, and Hillary campaign. Sussmann was scheduled to attend all three briefings, and Marc Elias was scheduled to attend the DCCC and Hillary briefings (though he testified that he did not attend).

160811 DX130 Sussmann sent the FBI notice of a public report of the DNC’s establishment of a cybersecurity advisory board. The report was passed on to Jim Trainor.

DHS outreach

160802 DX106 A Lync chain starting in the initial aftermath of the Nakashima story, referencing an Intelligence Committee briefing, and discussing how to facilitate DHS assistance to the Democrats through Sussmann.

160802 DX120 With the goal of reaching out to the Democratic victims to offer assistance, DHS asked who the point of contact for both would be.

160816 DX125 This email chain documents DHS’ “SitRep” of their understanding of the DNC/DCCC hacks and their efforts to reach out to help. This includes sharing of DNC/DCCC “artifacts” with NCCIC.

Authentication and venue

160708 DX109 An email chain seeking DNC help authenticating a document released by Guccifer 2.0.

160723 DX110 A discussion about authentication, starting on July 21 and extending past the initial WikiLeaks dump. Hawkins observed, “Looks like there will be multiple releases on that [the WikiLeaks] front.”

160802 DX118 After Adrian Hawkins asked CrowdStrike’s Christopher Scott a question about a public report that the Democrats’ analytics had been hacked, Scott explained that Sussmann had to be involved in any discussions between the FBI and their cybersecurity contractor. Hawkins also asked for specifics about the compromised servers that the FBI could use to establish venue.

160816 DX134 An email chain mentioning but not including Sussmann describes the efforts to establish venue (especially for Field staff who rely on laptops and travel a lot) as well as the efforts to authenticate documents.

160822 DX136 Two Lync messages describing a script that can be used to match WordPress documents with files stolen from the DNC.

160922 DX145 NSD’s Deputy Chief of Cyber, Sean Newell, asks Sussmann to meet to discuss some information requests from NDCA. They set up a meeting for September 26.

160930 DX147 Hawkins follows up on Newell’s request for information with a much more detailed request from the San Francisco Division. This request includes details of the forensics NDCA was asking for, generally to include the CrowdStrike reports, network diagrams, logs, and images for the compromised hosts.

161004 DX148 In response to WikiLeaks promises about an upcoming file release, Newell follows up on a September 27 request he made of Sussmann for any files that were altered as well as a list of files that had been released but not circulated outside of the victim organizations first, including some indication whether those had been altered. Sussmann says they would have information available later that week.

161012 DX150 In another chain of responses to Newell’s information request, someone at Perkins Coie passes on a description from the DCCC about how an image posted by Guccifer 2.0 differed from the file structure as it appeared on their server, including as it pertained to a file named, “Pelosi Vote Email.”

161026 DX154 This chain is a follow-up to the Newell request, though it actually includes the Guccifer 2.0 documents about Trump’s taxes being discussed. It includes a description of an altered document published by Guccifer 2.0, in which the font was changed. It also includes a DOJ NSD person asking FBI to print out the document because they don’t have any unattributable computers.

161024 DX165 This is yet another continuation of the Newell request, this one including the Trump Report altered by Guccifer 2.0. It includes some discussion of alterations to that document (as compared to unaltered ones released by WikiLeaks). It also describes documents that a DNC research staffer believes were taken from his local desktop.

CrowdStrike Reports

160815 DX132 Burnham to Farrar explaining there are two CrowdStrike reports, one for the DNC and the other for the DCCC. The former is done, while the latter will be done soon.

160825 DX137 Hawkins asks Sussmann about the DNC CrowdStrike report. Sussmann explains it’s still a few days away, but then the next day says he’s reading “it” (which may be the DCCC report). Sussmann’s response gets forwarded to a few more people.

160830 DX138 A Lync chain conveying that Sussmann had alerted the FBI that the CrowdStrike report was done and asking if WFO should pick it up.

Server images

161013 DX151 In another chain of responses to Sean Newell’s information request, the discussion turns from Sussmann’s effort to make sure the Democrats respond to all the FBI’s data requests to how to obtain images (whether to have CrowdStrike spend 10 hours to do it or let FBI onsite to do it themselves). As part of this chain, Sussmann says that “in theory” the Democrats would be amenable to letting the FBI onsite to image the servers themselves, but then checks to see whether the data is at CrowdStrike or the DNC.

161013 DX152 This chain is a follow-up to the request for server images. Sussmann connects the FBI and CrowdStrike, CS offers to image the servers for free, and the FBI provides the address where to send them.

161028 DX153 A Lync that starts with Newell requesting someone attend the October 11 meeting with Sussmann, continues through a discussion about how to get images of the compromised servers (including whether Sussmann may have misinterpreted the ask), and includes a discussion about a re-compromise.

Lizard Squad ransomware threat

160803 DX121 Late night on August 2, Sussmann reported a ransomware threat from the Lizard Squad. This email discusses the various equities behind such a threat and involves a guy named Rodney Hays, whom the Durham team would at one point insist must be Rodney Joffe.

160806 DX124 This chain reflects more of the response to Sussmann reporting a ransomware threat from Lizard Squad. As noted, it involves a guy named Rodney Hays that Durham’s team insisted must be Joffe.

160922 DX144 Over a month after the Democrats reported the Lizard Squad threat, Eric Lu wrote up the intake report, including the bitcoin address involved and Sussmann’s email to Rodney on August 9 thanking him for his assistance.

Other threats

160726 DX115 Sussmann set up a meeting with Hawkins and others so someone could report “some offline activity related to the intrusion.” This was around the time when Ali Chalupa believed she was being followed, though nothing in this chain describes the threat.

160908 DX140 On August 26, EA Hawkins wrote Sussmann directly alerting him to a new phishing campaign targeting Democrats. On September 7, he wrote back with three accounts that may have been targeted.

160916 DX141 Moore emailing Josh Hubiak — a cyber agent in Pittsburgh — asking for contact information for Michael Sussmann so she can obtain the contact information for a DNC bigwig whose Microsoft Outlook account was compromised, apparently by APT 28. Hubiak is one of the agents also involved in the Alfa Bank investigation.

160917 DX142 The day after the request for contact information for the DNC bigwig, there’s further discussion about how to contact him. The FBI also shares new files reflecting the network share for a different DNC person, a former IT staffer, that was uploaded to Virus Total.

160927 DX146 In response to public reports that some Democratic phones may have been targeted and a potential compromise of Powell’s phone (probably Colin, whose communications were posted to dcleaks), there’s some chatter about what information is available from Apple and Google. One of the key agents involved complains that, “it would be awesome if Google helped out, as I know they are at least 2 steps ahead of me and I’m in a sad, losing game of catchup.”

161011 DX149 This seems to be a collection of Lync notes from October 11, showing three different issues pertaining to Sussmann happening at once: the transfer of custody of the thumb drives to the Chicago office, a reference to a meeting with Sussmann, and a report of a new Democratic concern about exposed Social Security numbers.

161230 DX155 A Lync chain that goes from October 28 through December 30 covering the concern about a bug at DNC HQ, the response to the NYT article naming Hawkins, and another compromise alert.

161017 DX164 This may be a summary prepared for Mother Jones. Whatever the purpose (there is no date), it describes the timeline of FBI’s response to a request for a sweep of DNC headquarters in response to some anomaly. Sussmann permitted the sweep but asked that it be done covertly, so as not to alert DNC staffers.

Crossfire Hurricane

160804 DX123 On August 4, Joe Pientka forwarded the original June 14 Nakashima story to the agents who had just been assigned to the Crossfire Hurricane team with the explanation, “Just going through old — possibly pertinent emails.”

Carter Page Believed James Wolfe Was Ellen Nakashima’s Source Disclosing His FISA Application Less than a Month After the Story

According to the Statement of Offense to which James Wolfe — the former Senate Intelligence Committee security official convicted of lying about his contacts with journalists — allocuted, Carter Page suspected Wolfe was the source for Ellen Nakashima’s story revealing Page had been targeted with a FISA order. When the former Trump campaign staffer wrote Nakashima to complain about the story less than four weeks after Washington Post published it, Page BCCed Wolfe. [Nakashima is Reporter #1 and Ali Watkins is Reporter #2.]

On May 8, 2017, MALE-1 emailed REPORTER #1 complaining about REPORTER #1’s reporting of him (MALE-1). According to the metadata recovered during the search of Wolfe’s email, Wolfe was blind-copied on that email by MALE-1.

That unexplained detail is important — albeit mystifying — background to two recent stories on leak investigations.

First, as reported last month, Nakashima was one of three journalists whose call records DOJ obtained last year.

The Trump Justice Department secretly obtained Washington Post journalists’ phone records and tried to obtain their email records over reporting they did in the early months of the Trump administration on Russia’s role in the 2016 election, according to government letters and officials.

In three separate letters dated May 3 and addressed to Post reporters Ellen Nakashima and Greg Miller, and former Post reporter Adam Entous, the Justice Department wrote they were “hereby notified that pursuant to legal process the United States Department of Justice received toll records associated with the following telephone numbers for the period from April 15, 2017 to July 31, 2017.” The letters listed work, home or cellphone numbers covering that three-and-a-half-month period.

The scope of the records obtained on the WaPo journalists last year started four days after the Page story, so while some May 11, 2017 emails between Nakashima and Wolfe would have been included in what got seized last year, any contacts prior to the FISA story would not have. And the public details on the prosecution of Wolfe show no sign that Nakashima’s records were obtained in that investigation (those of Ali Watkins, with whom Wolfe was in a relationship, however, were). Indeed, the sentencing memo went out of its way to note that DOJ had not obtained deleted Signal texts from any journalists. “The government did not recover or otherwise obtain from any reporters’ communications devices or related records the content of any of these communications.”

That said, Nakashima’s reporting was targeted in two different leak investigations, covering sequential periods, three years apart.

It’s not clear how quickly the Page investigation focused on Wolfe. But it may have had outside help. A CBP Agent unconnected to the FBI investigation grilled Watkins on her ties with Wolfe in June 2017.

The Sentencing Memorandum on Wolfe suggests the FBI came to focus on him — and excused their focus — after having learned of his affair with Watkins. They informed Richard Burr and Mark Warner, and obtained the first of several warrants to access his phone.

At the time the classified national security information about the FISA surveillance was published in the national media, defendant James A. Wolfe was the Director of Security for the SSCI. He was charged with safeguarding information furnished to the SSCI from throughout the United States Intelligence Community (“USIC”) to facilitate the SSCI’s critical oversight function. During the course of the investigation, the FBI learned that Wolfe had been involved in the logistical process for transporting the FISA materials from the Department of Justice for review at the SSCI. The FBI also discovered that Wolfe had been involved in a relationship with a reporter (referred to as REPORTER #2 in the Indictment and herein) that began as early as 2013, when REPORTER #2, then a college intern, published a series of articles containing highly sensitive U.S. government information. Between 2014 and 2017, Wolfe and REPORTER #2 exchanged tens of thousands of telephone calls and electronic messages. Also during this period, REPORTER #2 published dozens of news articles on national security matters that contained sensitive information related to the SSCI.

Upon realizing that Wolfe was engaged in conduct that appeared to the FBI to compromise his ability to fulfill his duties with respect to the handling of Executive Branch classified national security information as SSCI’s Director of Security, the FBI faced a dilemma. The FBI needed to conduct further investigation to determine whether Wolfe had disseminated classified information that had been entrusted to him over the past three decades in his role as SSCI Director of Security. To do that, the FBI would need more time to continue their investigation covertly. Typically, upon learning that an Executive Branch employee and Top Secret clearance holder had potentially been compromised in place – such as by engaging in a clandestine affair with a national security reporter – the FBI would routinely provide a “duty-to-warn” notification to the relevant USIC equity holder in order to allow the intelligence agencies to take mitigation measures to protect their national security equities. Here, given the sensitive separation of powers issue and the fact that the FISA was an FBI classified equity, the FBI determined that it would first conduct substantial additional investigation and monitoring of Wolfe’s activities. The FBI’s executive leadership also took the extraordinary mitigating step of limiting its initial notification of investigative findings to the ranking U.S. Senators who occupy the Chair and Vice Chair of the SSCI.

The FBI obtained court authority to conduct a delayed-notice search warrant pursuant to 18 U.S.C. § 3103a(b), which allowed the FBI to image Wolfe’s smartphone in October 2017. This was conducted while Wolfe was in a meeting with the FBI in his role as SSCI Director of Security, ostensibly to discuss the FBI’s leak investigation of the classified FISA material that had been shared with the SSCI. That search uncovered additional evidence of Wolfe’s communications with REPORTER #2, but it did not yet reveal his encrypted communications with other reporters.

This process — as described by Jocelyn Ballantine and Tejpal Chawla, prosecutors involved in some of the other controversial subpoenas disclosed in the last month — is a useful lesson in how the government proceeded in a case that likely overlapped with the investigation into HPSCI that ended up seizing Swalwell and Schiff’s records. Given that Swalwell was targeted by a Chinese spy, it also suggests one excuse they may have used to obtain the records: by claiming it was a potential compromise.

Still, by the time FBI first informed Wolfe of the investigation, in October 2017, they had obtained his cell phone content showing that he was chatting up other journalists, in addition to Watkins — and indeed, he continued to share information on Page. By the time the FBI got Wolfe to perjure himself on a questionnaire about contacts with journalists in December 2017, they had presumably already searched Watkins’ emails going back years. Wolfe was removed from his position and stripped of clearance, making his indictment six months later only a matter of time.

All that said, the government never proved that Wolfe was the source for Nakashima. And Ballantine’s subpoena for HPSCI contacts, weeks after FBI searched Wolfe’s phone, may have reflected a renewed attempt to pin the leak on someone, anyone (though it’s not clear whether investigators looked further than Congress, or even to Paul Ryan, who has been suspected of tipping Page off).

If the James Wolfe investigation reflects how they might have approached the HPSCI side, there’s one other alarming detail of this: The FBI alerted someone in Congress of the search, the Chair and Ranking Member of the Committee. But in HPSCI’s case, Schiff was the Ranking Member. Meaning it’s possible that, by targeting Schiff, FBI gave itself a way to consult only with the Republican Chair of the Committee.

The investigation of James Wolfe (and that of Natalie Sours Edwards, who was sentenced to six months in prison last week) is an important lesson in leak investigations that serves as important background for Joe Biden’s promise that reporters won’t be targeted anymore. The way you conduct a leak investigation in this day and age is to seize the source’s phone, in part because that’s the only way to obtain Signal texts.

Timeline

March 2017: Exec Branch provides SSCI “the Classified Document,” which includes both Secret and Top Secret information, with details pertaining to Page classified as Secret.

March 2, 2017: James Comey briefs HPSCI on counterintelligence investigations, with a briefing to SSCI at almost the same time.

March 17, 2017: 82 text messages between Wolfe and Watkins.

April 3, 2017: Watkins confirms that Carter Page is Male-1.

April 11, 2017: WaPo reports FBI obtained FISA order on Carter Page.

June 2017: End date of five communications with Reporter #1 via Wolfe’s SSCI email.

June 2017: Using pretext of serving as a source, CBP agent Jeffrey Rambo grills Watkins about her travel with Wolfe.

October 2017: Wolfe offers up to be anonymous source for Reporter #4 on Signal.

October 16, 2017: Wolfe Signals Reporter #3 about Page’s subpoena.

October 17, 2017: NBC reports Carter Page subpoena.

October 24, 2017: Wolfe informs Reporter #3 of timing of Page’s testimony.

October 30, 2017: FBI informs James Wolfe of investigation.

November 15, 2017: 90 days before DOJ informs Ali Watkins they’ve seized her call records.

December 14, 2017: FBI approaches Watkins about Wolfe.

Prior to December 15, 2017 interview: Wolfe writes text message to Watkins about his support for her career.

December 15, 2017: FBI interviews Wolfe.

January 11, 2018: Second interview with Wolfe, after which FBI executes a Rule 41 warrant on his phone, discovering deleted Signal texts with other journalists.

February 6, 2018: Subpoena targeting Adam Schiff and others.

February 13, 2018: DOJ informs Watkins they’ve seized her call records.

June 6, 2018: Senate votes to make official records available to DOJ.

That the Chairman and Vice Chairman of the Senate Select Committee on Intelligence, acting jointly, are authorized to provide to the United States Department of Justice copies of Committee records sought in connection with a pending investigation arising out of allegations of the unauthorized disclosure of information, except concerning matters for which a privilege should be asserted.

June 7, 2018: Grand jury indicts Wolfe.

June 7, 2018: Richard Burr and Mark Warner release a statement:

We are troubled to hear of the charges filed against a former member of the Committee staff. While the charges do not appear to include anything related to the mishandling of classified information, the Committee takes this matter extremely seriously. We were made aware of the investigation late last year, and have fully cooperated with the Federal Bureau of Investigation and the Department of Justice since then. Working through Senate Legal Counsel, and as noted in a Senate Resolution, the Committee has made certain official records available to the Justice Department.

June 13, 2018: Wolfe arraigned in DC. His lawyers move to prohibit claims he leaked classified information.

Did John Durham Seize Journalists’ Call Records?

The WaPo has revealed that, in 2020, DOJ obtained toll records on three journalists, covering a 3.5 month period in 2017.

The Trump Justice Department secretly obtained Washington Post journalists’ phone records and tried to obtain their email records over reporting they did in the early months of the Trump administration on Russia’s role in the 2016 election, according to government letters and officials.

In three separate letters dated May 3 and addressed to Post reporters Ellen Nakashima and Greg Miller, and former Post reporter Adam Entous, the Justice Department wrote they were “hereby notified that pursuant to legal process the United States Department of Justice received toll records associated with the following telephone numbers for the period from April 15, 2017 to July 31, 2017.” The letters listed work, home or cellphone numbers covering that three-and-a-half-month period.

[snip]

The letters do not say when Justice Department leadership approved the decision to seek the reporters’ records, but a department spokesman said it happened in 2020, during the Trump administration. William P. Barr, who served as Trump’s attorney general for nearly all of that year, before departing Dec. 23, declined to comment.

The WaPo cites two stories it thinks might be culprits:

But it misses a key story on which Ellen Nakashima — whose mobile phone and home numbers were seized — was the first byline.

There’s also one on which Nakashima was not the first byline that might be relevant.

Notably, the request goes through the time when Peter Strzok was on the Mueller team.

In August 2020, NYT reported that John Durham was investigating media leaks. As reported, that was focused on the original leak to David Ignatius that led Mike Flynn to respond. But it reported that it wasn’t clear whether the investigation included other leaks, such as the two stories based on leaked intercepts from the period under subpoena.

This report looks like what you’d expect if Durham’s investigation was broader than that, covering the period through when Strzok was removed from Mueller’s team.

Update: Billy Barr told the AP that he had made Durham Special Counsel on December 1, just over 6 months before WaPo got notice that DOJ had seized their records. He did so, it’s now clear, so that whatever providers they were trying to obtain records for would know that he had the authority of Attorney General.

Update: What Durham is clearly pursuing is charging someone under 18 USC 798 for leaking signals intercepts that seeded three stories:

  • The David Ignatius story revealing Mike Flynn’s calls with Sergei Kislyak had been discovered
  • The WaPo story revealing that Jared Kushner’s effort to set up a back channel with Russia had been discovered
  • The WaPo story revealing that Jeff Sessions had lied when he said he hadn’t spoken to any Russians in his confirmation hearing

Update: To be quite clear: I have no reason to believe Durham has any evidence about Strzok. What I have is a bunch of evidence that 1) Durham doesn’t understand what he’s looking at and 2) he was hired to take out a couple of FBI people, starting with Strzok.

The Significance of the James Wolfe Sentence for Mike Flynn, Leak Investigations, and the Signal Application

Yesterday, Judge Ketanji Brown Jackson sentenced former SSCI head of security James Wolfe to two months in prison for lying to the FBI. In her comments announcing the sentence, Jackson explained why she was giving Wolfe a stiffer sentence than what George Papadopoulos and Alex van der Zwaan received: because Wolfe had abused a position of authority.

“This court routinely sentences people who come from nothing, who have nothing, and whose life circumstances are such that they really don’t have a realistic shot of doing anything other than committing crimes,” Jackson said. “The unfortunate life circumstances of those defendants don’t result in a lower penalty, so why should someone who had every chance of doing the right thing, a person who society rightly expects to live up to high moral and ethical standards and who has no excuse for breaking the law, be treated any better in this regard.”

[snip]

Wolfe’s case was not part of special counsel Robert Mueller’s investigation, but the judge compared his situation to two defendants in the Mueller probe who also pleaded guilty to making false statements — former Trump campaign adviser George Papadopoulos, who spent 12 days in prison, and Dutch lawyer Alex van der Zwaan, who was sentenced to 30 days. Jackson concluded that Wolfe’s position as head of security for the Intelligence Committee was an “aggravating” factor.

The public shame he had endured, and the loss of his job and reputation, were not punishment enough, the judge said, but were rather the “natural consequence of having chosen to break the law.”

“You made blatant false statements directly to FBI agents who questioned you about matters of significance in the context of an ongoing investigation. And if anything, the fact that you were a government official tasked with responsibility for protecting government secrets yourself seems to make you more culpable than van der Zwaan and Papadopoulos, who held no such positions,” Jackson said.

While the resolution of this case is itself notable, it has likely significance in three other areas: for Mike Flynn, for DOJ’s leak investigations, and for encrypted messaging apps.

Emmet Sullivan will cite this sentence as precedent

It’s still far from clear that Emmet Sullivan will be sentencing Mike Flynn three months from now. Given Trump’s increasingly unstable mood, Flynn might get pardoned. Or, Flynn might try to judge shop, citing Sullivan’s invocation of treason Tuesday.

But if Sullivan does eventually sentence Flynn and if he still feels inclined to impose some prison time to punish Flynn for selling out his country, he can cite both this sentence and the language Jackson used in imposing it. Like Wolfe, Flynn occupied a (arguably, the) position of great responsibility for protecting our national security. Sullivan seems to agree with Jackson that, like Wolfe, Flynn should face more consequences for abusing the public trust. So Wolfe’s sentence might start a countertrend to the David Petraeus treatment, whereby the powerful dodge all responsibility.

(Note, this is a view that Zoe Tillman also expressed yesterday.)

DOJ may rethink its approach to using false statements to avoid the difficulties of leak cases

I have zero doubt that DOJ prosecuted Wolfe because they believe he is Ellen Nakashima’s source for the story revealing that Carter Page had been targeted with a FISA order, which is how they came to focus on him in the first place. But instead of charging him with that, they charged him for lying about his contacts with Nakashima, Ali Watkins, and two other journalists (and, in their reply to his sentencing memo, made it clear he had leaked information to two other young female national security reporters). In the sentencing phase, however, the government asked for a significant upward departure, a two year sentence that would be equivalent to what he’d face if they actually had proven him to be Nakashima’s source.

While the government provided circumstantial evidence he was Nakashima’s source — in part, her communications to him in the aftermath of the story — he convincingly rebutted one aspect of that claim (a suggestion that she changed her email footer to make her PGP key available to him). More importantly, he rightly called out what they were doing, trying to insinuate he had leaked the FISA information without presenting evidence.

The government itself admitted no fewer than four times in its opening submission that it found no evidence that Mr. Wolfe disclosed Classified Information to anyone. See infra Part I.A. Nonetheless, the government deploys the word “Classified” 58 times in a sentencing memorandum about a case in which there is no evidence of disclosure of Classified Information—let alone a charge.

[snip]

The government grudgingly admits that it lacks evidence that Mr. Wolfe disclosed Classified Information to anyone. See, e.g., Gov. Mem. at 1 (“although the defendant is not alleged to have disclosed classified information”); id. at 6 (“notwithstanding the fact that the FBI did not uncover evidence that the defendant himself disclosed classified national security information”); id. at 22 (“[w]hile the investigation has not uncovered evidence that Wolfe disclosed classified information”); id. at 25 n.14 (“while Wolfe denied that he ever disclosed classified information to REPORTER #2, and the government has no evidence that he did”).

The Court should see through the government’s repetition of the word “Classified” in the hope that the Court will be confused about the nature of the actual evidence and charges in this case and sentence Mr. Wolfe as if he had compromised such information.1

1 Similarly, the government devotes multiple pages of its memorandum describing the classified document that Mr. Wolfe is not accused of having disclosed. And although the government has walked back its initial assertion that Mr. Wolfe “received, maintained, and managed the Classified Document” (Indictment ¶ 18) to acknowledge that he was merely “involved in coordinating logistics for the FISA materials to be transported to the SSCI” (Gov. Mem. at 10), what the government still resists conceding is the fact that Mr. Wolfe had no access to read that document, let alone disclose any part of it. Beyond providing an explanation of how the FBI’s investigation arose, that document has absolutely no relevance to Mr. Wolfe’s sentencing, but it and its subject, an individual under investigation for dealings with Russia potentially related to the Trump campaign, likely have everything to do with the vigor of the government’s position.

It’s unclear, at this point, whether the government had evidence against Wolfe but chose not to use it because it would have required imposing on Nakashima’s equities (notably, they appear to be treating Nakashima with more respect than Ali Watkins, though it may be that they only chose to parallel construct Ali Watkins’ comms) and introducing classified evidence at trial. It may be that Wolfe genuinely isn’t the culprit.

Or it may be that Wolfe’s operational security was just good enough to avoid leaving evidence.

Whatever it is, particularly in a culture of increasing aggressiveness on leaks, the failure to get Wolfe here may lead DOJ to intensify its other efforts to pursue leakers using the Espionage Act.

DOJ might blame Signal and other encrypted messaging apps for their failure to find the Carter Page FISA culprit

And if DOJ believes they couldn’t prove a real case against Wolfe because of his operational security, they may use it to go after Signal and other encrypted messaging apps.

That’s because Wolfe managed to hide a great deal of his communications with journalists until they had sufficient evidence for a Rule 41 warrant to search his phone (which may well mean they hacked his phone). Here’s what it took to get Wolfe’s Signal texts.

Once the government discovered that Wolfe was dating Watkins, they needed to find a way to investigate him without letting him know he was a target, which made keeping classified information particularly difficult. An initial step involved meeting with him to talk about the leak investigation — purportedly of others — which they used as an opportunity to image his phone.

The FBI obtained court authority to conduct a delayed-notice search warrant pursuant to 18 U.S.C. § 3103a(b), which allowed the FBI to image Wolfe’s smartphone in October 2017. This was conducted while Wolfe was in a meeting with the FBI in his role as SSCI Director of Security, ostensibly to discuss the FBI’s leak investigation of the classified FISA material that had been shared with the SSCI. That search uncovered additional evidence of Wolfe’s communications with REPORTER #2, but it did not yet reveal his encrypted communications with other reporters.

Imaging the phone was not sufficient to discover his Signal texts.

Last December and this January, the FBI had two more interviews with Wolfe where they explicitly asked him questions about the investigation. At the first one, even after he admitted his relationship with Watkins, Wolfe lied about the conversations he continued to have on Signal.

The government was able to recover and view a limited number of these encrypted conversations only by executing a Rule 41 search warrant on the defendant’s personal smartphone after his January 11, 2018 interview with the FBI. It is noteworthy that Signal advertises on its website that its private messaging application allows users to send messages that “are always end-to-end encrypted and painstakingly engineered to keep your communication safe. We [Signal] can’t read your messages or see your calls, and no one else can either.” See Signal Website, located at https://signal.org. The government did not recover or otherwise obtain from any reporters’ communications devices or related records the content of any of these communications.

Then, in a follow-up meeting, he continued to lie, after which they seized his phone and found “fragments” of his Signal conversations.

It is noteworthy that Wolfe continued to lie to the FBI about his contacts with reporters, even after he was stripped of his security clearances and removed from his SSCI job – when he no longer had the motive he claimed for having lied about those contacts on December 15. During a follow-up voluntary interview at his home on January 11, 2018, Wolfe signed a written statement falsely answering “no” to the question whether he provided REPORTER #2 “or any unauthorized person, in whole or in part, by way of summary, or verbal [or] non-verbal confirmation, the contents of any information controlled or possessed by SSCI.” On that same day, the FBI executed a second search warrant pursuant to which it physically seized Wolfe’s personal telephone. It was during this search, and after Wolfe had spoken with the FBI on three separate occasions about the investigation into the leak of classified information concerning the FISA application, that the FBI recovered fragments of his encrypted Signal communications with REPORTERS #3 and #4.

They specify that this second warrant was a Rule 41 warrant, which would mean it’s possible — though by no means definite — that they hacked the phone.

The government was able to recover and view a limited number of these encrypted conversations only by executing a Rule 41 search warrant on the defendant’s personal smartphone after his January 11, 2018 interview with the FBI. It is noteworthy that Signal advertises on its website that its private messaging application allows users to send messages that “are always end-to-end encrypted and painstakingly engineered to keep your communication safe. We [Signal] can’t read your messages or see your calls, and no one else can either.” See Signal Website, located at https://signal.org.

Mind you, this still doesn’t tell us much (surely by design). In another mention, they note Signal’s auto-delete functionality.

Given the nature of Signal communications, which can be set to delete automatically, and which are difficult to recover once deleted, it is impossible to tell the extent of Wolfe’s communications with these two reporters. The FBI recovered 626 Signal communications between Wolfe and REPORTER #3, and 106 Signal communications between Wolfe and REPORTER #4.

Yet it remains unclear (though probably likely) that the “recovered” texts were Signal (indeed, given that he was lying and they only executed the Rule 41 warrant after he had been interviewed a second time, he presumably would have deleted them then if not before). DOJ’s reply memo also reveals that Wolfe deleted a ton of his texts to Watkins, as well.

The defendant and REPORTER #2 had an extraordinary volume of contacts: in the ten months between December 1, 2016, and October 10, 2017, alone, they exchanged more than 25,750 text messages and had 556 phone calls, an average of more than 83 contacts per day. The FBI was unable to recover a significant portion of these text messages because they had been deleted by the defendant.

All of this is to say two things: first, the government would not pick up Signal texts — at least not deleted ones — from simply imaging a phone. Then, using what they specify was a Rule 41 warrant that could indicate hacking, they were able to obtain Signal. At least some of the Signal texts the government has revealed pre-date when his phone was imaged.

That’s still inconclusive as to whether Wolfe had deleted Signal texts and FBI was able to recover some of them, or whether they were unable to find Signal texts that remained on his phone when they imaged it in October.

Whichever it is, it seems clear that they required additional methods (and custody of the phone) to find the Signal texts revealing four relationships with journalists he had successfully hidden until that point.

Which is why I worry that the government will claim it was unable to solve the investigation into who leaked Carter Page’s FISA order because of Signal, and use that claim as an excuse to crack down on the app.

On The Passing of David Margolis, the DOJ Institution

David Margolis was a living legend and giant at the Department of Justice. Now he has passed. Just posted is the following from DOJ:

Statements From Attorney General Loretta E. Lynch and Deputy Attorney General Sally Q. Yates on the Passing of Associate Deputy Attorney General David Margolis

Attorney General Loretta E. Lynch and Deputy Attorney General Sally Q. Yates released the following statements today on the passing of Associate Deputy Attorney General David Margolis, senior-most career employee at the Department of Justice.

Statement by Attorney General Lynch:

“David Margolis was a dedicated law enforcement officer and a consummate public servant who served the Department of Justice – and the American people – with unmatched devotion, remarkable skill and evident pride for more than half a century. From his earliest days as a hard-charging young prosecutor with a singular sense of style to his long tenure as one of the department’s senior leaders, David took on our nation’s most pressing issues and navigated our government’s most complex challenges. To generations of Justice Department employees, he was a respected colleague, a trusted advisor and most importantly, a beloved friend. We are heartbroken at his loss and he will be deeply missed. My thoughts and prayers are with David’s family, his friends and all who loved him.”

Statement by Deputy Attorney General Yates:

“David Margolis was the personification of all that is good about the Department of Justice. His dedication to our mission knew no bounds, and his judgment, wisdom and tenacity made him the “go-to” guy for department leaders for over 50 years. David was a good and loyal friend to all of us, and his loss leaves a gaping hole in the department and in our hearts.”

I am sure Mr. Margolis was a kind, personable and decent chap to those who knew and worked with him. I can be sure because there have been many voices I know who have related exactly that. He was undoubtedly a good family man and pillar of his community. None of that is hard to believe, indeed, it is easy to believe.

Sally Yates is spot on when she says Margolis’ “dedication to our [DOJ] mission knew no bounds”. That is not necessarily in a good way though, and Margolis was far from the “personification of all that is good about the Department of Justice”. Mr. Margolis may have been such internally at the Department, but it is far less than clear he is really all that to the public and citizenry the Department is designed to serve. Indeed there is a pretty long record Mr. Margolis consistently not only frustrated accountability for DOJ malfeasance, but was the hand which guided and ingrained the craven protection of any and all DOJ attorneys from accountability, no matter how deeply they defiled the arc of justice.

This is no small matter. When DOJ Inspectors General go to Congress to decry the fact that there is an internal protection racket within the Department of Justice shielding even the worst wrongs by Department attorneys, as IG Glen Fine did:

Second, the current limitation on the DOJ OIG’s jurisdiction prevents the OIG – which by statute operates independent of the agency – from investigating an entire class of misconduct allegations involving DOJ attorneys’ actions, and instead assigns this responsibility to OPR, which is not statutorily independent and reports directly to the Attorney General and the Deputy Attorney General. In effect, the limitation on the OIG’s jurisdiction creates a conflict of interest and contravenes the rationale for establishing independent Inspectors General throughout the government. It also permits an Attorney General to assign an investigation raising questions about his conduct or the conduct of his senior staff to OPR, an entity reporting to and supervised by the Attorney General and Deputy Attorney General and lacking the insulation and independence guaranteed by the IG Act.

This concern is not merely hypothetical. Recently, the Attorney General directed OPR to investigate aspects of the removal of U.S. Attorneys. In essence, the Attorney General assigned OPR – an entity that does not have statutory independence and reports directly to the Deputy Attorney General and Attorney General – to investigate a matter involving the Attorney General’s and the Deputy Attorney General’s conduct. The IG Act created OIGs to avoid this type of conflict of interest. It created statutorily independent offices to investigate allegations of misconduct throughout the entire agency, including actions of agency leaders. All other federal agencies operate this way, and the DOJ should also.

Third, while the OIG operates transparently, OPR does not. The OIG publicly releases its reports on matters of public interest, with the facts and analysis underlying our conclusions available for review. In contrast, OPR operates in secret. Its reports, even when they examine matters of significant public interest, are not publicly released.

Said fact and heinous lack of accountability for Justice Department attorneys, not just in Washington, but across the country and territories, is largely because of, and jealously ingrained by, David Margolis. What Glen Fine was testifying about is the fact there is no independent regulation and accountability for DOJ attorneys.

They are generally excluded from the Department IG purview of authority, and it is rare, if ever, courts or state bar authorities will formally review DOJ attorneys without going through the filter of the OPR – the Office of Professional Responsibility – within the Department. A protection racket designed and jealously guarded for decades by David Margolis. Even when cases were found egregious enough to be referred out of OPR, they went to…..David Margolis.

In fact, attuned people literally called the OPR the “Roach Motel”:

“I used to call it the Roach Motel of the Justice Department,” says Fordham University law professor Bruce A. Green, a former federal prosecutor and ethics committee co-chair for the ABA Criminal Justice Section. “Cases check in, but they don’t check out.”

If you want a solid history of OPR, and the malfeasance it and Margolis have cravenly protected going back well over a decade, please go read “The Roach Motel”, a 2009 article in no less an authority than the American Bar Association Journal. It is a stunning and damning report. It is hard to describe just how much this one man, David Margolis, has frustrated public transparency and accountability into the Justice Department that supposedly works for the citizens of the United States. It is astounding really.

As I wrote back in 2010:

But just as there is an inherent conflict in the DOJ’s use of the fiction of the OPR to police itself, so too does David Margolis have issues giving the distinct appearance of impropriety. Who and what is David Margolis? A definitive look at the man was made by the National Law Journal (subscription required):

“Taking him on is a losing battle,” says the source. “The guy is Yoda. Nobody fucks with the guy.”
….
Margolis cut his teeth as an organized-crime prosecutor, and he often uses mob analogies in talking about his career at the Justice Department. When asked by an incoming attorney general what his job duties entailed, Margolis responded: “I’m the department’s cleaner. I clean up messes.”

The analogy calls to mind the character of Winston Wolfe, played by Harvey Keitel in the 1994 film “Pulp Fiction.” In the movie, Wolfe is called in by mob honchos to dispose of the evidence after two foot soldiers accidentally kill a murder witness in the back of their car.

“The Cleaner” Mr. Margolis considered himself, while fastidiously sanitizing gross malfeasance and misconduct by DOJ attorneys, all the while denying the American public the disinfectant of sunshine and transparency they deserve from their public servants (good discussion by Marcy, also from 2010).

Perhaps no single incident epitomized Margolis’ determination to be the “cleaner” for the Department of Justice and keep their dirt from public scrutiny and accountability than the case of John Yoo (and to similar extent, now lifetime federal judge Jay Bybee). Yoo as you may recall was the enlightened American who formally opined crushing innocent children’s testicles would be acceptable conduct for the United States to engage in. Yoo and Bybee, by their gross adoption of torture, literally personally soiled the reputation of the United States as detrimentally as any men in history.

So, what did David Margolis do in response to the heinous legal banality of evil John Yoo and Jay Bybee engendered in our name? Margolis cleaned it up. He sanitized it. Rationalized it. Ratified it. Hid it. To such an extent architects of such heinous war crimes are now lifetime appointed federal judges and tenured professors. Because that is what “The Cleaner” David Margolis did. “Protecting” the DOJ from accountability, at all costs, even from crimes against humanity, was simply the life goal of David Margolis, and he was depressingly successful at it.

So, less than 24 hours into the passing of The Cleaner, is it too early to engage in this criticism? Clearly other career officials at the DOJ think discussing the pernicious effects of Margolis on accountability and transparency are out of bounds.

I wonder what the late Senator Ted Stevens would say in response to the “too soon” mandate of Steven Bressler? Because thanks to the efforts of The Cleaner Margolis, Stevens died without the public knowing what an unethical and craven, if not downright criminal, witch hunt attorneys in the Department of Justice ran on him. Even after Stevens was long gone from office and dead, there was Margolis “cleaning” it all up to protect his precious Justice Department when even the internal OPR found gross misconduct:

Following the Justice Department’s agreement in 2009 to vacate the convictions it obtained of former Alaska Senator Ted Stevens, it conducted an internal probe into the conduct of its senior lawyers and—surprise!—exonerated them and itself. It then refused to make the report public. However, at the time the conviction was voided, the presiding judge in Stevens’s case, Emmet Sullivan, appropriately wary of the department’s ethics office, appointed a special prosecutor, Henry F. Schuelke, III, an eminent Washington attorney and former prosecutor, to probe the DOJ’s conduct. Late last week, Schuelke’s 525-page report was released, over the loud objections of DOJ lawyers. The report revealed gross misconduct by the prosecutorial team, stretching over the entire course of the case and reaching into the upper echelons of the department. It concluded there had been “systematic concealment of significant exculpatory evidence which would have independently corroborated [Stevens’s] defense.”

Having laid out the above bill of particulars as to David Margolis, I’d like to return to where we started. As I said in the intro, “I am sure Mr. Margolis was a kind, personable and decent chap”. That was not cheap rhetoric, from all I can discern, both from reading accounts and talking to people who knew Mr. Margolis well, he was exactly that. Ellen Nakashima did a fantastic review of Margolis in the Washington Post last year. And, let’s be honest, the man she described is a guy you would love to know, work with and be around. I know I would. David Margolis was a man dedicated. And an incredibly significant man, even if few in the public understood it.

Say what you will, but Mr. Margolis was truly a giant. While I have no issue delineating what appear to be quite pernicious effects of David Margolis’ gargantuan footprint on the lack of accountability of the Department of Justice to the American citizenry, I have some real abiding respect for what, and who, he was as a man. Seriously, read the Nakashima article and tell me David Margolis is not a man you would love to kill some serious beers with by a peaceful lake somewhere.

But David Margolis, both the good and the bad, is gone now. Where will his legacy live? One of our very longtime friends here at Emptywheel, Avattoir, eruditely said just yesterday:

Focus instead on the institution, not the players. The players are just data points, hopefully leading to greater understanding of the institutional realities.

Those words were literally the first I thought of yesterday when I received the phone call David Margolis had passed. They are true and important words that I, and all, need to take heed of more frequently.

David Margolis, it turns out from all appearances and reports, was a complex man. Clearly great, and clearly detrimental, edges to him. So what will his legacy be at the Department of Justice? Will the closing of the Margolis era, and it was truly that, finally bring the institution of the Department into a modern and appropriate light of transparency, accountability and sunshine?

Or will the dirty deeds of David Margolis’ historical ratification and concealment of pervasive and gross misconduct by Department of Justice attorneys become permanently enshrined as a living legacy to the man?

We shall see.