FBI and DHS Aren’t Using the Free Expertise on Right Wing Terrorism While Looking to Pay for It

There was a remarkable moment in the Homeland Security/Rules hearing on January 6 the other day. Kyrsten Sinema asked whether FBI knew of the conversations on social media where people were openly planning for insurrection. FBI’s Assistant Director for Counterterrorism, Jill Sanborn, explained they did not know of them because the Bureau couldn’t collect on the social media of Americans without a predicated investigation.

Kyrsten Sinema: Was the FBI aware of these specific conversations on social media?

Jill Sanborn: To my knowledge, no ma’am, and I’ll just sort of articulate why that is. So under our authorities, because, being mindful of the First Amendment and our dual-hatted mission to uphold the Constitution, we cannot collect First Amendment protected activities without, sort of the next step, which is the intent, and so we’d have to have an already-predicated investigation that allowed us access to those comms and/or a lead or a tip or a report from a community citizen or a fellow law enforcement partner for us to gather that information.

Sinema: So the FBI does not monitor publicly-available social media conversations?

Sanborn: Correct, ma’am, it’s not within our authorities.

For what it’s worth, Sanborn’s first comment was about collecting on social media. Sinema then treated that as a limitation on monitoring it (and Sanborn didn’t correct her). Still, Sanborn explained away FBI’s failure to see the insurrection many of the rest of us were seeing develop in real time by saying that discovering it would have required tracking Americans’ protected speech.

A more revealing moment came elsewhere, when Sanborn revealed that just one person who has been arrested in the wake of the attack had already been under investigation. That means, in spite of the Proud Boys’ threat, with Roger Stone, against Amy Berman Jackson two years ago, the FBI didn’t have an enterprise investigation into them (or the Oath Keepers or a range of other extremist organizations involved in the attack). So, because the FBI was not investigating the Proud Boys, the Proud Boys were able to plan an insurrection in plain sight.

That has changed, of course.

Later in the hearing, Mark Warner — citing all the FBI’s warnings in recent years about what a lethal threat white supremacist terrorism is — asked both Sanborn and the woman currently running DHS’ Office of Intelligence and Analysis, Melissa Smislova, what they’re doing to improve things and whether they’re using any of the open source experts out there.

Sanborn talked about working with “partners” (which I took to mean social media companies) and Fusion centers. Smislova revealed that DHS is looking to contract with experts on the topic, rather than read what those experts produce on a regular basis.

Mark Warner: I appreciate Ms. Sanborn’s appropriate response that they not arbitrarily collect off of American citizens if there’s not some nexus, but I do think it’s important, I think others have mentioned this that Domestic Violent Extremists didn’t start with January 6. They didn’t start with Donald Trump. They’re not going to end with January 6. They’re not going to end with Donald Trump. In my state we saw, a few years back, the Unite the Right rally at Charlottesville where many of these same groups and affiliations came together in another violent effort where one protestor was killed, we unfortunately lost a couple members of our State Police. Director Wray has repeatedly said in testimony before the Intelligence Committee, the Worldwide Threat Assessment, that Domestic Violent Extremists are a major national security threat to this country. I personally believe that that message was downplayed during the previous Administration because they didn’t want to hear it. I want to start with Ms. Smislova and Assistant Director Sanborn — Director Sanborn it’s great to see you again — is that, recognizing the constraints that are placed upon you in terms of collections, and also acknowledging that this threat has been around for some time. The FBI in particular has acknowledged that it is an extraordinary major severe threat, what have you both been able to do in engaging in open source intelligence and independent research communities to better identify these DVEs. I know in the run-up to the January 6 insurrection there was research done by Harvard’s John Donovan and Elon University’s Megan Squire as well as other researchers that pointed to the fact that these DVEs and affiliated groups, oftentimes groups that are working in conjunction with groups in Europe, were planning this effort.
So how are you both, DHS and FBI, utilizing these independent researchers, these open source activities, and making sure we’ve got a better handle on it, recognizing your appropriate constraints on what you can do directly?

Melissa Smislova: Yes, Senator, thank you for the question. We just last week met as, as inside I&A, to discuss contracting with some of those experts outside. We are aware that we need to invest more in our understanding of Domestic Terror, we understand as well that it will require a different approach than a traditional Intelligence Community approach, we must use different sources to understand this threat, we are looking to get outside experts, invest more in-house, we are secondly looking at how to better understand the social media world, so we can better focus on where we might find specific and insightful information about what the adversary is thinking about. We are additionally looking to partner more with our state and local colleagues who we know have a different perspective on this threat and have more information, in some cases, than we do, and we are also, again, partnering more across the department and with our federal partners, increasing our relationships with FBI.

Warner: Ms. Sanborn?

Jill Sanborn: Thank you Senator, nice to see you again as well. I’d sort of say what we’re trying to do, and I’ll put it in three buckets, really, for you. Increasing our private sector is 100%, I have a section just inside my division that does nothing but partner engagement. We have found that the better we educate them on the threat we’re facing and painting a picture for them of what those threats we are, they’re better able to pay attention and collect and refer information to us and that is helpful and that’s when we talk about the fact that 50% of our tips and leads to our cases, or predication for our cases come from that relationship and that education. We’re also, same as my colleague said, using the state and local partners, so we leverage the Fusion centers a lot and their ability and their expertise — and the Orange County Fusion Center is a great example of leading, sort of, the analytics of social media and leveraging their expertise to predicate cases and they were actually behind the predication of the case, The Base, that we disrupted. And then last, I’d say, challenging ourselves for better collection inside, right, trying to point our sources and our collection to be in the right places to collect the intelligence that we need and that is what led to the Norfolk SIR, that is us pointing our collection in a space that gathered that information.

Warner: I have to tell you, respectfully, I’m pretty disappointed with both of your answers. This is not a new threat, we’ve seen since 2016 election how foreign adversaries manipulate social media, hear repeatedly from DHS and FBI that we’re going to get better at collecting. We saw the Unite the Right rally in Charlottesville. We heard people say we’re gonna get better at collecting information and better partnering, neither one of your referenced — there’s literally a host of experts at academia, at organizations like Graphika, and others that are monitoring the DVEs and their activities, oftentimes in their connections to anti-government groups in Europe, again, oftentimes amplified by nations like Russia, and I guess we’re always going to get ready and we’re somehow surprised when we see the kind of chaos that took place on January 6th.

Mark Warner proceeded to chew out both FBI and DHS’s witnesses given that, even after he raised open source expertise available, neither mentioned relying on it.

I hope Warner is paying attention to Huffington Post’s recent reporting. On February 26, relying on the work of some anti-fascist researchers, HuffPo identified Danny Rodriguez as the likely culprit behind the tasing of DC cop Michael Fanone, which led him to suffer a mild heart attack. HuffPo also reported that the FBI had gotten tips IDing Rodriguez in January, but had done nothing to call those who submitted the tips until HuffPo called the Bureau for comment.

The man in the red “MAKE AMERICA GREAT AGAIN” hat seemed to think he was untouchable. He joined the mob as they yelled “HEAVE! HO!” and tried to force their way through a police line into the Capitol building. Once inside, he used a pole to ram against a window, trying to shatter it and bring more people into the Capitol. In the most disturbing footage of all, he was caught on camera appearing to shock D.C. Metropolitan Police Officer Mike Fanone with a stun gun. As rioters push Fanone down the stairs and away from other cops, video shows the man in the red cap pressing a small black device against the officer’s neck. Fanone instantly drops to the ground, swallowed by the mob.

[snip]

His assailant in the red MAGA hat, who has been at large since the insurrection, is 38-year-old Daniel Joseph Rodriguez from Fontana, California, HuffPost can confirm.

Rodriguez, who goes by “Danny” and “DJ,” is well known among Trump supporters in the Los Angeles area as a superfan of the former president. Multiple news outlets have featured him in their coverage of the local pro-Trump movement in recent years, in articles that included his name and photo. He regularly attended the weekly Trump rallies in Beverly Hills last year. He was recognizable there by his dark-rimmed glasses and the many distinctive pins on his hat, which has a big GOP elephant symbol on the brim.

[snip]

Two separate anti-fascist activists ― as well as a third witness who supported Trump and called himself a former friend of Rodriguez ― reviewed footage of the man at the Capitol and told HuffPost they recognized Rodriguez from the California rallies.

The FBI received tips about Rodriguez last month, including one from a man he assaulted on video at a Los Angeles-area rally. But it wasn’t until hours after a HuffPost inquiry to the bureau for this story that the tipster heard from an FBI special agent with questions specifically about a man named “Danny Rodriguez.”

Then, yesterday, HuffPo revealed another case where a researcher sent in a tip only to have no visible response from the FBI. Shortly after January 20, SeditionHunter “Amy” identified Robert Scott Palmer as the guy in an American flag jacket who sprayed a fire extinguisher at cops.

With bright red and white stripes across his body and stars down his sleeves, the man in the American flag jacket and “FLORIDA FOR TRUMP” hat wielded a fire extinguisher while charging the U.S. Capitol on the afternoon of Jan. 6. He shoved his way through the crowd of rioters to the police line, then sprayed officers at close range before chucking the emptied canister at them. By nightfall he himself had been lightly harmed, apparently by a police crowd control munition. He held up his shirt to show off his bruised gut during an interview with a female journalist filming him live as cops pushed the mob back from Capitol grounds. Then he looked straight into her livestreaming device and identified himself as Robert Palmer from Clearwater, Florida.

[snip]

Palmer is now publicly on the FBI’s radar, though not by name. Three photos of him are featured on the bureau’s Capitol violence page, where he’s listed only as “#246 – AFO [Assault on Federal Officer].” But the images didn’t appear there until nearly a month after Amy had already tipped off the FBI about his identity.

#FloridaFlagJacket was used as a hashtag on Twitter less than a week after the Capitol attack, when Trump was still in office. Amy sent in a tip naming Palmer not long after President Joe Biden was inaugurated. His photos were finally added to the FBI database in late February.

It’s not just online researchers whose tips the FBI isn’t moving on quickly. On January 11, someone who knew Peter Schwartz as a felon who had gotten released from prison due to COVID alerted the FBI that Schwartz had skipped out on his halfway house to attend the rally (the tipster was friends with Schwartz but Schwartz owed him money). The FBI subsequently identified Schwartz as the person who maced some cops.

On January 11, 2021, the FBI National Threat Operations Center (NTOC) received a tip from an individual (hereinafter W-1) who is personally acquainted with SCHWARTZ. In the tip, W-1 reported that “Pete SCHWARTZ” was involved in the Capitol riots. W-1 stated SCHWARTZ is a felon and was released from prison due to COVID-19. W-1 also stated that SCHWARTZ is employed as a traveling welder. According to W-1, SCHWARTZ was supposed to be at a rehabilitation facility in Owensboro, Kentucky on January 6, 2021. However, W-1 saw a picture of SCHWARTZ on the Capitol Building steps that appeared to have been taken on January 6, 2021. As part of the tip, W-1 also provided the Facebook URL for what he claimed was SCHWARTZ’s Facebook page. W-1 did not provide any other photographs, however. Due to the volume of tips provided to the FBI since January 6, 2021 – which stands at over 150,000 as of January 26, 2021 – the FBI was not able to immediately contact W-1 regarding the information that W-1 provided and did not immediately link SCHWARTZ to the individual who repeatedly maced officers at the Capitol.

Schwartz wasn’t arrested until February 4.

Still, that’s less time than these other tips.

The FBI, perhaps justifiably given the flood of data they’re dealing with, seems to value tips from suspects’ direct associates rather than online tipsters. The vast majority of tips they have acted on do come from people who know a suspect directly, often their family or friends or high school classmates.

But many of these researchers have been doing what FBI claims it cannot do (or could not before an insurrection gave them the predicated investigation permitting them to do so): connect the dots from public social media.

Instead, DHS is looking to pay people for the assistance people are trying to give the FBI for free.

Chain of Command: The AWOL Descriptions of the Commander in Chief’s Role in the National Guard Non-Response on January 6

The only formal explanation Trump has offered to describe his role in deploying the National Guard in response to the attack on the Capitol on January 6 came in his impeachment defense. As part of that defense, Bruce Castor pointed to things he claimed happened before Trump’s speech ended. In Castor’s inaccurate portrayal of the timeline, he suggested that the first action Acting Secretary of Defense Christopher Miller took was when, at 1:05 (which Castor said was 11:05), Miller “received open source reports of demonstrator movements to the U.S. Capitol.” He continued to claim that,

At 1:09 PM, US Capitol Police Chief Steven Sund called the House and Senate Sergeants at Arms, telling them he wanted an emergency declared and he wanted the National Guard called. The point: given the timeline of events, the criminals at the Capitol were not there to even hear the President’s words. They were more than a mile away engaged in a preplanned assault on this very building.

Admittedly, this was probably no more than an incompetent parroting of the existing timeline released by DOD. It’s possible that Trump’s lawyers didn’t ask him what happened inside the White House that day, because if they did, it would not help their case.

Still: Trump’s own defense claimed that the first thing that Acting Secretary Miller did in the matter was at 1[1]:05 on January 6.

That’s mighty interesting because there have been two claims that Trump proactively offered up National Guard troops for January 6 in the days beforehand. The first came in a Vanity Fair piece written by a journalist that Trump’s DOD flunkies permitted to embed with them (he requested to do so before the insurrection, but didn’t start his embed until January 12, meaning the claims reported in this article were retrospective). That piece claimed that, the night before the attack, Trump told DOD they would need 10,000 people.

The president, Miller recalled, asked how many troops the Pentagon planned to turn out the following day. “We’re like, ‘We’re going to provide any National Guard support that the District requests,’” Miller responded. “And [Trump] goes, ‘You’re going to need 10,000 people.’ No, I’m not talking bullshit. He said that. And we’re like, ‘Maybe. But you know, someone’s going to have to ask for it.’” At that point Miller remembered the president telling him, “‘You do what you need to do. You do what you need to do.’ He said, ‘You’re going to need 10,000.’ That’s what he said. Swear to God.”

[snip]

“We had talked to [the president] in person the day before, on the phone the day before, and two days before that. We were given clear instructions. We had all our authorizations. We didn’t need to talk to the president. I was talking to [Trump’s chief of staff, Mark] Meadows, nonstop that day.”

[snip]

What did Miller think of the criticism that the Pentagon had dragged its feet in sending in the cavalry? He bristled. “Oh, that is complete horseshit. I gotta tell you, I cannot wait to go to the Hill and have those conversations with senators and representatives.”

[snip]

Miller and Patel both insisted, in separate conversations, that they neither tried nor needed to contact the president on January 6; they had already gotten approval to deploy forces. However, another senior defense official remembered things quite differently, “They couldn’t get through. They tried to call him”—meaning the president.

So according to Acting Secretary of Defense Christopher Miller, Trump had given him “clear instructions” to “do what you need to do,” and had warned him to have thousands of Guardsmen available. Miller said he was speaking non-stop to Mark Meadows, though an anonymous source stated that they tried but failed to get the President on the line.

Long after impeachment and even after his CPAC speech, Trump went to Fox to make the same claim that appeared in Vanity Fair.

Former President Trump told Fox News late Sunday that he expressed concern over the crowd size near the Capitol days before last month’s deadly riots and personally requested 10,000 National Guard troops be deployed in response.

Trump told “The Next Revolution With Steve Hilton” that his team alerted the Department of Defense days before the rally that crowds might be larger than anticipated and 10,000 national guardsmen should be ready to deploy. He said that — from what he understands — the warning was passed along to leaders at the Capitol, including House Speaker Nancy Pelosi — and he heard that the request was rejected because these leaders did not like the optics of 10,000 troops at the Capitol.

“So, you know, that was a big mistake,” he said.

Fox and other Trump mouthpieces have suggested that Nancy Pelosi rejected the Guard. That’s false. According to then Capitol Police Chief Steve Sund, House Sergeant at Arms Paul Irving did.

On Monday, January 4, I approached the two Sergeants at Arms to request the assistance of the National Guard, as I had no authority to do so without an Emergency Declaration by the Capitol Police Board (CPB). My regular interactions with the CPB, outside of our monthly meetings regarding law enforcement matters, were conducted with the House and Senate Sergeant at Arms, the two members of the CPB who have law enforcement experience. I first spoke with the House Sergeant at Arms to request the National Guard. Mr. Irving stated that he was concerned about the “optics” of having National Guard present and didn’t feel that the intelligence supported it. He referred me to the Senate Sergeant at Arms (who is currently the Chair of the CPB) to get his thoughts on the request. I then spoke to Mr. Stenger and again requested the National Guard. Instead of approving the use of the National Guard, however, Mr. Stenger suggested I ask them how quickly we could get support if needed and to “lean forward” in case we had to request assistance on January 6.

Notably, Sund’s request and Irving’s response occurred before the conversation between Miller and Trump purportedly took place the night before the attack (which was far too late to deploy 10,000 people in any case). Moreover, Pelosi, Zoe Lofgren, and Mark Warner, among others, raised concerns about staffing for the day, so it’s not like Democrats weren’t raising the alarm.

Still, over a month after making no such claim as part of his Impeachment defense, Trump and his flunkies want to claim that Trump was proactive about deploying 10,000 people to defend the Capitol against his most ardent supporters.

That’s interesting background to the testimony offered by Robert Salesses, the “Senior Official Performing the Duties of the Assistant Secretary for Homeland Defense and Global Security,” in a joint Rules/Homeland Committee hearing on January 6 yesterday. As several people noted during the hearing, for some reason DOD sent Salesses, who wasn’t involved in the key events on January 6, rather than people like General Walter Piatt or General [Mike’s brother] Charles Flynn — who were on a call with MPD Chief Robert Contee and Sund on January 6 and who have made disputed claims about what occurred, including that Piatt recommended against sending the Guard because of optics. Effectively, Salesses was repeating what others told him, offering no better (indeed, more dated) information than Vanity Fair was able to offer. Salesses apparently called General Piatt the day before and dutifully repeated Piatt’s claim that he did not use the word, “optics,” which DC National Guard Commander General William Walker had just testified did occur.

General Piatt told me yesterday, Senator, that he did not use the word, “optics.”

Salesses then gave more excuses, explaining,

Senator, in fairness to the committee, General Piatt is not a decision-maker. The only decision-makers on the Sixth of January were the Secretary of Defense and the Secretary of the Army Ryan McCarthy. It was a chain of command from the Secretary of Defense to Secretary McCarthy to General Walker. That was the chain of command.

General Walker, the Commander of the DC National Guard, responded by reiterating the response he had gotten from Piatt (and the brother of the guy who had incited many of the insurrectionists), implicitly correcting Salesses about the chain of command. The Commander in Chief, of course, is in that chain of command.

Yes, Senator. So the chain of command is the President, the Secretary of Defense, the Secretary of the Army, [points to self] William Walker Commanding General District of Columbia National Guard.

After General Walker described more of the restrictions placed on him ahead of time, including the preapproval before moving a traffic control point from one block to another (which restriction, Walker said, he had never experienced in 19 years) and the issuance of riot gear, Salesses made more excuses (repeating his silence about the President’s role in the chain of command). Remarkably, he described how Ryan McCarthy dithered from 3:04 until 4:10 because shots had been fired at the Capitol.

Salesses: Sir, Secretary Miller wanted to make the decisions on how the National Guard was going to be employed on that day. As you recall, Senator, the spring events, there was a number of things that happened during those events, that Secretary Miller as the Acting Secretary –

Rob Portman: Clearly he wanted to. The question is why? And how unusual. Don’t you think that’s unusual based on your experience at DOD?

Salesses: Senator, there was a lot of things that happened in the spring that the Department was criticized for — Sir, if I could. Civil Disturbance Operations? That authority rests with the Secretary of Defense. So if somebody’s gonna make a decision about employing military members against US citizens in a Civil Disturbance Operation —

Salesses: At 3:04, Secretary Miller made the decision to mobilize the entire National Guard. That meant that he was calling in all the National Guard members that were assigned to the DC National Guard. At 3:40–at 3:04 that decision was made. Between that period of time — between 3:04 and 4:10, basically, Secretary McCarthy had asked for — he wanted to understand, because of the dynamics on the Capitol lawn, with the explosives, obviously shots had been fired, he wanted to understand the employment of how the National Guard was going to be sent to the Capitol: what their missions were going to be, were they going to be clearing buildings, be doing perimeter security, how would they be equipped, he wanted to understand how they were going to be armed because, obviously, shots had been fired. He was asking a lot of questions to understand exactly how they were going to be employed here at the Capitol, and how many National Guard members needed to be deployed to the Capitol.

When asked whether restrictions placed on Walker hampered his defense, yes or no, Salesses again invoked the chain of command, again leaving out the Commander-in-Chief.

Senator, General Walker, in fairness to him, can’t respond to a civil defense — a Civil Disturbance Operation without the authority of the Secretary of Defense.

Finally, Salesses explained a further 36-minute delay, from 4:32 until 5:08, when Walker was given approval to move, this way:

Salesses: In fairness to General Walker too, that’s when the Secretary of Defense made the decision, at 4:32. As General Walker has pointed out, cause I’ve seen all the timelines, he was not told that til 5:08.

Roy Blunt: How is that possible, Mr. Salazar [sic], do you think that the decision, in the moment we were in, was made at 4:32 and the person that had to be told wasn’t told for more than a half an hour after the decision.

Salesses: Senator, I think that’s an issue.

It’s not just that the people who were actually involved didn’t show up to explain all this to Congress. It’s not just that there were big gaps in the timeline, or gaps explained by dithering even after DOD learned about explosives and shots fired.

It’s that the guy sent to provide improbable answers seems to have removed the Commander-in-Chief, who was watching all this unfold on TV and now wants credit for proactively telling DOD they would need at least 10,000 people, from the chain of command he used to justify the delay.

That’s all the more striking given that — as Dana Milbank noted — the delay until Miller’s authorization (to say nothing of the 36-minute delay in informing Walker) also meant that DOD did not respond until after Trump had instructed his insurrection to go home.

Curiously, the Pentagon claims Miller’s authorization came at 4:32 — 15 minutes after Trump told his “very special” insurrectionists to “go home in peace.” Was Miller waiting for Trump’s blessing before defending the Capitol?

DOD’s selected witness yesterday said that General Walker couldn’t send the Guard to help protect the Capitol because of the chain of command. But the Commander-in-Chief seems to be AWOL from that chain of command.

Update: On Twitter AP observed that there is a discrepancy between Miller’s 10,000 person claim and Trump’s: Trump says it happened days before January 6, which would place it before Miller’s letter imposing new restrictions on the Guard.

Journalists May Be Most at Risk (as Described) from a Presumed January 6 GeoFence Warrant

On February 22, the Intercept had a thinly sourced story reporting (heavily relying on one “recently retired senior FBI official” whose motive and access weren’t explained and one other even less-defined source) on methods used in the January 6 investigation. It started by describing something unsurprising (some of which had been previously reported): that the FBI was using emergency legal authorities to conduct an investigation in the wake of an insurrection.

Using special emergency powers and other measures, the FBI has collected reams of private cellphone data and communications that go beyond the videos that rioters shared widely on social media, according to two sources with knowledge of the collection effort.

In the hours and days after the Capitol riot, the FBI relied in some cases on emergency orders that do not require court authorization in order to quickly secure actual communications from people who were identified at the crime scene. Investigators have also relied on data “dumps” from cellphone towers in the area to provide a map of who was there, allowing them to trace call records — but not content — from the phones.

From there, the story made conclusions that were not borne out by the evidence presented (which is not to say that such conclusions won’t one day be supported).

In particular, the story suggested that these investigative methods were used to investigate Congress, likewise suggested that the involvement of Public Integrity prosecutors must mean members of Congress are already the focus of the investigation, and further suggested that the location data collection was tied to the investigation of members of Congress.

The cellphone data includes many records from the members of Congress and staff members who were at the Capitol that day to certify President Joe Biden’s election victory.

[snip]

The Justice Department has publicly said that its task force includes senior public corruption officials. That involvement “indicates a focus on public officials, i.e. Capitol Police and members of Congress,” the retired FBI official said.

To make the insinuation, the story misstates the intent of a Sheldon Whitehouse statement aiming to use Congressional authorities to remove coup sympathizers from committees of jurisdiction (and ignores Whitehouse’s earlier statement that calls for the kind of data collection described in the story).

On January 11, Sen. Sheldon Whitehouse, D-R.I., released a statement warning against the Justice Department getting involved in the investigation of the attack, at least regarding members of Congress, asserting that the Senate should oversee the matter.

Thus far, the story seems tailor-made to get Congress — the Republican members of which are already trying to sabotage the investigation — to start tampering with it.

Far down in the story, it also describes the orders used with more specificity — but not yet enough specificity to substantiate the claims made earlier in it.

Federal authorities have used the emergency orders in combination with signed court orders under the so-called pen/trap exception to the Stored Communications Act to try to determine who was present at the time that the Capitol was breached, the source said. In some cases, the Justice Department has used these and other “hybrid” court orders to collect actual content from cellphones, like text messages and other communications, in building cases against the rioters.

At the time I suggested the story’s conclusions went well beyond the evidence included in it. I had several concerns about the story.

First, it didn’t address the granularity of location data collected, explaining whether the data collection focused just on the Capitol building or (as the story claimed) “in the area” generally. The Capitol is, according to multiple experts, incredibly wired up, meaning that one can obtain a great deal of data specific to the Capitol building itself. That matters here, because as soon as Trump insurrectionists entered the Capitol building, they committed the trespass crimes charged against virtually all the defendants. And the people legally in the Capitol that day were largely victims and/or law enforcement. It’s not an exaggeration to say that anyone collected off location collection narrowly targeted to the Capitol building itself is either a criminal, a witness, or a victim (and often some mix of the three).

If location collection was focused on the Capitol building itself (we don’t know whether it was or not, and the reports of collection aiming to find the person who left pipe-bombs in the neighborhood on January 5 do pose real cause for concern), it mitigates some of the concerns normally raised by the use of IMSI-catchers at public events and protests, which is that such location collection would include a large number of people who were just engaging in protected speech, as many of the people outside the Capitol were. Similarly, unlike with most geofence warrants or tower dumps, which are used to find possible leads for a crime, here, FBI had an overwhelming list of suspects from its mass of tips and video evidence already: it wasn’t relying on location data to find suspects. Plus, with normal geofence warrants and tower dumps, the vast majority of the data obtained comes from uninvolved people, posing a risk that those unrelated people could become false positives who, as a result, would get investigated closely. Here, again, anyone collected from location data inside the Capitol was by definition associated with the crime, either as witness, victim, or perpetrator.

Finally, the story not only didn’t rely on, but showed little familiarity with the hundreds of arrest affidavits released so far, which provide some explanation (albeit undoubtedly parallel constructed) for how the FBI built cases against those hundreds of people.

Well before The Intercept article was written, there were a few interesting techniques revealed in the affidavits. Perhaps the most interesting (and not specifically covered in The Intercept article, unless as a hybrid order) described identifying Christopher Spencer from the livestreams on Facebook he posted from inside the Capitol.

The government received information as part of a search warrant return that Facebook UID 100047172724820 was livestreaming video in the Capitol during these events. The government also received subscriber information for Facebook UID 100047172724820 in response to legal process served on Facebook. Facebook UID 100047172724820 is registered to Chris Spencer (“SPENCER”). SPENCER provided subscriber information, including a date of birth; current city/state, and a phone number to Facebook to create the account.

[snip]

The government received three livestream videos from SPENCER’s Facebook UID 100047172724820 as part of a search warrant return. At different times during the videos, Spencer either used the rear facing camera to show himself talking, or turned the phone toward his face. Your affiant would note that the camera is capturing a reversed image of SPENCER in two of these sections of video as evidenced by the text on SPENCER’s hat. As such, reversed images are also provided below the original screenshot [my emphasis]

The first mention of the Facebook return appears before a paragraph describing an associate of Spencer’s who had seen the videos and recognized his wife, and the later paragraph describes the associate sharing a phone number for Spencer that the FBI seemed to have already received from Facebook. As written (and this structure is matched in the affidavit for Spencer’s wife, Jenny) the narrative may indicate that the FBI obtained the Facebook return before the tip and identified Spencer from the Facebook return even before receiving the tip. This is one of the strongest pieces of evidence that the FBI used data obtained from location-based collection in the Capitol from any social media source to identify an unknown subject. But, as described, it also has some protections built in. The data was obtained with a warrant, not PRTT or d-order. That means the FBI would have had to show probable cause to obtain the content (but, for the reasons I explained above, most people in the Capitol live-streaming were committing a crime). There’s also no indication here that this video was privately posted (though with a warrant the FBI would be able to obtain such videos).

All this is a read of what this paragraph might suggest about data collection. It doesn’t describe whether the data was obtained via a particularized warrant (targeting just Spencer), or whether the FBI asked Facebook to provide all live-streaming posted from within the Capitol during the insurrection (there are other early affidavits that targeted the content of Facebook via individualized warrants). In Spencer’s case, I suspect it’s the latter (there’s nothing that remarkable about Spencer’s video, except he was outside Speaker Pelosi’s office). Even so, for most people, posting from inside the Capitol during the insurrection would amount to probable cause the person was trespassing.

Even before The Intercept piece was posted I had also pointed to the affidavit for the Kansas cell of the Proud Boys. It uses location data to place one after another of the suspects “in or around” the Capitol during the insurrection: cell site data showed that the phones of Christopher Kuehne, Louis Colon, and Felicia Konold were “in or around” the Capitol during the insurrection. That of Cory Konold, Felicia’s brother, was not shown to be, but,

Lawfully-obtained cell site records indicated that the FELICIA KONOLD cell called a number associated with CORY KONOLD while in or around the Capitol on January 6, 2021.

The most interesting detail in that affidavit pertained to William Chrestman. His phone wasn’t IDed off a cell site. Rather, it was IDed by connecting to Google services “in or around” the Capitol.

According to records produced by CHRESTMAN’s wireless cell phone provider in response to legal process, CHRESTMAN is listed as the owner of a cell phone number (“CHRESTMAN cell”). Lawfully-obtained Google records show that a Google account associated with the CHRESTMAN cell number was connected to Google services and was present in or around the U.S. Capitol on January 6, 2021.

A more recent document — the complaint against the southern Oath Keepers obtained on February 11 but unsealed long after that — describes the phones of those suspects in an area “includ[ing]” (but not necessarily limited to) the interior of the Capitol.

having utilized a cell site consistent with providing service to the geographic area that includes the interior of the United States Capitol building.

Unlike with Spencer, the location data in the Proud Boys and Oath Keeper complaints seems to be used to establish probable cause. In both the militia group cases, the individuals appear to have been identified via different means (unsurprisingly, given their flamboyantly coordinated actions), with the location data being used in the affidavit to flesh out probable cause. (Undoubtedly, the FBI exploited this information far more thoroughly in an effort to map out other co-conspirators, but it is equally without doubt that the FBI had adequate probable cause to do so.)

The other day, DOJ unsealed an affidavit — that of Jeremy Groseclose — that provides more detail about the location collection at the Capitol. The FBI describes identifying Groseclose off of two tips, both on January 7, from people who had seen him post about being in the Capitol on Facebook (and in one case, remove his Facebook posts after he posted them).

Groseclose wore a gas mask for much of the time he was inside the Capitol (though wore the same clothes as he had outside), which undoubtedly made it more difficult to prove he was the person illegally inside the Capitol preventing cops from ousting the rioters.

The FBI affidavit describes times when Groseclose appears on security footage from inside the Capitol without the gas mask, but doesn’t include it. To substantiate his presence in the Capitol, the FBI included three paragraphs describing what must be a Google geofence warrant showing the device identifiers for everyone within a certain geographic area.

According to records obtained through a search warrant served on Google, a mobile device associated with [my redaction]@gmail.com was present at the U.S. Capitol on January 6, 2021. Google estimates device location using sources including GPS data and information about nearby Wi-Fi access points and Bluetooth beacons. This location data varies in its accuracy, depending on the source(s) of the data. As a result, Google assigns a “maps display radius” for each location data point. Thus, where Google estimates that its location data is accurate to within 10 meters, Google assigns a “maps display radius” of 10 meters to the location data point. Finally, Google reports that its “maps display radius” reflects the actual location of the covered device approximately 68% of the time. In this case, Google location data shows that a device associated with [my redaction]@gmail.com was within the U.S. Capitol at coordinates associated with the center of the Capitol Building, which I know includes the Rotunda, at 2:56 p.m. Google records show that the “maps display radius” for this location data was 34 meters.

Law enforcement officers, to the best of their ability, have compiled a list (the “Exclusion List”) of any Identification Numbers, related devices, and information related to individuals who were authorized to be inside the U.S. Capitol during the events of January 6, 2021, described above. Such authorized individuals include: Congressional Members and Staffers, responding law enforcement agents and officers, Secret Service Protectees, otherwise authorized governmental employees, and responding medical staff. The mobile device associated with [my redaction]@gmail.com is not on the Exclusion List. Accordingly, I believe that the individual possessing this device was not authorized to be within the U.S. Capitol Building on January 6, 2021. Furthermore, surveillance footage from the Rotunda, time-stamped within a minute of 2:56 p.m., shows GROSECLOSE, in his distinctive clothing, using his cell phone in an apparent attempt to take a picture.

Records provided by Google revealed that the mobile device associated with [my redaction]@gmail.com belonged to a Google account registered in the name of “Jeremy Groseclose.” The Google account also lists a recovery SMS phone number that matches [my redaction]. The recovery email address for this account appears to be in the name of GROSECLOSE’s significant other, with whom he has two children in common. Additionally, I have reviewed subscriber records from U.S. Cellular, related to the phone number [my redaction]. This number, along with another, are connected to an account in the name of GROSECLOSE’s significant other. The billing address for this account is [my redaction]. One of GROSECLOSE’s neighbors identified [my redaction] as GROSECLOSE’s address.

This seems to confirm that FBI obtained a geofence warrant from Google, but — at least as described — it was focused on those at the Capitol, perhaps focused on the Rotunda and anything 100 feet from it. This is the kind of granularity that will exclude most uninvolved people. They may have used it (or included it in the affidavit) because by wearing a gas mask, Groseclose made it difficult to show his face in the existing film of the attack.

The affidavit suggests that the Google geofence relied not just on GPS data of users’ phones, but also Wi-Fi access points (there’s another affidavit where the suspect’s phone triggered the Capitol Wi-Fi) and Bluetooth beacons. Again, given how wired the Capitol is, this would offer a granularity to the data that wouldn’t exist in most geofence warrants.

Finally, and most interestingly, this affidavit (obtained on the same day as The Intercept story and so presumably after the Intercept called for comment) describes that the FBI has an “Exclusion List” of everyone who had a known legal right to be in the Capitol that day. That suggests that, after such time as the FBI completed this list, they could identify which of those present in the Capitol were probably there illegally.
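The affidavit's two mechanisms, a per-point "maps display radius" that holds the device about 68% of the time and an Exclusion List applied to the returned identifiers, can be worked through on constructed data. The sketch below is an added example, not code from this post, the FBI or Google. It assumes a rectangular fence in local meter coordinates, a circular Gaussian error model fitted to the 68% figure, a hypothetical 95% decision threshold, and made-up device IDs and positions.

```python
import math
from dataclasses import dataclass

# Containment fraction the affidavit attributes to the "maps display radius".
CONTAINMENT = 0.68


@dataclass(frozen=True)
class Fence:
    """Axis-aligned rectangle in a local plane, in meters (assumed shape)."""
    x_min: float
    x_max: float
    y_min: float
    y_max: float


@dataclass(frozen=True)
class Hit:
    """One location data point: reported position plus display radius."""
    device_id: str
    x: float
    y: float
    radius_m: float


def sigma_from_radius(radius_m, containment=CONTAINMENT):
    """Per-axis sigma of a circular Gaussian with `containment` mass inside radius_m.

    For a circular Gaussian, P(distance <= R) = 1 - exp(-R^2 / (2 * sigma^2)).
    The Gaussian shape is an assumption; the affidavit gives only the 68% figure.
    """
    return radius_m / math.sqrt(-2.0 * math.log(1.0 - containment))


def std_normal_cdf(z):
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def prob_inside(hit, fence):
    """Probability the device was truly inside the fence, given the reported point.

    With independent x and y errors and a rectangular fence, the probability
    factorizes into one interval probability per axis.
    """
    s = sigma_from_radius(hit.radius_m)
    px = std_normal_cdf((fence.x_max - hit.x) / s) - std_normal_cdf((fence.x_min - hit.x) / s)
    py = std_normal_cdf((fence.y_max - hit.y) / s) - std_normal_cdf((fence.y_min - hit.y) / s)
    return px * py


def triage(hits, fence, exclusion_list, threshold=0.95):
    """Label each device: excluded, inside, outside, or ambiguous."""
    labels = {}
    for h in hits:
        if h.device_id in exclusion_list:
            labels[h.device_id] = "excluded"  # authorized to be present
            continue
        p = prob_inside(h, fence)
        if p >= threshold:
            labels[h.device_id] = "inside"
        elif p <= 1.0 - threshold:
            labels[h.device_id] = "outside"
        else:
            labels[h.device_id] = "ambiguous"  # radius straddles the boundary
    return labels


# Constructed sample data: a 200 m x 100 m fence centered on the origin.
FENCE = Fence(x_min=-100.0, x_max=100.0, y_min=-50.0, y_max=50.0)
HITS = [
    Hit("dev-A", 0.0, 0.0, 34.0),    # centered, 34 m radius as in the affidavit
    Hit("dev-B", 0.0, 45.0, 34.0),   # same radius, 5 m from the edge
    Hit("dev-C", 0.0, 120.0, 10.0),  # precise fix well outside the fence
    Hit("dev-D", 10.0, 0.0, 10.0),   # authorized device
    Hit("dev-E", 0.0, 0.0, 150.0),   # centered, but a coarse fix
]
EXCLUSION_LIST = {"dev-D"}

if __name__ == "__main__":
    labels = triage(HITS, FENCE, EXCLUSION_LIST)
    for h in HITS:
        print(f"{h.device_id}: p_inside={prob_inside(h, FENCE):.3f} -> {labels[h.device_id]}")
```

In this constructed fence, a centered point with a 34-meter radius clears the threshold, while the same point with a 150-meter radius, or a 34-meter point near the edge, does not. That difference is why the granularity of the underlying data matters for how many uninvolved devices a geofence return sweeps in.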

There are concerns about FBI putting together a list like this. After all, Members of Congress might have good Separation of Powers reasons to want to keep their personal phone numbers private. That said, there’s reason to believe that the FBI has used this method of separating out congressional identifiers and creating a white list in the past (including with the Section 215 phone dragnet), with congressional approval.

The concern arises in how FBI defines those legally present:

  • Members of Congress
  • Congressional staffers
  • Law enforcement responding to the insurrection (as distinct from law enforcement joining in it)
  • Secret Service Protectees (AKA, Mike Pence and his family)
  • Other government employees (like custodial staff)
  • Medical staff

Not on this list? Journalists, not even those journalists holding valid congressional credentials covering the vote certification.

Already, there have been several cases where suspects have claimed to be present as media, only to be charged both because of their comments while present and the fact that they don’t have congressional credentials. Three are:

  • Provocateur John Sullivan, who filmed the riot and sold the footage to multiple media outlets and “claimed to be an activist and journalist that filmed protests and riots, but admitted that he did not have any press credentials.”
  • Nick DeCarlo, who told the LA Times he and Nicholas Ochs were there as journalists but who FBI noted, “is not listed as a credentialed reporter with the House Periodical Press Gallery or the U.S. Senate Press Gallery, the organizations that credential Congressional correspondents.”
  • Brian McCreary, who on his own sent the video he took on his phone while inside the Capitol, but who later admitted to the FBI that entering the Capitol “might not have been legal” and also described admitting to cops present that he was not a member of the media.

If the FBI is going to use official credentials to distinguish journalists from trespassers, then it could also use those credentialing lists to white list journalists present at the Capitol. But to do that, the journalists in question would have to be willing to share identifying information for all the devices that were turned on at the Capitol, something they might have good reasons not to want to do.

Plus, I suspect there are a number of journalists without Congressional credentials who were covering the events outside the Capitol and, as the rally turned into a riot, entered the Capitol to cover it. Those journalists risked their lives and provided some of the most important early information about the riot and did so in ways that in no way glorified it. But in doing so, their devices may be in an FBI database relating to the attack.

There is clear evidence that the FBI obtained location data from the Capitol as part of its investigation, including Google and almost certainly Facebook. Thus far, the available evidence suggests that the ability to target that collection narrowly limits the typical concerns about tower dumps and geofence warrants (again, any similar data collection outside the Capitol in an effort to find the person who left the pipe bombs is another issue). Moreover, almost all those legally present in the Capitol appear to be whitelisted.

But not all. And the exception, journalists, includes those who have the most at stake in not having their devices identified and investigated by the FBI.

All that said, perhaps a similarly controversial question pertains to preservation orders. The Intercept describes a letter from Mark Warner calling on carriers to preserve data (and rightly questioning his legal authority to make such a request), then suggests the carriers have done so on their own.

Some of the telecommunications providers questioned whether Warner has the authority to make such a request, but a number of them appear to have been preserving data from the event anyway because of the large scale of violence, the source said.

The story doesn’t consider the — by far — most likely explanation, which is that FBI served very broad preservation orders on social media companies (though some key ones, such as Facebook, would keep data for a period even after insurrectionists attempted to delete it in the days after the attack as normal practice). In any case, broad preservation orders on social media companies would be solidly within existing precedent. But I suspect it may be one of the more interesting legal questions that will come out of this investigation.

Update March 7: Added McCreary.

As Richard Burr Rushes to Release Volume Five of SSCI’s Russian Investigation, the FBI Closes In

Update: As I was posting this, reports that Burr is stepping down as Chair of SSCI came out.

The LAT has a big scoop revealing that the FBI seized Richard Burr’s cell phone yesterday, having gotten a probable cause warrant incorporating information they obtained via a search of his iCloud.

Federal agents seized a cellphone belonging to a prominent Republican senator on Wednesday night as part of the Justice Department’s investigation into controversial stock trades he made as the novel coronavirus first struck the U.S., a law enforcement official said.

[snip]

Such a warrant being served on a sitting U.S. senator would require approval from the highest ranks of the Justice Department and is a step that would not be taken lightly. Kerri Kupec, a Justice Department spokeswoman, declined to comment.

A second law enforcement official said FBI agents served a warrant in recent days on Apple to obtain information from Burr’s iCloud account and said agents used data obtained from the California-based company as part of the evidence used to obtain the warrant for the senator’s phone.

[snip]

The same day Burr sold his stocks, Burr’s brother-in-law, Gerald Fauth, sold between $97,000 and $280,000 worth of six stocks, according to documents filed with the Office of Government Ethics. Fauth serves on the National Mediation Board, which provides mediation for labor disputes in the aviation and rail industries.

Burr has denied coordinating trading with his brother-in-law.

Given the progression from an iCloud warrant to the warrant for the cell phone, it’s likely the FBI is seeking out texts between Burr and his brother-in-law around the time of the stock sales. (The FBI often accesses iCloud to find out what apps someone has accessed, obtains a pen register to identify communications of interest using that app, then seizes the phone to get those encrypted communications.)

The public evidence against Burr is quite damning, so there’s no question that this is a properly predicated investigation.

Still, coming from a DOJ that has gone to great lengths to protect other looting (and has not taken similar public steps against Kelly Loeffler), the move does raise questions.

Particularly given the focus that Richard Burr gave, during the John Ratcliffe confirmation hearing, to getting the final volume of the SSCI Report on 2016 declassified and released by August.

Richard Burr: Congressman, over the course of the last three years this committee has issued four reports about Russia’s meddling in our elections covering Russia’s intrusions into state election systems, their use of social media to attempt to influence the election, and, most recently confirming the findings of the 2017 Intelligence Community Assessment. While being mindful of the fact that we’re, um, in an unclassified setting, what are your views on Russia’s meddling in our elections?

John Ratcliffe: Chairman, my views are that Russia meddled or interfered with Active Measures in 2016, they interfered in 2018, they will attempt to do so in 2018 [sic]. They have a goal of sowing discord, and they have been successful in sowing discord. Fortunately, based on the work–the good work of this committee, we know that they may have been successful in that regard but they have not been successful in changing votes or the outcome of any election. The Intelligence Community, as you know, plays a vital role on insuring we have safe, secure, and credible elections and that every vote cast by every American is done so properly and counted properly.

Burr: Will you commit to bringing information about threats to the election infrastructure and about foreign governments’ efforts to influence to Congress so we’re fully and currently informed?

Ratcliffe: I will.

Burr: Will you commit to testify at this committee’s annual worldwide threats hearing?

Ratcliffe: I will.

Burr: And last question, over the last three years we have issued four reports. Number five is finished. Number five will go for declassification. Do we have your commitment as DNI that you would expeditiously go through the declassification process?

Ratcliffe: You do.

Burr: Senator Warner.

Mark Warner: Thank you Mr. Chairman. You actually took some of my questions.

Burr: My eyesight is good.

Warner: Mr. Ratcliffe, good to see you again and I appreciated our time, um, um, last Friday. I want to follow-up on a couple of the Chairman’s questions first. As we discussed, we’re … Volume Five, and so far our first four volumes have all been unanimous. Or maybe with the exception of one dissenting vote. If we get this document to the ODNI we need your commitment not only that we do it expeditiously, but as much as possible to get that Volume Five reviewed, redacted, and released, ideally before the August, the August recess. Now, I know you’ve not seen the report yet. All I would ask is, aspirationally that you commit to that goal, because I think as we discussed, to have a document that could be [big pause] potentially significant come out in the midst of a presidential campaign isn’t good or fair on either side. So if I could clarify a bit, recognizing that you’ve not seen the document is a thousand pages, that you’d try to get this cleared prior to August.

Ratcliffe: Vice Chairman, I would again, commit that I would work with you to get that as expeditiously as possible.

During the 2018 election, Burr had — at a time when the committee assuredly did not have the ability to rule it out — twice said there was no evidence of “collusion.” Burr has made no such claims recently.

Even just the Roger Stone disclosures from his trial make it clear “collusion” happened, and that’s ignoring the ongoing Foreign Agent investigation involving Stone. And the Intelligence Committees have been briefed on the existence of — and possibly some details about — either that or other ongoing investigations.

If Richard Burr is prepping to reverse his prior public comments about “collusion,” it might explain why the Bill Barr DOJ, which has stopped hiding that it is an instrument used to enforce political loyalty to Trump, would more aggressively investigate Burr than others.

Again, there’s no question that this is a properly predicated investigation. But in the Barr DOJ, properly predicated investigations about political allies of Trump all get quashed. This one has, instead, been aggressively and overtly pursued.

Ric Grenell Declassified George Papadopoulos’ Brags about Fucking Older Women, but Not about Befriending Sergey Millian

In the name of exposing “FISA abuse,” Lindsey Graham got Ric Grenell to declassify details of George Papadopoulos bragging about fucking a woman who was 42.

CT: I was banging a 42-year-old. That’s the oldest I ever went. And she was the best sex I ever had in my life.

CHS: You know you can’t, uh, knock down them…

CT: But 42, that’s like borderline old, you know.

But Grenell left what DOJ IG treated as a reference to Sergey Millian living in Brooklyn classified (see page 66).

Grenell did so even though this reference to “Sergey” has already been formally declassified, for the DOJ IG Report (though I would argue that in places DOJ IG’s transcriptions are not always fair descriptions of what the transcripts show).

Papadopoulos did not say much about Russia during the first conversation with Source 3, other than to mention a “friend Sergey … [who] lives in … Brooklyn,” and invite Source 3 to travel with Papadopoulos to Russia in the summertime.

Perhaps this just stems from bureaucratic incompetence. But the Trump Administration made a fairly aggressive decision to declassify details about Sergey Millian for the DOJ IG Report because it served their narrative about Christopher Steele. But when it came time to claim–abundant evidence in the transcripts to the contrary–that George Papadopoulos wasn’t an obvious subject for a counterintelligence investigation, the Trump Administration treated one of the most damning details as classified.

This matters, because the frothy right has been ginning up a scandal over the delayed release of the House Intelligence transcripts, and the fact that, having been told everything is ready, Adam Schiff is taking a few days to review what Grenell has done to ensure the integrity of the redactions. They’re doing so even as both Mark Warner and Richard Burr spent the beginning of John Ratcliffe’s confirmation making sure the declassification of their report on the Russian operation would be quick and non-partisan.

But we’ve already got hints that Grenell is politicizing the declassification process. In a 90-page transcript, he redacted the detail that most undermined the frothy right narrative.

After Years of Squealing about “FISA Abuse,” Trump’s DNI Nominee Won’t Rule Out Warrantless Wiretapping

As I noted earlier, in his confirmation hearing to be Director of National Intelligence, John Ratcliffe made it crystal clear he will lie to protect Trump by stating that he believed Trump has always accurately conveyed the threat of COVID-19.

Ratcliffe made some other alarming comments. For example:

  • He repeatedly said that Russia had not changed any votes in 2016. The Intelligence Community did not review that issue and Ratcliffe has no basis to make that claim.
  • Ratcliffe also repeatedly refused to back SSCI’s unanimous conclusion that Russia intervened to help Trump.
  • He dodged when Warner asked him to promise to brief the committee even if Russia were trying to help Trump.
  • When asked whether he supported Inspectors General, Ratcliffe said that he supported Michael Horowitz when others attacked him but then suggested he disagreed with Horowitz’ “opinion,” making it clear he does not accept Horowitz’ conclusions that he found no evidence that bias affected the investigation into Trump’s flunkies.
  • Ratcliffe claimed he didn’t have enough information to address Michael Atkinson’s firing.
  • When Dianne Feinstein read his quotes about the Ukraine whistleblower to him, Ratcliffe pretended those quotes were about something they weren’t.
  • He might not provide intelligence on COVID-19 that showed how Trump blew it off.
  • He suggested that if only the IC had reviewed open source data, they might have warned of the dangers of COVID-19, which they did warn of using both OSINT and classified intelligence.
  • He refused to answer whether he thought there was a Deep State in the IC, and later suggested a few members of the IC were Deep State.
  • Ratcliffe refused to agree to release a report showing that Mohammed bin Salman had Jamal Khashoggi executed and chopped into bits, as required by last year’s Defense Authorization. He suggested that it might have been properly classified; as DNI, he would be the Original Classification Authority to make that decision.
  • He refused to answer clearly on whether Trump’s policies on North Korea and Iran have worked.
  • He later suggested he might not share intelligence if it were too sensitive, again ignoring that as OCA he gets to decide whether it’s really classified.
  • After saying he would appear for a Global Threats hearing, he then dodged when later asked whether he would appear before the committee generally.

Ratcliffe made several comments to make it clear he would side with expansive Unitary Executive interpretations holding that:

  • There are limits to whistleblower protection.
  • If torture were deemed legal it would be okay to do it.
  • The executive can use warrantless wiretapping.

There were a few additional hints about stuff going on right now:

  • Mark Warner said that intelligence professionals have been pressured to limit information they share with Congress.
  • Warner also said that Ric Grenell was undermining the IC’s election security group.
  • Both Warner and Richard Burr seemed concerned that the DNI would not declassify their 1000-page Volume V of their Report on Russia’s 2016 election interference (I’m not sure whether this assesses the Steele dossier or lays out whether and how Trump “colluded” during 2016).
  • Martin Heinrich made it clear that Grenell is reorganizing the IC, without any consultation or approval from Congress.

He’s not just unqualified, he’s a sycophant. But it seems like there’s so much that Grenell is already screwing up, Republicans on the committee, at least, prefer Ratcliffe.

Update: Here are Ratcliffe’s Questions for the Record. They’re particularly troubling on sharing with Congress.

He twice refused to say that he wouldn’t impose loyalty tests.

QUESTION 39: Personnel decisions can affect analytic integrity and objectivity. A. Would you consider an individual’s personal political preferences, to include “loyalty” to the President, in making a decision to hire, fire, or promote an individual?

Answer: Personnel decisions should be based on qualifications, skills, merit, and other standards which demonstrate the ability, dedication and integrity required to support the central IC mission of providing unvarnished intelligence to policymakers.

B. Do you commit to exclusively consider professional qualifications in IC personnel decisions, without consideration of partisan or political factors?

Answer: Personnel decisions should be based on qualifications, skills, merit, and other standards that demonstrate the ability, dedication and integrity required to support the central IC mission of providing unvarnished intelligence to policymakers.

He refused to promise to keep the Election Threats Executive Office open.

QUESTION 45: Would you commit to keep the Election Threats Executive Office in place to ensure continuity of efforts, and build on the successes of the 2018 midterms?

Answer: If confirmed, I will work with IC leaders and ODNI officials to ensure the IC is well-positioned to address the election security threats facing our Nation.

He refused to promise to notify Congress if Russia starts helping Trump again.

QUESTION 53: Do you commit to immediately notifying policymakers and the public of Russian attempts to meddle in U.S. democratic processes, to include our elections?

Answer: If confirmed, I would work with the Committee to accommodate its legitimate oversight needs while safeguarding the confidentiality interests of the Executive Branch, including the protection from unauthorized disclosure of classified intelligence sources and methods

He suggested he had no problem with Section 215 being used to access someone’s browsing records.

QUESTION 7: Do you believe that Section 215 of the USA PATRIOT Act should be used to collect Americans’ web browsing and internet search history? If yes, do you believe there are or should be any limitations to “digital tracking” of Americans without a warrant, in terms of length of time, the amount of information collected, or the nature of the information collected (e.g., whether particular kinds of websites raise special privacy concerns)?

Answer: I believe it is important for the Intelligence Community to use its authorities appropriately against valid intelligence targets. The amendments to Title V of FISA made by Section 215 of the USA PATRIOT Act expired on March 15, 2020 and, to date, have not been reauthorized.

Ratcliffe dodged several questions about whether FISA was the exclusive means to collect.

Extra-Statutory Collection

QUESTION 9: Title 50, section 1812 provides for exclusive means by which electronic surveillance and interception of certain communications may be conducted. Do you agree that this provision of law is binding on the President?

Answer: If confirmed, I would work with the Attorney General to ensure that IC activities are carried out in accordance with the Constitution and applicable federal law.

QUESTION 10: Do you believe that the intelligence surveillance and collection activities covered by FISA can be conducted outside the FISA framework? If yes, please specify which intelligence surveillance and collection activities, the limits (if any) on extra-statutory collection activities, and the legal authorities you believe would authorize those activities.

Answer: If confirmed, I would work with the Attorney General and the heads of IC elements, as well as the General Counsels throughout the IC, to ensure that intelligence activities are conducted in accordance with the Constitution and applicable federal law. As set forth in Section 112 of FISA, with limited exceptions, FISA constitutes the exclusive statutory means by which electronic surveillance, as defined in FISA, and the interception of domestic wire, oral, or electric communications for foreign intelligence purposes may be conducted.

QUESTION 11: What would you do if the IC was requested or directed to conduct such collection activities outside the FISA framework? Would you notify the full congressional intelligence activities?

Answer: Consistent with the requirements of the National Security Act, I would keep the congressional intelligence committees informed of the intelligence activities of the United States, including any illegal intelligence activities. As you know, not all intelligence activities are governed by FISA.

If confirmed, I would work with the Attorney General and the heads of IC elements, as well as the General Counsels throughout the IC, to ensure that intelligence activities are conducted in accordance with the Constitution and applicable federal law.

Senator Wyden asked a question about the IC purchasing stuff they otherwise would need a warrant for.

QUESTION 12: Do you believe the IC can purchase information related to U.S. persons if the compelled production of that information would be covered by FISA? If yes, what rules and guidelines would apply to the type and quantity of the information purchased and to the use, retention and dissemination of that information? Should the congressional intelligence committees be briefed on any such collection activities?

Answer: Elements of the IC are authorized to collect, retain, or disseminate information concerning U.S. persons only in accordance with procedures approved by the Attorney General. As you know, not all intelligence activities are governed by FISA, and it is my understanding that in appropriate circumstances elements of the IC may lawfully purchase information from the private sector in furtherance of their authorized missions. Nonetheless, any intelligence activity not governed by FISA would be regulated by the Attorney General-approved procedures that govern the intelligence activities of that IC element. Consistent with the requirements of the National Security Act, if confirmed, I would keep the congressional intelligence committees informed of the intelligence activities of the United States.


SSCI Has Already Dismissed One of the Key Issues John Durham Is Investigating

The other day, the NYT had an update on another area included in John Durham’s 9-month investigation of the Russian investigation. Durham appears to be chasing a theory (based on what predication, aside from Bill Barr’s fevered imagination, it’s unclear) that John Brennan tricked the FBI into investigating Trump by fooling them into believing Russia wanted Trump elected.

Questions asked by Mr. Durham, who was assigned by Attorney General William P. Barr to scrutinize the early actions of law enforcement and intelligence officials struggling to understand the scope of Russia’s scheme, suggest that Mr. Durham may have come to view with suspicion several clashes between analysts at different intelligence agencies over who could see each other’s highly sensitive secrets, the people said.

Mr. Durham appears to be pursuing a theory that the C.I.A., under its former director John O. Brennan, had a preconceived notion about Russia or was trying to get to a particular result — and was nefariously trying to keep other agencies from seeing the full picture lest they interfere with that goal, the people said.

[snip]

The Justice Department has declined to talk about Mr. Durham’s work in meaningful detail, but he has been said to be interested in how the intelligence community came up with its analytical judgments — including its assessment that Russia was not merely sowing discord, but specifically sought to help Mr. Trump defeat Hillary Clinton in the 2016 election.

A key part of this involves the credibility assigned to a Russian source and the CIA’s initial unwillingness to share his identity.

One fight, they said, concerned the identity and placement of a C.I.A. source inside the Kremlin. Analysts at the National Security Agency wanted to know more about him to weigh the credibility of his information. The C.I.A. was initially reluctant to share details about the Russian’s identity but eventually relented.

But officials disagreed about how much weight to give the source’s information, and the intelligence community’s eventual assessment apparently reflected that division. While the F.B.I. and the C.I.A. concluded with “high confidence” that Mr. Putin was specifically trying to help Mr. Trump win the election, the National Security Agency agreed but said it had only “moderate confidence.”

As with much of the Durham investigation, this likely came from a partisan investigation — specifically the HPSCI Report on Russian interference that the GOP released with little Democratic involvement. It found that

(U) Finding #16: The Intelligence Community Assessment judgments on Putin’s strategic intentions did not employ proper analytic tradecraft. (U) While the Committee found that most ICA analysis held-up to scrutiny, the investigation also identified significant intelligence tradecraft failings that undermine confidence in the ICA judgments regarding Russian President Vladimir Putin’s strategic objectives for disrupting the U.S. election. Those judgments failed to meet longstanding standards set forth in the primary guiding document for IC analysis, ICD 203, Analytic Standards including:

(U) “Properly describe quality and credibility of underlying sources.”

(U) “Properly express and explain uncertainties associated with major analytic judgments.”

(U) “Incorporate analysis of alternatives … [particularly] when major judgments must contend with significant uncertainties or … high-impact results.”

(U) Base confidence assessments on “the quantity and quality of source material.”

(U) “Be informed by all relevant information available.”

(U) “Be independent of political considerations.”

[snip]

The Committee’s findings on ICA tradecraft focused on the use of sensitive, [redacted] intelligence [redacted] cited by the ICA. This presented a significant challenge for classification downgrade. The Committee worked with intelligence officers from the agencies who own the raw reporting cited in the ICA to downgrade the classification of compartmented findings [redacted]

In short, in the same way that the HJC/OGR echo chamber of shoddy propaganda injected George Papadopoulos’ claims into Durham’s investigation, the HPSCI report likely gave Barr a way to demand this prong of the investigation.

The thing is, however, the Senate Intelligence Committee has also reviewed this intelligence — notably, at a time after the CIA source behind it had been exfiltrated (and after abundant other evidence proving that Putin really did prefer Trump came in). And SSCI had no problem with the conclusion.

The ICA states that:

We assess Russian President Vladimir Putin ordered an influence campaign in 2016 aimed at the U.S. presidential election. Russia’s goals were to undermine public faith in the U.S. democratic process, denigrate Secretary Clinton, and harm her electability and potential presidency. We further assess Putin and the Russian Government developed a clear preference for President-elect Trump.[2]

  • The Committee found that the ICA provided a range of all-source reporting to support these assessments.
  • The Committee concurs with intelligence and open-source assessments that this influence campaign was approved by President Putin.
  • Further, a body of reporting, to include different intelligence disciplines, open source reporting on Russian leadership policy preferences, and Russian media content, showed that Moscow sought to denigrate Secretary Clinton.
  • The ICA relies on public Russian leadership commentary, Russian state media reports, public examples of where Russian interests would have aligned with candidates’ policy statements, and a body of intelligence reporting to support the assessment that Putin and the Russian Government developed a clear preference for Trump.

The ICA also states that:

We also assess Putin and the Russian Government aspired to help President-elect Trump’s election chances when possible by discrediting Secretary Clinton and publicly contrasting her unfavorably to him.[3]

  • The Committee found that the ICA provided intelligence and open source reporting to support this assessment, and information obtained subsequent to publication of the ICA provides further support.
  • This is the only assessment in the ICA that had different confidence levels between the participating agencies—the CIA and FBI assessed with “high confidence” and the NSA assessed with “moderate confidence”—so the Committee gave this section additional attention.

The Committee found that the analytical disagreement was reasonable, transparent, and openly debated among the agencies and analysts, with analysts, managers, and agency heads on both sides of the confidence level articulately justifying their positions. [my emphasis]

Significantly, over time that conclusion has held up.

In fact, an even more recent SSCI Report — released in recent weeks — makes it clear that what is obviously this same reporting stream provided the “wake up” call that led the IC to take the Russian attack as seriously as they should have. The intelligence is introduced (but entirely redacted) on page 11, but the description of Brennan’s action — and the degree to which this intelligence was closely held thereafter — makes it clear that this is the CIA HUMINT.

According to Director Brennan, he recommended that the intelligence be briefed to the Gang of Eight, stating, “I think it’s important that this be a personal briefing.”

[snip]

According to multiple administration officials, the receipt of the sensitive intelligence prompted the NSC to begin a series of restricted PC meetings to craft the administration’s response to the Russians’ active measures campaign. These restricted “small group” PC meetings, and the corresponding Deputies Committee (DC) meetings, were atypically restricted, and excluded regular PC and DC attendees such as the relevant Senior Directors within the NSC and subject matter experts that normally accompanied the principals and deputies from the U.S. Government departments and agencies.

According to former NSC Senior Director for Intelligence Programs, Brett Holmgren, no one other than the principals participated in the initial PC meetings, due to the sensitivity of the intelligence reporting. Mr. Holmgren further stated that the “reports were briefed verbally, often times by Director Brennan. So I didn’t get access to a lot of these reports until the November or December time frame.”

To be clear, ultimately this more recent SSCI Report comes down on the same side that the Durham inquiry seems to be — that CIA ended up holding this too close, making it difficult for other agencies to properly vet it. This SSCI Report argues that the close hold led to a less robust response than the US should have mounted.

So all four reviews — HPSCI’s, SSCI’s ICA assessment and 3rd volume, along with Durham’s current review — agree that the CIA held this information really closely. But the bipartisan reports that assess whether the conclusion held up over time — just the SSCI ones — not only find that CIA was right, but that that view marked the belated moment when the US IC started taking the attack seriously enough.

In other words, John Durham is investigating, and trying to find fault with, something that the proper oversight authorities have already deemed the correct result, one that actually came too late and not broadly enough. Bill Barr is trying to get Durham to criminalize an intelligence conclusion that is the one thing that kept us from being more badly damaged by the attack.

The Black Hole Where SSCI’s Current Understanding of WikiLeaks Is

Four years after it started, the Senate Intelligence Committee continues its investigation into Russia’s 2016 election interference, this week releasing the report on what the Obama Administration could have done better. For a variety of reasons, these reports have been as interesting for their redactions or silences as for what the unredacted bits say.

This latest report is no different.

Putin responded to Obama’s warnings by waggling his nukes

The most interesting unredacted bit pertains to Susan Rice’s efforts, scheduled to occur just before ODNI and DHS released their report attributing the hack to Russia, to warn Russia against continuing to tamper in the election. That would place the meeting at just about precisely the moment the Access Hollywood video and Podesta email release happened, a big fuck you even as Obama was trying to do something about the tampering. The meeting also would have occurred during the period when Sergei Kislyak was bitching about FBI efforts to prevent Russia from sending election observers to voting sites.

The description of the meeting between Rice and Kislyak is redacted. But the report does reveal, for the first time that I’ve heard, that Russia responded to being warned by raising its nukes.

Approximately a week after the October 7, 2016, meeting, Ambassador Kislyak asked to meet with Ambassador Rice to deliver Putin’s response. The response, as characterized by Ambassador Rice, was “denial and obfuscation,” and “[t]he only thing notable about it is that Putin somehow deemed it necessary to mention the obvious fact that Russia remains a nuclear power.”

This exchange is all the more interesting given that there’s an entirely redacted bullet (on page 37) describing actions that “Russian cyber actors” took after Obama warned Putin. Given that the state and county scanning and the alleged hack of VR Systems show up, either there’s something we still don’t know about or SSCI continues to hide more details of the VR Systems hack.

The page-long post-election response to the election year attack

The longest subsection in a section devoted to describing Obama’s response is redacted (pages 39-41).

Here’s what the timing of the unredacted parts of that section is:

  • A: Expulsion of Russian diplomats (December 29, 2016)
  • B: Modifying the EO and sanctions (December 29, 2016)
  • C: redacted
  • D: Cybersecurity action in the form of the issuance of two technical reports (December 29, 2016 and February 10, 2017)
  • E: Tasking the ICA Report (initiated December 6, 2016; completed December 30, 2016; published January 5 and 6, 2017)
  • F: Protecting election infrastructure (January 5, 2017)

That might suggest that whatever secret action the Obama Administration took happened right in December, with everything else.

John Brennan was proved fucking right

There’s a redacted passage that may undermine the entire premise of the John Durham investigation, which purports to review what agencies, other than FBI, did to lead to an investigation focused on Trump’s campaign. Some reporting suggests Durham is investigating whether CIA tricked FBI into investigating Trump’s flunkies.

But this report describes how, in spite of knowing about related Russian hacks in 2015 and Russia’s habit of leaking information they stole, the IC really wasn’t aware of what was going on until John Brennan got an intelligence tip during the summer of 2016. That intelligence tip was described at length in a WaPo story that resembles this section of the report.

Early last August, an envelope with extraordinary handling restrictions arrived at the White House. Sent by courier from the CIA, it carried “eyes only” instructions that its contents be shown to just four people: President Barack Obama and three senior aides.

Inside was an intelligence bombshell, a report drawn from sourcing deep inside the Russian government that detailed Russian President Vladimir Putin’s direct involvement in a cyber campaign to disrupt and discredit the U.S. presidential race.

But it went further. The intelligence captured Putin’s specific instructions on the operation’s audacious objectives — defeat or at least damage the Democratic nominee, Hillary Clinton, and help elect her opponent, Donald Trump.

At that point, the outlines of the Russian assault on the U.S. election were increasingly apparent. Hackers with ties to Russian intelligence services had been rummaging through Democratic Party computer networks, as well as some Republican systems, for more than a year. In July, the FBI had opened an investigation of contacts between Russian officials and Trump associates. And on July 22, nearly 20,000 emails stolen from the Democratic National Committee were dumped online by WikiLeaks.

But at the highest levels of government, among those responsible for managing the crisis, the first moment of true foreboding about Russia’s intentions arrived with that CIA intelligence.

The section in this report is redacted.

Effectively, this report seems to confirm the WaPo reporting (which may have been based off sources close to those who testified to SSCI). It also emphasizes the import of this intelligence. But for this intelligence, the IC may have continued to remain ignorant of Putin’s plans for the operation.

The IC won’t let SSCI share its current understanding of WikiLeaks

But the most interesting redactions pertain to WikiLeaks.

There are four redacted paragraphs describing how hard it was for the IC to come up with a consensus attribution for the hack and leak operation.

Senior administration officials told the Committee that they hesitated to publicly attribute the cyber efforts to Russia until they had sufficient information on the penetration of the DNC network and the subsequent disclosure of stolen information via WikiLeaks, DCLeaks, and Guccifer 2.0.

More interesting still, almost the entirety of the page-plus discussion (relying on testimony from Ben Rhodes, Michael Daniel, Paul Selva, Mike Rogers, and others) of why it took so long to understand WikiLeaks remains redacted.

One reference that is unredacted, however, describes WikiLeaks as “coopted.”

This information would be of particular interest as the prosecution of Julian Assange goes forward. That — and the fact that some of this determination, relying as it does on former NSA Director Mike Rogers, appears to rely on NSA information — may be why it remains redacted.

Update: I’ve deleted the remainder of this post. It came from Wyden’s views, not the report itself.

Revisiting the First Time President Trump Blabbed Out Classified Information for Political Gain

I’d like to revisit what might be the first time in his presidency that Donald Trump blabbed out highly classified information for political gain. Trump appears to have endangered the investigation into CIA’s stolen hacking tools, all to blame Obama for the leak.

It happened on March 15, 2017, during an interview with Tucker Carlson.

Amid a long exchange where Tucker challenges Trump, asking why he claimed — 11 days earlier — that Obama had “tapped” Trump Tower without offering proof, Trump blurted out that the CIA was hacked during the Obama Administration.

Tucker: On March 4, 6:35 in the morning, you’re down in Florida, and you tweet, the former Administration wiretapped me, surveilled me, at Trump Tower during the last election. Um, how did you find out? You said, I just found out. How did you learn that?

Trump: I’ve been reading about things. I read in, I think it was January 20th, a NYT article, they were talking about wiretapping. There was an article, I think they used that exact term. I read other things. I watched your friend Bret Baier, the day previous, where he was talking about certain very complex sets of things happening, and wiretapping. I said, wait a minute, there’s a lot of wiretapping being talked about. I’ve been seeing a lot of things. Now, for the most part I’m not going to discuss it because we have it before the committee, and we will be submitting things before the committee very soon, that hasn’t been submitted as of yet. But it’s potentially a very serious situation.

Tucker: So 51,000 people retweeted that, so a lot of people thought that was plausible, they believe you, you’re the president. You’re in charge of the agencies, every intelligence agency reports to you. Why not immediately go to them and gather evidence to support that?

Trump: Because I don’t want to do anything that’s going to violate any strength of an agency. You know we have enough problems. And by the way, with the CIA, I just want people to know, the CIA was hacked and a lot of things taken. That was during the Obama years. That was not during, us, that was during the Obama situation. Mike Pompeo is there now, doing a fantastic job. But we will be submitting certain things, and I will be perhaps speaking about this next week. But it’s right now before the Committee, and I think I want to leave it at that. I have a lot of confidence in the committee.

Tucker: Why not wait to tweet about it until you can prove it? Does it devalue your words when you can’t provide evidence?

Trump: Well because the NYT wrote about it. You know, not that I respect the NYT. I call it the failing NYT. They did write on January 20 using the word wiretap. Other people have come out with —

Tucker: Right, but you’re the President. You have the ability to gather all the evidence you want.

Trump: I do, I do. But I think that frankly we have a lot right now and I think if you watch, uh, if you watched the Bret Baier and what he was saying and what he was talking about and how he mentioned the word wiretap, you would feel very confident that you could mention the name. He mentioned it and other people have mentioned it. But if you take a look at some of the things written about wiretapping and eavesdropping, and don’t forget when I say wiretap, those words were in quotes, that really covers, because wiretapping is pretty old fashioned stuff. But that really covers surveillance and many other things. And nobody ever talks about the fact that it was in quotes but that’s a very important thing. But wiretap covers a lot of different things. I think you’re going to find some very interesting items over the next two weeks. [my emphasis]

It was clear even at the time that it was a reference to the Vault 7 files, now alleged to have been leaked to WikiLeaks by Joshua Schulte; the first installment of files was released eight days earlier.

The next day, Adam Schiff, who, as the then-Ranking HPSCI member, likely had been briefed on the leak, responded to Trump’s comments and suggested that, while Trump couldn’t have broken the law for revealing classified information, he should nevertheless try to avoid releasing it like this, without any kind of consideration of the impact of it.

Last night, the President stated on Fox News that “I just wanted people to know, the CIA was hacked, and a lot of things taken–that was during the Obama years.” In his effort to once again blame Obama, the President appears to have discussed something that, if true and accurate, would otherwise be considered classified information.

It would be one thing if the President’s statement were the product of intelligence community discussion and a purposeful decision to disclose information to the public, but that is unlikely to be the case. The President has the power to declassify whatever he wants, but this should be done as the product of thoughtful consideration and with intense input from any agency affected. For anyone else to do what the President may have done, would constitute what he deplores as “leaks.”

Trump did reveal information the CIA still considered classified. At the very least, by saying that CIA got hacked, he confirmed the Vault 7 documents were authentic files from the CIA, something the government was not otherwise confirming publicly at that time. (Compare Mike Pompeo’s oblique comments about the leak from a month later.)

His reference to the volume of stolen files may have been based on what the CIA had learned from reviewing the initial dump; court filings make it clear the CIA still did not know precisely what had been stolen.

His reference to a hack, rather than a leak, is an interesting word choice, as the compromise has usually been called a leak. But Schulte’s initial search warrants listed both Espionage and the Computer Fraud and Abuse Act, meaning the government was treating it as (partly) a hacking investigation. And some of the techniques he allegedly used to steal the files are the same that hackers use to obfuscate their tracks (which is unsurprising, given that Schulte wrote some of the CIA’s obfuscation tools).

Perhaps the most damning part of Trump’s statement, however, was the main one: that the theft had taken place under Obama. WikiLeaks’ initial release was totally noncommittal about when they obtained the files, but said it had been “recent[].” By making it clear that the government knew the theft had taken place in 2016 and not more “recently,” Trump revealed a detail that would have made it more likely Schulte would realize they believed he was the culprit (though he knew from the start he’d be a suspect), given that he’d left the agency just days after Trump was elected.

The most damning part of all of this, though, is the timing. Trump made these comments at an unbelievably sensitive time in the investigation.

Tucker did the interview while accompanying Trump to Detroit on March 15, 2017, which means the interview took place sometime between 10:50 AM and 3:30 PM (Tucker said the interview happened at Willow Run Airport, but this schedule says he flew into DTW). Unless it was given special billing, it would have aired at 9PM on March 15.

That means Trump probably made the comments as the FBI was preparing a search of Schulte’s apartment, the first step the FBI took that would confirm for Schulte that he was the main suspect in the leak. Trump’s comments likely aired during the search, before the moment Schulte left his apartment with two passports while the search was ongoing.

CIA had had a bit of advance warning about the leak. In the lead-up to the leaks (at least by February 3), a lawyer representing Julian Assange, Adam Waldman, was trying to use the Vault 7 files to make a deal with the US government, at first offering to mitigate the damage of the release for some vaguely defined safe passage for Assange. The next day, WikiLeaks first hyped the release, presumably as part of an attempt to apply pressure on the US. Shortly thereafter, Waldman started pitching Mark Warner (who, with Richard Burr, could have granted Assange immunity in conjunction with SSCI’s investigation). On February 17, Jim Comey told Warner to stop his negotiations, though Waldman would continue to discuss the issue with David Laufman at DOJ even after the initial release. Weeks later, WikiLeaks released the initial dump of files on March 7.

An early WaPo report on the leak (which Schulte googled for its information about what the CIA knew before WikiLeaks published) claimed that CIA’s Internal Security had started conducting its own investigation without alerting FBI to the leak (though obviously Comey knew of it by mid-February). The same report quoted a CIA spox downplaying the impact of a leak it now calls “catastrophic.”

By March 13, the day the FBI got its first warrant on Schulte, the FBI had focused on Schulte as the primary target of the investigation. They based that focus on the following evidence, which appears to incorporate information from the CIA’s own internal investigation, an assessment of the first document dump, and some FBI interviews with his colleagues in the wake of the first release:

  • The FBI believed (and still maintains) that the files were stolen from the onsite backup server
  • Schulte was one of a small group of SysAdmins who had privileges to that server (in the initial warrant they said just three people did but have since revised the number to five)
  • The FBI believed (mistakenly) that the files were copied on March 7, 2016, a time when one of the other two known SysAdmins was offsite
  • Schulte had had a blow-up with a colleague that led to him souring on his bosses
  • During the period the CIA was investigating that blow-up, Schulte had reset his administrative privileges to restore his access to the backup server and one project he was working on
  • As part of his August security clearance renewal, some of Schulte’s colleagues said they thought he could be subject to coercion and was not adhering to rules on removable media
  • Just before he left, Schulte created two documents claiming to have raised concerns about the security of the CIA’s servers that (the government claims) he didn’t actually raise
  • Names identifying the two other SysAdmins who had access to the backup server, but not Schulte’s, were included in the initial release
  • In the six days since the initial Vault 7 release, Schulte had contacted colleagues and told them he thought he’d be a suspect but was not the leaker

Having obtained a warrant based off that probable cause, on the afternoon of March 13, FBI agents went to conduct a covert search of Schulte’s apartment. The FBI was trying to conduct the search before a trip to Mexico Schulte was scheduled to take on March 16, which (as the affidavit noted) would have been only his second trip outside the US reflected in DHS records. But when the FBI got to Schulte’s apartment, they found a slew of computer devices (listed at PDF 116), making the covert search impractical. So overnight, they obtained a second warrant for an overt search; the FBI obtained that warrant at 1:36 AM on March 14. During that same overnight trip to the magistrate, the FBI also obtained warrants for Schulte’s Google, Reddit, and GitHub accounts.

There’s a lack of clarity about this detail in the public record: the warrant is dated March 14, but it is described as the “March 15 warrant.” The overt search continued through the night in question, so it could either be March 14-15 or March 15-16. The government’s response to Schulte’s motion to suppress the search says, “The Overt Warrant was signed during the early morning hours of March 14, 2017, and the FBI executed the warrant the same day.” But a May 5, 2017 affidavit (starting at PDF 129) says the overt search of Schulte’s apartment took place on March 15.

Whatever day the search happened, it appears that the search started when the lead agent approached Schulte in the lobby of Bloomberg, perhaps as he was leaving work, and asked if he had a role in the leak, which Schulte denied. (This conversation is one basis for Schulte’s false statements charge; the Bill of Particulars describing the interview says it took place on March 15.) The agent got Schulte to confirm he was traveling to Mexico on March 16, then got Schulte to let them into his apartment (Bloomberg is at 120 Park Avenue; Schulte lived at 200 E 39th Street, five blocks away). The search of Schulte’s apartment went through the night. Sometime between 10 and 11 PM, Schulte left his apartment, telling the FBI Agents he’d return around 11:30 PM. By 12:15 AM he hadn’t returned, so the lead FBI Agent went and found him leaving Bloomberg. They told him they had found classified information in his apartment, and asked for his passports. He went back to his workstation to retrieve them, and voluntarily handed them over. The affidavit describes Schulte being put on leave by Bloomberg on March 16, the last day he reported to work at Bloomberg (which would be consistent with the search taking place on the night of March 15-16).

If the search took place overnight on March 14-15, Trump’s statements might have reflected knowledge the search had occurred (and that FBI had found classified information in Schulte’s apartment that would sustain an arrest on false statements and mishandling classified information charges, if need be). If the search took place overnight on March 15-16 (which seems to be what the record implies), it would mean Trump made the comments before the search and they would have been aired on Fox News during it.

In other words, Trump may well have made the comments at a time when FBI was trying to avoid giving Schulte any advance notice because they were afraid he might destroy evidence.

In addition, Trump undoubtedly made the comments (and Schiff highlighted the significance of them) before Schulte had follow-up interviews on March 20 and 21, at which he denied, among other things, ever making CIA’s servers more vulnerable to compromise. If Schulte had read Trump’s comment he’d be more worried about anything akin to hacking.

The question is, how much of what Trump said reflected real knowledge of the investigation, and to what degree should he have known that blurting this out could be unbelievably damaging to the investigation?

Given Trump’s imprecision in speech, his comments could derive entirely from the Vault 7 release itself, or at least a really high level briefing (with pictures!) of the compromise and CIA’s efforts to mitigate it.

But there are two pieces of evidence that suggest Trump may have been briefed in more detail about Schulte as a target.

Jim Comey testified on June 8, 2017 that, in addition to asking him to, “let this [Flynn thing] go,” Trump had asked him about a classified investigation, but that conversation was entirely professional.

WARNER: Tens of thousands. Did the president ever ask about any other ongoing investigation?

COMEY: No.

WARNER: Did he ever ask about you trying to interfere on any other investigation?

COMEY: No.

WARNER: I think, again, this speaks volumes. This doesn’t even get to the questions around the phone calls about lifting the cloud. I know other members will get to that, but I really appreciate your testimony, and appreciate your service to our nation.

COMEY: Thank you, Senator Warner. I’m sitting here going through my contacts with him. I had one conversation with the president that was classified where he asked about our, an ongoing intelligence investigation, it was brief and entirely professional.

Obviously there were a ton of investigations and this conversation could have taken place after Trump made the public comments. But the Vault 7 investigation would have been one of the most pressing investigations in the months before Comey got fired.

More directly on point, in his Presumption of Innocence blog, Schulte describes the interactions with the FBI during the search — which are consistent with them taking place on March 15 — this way (he has not sought to suppress the statements he made that night, which suggests his claims of coercion aren’t strong enough to impress his attorneys):

The FBI set an artificial and misguided deadline on the night before I was to depart NYC for Cancun to prevent me from leaving the country. Despite my insistence with them that the notion someone would flee the country AFTER the publication literally made no sense—if it were me communicating with WikiLeaks then obviously I would have made damn sure to leave BEFORE it happened—they were persistent in their belief that I was guilty. The FBI literally told me that everyone “up to the top” knew we were having this conversation and that “they” could not afford to let me leave the country. “They” could not afford another national embarrassment like Snowden. “They” would not, under any circumstances, allow me to leave the country. The FBI were prepared and willing to do anything and everything to prevent me from leaving the country including threaten my immediate arrest unless I surrendered my passport. I did NOT initially consent, but the FBI held me against my will without any arrest warrant and even actively disrupted my attempts to contact an attorney. Intimidated, fearful, and without counsel, I eventually consented. I was immediately suspended from work

Schulte’s an egotist and has told obvious lies, especially in his public statements attempting to claim innocence. But if it’s true that the FBI agents told him everyone “up to the top” knew they were having the conversation with him on March 15, it might reflect knowledge that people at least as senior as Comey or Sessions or Pompeo knew the FBI was going to conduct an overt search with one goal being to prevent Schulte from leaving the country. And given the purported reference to Snowden and the way the entire government pursued him, it is not impossible that Trump had been asked to authorize Schulte’s arrest if he didn’t surrender his passports.

In other words, it is certainly possible that when Trump boasted that the CIA’s hacking tools had been stolen under Obama and not under his Administration (an interesting claim to begin with, given the delay in CIA alerting the FBI that WaPo reported), he had been briefed about Schulte within the last 48 hours or even that morning.

To be clear, I’m not suggesting that this comment was a deliberate attempt to sabotage the FBI investigation. Trump has a habit of mindlessly repeating whatever he has heard most recently, so if Trump were briefed on the investigative steps against Schulte on the 14th or 15th, it’s not surprising he brought it up when sitting with Tucker mid-day on the 15th, particularly given that they were discussing surveillance.

But imagine how this would look to the FBI as Trump started engaging in outright obstruction of the Russian investigation, particularly by firing Comey. There’s nothing in the public record that suggests a tie between Schulte’s leaks and Russia. But Schulte’s leaks (most notably the Marble Framework he authored) not only would have made it easier for Russia to identify CIA’s Russian targets, but they would have forced CIA to rebuild during a period it was trying to figure out what had happened in 2016 (and NSA would be in the same position, post Shadow Brokers). When the FBI was trying to keep their focus on Schulte secret for one more day so they could get to his apartment before he started destroying things, Trump sat before a TV camera and made a comment that might have alerted Schulte the FBI did, indeed, believe he was the culprit.

And Trump did so all to blame Obama for a catastrophic leak rather than himself.

Dan Coats Still Refusing to Provide the Evidence that Russia Didn’t Affect the Election

Last month, I noted a troubling exchange between Martin Heinrich, Dan Coats, and Richard Burr in the Global Threats Hearing.

Martin Heinrich then asked Coats why ODNI had not shared the report on election tampering even with the Senate Intelligence Committee.

Heinrich: Director Coats, I want to come back to you for a moment. Your office issued a statement recently announcing that you had submitted the intelligence community’s report assessing the threats to the 2018 mid-term elections to the President and to appropriate Executive Agencies. Our committee has not seen this report. And despite committee requests following the election that the ODNI brief the committee on any identified threats, it took ODNI two months to get a simple oral briefing and no written assessment has yet been provided. Can you explain to me why we haven’t been kept more fully and currently informed about those Russian activities in the 2018–

Chairman Richard Burr interrupts to say that, in fact, he and Vice Chair Mark Warner have seen the report.

Burr: Before you respond, let me just acknowledge to the members that the Vice Chairman and I have both been briefed on the report and it’s my understanding that the report at some point will be available.

Coats then gives a lame excuse about the deadlines, 45 days, then 45 days.

Coats: The process that we’re going through are two 45 day periods, one for the IC to assess whether there was anything that resulted in a change of the vote or anything with machines, uh, what the influence efforts were and so forth. So we collected all of that, and the second 45 days — which we then provided to the Chairman and Vice Chairman. And the second 45 days is with DHS looking, and DOJ, looking at whether there’s information enough there to take — to determine what kind of response they might take. We’re waiting for that final information to come in.

After Coats dodges his question about sharing the report with the Committee, Heinrich then turns to Burr to figure out when they’re going to get the information. Burr at least hints that the Executive might try to withhold this report, but it hasn’t gotten to that yet.

Heinrich: So the rest of us can look forward — so the rest of us can then look forward to reading the report?

Coats: I think we will be informing the Chairman and the Vice Chairman of that, of their decisions.

Heinrich: That’s not what I asked. Will the rest of the Committee have access to that report, Mr. Chairman?

[pause]

Heinrich: Chairman Burr?

Burr: Well, let me say to members we’re sort of in unchartered ground. But I make the same commitment I always do, that anything that the Vice Chairman and myself are exposed to, we’ll make every request to open the aperture so that all members will be able to read I think it’s vitally important, especially on this one, we’re not to a point where we’ve been denied or we’re not to a point that negotiations need to start. So it’s my hope that, once the final 45-day window is up that is a report that will be made available, probably to members only.

Coming as it did in a hearing where it became clear that Trump’s spooks are helpless in keeping Trump from pursuing policies that damage the country, this exchange got very little attention. But it should!

DOJ missed its 45 day plus 45 day deadline of reporting whether any election tampering had had an effect. But just by one day. The day after their deadline, the Big Dick Toilet Salesman Matt Whitaker and serial liar Kirstjen Nielsen gave Trump a report claiming that any tampering had not had any impact on the election.

Although the specific conclusions within the joint report must remain classified, the Departments have concluded there is no evidence to date that any identified activities of a foreign government or foreign agent had a material impact on the integrity or security of election infrastructure or political/campaign infrastructure used in the 2018 midterm elections for the United States Congress. This finding was informed by a report prepared by the Office of the Director of National Intelligence (ODNI) pursuant to the same Executive Order and is consistent with what was indicated by the U.S. government after the 2018 elections.

While the report remains classified, its findings will help drive future efforts to protect election and political/campaign infrastructure from foreign interference.

Then, today, CyberComm boasted that they had helped deter Russia during the midterms.

Senators from both political parties on Thursday praised the military’s cyber force for helping secure last year’s midterm elections, with one suggesting it was largely due to U.S. Cyber Command that the Russians failed to affect the 2018 vote.

“Would it be fair to say that it is not a coincidence that this election went off without a hitch and the fact that you were actively involved in the protection of very important infrastructure?” Sen. Mike Rounds (R-S.D.) asked Gen. Paul Nakasone, the command’s leader, at a hearing of the Senate Armed Services Committee.

Military officials have said new authorities, approved over the last year, enabled CyberCom to be more aggressive — and effective — in what they privately say was an apparent success. Nakasone, who also heads the National Security Agency, stopped short of saying it was CyberCom that made the difference, telling Rounds that safeguarding the election was the agencies’ “number-one priority.”

But ODNI is still not providing SSCI — the people who are supposed to see such evidence — proof. Heinrich wrote Dan Coats a letter, signed by every member of SSCI,

Your office issued a statement in December that you had submitted the Intelligence Committee’s report assessing threats to the 2018 elections to the president and appropriate executive agencies. This month, the acting Attorney General and the Secretary of Homeland Security announced they had submitted their joint report evaluating the impact of any foreign interference on election infrastructure for the infrastructure of political organizations during the midterm elections.

While the agencies provided brief unclassified summaries of the reports’ findings, the Select Committee on Intelligence has not been provided either report. We request that you provide to all Committee Members and cleared staff both classified reports required by EO 13848 as soon as possible. Those reports are necessary for the Committee to meet its mission and charter to conduct vigorous oversight over the intelligence and intelligence-related activities of the United States Government.

They’re clearly hiding something. The question is whether it’s that Trump didn’t try to prevent tampering, or that some of the efforts — including the known effort to hack Claire McCaskill — actually did have an effect.