
“The Bell Can Never Be Unrung” … The Many Times Durham’s Prosecutors Flouted Judge Cooper’s Orders

Thanks to those who’ve donated to help defray the costs of trial transcripts. Your generosity has funded the expected costs. If you appreciate the kind of coverage no one else is offering, we’re still happy to accept donations for this coverage — which reflects the culmination of eight months of work.

The jury in the Michael Sussmann case will return to work this morning. They deliberated for some period on Friday (I’m not sure whether how long they deliberated has been reported). But the jury was unable to get questions answered or a verdict accepted after Judge Christopher Cooper left for the long holiday at 2:30PM. Even if the jury ends up finding Jim Baker’s testimony unreliable — which would likely be the quickest way to come to a verdict one way or another — I would expect it to take the jury a bit of time to sort through the centrality of his testimony to the charges.

So while we wait, I want to catalog how Durham’s team blew off just about every adverse decision Cooper made against them.

1. Delayed Request for Privileged Material

As I laid out in this post, Cooper ruled that a bunch of the emails over which the Democrats had originally claimed privilege were not privileged. But because Durham waited so long to request a review of the privileged documents, Cooper ruled Durham could not use the emails at trial.

In cross-examination of Fusion’s tech person, Laura Seago, DeFilippis used the content of one of those emails that apparently discussed hiding her Fusion affiliation from Tea Leaves. (I laid out this exchange in this post.)

MR. DeFILIPPIS: So we have an issue with regard to Ms. Seago’s testimony. The government followed carefully Your Honor’s order with regard to the Fusion emails that were determined not to be privileged but that the government had moved on.

As Your Honor may recall, there was an email in there in which Ms. Seago talks very explicitly about seeking to approach someone associated with the Alfa-Bank matter and concealing her affiliation with Fusion in the email. When we asked her broadly whether she ever did that, she definitively said no when I, you know, revisited it with her. So it raises the prospect that she may be giving false testimony.

And so we were — you know, I considered trying to refresh her with that, but I didn’t understand that to be in line with Your Honor’s ruling. So the government is — we’d like to consider whether we should be — we’d like Your Honor to consider whether we should be able to at least recall her and refresh her with that document?

THE COURT: I don’t remember that question, but the subject matter was concealing Fusion or her identities in conversations with the press. If I recall correctly, that email related to “tea leaves,” correct?

After repeatedly asking Seago whether she had hidden her affiliation from the media, he asked about this email, catching Seago in a gotcha (though both Judge Cooper and Sussmann lawyer Sean Berkowitz took the question, as Seago seemed to, to relate to outreach to the press).

After setting his perjury trap, DeFilippis immediately tried to recall Seago onto the stand to delve into the content of this email. In this case, Judge Cooper ruled that DeFilippis had waived his opportunity to do so.

THE COURT: Well, I think the time to have asked the Court whether using the document to refresh was consistent with the order was before she was tendered and dismissed. So I think you waived your opportunity. All right? So we’re going to move on.

2. Non-Expert Expert Testimony

One of the most contentious arguments leading up to trial was Durham’s belated attempt to use an expert witness, ostensibly to discuss the technical complexities of DNS and Tor at the heart of the case (topics which prosecutors had witnesses explain over and over in as much detail as their nominal expert witness David Martin did), to address the accuracy of the research on the DNS anomaly.

This was an attempt to lead the jury to believe the anomaly was fabricated by Rodney Joffe and the researchers, in spite of the fact that Durham obtained plenty of evidence it was not.

On April 25, Judge Cooper ruled that Durham could have an expert discuss the technicalities of the data, but could only raise the accuracy if Sussmann did so himself.

Then on May 6, Durham attempted to expand that ruling by asking the expert to address materiality. In discussions the morning of opening arguments that focused entirely on the testimony of non-DNS expert Scott Hellman, not the nominal expert on DNS David Martin, Cooper prohibited Martin’s discussion of spoofing. (I describe these discussions here.)

Ironically, this was all supposed to be about visibility: the importance, to the quality of a researcher’s work, of understanding how much DNS traffic that researcher could access. In Hellman’s own analysis — for which he fairly demonstrably did not review the data that Sussmann shared with the FBI very closely — he showed no curiosity about the issue.

Searched “…global nonpublic DNS activity…” (unclear how this was done) and discovered there are (4) primary IP addresses that have resolved to the name “mail1.trump-email.com”. Two of these belong to DNS servers at Russian Alfa Bank. [my emphasis]

Nevertheless, DeFilippis used this nested set of witnesses as an opportunity to get Hellman — who admitted he had only a basic understanding of DNS, who didn’t review the data very closely, and who formed his initial conclusion in about a day — to comment on the methodology of the researchers.

Q. And what, if anything, did you conclude about whether you believed the authors of the paper or author of the paper was fairly and neutrally conducting an analysis? Did you have an opinion either way?

MR. BERKOWITZ: Objection, Your Honor.

THE COURT: Basis?

MR. BERKOWITZ: Objection on foundation. He asked him his opinion. He’s not qualified as an expert for that.

THE COURT: I’ll overrule it.

A. Sorry, can you please repeat the question?

Q. Sure. Did you draw a conclusion one way or the other as to whether the authors of this paper seemed to be applying a sound methodology or whether, to the contrary, they were trying to reach a particular result? Did you —

A. Based upon the conclusions they drew and the assumptions that they made, I did not feel like they were objective in the conclusions that they came to.

Q. And any particular reasons or support for that?

A. Just the assumption you would have to make was so far reaching, it didn’t — it just didn’t make any sense.

This is precisely the kind of opinion that Cooper had prohibited from an actual expert, admitted from someone whose own shoddy analysis became a recurrent theme for the defense.

3. Hearsay Clinton Tweet

DeFilippis’ efforts to get excluded information introduced were still more brazen with hearsay materials.

On May 7, Judge Cooper issued his initial ruling on which parts of Durham’s conspiracy theory could be admitted at trial. In general, Cooper permitted the introduction of Fusion GPS emails with the press about the Alfa Bank allegations, all of which post-date Sussmann’s alleged lie. He excluded all but one of the emails between Rodney Joffe and the researchers (more on the exception below).

Cooper equivocated wildly about a tweet sent out under Hillary Clinton’s name in response to the Franklin Foer story on the anomaly. In a hearing on April 27, he excluded it as hearsay.

THE COURT: All right. The Clinton Campaign Tweet, the Court will exclude that as hearsay. To the extent that the government believes that it offers some connection to the campaign and an attorney-client relationship, it’s likely duplicative of other evidence, so the Tweet will not come in.

In a pre-trial hearing on May 9 (after he had issued his order on motions in limine), Cooper explained he was revisiting the decision.

But I guess my question, as I have thought more about this, given the sort of two competing theories of the case and two narratives laid out in the Court’s ruling on the motion in limine, is whether it is relevant not for the truth, but to show the campaign’s connection to the alleged public relations effort to play stories regarding the Alfa-Bank data with the press and that therefore it is sort of context for the Government’s motive theory, that Mr. Sussmann sought to conceal that effort, as well as the campaign’s general connection to that effort.

After Sussmann lawyer Sean Berkowitz explained that the defense would not contest that the campaign wanted a story out there, Cooper opined that would make the tweet cumulative.

Well, if that’s going to be the case, and he’s not contesting that he was representing the campaign in connection with that effort, isn’t the tweet cumulative? It’s icing on the cake. Right?

DeFilippis claimed that without the tweet they would have no evidence about how the campaign worked the press on this issue (even though both Marc Elias, called as a government witness, and Robby Mook, who was originally listed as a government witness, eventually testified to the issue on the stand). After Judge Cooper said he would reserve his decision, Berkowitz noted that in fact, DeFilippis planned to use the tweet to claim the campaign wanted to go to the FBI when the testimony at trial (from both Elias and Mook) would establish that going to the FBI conflicted with the campaign’s goals.

[T]hey are offering the tweet for the truth of the matter, that that’s what the campaign desired and wanted and that it was a accumulation of the efforts.

Number one, it’s not the truth; and in fact, it’s the opposite of the truth. We expect there to be testimony from the campaign that, while they were interested in an article on this coming out, going to the FBI is something that was inconsistent with what they would have wanted before there was any press. And in fact, going to the FBI killed the press story, which was inconsistent with what the campaign would have wanted.

And so we think that a tweet in October after there’s an article about it is being offered to prove something inconsistent with what actually happened.

Then, after both Elias and Mook had testified that they had not sanctioned Sussmann going to the FBI, DeFilippis renewed his assault on Cooper’s initial exclusion, asking to introduce it through Mook’s knowledge that the campaign had tried to capitalize on the Foer story.

Having ruled in the past that the tweet was cumulative and highly prejudicial, Cooper nevertheless permitted DeFilippis to introduce the tweet if he could establish that Mook knew that the campaign tried to capitalize on the Foer story.

But Cooper set two rules: The government could not read from the tweet and could not introduce the part of the tweet that referenced the FBI investigation. (I explained what DeFilippis did at more length in this post.)

THE COURT: All right. Mr. DeFilippis, if you can lay a foundation that he had knowledge that a story had come out and that the campaign decided to issue the release in response to the story, I’ll let you admit the Tweet. However, the last paragraph, I agree with the defense, is substantially more prejudicial than it is probative because he has testified that had neither — he nor anyone at the campaign knew that Mr. Sussmann went to the FBI, no one authorized him to go to the FBI, and there’s been no other evidence admitted in the case that would suggest that that took place. And so this last paragraph, I think, would unfairly suggest to the jury, without any evidentiary foundation, that that was the case. All right?

MR. DeFILIPPIS: Your Honor, just two brief questions on that.

THE COURT: Okay.

MR. DeFILIPPIS: Can we — so can we use — depending on what he says about whether he was aware of the Tweet or the public statement, may we use it to refresh him?

THE COURT: Sure. Sure.

MR. DeFILIPPIS: Okay. And then, as to the last paragraph, could it be used for impeachment or refreshing purposes as well in terms of any dealings with the FBI?

THE COURT: You can use anything to refresh.

MR. DeFILIPPIS: Okay.

THE COURT: But we’re not going to publish it to the jury. We’re not going to read from it. And let’s see what he says. [my emphasis]

Having just been told not to read the tweet, especially not the part about the FBI investigation, DeFilippis proceeded to have Mook do just that.

The exhibit of the tweet that got sent to the jury had that paragraph redacted and that part of the transcript was also redacted. But, predictably, the press focused on little but the tweet, including the part that Cooper had explicitly forbidden from coming into evidence.

4. Hearsay about Joffe’s Request for Feedback

As noted above, Judge Cooper permitted just one email between Joffe and the researchers to come into evidence: a request for feedback Rodney Joffe made of the researchers. But he did so based on Durham’s representation that either David Dagon or Manos Antonakakis — both of whom received the email — would testify.

Neither did.

During Sean Berkowitz’ cross-examination of Curtis Heide, one of the agents assigned to investigate the anomaly, Sussmann’s attorney had Heide explain how they knew David Dagon had a role in the research, but nevertheless never bothered to speak to him directly.

AUSA Jonathan Algor used that as an opportunity to ask to introduce not just the email that had been permitted, but also the response, claiming that by highlighting how shoddy the FBI investigation was, Berkowitz was opening the door to accuracy questions.

MR. ALGOR: So, Your Honor, there was a good amount of cross-examination regarding David Dagon.

THE COURT: Yes.

MR. ALGOR: And specifically asking about reaching out to him and also going into that he was the source of the white paper and what types of questions you would ask him and all. I think that this goes right to the red herring email.

THE COURT: I’m sorry, the what email?

MR. ALGOR: The red herring email, which you’ve previously excluded. It was Government Exhibit 124, when you would go through what type of questions. Now that Mr. Berkowitz has asked these, I would ask: What would you have asked having to provide data related to it? You know, Were there drafts of the white paper? Would Agent Heide ask who else he communicated with and what he believed regarding all of that data? And so I think he’s opened the door regarding that email.

Berkowitz noted that neither Sussmann nor Heide knew of the email.

MR. BERKOWITZ: Judge, this is not an email that was authored by Mr. Dagon. My cross-examination went directly to their investigation, who they spoke to, who they didn’t speak to. I asked him, he doesn’t know what Mr. Dagon said to Mr. Sussmann, if anything, and he said he didn’t. And I don’t think that opening the door to these communications where there’s no indication that it went to Mr. Sussmann is appropriate.

Cooper ruled that Algor could not introduce the email response.

That did not open the door to the excluded email about which — about what his and the other researchers’ views on the data or motivations may have been. In any case, the emails reflect — or the email reflects the views of Mr. Joffe, not Mr. Dagon, and those views came a full month and a half before the FBI was in a position to interview Mr. Dagon. They are, therefore, not relevant to Mr. Dagon’s views or motivations in any event.

So you can — you can certainly ask him, as you have in direct, what he would have done differently, what he would have questioned Mr. Dagon about, you know, to establish a materiality argument, but we’re not going to get into what the researchers’ motivations were. Okay?

Minutes later, Algor walked through how Heide didn’t know any of the people on the email, and elicited from Heide the opinion that even asking the opinion might suggest people were trying to fabricate the data.

Q. Okay. And it — the “from” is Rodney Joffe. Do you see that?

A. Yes.

Q. And then the “to” is to Manos Antonakakis. Do you see that?

A. Yes.

Q. Do you know who that is?

A. I do not.

Q. And David Dagon, do you see that second name?

A. Yes.

Q. Do you know who David Dagon is?

A. No.

Q. You testified —

A. I’m sorry.

Q. — earlier —

A. I never met David Dagon, but I do know that he was the information that the source came forward and said he was potentially the author of the white paper.

Q. Okay. And that’s from a CHS that your team was contacted by?

A. Yes. Yes.

Q. And then, finally, April Lorenzen. Do you know who April Lorenzen is?

A. I do not.

[snip]

Q. Would you also want to know whether the authors of the white paper were trying to make it out so that it wasn’t — so that it couldn’t be understood if you weren’t a DNS expert?

A. That would be important.

Q. And if you could read that last line, please.

A. It says, “Do NOT spend more than a short while on this (if you spend more than an hour you have failed the assignment). Hopefully less.”

Q. And just going back to the line above, it says, without — it says, “NOT to be able to say this is, with out doubt, fact, but to merely be plausible,” would you want to understand that coming from the source of the white paper?

A. Yes.

The discussion of the bench conference immediately after Heide left the stand (Berkowitz generally refrained from objecting to these shenanigans in front of the jury) is entirely redacted. But as noted below, Judge Cooper ultimately excluded the entire email as hearsay introduced without proper foundation.

6. Hearsay Commentary on an Attorney

In the very same sidebar where Judge Cooper excluded the Heide testimony, he also explicitly prohibited prosecutors from tying a research request that Rodney Joffe had given a colleague, Jared Novick, to an attorney. The research request pertained to Richard Burt and Carter Page (among others) at a time both had established ties to Russia. Novick testified to Joffe’s displeasure with his work abilities and it’s quite clear the two don’t like each other.

MR. BERKOWITZ: So with respect, Judge, to that, it sounds as if outside the norm of what he normally does, that he thought it was likely for a political campaign. I’m not sure that his determination that he thought it was for an attorney is relevant. If they want to put in an attorney-client-privileged document that he saw, I think he can do that. But if he says I understood this was going to an attorney connected to the campaign, that’s hearsay. And it really doesn’t have anything to do with Mr. Sussmann, unless they can tie it up in any way.

THE COURT: Is there — is there any link to the defendant?

MR. ALGOR: Your Honor, just that he understood the tasking was related to opposition research regarding Trump; that he was told by Mr. Joffe — and his understanding was — that it was — it was someone tied to the Clinton campaign. But his understanding overall, full context and understanding, regardless of what Mr. Joffe said, was that this was going to someone tied to the campaign; and that also in receiving the document that had attorney-client privilege, that he understood it to be for an attorney.

THE COURT: How is that not hearsay if Mr. Joffe offered for the purpose of showing that, in fact, it was from —

MR. ALGOR: Because it’s a full understanding. It’s not getting into the actual specific statements that Mr. Joffe told him, but just the full context of what he was tasked to do and who the ultimate receiver was.

THE COURT: Okay.

MR. KEILTY: One second, Your Honor.

THE COURT: You can elicit his understanding that it was for a campaign, that it was unusual, that it may have had some political purpose. But I want you to stay away from any suggestion, which I don’t think has been established, that it was from Mr. Sussmann, including by suggesting it was from an attorney. Okay? [my emphasis]

Once again, minutes after Judge Cooper issued an order — this one ruling that Durham’s team could not elicit any reference to an attorney — Algor nevertheless got a former Joffe associate to do so.

Q. And, again, you — during cross-examination, Mr. Berkowitz asked you a series of questions regarding — regarding your work for Mr. Joffe on this project?

A. Uh-huh.

Q. And without getting into any specific conversations, based on the totality of your work, who was the intended audience for the project?

A. It was to go to an attorney with ties.

MR. BERKOWITZ: Objection, Your Honor.

THE COURT: Sustained.

That was the first time Berkowitz started getting really insistent about the pattern of Durham’s prosecutors completely ignoring explicit prohibitions from Cooper.

MR. BERKOWITZ: And — and just briefly, Your Honor, I don’t know when is an appropriate time to — to raise this. I want to express what — and I am not a — a hotheaded person —

THE COURT: You’re not a what?

MR. BERKOWITZ: I’m not a hotheaded person, but I have deep concern over the last line of questioning with the witness eliciting something that I think was clearly prohibited. And it’s consistent, in our view, with the line of questioning relative to Mr. Elias, [sic] relative to them reading the tweet that had been excluded. And, again, I know you don’t apportion bad faith, and I’m not asking you to do that at this point, but I just — I’m — I’m really concerned about the number of those issues that have come in and the prejudice to Mr. Sussmann. And I don’t know how best to deal with it, but I want to raise that to your attention.

Judge Cooper finally warns Durham to follow his orders

The Novick questioning finally stirred Cooper to try to do something about prosecutors flouting his orders. The first thing the next morning, he issued a both-sides warning about adhering to his rulings.

THE COURT: Okay. Good morning, everybody. All right. I just want to return briefly to the discussion we had at the end of the day yesterday.

You know, we’ve been here for two weeks. I have tried my best to let you folks try your cases as you see fit without undue intervention from the Court, as is my usual practice. But I obviously have set some evidentiary guardrails in the case that I expect both sides to follow, and I think you’ve done that for the most part.

Yesterday, however, I thought it was pretty clear — that I was pretty clear that in Mr. Novick’s testimony the government was not to suggest a link between the defendant and — on the one hand, and Mr. Joffe and the researchers’ data collection efforts on the other hand, or their views about the data. I didn’t think there was an evidentiary foundation for that.

I thought that the jury would only be able to speculate about any such connection, and I thought that any knowledge Mr. Novick had about that was necessarily hearsay from Mr. Joffe, who obviously is not here to testify. And I thought, at least, the final question in the redirect that was asked yesterday, nevertheless, attempted to establish such a link.

You know, I know that questions get asked rhetorically or argumentatively that are likely to draw an objection, and I will give lawyers some slack on that, but I expect both sides to comply with my evidentiary rulings.

There’s a lot of evidence in this case. There’s a lot for the jury to digest. They will have plenty of validly admitted evidence to pore over, and from here on out, including in arguments, I expect both sides to comply with both the letter and the spirit of the Court’s evidentiary rulings. So let’s keep it clean from here, okay?

MR. KEILTY: Yes, Your Honor.

Berkowitz used that exchange to request that Cooper exclude the entirety of the email that Algor used to invite Heide to suggest the data had been fabricated as the only way to limit the damage from prosecutors breaking Cooper’s rules.

MR. BERKOWITZ: Thank you very much for that, Your Honor. I have one other request related to it. And I don’t mean to go to the well, but there was an additional line of questioning yesterday related to Government Exhibit 132 with Agent Heide. I’m happy to provide a copy of it, if you would like.

THE COURT: Just remind me what it is.

MR. BERKOWITZ: It’s the document they sought to admit between Rodney Joffe, David Dagon, and Manos Antonakakis, “Is this a plausible explanation?”

THE COURT: Yes, I know that one. Actually, pass it up.

MR. BERKOWITZ: Your Honor, I went back and read the basis for your admitting the document, which was that it was not hearsay because there was a statement, “can you review,” and a question, “is this a plausible explanation?” I think we all contemplated at the time that both Mr. Dagon and Mr. Antonakakis were on the witness list and might testify.

You did allow it in. We didn’t object on the basis that you had previously ruled on it.

The manner in which it was used with the witness, I think, didn’t comply with the spirit of the Court’s ruling. There were questions asked related to “if you had spoken with Mr. Dagon, and you were aware of this communication” words to the effect of “would that have been concerning?”

And the witness — and I’m not suggesting that it was elicited intentionally, but the witness said “it would concern me because it appears as if it’s fabricated.”

Berkowitz noted that (like the Clinton tweet before it, though Berkowitz didn’t make the connection) the exchange got reported in the press.

That’s been reported in the press, even though you struck it from the record at our request.

Our remedy request, Your Honor, in light of that, and in light of the lack of probative value of that document with no connection to Mr. Sussmann, would be to strike the question and answering related to that document, to strike that document from the record, and not allow the prosecution team to use it with any defense witnesses, as well as not to use it in argument because it would have been stricken from the record.

We think the probative value of that document at this stage is minimal, and I expect that if it is published to the jury and used in any way, the jurors will associate it with the fabrication comment. And you worked real hard — and we have all worked really hard — to keep out the accuracy of the data. And the prejudicial nature of the document and the testimony associated with it is something that we think, while it can’t be remedied, and the bell can never be unrung, they should not be reminded and put before them. [my emphasis]

After having just been scolded, DeFilippis nevertheless made a bid to keep the document that might trigger the improperly elicited comment in as evidence.

Michael Keilty — the closest thing to a grown-up on this team — then tried to explain away Algor’s flouting of the rules with Novick.

MR. KEILTY: One last thing, Your Honor, just with respect to the final question to Mr. Novick yesterday. I think Your Honor’s aware that the government obviously did not intend for that — to elicit that answer. Instead, it intended to elicit an answer regarding Mr. Novick’s thoughts about whether this was involved with a political entity or political campaign. We didn’t have the opportunity or the benefit of conferring with Mr. Novick prior to Your Honor’s ruling. So we apologize for that, but we just wanted to put on the record some of the reasons why.

THE COURT: Well, you could have asked, “Without telling me who it came from, what was your understanding of the general nature of the source?” Right?

7. Hearsay on Top of Hearsay about Joffe’s Joke about a Job

But the Durham team’s defiance of Cooper didn’t stop there. While Cooper had permitted (with the proper foundation) a Joffe email that elicited feedback, Cooper had excluded an email — sent to someone never identified as a witness in this case — in which Joffe had joked about working in cybersecurity under a Clinton Administration. Nevertheless, as part of a long exchange with retired FBI Agent Tom Grasso in which DeFilippis asked Grasso materiality questions about stuff he heard about but had no firsthand knowledge of — each time presented as fact rather than as a conspiracy that Durham had explicitly been prohibited from presenting because they hadn’t charged it — Durham’s lead prosecutor raised the allegation he had been prohibited from raising.

Q. So when he came to you or at any time after that, did Mr. Joffe disclose to you whether he was working on this with representatives of the — of a political campaign?

A. He did not, no.

Q. And do you think you’d remember if he had told you at the time, you know, “I’m doing this, working with some folks who are working with the political campaign”?

A. I would think I would remember that, yes.

Q. So Mr. Joffe didn’t tell you — have you heard of a firm called Fusion GPS?

A. I have heard of Fusion GPS, yes, sir.

Q. Okay. And are you generally aware that they had — without getting into any specific work you did, are you generally aware that they had done some work for the Clinton Campaign at the time?

A. Yes, I —

Q. Okay.

A. Yes, I am aware of that, yes.

Q. So Mr. Joffe didn’t say he was working with Fusion GPS on this project?

A. Not that I recall, no.

Q. And Mr. Joffe never told you that, you know, this project had arisen in the context of opposition research that the Clinton Campaign was working on?

A. I do not recall that coming up, no.

Q. If Mr. Joffe had come to you and said, “I’m working with some investigators and some lawyers who are working for the Clinton Campaign, and, you know, that’s part of what I’m doing here with this information, can you please keep my name out of this,” would you have viewed that differently than you viewed the information as you got it?

[snip]

Q. Okay. And in the 2016 election period, you and Mr. Joffe, I imagine, never discussed politics or anything like that?

A. I don’t recall political discussions with him, no.

Q. Okay. And did you — so you certainly didn’t know that he was working with folks affiliated with a particular political party or campaign on what he brought to you, right?

A. I have no recollection of that.

Q. And any recollection of hearing or learning that he was expecting any kind of position in a future political administration?

A. I do not have a recollection of that other than — let me rephrase that. I have a recollection of that being reported in the media, but I don’t have a —

MR. BERKOWITZ: Objection, Your Honor.

THE COURT: Sustained. [my emphasis]

When Berkowitz raised this exchange at the end of the day, Judge Cooper noted that the several meetings they had with Grasso were ample basis for DeFilippis to understand that Grasso had no knowledge of those matters (or, for that matter, the topics covered by that entire line of questioning).

MR. BERKOWITZ: Judge, I regret that I’m going back to this same issue that we started the day with where you admonished counsel to be careful of the guardrails related to evidentiary rulings. We had another situation today that I think ran afoul of your comments. There was an email that was the subject of a motion related to Mr. Joffe communicating about a potential job. And in the cross-examination of Agent Grasso there was a question about, “He certainly didn’t know he was working with folks affiliated with a particular political party or campaign when he brought that to you. Right?”

Answer: “I have no recollection of that.” I didn’t object.

And then he followed up with: “And any recollection of hearing or learning that he was expecting any kind of position in a future political administration, knowing that there was nothing in the 3500 materials related to that and knowing an objection that was sustained could elicit a belief that he would do that?”

The witness answered, “I do not have a recollection of that other than — let me rephrase that. I have a recollection of that being reported in the media.”

I objected. Your Honor, they had met with this witness four times. They had pretried him twice. There was nothing in the 3500 material to suggest that he had any belief of that or any recollection or any connection.

And it’s another instance in a litany of instances that’s suggesting to the jury topics and issues that were the subject of your ruling. And I, you know, particularly with the potential testimony of Mr. Sussmann coming up, I don’t know what else to say or to do, and we’ll consider filing a motion. But I wanted to raise the issue, and I take no joy in continuing to do this. But I cannot stand by while it continues to go on.

DeFilippis at first tried to excuse blowing off Cooper’s ruling by saying that the rules for cross-examination are different. But not if the witness was originally a witness for the prosecution.

THE COURT: Counsel?

MR. DeFILIPPIS: Yes, Your Honor. I guess we’re glad that Mr. Berkowitz raised it in the sense that, you know, typically the rules for cross-examination are different from evidence presented in a case in chief. And if there is a good-faith basis to ask — inquire as to knowledge of a matter, Your Honor, the government didn’t phrase the question tethered to any email or refer to any hearsay.

It was just inquiring as to knowledge and then inquiring as to whether that fact would be relevant to what it is that Mr. Grasso’s interactions with Mr. Joffe were.

So if, again if the Court wants —

THE COURT: Counsel, I don’t disagree with that, but you got to have a good faith basis for asking the question. Right? And if you prepped this guy and he’s never said anything about it, then there’s no good-faith basis. Okay? Him reading it in The New York Times or whatever is not a good-faith basis.

Then DeFilippis claimed that the question — which came after two earlier ones in which he asked Grasso questions about things he had “heard of” — was not deliberately intended to elicit such a response.

MR. DeFILIPPIS: Yeah, and to be clear, Your Honor, the portion where he said he read in the — we didn’t know that, and we wouldn’t have intentionally elicited something from a press account. So we will certainly be careful.

THE COURT: He was the defense’s witness here, but he was on your witness list. You should have known. If there was a basis to ask that question, you should have known what it was.

MR. DeFILIPPIS: Yeah. Understood, Your Honor.

Only after this exchange on prosecutors using someone who had originally been a government witness to invite speculation did Cooper exclude the entire email discussion involving Heide.

THE COURT: In that vein, let’s go back to GX-132. The admission of the email did not sit well with me yesterday, and it still does not sit well with me.

The Court ruled that the document was [sic] hearsay originally because it contained a question and a request, as opposed to an assertion. But the Court made clear in its order that, in order to be admitted, it would still need a proper foundation. The witness through which the document ultimately was admitted, albeit not without an objection from the defense, was Mr. Heide, who, as far as I could tell, had no personal knowledge whatsoever of the email. He didn’t know Mr. Joffe. He didn’t know the researchers who received it. He obviously was not a party to the email. So frankly, I don’t see how he could testify to that email in his personal knowledge as required by Rule 602.

So for that reason, I don’t think it was properly admitted through that witness. As I said yesterday, we had expected at least two of the researchers to testify based on who was on the government’s list. And I think it would have been properly admissible through those people to explain how the data came into being as the Court ruled prior to trial. So I am going to exclude that email as well as any testimony by Mr. Heide describing his interpretation or views or thoughts on the email. Okay?

Conspiracy theory

This repeated defiance of Judge Cooper was treated as one evidentiary issue after another, usually prosecutors sneaking in hearsay with no basis. Ultimately, however, it was about a more basic ruling Judge Cooper had made, that this trial would not be about a conspiracy theory that Durham wanted to criminalize without charging.

As Berkowitz observed in his close,

This case is not about a giant political conspiracy theory. It’s about a short meeting.

[snip]

So the people who were part of this large political conspiracy theory are the people at HFA, Rodney Joffe, and Fusion GPS. They’re the people that are supposedly involved in this conspiracy.

There will be a lot said about this trial, no matter the verdict. But the serial defiance of the Durham prosecutors was a successful attempt to do something else that Judge Cooper had prohibited: to criminalize, under a conspiracy theory, perfectly legal behavior.

OTHER SUSSMANN TRIAL COVERAGE

Scene-Setter for the Sussmann Trial, Part One: The Elements of the Offense

Scene-Setter for the Sussmann Trial, Part Two: The Witnesses

The Founding Fantasy of Durham’s Prosecution of Michael Sussmann: Hillary’s Successful October Surprise

With a Much-Anticipated Fusion GPS Witness, Andrew DeFilippis Bangs the Table

John Durham’s Lies with Metadata

emptywheel’s Continuing Obsession with Sticky Notes, Michael Sussmann Trial Edition

Brittain Shaw’s Privileged Attempt to Misrepresent Eric Lichtblau’s Privilege

The Methodology of Andrew DeFilippis’ Elaborate Plot to Break Judge Cooper’s Rules

Jim Baker’s Tweet and the Recidivist Foreign Influence Cheater

That Clinton Tweet Could Lead To a Mistrial (or Reversal on Appeal)

John Durham Is Prosecuting Michael Sussmann for Sharing a Tip on Now-Sanctioned Alfa Bank

Apprehension and Dread with Bates Stamps: The Case of Jim Baker’s Missing Jencks Production

Technical Exhibits, Michael Sussmann Trial

Jim Baker’s “Doctored” Memory Forgot the Meeting He Had Immediately After His Michael Sussmann Meeting

The FBI Believed Michael Sussmann Was Working for the DNC … Until Andrew DeFilippis Coached Them to Believe Otherwise

The Visibility of FBI’s Close Hold: John Durham Will Blame Michael Sussmann that FBI Told Alfa Bank They Were Investigating

The Staples Receipt and FBI’s Description of Michael Sussmann Sharing a Tip from Hillary

“and” / “or” : How Judge Cooper Rewrote the Michael Sussmann Indictment

 

Judge Cooper Probes Andrew DeFilippis’ Conspiracy Theory about “Worker Bees” in a “Cabal”

I’m certain that the hearing in the Michael Sussmann case the other day was not laugh-out-loud funny in real time. I’m certain that when Judge Christopher Cooper rules on what can and cannot come in, some of the conspiracy theory that John Durham is pursuing may come in to substantiate the motive he alleges Michael Sussmann had for allegedly hiding the existence of a client in a meeting with FBI General Counsel James Baker. I also recognize that Durham may moot many of these issues by bringing one or several interlocutory appeals before the trial to buy time to continue to spin his conspiracy theories some more.

But when I was reading the part of the transcript pertaining to whether Durham will be able to introduce researcher emails at trial, I started laughing out loud when Judge Cooper said this:

You could call Mr. Joffe.

The comment came after the discussion earlier in the hearing about what kind of evidence Durham might present to prove that Sussmann had a privileged relationship with both the Hillary campaign and Rodney Joffe.

It came after the discussion about whether Durham should be forced to immunize Rodney Joffe or not. That discussion had a lot more nuance than reports I had seen, including that Cooper floated the idea of prohibiting any Durham questions to Joffe about the allegations — that he had Sussmann share information showing the use of a YotaPhone by someone who was sometimes in Donald Trump’s presence — that Durham claims would be the basis of a contract fraud charge against Joffe if the data actually were only available as part of a DARPA contract that didn’t already, for very good cybersecurity reasons, encourage the tracking of such things.

THE COURT: What if the Court were to grant your motion in limine to keep out the information that he provided later to the CIA, and all the YotaPhone stuff is not in the case? Do you believe that Mr. Joffe would — and seeing that that appears to be the basis of the government’s position that there is some continuing exposure, do you think Mr. Joffe would see fit to change his position?

And the hearing, and so therefore this discussion on the conspiracy theory, came before Cooper turns to adjudicating Durham’s bid to pierce privilege claims, a bid which — I have already noted — makes a solid case that Durham should immunize Joffe rather than Fusion GPS’ Laura Seago, whom he plans to call as a witness.

So between the time when Cooper considered ways to make Joffe’s testimony available to Sussmann and the time when he turns to Durham’s false claim that the only possible way of accessing testimony about communications between Joffe and Seago is by calling Seago, the judge noted that one way of accomplishing what Durham claims to want to accomplish, rather than by introducing hearsay emails, would be to call Joffe.

Cooper made the comment to lay out that, if Durham really wanted to present the mindset researchers had as they attempted to understand a DNS anomaly involving a Trump marketing server and Alfa Bank, he could simply call the researchers directly.

And these emails, regardless of the words of any particular one, you’re offering them to show that the researchers had concerns about the data, right? And so you’re offering them for the truth of that proposition, that the folks who were in on this common venture had concerns about the data that Mr. Sussmann wanted to keep in the dark and, therefore, did not reveal to Mr. Baker why he was there. And so, the truth of the emails is that we have concerns.

Now, you know, if that’s a — if that’s an acceptable basis — if that’s relevant, right, you could certainly call those researchers. You could call Mr. Joffe. They could testify about how — you know, what was going on in, you know, those few weeks in August or whenever.

So, A, you know, why do you need the emails? [my emphasis]

In response to that, Andrew DeFilippis tried to spin that the government wasn’t trying to introduce the emails for the truth, but to show the existence of what he claims amounts to a conspiracy. In doing so, DeFilippis described the emails as critical to tying Joffe to the effort to collect the data.

All we’re saying is that the existence of that written record itself might have provided a motive for Mr. Joffe or Mr. Sussmann to tell the lie that we allege he did. Now, that is the government’s secondary argument. The principal argument we’re making, Your Honor, is that these emails show a back-and-forth that tie Mr. Joffe to the data that went into the FBI, that tie Mr. Joffe to the white papers that went into the FBI, and tie Mr. Joffe to the entire effort which, absent that —

THE COURT: Mr. Joffe or Mr. Sussmann?

MR. DeFILIPPIS: First Mr. Joffe. And the reason why that’s important, Your Honor, is, again, because the defendant is alleged to have lied about whether, among other things, he had a relationship with Mr. Joffe, an attorney-client relationship. [my emphasis]

Cooper’s response — Mr. Joffe or Mr. Sussmann — nodded to the fact that Sussmann’s state of mind, not Joffe’s, is what’s on trial. Though shortly thereafter, he noted that the charged lie wasn’t even an attempt to hide Joffe personally.

THE COURT: Well, let’s just — you know, words matter, and let’s just be clear. He wasn’t asked “Are you here on behalf of Mr. Joffe?” and said no. He didn’t say “I’m not here on behalf of Mr. Joffe.”

He said generally, allegedly, he’s not here on behalf of a client, so at this point I’m not sure how relevant Mr. Joffe actually is at the time of the statement.

Indeed, much later, Sussmann’s lawyer noted that there’s no contest Sussmann told Baker he had gotten the allegations from cybersecurity experts.

What do we know is undisputed? That Mr. Baker will testify that Mr. Sussmann said the information was from cyber experts, okay? Not whether it was a client or not, but it was from cyber experts.

Cooper’s discussion of Durham’s conspiracy theory continued through DeFilippis’ effort to acknowledge that he’s not alleging collecting political dirt is illegal — though it may be “improper” — and then admitting this is not a “standard drug case.”

I have not seen one case where the charge is not conspiracy and the alleged conspiracy in which the statements are being made in furtherance of it is not criminal or improper in any way. Would this be the first time?

MR. DeFILIPPIS: Your Honor, I think — so we would not expressly allege to the jury that it was criminal. There are aspects of it that may be improper.

[snip]

And I think, Your Honor, that most — that this hasn’t come up often should not cause the Court to hesitate just because these facts are a bit different than your standard drug case or, you know, your standard criminal case.

And it continued to DeFilippis’ effort to describe why people whose actions preceded the alleged formation of a conspiracy and other people who expressed reservations about joining into this alleged conspiracy would be included in what Cooper dubbed “a cabal.”

THE COURT: Okay. So who was part of this joint venture, in your view?

MR. DeFILIPPIS: So, Your Honor, it would be three principal categories of people. We have the researchers and company personnel who supported Mr. Joffe once they were tasked by Mr. Joffe.

THE COURT: Okay, but they were just tasked. You’ve made the point yourself that some of them, you know, had concerns. Some of them had issues with the data. Some had concerns that what they were doing was proper or not until they were satisfied that it was.

MR. DeFILIPPIS: That’s true, Your Honor, but —

THE COURT: How are they members of this cabal?

[snip]

MR. DeFILIPPIS: — just to distill it down as to each category of people. The thrust of this joint venture was that there was a decision and an effort to gather derogatory Internet-based data about a presidential candidate — about a presidential candidate among these folks. There were the researchers who began doing that, it seems, before Perkins Coie became fully involved, and there are emails we will offer that show that data was being pulled in late July and August. So the researchers were the engine of this joint venture in the sense that they were doing the work, and they were doing — and the emails make clear they were doing it for the express purpose of finding derogatory information in Internet data. So that’s one category. [my emphasis]

I mean, even ignoring the fact that the record shows these researchers were not, in fact, analyzing data for “the express purpose of finding derogatory information in Internet data” — indeed, if one actually cares about national security, their actions might be better understood as an effort to protect Donald Trump from his dishonest campaign manager with a history of laundering money from Putin-linked oligarchs through Cyprus — DeFilippis admitted right here that the research into the data preceded the moment when DeFilippis wants to make it criminal (but not criminal in “your standard drug case” sense).

But Durham’s frothy lead prosecutor wants to treat cybersecurity research as — in Cooper’s word! — a cabal.

DeFilippis then went on to call some of the top cybersecurity researchers in the US, who found and started trying to understand an anomaly on their own volition, “the worker bees who are bringing the data and funneling it into this effort.”

Maybe I have a twisted sense of humor. But I was guffawing at this point.

Judge Cooper, however, capped DeFilippis’ effort with the same question:

THE COURT: And assuming that I agree that it’s relevant, you could get that in by calling witnesses without the emails, correct?

Everything that DeFilippis wants to do — even before he wants to get Laura Seago (who, Sussmann attorney Sean Berkowitz revealed later, would testify that she doesn’t even know about key parts of DeFilippis’ conspiracy theory, starting with Christopher Steele’s involvement) to offer the non-unique testimony about her conversations with Joffe — is best done by calling Joffe as a witness.

I’m not the only one, it seems, who recognizes that some of what Durham wants to do actually depends on calling Joffe as a witness.

Tunnel Vision: Durham Treats Citizens’ Research into Real Paul Manafort Crimes Like a Criminal Conspiracy

On Monday, both John Durham and Michael Sussmann submitted their motions in limine, which are filings to argue about what can be admitted at trial. They address a range of issues that I’ll cover in several posts:

Sussmann:

Durham wants to:

  • Admit witnesses’ contemporaneous notes of conversations with the FBI General Counsel
  • Admit emails referenced in the Indictment and other, similar emails (see this post)
  • Admit certain acts and statements (including the defendant’s February 2017 meeting with a government agency, his December 2017 Congressional testimony, and his former employer’s October 2018 statements to the media) as direct evidence or, alternatively, pursuant to Federal Rule of Evidence 404(b)
  • Exclude evidence and preclude argument concerning allegations of political bias on the part of the Special Counsel (addressed in this post)
  • Admit an October 31, 2016 tweet by the Clinton Campaign

I will link my discussions in serial fashion.


It’s a testament to how deep John Durham is in his conspiracy-driven rabbit hole that he assumes a 24-minute meeting between Marc Elias and Michael Sussmann on July 31, 2016 to discuss the “server issue” pertained to the Alfa Bank allegations. Just days earlier, after all, Donald Trump had asked Russia to hack Hillary Clinton, and within hours, Russian hackers obliged by targeting, for the first time, Hillary’s home office. Someone who worked in security for Hillary’s campaign told me that from his perspective, the Russian attacks on Hillary seemed like a series of increasing waves of attacks, and the response to Trump’s comments was one of those waves (this former staffer documented such waves of attack in real time). The Hillary campaign didn’t need Robert Mueller to tell them that Russia seemed to respond to Trump’s request by ratcheting up their attacks, and Russia’s response to Trump would have been an urgent issue for the lawyer in charge of their cybersecurity response.

It’s certainly possible this reference to the “server” issue pertained to the Alfa Bank allegations. But Durham probably doesn’t know; nor do I. None of the other billing references Durham suggests pertain to the Alfa Bank issue reference a server.

The possibility that Durham is seeing a conspiracy to attack Donald Trump in evidence that could, instead, be evidence of Hillary’s campaign response to an unprecedented nation-state attack, is a worthwhile demonstration of the way the two sides in this case have two entirely different theories of the conspiracy that occurred during that election. That’s particularly apparent given the competing motions in limine seeking both to prohibit and to include a bunch of communications from that period. These motions are not symmetrical. Sussmann moved to,

preclude three categories of evidence and/or arguments that the Special Counsel has suggested it might offer, namely, evidence and arguments concerning: (1) the gathering of DNS data by Mr. Sussmann’s former client Rodney Joffe, and/or other data scientists, and fellow business personnel of Mr. Joffe (collectively “Mr. Joffe and Others”); (2) the accuracy of this data and the accuracy of the conclusions and analysis based on this data; and (3) Christopher Steele and information he separately provided to the Federal Bureau of Investigation (“FBI”) (including the so-called “Steele Dossier”) (all three, collectively, the “Joffe and Steele Conduct”).

Sussmann is not moving to exclude mention of his contact with Fusion GPS or reporters (though he is fighting to keep Christopher Steele out of his trial).

Whereas Durham is seeking to,

(ii) admit emails referenced in the Indictment and other, similar emails, (iii) admit certain acts and statements (including the defendant’s February 2017 meeting with a government agency, his December 2017 Congressional testimony, and his former employer’s October 2018 statements to the media) as direct evidence or, alternatively, pursuant to Federal Rule of Evidence 404(b),

[snip]

(v) admit an October 31, 2016 tweet by the Clinton Campaign.

Ultimately this is a fight about whether Sussmann’s alleged lie amounted to reporting a tip about a real cybersecurity anomaly, as Sussmann maintains, or, as Durham argues, seeding dirt as part of a dirty tricks campaign against Trump.

Predictably, in addition to emails involving Fusion GPS, Durham wants to introduce the emails between Rodney Joffe and researchers — emails to which Sussmann was not privy — as statements of co-conspirators.

In addition, Rule 801(d)(2)(E) authorizes the admission of an out-of-court statement “by a co-conspirator of a party during the course and in furtherance of the conspiracy.” Where a defendant objects to such an admission, however, the district court must find by a preponderance of the evidence that a conspiracy existed and that the defendant and declarant were members of that conspiracy. Bourjaily v. United States, 483 U.S. 171, 175-76 (1987). A court can preliminarily admit hearsay statements of co-conspirators, subject to connection through proof of conspiracy. See United States v. Jackson, 627 F. 2d 1198, 1218 (D.C. Cir. 1980) (approving procedure). To admit a statement under Rule 801(d)(2)(E), the court must find (i) that there was a conspiracy; (ii) that its members included the declarant and the party against whom the statement is offered; and (iii) that the statement was made during the course of and in furtherance of the conspiracy. Bourjaily 483 U.S. at 175.

Importantly, although Rule 801(d)(2)(E) refers to “conspiracy” and “co-conspirators,” the D.C. Circuit has expressly held that “the doctrine is not limited to unlawful combinations.” United States v. Weisz, 718 F. 2d 413, 433 (D.C. Cir. 1983). “Rather, the rule, based on concepts of agency and partnership law and applicable in both civil and criminal trials, ‘embodies the long-standing doctrine that when two or more individuals are acting in concert toward a common goal, the out-of-court statements of one are . . . admissible against the others, if made in furtherance of the common goal.’” United States v. Gewin, 471 F. 3d 197, 201–02 (D.C. Cir. 2006) (citing Weisz, 718 F. 2d at 433)). In quoting and citing the 1974 Senate Advisory Committee note to Rule 801(d)(2)(E), the D.C. Circuit has also explained that “[Rule 801(d)(2)(E)] was meant to carry forward the universally accepted doctrine that a joint venturer is considered as a coconspirator for the purpose of this [R]ule even though no conspiracy has been charged.” Weisz, 718 F. 2d at 433 (citations and quotation marks omitted); United States v. Owens, 484 U.S. 554, 562 (1988) (invoking Advisory Committee note in interpreting Federal Rules of Evidence).

Durham describes the object of that conspiracy as dealing dirt on Donald Trump to the US government and the media.

As an initial matter, the Government expects that the evidence at trial will show that beginning in late July/early August 2016, the defendant, Tech Executive-1, and agents of the Clinton Campaign were “acting in concert toward a common goal,” Gewin, 471 F. 3d at 201–02, namely, the goal of assembling and disseminating the Russian Bank-1 allegations and other derogatory information about Trump and his associates to the media and the U.S. government.

[snip]

More specifically, these emails show that the researchers and Tech Executive-1 were acting in concert with the defendant and others to gather and spread damaging information about a Presidential candidate shortly before the scheduled election.

And that, Durham claims, makes an attempt to understand a cybersecurity anomaly a political act.

In addition, the aforementioned communications demonstrate the materiality of the defendant’s lie insofar as they reveal the political origins and purposes for this work. And those political origins are especially probative here because they provided a motive for the defendant to conceal his clients’ involvement in these matters.

There is a great deal that is alarming and problematic with this schema. For starters, it suggests Sussmann’s response to Eric Lichtblau’s question asking, “I see Russians are hacking away. any big news?” (in what is clearly a follow-up of earlier conversations about the very real attack on Hillary by Russia) was part of a conspiracy and not a legitimate response to an obvious good faith and important question from a journalist.

Emails, billing records, and testimonial evidence to be offered at trial reflect that during approximately the same time period – and before approaching the FBI about these matters – the defendant provided the Russian Bank-1 allegations to a reporter from a major U.S. newspaper.

Many of the problems in Durham’s argument pertain to April Lorenzen, who started looking into this anomaly in June. But Durham — who also wants to make the source of these anomalies an issue at trial — seems to suggest this conspiracy started on some calls and one meeting between Marc Elias, Joffe, and Sussmann that started on August 12.

Testimony at trial will establish that among the individuals whom Tech Executive-1 and Originator-1 enlisted in this project were researchers at University-1 who were assigned to a then-pending federal cybersecurity contract with a U.S. government agency (“Agency-1”). At the time, Tech Executive-1 was negotiating an agreement between his then-employer (“Internet Company-1”) and University-1 to sell large amounts of internet data to the university for use under the Agency-1 contract. The intended purpose of this agreement and University-1’s sensitive work with Agency-1 was to gather and analyze internet metadata in order to detect malicious cyberattacks. As set forth in the Indictment, however, Tech Executive-1 and Originator-1 worked with two of these University-1 researchers (“Researcher-1” and “Researcher-2”) to mine internet data for the purpose of assisting the aforementioned opposition research.

That is, Durham both includes Lorenzen’s earlier actions in his scope and imagines that the conspiracy in question didn’t form until long after she identified the anomaly.

Similarly, Durham holds Sussmann accountable for the eventual articles written by Lichtblau and Franklin Foer, even though Lorenzen was far more involved in that process (and random people like “Phil” who were signing comments as Guccifer 2.0 were also pushing the NYT to write a story). After the FBI killed the initial story, Durham has not shown any evidence that Sussmann was pushing the actual Alfa Bank story until after the Lichtblau and Foer stories were published.

Meanwhile, Durham’s interpretation of this Lorenzen email — written in the wake of Paul Manafort’s firing because his secret influence-peddling for Russian-backed Ukrainian oligarchs had become a campaign liability — is fairly shocking.

NOTE: The Russian money launderers, sometimes assisted by Americans like those you see listed in the PDF [Tech Executive-1] just shared [the Trump Associates List], and others you’ll see in [name redacted]’s next document …. Cyprus is one of the places they like. That’s where [Russian Bank-1]-Forex is organized. Choose .com or .ru when studying their domains … and remember we don’t need a russian IP, domain or company for money to flow from Russians to Trump.

[Russian Bank-1]-* has massive tentacles in so many countries including the USA. Regarding this whole project, my opinion is that from DNS all we could gain even in the best case is an *inference*.

I have not the slightest doubt that illegal money and relationships exist between pro-Russian and pro-Trump, meaning actual people very close to Trump if not himself. And by Putin’s traditional style, people Putin controls, but not himself. He controls the oligarchs and they control massive fortunes and cross nearly all major industries in a vast number of countries.

But even if we found what [Tech Executive-1] asks us to find in DNS we don’t see the money flow, and we don’t see the content of some message saying “send me the money here” etc.

I could fill out a sales form on two websites, faking the other company’s email address in each form, and cause them to appear to communicate with each other in DNS. (And other ways I can think of and I feel sure [Researcher-2] can think of.)

IF [Tech Executive-1] can take the *inference* we gain through this team exercise … and cause someone to apply more useful tools of more useful observation or study or questioning … then work to develop even an inference may be worthwhile.

That is how I understood the task. Because [Tech Executive-1] didn’t tell me more context or specific things. What [name redacted] has been digging up is going to wind up being significant. It’s just not the case that you can rest assured that Hil[l]ary’s opposition research and whatever professional govts and investigative journalists are also digging … they just don’t all come up with the same things or interpret them the same way. But if you find any benefit in what she has done or is doing, you need to say so, to encourage her. Because we are both killing ourselves here, every day for weeks.

I’m on the verge of something interesting with hosts that talk to the list of Trump dirty advisor domain resources, and hosts that talk to [Russian Bank-1]-* domains. Take even my start on this and you have Tehran and a set of Russian banks they talk to. I absolutely do not assume that money is passing thru Tehran to Trump. It’s just one of many *inferences* I’m looking at.

SAME IRANIAN IP THAT TALKS TO SOME TRUMP ADVISORS, also talks to:

[list of domains redacted]

(Capitals don’t mean SUPER SIGNIFICANT it was just a heading.)

Many of the IPs we have to work with are quite MIXED in purpose, meaning that a lot of work is needed to WINNOW down and then you will still only be left in most cases with an *inference* not a certainty. Trump/advisor domains I’ve been using. These include ALL from [Tech Executive-1’s] PDF [the Trump Associate’s List] plus more from [name redacted]’s work:

[list of domains redacted]

[RUSSIAN BANK-1] DOMAINS

[list of domains redacted]

More needs to be added to both lists. [Durham’s bold, my italics]

That’s true in part, because Durham suggests the entirety of this email is part of the conspiracy, but it’s clear that Lorenzen was working with another person, whose name Durham redacts, who seems arbitrarily excluded from it.

But it’s also true because Lorenzen sent it in the wake of Trump’s false claim — made in the same appearance where he asked Russia to hack Hillary some more — that he had no business ties to Russia, when in fact he continued to pursue a Trump Tower deal that would have relied on funding from one of two sanctioned banks. She sent it in the wake of Manafort’s false claims (and Rick Gates’ lies to the press) that served to hide his real ties to Russian-backed oligarchs, including one centrally involved in the Russian effort to tamper in the election, Oleg Deripaska, and his money laundering through Cyprus of payments from those Oligarchs. Manafort was helped in those lies — in the same weeks as Sussmann met with James Baker!!!! — by the son-in-law of Alfa Bank’s co-founder German Khan, Alex Van der Zwaan, who went on to lie about his actions to Mueller. In the same month Sussmann met with Baker, Mueller found probable cause to investigate, Trump got a $10 million infusion from an Egyptian state-owned bank. Lorenzen’s suspicions were not only realistic, but some turned out to be absolutely true.

Similarly, Durham makes much of this email from Lorenzen:

[Tech Executive-1’s] carefully designed actions provide the possibility of: 1. causing the adversaries to react. Stop using? Explain? 2. Getting more people with more resources to find out the things that are unknown, whether those be NON-internet channels of connection between Trump, [Healthcare Company1][owners of Healthcare Company-1], [Russian Bank-1] … money flows, deals, God knows it could be [owners of Healthcare Company-1’s] children married to Russians who run [Russian Bank1]. Or like Researcher-2 shared, someone’s wife vacationing with someone else’s wife.

I have no clue. These are things other people may look into, if they know a direction of interest to look. 3. Legal action to protect our country from people who act against our national interests. I don’t care in the least whether I’m right or wrong about VPN from [Russian Bank-1], [TOR] from Russian Bank-1, or just SMTP artifact pointing to a 3-way connection. [Tech Executive1] has carefully crafted a message that could work to accomplish the goals. Weakening that message in any way would in my opinion be a mistake. [Durham’s bold, my italics]

Here, again, Lorenzen wonders about suspect ties of those married to the children of Alfa Bank’s founders within days of Van der Zwaan taking actions to hide Manafort’s ties to Russian-backed oligarchs.

In other words, Durham treats Lorenzen’s inferences, some of which turned out not just to be right, but to be centrally important to the ongoing Russian attack on the US, as improper dirt on a presidential candidate and not stuff that every citizen of the United States would want to know. Durham is criminalizing a private citizen’s effort (one for which he shows no direct tie to the Clinton campaign) to understand real corruption of Trump and his campaign manager. Durham literally calls this effort to research a political candidate — a core responsibility in a democracy — a “venture to gather and disseminate purportedly derogatory internet data regarding a Presidential candidate.”

This is not the only email that pointed to real criminal evidence pertaining to Russia’s attack in 2016. He cites David Dagon justifying using this data by pointing to the FBI’s investigation into Fancy Bear — the hackers who were in that same month still hacking Hillary and trying to hack election infrastructure.

I believe this is at a threshold of probable cause for violation of Commerce Dept sanctions, FEC elections rules, and has releva[n]cy for the Bureau’s Fancy Bear inquiry, etc. I also have some graphs/animations of the Trump [] router, which I can clean up and contribute. (They merely give a glimpse of aggregate volume, since we lack actual flows.) I’d need until the weekend.

Again, Paul Manafort did turn out to have real ties to the APT 28 operation, Roger Stone appears to have been in direct contact with the GRU-backed persona since before it went public, and Mueller did charge an Oligarch with close ties to Putin, Yevgeniy Prigozhin, with violating FEC election rules. To suggest that it was improper to try to investigate these ongoing crimes in real time — to suggest the investigation is itself a conspiracy — undermines any possibility for a vibrant democracy.

And Durham decided belatedly (Sussmann’s filing makes it clear Durham laid all this out in a March 23 404(b) notice, 5 days past his due date) to argue that all these emails are admissible so he can argue that Joffe asked Sussmann to hide his role in all this so he could hide the emails that show real investigation into real, ongoing crimes.

Indeed, many of the emails’ contents are relevant and not hearsay for the additional reason that they shed important light on the defendant’s and Tech Executive-1’s “intent, motive, or state of mind,” and “help to explain their future conduct.” Safavian, 435 F. Supp. at 45–46. In particular, the mere fact that these emails (i) existed in written form prior to the defendant’s September 19, 2016 meeting with the FBI and (ii) reflected instances of serious doubts about whether the Russian Bank-1 data might have been “spoofed,” a “red herring,” “wrong,” or a product of “tunnel vision” or bias against Trump, provided Tech Executive-1 and the defendant with motive to conceal the origins and provenance of the Russian Bank-1 allegations from the FBI. In particular, a reasonable jury could infer from these and other facts that Tech Executive-1 made the defendant aware of these prior doubts and therefore supplied the defendant – as Tech Executive-1’s representative – with a motive to conceal their client relationship from the FBI General Counsel. A jury could similarly infer that even if Tech Executive-1 did not make the defendant aware of these communications, he nevertheless instructed the defendant to deny the existence of such a client relationship for the same reason (i.e., to avoid the FBI’s potential discovery of the doubts reflected in these prior discussions).

Durham’s conspiracy theorizing is not just a dangerous attack on citizenship. It is also cherry picking. He has left out a number of the people who were pursuing the DNS question, including those — Matt Blaze and others — whom Sussmann said he had consulted with in his meeting with Baker, but put in people that Sussmann did not even know.

Sussmann notes he wasn’t involved in any of this data-gathering, nor was the Clinton campaign.

There cannot be any credible argument that the data-gathering sheds light on Mr. Sussmann’s representation of Mr. Joffe, because there is no evidence that Mr. Sussmann was involved in the data-gathering or that it was being done to give to Mr. Sussmann, as Mr. Joffe’s counsel. It is just as specious to suggest that the data-gathering bears on Mr. Sussmann’s attorney-client relationship with the Clinton Campaign. There is no evidence that the Clinton Campaign directed or was involved in the gathering of data, via Mr. Sussmann or otherwise. Nor is there any evidence of communications on issues pertinent to the Indictment between Mr. Joffe and the Clinton Campaign. As such, the manner in which data was gathered has no bearing on Mr. Sussmann’s attorney-client relationship with the Clinton Campaign.

In what is likely to be a persuasive argument to Judge Cooper, Sussmann argued that the only thing that can be relevant to the charge against him — a false statements charge, not conspiracy to defraud the US — is his state of mind.

Evidence that lacks a connection to the charge or the defendant’s scope of knowledge, including as to the defendant’s state of mind, is decidedly not relevant. See, e.g., United States v. Wade, 512 F. App’x 11, 14 (2d Cir. 2013) (excluding testimony about another act because it “was not temporally or physically linked” to the crime at issue and the “testimony presented a risk of juror confusion and extended litigation of a collateral matter”); United States v. Libby, 467 F. Supp. 2d 1, 15-16 (D.D.C. 2006) (rejecting attempts to “elicit . . . what others were told” as “simply irrelevant to the defendant’s state of mind” in a false statements and perjury case); United States v. George, 786 F. Supp. 56, 64 (D.D.C. 1992) (without the “crucial link” that “defendant knew what information others had,” that information is not material to the defendant’s state of mind in an obstruction and false statements case); United States v. Secord, 726 F. Supp. 845, 848-49 (D.D.C. 1989) (information of which the defendant had no knowledge is necessarily immaterial to the defendant’s state of mind, intent, or motive in a false statements case).

[snip]

First, evidence regarding the accuracy of the data or the conclusions drawn from that data is simply irrelevant to the false statement charge against Mr. Sussmann. Mr. Sussmann is not charged with defrauding the government or with a conspiracy to do that or anything else. There is no allegation or evidence that Mr. Sussmann was privy to any of the communications between Mr. Joffe and Others about the data or its analyses that the Special Counsel misleadingly cites in the Indictment.

I think Durham’s bid to include communications with those (Lorenzen and Manos Antonakakis) Sussmann did not have direct contact with is likely to fail. So most of Durham’s conspiracy theorizing will likely remain on the pages of these filings.

But along the way, Durham’s tunnel vision about 2016 led him to forget to exclude the things that do go to Sussmann’s state of mind, such as the very real Russian attack on Hillary Clinton and Donald Trump’s public call for more such attacks.

So while Durham may be excluded from claiming that a private citizen’s attempt to learn about real crimes by a Presidential candidate before he is elected amounts to a criminal conspiracy, it is too late for Durham now to try to exclude evidence about Sussmann’s understanding of Donald Trump’s very real role in a hack of his client.

The Guy Investigating the Claimed Politicized Hiring of a Special Counsel Insists that the Hiring of a Special Counsel Cannot Be Political

On Monday, both John Durham and Michael Sussmann submitted their motions in limine, which are filings to argue about what can be admitted at trial. They address a range of issues that I’ll cover in several posts:

Sussmann:

Durham wants to:

  • Admit witnesses’ contemporaneous notes of conversations with the FBI General Counsel
  • Admit emails referenced in the Indictment and other, similar emails (see this post)
  • Admit certain acts and statements (including the defendant’s February 2017 meeting with a government agency, his December 2017 Congressional testimony, and his former employer’s October 2018 statements to the media) as direct evidence or, alternatively, pursuant to Federal Rule of Evidence 404(b)
  • Exclude evidence and preclude argument concerning allegations of political bias on the part of the Special Counsel (addressed in this post)
  • Admit an October 31, 2016 tweet by the Clinton Campaign

I will link my discussions in serial fashion.


Here’s how John Durham moved to exclude any evidence that his team was ordered to produce results in time for the 2020 election, bullied witnesses, or treated Hillary Clinton as a more dangerous adversary than Russia.

The Government expects that defense counsel may seek to present evidence at trial and make arguments that depict the Special Counsel as politically motived or biased based on his appointment by the prior administration. Notwithstanding the patently untrue nature of those allegations, such matters are irrelevant to this case and would create a substantial danger of unfair prejudice, confusion, and delay. In particular, the government seeks to preclude the defendant from introducing any evidence or making any argument concerning the circumstances surrounding the appointment of the Special Counsel and alleged political bias on the part of the Special Counsel’s Office. Indeed, the defendant has foreshadowed some of these arguments in correspondence with the Special Counsel and others, and their assertions lack any valid basis.

Only relevant evidence is admissible at trial. Fed. R. Evid. 402. The definition of relevance is inclusive, see Fed. R. Evid. 401(a), but depends on the possibility of establishing a fact that “is of consequence in determining the action,” Fed. R. Evid. 401(b). Evidence is therefore relevant only if it logically relates to matters that are at issue in the case. E.g., United States v. O’Neal, 844 F. 3d 271, 278 (D.C. Cir. 2016); see Sprint/United Management Co. v. Mendelsohn, 552 U.S. 379, 387 (2008). The party seeking to introduce evidence bears the burden of establishing relevancy. Dowling v. United States, 493 U.S. 342, 351 n.3 (1990).

Here, the defendant is charged with making a false statement to the FBI General Counsel in violation of 18 U.S.C. § 1001. A jury will have to decide only whether the defendant knowingly and willfully made a materially false statement to the FBI General Counsel. Nothing more, nothing less. Baseless political allegations are irrelevant to the crime charged. See, e.g., United States v. Regan, 103 F. 3d 1072, 1082 (2d Cir. 1997) (claims of Government misconduct are “ultimately separate from the issue of [a defendant’s] factual guilt”); United States v. Washington, 705 F. 2d 489, 495 (D.C. Cir. 1983) (similar). Evidence or argument concerning these issues should therefore be excluded. See Fed. R. Evid. 402; see, e.g., O’Neal, 844 F.3d at 278; United States v. Stone, 19 CR 18 (D.D.C. Sept. 26, 2019) ECF Minute Order (granting the government’s motion in limine to exclude evidence or argument regarding alleged misconduct in the government’s investigation or prosecution of Roger Stone).

The only purpose in advancing these arguments would be to stir the pot of political polarization, garner public attention, and, most inappropriately, confuse jurors or encourage jury nullification. Put bluntly, the defense wishes to make the Special Counsel out to be a political actor when, in fact, nothing could be further from the truth.[11] Injecting politics into the trial proceedings is in no way relevant and completely unjustified. See United States v. Gorham, 523 F. 2d 1088, 1097-1098 (D.C. Cir. 1975) (upholding trial court’s decision to preclude evidence relevant only to jury nullification); see also United States v. Rushin, 844 F. 3d 933, 942 (11th Cir. 2016) (same); United States v. Castro, 411 Fed. App’x 415, 420 (2d Cir. 2011) (same); United States v. Funches, 135 F.3d 1405, 1408-1409 (11th Cir. 1998) (same); United States v. Cropp, 127 F.3d 354, 358-359 (4th Cir. 1997). With respect to concerns about jury nullification, this Circuit has opined:

[Defendant’s] argument is tantamount to the assertion that traditional principles concerning the admissibility of evidence should be disregarded, and that extraneous factors should be introduced at trial to become part of the jury’s deliberations. Of course a jury can render a verdict at odds with the evidence and the law in a given case, but it undermines the very basis of our legal system when it does so. The right to equal justice under law inures to the public as well as to individual parties to specific litigation, and that right is debased when juries at their caprice ignore the dictates of established precedent and procedure.

Gorham, 523 F.2d at 1098. Even if evidence related to the defendant’s anticipated allegations had “marginal relevance” to this case (which it does not), the “likely (and presumably intended) effect” would be “to shift the focus away from the relevant evidence of [the defendant’s] wrongdoing” to matters that are, at most, “tangentially related.” United States v. Malpeso, 115 F. 3d 155, 163 (2d Cir. 1997) (upholding exclusion of evidence of alleged misconduct by FBI agent). For the foregoing reasons, the defendant should not be permitted to introduce evidence or make arguments to the jury about the circumstances surrounding the appointment of the Special Counsel and alleged political bias on the part of the Special Counsel.

[11] By point of fact, the Special Counsel has been appointed by both Democratic and Republican appointed Attorneys General to conduct investigations of highly-sensitive matters, including Attorneys General Janet Reno, Michael Mukasey, Eric Holder, Jeff Sessions and William Barr. [my emphasis]

Durham stuck the section between an extended section arguing that Judge Christopher Cooper should treat the interlinked investigations — by those working for the Hillary campaign and those, working independently of the campaign, who believed Donald Trump presented a grave risk to national security — into Trump’s ties to Russia as a unified conspiracy and another section asking that Clinton Campaign tweets magnifying the Alfa Bank allegations be admitted, even though the argument to include them is closely related.

Even ignoring how Durham pitches this issue, the placement of this argument — smack dab in the middle of an effort to treat protected political speech he admits is not criminal like a criminal conspiracy — seems like a deliberate joke. All the more so coming from prosecutors who, with their conflicts motion,

stir[red] the pot of political polarization, garner[ed] public attention, and, most inappropriately, confuse[d potential] jurors

It’s pure projection, presented in the middle of just that kind of deliberately polarizing argument. From the moment the Durham team — which relied heavily on an FBI Agent who reportedly sent pro-Trump texts on his FBI phone — tried to enhance Kevin Clinesmith’s punishment for altering documents because he sent anti-Trump texts on his FBI phone, Durham has criminalized opposition to Trump.

And Durham himself made his hiring an issue by claiming that the guy who misrepresented his conflicts motion by using it to suggest that Sussmann and Rodney Joffe should be executed, Donald Trump, is a mere third party and not the guy who made him a US Attorney.

But it’s also misleading, for multiple reasons.

The initial bias in question pertains to covering up for Russia, not helping Republicans

Sussmann’s likely complaints at trial have little to do with the fact that Durham was appointed by a Republican. Rather, a key complaint will likely have to do with the fact that Durham was appointed as part of a sustained campaign to misrepresent the entire set of events leading up to the appointment of his predecessor as Special Counsel, Robert Mueller, by a guy who auditioned for the job of Attorney General based on his claims — reflecting his warped Fox News understanding of the investigation — that the confirmed outcome of that investigation was false.

You cannot separate Durham’s appointment from Billy Barr’s primary goal in returning as Attorney General to undermine the evidence of improper Trump ties to Russia. You cannot separate Durham’s appointment, in the same days as Mueller acquired key evidence in two investigations (the Egyptian bank donation and Roger Stone) that Barr subsequently shut down, from Barr’s attempt to undermine the past and ongoing investigation. You cannot separate Durham’s appointment from what several other DC District judges (Reggie Walton, Emmet Sullivan, and Amy Berman Jackson, the latter twice) have said was Barr’s improper tampering in the Russian investigation.

That is, Durham was appointed to cover-up Trump’s confirmed relationship with Russia, not to attack Democrats. But in order to cover up for Russia, Durham will, and has, attacked the Democrats who were first victimized by Russia for viewing Russia as a threat (though I believe that Republicans were victimized, too).

That bias has exhibited in the following ways, among others:

  • Treating concern about Trump’s solicitation of further hacks by Russia and his confirmed ties to Russian money laundering as a partisan issue, and not a national security issue (something Durham continues with this filing)
  • Treatment, in the Danchenko case, of Charles Dolan’s involvement in the most accurate report in the Steele dossier as more damning than the likely involvement of Dmitry Peskov in the most inflammatory reports that paralleled the secret communications with Dmitry Peskov that Trump and Michael Cohen lied to cover up
  • Insinuations from Andrew DeFilippis to Manos Antonakakis that it was inappropriate for DARPA to ask researchers to investigate ongoing Russian hacks during an election
  • A prosecutorial decision that risks making sensitive FISA information available to Russia that will, at the same time, signal that the FBI won’t protect informants against Russia

There are other indications that Durham has taken probable Russian disinformation that implicates Roger Stone as instead reliable evidence against Hillary.

Durham’s investigation into an investigation during an election was a key prop during an investigation

Another thing Durham may be trying to stave off is Sussmann calling Nora Dannehy as a witness to explain why she quit the investigation just before the election. Even assuming Durham could spin concerns about pressure to bring charges before an election, that pressure again goes to Billy Barr’s project.

When Durham didn’t bring charges, some of the same documents Durham was reviewing got shared with Jeffrey Jensen, whose team then altered several of them, at least one of them misleadingly, to present a false narrative about Trump’s opponent’s role in the investigation. Suspected fraudster Sidney Powell seems to have shared that false narrative with Donald Trump, who then used it in a packaged attack in the first debate.

This is one of the reasons why Durham’s submission of Bill Priestap’s notes in such a way as to obscure whether those notes have some of the same indices of unreliability as the altered filings in the Mike Flynn case matters.

In other words, Durham is claiming that scrutinizing the same kind of questions that Durham himself has been scrutinizing for years is improper.

The bullying

I find it interesting that Durham claims that, “the defendant has foreshadowed some of these arguments in correspondence with the Special Counsel and others,” without citing any. That’s because the only thing in the record is that Sussmann asked for evidence of Durham bullying witnesses to alter their testimony — in response to which Durham provided communications with April Lorenzen’s attorneys.

On December 10, 2021, the defense requested, among other things, all of the prosecution team’s communications with counsel for witnesses or subjects in this investigation, including, “any records reflecting any consideration, concern, or threats from your office relating to those individuals’ or their counsels’ conduct. . . and all formal or informal complaints received by you or others” about the conduct of the Special Counsel’s Office.” Although communications with other counsel are rarely discoverable, especially this far in advance of trial, the Government expects to produce certain materials responsive to this request later this week. The Government notes that it is doing so despite the fact that certain counsel persistently have targeted prosecutors and investigators on the Special Counsel’s team with baseless and polemical attacks that unfairly malign and mischaracterize the conduct of this investigation. For example, certain counsel have falsely accused the Special Counsel’s Office of leaking information to the media and have mischaracterized efforts to warn witnesses of the consequences of false testimony or false statements as “threats” or “intimidation.”

And this set of filings reveals that Durham is still trying to force Rodney Joffe to testify against Sussmann, even though Joffe says his testimony will actually help Sussmann.

In other words, this may be a bid by Durham to prevent evidence of prosecutorial misconduct under the guise of maintaining a monopoly on the right to politicize the case.

Normally, arguments like this have great merit and are upheld.

But by making the argument, Durham is effectively arguing that the entire premise of his own investigation — an inquiry into imagined biases behind an investigation and later appointment of a Special Counsel — is illegitimate.

As we’ll see, what Judge Christopher Cooper is left with is nothing more than competing claims of conspiracy.

Before John Durham’s Originator-1, There Was a Claimed BGP Hijack

In this post, I described that “Phil,” the guy I went to the FBI about because I suspected he had a role in the Guccifer 2.0 persona, had a role in the Alfa Bank story. As noted, Phil’s provable role in pushing the Alfa Bank story in October 2016 was minor and would have no effect on the false statement charge — for an alleged lie told in September 2016 — against Michael Sussmann. But because of Durham’s sweeping materiality claims, it might have an impact on discovery.

It has to do with the theory that Alfa Bank has about the DNS anomalies, a theory that Durham seems to share: that the data was faked.

As Alfa laid out in its now abandoned John Doe lawsuits, it claims that the anomalous DNS traffic that Michael Sussmann shared with the FBI in September 2016 was faked. The bank appears to believe not just that the data was faked, but that April Lorenzen is involved in some way. For example, it describes that Tea Leaves and “two accomplices” were sources for Franklin Foer (though elsewhere, the lawsuit claims that Tea Leaves was pointed to the data by the unknown John Doe defendants).

Durham seems even more sure that Lorenzen is the culprit. For example, he always refers to the data as “purported.” He refers to Lorenzen as “Originator-1” rather than “Data Scientist-1” or “Tea Leaves,” insinuating she fabricated the data. And when Sussmann asked for all evidence indicating that Durham had bullied witnesses, Durham provided emails involving Lorenzen’s lawyers.

Alfa Bank might be excused for imagining that Lorenzen is the primary culprit to have fabricated the data. According to Krypt3ia, when Alfa asked him for his communications, he only had one email, with a different journalist, to share. They quite clearly don’t understand that someone else was involved in publicizing these claims.

Durham doesn’t have the same excuse.

That’s because DOJ – of which Durham remains a part – knows at least some of the details about “Phil” that I laid out in my last post. Because they would have checked Twitter to vet some of my most basic claims, they almost certainly obtained the Twitter DMs (or at least the metadata) showing that Phil brokered the tie between Krypt3ia and the NYT.

To be clear: I have no evidence that Phil altered the DNS records. I’m agnostic about what caused the anomaly (though am convinced that the experts involved believe the anomaly is real, even if they offer varying explanations for the cause). But Durham has made the source of the anomaly an issue to bolster his claims about materiality. And, as Sussmann noted in a recent filing, “Much as the Special Counsel may now wish to ignore the allegations in the Indictment, he is bound by them.” So, it seems, Durham’s on the hook for telling Sussmann if DOJ knows of anyone else involved in pushing the Alfa Bank story who could be a possible culprit for fabricating the data, especially if that person was known to have clandestinely signed a comment, “Guccifer 2.0.”

Phil probably faked a BGP hijack

The fact that Phil alerted the NYT to the Russian proxy of Lorenzen’s data matters not just because he had, months earlier, claimed to work for an FSB-led company and, even before that, claimed to have been coerced by Russian intelligence at an overseas meeting before the known DNC operation started.

It also matters because (I believe) Phil faked an Internet routing record in the same month the Alfa/Trump/Spectrum anomalies started.

In May 2016, Phil shared what he claimed was a traceroute of a request to my site, an Internet routing record that is different than but related to the DNS records at the heart of the Alfa Bank story. The screencap he sent me purported to show that a request to my site had been routed through (to the best of my memory) some L3 routers in Chicago, to Australia, back to those L3 switches, to my site. Phil was claiming to show me proof that someone had diverted requests to my site overseas along the way – what is known as a BGP hijack. Phil showed this to me in the wake and context of a DDOS attack that had brought my site down for days, an attack which led me to rebuild my site, change hosts, and add Cloudflare DDOS protection.

May 2016, the month Phil showed me what I believe to be a faked traceroute, is the same month the anomalous traffic involving Alfa Bank, Spectrum Health, and a Trump-related server started.

Phil used that traceroute to claim that the US intelligence community was diverting and spying on traffic to my website.

The claim made no sense. The only thing that diverting my traffic would get spies is access to my readers’ metadata, which would be readily accessible via easier means, including with a subpoena to my host provider. Aside from a bunch of drafts that I’ve decided didn’t merit publication, there’s no non-public content on my site. I was not competent (and did not ask others) to assess the validity of the screencap itself, but I considered it unreliable because it didn’t show the query or originating IP address behind the record, which would be needed to test its provenance.

I don’t have that original traceroute (I replaced my phone not long after he sent it). But in June 2016 he shared a reverse DNS look-up related to my site that wasn’t altered but in which Phil invoked the earlier one.

I corrected him in this case – this IP address was readily explainable; it was Cloudflare (which Phil surely knew). But Phil nevertheless repeated his earlier claim that “they” were hijacking my traffic.

When I said that Phil had been tracking how requests to my site worked for some time before he left a comment signed [email protected] in July 2016, this weeks-long exchange is what I was referring to. He had, effectively, been watching as I added Cloudflare protection to my site.

These screencaps show that Phil, who months later would play a role in pushing the Alfa Bank story, was using DNS records — real and possibly faked — as a prop in a false story.
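The two checks described in this section can be run mechanically against a pasted traceroute: does the capture state the target and source needed to test its provenance, and are its addresses explained by Cloudflare's published ranges? The following is an added illustration, not part of the original post; the captures, hostnames and the `classify`/`triage` helpers are constructed for the example, and the Cloudflare list is a snapshot of its public IPv4 ranges that should be refreshed before use.

```python
import ipaddress
import re

# Snapshot of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4),
# embedded so the example runs offline. Refresh from the source before relying on it.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Linux traceroute layout: a header naming the target, then numbered hop lines.
HEADER_RE = re.compile(r"^traceroute to (\S+) \((\d+\.\d+\.\d+\.\d+)\)")
HOP_RE = re.compile(r"^\s*(\d+)\s+(?:(\S+)\s+\((\d+\.\d+\.\d+\.\d+)\)|(\*))")

# Constructed sample capture; transit hops use documentation addresses.
FULL_CAPTURE = """
traceroute to example.org (104.16.10.20), 30 hops max, 60 byte packets
 1  gateway (192.168.1.1)  1.021 ms  0.988 ms  0.954 ms
 2  isp-edge.example.net (198.51.100.1)  8.310 ms  8.287 ms  8.254 ms
 3  * * *
 4  transit.example.net (203.0.113.9)  14.772 ms  14.731 ms  14.690 ms
 5  104.16.10.20 (104.16.10.20)  15.102 ms  15.066 ms  15.031 ms
""".strip()

# The same trace as a cropped screenshot would show it: hop lines only.
CROPPED_CAPTURE = "\n".join(FULL_CAPTURE.splitlines()[1:])


def classify(ip_text):
    """Label one address as private, Cloudflare edge, or other."""
    ip = ipaddress.ip_address(ip_text)
    if any(ip in net for net in RFC1918):
        return "private"
    if any(ip in net for net in CLOUDFLARE_V4):
        return "cloudflare"
    return "other"


def triage(capture, source=None):
    """Report what a pasted traceroute does and does not establish.

    `source` is the address the trace was run from; traceroute does not
    print it, so it has to be recorded separately by whoever ran the trace.
    """
    target, hops = None, []
    for line in capture.splitlines():
        header = HEADER_RE.match(line)
        if header:
            target = (header.group(1), header.group(2))
            continue
        hop = HOP_RE.match(line)
        if hop:
            ip = hop.group(3)  # None when the hop did not answer ("* * *")
            hops.append((int(hop.group(1)), ip,
                         classify(ip) if ip else "no-reply"))
    missing = []
    if target is None:
        missing.append("target")  # without the query, the trace cannot be rerun
    if source is None:
        missing.append("source")  # without the origin, the path cannot be compared
    answered = [h for h in hops if h[1]]
    return {
        "target": target,
        "hops": hops,
        "missing": missing,
        # A last hop inside a CDN range means the trace ended at the CDN edge.
        "ends_at_cdn": bool(answered) and answered[-1][2] == "cloudflare",
    }


if __name__ == "__main__":
    for name, cap, src in (("full", FULL_CAPTURE, "192.168.1.50"),
                           ("cropped", CROPPED_CAPTURE, None)):
        result = triage(cap, source=src)
        print(name, "missing:", result["missing"],
              "ends at CDN:", result["ends_at_cdn"])
```

A trace that ends inside a Cloudflare range has reached the CDN edge in front of the site, which is the expected result once a site is placed behind Cloudflare.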

Phil tracked DOD contracts closely

That’s not the only detail that DOJ may know about that Durham should consider before insinuating that Lorenzen is the most likely culprit if this data was fabricated. DOJ may know that Phil tracked DOD contracts very closely. That’s important because it explains how Phil could have learned researchers would be looking closely at DNS records.

For years, I’ve believed that the Alfa-Trump-Spectrum Health effort was disinformation, because so much of what came out that year was and because I viewed the Spectrum Health stuff to be such a reach. My belief it might be disinformation only grew stronger when I discovered the focus on Spectrum Health, with its link to Erik Prince’s sister’s spouse, came just after Prince had asked Roger Stone about his efforts to reach out to WikiLeaks.

Certainly, Putin exploited the allegations afterwards to his advantage. He used them to push Alfa Bank’s Petr Aven to take a primary role in reaching out to Trump during the transition, at least as recounted in the Mueller Report.

According to Aven, at his Q4 2016 one-on-one meeting with Putin,[981] Putin raised the prospect that the United States would impose additional sanctions on Russian interests, including sanctions against Aven and/or Alfa-Bank.[982] Putin suggested that Aven needed to take steps to protect himself and Alfa-Bank.[983]

[981] At the time of his Q4 2016 meeting with Putin, Aven was generally aware of the press coverage about Russian interference in the U.S. election. According to Aven, he did not discuss that topic with Putin at any point, and Putin did not mention the rationale behind the threat of new sanctions

Aven even used Richard Burt, one of the people scrutinized by the Fusion and DNS research, to reach out to Trump, effectively pursuing precisely the back channel between Alfa and Trump that Fusion suspected months earlier.

The relevant part of Aven’s interview is redacted, so it’s not clear whether Aven mentioned that Alfa Bank had been a key focus of the interference allegations. But that’s the presumptive subtext: along with the Steele dossier, the DNS anomaly – both of which, in several lawsuits since, Aven or Alfa have claimed were “gravely damaging” – raised suspicions about Alfa Bank and made it more likely the bank would be sanctioned than had been the case previously.

And before the bank did get sanctioned last month, Alfa was using the DNS anomaly to conduct a lawfare campaign to learn how the US uses DNS tracking to thwart hacks (one wonders if Putin ordered that campaign, like he personally ordered Aven to reach out to Trump). That campaign even got a bunch of frothy right-wingers to decry efforts to prevent and detect nation-state hacks on the US. So at the very least, Russia has exploited the Alfa-Trump allegations to great benefit, one measure of whether something could be deliberate disinformation.

But as I’ve talked to people who’ve tried to figure out what the anomaly was – including experts who believed it did reflect real communication as well as some who didn’t – they always explained that seeding disinformation in such a fashion would be useless. That’s because you couldn’t ensure that any disinformation you planted would be seen. That is, unlike the Steele dossier, which was being collected by an Oleg Deripaska associate and shared with the press (and for which there’s far more evidence Russia used it to plant disinformation), you could never expect the disinformation to be noisy enough to attract the desired attention.

In the years since the original story, how researchers who found the anomalous data obtained the DNS data has driven a lot of the hostility behind it. The researchers have tried to hide where they got the data for proprietary and cybersecurity reasons. John Durham has alleged there was some legal impropriety behind using it, even when used (as the researchers understood they were doing) to research ongoing nation-state hacks. And Alfa Bank was using lawfare to try to find out as much about the means by which this DNS traffic was observed by cybersecurity experts as possible. The full story of how the researchers accessed the data has yet to be reported, but as I understand it, there’s more complexity to the question than initially made out or than has made it into Durham’s court filings. That complexity would make it even harder to anticipate where DNS researchers were looking. So, multiple experts told me, it would be crazy to imagine anyone would have thought to seed disinformation in DNS records expecting it’d get picked up via those collection points in 2016, because no one would have expected anyone was observing all those collection points.

If a Fancy Bear shits in the DNS woods but there’s no one there to see it, did it really happen?

But there was, in fact, a way to anticipate it might get seen.

As the Sussmann indictment vaguely alluded to and this NYT story laid out in detail, researchers found the DNS anomalies in the context of preparing a bid for a DARPA research contract.

The involvement of the researchers traces back to the spring of 2016. DARPA, the Pentagon’s research funding agency, wanted to commission data scientists to develop the use of so-called DNS logs, records of when servers have prepared to communicate with other servers over the internet, as a tool for hacking investigations.

DARPA identified Georgia Tech as a potential recipient of funding and encouraged researchers there to develop examples. Mr. Antonakakis and Mr. Dagon reached out to Mr. Joffe to gain access to Neustar’s repository of DNS logs, people familiar with the matter said, and began sifting them.

Separately, when the news broke in June 2016 that Russia had hacked the Democratic National Committee’s servers, Mr. Dagon and Ms. Lorenzen began talking at a conference about whether such data might uncover other election-related hacking.

The DOD bidding process provided public notice that DARPA was asking researchers to explore multiple ways, including DNS traffic, to attribute persistent hacking campaigns in real time.

The initial DARPA RFP was posted on April 22, 2016, ten days before the anomalous traffic started but well after the Russian hacking campaign had launched (documents FOIAed by the frothers reveal that the project was under discussion for months before that). This RFP provided a way for anyone who tracked DOD contracts closely to know that people would be looking and the announcement itself included DNS records and network infrastructure among its desired measurements. Depending on the means by which DARPA communicated about the contract, it might also provide a way to find out who would be looking and how and where they would be looking, though as I understand it, the team at Georgia Tech would have been an obvious choice in any case.

Phil tracked DOD contracts very closely. In September 2016, for example, he sent me a text alerting me to a new Dataminr contract just 66 minutes after I published a post about the company (I later wrote up the contract).

Phil also told me, verbally, he was checking what contracts DOD had with one of the US tech companies for which a back door was exposed in summer 2016. He claimed he was doing so to see how badly the government had fucked itself with its failure to disclose the vulnerability. By memory (though I am not certain), I believe it was Juniper Networks, in the wake of the Shadow Brokers release of an NSA exploit targeting the company.

And even on top of Phil’s efforts to convince me that the DNC hack wasn’t done by APT 28, DOJ has other evidence that Phil tracked APT attribution efforts closely, even using official government resources to do so. So it would be unsurprising if he had taken an interest in a contract on APT attribution in real time.

Durham may have access to some or all of this

Durham insinuates the DNS records are faked and he appears to want to blame Lorenzen for faking them. But he may be ignoring evidence in DOJ’s possession that someone else who, I’ve now confirmed, played at least a minor role in pushing the Alfa Bank story was using Internet routing records, possibly faked, to support a false story in May 2016.

To be sure: while I know the investigation into Phil continued at least the better part of a year after my FBI interview about him, any feedback I’ve gotten about that investigation has been deliberately vague. So aside from the obvious things – like the Twitter records that would show Phil’s DMs with Krypt3ia and Nicole Perlroth – I can’t be sure what is in DOJ’s possession.

I don’t even know whether the 302 from my FBI interview would mention Phil’s pitch of the Alfa Bank story to me. It was on a list of the things I had intended to describe in that interview. But I didn’t work from the list in the interview itself and I have no affirmative memory of having mentioned it. If I did, it would have amounted to me saying little more than, “he also was pushing the Alfa Bank story.”

That said, unless the FBI agents were epically incompetent, my 302 should mention Alfa Bank, because I’m absolutely certain I raised this post and its emphasis on the inclusion of Alfa Bank in an alarming April 2017 BGP hijack.

And in fact, there’s a way Durham could have found out about Phil’s role in the Alfa Bank story independent of my FBI interview. Of just two people in the US government with whom I shared some of the Alfa Bank-related texts I exchanged with Phil (both were Republicans), one was centrally involved in the investigations that fed into the Durham investigation. If this stuff matters, Durham should ask why several of his key source investigations didn’t focus on it.

Durham should know that Phil had a role in the Alfa Bank story.

And given his insinuations in the indictment that Lorenzen fabricated DNS data in May 2016, making the insinuation part of his materiality claims, Durham may be obligated to tell Michael Sussmann that DOJ already knows of someone who was pushing the Alfa Bank story who used DNS data to tell a false story in May and June 2016.

John Durham Keeps Chasing Possible Russian Disinformation

Yesterday, the two sides in the Michael Sussmann case submitted the proposed jury questions they agree on and some they disagree on.

Durham objects to questions about security clearances and educational background (presumably Durham wants to make it harder for Sussmann to get people who understand computers and classification on the jury).

Sussmann objects to questions about April Lorenzen’s company and Georgia Tech.

He also objects to a question that assumes, as fact, that the Hillary campaign and the DNC “promoted” a “collusion narrative.”

I suspect Sussmann’s objections to these questions are about direct contact. For all of Durham’s heaving and hollering, while Sussmann definitely met with Fusion GPS, of the researchers, the indictment against Sussmann only shows direct contact with David Dagon. Everything else goes through Rodney Joffe. Plus, a document FOIAed by the frothy right shows that Manos Antonakakis believes what is portrayed in the indictment is at times misleading and other times false, which I assume he’ll have an opportunity to explain at trial.

As regards the campaign, as I already noted, when Sussmann asked Durham what proof the Special Counsel had that he was coordinating with the campaign, Durham pointed to Marc Elias’ contacts with the campaign and, for the first time (over a month after the indictment), decided to interview a Clinton staffer.

Sussmann will probably just argue that Durham’s plan to invoke these things simply reflects Durham’s obstinate and improper treatment of a single false statement charge as a conspiracy the Special Counsel didn’t have the evidence to charge.

But Durham’s inclusion of it makes me suspect that Durham wants to use an intelligence report that even at the time analysts noted, “The IC does not know the accuracy of this allegation or the extent to which the Russian intelligence analysis may reflect exaggeration or fabrication.” Nevertheless, John Ratcliffe, who has a history of exaggeration for career advancement, declassified it, unmasked Hillary’s name, and then shared it with Durham.

If Durham does intend to use this, though, it would likely mean Durham would have to share parts of the Roger Stone investigation file with Sussmann. That’s because the report in question ties the purported Clinton plan to Guccifer 2.0.

And as the FBI later discovered, there was significant evidence that Roger Stone had been informed of the Guccifer 2.0 persona before it went public.

That information, along with a bunch of other things revealed about Stone’s activities before this Russian report, suggests the Russian report may actually be an attempt to protect Stone, one that anticipated Stone’s claims in the days after the report that Guccifer 2.0 was not Russian.

Unless Durham finds a way to charge conspiracy in the next two months, Judge Christopher Cooper would do well to prevent Durham from continuing his wild conspiracy theorizing. Because it’s not clear Durham knows where the strings he is pulling actually lead.

John Durham’s Top Prosecutor, Andrew DeFilippis, Allegedly Miffed that DARPA Investigated Guccifer 2.0

Vladimir Putin’s invasion of Ukraine and the sanctions imposed as a result have led lawyers in the US to drop the now-sanctioned Alfa Bank and its owners, leading to the dismissal of the John Doe, BuzzFeed, and Fusion GPS lawsuits filed by Alfa Bank or its owners. That has, for now, brought an end to a sustained Russian effort to use lawfare to discover “U.S. cybersecurity methods and means” (as some of Alfa’s targets described the effort).

But the dismissal of the Alfa Bank suits hasn’t halted the effort to expose US cybersecurity efforts in the guise of pursuing right wing conspiracy theories. Both Federalist Faceplant Margot Cleveland and “online sleuths” goaded, in part, by Sergei Millian have picked up where Alfa Bank left off. In recent days, for example, documents obtained via a Federalist FOIA to Georgia Tech exposed the members of a cybersecurity sharing group, including a bunch at Three-Letter Agencies, which has little news value but plenty of intelligence value to America’s adversaries (these names were released even while someone — either Georgia Tech or the Federalist — chose to redact the contact information for Durham’s investigators, some of which is otherwise public).

Even while doing her part to make America less safe (raising the perennial question of who funds the Federalist), Cleveland has continued to do astounding work misrepresenting Durham’s investigation. From the same FOIA release, she published a document in which research scientist Manos Antonakakis described that chief Durham AUSA Andrew DeFilippis insinuated to him that it was abusive for DARPA to try to discover the network behind the Guccifer 2.0 persona.

Finally, I will leave you with an anecdote and a thought. During one of my interviews with the Special Counsel prosecutor, I was asked point blank by Mr. DeFilippis, “Do you believe that DARPA should be instructing you to investigate the origins of a hacker (Guccifer_2.0) that hacked a political entity (DNC)?” Let that sink in for a moment, folks. Someone hacked a political party (DNC, in this case), in the middle of an election year (2016), and the lead investigator of DoJ’s special counsel would question whether US researchers working for DARPA should conduct investigations in this matter is “acceptable”! While I was tempted to say back to him “What if this hacker hacked GOP? Would you want me to investigate him then?”, I kept my cool and I told him that this is a question for DARPA’s director, and not for me to answer.

Assuming this is an accurate description, this is a shocking anecdote, a betrayal of US national security.

It suggests that Durham’s lead prosecutor doesn’t believe the government should throw its most innovative research at a hostile nation-state attack while that nation-state is attempting to influence an election. Sadly, though, it’s not surprising.

It is consistent with things we’ve seen from Durham’s team throughout. It’s consistent with Durham’s treatment of a loose tie between an indirect and unwitting Steele dossier source and the Hillary campaign as a bigger threat than multiple ties to Russian intelligence (or Dmitry Peskov’s office, which knew that Michael Cohen and Donald Trump were lying about the former’s secret communications with Peskov’s office). It is consistent with Durham’s more recent suggestion that the victim of such a nation-state attack must wait until after an election to report a tip that might implicate her opponent.

I almost feel like DeFilippis will eventually say Hillary should have just laid back and enjoyed being hacked in 2016.

DeFilippis, and Durham generally, have consistently treated Hillary as a far graver threat than Russia, even now, even as Russia conducts a barbaric invasion of a peaceful democracy.

But Antonakakis’ anecdote is all the more troubling because it suggests that DeFilippis seems to misunderstand what happened with the DARPA contract in question in 2016. The Enhanced Attribution RFP’s description of the hacking campaigns it was targeting — “multiple concurrent independent malicious cyber campaigns, each involving several operators” — pretty obviously aims to tackle Advanced Persistent Threats, of which APT 28 and 29 (both of which targeted the DNC) were among the most pressing in 2016. DARPA presumably didn’t ask Antonakakis to focus on Guccifer 2.0 — a persona which didn’t exist when the contract was put up for bid in April 2016, much less in the months earlier when it was originally conceived. Rather, by description, they were asking bidders to look at APTs, and looking at APT 28 would have happened to include looking at Guccifer 2.0, the DNC hack, and a number of hacks elsewhere in the US and the world. The reason DARPA would ask Georgia Tech to look at APT 28 is because APT 28 was hacking a lot of targets in the time period, all of which provided learning sets for a researcher like Antonakakis. DeFilippis, then, seems miffed that the APT that DARPA wanted to combat happened to be one of two that targeted Hillary.

That’s a choice Russia made, not DARPA.

While I think Cleveland did serious damage with some of her releases, I’m glad she released this document because it provides a way for Michael Sussmann to make DeFilippis’ troubling views on national security a central issue at trial, something that normally is difficult to do.

It also provided Cleveland another opportunity to faceplant in spectacular trademark Federalist fashion. Cleveland used this document to rile up the frothers by suggesting this is proof that Durham is investigating the DNC attribution.

Exclusive: Special Counsel’s Office Is Investigating The 2016 DNC Server Hack

The U.S. Department of Defense tasked the same Georgia Tech researcher embroiled in the Alfa Bank hoax with investigating the “origins” of the Democratic National Committee hacker, according to an email first obtained by The Federalist on Wednesday. That email also indicates the special counsel’s office is investigating the investigation into the DNC hack and that prosecutors harbor concerns about the DOD’s decision to involve the Georgia Tech researcher in its probe.

[snip]

The public storyline until now had been that CrowdStrike, the cybersecurity firm Sussmann hired in April 2016, had concluded Russians had hacked the DNC server, and that the FBI, which never examined the server, concurred in that conclusion. Intelligence agencies and former Special Counsel Robert Mueller likewise concluded that Russian agents were behind the DNC hack, but with little public details provided.

It now appears that DARPA had some role in that assessment, or rather Antonakakis did on behalf of DARPA, which leads to a whole host of other questions, including whether DARPA had access to the DNC server and data and, if so, from whom did the DOD’s research arm get that access? Was it Sussmann?

There’s no reason to believe this and every reason to believe that — as I said — DeFilippis is pissed that DARPA prioritized their research on a target that was badly affecting national security (and not just in US, but also in allied countries) in 2016, one that happened to attempt to help Trump get elected.

But look how many errors Faceplant’s Cleveland made in the process:

Cleveland repeats the Single Server Fallacy, imagining that the DNC, DCCC, and Hillary had just one server between them to be hacked and all the servers that got hacked were in the possession of one of those victims. That’s, of course, ridiculous. The server that GRU hacked to get John Podesta’s emails belonged to Google. The server that GRU hacked to get Hillary’s analytics belonged to AWS. There was a staging server in AZ; I have been told that the FBI seized at least one US-based server that did not belong to the DNC (that server is why the frothy right’s focus on what Shawn Henry testified to HPSCI is so painfully ignorant — because it ignores that the FBI had access to servers that Henry did not that did show exfiltration).

Cleveland apparently doesn’t know that FBI knew who was hacking the DNC when they warned them starting in September 2015 they were being hacked. The FBI’s awareness of that not only explains why APT 29 and 28 would have been included in DARPA’s targets for EA, but proves that the government was tracking these hacking groups above and beyond the attack on Hillary. This was never just a reaction to the election year hack.

Cleveland claims Mueller’s attribution of the DNC hack to the GRU provided “little public details,” when in fact the Mueller Report showed 29 sources other than CrowdStrike, including:

  • Gmail
  • LinkedIn
  • Microsoft
  • Facebook
  • Twitter
  • WordPress
  • ActBlue
  • AWS
  • AOL
  • Smartech Corporation
  • URL shortening service
  • Bitcoin exchanges
  • VPN services

According to Mueller’s report, all these sources also corroborated the GRU attribution. And Mueller’s list doesn’t include a number of other known entities that corroborated the attribution, including NSA and Dutch intelligence, which couldn’t be named in a public DOJ document. Mueller’s list doesn’t include Georgia Tech either, but it wouldn’t need to, because there was so much other evidence.

The Mueller Report described obtaining almost 500 warrants, but the released list — from which FBI’s Cyber Division successfully withheld those pertaining to the GRU investigation — only includes around 370-400 warrants (based on 156 pages of warrants with roughly three per page), suggesting there may be 100 warrants tied to the GRU attribution alone.

By the time Antonakakis started looking at the DNC hack as part of EA, multiple entities, including several Infosec contractors, non-US intelligence services, and non-governmental entities like tech giants (including at least three of the ones on Mueller’s list), had plenty of evidence that the Guccifer 2.0 campaign was run by APT 28. Including Guccifer 2.0 as part of the research set would simply be part of the existing targeting of a dangerous APT.

But apparently neither DeFilippis nor Cleveland understands that 2016 was part of an ongoing identified threat to US national security.

One thing Putin did in 2016 was to use disinformation to train the frothy right to favor Russia more than fellow Americans from the opposing party. Even as Russia attacks Ukraine, that still seems to be true.