Michael Sussmann Archives - Page 4 of 11

Posts

The Methodology of Andrew DeFilippis’ Elaborate Plot to Break Judge Cooper’s Rules

May 20, 2022/101 Comments/in 2016 Presidential Election, Cybersecurity, emptywheel, Mueller Probe /by emptywheel

Thanks to those who’ve donated to help defray the costs of trial transcripts. Your generosity has funded the expected costs. If you appreciate the kind of coverage no one else is offering, we’re still happy to accept donations for this coverage — which reflects the culmination of eight months work.

When Michael Sussmann attorney Sean Berkowitz was walking FBI Agent Scott Hellman through the six meetings he had with Durham’s team on Tuesday — meetings he first had as a witness about the investigation into the Alfa Bank allegations and later in preparation for his trial testimony — Berkowitz asked Hellman about how, sometime earlier this year, Andrew DeFilippis and Jonathan Algor asked him whether he could serve as their DNS expert for the trial.

Q And then, more recently, you met with Mr. DeFilippis and I think Johnny Algor, who is also at the table here, who’s an Assistant U.S. Attorney. Correct?

A. Yes.

Q. They wanted to talk to you about whether you might be able to act as an expert in this case about DNS data?

A. Correct.

To Hellman’s credit, he told Durham’s prosecutors — who have been investigating matters pertaining to DNS data for two years — that he only had superficial knowledge of DNS and so wasn’t qualified to be their expert.

Q. You said, while you had some superficial knowledge, you didn’t necessarily feel qualified to be an expert in this case, correct, on DNS data?

A. On DNS data, that’s correct.

It wasn’t until the third day of trial before Durham’s team presented any evidence about the alleged crime. Instead, Durham’s first two witnesses were their nominal expert, David Martin, and Hellman, who told Durham he wasn’t an expert but who offered opinions he neither had the expertise to offer nor had done the work to substantiate.

That’s important, because DeFilippis used him to provide an opinion only an expert should give. And virtually everything about his testimony — his claim to have relied on the data in the materials without looking at the thumb drives, an apparently made up claim about the timing of the analysis, and behaviors that the FBI normally finds suspicious — suggest he’s not only not a DNS expert qualified to assess this report, but his assessment of the white paper Sussmann shared also suffers from serious credibility issues.

The battle over an expert

The testimony of the nominal expert, David Martin, was remarkably nondescript, particularly given the fight that led up to his testimony. Durham’s team sprung even having an expert on Sussmann at a really late date: on March 30, after months of blowing off Sussmann’s inquiries if they would. Not only did they want Martin to explain to the jury what DNS and Tor are, Durham’s team explained, but they also wanted him to weigh in on the validity of conclusions drawn by researchers who had found the anomaly.

the authenticity vel non of the purported data supporting the allegations provided to the FBI and Agency-2;
the possibility that such purported data was fabricated, altered, manipulated, spoofed, or intentionally generated for the purpose of creating the false appearance of communications;
whether the DNS data that the defendant provided to the FBI and Agency-2 supports the conclusion that a secret communications channel existed between and/or among the Trump Organization, Alfa Bank, and/or Spectrum Health;

[snip]

the validity and plausibility of the other assertions and conclusions set forth in the various white papers that the defendant provided to the FBI and Agency-2;

As Sussmann noted in his motion to limit Martin’s testimony, he didn’t mind the testimony about DNS and Tor. He just didn’t want this trial to be about the accuracy of the data, especially without the lead time to prepare his own expert.

As the Government has already disclosed to the defense, should the defense attempt to elicit testimony surrounding the accuracy and/or reliability of the data that the defendant provided to the FBI and Agency-2, Special Agent Martin would explain the following:

That while he cannot determine with certainty whether the data at issue was cherry-picked, manipulated, spoofed or authentic, the data was necessarily incomplete because it was a subset of all global DNS data;

That the purported data provided by the defendant nevertheless did not support the conclusions set forth in the primary white paper which the defendant provided to the FBI;

That numerous statements in the white paper were inaccurate and/or overstated; and

That individuals familiar with these relevant subject areas, such as DNS data and TOR, would know that such statements lacked support and were inaccurate and/or overstated.

Based off repeated assurances from Durham that they weren’t going to make accuracy an issue in their case in chief, Judge Cooper ruled that the government could only get into accuracy questions if Sussmann tried to raise the accuracy of the data himself. But if he said he relied on the assurances of Rodney Joffe, it wouldn’t come in.

The government suggests that Special Agent Martin’s testimony may go further, depending on what theories Sussmann pursues in cross-examination or his defense case. Consistent with its findings above, the Court will allow the government’s expert to testify about the accuracy (or lack thereof) of the specific data provided to the FBI here only in certain limited circumstances. In particular, if Sussmann seeks to establish at trial that the data were accurate, and that there was in fact a communications channel between Alfa Bank and the Trump Campaign, expert testimony explaining why this could not be the case will become relevant. But, as the Court noted above, additional testimony about the accuracy of the data—expert or otherwise—will not be admissible just because Mr. Sussmann presents evidence that he “relied on Tech Executive-1’s conclusions” about the data, or “lacked a motive to conceal information about his clients.” Gov’s Expert Opp’n at 11. As the Court has already explained, complex, technical explanations about the data are only marginally probative of those defense theories. The Court will not risk confusing the jury and wasting time on a largely irrelevant or tangential issue. See United States v. Libby, 467 F. Supp. 2d 1, 15 (D.D.C. 2006) (excluding evidence under Rule 403 where “any possible minimal probative value that would be derived . . . is far outweighed by the waste of time and diversion of the jury’s attention away from the actual issues”).

Then, days before the trial, the issue came up again. Durham sent a letter on May 6 (ten days before jury selection), raising a bunch of new issues they wanted Martin to raise. Sussmann argued that Durham was trying to expand the scope of what his expert could present. Among his complaints, Sussmann argued that Durham was trying to make a materiality argument via his expert witness.

Third, the Special Counsel apparently intends to offer expert testimony about the materiality of the false statement alleged in this case. Indeed, the Special Counsel’s supplemental topic 9 regarding the importance of considering the collection source of DNS data is plainly being offered to prove materiality. But the Special Counsel did not disclose this topic in either his initial expert disclosure or Opposition, and the Court’s ruling did not permit such testimony. The Special Counsel should not now be allowed to offer an entirely new expert opinion under the guise of eliciting testimony regarding the types of conclusions that can be drawn from a review of DNS data.

Judge Cooper considered the issue Tuesday morning, before opening arguments. When asking why Martin had to present the concept of visibility, DeFilippis explained that Hellman–the Agent who’s not an expert on DNS but whom DeFilippis nevertheless had asked to serve as an expert on DNS–would talk about the import of knowing visibility to assess data.

THE COURT: Well, but isn’t the question here whether a case agent — is your case agent later going to testify that that was something that the FBI looked at or wanted to look at in this case and was unable to do so, and that that negatively affected the FBI’s investigation in some way? MR.

DeFILIPPIS: Yes, and I expect Special Agent Hellman, who will testify likely today, Your Honor, I expect that that is a concept that he will say was relevant to the determination that — determinations he was making as he drafted analysis of the data that came in. And, again, I don’t think we — for example, another way in which this comes up is that the FBI routinely receives DNS data from various private companies who collect that data, and it is always relevant sort of the breadth of visibility that those companies have. So it’s relevant generally, but also in this particular case the fact that the FBI did not have insight into the visibility or lack of visibility of that data certainly affected steps that the FBI took.

THE COURT: Okay. But Mr. Sussman has not been accused of misrepresenting who the source is. He’s simply — but rather who the client is. So how do you link that to the materiality of the alleged false statement?

MR. DeFILIPPIS: Because, Your Honor, I think we view them as intertwined. It was because — it was in part because Mr. Sussman said he didn’t have a client that made it more difficult for the FBI to get to the bottom of the source of this data or made it less likely they would, and so — and, again, I don’t think we expect to dwell for a long time on this, but I think the agents and the technical folks will say that that is part of why the origins of the data are extremely relevant when they took investigative steps here.

When Cooper noted Sussmann’s objection to Martin discussing possible spoofing of data, DeFilippis again answered not about what Martin would testify, but what Hellman would.

As DeFilippis explained, he claimed to believe that under Cooper’s ruling, the government could put in any little thing they wanted that they claimed had been part of the investigation.

And Special Agent Hellman, when he testifies today — now, Your Honor’s ruling we understand to permit us to put into evidence anything about what the FBI analyzed and concluded as its investigation unfolded because that goes to the materiality of the defendant’s statement. So Special Agent Hellman — through Agent Hellman we will offer into evidence a paper he prepared when the data first came in, and among its conclusions is that the data might — he doesn’t use the word “spoof” — but might have been intentionally generated and might have been fabricated. That was the FBI’s initial conclusion in what it wrote up.

So in order for the jury to understand the course of the FBI’s investigation and the conclusions that it drew at each stage, those concepts are at the center of it.

[snip]

MR. DeFILIPPIS: Okay. Your Honor, I’m sorry. We understood your ruling to be that the FBI’s conclusions as it went along were okay as long as we weren’t asserting the conclusion that it was, in fact, fabricated. You know, I mean, it’s difficult to chart the course of the FBI’s investigation unless we can elicit at each stage what it is that the FBI concluded.

Judge Cooper ordered that references to spoofing be removed — leading to a last minute redaction of an exhibit — but permitted a discussion of visibility to come in.

After all that fight, Martin’s testimony was not only bland, but it was recycled powerpoint. He not only admitted lifting the EFF description of Tor for his PowerPoint, but he included their logo.

Hellman delivers the non-expert expert opinion Durham was prohibited from giving

As I said, Martin was witness number one, Hellmann — the self-described non-expert in DNS — was witness number two.

Even though Hellman admitted, again, that he’s not a DNS expert, DeFilippis still had him go over what DNS is.

Q. How familiar or unfamiliar are you with what is known as DNS or Domain Name System data?

A. I know the basics about DNS.

Q. And in your understanding, on a very basic level, what is DNS?

A. DNS is basically how one computer would try and communicate with another computer.

After getting Hellman to explain how he purportedly got chain of custody signatures on September 20, 2016 for the materials Michael Sussmann dropped off with James Baker on September 19, DeFilippis walked Hellman through how, he claimed, he had concluded that the allegations Sussmann dropped off were unsupported. Hellman reviewed the data accompanying the white paper, Durham’s star cybersecurity witness claimed on the stand, and after reviewing that data, determined there was no allegation of a hack in the materials and therefore nothing for the Cyber Division to look at. And, as a report he wrote “within a day” summarized, he concluded the methodology was horrible.

As you read the following exchange, know that (as I understand it) some, if not most, of what Hellman describes as the methodology is wrong. Obviously, if Hellman’s understanding of the methodology is wrong, then the opinion that DeFilippis elicits from a guy who admitted he was not an expert on DNS but whom DeFilippis nevertheless asked to serve as his expert witness on DNS before inviting David Martin in to present slides lifted from the Electronic Frontier Foundation instead [Takes a breath] … If Hellman’s understanding of the methodology and the data he’s looking at is wrong, then his opinion about the methodology is going to be of little merit.

With that understanding, note the objection of Sean Berkowitz, who fought DeFilippis’ late hour addition of an expert that DeFilippis wanted to use to opine on the validity of the research, bolded below.

So we looked at the top part, which set out your top-line conclusion. You then have a portion of the paper that says, “The investigators who conducted the research appear to have done the following.” Now, Special Agent Hellman, it appears to be a pretty technical discussion, but can you just tell us, in that first part of the paper, what did you set out and what did you conclude?

A. It looks to be that they were looking for domains associated with Trump, and the way that they did that was they looked at a list of sort of all domains and looked for domains that had the word “Trump” in them as a way to narrow down the number of domains they were looking at.

And then they wanted to find, well, which of that initial set of Trump domains, which of them are email servers associated with those domains. And the way they did that was to search for terms associated with email, like “mail” or other email-related terms to then narrow down their list of domains even further to be Trump-associated domains that were email servers.

Q. And did you opine on the soundness of that methodology? In other words, did you express a view as to whether this was a good way to go about this project?

A. We did not — I did not feel that that was the most expeditious way to go about identifying email servers associated with the domain.

Q. And why was that?

A. You can name an email server anything you want. It doesn’t have to have the words “mail” or “SMTP” in it. And so by — if you’re just searching for those terms, I would wager to guess you would miss an actual email server because there are other — there are other more technical ways that you can use — basically look-up tools, Internet look-up tools where you can say, for any domain, tell me the associated email server. That’s essentially like a registered email server. But the way that they were doing it was they were just looking for key terms, and I think that it just didn’t make sense to me why they would go about identifying email servers that way as opposed to just being able to look them up.

Q. Was there anything else about the methodology used here by the writer or writers of this paper that you found questionable or that you didn’t agree with?

A. I think just the overall assumptions that were being made about that the server itself was actually communicating at all. That was probably one of the biggest ones.

Q. And what, if anything, did you conclude about whether you believed the authors of the paper or author of the paper was fairly and neutrally conducting an analysis? Did you have an opinion either way?

MR. BERKOWITZ: Objection, Your Honor.

THE COURT: Basis?

MR. BERKOWITZ: Objection on foundation. He asked him his opinion. He’s not qualified as an expert for that.

THE COURT: I’ll overrule it.

A. Sorry, can you please repeat the question?

Q. Sure. Did you draw a conclusion one way or the other as to whether the authors of this paper seemed to be applying a sound methodology or whether, to the contrary, they were trying to reach a particular result? Did you —

A. Based upon the conclusions they drew and the assumptions that they made, I did not feel like they were objective in the conclusions that they came to.

Q. And any particular reasons or support for that?

A. Just the assumption you would have to make was so far reaching, it didn’t — it just didn’t make any sense.

That’s how, as his second witness, Andrew DeFilippis introduced the opinion of a guy who admitted he wasn’t an expert on DNS that DeFilippis had asked to serve as an expert even though DeFilippis should have known that he didn’t have the expertise to offer expert opinions like this.

If Sussmann is found guilty, I would bet a great deal of money this stunt will be one part of a several pronged appeal, because Judge Cooper permitted DeFilippis to do precisely what Cooper had prohibited him from doing before trial, and he let him do it with a guy who by his own admission is not a DNS expert.

Cyber Division reaches a conclusion without looking at the thumb drives

Now let’s look at what Hellman describes his own methodology to be.

First, it was quick. DeFilippis seems to think that serves his narrative, as if this stuff was so crappy that it took a mere glimpse to discredit it.

Q. Special Agent Hellman, how long would you say it took you and Special Agent Batty to write this up?

A. Inside of a day.

Q. Inside of a day, you said?

Berkowitz walked Hellman through the timeline of it, and boy was it quick. There’s some uncertainty about this timeline, because John Durham’s office doesn’t feel the need to make clear whether exhibits they’re turning over in discovery reflect UTC or ET. But I think I’ve laid it out below (Berkowitz got it wrong in cross-examination, which DeFilippis used to attack his analysis).

As you can see, not only were FBI’s crack cybersecurity agents making a final conclusion about the data within a day but — by all appearances — they did so before they had ever looked at the thumb drives included with the white papers. From the record, it’s actually not clear when — if!!! — they looked at the thumb drives. But it’s certain they had their analysis finalized no more than one working day after they admitted they hadn’t looked at the thumb drive, which was itself after they had already decided the white paper was shit.

Timeline

September 20, 10:20AM: Nate Batty tells Jordan Kelly they’ll come from Chantilly to DC get the thumb drives

September 20, 10:31AM: Jordan Kelly tells Batty the chain of custody is “Sussman to Strzock to Sporre”

September 20, 12:29PM: Hellman and Nate Batty accept custody of the thumb drives

September 20, 1:30PM: Hour drive back to Chantilly, VA

September 20, 4:44PM: Hellman appears to explain the process of picking up the thumb drives to jrsmith, claiming to have spoken to Baker on the phone. jrsmith jokes about “doctor[ing] a chain of evidence form.”

September 20, 4:58: Hellman says the more he reads the report “it feels a little 5150ish,” suggesting (as he explained to Berkowitz on cross) the authors suffered from a mental disability, and Hellman complains that “it contains an absurd quantity of data” to which Batty responded, the data seemed “inserted to overwhelm and confuse the reader.”

September 21, 8:47AM: Batty tells Hellman their supervisor wants them to “write a brief summary of what we think about the DNC report.” Batty continues by suggesting that “we should at least plug the thumb drives into Frank’s computer and look at the files…”

9/22, 9:44AM: Curtis Heide, in Chicago, asks Batty to send the contents of the thumb drive so counterintelligence agents can begin to look at the evidence. The boys in Cyber struggle to do so for a bit.

9/22, 2:49PM: Batty asks Hellman what he did with the blue thumb drive.

9/22, 4:46PM: Batty sends “analysis of Trump white paper” to others.

In other words, the cyber division spent less than 28 hours doing this analysis.

Yes. The analysis was quick.

Hellman says his analysis is valid because he looked at the data

The hastiness of the analysis and the fact that Hellman didn’t look at the thumb drive before making initial conclusions about the research is fairly problematic, because when he discussed his own methodology, he described the data driving everything.

Q. Now, what principally, from the materials, did you rely on to do your analysis?

A. So it was really two things. It was looking at the data, the technical data itself. There was a summary that it came with. And then also we were comparing what we saw in the data, sort of the story that the data told us, and then looking at the narrative that it came with and comparing our assessment of the data to the narrative.

[snip]

Q. And in connection with that analysis, did you also take a look at the data itself that was underlying this paper?

A. Yes

[snip]

Q. And if we look at that first page there, Agent Hellman, what kind of data is this?

A. It appears to be — as far as I can tell, it looks to be — it’s log data. So it’s a log that shows a date and a time, a domain, and an IP address. And, I mean, that’s — just looking at this log, there’s not too much more from that.

Q. And do you understand this to be at least a part of the DNS data that was contained on the thumb drives that I think you testified about earlier?

A. Yes.

[snip]

A. It would have mattered — well, I think on one hand it would not have mattered from the technical standpoint. If I’m looking at technical data, the data’s going to tell me whatever story the data’s going to tell me independent of where it comes from. So I still would have done the same technical analysis.

But knowing where the data comes from helps to tell me — it gives me context regarding how much I believe in the data, how authentic it is, do I believe it’s real, and do I trust it. [my emphasis]

He repeated this claim on cross with Berkowitz.

I just disagreed with the conclusions they came to and the analysis that they did based upon the data that came along with the white paper.

When Berkowitz asked him why counterintelligence opened an investigation when Cyber didn’t, Hellman suggested that the people in CD wouldn’t understand how to read the technical logs.

A. Um, I think they’d probably be looking at it from the same vantage point, but if you’re not — you don’t have experience looking at technical logs, you may not have the capability of doing a review of those logs. You might rely on somebody else to do it. And perhaps counterintelligence agents are going to be thinking about other investigative questions. So I guess it would probably be a combination of both.

“If I’m looking at technical data,” DeFilippis’ star cybersecurity agent explained, “the data’s going to tell me whatever story the data’s going to tell me.”

Except he didn’t look at the technical data, at least not the data on the thumb drives, before he reached his initial conclusion.

Hellman makes a claim unsupported by the data in his own analysis

I’ll leave it to people more expert than me to rip apart Hellman’s own analysis of the white paper Sussmann shared with the FBI. In early consultations, I’ve been told he misunderstood the methodology, misunderstood how researchers used Trump’s other domains to prove that just one had this anomaly (that is, as a way to test their hypothesis), and misstated the necessity of some long-term feedback loop for this anomaly to be sustained. Again, the experts will eventually explain the problems.

One part of his report that I know damns his methodology, however, is where he says the researchers,

Searched “…global nonpublic DNS activity…” (unclear how this was done) and discovered there are (4) primary IP addresses that have resolved to the name “mail1.trump-email.com”. Two of these belong to DNS servers at Russian Alfa Bank. [my emphasis]

This is the point where every single person I know who assessed these allegations who is at least marginally expert on DNS issues stopped and said, “global nonpublic DNS activity? There are only a handful of people that could be!” See, for example, this Robert Graham post written in response to the original Slate story, perhaps the most influential critique of the allegations, probably even on Durham. Every marginally expert person I know has, upon reading something like that, tried to figure out who would have that kind of visibility on the data, because that kind of visibility, by itself, would speak to their expertise. Those marginally expert people did not have the means to identify the possible sources of the data. But a lot of them — including the NYTimes!! — were able to find people who had that kind of visibility to better understand the anomaly. When Hellman read that, he simply said, “unclear how this was done” and moved on.

Still, Hellman did not contest (or possibly even test) the analysis that said there were really just four IP addresses conducting look-ups with the Trump marketing server. Dozens of people have continued to test that result in the years since, and while there have been adjustments to the general result, no one has disproven that the anomaly was strongest between Alfa Bank and Trump’s marketing domain.

Where Hellman’s insta-analysis really goes off the rails, however, is in his assertion that, “it appears that the presumed suspicious activity began approximately three weeks prior to the stated start date of the investigation conducted by the researcher.”

I’m not a DNS expert, but I’m pretty good at timelines, and by my read here are the key dates in the white paper.

May 4, 2016: Beginning date for look-up analysis

July 28, 2016: Lookup for hostnames yielding Trump

September 4, 2016: End date for look-up analysis

September 14, 2016: Updated search for look-ups covering June 17 through September 14

The start date reflected in this white paper is July 28, 2016. Three weeks before that would be July 7, 2016, a date that doesn’t appear in the white paper. The anomaly started 85 days before the start date reflected in this white paper (and the start date for the research began months earlier, but still over three weeks after the May 4 start date).

I don’t understand where he got that claim. But DeFilippis repeated it on the stand, as if it were reflected in the data, I guess believing it makes his star cybersecurity agent look good.

DeFilippis’ star cybersecurity agent has some credibility problems

There are a few more problems with the credibility of Hellman, DeFilippis’ star cybersecurity agent who is not a DNS expert. One of those is that he compared notes with his boss before first testifying.

Q: And you also spoke with Nate Batty around that time, Right?

A: Yes.

Q: Did you talk to him before the first interview to kind of get ready for it?

A: I think so, but I don’t remember.

Q: Is that something that you encourage witnesses to do, to talk to other witnesses to see if your recollections are consistent?

A: No.

In addition, notwithstanding that Batty was told that Sussmann was in the chain of control, Batty claimed to believe the source was “anonymous” and Hellmann claimed to believe it was sensitive–a human source. Even after comparing notes their stories didn’t match.

There are other problems with Hellman’s memory of the events, notably that in his first interview — the one he did shortly after comparing notes with Batty — he claimed that Baker had told him he was unable to identify the source of the data.

Q. And when you went to Mr. Baker’s office, do you remember what, if anything, was said during that discussion or during that interaction?

A. I remember being in the office, but I don’t distinctly recall what the conversation was. I do remember after the fact, though, that I was frustrated that I was not able to identify who had provided these thumb drives, this information to Mr. Baker. He was not willing to tell me.

At the very least, this presents a conflict with Baker’s testimony, but it’s also another testament to how variable memories can be four years, much less six years, after the fact.

Hellman also claimed, when asked on cross, that the first time he had ever seen the reference to a “DNC report” in September 21 Lync notes he received was two years ago, when he was first interviewed.

A: The first time I saw this was two years ago when I was being interviewed by Mr. DeFilippis, and I don’t recall ever seeing it. I never had any recollection of this information coming from DNC. I don’t remember DNC being a part of anything we read or discussed.

Q: Okay. When you say, the first time you saw it was two years ago when you met with Mr. DeFilippis, that’s not accurate. Right? You saw it on September 21st, 2016. Correct?

A: It’s in there. I don’t have any memory of seeing it.

And when Sean Berkowitz asked about Hellman the significance of seeing the reference to a “DNC report” first thing on September 21, he described that DeFilippis suggested to him that it was likely just a typo for DNS.

Q. What’s your explanation for it?

A. I have no recollection of seeing that link message. And there is — I have absolutely no belief that either me or Agent Batty knew where that data was coming from, let alone that it was coming from DNC. The only explanation that popped or was discussed was that it could have been a typo and somebody was trying to refer to DNS instead of DNC.

Q. So you think it was a typo?

A. I don’t know.

Q. When you said the only one suggesting it — isn’t it true that it was Mr. DeFilippis that suggested to you that it might have been a typo recently?

A. That’s correct.

When asked about a topic for which there was documentary evidence Hellman had seen in real time that he claimed not to remember, Andrew DeFilippis offered up an explanation that Hellman then offered on the stand.

On the stand, DeFilippis also tried to get Hellman to call a marketing server a spam server, though Hellman resisted.

Once you look closely, I don’t think Hellman’s testimony helps Durham all that much. What it proves, however, is that DeFilippis attempted to coach testimony.

One final thing. DeFilippis got his star cybersecurity agent to observe that the researchers didn’t include their name or other markers on their report, as if that’s a measure of unreliablity.

Q. Now, let me ask you, were you able to determine from any of these materials who had actually drafted the paper alleging the secret channel?

A. No.

Q. In other words, was it contained anywhere in the documents?

Here’s what Hellman’s own report looks like:

There’s a unit — ECOU1 — but the names of the individual agents appear nowhere in the report. The report is not dated. It does not specifically identify the white papers and thumb drives by control numbers, something key to evidentiary analysis.

It has none of the markers of regularity you’d expect from the FBI. Hellman’s own analysis doesn’t meet the standards that DeFilippis uses to measure reliability.

This long-time Grand Rapids resident is furious that Hellman judged there was no hack

Everything above I write as a journalist who has tried to understand this story for almost six years. Between that and 18 years of covering national security cases, I hope I now have sufficient familiarity with it to know there are real problems with Hellman’s analysis.

But let me speak as someone who lived in Grand Rapids for most of this period, and had friends who had to deal with the aftermath of Spectrum Health appearing at the center of a politically contentious story.

Hellman had, as he testified, two jobs. First, he was supposed to determine whether there were any cyber equities, then he was supposed to do some insta-analysis of the data without first looking at the thumb drives.

According to Hellman, there was no hack.

I was asked to perform two tasks in tandem with Special Agent Batty, and our tasks were, number one, to look at this data, look at the data and look at the narrative that it came with and identify were there any what’s known as cyber equities. And by that it was, was there any allegation of a hacking. That’s what cyber division does. We investigate hacking. So was there an allegation that somebody or some company or some computer had been hacked. That was first.

[snip]

As I mentioned, the first piece was we had to identify was there any real allegation of hacking; and there was not. That was our first task by our supervisor. There was not.

[snip]

The allegation was that someone purported to find a secret communication channel between the Trump organization and Russia. And so we identified first that, no, we didn’t think that there was any cyber equity, meaning that there was probably nothing more for cyber to investigate further, if there was no hacking crime.

Except here’s what the white paper says about Spectrum, that Grand Rapids business that was swept up in this story.

The Spectrum Health IP address is a TOR exit node used exclusively by Alfa Bank. ie., Alfa Bank communications enter a Tor node somewhere in the world and those communications exit, presumably untraceable, at Spectrum Health There is absolutely no reason why Spectrum would want a Tor exit node on its system. (Indeed, Spectrum Health would not want a TOR node on its system because, by its nature, you never know what will come out of a TOR node, including child pornography and other legal content.)

We discovered that Spectrum Health is the victim of a network intrusion. Therefore, Spectrum Health may not know it has a TOR exit node on its network. Alternatively, the DeVos family may have people at Spectrum who know there is a TOR node. i.e., could have been placed there with inside help.

When faced with some anomalous activity that seemed to tie into the weird DNS traffic, the experts suggested that maybe the Spectrum hack related to the DNS anomaly.

To be clear, this Tor allegation is the the weakest part of this white paper. You will hear about this to no end over the next week. It was technically wrong.

But the allegation in the white paper is that maybe a recent hack of Spectrum Health is why it had this anomalous traffic with Trump’s marketing server. There’s your hack!!

Had the people at FBI’s cybersecurity side actually treated this as a possible compromise, it might have addressed the part of this story that never made any sense. And we might not, now, six years later, be arguing about what might explain it.

Let me be clear: I do think the white paper overstated its conclusions. I don’t think secret communication is the most obvious explanation here.

But there are hacks and then there are hacks in the testimony of DeFilippis’ star cybersecurity agent.

Update: Corrected an attribution to Batty instead of Hellman.

Update: Fixed my own timeline.

Update: Added link to Robert Graham’s analysis.

Update: This may be where Hellman gets his erroneous three week claim. There were two histograms included with the report. One, the close-up, does start around July 7.

But the broader scope shows look-ups earlier, very actively in June, but with a few stray ones in May.

~~The government didn’t include the pages and pages of logs that Batty complained about in this exhibit. Had they, it would be clear to jurors that this claim is false.~~

Update: Correction on two points. First, I think I’ve finally got the Lync exchange above correct between Batty and Hellman. As noted, Hellman complains that “it contains an absurd quantity of data” to which Batty responded, the data seemed “inserted to overwhelm and confuse the reader.”

Second, I was wading through exhibits this morning and found the exhibit of 19 pages of logs. Here’s just a subset of them, including logs that go back to May 2016. Hellman didn’t look even at the printed page of log files closely enough to realize his claim about three weeks was wrong. These data weren’t intended to overwhelm the reader. They were there to show how the anomaly accelerated during the election.

Brittain Shaw’s Privileged Attempt to Misrepresent Eric Lichtblau’s Privilege

May 20, 2022/11 Comments/in 2016 Presidential Election, Mueller Probe, Press and Media /by emptywheel

In the first words of her opening argument in the Michael Sussmann case, Durham prosecutor Brittain Shaw argued that this case is all about Sussmann’s privilege, his purported ability to exploit high level ties at DOJ to seed what she claims would be a smear campaign against the guy who was, in fact, hiding secret communications with the Kremlin and soliciting hacks of his opponent.

The evidence will show that this is a case about privilege: the privilege of a well-connected D.C. lawyer with access to the highest levels of the FBI; the privilege of a lawyer who thought that he could lie to the FBI without consequences; the privilege of a lawyer who thought that for the powerful the normal rules didn’t apply, that he could use the FBI as a political tool.

The really painful irony of this case, though, is that Sussmann is being significantly hamstrung because of privilege, attorney-client privilege, because it is limiting his ability to present evidence about what really happened.

When Judge Christopher Cooper ruled that a subset of emails that had been protected under privilege were not, after all, he explained that, the documents, “do not strike the Court as being particularly revelatory.” Even so, Sussmann and Fusion can’t, ethically, simply offer up emails over which the Democrats are claiming privilege. There’s good reason to believe if they could, they could show that significant parts of Durham’s conspiracy theory have been based on imagining that Democrats were hiding the worst possible plotting behind privilege claims, when in fact the reality was much more mundane.

Take two exhibits from the trial as an example. Durham is making much of a September 15, 2016 email from Marc Elias to top people on the campaign. Its subject line was “Alfa article.” But it appears to be sharing an article about “testimony of an oil trader.” If Sussmann could share it, it might simply show that Elias had seen an article about corruption and seen some tie with the Alfa Bank allegations. He can’t, because Elias is the one who made that connection.

Meanwhile, two exhibits Sussmann introduced into evidence show Robby Mook — who is not a lawyer — sharing Sidney Blumenthal “intelligence” with him that the Trump campaign was freaking out because they had gotten advance word of a NYT article about Trump’s ties with Russia.

The Trump campaign is having “a major league freak-out,” according to a Republican source who has been reliable in the past. What is causing the Trump “freak-out” is anticipation of an investigative story to be published by the New York Times. The subject is described as “Russia” and “a disaster.” “That is completely the story of everything going on since Thursday,” insists the source. The Times story, says the source, accounts for Tramp’s extraordinarily defensive aggressive reactions–his declaration that he will sue the New York Times, his personal tweeting attack on Maureen Dowd as “wacky” and a neuSidney rotic dope,” (though the source says “that’s just him anyway”), his call for the assassination of HRC, and the campaign’s push to the media of the flat-out lie that I was behind birtherism in 2008. On Saturday night, Trump tweeted: “My lawyers want to sue the tailing @nytimes so badly for irresponsible intent. I said no (for now), but they are watching. Really disgusting.” Trump did not specify why the Times might be guilty of”irresponsible intent,” which in any case lacks any legal weight. Earlier on Saturday, he tweeted that the Times was “a laughingstock rag.” The atmosphere inside the campaign is described as chaotic, frenetic and “spontaneous.” Bannon and Bossie are said to be grasping at anything to throw back in order to distract from and fend off the coming story. Journalistic sources have independently said that reporters at the Times are working on a Tromp-Russia story.

It wouldn’t be a high profile political trial, I guess, if Sid Blumenthal didn’t make a showing. Note that Mike Flynn’s Mueller interviews show him responding to some Sid Blumenthal stuff in precisely this period, so it’t clear Sid was talking to Republicans.

Anyway, that part — Blumenthal sharing with Mook — was not privileged. And that part makes it clear that Elias was right to be concerned about Trump suing if the Hillary campaign made factual observations about his ties with Russia. It also may (though this is uncertain) back Sussmann’s understanding that Eric Lichtblau was close to publishing the Alfa story, so close that Trump’s moles at the NYT had alerted him to it. But whatever Mook said about it to Elias, the campaign’s lawyer guarding against lawsuits, is privileged, as whatever Elias said to Sussmann and the Fusion guys when he forwarded Mook’s comment would be.

Whatever was said may have influenced Sussmann’s decision to go to the FBI, though, as this was shortly before he texted Jim Baker and asked to meet.

In his testimony, Elias stated that he had not given Sussmann permission to go to the FBI with the Alfa Bank story. He doesn’t think he knew until shortly afterwards, though could have learned before (the Blumenthal story may serve to explain a call that Sussmann knows prosecutors plan to dramatically reveal).

You testified that you became aware that Mr. Sussmann went to the FBI. Correct?

A. Yes.

Q. And your testimony was that you think that you were told right after, although there’s a possibility it was right before?

A. Yes.

Q. Your best recollection is which of those?

A. Is after.

Q. Okay. Did you tell him to go to the FBI?

A. No.

Q. Did he seek your permission to go to the FBI?

A. No.

Q. Did you authorize him to go to the FBI?

A. No.

Q. Are you aware of anyone at the Clinton Campaign that authorized Mr. Sussmann to go to the FBI to share the possibility of The New York Times story?

A. Not that I’m aware of. No.

Q. Did you consent to his going to the FBI?

A. No, not that I remember. No.

Elias even explained what a colossally bad idea it would be for a candidate whose campaign had been badly damaged by Jim Comey to go to the FBI.

A. First of all, the FBI had in my view not been particularly helpful in investigating or doing anything to prevent the leaks of the emails. The exfiltration is one thing, you know, the stealing of the emails. But the publication of the emails, it was not just this one time. I mean, we were dealing with multiple publications of emails. And it was not just this one client.

And I think my sense was that the FBI was not for a variety of reasons going to do anything that was going to be — like stop bad things from happening, which would be one reason to go for the FBI.

The second, which is more unique to the Clinton Campaign, is that I think he was then the FBI director, but James Comey had taken public stances in around that time period that were in my view unfair and putting a thumb on the scale against Secretary Clinton.

So I’m not sure that I would have thought that the FBI was going to be — give a fair shake to anything that they viewed as anti-Trump or pro-Clinton.

And then the final thing is that if The New York Times was going to run this story, like that’s the goal. Right? The New York Times runs the story. If you get the FBI involved, any number of things could prevent that from happening. Right?

In the most extreme instance, the FBI can go to the publication and say: Please don’t. But the second is, the newspaper itself might then want to do further reporting on the FBI investigation and delay its story. Right?

So, like, even in a world in which, like, the FBI is being helpful — not being helpful; even in a world in which the FBI is doing stuff, the media may not run the story because they want to get the full picture because they view the FBI piece of it as an essential piece of the story.

It’s certainly possible that, given this advance warning of a Trump shit-storm, Sussmann decided it would be best to give FBI a head’s up. Sussmann, however, can’t ethically share the communications between Elias and him, even if it would help him. That’s how privilege works.

With that in mind, consider what Shaw said in Durham’s bid to keep Eric Lichtblau off the stand (this appears to have been filed two days after Judge Cooper ordered it, but one of the Durham lawyers has had a family emergency so they may have gotten an extension).

After explaining that prosecutors need to question Lichtblau about things the scope of which have been specifically excluded in the trial, a footnote claims that they won’t violate Judge Cooper’s rules about such things (they have, serially, during the trial).

The government should be permitted to cross-examine Lichtblau about any communications he had with other individuals, including, but not limited to, Fusion GPS personnel and computer researchers, regarding the alleged connections between the Trump Organization and Alfa bank. To the extent Sussmann, Fusion GPS, or others (including computer researchers) approached or communicated with Lichtblau concerning Alfa Bank or related matters, the government should be permitted to question Lichtblau about such exchanges, as they are relevant to the defendant’s communications with Lichtblau on these same issues and are probative of the defendant’s alleged actions on behalf of clients (Rodney Joffe and the Clinton Campaign). The government also intends to cross-examine Lichtblau on issues pertaining to the credibility and reliability of his testimony. 1

[snip]

If Fusion GPS (which was hired by the defendant’s firm on behalf of the Hillary for America Campaign) and other persons known to Joffe and/or Sussmann similarly supplied opposition research-type information to Lichtblau regarding the Trump Organization as a part of a coordinated effort, this would be relevant to demonstrate that Sussmann was not acting merely as a concerned citizen trying to help the FBI when he met with FBI General Counsel and that his contrary representations were false. Indeed, the Government is aware that Sussmann and Joffe did enlist and/or task one or more other computer researchers to communicate with the media (including Lichtblau) concerning these matters

1 The government will abide by the Court’s order of May 7, 2022 and, in accordance with that order, will not “put on extensive evidence” about the accuracy of the data provided by Sussmann or his clients to the FBI, Lichtblau, or others. See Op. & Order (“In Limine Order”) at 5, ECF No. 121. [my emphasis]

Here, Shaw states as fact that the computer research was opposition research. It was not.

I am 100% certain that if Lichtblau could testify about all the people he spoke with on this story, he could explain that many if not most of the people involved — as well as a bunch of other people, including at least one whom prosecutors have affirmatively claimed did not have a role in chasing down this anomaly — believed the anomaly was real and were motivated out of a genuine alarm about the Russian attack that year. Yes, the NYT found people who pushed back (more so after the FBI killed the story). But that’s what makes Lichtblau’s work reporting, not opposition research.

If Lichtblau is able to testify, he could also provide a key piece of important context to evidence the government has already presented. Yesterday, Jim Baker described how, starting on September 21, he reached out to Sussmann for the name of the reporter working on the story.

Baker provided Lichtblau’s name to Bill Priestap before noon on September 22. But Lichtblau didn’t meet with the FBI until Monday, September 26.

We know that in between, the FBI called Cendyn, leading them to alter their DNS address, and the NYT called a representative for Alfa Bank which later — NYT believed, at least — led Alfa to alter their DNS address. The NYT believed that there was a response from Alfa that indicated they were trying to hide this activity.

A key part of Durham’s claim is that NYT wasn’t close to publishing when Sussmann went to the FBI and that Sussmann was, instead, trying to provide urgency for the story. That doesn’t accord with my understanding and it doesn’t accord with what Dexter Filkins has written. Durham can keep telling it so long as Lichtblau doesn’t testify.

One thing that happened, though — in addition to initial contacts that would have alerted Lichtblau that the FBI didn’t want him to publish — was the response to those calls after Sussmann and Joffe decided to share Lichtblau’s name. There was new news that Lichtblau had to try to understand that created a new delay.

As with Sussmann, it would be nice for Lichtblau if he could describe all the efforts he made to verify the story. If he could, it would demonstrably undercut several of the claims Durham is making. He can’t, because he has separate confidentiality agreements with those other sources.

Shaw, who accuses Sussmann of being privileged, completely flips how privilege works on its head (including by mis-citing the David Tatel concurrence in the Judy Miller subpoena, which as I understand it would support Lichtblau making the call about the scope of his testimony). She ties it to a topic rather than a privileged relationship to accuse Lichtblau of trying to selectively pick which parts of the story he can tell.

The D.C. Circuit has “declined to adopt a selective waiver doctrine” in the context of attorney-client communications that “would allow a party voluntarily to produce documents covered by the attorney-client privilege to one party and yet assert the privilege as a bar to production to a different party.” United States v. Williams Companies, Inc., 562 F.3d 387, 394 (D.C. Cir. 2009). “The client cannot be permitted to pick and choose among his opponents, waiving the privilege for some and resurrecting the claim of confidentiality to obstruct others.” Permian Corp. v. United States, 665 F.2d 1214, 1221 (D.C. Cir. 1981). Privilege holders must instead “treat the confidentiality of attorney-client communications like jewels—if not crown jewels” because courts “will not distinguish between various degrees of ‘voluntariness’ in waivers of the attorney-client privilege.” In re Sealed Case, 877 F.2d 976, 980 (D.C. Cir. 1989).

This principle—which restricts a privilege of “ancient lineage and continuing importance,” In re Sealed Case, 877 F.2d at 980—necessarily governs the novel and qualified reporter’s privilege advanced in this case. Sussmann subpoenaed Lichtblau to appear as a witness and Lichtblau has not moved to quash. Lichtblau and defendant Sussmann cannot “tactical[ly] employ[]” the asserted privilege to pick and choose the topics that may be put to Lichtblau on the witness stand. Permian Corp., 665 F.2d at 1221. Privileges are not “tool[s] for selective disclosure.” Ibid

I get why someone in the grips of a fevered conspiracy theory would make this argument. Durham believes that everyone involved with the Alfa Bank story was part of the same malicious conspiracy targeting poor Donald Trump, even though DOJ has in its possession abundant proof that’s false. Yet even in this case, Cooper has distinguished between the privileged relationships that Joffe has with what the Democrats have, and he has also pointed to affirmative evidence that this wasn’t one big conspiracy.

But Shaw would have you believe that Lichtblau’s privilege obligations are tied to a project, a story, and not a bunch of individuals, many of whom he had existing relationships with well before this story.

A lawyer not in the grip of a fevered conspiracy theory, however, would understand that that kind of privilege doesn’t make you special, it creates an obligation, even if the obligation prevents you from using your profession from helping yourself.

emptywheel’s Continuing Obsession with Sticky Notes, Michael Sussmann Trial Edition

May 20, 2022/15 Comments/in 2016 Presidential Election, Mueller Probe /by emptywheel

Longtime readers of emptywheel are no doubt familiar with my obsession with the weird prevalence of sticky notes that appear on exhibits used by prosecutors Bill Barr appointed to launch politicized witch hunts. These posts provide a background, but the tl;dr is that I caught the Jeffrey Jensen crew adding dates on sticky notes, some inaccurate, to FBI notes as part of the effort to kill the Mike Flynn prosecution.

The Jeffrey Jensen “Investigation:” Post-It Notes and Other Irregularities (September 26, 2020)

Shorter DOJ: We Made Shit Up … Please Free Mike Flynn (October 27, 2020)

John Durham Has Unaltered Copies of the Documents that Got Altered in the Flynn Docket (December 3, 2020)

John Durham Is Hiding Evidence of Altered Notes (April 5, 2022)

As I noted here, there some reason to believe Durham’s evidence comes from the same collection of documents as Jeffrey Jensen’s.

Durham released the trial versions of Bill Priestap and Trisha Anderson’s notes yesterday. So without further commentary (for now), I’d like to post how these notes appeared in the filing he used to get the notes admitted in the first place with what the jury will see.

Priestap notes motion version

Priestap notes trial exhibit version

Anderson notes motion version

Anderson notes trial exhibit version

John Durham’s Lies with Metadata

May 19, 2022/85 Comments/in 2016 Presidential Election, Mueller Probe /by emptywheel

I’d like to thank John Durham for showing us back in April how he was going to mislead the jury with metadata.

He appears to have done just that, yesterday, with several exhibits entered into evidence. And I fear that unless Durham’s lie is corrected, he will gravely mislead the jury.

As I pointed out in April, because of the email system at Fusion GPS, the first email in any thread they produced to Durham renders as UTC; the rest render as ET. So, for the emails on which one could check, the first email in every thread they released in April was four hours later than the time the email was actually sent.

Durham has revealed that his exhibit has irregularities in the emails pertaining to a key issue: whether Fusion sent out a link to April Lorenzen’s i2p site before Mark Hosenball sent it to them.

This shows up in the timestamps. In the exhibit, the lead email for each appearance appears to be set to UTC, whereas the sent emails included in any thread appear to be set to ET.

For example, in this screencap, the time shown for Mark Hosenball’s response to Peter Fritsch (the pink rectangle) is 1:35 PM, which is presumably Eastern Time.

In this screencap, the very same response appears to be sent at 5:36PM, which is presumably UTC.

Both instances of Peter Fritsch’s email (the green rectangle), “that memo is OTR–tho all open source,” show at 1:33PM, again, Eastern Time.

To be clear: this irregularity likely stems from Fusion’s email system, not DOJ’s. It appears that the email being provided itself is rendered in UTC, while all the underlying emails are rendered in the actual received time.

That means if you show someone only the first email in a thread, you will be misrepresenting what time that email was sent.

That’s what Durham did yesterday with a bunch of Fusion-produced emails he submitted during Laura Seago’s testimony, including (but not limited to):

Over and over, Andrew DeFilippis showed these to Laura Seago and asked her to state what date and time the emails were.

MR. DeFILIPPIS: Okay. And, Your Honor, if there’s no objection from the defense, we’ll offer Government’s Exhibit 612.

MR. BERKOWITZ: No objection.

THE COURT: So moved.

Q. Okay. So what is the date and time of this email?

A. October 5, 2016, at 5:23 p.m.

Q. And the “Subject” line?

A. “Re: so is this safe to look at” — excuse me — “so this is safe to look at.”

While these emails appear to have been produced to Durham at a later time (their Bates numbers from Fusion are about 3000 pages off some of the earlier ones), they’re from the same series and produced by the same custodian, so we should assume that the same anomaly that existed on the earlier ones exists here.

Seago hasn’t seen these emails for years and — because they were treated as privileged — she can only see the first email in a thread, even if there are replies in that thread (and there clearly are, in some of them). She had no way of knowing if she was looking at UTC time!

But Andrew DeFilippis surely does. Indeed, he’s prepping an attack on Sussmann for not understanding that Durham turned over Lync files from the FBI without making clear they, also, get produced in UTC. So he’s aware of which exhibits he has sent to Sussmann without clarifying the correct time. Yet over and over again, DeFilippis asked Seago what time these emails were sent, even though he likely knows (especially since these are files that are no longer privileged, so he has seen those that are threads) that he was deceiving her.

And the timing of these Fusion emails — and possibly some earlier ones exchanged with Rodney Joffe — almost certainly matter.

As I showed in my earlier post, because Durham didn’t fix the anomaly in these emails, they have created the false impression that an October 5 email from Mark Hosenball that shared public links to Tea Leaves’ files came in after Fusion sent it out to Eric Lichtblau. They appear to be prepping another deceit, this one conflating a link that Hosenball sent with one Seago found on Reddit.

Assuming the emails released yesterday share this same anomaly, here’s how the timeline would work out. I’ve bolded the ones that would be grossly misleading taken out of order.

5:23PM (could be 1:23?): Seago to Fritsch, Is this safe?

1:31PM: [not included] Fritsch to Hosenball email with Alfa Group overview

1:32PM: Fritsch sends Isikoff the September 1, 2016 Alfa Group overview (full report included in unsealed exhibit)

1:33PM [not included] Fritsch to Hosenball, “that memo is OTR — tho all open source”

1:35/1:36PM: Hosenball replies, “yep got it, but is that from you all or from the outside computer experts?”

1:37PM: Fritsch responds,

the DNS stuff? not us at all

outside computer experts

we did put up an alfa memo unrelated to all this

1:38PM: [not included] Hosenball to Fritsch:

is the alfa attachment you just sent me experts or yours ? also is there additional data posted by the experts ? all I have found is the summary I sent you and a chart… [my emphasis]

1:41PM: [not included] Fritsch to Hosenball:

alfa was something we did unrelated to this. i sent you what we have BUT it gives you a tutanota address to leave questions. 1. Leave questions at: [email protected]

1:41PM: [not included] Hosenball to Fritsch:

yes I have emailed tuta and they have responded but haven’t sent me any new links yet. but I am pressing. but have you downloaded more data from them ?

1:43PM: [not included] Fritsch to Hosenball, “no”

1:44PM: Fritsch to Lichtblau:

fyi found this published on web … and downloaded it. super interesting in context of our discussions

[mediafire link] [my emphasis]

2:23PM: [not included] Lichtblau to Fritsch, “thanks. where did this come from?”

2:27PM: [not included] Hosenball to Fritsch:

tuta sent me this guidance

[snip]

Since I am technically hopeless I have asked our techie person to try to get into this. But here is the raw info in case you get there first. Chrs mh

2:32PM: Fritsch to Lichtblau:

no idea. our tech maven says it was first posted via reddit. i see it has a tutanota contact — so someone anonymous and encrypted. so it’s either someone real who has real info or one of donald’s 400 pounders. the de vos stuff looks rank to me … weird

6:33PM (likely 2:33PM): Fwd Alfa Fritsch to Seago

6:57PM (like 2:57PM): Re alfa Seago to Fritsch

7:02PM (likely 3:02): Re alfa Seago to Fritsch

3:27PM: [not included] Fritsch to Hosenball cc Simpson: “All same stuff”

3:58PM: [not included] Hosenball to Fritsch, asking, “so the trumpies just sent me the explanation below; how do I get behind it?”

4:28PM: [not included] Fritsch to Hosenball, “not easily, alas”

4:32PM: Fritsch to Hosenball, cc Simpson:

Though first step is to send that explanation to the source who posted this stuff. I understand the trump explanations can be refuted.

What Durham will completely and utterly misrepresent if it doesn’t clarify this anomaly (and this is the second time they have declined to) is that Seago and Mark Hosenball both accessed different packages of the Tea Leaves materials, one of which then got sent out to Lichtblau. Between 2:33 and 2:57, Seago appears to have compared the files and told Fritsch, who then told Hosenball, that the packages were “all the same stuff.”

The Founding Fantasy of Durham’s Prosecution of Michael Sussmann: Hillary’s Successful October Surprise

May 18, 2022/62 Comments/in 2016 Presidential Election, Mueller Probe /by emptywheel

I’m still waiting on the second transcript from the Michael Sussmann trial, after which point I’ll lay out what Andrew DeFilippis already did to give Sussmann cause for appeal, if he were to lose.

Until then, I want to share the unbelievably crazypants belief that Durham’s prosecutors are attempting to sell to a jury. AUSA Brittain Shaw laid out the framework Durham’s team will use this way:

So what will the evidence show? The evidence will show that defendant’s lie was all part of a bigger plan, a plan that the defendant carried out in concert with two clients, the Hillary Clinton Campaign and Internet executive Rodney Joffe. It was a plan to create an October surprise on the eve of the presidential election, a plan that used and manipulated the FBI, a plan that the defendant hoped would trigger negative news stories and cause an FBI investigation, a plan that largely succeeded.

How did the defendant execute this plan? Through his two clients.

First, the Clinton Campaign. You’re going to hear that in the summer of 2016, as the presidential election was heating up, the defendant was working at a major D.C. law firm which was acting as legal counsel for the Clinton Campaign. You’re also going to find as part of — hear that as part of their campaign efforts they were hired and were paying an investigative firm called Fusion GPS that was hired to do what’s called opposition research.That’s where the defendant’s plan took shape, and the evidence will show that the plan had three parts: a look, a leak, and a lie.

[claims about Fusion GPS and Rodney Joffe’s efforts, the latter of which, especially, are badly wrong]

First the look. The evidence will show that as Sussmann and Joffe met and coordinated with representatives of the Clinton Campaign and Fusion GPS, they looked for more data. You will hear that Joffe instructed people at his companies to scour Internet traffic for any derogatory information they could find about Trump or his associates’ online Internet activities, including potential ties to Alfa-Bank or to Russia. And you will see that Fusion GPS did the same using their access to other information.

Second, the leak. You will hear from the evidence that the defendant and Joffe then leaked the Alfa-Bank allegations to a reporter at the New York Times with the hope and expectation that he would run a story about it.

Third, the lie. You will see that when the reporter didn’t publish this story right away, the defendant and others decided to bring this information to the FBI and to create a sense of urgency, to also tell the FBI that a major news organization was running a story within days. That’s when the defendant requested the meeting with the FBI general counsel and told him that he was not doing this for any client.

The evidence will show you that the defendant had at least two reasons to lie.

First you’re going to hear that the defendant was a cyber security lawyer who had been hired earlier that year by the Democratic National Committee to represent them in relation to a computer hack where they’d been the victim. Because of this, the defendant was in frequent contact with the FBI about the hack investigation. They considered him to be the DNS — I mean, the DNC attorney for that matter. Because they viewed him as the DNC lawyer for the hack, the defendant knew that if he came in and told them that he was representing a political candidate at this time, weeks before an election, they might not meet with him right away, let alone open an investigation.

Second, the defendant knew that if he could get the FBI to investigate the matter and reach out to the press to try to stop the story, that that would make the story more attractive to the press, and they would report on it. [my emphasis]

I get that this is supposed to be catchy for jurors. But this is a child’s fantasy (and Sussmann’s lawyer, Michael Bosworth, noted that Sussmann going to the FBI was, “The exact opposite of what the Clinton Campaign would want”).

Start with Shaw’s claims about “the look.” Not only is it false that Joffe was looking for new information after such time as Sussmann was aware of it, not only won’t the witnesses Durham plans to call explain all of where the data came from, but already, DOJ has submitted two exhibits showing that the focus on late data gathering was on Alfa Bank, not Trump. And those late data collection efforts even included dcleaks (I’m virtually certain that Durham has not provided Sussmann discovery on all the things, such as the FBI’s suspicions that Roger Stone had advance awareness of the dcleaks operation, for them to submit evidence about it).

Next, Shaw calls sharing information with a journalist who had called a lawyer known to be grappling with serial hacks by Russia and asked about Russian hacks, “a leak,” as if there’s something untoward about sharing information with the press, as if Sussmann would “leak” information and then go tell the FBI about “leaking” it, which he did. This is just word salad!

Then Shaw claimed that Sussmann lied to provide urgency to the story. Based on my understanding, Shaw is wrong about the NYT’s plans for publication of the story. My understanding is that Dean Baquet would have happily published the story in September, when Eric Lichtblau was ready to publish and when Sussmann helped kill the story, but by October, he would only publish if reporters could prove substantive communications had taken place. That’s consistent with what Dexter Filkins reported.

The F.B.I. officials asked Lichtblau to delay publishing his story, saying that releasing the news could jeopardize their investigation. As the story sat, Dean Baquet, the Times’ executive editor, decided that it would not suffice to report the existence of computer contacts without knowing their purpose. Lichtblau disagreed, arguing that his story contained important news: that the F.B.I. had opened a counterintelligence investigation into Russian contacts with Trump’s aides.

So none of her basic claims are true.

But the thing that is breathtakingly ridiculous is Shaw’s claim that Sussmann’s purported plan to create, “an October surprise on the eve of the presidential election … largely succeeded.”

What Sussmann got for his troubles of helping to kill the story in September was a story at Slate rather than NYT, immediate pre-election pushback from several entities (including me), and a NYT story that made multiple claims that were true at the time but that we now know to be false.

The story claimed there was no tie between Trump and the Russian government; but Trump and Michael Cohen were lying to cover up (among other things) a call with the Kremlin about doing a real estate deal with a sanctioned bank and a former GRU officer.

The story claimed there was no secret email communication between Trump and Russia, but Trump’s rat-fucker was communicating with the GRU persona behind the hack and (as noted) may have had advance knowledge of precisely the information operation that Joffe and the researchers were investigating in August 2016.

The story claimed that Russia hacked Trump only to disrupt the election, when subsequent reports have concluded Russia had by that point come to favor Trump (though, I suspect, that was partly because they knew how damaging Trump would be for the country).

Democrats I know place varying blame for Hillary’s loss. Virtually all put the FBI’s sabotage of her campaign as the most important cause (of which Devlin Barrett’s October Surprise, the successful leak of a criminal investigation into Hillary as compared to the opposite here, was a small part). Shaw asserted that, “the FBI is our institution that should not be used as a political tool for anyone,” and yet the Clinton email investigation, the Clinton Foundation investigation, and Durham’s own investigation are all more obvious — and wildly more successful — efforts to use the FBI as a political tool than sharing an anomaly with the FBI and helping to kill a story about it.

But no matter who Democrats blame for Hillary’s loss, most point to that NYT story as one of the most damaging stories of the campaign.

And Durham’s entire prosecution is based on the opposite, that the story that most infuriates Democrats was, instead, entirely the point.

Scene-Setter for the Sussmann Trial, Part Two: The Witnesses

May 16, 2022/47 Comments/in 2016 Presidential Election, emptywheel, Mueller Probe /by emptywheel

In this post, I laid out the elements of the offense, a single count of a false statement to the FBI, which will drive the outcome of the Michael Sussmann trial, in which jury selection begins today. As I showed, John Durham has to prove that:

Michael Sussmann said what Durham has accused him of saying, which is that he was not sharing information with the FBI on behalf of any client
Sussmann said that on September 19, not just September 18
Sussmann meant his statement to be understood to mean that no client of his had an interest in the data, as opposed to that he was not seeking any benefit for a client from the FBI
The lie made a difference in how the FBI operates

In this post I’d like to say a bit about the expected witnesses. Before I do, remember the scope of the trial, as laid out in several rulings from Judge Cooper.

Durham can only raise questions about the accuracy of the Alfa Bank anomaly if Sussmann does so first
He generally can only discuss how the data was collected via witnesses; with one exception, Cooper has ruled the emails between Rodney Joffe and researchers to be inadmissible in a trial about whether Sussmann lied
While Cooper found that 22 of 38 Fusion emails over which Democrats had claimed privilege were not privileged, he also ruled that because Andrew DeFilippis got cute in delaying his request for such a review, Durham can’t use those emails or pierce any related claims of privilege at trial
That leaves the unprivileged emails between Fusion and journalists, which Cooper has ruled admissible; he even considered changing his decision and letting a tweet from Hillary come in as evidence (though note that the emails Durham got pre-approved barely overlap with the emails Durham wants to use at trial, so there still could be problems admitting individual emails at trial)
Cooper ruled the communications between Rodney Joffe, the person who shared the DNS anomaly with Michael Sussmann, and Laura Seago, his connection with Fusion, were privileged
Cooper ruled that Sussmann can elicit testimony from witnesses, including Robby Mook and Marc Elias, about how Trump’s request that Russia hack Hillary some more made him not just a campaign opponent, but a threat to national security

As I noted, a dispute over the final jury instructions suggests that Durham is beating a tactical retreat from his charged claim that Sussmann lied to cover up that he was representing both Hillary and Rodney Joffe.

Mr. Sussmann proposes modifying the last sentence as follows, as indicated by underlining: Specifically, the Indictment alleges that, on or about September 19, 2016, Mr. Sussmann, did willfully and knowingly make a materially false, fictitious, and fraudulent statement or representation in a matter before the FBI, in violation of 18 U.S.C. § 1001(a)(2), namely, that Mr. Sussmann stated to the General Counsel of the FBI that he was not acting on behalf of any client in conveying particular allegations concerning Donald Trump, when, in fact, he was acting on behalf of specific clients, namely, Rodney Joffe and the Clinton Campaign.5 The government objects to the defense’s proposed modification since it will lead to confusion regarding charging in the conjunctive but only needing to prove in the disjunctive.

Durham wants to be able to get a guilty verdict if the jury decides that Sussmann was hiding Hillary but not hiding Joffe. What Durham will really need to prove won’t be finalized until sometime next week, meaning both sides will be arguing their cases without knowing whether Durham will have to prove that 1) the allegations pertained to Donald Trump personally 2) Sussmann had two clients 3) he lied to hide both of them, or whether he has to prove only that Sussmann lied to hide one or more client.

Durham’s tactical retreat is likely dictated by the scope set by Cooper and will dictate the witnesses he wants to call.

This post laid out whom, as of last week, each side planned to call. Remember that it’s not uncommon for a defendant not to put any witnesses on the stand (though I would be surprised if that happened in this case). Normally, the scope of a witness’ testimony is set by the Direct examination of them. So, for example, if Durham puts Marc Elias on the stand to talk exclusively about his decision to hire Fusion GPS, then Sussmann could not ask him questions about other topics. But Sussmann incorporated Durham’s entire witness list, and Cooper ruled that he would rather not have to call people twice. So for at least the Democratic witnesses, Sussmann will have the ability to ask about things that Durham would really prefer not to appear before the jury even though Durham called that witness as a government witness. Because Durham doesn’t understand much of what really went on here, that may be a really useful thing for Sussmann to exploit.

Summary Witness: It is typical for prosecutors to call one of their FBI agents at trial as a sort of omniscient narrator who can both introduce a vast swath of evidence (such as records the accuracy of which have been stipulated for emails that can be introduced without witness testimony) and provide some interpretation of what it all means. Usually, that agent is not the lead agent, because the lead agent knows things that the prosecutor wants to keep from the defendant and the public, either details of an ongoing investigation or major investigative fuck-ups that haven’t been formally disclosed to the defendant. As of last week, DeFilippis maintained that, “It may be an agent who’s our summary witness, but we’re not looking to put a case agent on the stand.” That suggests there is no agent on his team that is sufficiently compartmented from his secrets to take the stand. Judge Cooper seemed a bit surprised by that.

Jim Baker: Jim Baker is the single witness to Michael Sussmann’s alleged crime. Durham is going to have a challenge walking him through the version of this story Durham wants to tell, not least because the materiality parts of it — whether Baker thought it unusual to hear from Sussmann, whether he thought it mattered who Sussmann’s client was — are also recorded in Baker’s past sworn testimony. Given the late discovery of a text showing that Sussmann wrote Baker on September 18 telling him he wanted to benefit the FBI, and given the even later discovery of March 2017 notes recording that the FBI understood that Sussmann did have an (undisclosed) client, Sussmann doesn’t even have to trash Baker to call into question his memory: he can allow Baker to admit he can’t separate out what happened in which of at least five communications he had with Sussmann that week, the sum total of which show that Sussmann wasn’t hiding the existence of a client, did represent that he was trying to help the FBI, and did help the FBI. The cross-examination of Baker will, however, be an opportunity for Sussmann to implicate Durham’s investigative methods, both for building an entire case around Baker after concluding, years earlier, that he wasn’t credible, and then, for refreshing Baker’s memory only with the notes that said what Durham wanted Baker to say, and not what the FBI ultimately came to know.

Bill Priestap and Tisha Anderson, Mary McCord and Tasha Gauhar: This trial is expected to feature two sets of witnesses — the first set called by Durham and the second called by Sussmann — who will be asked to reconstruct from their own notes what was said in a meeting attended by Baker. Priestap and Anderson will say that the day of Baker’s meeting with Sussmann, they wrote down that Sussmann didn’t have a client (but not in the words Sussmann is known to have used or the words that Durham has charged). McCord and Gauhar will say that in March 2017, Andy McCabe stated, in front of Baker and with no correction, that the FBI did know Sussmann had a client. The only notes in question that use the same phrase — “on behalf of” — that Durham used in the indictment say that Sussmann did say he was meeting with FBI on behalf of someone. I expect at least several of these witnesses will be asked materiality questions: If they didn’t ask who the client is, doesn’t that prove it didn’t matter? The notes of everyone involved, importantly, emphasized the import of Sussmann sharing an imminent newspaper article. Sussmann will also ask Priestap how and why he asked the NYT to hold the Alfa Bank story.

Agents Heide, Sands, and Gaynor, plus Agent Martin: Durham plans to call three of the FBI Agents who investigated the anomaly — for a couple of hours each, in the case of Heide and Sands — to talk about how they did so. Let me suggest that not only is this overkill, it may backfire in spectacular fashion, because the March 2017 notes make it clear that these agents did not take very basic steps to chase this anomaly down and Heide, at least, is not a cyber agent (in the same period he was also investigating George Papadopoulos). In addition to having those hours and hours of testimony, Durham will call Agent Martin, ostensibly to explain what one could learn from the anomaly, though there’s still a fight about the scope of his testimony, particularly with respect to misleading claims he would make about the scope of the data accessed to find the anomaly in the first place.

Antonakakis, Dagon, DeJong, and Novick: According to what DeFilippis said last week, in the wake of Cooper’s ruling excluding all but one of the researchers’ emails, he likely will not call David Dagon, may or may not call Manos Atonakakis, but will call two employees of Rodney Joffe whom, DeFilippis claims, were “tasked by” Joffe, in the first case to pull some but not all of the data researchers used to test the anomaly, and in the second case to do research that may not have been presented to the FBI. If these decisions hold, his presentation of the data will be, as I understand it, affirmatively false. For that reason, Sussmann might have been able to challenge Durham’s reliance on these witnesses in the absence of others; that Sussmann is not doing so may suggest he knows that the witnesses won’t do what Durham thinks they will. If Durham persists in this plan, it means he’ll have FBI agents spend 5 hours describing how they chased down an anomaly, without ever really explaining what the anomaly is (and how it could have easily been investigated using about two different steps that the FBI didn’t take). Perhaps (given his tactical retreat), Durham may want to eliminate virtually all discussion of the anomaly at the heart of this case. Alternately, this is a tactical move to force Sussmann to call David Dagon (whom Durham has immunized) or Manos Antonakakis (whose status is unknown) in hopes that they’ll help him make his YotaPhone case or explain the full scope of the data accessed (particularly if he gets Martin to make misleading comments about that topic first). But if Durham forgoes his chance to call the researchers and Sussmann does so himself, it may allow Sussmann to rebut Durham’s claims about what the anomaly was and what went into the two white papers presented to the FBI. In addition, Sussmann can have these witnesses explain how far before the involvement of the Democrats this research started and how Trump’s open invitation to Russia to do more hacking meant the anomaly posed a possible national security threat worthy of sharing with the FBI.

Robby Mook, Marc Elias, and Debbie Fine: Rather than talking about the anomaly, Durham wants to talk about the Hillary campaign. At least as of last week (before Cooper excluded some of this stuff on privilege and belated privilege challenges), Durham will definitely call Mook, may call Elias, but may rely instead on a Hillary lawyer named Debbie Fine, who was on daily calls with Fusion. Durham wants to claim,

[T]he strategy, as the Government will argue at trial, was to create news stories about this issue, about the Alfa-Bank issue; and second, it was to get law enforcement to investigate it; and perhaps third, your Honor, to get the press to report on the fact that law enforcement was investigating it.

Sussmann, by contrast, knows he has a witness or witnesses who will rebut that.

[I]t’s not the truth; and in fact, it’s the opposite of the truth. We expect there to be testimony from the campaign that, while they were interested in an article on this coming out, going to the FBI is something that was inconsistent with what they would have wanted before there was any press. And in fact, going to the FBI killed the press story, which was inconsistent with what the campaign would have wanted.

As suggested above, Elias is a witness Sussmann will call even if Durham does not. Among other things, Sussmann will have Elias explain what it was like to have Donald Trump openly asking Russia to hack Hillary some more.

Laura Seago: Before Cooper ruled on privilege issues, DeFilippis (who doesn’t know how to pronounce her last name) said he would call Seago. She was the pivot point between Fusion and Rodney Joffe. According to Fusion attorney Joshua Levy, Seago knows little about the white paper from Fusion that Sussmann shared with the FBI. “Seago didn’t contribute to it, doesn’t know who did, doesn’t know who researched it, doesn’t know who wrote it, doesn’t know its purpose; and the government’s aware of all that.” So it’s unclear how useful she’ll be as a witness.

Eric Lichtblau: As I noted the other day, Durham is trying to prevent Lichtblau from testifying unless he’s willing to testify to all his sources for the Alfa Bank story (which would include a bunch of experts never named in any charging documents). My guess is that Cooper will rule that forcing Lichtblau to talk about communications with Fusion would be cumulative, though he might force Lichtblau to talk about an in-person meeting he had at which Fusion shared information that did not derive from Joffe. If Sussmann succeeds in getting Lichtblau’s testimony, however, he will be able to talk about what a serious story this was and what a disastrous decision agreeing to hold the story was for his own career and, arguably, for democracy.

Perkins Coie billing person and McMahon: As Durham has repeatedly confessed, most of the substance of his conspiracy theory is based off billing records. But there’s a dispute about whether Sussmann fully billed his meeting with Baker (Sussmann has noted, for example, that he paid for his own taxi to and from the meeting). Durham will have a Perkins Coie person explain how they track billing and will call a former DNC person with whom Sussmann had lunch immediately before his Baker meeting, either because Sussmann said something to him about the Baker meeting, or because he needs to rule out that Sussmann billed for the lunch meeting but not Baker.

Agent Grasso: In addition to the hours and hours of testimony about how the FBI did investigate the anomaly, Durham also wants to call an Agent Grasso, with whom Joffe shared a piece of the Alfa Bank allegations directly. This may actually be an important witness for Durham, because it might show that the packaged up allegations shared with Baker were substantially different than what Joffe was sharing when his identity was not hidden.

Kevin P: Durham only plans to call one of the two CIA personnel at the meeting in January 2017 (ironically meaning a meeting in March 2017 will get far more focus than a meeting that played a central role in the indictment). It sounds like Sussmann will get the one person to validate an email from another person who also recorded Sussmann saying he had a client.

Agent Gessford: One FBI Agent Sussmann will call will authenticate emails Sussmann will use with other witnesses to show what FBI’s understanding of Sussmann’s activities were in 2016. Not only will he use these emails to prove that the FBI knew well he was representing Hillary on cyber issues, but he will likely also use these emails to talk about what it looks like for a campaign to be systematically attacked through the entirety of a campaign by a hostile nation-state, which will make the potential seriousness of the Alfa Bank anomaly quite clear.

Agent Giardina: This is someone the scope of whose testimony Durham may have actually tried to limit by calling him himself. Sussmann will have Giardina explain that after the Frank Foer article, he tried to open an investigation, which Sussmann will use to prove that the FBI would have opened an investigation whether or not he shared the tip with the FBI.

Jonathan Moffa: Moffa, a senior FBI agent involved in the Crossfire Hurricane and Alfa Bank investigations will address materiality. He’ll explain how, given the UNSUB investigation open to find out who in Trump’s camp got a heads up to the hack-and-leak investigation, it was inevitable they would chase down this tip and treat it, like the CH investigation itself, as a Full Investigation.

DOJ IG Michael Horowitz: On paper, Horowitz’s testimony will be limited to explaining how an anonymous tip from Joffe via Sussmann is supposed to work, which is that someone in a position to direct a tip to the right person does so and succeeds in addressing a national security concern. Joffe provided a tip to Horowitz in January 2017 that — we can assume given Horowitz’s testimony — proved to be valuable. This tip will also demonstrate that DNS research is not as limited as Agent Martin will claim it is. But given the way that Durham has failed to understand basic aspects of Horowitz’s investigation, including ones that disproved large swaths of Durham’s conspiracy theories, this testimony might be somewhat contentious.

Update, 5/22: Very belatedly added Moffa after writing this post.

The Sussman Trial

May 15, 2022/35 Comments/in Elections /by bmaz

Here is the Sussmann indictment as filed by Durham. It is an absurd 27 pages long. I could have written it in 2-3 pages, including signature page.

As you can see, excepting all the run on horse manure Durham penned, the indictment is for a single count of false statement under 18 USC §1001. That is it. One lousy count. That is it.

I will save you the niceties and simply quote you the DOJ guidance on §1001, and here it is:

Section 1001’s statutory terms are violated if someone:

“falsifies, conceals or covers up by any trick, scheme or device a material fact,”
“makes any false, fictitious or fraudulent statements or representations,”
“makes or uses any false writing or document knowing the same to contain any false, fictitious or fraudulent statement or entry”
and, for cases arising after the 1996 amendments, the item at issue was material.
Whether the above acts are criminal depends on whether there is an affirmative response to each of the following questions:

Was the act or statement material?
Was the act within the jurisdiction of a department or agency of the United States? and
Was the act done knowingly and willfully?
[cited in JM 9-42.001]

907. Statements Warranting Prosecution. False Statement ›
Updated January 21, 2020

We all think this trial is a cutout for Trump and Trumpism. It is not. Sussman’s ass lies in the lurch. There is a live defendant. Actual jury trials are about what is charged. One count of §1001 is charged here. Keep your eye on that ball. Criminal trials are about crimes, and elements of crimes. This one will be too.

Will KleptoCapture Catch John Durham, Along with the Russian Spies and Oligarchs?

May 15, 2022/28 Comments/in 2016 Presidential Election, emptywheel, Foreign Influence, Mueller Probe /by emptywheel

I’ve been right about a lot of things regarding John Durham’s investigation (though not, apparently, that he would supersede the indictment against Michael Sussmann — maybe he was afraid of getting no-billed if he corrected the things in the indictment he has since discovered to be false?).

Perhaps the most prescient observation I’ve made, though, was that Durham had no fucking clue where to look for evidence related to his already-charged allegations.

I’ve seen reason to believe Durham doesn’t understand the full scope of where he needs to look to find evidence relevant to that case.

I said that in November. Since that time in the Sussmann case, Durham has had to publicly confess he had not:

Searched for Jim Baker’s phones, one of which he had been told about years before
Checked DOJ IG for highly exculpatory notes
Discovered DOJ IG had other exculpatory information
Asked Baker to check his own iCloud account for texts he had with Sussmann in September 2016
Pulled other records at the FBI showing that Sussmann’s meeting with Baker ended up benefitting the FBI by allowing them to kill an NYT story
Interviewed any full-time Hillary staffer before accusing Sussmann of coordinating with the Hillary campaign

Effectively, Durham spent most of three years speaking to those who would confirm his conspiracy theories, and not consulting the actual evidence. It took until six months after Durham charged Sussmann before Durham tested Sussmann’s sworn explanation for his Baker meeting — and when he checked, he found the evidence backed Sussmann’s explanation.

Six months after indicting Igor Danchenko, Durham asked to extend discovery another month

It’s that record that makes me so interested in Durham’s second bid to extend deadlines for classified discovery in the Igor Danchenko case.

After Danchenko argued he couldn’t be ready for an April 18 trial date, Durham proposed a March 29 deadline for prosecutors to meet classified discovery; that means Durham originally imagined he’d be done with classified discovery over six weeks ago. A week before that deadline, Durham asked for a six week delay — to what would have been Friday. Danchenko consented to the change and Judge Anthony Trenga granted it. Then on Monday, Durham asked for another extension, this time for another month.

When Durham asked for the first delay, he boasted they had provided Danchenko 60,000 unclassified documents and promised “a large volume” of classified discovery that week (that is, before the original deadline).

To date, the government has produced over 60,000 documents in unclassified discovery. A portion of these documents were originally marked “classified” and the government has worked with the appropriate declassification authorities to produce the documents in an unclassified format.

[snip]

Nevertheless, the government will produce a large volume of classified discovery this week

This more recent filing boasts of having provided just one thousand more unclassified documents and a mere 5,000 classified documents — for a case implicating two known FISA orders and several past and current counterintelligence investigations.

To date, the Government has produced to the defense over 5,000 documents in classified discovery and nearly 61,000 documents in unclassified discovery. The Government believes that the 5,000 classified documents produced to date represent the bulk of the classified discovery in this matter.

Danchenko waited six weeks and got almost nothing new.

See this post for an explanation of all the classified information that Danchenko should be able to demand and the onerous process that using it requires, called Classified Information Procedures Act. Even in November, I showed that Danchenko could likely make a case that he should get discovery from the FBI and NSA, and probably CIA and Treasury. There is no way Durham is getting through this case with just 5,000 classified documents.

As he noted in his opposition to this latest request for an extension, with each request, Durham’s proposed schedule was shrinking the time afforded Danchenko to review classified discovery before providing a list of the classified information he wanted to use at trial (called a CIPA 5 notice), first from 60 days to 40, and then from 40 days to 22.

On March 22, 2022, the Special Counsel filed a Consent Motion to Adjourn the Classified Discovery and CIPA Schedule. Dkt. 44. In his Motion, the Special Counsel sought to extend the deadline to produce classified discovery from March 29, 2022, to May 13, 2022. Id. at 2. The Special Counsel’s motion also sought to extend the dates for various CIPA filings and hearings. Id. Importantly, the Special Counsel’s proposed schedule reduced the amount of time within which Mr. Danchenko had to file his Section 5(a) written notice from approximately 60 days after the close of classified discovery to approximately 40 days.

[snip]

On May 9, 2022, the Special Counsel filed his Second Motion to Adjourn the Classified Discovery and CIPA Schedule. Dkt. 48. In his motion, the Special Counsel now tells the Court that he can provide the outstanding classified discovery by “no later than” June 13, 2022. See id. at 2. He also proposes a June 29, 2022, deadline for Defendant’s Section 5(a) written notice. Id. Therefore, the Special Counsel has essentially asked this Court to enter an Order that will now decrease Mr. Danchenko’s time within which to file his Section 5(a) written notice from approximately 40 days after the close of classified discovery to approximately 22 days.

[snip]

Mr. Danchenko would be substantially prejudiced by the Special Counsel’s proposed schedule because it significantly shortens the time period within which Mr. Danchenko can review any final classified productions and file his CIPA Section 5(a) notice. That is of particular concern to Mr. Danchenko because the Special Counsel has not provided sufficient notice of how much additional classified discovery may be forthcoming other than his “belie[f]” that the “bulk” of the classified discovery has already been produced.

Shrinking Danchenko’s deadlines would make the additional discovery that is still outstanding far less useful. In the Sussmann case, for example, it took over a month for Sussmann’s team to find the documents that disprove Durham’s case buried among 22,000 other documents provided on his extended deadline. So while Durham might be trying to comply with discovery obligations, arguing that the proper solution to his struggles fulfilling discovery is to shrink Danchenko’s own time to review the evidence suggests he’s not doing so in good faith.

Judge Trenga must have agreed. While he granted the government’s request for an extension, he gave Danchenko 42 days to submit his CIPA 5 notice.

A Russian dog named Putin ate Durham’s classified homework

I’ve noted how the post-invasion sanctions on Alfa Bank deprived John Durham of a second investigative team, Alfa Bank’s Skadden Arps lawyers, whose filings a judge observed seemed to be “written by the same people” as Durham’s.

But the aftermath of Putin’s attempt to overthrow Ukraine may be causing Durham even bigger problems in the Danchenko case.

When Durham asked for an extension of his CIPA deadline in the Sussmann case days after Russia extended its invasion of Ukraine, he explained that the people who had to write declarations in support of CIPA (usually agency heads like CIA Director William Burns or NSA Director Paul Nakasone) were busy dealing with the response to Ukraine.

However, the Government’s submission includes not only the Government’s memorandum but also one or more supporting declarations from officials of the U.S. intelligence community. The Government’s review of potentially discoverable material is ongoing, and these officials cannot finalize their declarations until that review is complete.

Moreover, recent world events in Ukraine have further delayed the Government’s review and the officials’ preparation of the supporting declaration(s). As a result, the Government respectfully submits that a modest two-week adjournment request to its CIPA Section 4 filing deadline is appropriate and would not impact any other deadlines, to include the currently scheduled trial date

Effectively, this request moved the CIPA deadline from a week before Durham’s classified discovery deadline to a week after; yet Durham just committed, once again, to finalizing his CIPA 4 submission almost a week before his classified discovery deadline in the Danchenko case.

That’s important because Durham overpromised when he said he could finish a CIPA filing before the discovery deadline. Durham filed a supplement to his CIPA 4 notice on May 7 (nine days before trial) that, unless Judge Cooper ruled orally at a closed hearing last week, remains outstanding. That’s not entirely unusual in a case that relies on classified information, but if Cooper were to rule this classified information was necessary for Sussmann’s defense, it would give Sussmann no time to actually prepare to use it.

Durham cited the Ukraine response again on March 22, a month after Russia launched its failed attempt to take Kyiv, when he asked for an extension on his classified discovery deadline.

However, recent world events in Ukraine have contributed to delays in the production of classified discovery. The officials preparing and reviewing the documents at the FBI and intelligence agencies are heavily engaged in matters related to Ukraine.

Importantly, these people focusing on keeping us safe from Russian aggression rather than, as Durham is, making us safe for Russian aggression, are different than the people cited in the Sussmann case. These aren’t senior officials, but instead those “preparing and reviewing the documents at the FBI and intelligence agencies.” That’s not William Burns, that’s FBI counterintelligence agents, among others.

In last week’s request for an extension, Durham didn’t mention Ukraine, but his reference to “overseas activities” suggests the response to Ukraine remains the problem.

However, recent world events continue to contribute to delays in the processing and production of classified discovery. In particular, some of the officials preparing and reviewing the documents at the FBI and intelligence agencies continue to be heavily engaged in matters related to overseas activities.

Unsurprisingly, Danchenko asked Trenga to require Durham to provide some kind of explanation for why “overseas activities,” probably Ukraine, continue to delay classified discovery in a case criminalizing an attempt to fight Russia’s attack on democracy in 2016.

Moreover, the Special Counsel has failed to adequately explain how “recent world events” (Dkt. 48 at 2) have specifically made it impossible for him to meet his discovery obligations. While it seems unlikely that the same government officials charged with declassifying discovery are also responding to events overseas, it certainly is possible. But, even if that is the case, the Special Counsel must offer more explanation than he has, especially in light of the fact that his prior motion to extend the discovery deadline was based on the events in Ukraine, and the ongoing nature of that conflict must or should have been considered when he requested the May 13 deadline.

Sadly, Trenga didn’t order up an explanation for why this delay, probably Ukraine-related, is causing so many difficulties for Durham’s prosecution of Danchenko.

KleptoCapture threatens at least one and possibly up to three key Durham figures

One reason I would have liked Trenga to force Durham to explain how a dog named Putin ate his classified homework is because the public response to Russia’s attempt to conquer Ukraine has already implicated three figures who are key to Durham’s case. While I need to update it, this post attempts to capture everything that the US government and some partners have done since the expanded invasion.

Dmitry Peskov

Perhaps the response least damaging to Durham’s case — but one that will affect discovery — involves Dmitry Peskov. As I explained in this post, Durham made Peskov’s relationship with Chuck Dolan and Olga Galkina a key part of his indictment against Danchenko.

In his role as a public relations professional, [Dolan] spent much of his career interacting with Eurasian clients with a particular focus on Russia. For example, from in or about 2006 through in or about 2014, the Russian Federation retained [Dolan] and his then-employer to handle global public relations for the Russian government and a state-owned energy company. [Dolan] served as a lead consultant during that project and frequently interacted with senior Russian Federation leadership whose names would later appear in the Company Reports, including the Press Secretary of the Russian Presidential Administration (“Russian Press Secretary-I”), the Deputy Press Secretary (“Russian Deputy Press Secretary-I”), and others in the Russian Presidential Press Department.

[snip]

In anticipation of the June 2016 Planning Trip to Moscow, [Dolan] also communicated with [Peskov] and Russian Deputy Press Secretary-I, both of whom worked in the Kremlin and, as noted above, also appeared in the Company Reports.

[snip]

Additionally, on or about July 13, 2016, [Galkina] sent a message to a Russia-based associate and stated that [Dolan] had written a letter to Russian Press Secretary-1 in support of [Galkina]’s candidacy for a position in the Russian Presidential Administration.

On March 3, the State Department added Peskov to the sanctions list under a 2021 Executive Order President Biden signed, in part, to target those who (among other things), “undermine the conduct of free and fair democratic elections and democratic institutions in the United States and its allies and partners.” On March 11, Treasury added Peskov’s family members to the sanctions list. The package used to sanction Peskov would have been the product of intelligence reports circulated within the US government.

While the legal reason Peskov was sanctioned pertained to his official role in the Russian government (and the lavish lifestyles his family enjoys even with his civil service salary), State also described Peskov as “the chief propagandist of the Russian Federation.” That, by itself, would be unremarkable. But if — as even Durham alludes — Peskov had a role in feeding Galkina disinformation for the Steele dossier, particularly if he crafted disinformation to maximally exploit Michael Cohen’s secret call with Peskov’s office in January 2016, that could be a part of the sanctions package against Peskov. If it were, then it would be centrally important discovery for Danchenko.

Oleg Deripaska

Then there’s Oleg Deripaska. This post lays out in depth the reasons why Danchenko would have reason to demand information on Deripaska’s role in the dossier, including:

Evidence about whether Oleg Deripaska was Christopher Steele’s client for a project targeting Paul Manafort before the DNC one

All known details of Deripaska’s role in injecting disinformation into the dossier, up through current day

Details of all communications between Deripaska and Millian

Given his blissful ignorance of the actual results of the Mueller investigation and the DOJ IG Carter Page investigation, Durham was always going to have a nasty discovery surprise in complying with such requests. Plus, a search last October of two Deripaska-related properties made clear that the most likely source of disinformation in the dossier was under aggressive criminal investigation for sanctions violations.

A recent Bloomberg story reported that that criminal investigation has now been moved under and given the prioritization of the KleptoCapture initiative started in response to the Ukraine war.

Deripaska has been sanctioned since 2018 for his ties to Vladimir Putin, and the seizures at a Washington mansion and New York townhouse linked to him predate the invasion of Ukraine. But the investigation of Deripaska’s assets is now part of an escalating U.S. crackdown on ultra-rich Russians suspected of laundering money and hiding assets to help finance Putin’s regime.

The raids were key steps to unearth information that may determine whether — and how — Deripaska moved money around. Among the mishmash of items taken from the New York and Washington properties were half a dozen works of fine art, sunglasses, hiking boots, housewares, financial records, telephone bills and other documents, according to the people, who asked not to be identified because the investigation hasn’t been made public.

The Deripaska inquiry is now part of a special U.S. Department of Justice task force dubbed “KleptoCapture,” according to New York federal prosecutor Andrew Adams, who is heading up the group.

“As Russia and its aggression continues, we have our eyes on every piece of art and real estate purchased with dirty money,” Deputy Attorney General Lisa Monaco said at a recent news conference.

If DOJ plans on indicting Deripaska — for sanctions violations and anything else on which the statute of limitations has not expired — they might delay discovery cooperation with Durham until they do so. And if such a hypothetical indictment mentioned Deripaska’s role in facilitating the 2016 election interference and/or successful efforts to exploit the dossier to undermine the Russian investigation, it might make Durham’s charges against Danchenko unsustainable, even if he is able to otherwise fulfill his discovery requirements. Durham’s theory of prosecution is that Danchenko is the big villain that led to FBI confusion over the dossier, but Deripaska seems to have had a far bigger role in that.

Sergei Millian

Finally, there’s Sergei Millian, who happened to meet with Deripaska in 2016 at an event, the St. Petersburg International Economic Forum, that played a key role in the election operation.

In the same week Millian met Deripaska, a bunch of cybersecurity experts first started looking for evidence of Russian hacking in DNS data and Igor Danchenko was in Moscow meeting with Chuck Dolan and his other named Steele dossier sources.

As the DOJ IG Report and declassified footnotes make clear, FBI opened a counterintelligence investigation into Millian in October 2016. All the evidence indicates that the investigation did not arise from Crossfire Hurricane and, given that Millian’s ID was hidden in the dossier reports shared with NYFO on their way to HQ, and given that other information on Millian was fed into DC, not NY, was probably predicated completely independent of Crossfire Hurricane.

In addition, we learned that [Millian] was at the time the subject of an open FBI counterintelligence investigation. 302 We also were concerned that the FISA application did not disclose to the court the FBI’s belief that this sub-source was, at the time of the application, the subject of such an investigation. We were told that the Department will usually share with the FISC the fact that a source is a subject in an open case. The OI Attorney told us he did not recall knowing this information at the time of the first application, even though NYFO opened the case after consulting with and notifying Case Agent 1 and SSA 1 prior to October 12, 2016, nine days before the FISA application was filed. Case Agent 1 said that he may have mentioned the case to the OI Attorney “in passing,” but he did not specifically recall doing so. 303

301 As discussed in Chapter Four, [Millian] [redacted]

302 According to a document circulated among Crossfire Hurricane team members and supervisors in early October 2016, [Millian] had historical contact with persons and entities suspected of being linked to RIS. The document described reporting [redacted] that [Millian] “was rumored to be a former KGB/SVR officer.” In addition, in late December 2016, Department Attorney Bruce Ohr told SSA 1 that he had met with Glenn Simpson and that Simpson had assessed that [Millian] was a RIS officer who was central in connecting Trump to Russia.

303 Although an email indicates that the OI Attorney learned in March 2017 that the FBI had an open case on [Millian], the subsequent renewal applications did not include this fact. According to the OI Attorney, and as reflected in Renewal Application Nos. 2 and 3, the FBI expressed uncertainty about whether this sub‐source was Person 1. However, other FBI documents in the same time period reflect that the ongoing assumption by the Crossfire Hurricane team was that this sub‐source was [Millian].

Plus, Mueller found plenty on Millian to raise separate issues of concern.

Given several other counterintelligence cases developed in NYFO, the predication likely had more to do with Russia’s effort to use cultural and other diaspora groups as a way to covertly extend Russian influence.

And in fact, Millian’s group — the Russian American Chamber of Commerce — has already made a cameo appearance in one such prosecution, that against Elena Branson, a complaint that was rolled out in the same week as the sanctions against Peskov.

a. On or about January 30, 2013, BRANSON received an email from an individual using an email address ending in “mail.ru.” Based on my review of publicly available information, I have learned that this individual was a Senior Vice President of the Russian American Chamber of Commerce in the USA. This email had the subject line “Problem.” and the text of the email included, among other things, a portion of the FARA Unit’s website with background on FARA. In response, BRANSON wrote, in part, “I am interested in the number of the law, its text in English[.]” The sender then responded with “Lena, read …” and copied into the email background on FARA and portions of the statute.

This awareness and flouting of registration requirements is the kind of thing that often features in prosecutions for 18 USC 951 violations. And, at least in the case of Branson, the statute of limitations can extend so long as the person in question continues to play a role in US politics, though in Branson’s case, she only fled the country 18 months ago.

If the FBI believed Millian was an unregistered foreign agent who fled to avoid an investigation in 2017, his ongoing involvement in efforts to gin up an investigation into the investigation — particularly claims that, even according to Durham, misinterpreted facts his own prosecutors filed and thereby contributed to death threats against witnesses in the investigation — then it wouldn’t rule out an investigation into Millian himself, an investigation that would have preceded Durham’s reckless reliance on him (or rather, Millian’s unvetted Twitter feed) as a star witness against Danchenko.

Even Millian’s public claim (albeit one offered by someone the FBI considers an embellisher) that he called the White House directly to elicit this investigation could be of interest.

We can now say with great certainty that Durham didn’t check the most obvious sources of evidence against key players involved in the Steele dossier, such as DOJ IG’s backup files in the Carter Page investigation that is the primary focus of Durham’s Danchenko indictment. That makes it highly likely he never bothered to see whether other parts of DOJ considered key players in the Steele dossier to be actual threats to democracy.

One of those key players is undoubtedly Oleg Deripaska. And the renewed focus on Russian influence operations may expand beyond that.

To Celebrate Its Third Birthday, the Durham Investigation Will Attempt to Breach Eric Lichtblau’s Reporter’s Privilege

May 13, 2022/27 Comments/in 2016 Presidential Election, Mueller Probe, Press and Media /by emptywheel

Happy Birthday to Johnny D and his merry band of prosecutors! Today marks your third birthday! Quite a milestone for an investigation that has just one conviction — a gift wrapped up with a bow from Michael Horowitz — to show for those three years.

John Durham, however, had something much more ambitious planned to mark the milestone, it appears.

As Sean Berkowitz noted earlier this week, Sussmann’s team wants to call Eric Lichtblau as a witness in next week’s trial. They were able to get Lichtblau to agree to testify based on the understanding he would only testify about conversations with Michael Sussmann and Rodney Joffe. But Durham’s team — I guess to assert the newfound brattiness of a three-year-old — refused to limit their cross-examination to those who had waived confidentiality.

There is an issue here that I want to alert you to. We reached out to Mr. Lichtblau’s counsel, actually counsel for The New York Times, to explore their willingness in light of the First Amendment issues to testify at the trial. And we told him that both Mr. Sussmann and Mr. Joffe would waive any privilege associated with the press privilege; and that gave The New York Times comfort that, notwithstanding their normal policy of objecting, they would allow him to testify about his interactions with

Mr. Sussmann and Mr. Joffe, communications between the two as well as communications with the FBI that wouldn’t be protected by privilege because the FBI reached out to them to ask them to hold the story.

They did tell us that they would object to questioning Mr. Lichtblau about independent research he did in support of the story, you know, people he spoke with to verify sources and other types of things that were not communicated to Mr. Sussmann.

We told him from our perspective that seemed like a fair line to draw, and we would not get into that.

He’s reached out to the Government on that issue, and it appears there may be — again, I don’t want to speak for the Government — but it appears that they may not be in a position today to give The New York Times that assurance. And so we expect The New York Times sometime this week will be filing a motion on that issue to tee it up for your Honor.

I know you’re welcoming all this additional paper.

THE COURT: One more intervenor in the mix.

MR. BERKOWITZ: “All the news that’s fit to print.”

As a motion submitted by Lichtblau yesterday and a declaration from his lawyer Chad Bowman lays out, after Sussmann and Rodney Joffe waived their confidentiality with Lichtblau by April 21, Durham then took eleven days to consider whether they were willing to limit Lichtblau’s testimony to his conversations with the two of them. Predictably, Andrew DeFilippis was not.

On April 21, 2022, I spoke by telephone with Andrew DeFilippis in the Special Counsel’s Office, as well as several of his colleagues. I asked whether the prosecution similarly would be willing to limit examination to direct communications between Mr. Sussmann and Mr. Lichtblau, a journalist, particularly given the Department of Justice’s new policy restricting the use of compulsory process to obtain information from reporters, as memorialized in the Office of the Attorney General’s July 21, 2021 Memorandum, a true and correct copy of which is attached as Exhibit B and which is also available online at at https://www.justice.gov/ag/page/file/1413001/download. Mr. DeFilippis stated that the prosecution needed time to consider the request.

On May 2, 2022, during a follow-up telephone call, Mr. DeFilippis stated that the prosecution was unable to give “any assurance” that their cross-examination questioning of Mr. Lichtblau would be confined to his discussions with Mr. Sussmann. In particular, Mr. DeFilippis stated that certain of Mr. Lichtblau’s email communications with third parties were within the prosecutions possession, and that the prosecution might want to examine Mr. Lichtblau about other, unknown aspects of his reporting. He also indicated a view that any reporter’s privilege would be pierced by a trial subpoena.

This is, by all appearances, a naked attempt to keep a very devastating witness off the stand. There’s no way, even under prior guidelines, Durham would have been able to get Lichtblau’s testimony; particularly given that they’ve got the communications in question, they couldn’t show a need to get his testimony.

That’s all the more true given Merrick Garland’s prohibition on requiring testimony from reporters.

But Lichtblau’s testimony is pretty critical for Sussmann, not least because he’ll make it clear he reached out to Sussmann and that the interest in reporting on Russian hacking was in no way tied to animus towards Trump. Plus, he would explain what an impact that acceding to the request from FBI to hold the story was for his career.

Durham has long tried to hide that after the FBI requested, Sussmann and Joffe acceded to help kill the story. It kills his conspiracy theory. It corroborates Sussmann’s stated motivation for sharing the DNS anomaly, that he was trying to help the FBI. Particularly given that both Sussmann and Joffe have Fifth Amendment reasons not to want to testify, Lichtblau would provide a way to get the full extent of that process into the trial.

But Durham wants to prevent it from coming into evidence unless Lichtblau is willing to pay a needless price for doing so.

Scene-Setter for the Sussmann Trial, Part One: The Elements of the Offense

May 13, 2022/46 Comments/in 2016 Presidential Election, emptywheel, Mueller Probe /by emptywheel

In the first of what will be a number of “scene-setters” for the Michael Sussmann trial next week, Devlin Barrett makes two significant errors. First, he misrepresents what Sussmann said in a text to James Baker on September 18, 2016.

In a text message setting up the meeting, Sussmann claimed he was not representing any particular client in bringing the matter to the FBI’s attention.

Here’s what the text says:

Jim – it’s Michael Sussmann. I have something time-sensitive (and sensitive) I need to discuss. Do you have availibilty [sic] for a short meeting tomorrow? I’m coming on my own – not on behalf of a client or company – want to help the Bureau. Thanks.

[I’m unclear whether the misspelling of “availability” is Sussmann’s or Durham’s.]

The distinction between “representing” and “on behalf of” will be a core issue litigated in this trial (as I’ll lay out below), which makes Barrett’s sloppiness affirmatively misleading.

Second, Barrett serially accepts Durham’s framing — that the cybersecurity researchers who started identifying the Alfa Bank anomaly months before Rodney Joffe ever talked to Michael Sussmann were doing “campaign research.”

The two-week trial will delve into the murky world of campaign research, lawyers and the role the FBI played in that election, as Trump and Hillary Clinton vied for the presidency, and federal agents pursued very different investigations surrounding each of them.

[snip]

Prosecutors signaled this week that they plan to call a host of current and former law enforcement officials to describe how the FBI pursued the Alfa Bank accusations, and to paint Sussmann as part of a “joint venture” that included Joffe, Clinton’s campaign, research firm Fusion GPS and cybersecurity experts.

[snip]

Cooper, however, has limited how deeply Durham’s team may go into the particulars of any alleged joint venture among Democratic operatives, ruling that he will not allow “a time-consuming and largely unnecessary mini-trial to determine the existence and scope of an uncharged conspiracy to develop and disseminate the Alfa Bank data.”

Barrett does this in spite of the fact that Durham has repeatedly said the only evidence he has supporting his joint venture conspiracy theory (even assuming it were illegal) is billing records. While Barrett cites the gist of Cooper’s ruling excluding Durham’s unsubstantiated claims of a “joint venture,” he doesn’t quote Cooper noting that, “some evidence suggests that Fusion GPS employees had no connection to the gathering or compilation of the Alfa Bank data.” Effectively, an experienced DOJ reporter has fallen for Durham’s use of unsubstantiated materiality claims to frame a prosecution that didn’t charge the underlying conspiracy. That’s a real disservice to readers who don’t know the difference between uncharged materiality claims and a charged conspiracy.

So here’s my effort to explain to newbies what the trial is about. Durham has to prove that:

Michael Sussmann said what Durham claims Sussmann did to James Baker on September 19, 2016
What he said was a lie
The alleged lie was material to the functioning of the FBI

Durham has to prove that Sussmann said what Durham claims he did on September 19, 2016

From the start, Durham has been uncertain what lie Sussmann told. As Sussmann pointed out in a motion for a bill of particulars right from the get-go, at various points in the indictment, Durham claimed that Sussmann’s lie was:

“that he was not doing his work on the aforementioned allegations ‘for any client'” (one)
“that he was not acting on behalf of any client” (one, two)
that he was not “acting on behalf of any client conveying particular allegations concerning a Presidential candidate” (one)

That is, repeatedly in the indictment, Durham was conflating the “work” of chasing down the allegations (which is not at issue in this prosecution at all) with the meeting where Sussmann shared those allegations with the FBI. The last formulation is what Durham charged, but as we’ll see, unless Durham supersedes this indictment today, he may have problems with that formulation as well.

Almost six months after Durham charged Sussmann for lying about sharing allegations on September 19, he got rock-solid proof — a text from Sussmann to Baker that Durham only found because Sussmann kept asking Durham to go back and look for these records — that Sussmann said, he was “coming on my own – not on behalf of a client or company – want to help the Bureau,” on September 18.

That rock-solid proof actually presents two problems for Durham. First, it raises the possibility that, even if the jury decides this was a lie, Durham can only prove Sussmann said it on September 18, not September 19. But the text also suggests what Sussmann may have meant by “on behalf of:” who benefits. He was not seeking a benefit for a client, he was trying to benefit the FBI.

That interpretation is consistent with what Sussmann said under oath in 2017, and it is an interpretation that Durham did not test before he charged Sussmann.

I was sharing information, and I remember telling him at the outset that I was meeting with him specifically, because any information involving a political candidate, but particularly information of this sort involving potential relationship or activity with a foreign government was highly volatile and controversial. And I thought and I remember telling him that it would be a not-so-nice thing ~ I probably used a word more stronger than “not so nice” – to dump some information like this on a case agent and create some sort of a problem. And I was coming to him mostly because I wanted him to be able to decide whether or not to act or not to act, or to share or not to share, with information I was bringing him to insulate or protect the Bureau or — I don’t know. just thought he would know best what to do or not to do, including nothing at the time.

And if I could just go on, I know for my time as a prosecutor at the Department of Justice, there are guidelines about when you act on things and when close to an election you wait sort of until after the election. And I didn’t know what the appropriate thing was, but I didn’t want to put the Bureau or him in an uncomfortable situation by, as I said, going to a case agent or sort of dumping it in the wrong place. So I met with him briefly and

[snip]

so I told him this information, but didn’t want any follow-up, didn’t ~ in other words, I wasn’t looking for the FBI to do anything. I had no ask. I had no requests. And I remember saying, I’m not you don’t need to follow up with me. I just feel like I have left this in the right hands, and he said, yes. [my emphasis]

As has been explained over and over, Jim Baker’s testimony about what Sussmann said to him on September 19 (as opposed to what Sussmann texted him on September 18) has been all over the map:

An October 3, 2018 Baker interview Baker said he didn’t recall Sussmann saying he was there on behalf of Hillary.
An October 18, 2018 Baker interview Baker said that in that first meeting, he did not recall Sussmann saying he was acting on behalf of a specific client.
A July 15, 2019 Baker interview Baker said Sussmann was sharing information from cybersecurity experts.
A June 2020 Durham interview Baker said it did not seem like Sussmann was representing a client (and he was not aware that Sussmann represented the DNC.
Three more Durham interviews with Baker on this subject that align with the indictment.

Durham will argue that he got Baker’s testimony to match what he, Durham, claims to be sure is the truth by refreshing his memory with notes that Bill Priestap and Trisha Anderson took, the former when Baker told him about the meeting immediately afterwards and the latter in circumstances that are less clear.

The Priestap notes say four things:

Represent DNC, Clinton Foundation etc
Been approached by prominent cyber people
NYT, Wash Post, or WSJ on Friday
[Written slantways for reasons Priestap could not explain] said not doing this for any client

The Anderson notes say two things:

No specific client but group of cyber academics talked with him about research
Article this Friday, NYT/WPost [the notes fade out]

None of those notes say “on behalf of,” Anderson’s don’t address whether Sussmann offered up the claim or not, and Priestap seems to have written “not doing this for any client” after the fact, as if it wasn’t part of Baker’s initial telling.

None of those notes make it clear what part of the information Baker passed on came from the meeting itself and what part came from the text he had received the day before (and indeed, Priestap’s slantways note may suggest the detail about a client could have come later). Durham only has a refreshed memory of what Baker knew by September 19, not which parts he learned on September 18 and which he learned on September 19.

Literally six months after indicting Sussmann, Durham gave him different sets of notes recording how Andy McCabe explained the allegations to Dana Boente on March 6, 2017.

One set, from Tashina Gauhar’s notes, says this:

“Attorney” Brought to FBI on behalf of his client

Also advised others in media > NYT

Another set, from Mary McCord’s notes, says this:

First brought to FBI att by atty

[snip]

Attorney brought to Jim Baker + d/n say who client was. Said computer researchers saw the [activity?]. Said media orgs had the info, including NY Times.

These notes admittedly reflect what the FBI came to understand, possibly in the September 19 meeting, possibly hours after the September 19 meeting, possibly days, possibly months. But as McCord recorded it, the emphasis remained on the computer researchers and the NYT. That emphasis is important for materiality questions.

Durham has to prove what Sussmann said was a lie

Next, Durham has to prove that what Sussmann said was an intentional lie.

Probably, Durham will use the formulation Sussmann sent in his September 18 text, “I’m coming on my own – not on behalf of a client or company – want to help the Bureau,” since that’s the only thing he has real proof of. This is why Sussmann tried to nail down Durham on what “on behalf of” shortly after being charged. Because it could mean, “on the orders of,” “for a client I am retained by,” or “seeking some benefit or ask for.”

But Sussmann’s explanation, “want to help the Bureau,” tied as it is to some benefit for the FBI, presents new problems for Durham. As noted above, that’s precisely what Sussmann said in sworn testimony back in 2017, when he had no reason to believe there would ever be a special prosecutor checking his claims and at a time he no longer had that text to check. Sussmann framed it in terms of giving the FBI maximal flexibility during campaign season.

Importantly, Sussmann did take steps to help the Bureau, by (with Joffe’s assent), helping the FBI kill the story the NYT was close to publishing. Which is another thing Sussmann described when he testified under oath in 2017 and another thing Durham didn’t bother to investigate before indicting.

I just wanted to tell you about a phone call that I had with him 2 days after I met with him, just because I had forgotten it When I met with him, I shared with him this information, and I told him that there was also a news organization that has or had the information. And he called me 2 days later on my mobile phone and asked me for the name of the journalist or publication, because the Bureau was going to ask the public — was going to ask the journalist or the publication to hold their story and not publish it, and said that like it was urgent and the request came from the top of the Bureau. So anyway, it was, you know, a 5-minute, if that, phone conversation just for that purpose.

Along with the September 18 text showing Sussmann told Baker he wanted to help the FBI, there were several texts reflecting that when Baker asked Sussmann for the name of the outlet that was reporting on the Alfa Bank allegations, Sussmann told Baker he had to ask someone before sharing the name.

Those text messages include, among other things, texts indicating that Mr. Sussmann asked to meet with Mr. Baker in September 2016 not on behalf of a client but to help the Bureau; texts indicating that Mr. Sussmann told Mr. Baker he had to check with someone (i.e., his client) before giving him the name of the newspaper that was about to publish an article regarding the links between Alfa Bank and the Trump Organization; and other texts, including a copy of a tweet that then-President Trump posted regarding Mr. Sussmann.

Then, Sussmann and Baker spoke on the phone several times on September 21 and 22.

Mr. Sussmann and Mr. Baker also had several phone conversations over the course of that week, including on Wednesday, September 21 and on Thursday, September 22.

We’ll learn more details at the trial, but we know that Baker and Bill Priestap called the NYT and got them to kill the story.

One reason this is important is because — as Sussmann’s attorney noted in a recent hearing — this is the opposite of what Sussmann would have done if he was working on behalf of the campaign.

We expect there to be testimony from the campaign that, while they were interested in an article on this coming out, going to the FBI is something that was inconsistent with what they would have wanted before there was any press. And in fact, going to the FBI killed the press story, which was inconsistent with what the campaign would have wanted.

The decision to go to the FBI contravened Hillary’s best interest.

The other reason those exchanges are important is because, as Sussmann pointed out, the best explanation for how Andy McCabe (that “top of the Bureau” that decided to take steps to kill the story) came to learn that Sussmann did have a client was via those exchanges.

The FBI could not have come to that belief based on conversations they had with Mr. Sussmann after his phone calls with Mr. Baker the week of September 19, 2016, because the FBI chose not to interview Mr. Sussmann about the information he provided to Mr. Baker, and the FBI chose not to ask Mr. Sussmann about or interview the cyber experts whom Mr. Sussmann identified as the source of the information he shared with the FBI.

Indeed, that timeline may explain why Baker’s memories about this are so inconsistent: because what Sussmann told him on September 18, what he told him on September 19, and what he told him on September 21 have all blended into one.

In any case, though, the best evidence suggests the FBI probably learned Sussmann had a client within three days of the time Sussmann first brought the allegations to the FBI (because that was the last he spoke with the FBI). That undermines Durham’s claim that Sussmann was hiding some big conspiracy. Within days, he appears to have made it obvious he did have a client.

Durham has to prove the alleged lie was material to the functioning of the FBI

I’m not going to get too far into the work Durham will have to do to prove that Sussmann’s lie — if he can prove what Sussmann said, if he can prove Sussmann said it on September 19 and not September 18, and if he can prove it really was a lie — had the ability to affect the decisions the FBI could have made.

Sussmann has many ways to attack Durham’s materiality argument. He’ll do so by proving:

FBI knew he represented the Democrats (indeed, that’s what Priestap’s notes say)
FBI knew of his ties to Joffe
His characterization that this came from cybersecurity experts was true
After the Franklin Foer piece was published, a separate FBI Agent attempted to open an investigation (showing what would have happened if Sussmann had not shared the information and just let NYT publish)

If I were him, I would also point to all the evidence (including from the March 2017 notes) that what most mattered to the FBI was not whom his client was but that the NYT was going to publish this.

But, given the timeline laid out by Sussmann’s texts and calls with James Baker, I’d make one more point. All the evidence suggests that FBI knew he had a client by September 22 — probably by September 21.

The FBI Agents who will describe the steps they took will apparently describe making a second call to Cendyn on September 23.

That is, the timeline will show that FBI learned Sussmann had a client before they even spoke to Cendyn a second time.

If Sussmann’s client or clients mattered, the FBI learned about them so early in the process that it would not have affected the overall investigation.

Durham’s tactical retreat

I know a lot of people think Durham has a slam-dunk case with that September 18 text, but that’s simply not the case — though as always, you never know what a jury is going to decide.

But I think that Durham is already planning a tactical retreat.

As Sussmann noted in a recent filing summarizing conflicting views on jury instructions, Durham’s indictment describes Sussmann’s alleged lie this way:

[O]n or about September 19, 2016, the defendant stated to the General Counsel of the FBI that he was not acting on behalf of any client in conveying particular allegations concerning a Presidential candidate, when in truth, and in fact, and as the defendant knew well, he was acting on behalf of specific clients, namely, Tech Executive-1 and the Clinton Campaign.

Never mind that Durham characterized the allegations as pertaining to “a Presidential candidate,” which presents other problems for Durham, he has also accused Sussmann of lying about having two clients.

Mr. Sussmann proposes modifying the last sentence as follows, as indicated by underlining: Specifically, the Indictment alleges that, on or about September 19, 2016, Mr. Sussmann, did willfully and knowingly make a materially false, fictitious, and fraudulent statement or representation in a matter before the FBI, in violation of 18 U.S.C. § 1001(a)(2), namely, that Mr. Sussmann stated to the General Counsel of the FBI that he was not acting on behalf of any client in conveying particular allegations concerning Donald Trump, when, in fact, he was acting on behalf of specific clients, namely, Rodney Joffe and the Clinton Campaign.5 The government objects to the defense’s proposed modification since it will lead to confusion regarding charging in the conjunctive but only needing to prove in the disjunctive.

4 Authority: Indictment.

5 Authority: Indictment.

Durham’s language about “conjunctive” versus “disjunctive” will likely be the matter for heated debate next week. Particularly in the wake of Cooper’s decision that the materials from the researchers won’t come in as evidence, Durham seems to be preparing to prove only that Sussmann lied about representing Hillary, and not about Joffe. Sussmann, meanwhile, seems to believe that Durham will have to prove that his alleged lie was intended to hide both alleged clients.

The problem with Durham’s fall-back position is that if Sussmann really were representing Hillary at that FBI meeting, he wouldn’t have killed the NYT story that would have helped her campaign.

Update: Corrected date on Sussmann’s HPSCI interview, which was 2017.