Posts

In Discussion of Unmasking Admiral Rogers Gets Closer to Admitting Types of Section 702 Cybersecurity Use

Last Friday, Director of National Intelligence Dan Coats, Director of NSA Mike Rogers, and FBI Director Christopher Wray did an event at Heritage Foundation explaining why we need Section 702 and pretending that we need it without reasonable reforms. I attended Wray’s talk — and even got my question on cybersecurity asked, which he largely dodged (I’ll have more about two troubling things Wray said later). But I missed Rogers’ talk and am just now catching up on it.

In it, he describes a use of Section 702 that goes further than NSA usually does to describe how the authority is used in cybersecurity.

So what are some examples where we’ll unmask? Companies. Cybersecurity. So we’ll report that US company 1 was hacked by the following country, here’s how they got in, here’s where they are, here’s what they’re doing. Part of our responsibility on the US government side is the duty to warn. So how do you warn US company 1 if you don’t even know who US company 1 is? So one of the reasons we do unmasking is, so for example we can take protective to ensure this information is provided to the appropriate individuals.

What Rogers describes is an active hack, by a nation-state (which suggests that rule may not have changed since the 2015 report based off 2012 Snowden documents that said NSA could only use 702 against nation-state hackers). The description is not necessarily limited to emails, the type of data NSA likes to pretend it collects in upstream (though it could involve phishing). And the description even includes what is going on at the victim company.

Rogers explains that the NSA would unmask that information so as to be able to warn the victim — something that (via the FBI) happened with the DNC, but something which didn’t happen with a number of other election related hacks.

Of course, Reality Winner is facing prison for having made this clear. The FISA-derived report she is accused of leaking shows how the masking works in practice.

In the case of VR Systems, the targeted company described, it’s not entirely clear whether NSA (though FBI) warned them directly or simply warned the states that used it. But warnings, complete with their name, were issued. And then leaked to the press, presumably by people who aren’t facing prison time.

In any case, this is a thin description of NSA’s use of 702 on cybersecurity investigations. But more detail in unclassified public than has previously been released.

 

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

702 Reauthorization: The Anti-Leak Package

As part of the draft Section 702 Reauthorization released this week, the House Judiciary Committee included what I’ll call the anti-leak package. They’re not actually presented in the same Title, but I want to consider them as a group as a way to consider whether they’ll do anything to make leaking less useful than internal whistleblowing.

The package consists of three things:

  • Increased penalties for improperly handling classified information
  • New protections for FBI whistleblowers and contractor whistleblowers
  • A GAO report on whether classification works

Increased penalties for improperly handling classified information

The first part of the package changes 18 USC 1924, which criminalizes unauthorized retention of classified documents, to make knowingly retaining classified information a felony, while creating a new misdemeanor for negligently retaining classified information.

SEC. 302. PENALTIES FOR UNAUTHORIZED REMOVAL AND RETENTION OF CLASSIFIED DOCUMENTS OR MATERIAL.

Section 1924 of title 18, United States Code, is amended—

(1) in subsection (a), by striking ‘‘one year’’ and inserting ‘‘five years’’;

(2) by redesignating subsections (b) and (c) as subsections (c) and (d), respectively; and 13 (3) by inserting after subsection (a) the following new subsection (b):

(b) Whoever, being an officer, employee, contractor, or consultant of the United States, and, by virtue of his office, employment, position, or contract, becomes possessed of documents or materials containing classified information of the United States, negligently removes such documents or materials without authority and knowingly retains such documents or materials at an unauthorized location shall be fined under this title or imprisoned for not more than one year, or both.

I think this was done to make what Hillary Clinton did a clear felony, so Republicans can squawk about it, rather than solving any real problem.

Which is a pity. Because those who want to write new laws criminalizing the retention and leaking of classified information (something I’m not advocating, but I understand the sentiment), it might be useful to write laws that address the problems we’re actually seeing.

For example, the Espionage Act should be rewritten to make it clear it only applies to real Espionage — the secret sharing of “national defense information” (which should be better defined) with an adversary for some kind of personal benefit. By all means, create something else that applies to the Edward Snowdens and Chelsea Mannings of the world, if you feel the need to. But in that law, do something to ensure that the David Petraeuses of the world — who leaked information to get laid and tell nice stories about himself — don’t get a wrist slap, while people who at least believe their acts to be benefitting the country face life imprisonment.

The degree to which the Espionage statute specifically, and leak prosecutions generally, have become the means to pursue arbitrary retaliation against people who don’t hew a party line undermines the legitimacy of the classification system, which (in my opinion, as someone who has covered most recent leak prosecutions) just leads to more leaking.

In related news, one of the reasons why magistrate Brian Epps Cobb denied Reality Winner bail yesterday is because she admires Snowden and Assange.

In addition, this week’s news that an NSA TAO hacker brought files home and used them on his machine running Kaspersky, thereby alerting Russia to them, suggests the need to consider the impact of even negligent improper handling, because it can have an impact akin to that of Snowden if it is compromised.

Finally, there should be some controls over abuse of Original Classification Authority, both in Prepublication Reviews, to prevent the selective censorship of important stories. And there should be some recognition that OCAs are often not the only source of information (which is one of the problems with the Hillary emails — her staffers were reporting widely known facts that the CIA later claimed a monopoly on, thereby making the information “classified”).

Perhaps the GAO review, below, can go some distance to making this happen.

New protections for contractor whistleblowers

There’s a section that extends the (still inadequate) whistleblower protections of the National Security Act to contractors, while adding protection (just for contractors!) for the reporting of “evidence of another employee or contractor employee accessing or sharing classified information without authorization.” It also adds additional reporting vehicles for FBI contractors (to DOJ or FBI’s Office of Professional Responsibility, to FBI’s Inspection Division, or to the Office of Special Counsel).

The bill also adds contractors to those you can’t retaliate against by stripping of security clearance if they’ve made a protected disclosure.

Contractor is defined as “an employee of a contractor, subcontractor, grantee, subgrantee, or personal services contractor, of a covered intelligence community element.”

As I said, this is just the protection extended to intelligence community employees, with enforcement by the President, the same guy who orders up the illegal activities (such as torture or domestic spying) of the IC.

Plus, I’m not sure the language protects against two other problems that have happened with contractors. First, the loss of a contract, which doesn’t seem to be included in the definition of personnel decisions. So an agency could retaliate not by denying a promotion, but simply denying a contract. And, for similar reasons, I’m not sure the language prevents a contractor from retaliating against one of their employees directly, particularly if they’re threatened with losing work.

As I said, I’m not sure on this. I await analysis from the people who work whistleblower issues all the time.

That said, while this is an important improvement that will extend the same inadequate protection that IC employees get to IC contractors, I think it doesn’t necessarily protect against some known kinds of retaliation.

A GAO report on whether classification works

Perhaps most interestingly, the bill asks GAO to conduct on a story on why we’re having so much leakage.

SEC. 303. COMPTROLLER GENERAL STUDY ON UNAUTHORIZED DISCLOSURES AND THE CLASSIFICATION SYSTEM.

(a) STUDY.—The Comptroller General of the United States shall conduct a study of the unauthorized disclosure of classified information and the classification system of the United States.

(b) MATTERS INCLUDED.—The study under subsection (a) shall address the following:

(1) Insider threat risks to the unauthorized disclosure of classified information.

(2) The effect of modern technology on the unauthorized disclosure of classified information, including with respect to—

(A) using cloud storage for classified information; and

(B) any technological means to prevent or detect such unauthorized disclosure.

(3) The effect of overclassification on the unauthorized disclosure of classified information.

(4) Any ways to improve the classification system of the United States, including with respect to changing the levels of classification used in such system.

(5) How to improve the authorized sharing of classified information, including with respect to sensitive compartmented information.

(6) The value of polygraph tests in determining who is authorized to access classified information.

(7) Whether each element of the intelligence community (as defined in section (4) of the National Security Act of 1947 (50 U.S.C. 3003(4))—

(A) applies uniform standards in determining who is authorized to access classified information; and

(B) provides proper training with respect to the handling of classified information.

(c) COOPERATION.—The heads of the intelligence community shall provide to the Comptroller General information the Comptroller General determines necessary to carry out the study under subsection (a).

(d) REPORT.—Not later than 180 days after the date of the enactment of this Act, the Comptroller General shall submit to the Committee on the Judiciary and the Permanent Select Committee on Intelligence of the House of Representatives and the Committee on the Judiciary and the Select Committee on Intelligence of the Senate a report containing the study under subsection (a). (e) FORM.—The report under subsection (d) shall be submitted in unclassified form, but may include a classified annex.

I really like the idea of doing such a report (though am not sure GAO can get it done in just 6 months, especially since I’m sure some agencies will filibuster any cooperation). And what a novelty, to finally consider whether polygraphs actually do what they’re claimed to do (rather than get people to confess to dirt that can later be used against them or leaked to China in an OPM hack).

As mentioned above, a really thorough such study should also look specifically at the Prepublication Review process, which is one of the most notorious forms of arbitrary use of classification.

It should also try to quantify how much classification does (abusively) hide mismanagement or law-breaking, especially in the FOIA process.

A truly thorough study would have to include leaks by members of Congress, up to and including the Gang of Four — but that’s never going to happen and so that means of leakage will remain untouched.

A study should also not only review recent leak prosecutions, with a particularly focus on the selectivity with which they’ve been taken, but compare leak prosecutions with the efficacy of internal measures (like stripping someone of clearance), which ODNI has been using more in recent years, at least before Reality Winner.

And a study should do a macro review of the initiatives put in place since Chelsea Manning’s leaks, to review overall compliance (we know NSA and CIA had not fully complied as of last year), and to measure whether those initiatives have done any good.

Finally, for the classified version, the report should include a full measure of how much internal spying is being targeted at government employees and contractors in various CI programs, and whether those are overseen adequately (they’re absolutely not).

Will this all do any good?

As I said, I’m the one lumping these together into a package, not the bill’s authors. I did so, though, to better weigh whether this will do any good — whether we’ll move the balance on necessary discussions for democracy being weighed against genuine need to protect secrets. I think an actual assessment is worthwhile.

But ultimately, I suspect our leak problem stems, in large part, from the degree to which classification (and clearances and leak prosecutions) have all been designed to give the Executive Branch unfettered ability to run an arbitrary system of secrets that does as much to serve nexuses of power as it does to keep the country safe.  Secrets, in DC, have become the coin of power, not the necessary tool to ensure a vibrant and secure democracy.

And I’m not sure this effort will do much to change that.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

In Reality Winner Case, Government Warns of Recruitment by Media Outlets that “Procure the Unauthorized Disclosure of Classified Info”

As I’ve reported recently Reality Winner has claimed both that her interview with the FBI was not consensual and that she should be released on bail like people who’ve leaked more sensitive documents, including David Petraeus. Significantly, Winner made claims about her interview and DOJ’s lack of related accusations to suggest the leak of the single document to the Intercept is all they’ve got on her.

The government responded to Winner’s claims — in their response to her request for bail — with a whole new set of claims not included in other documents (on top of making fairly ridiculous claims to suggest Winner should be detained when those who had access — and in the case of David Petraeus, leaked — far more classified information were not).

In the response itself, they raise issues that are fair and significant. But they all seem designed to suggest that Winner must be treated more harshly than Petraeus because she’s more likely to be “recruited” by “non-governmental organizations and media outlets that advocate and procure the unauthorized disclosure of classified information.”

At the same time, the Defendant is an attractive candidate for recruitment by well-funded foreign intelligence services and non-governmental organizations and media outlets that advocate and procure the unauthorized disclosure of classified information.

Consider how the government treats different media outlets.

The Washington Post

First, the government’s description of Winner’s phone searches suggest Winner sent the document to a “print news outlet” in addition to the Intercept, and kept looking at both to see if they published the document.

  • On May 9, the Defendant searched for the secure mailing address of a Print News Outlet, viewed a document called “How to Share Documents and News Tips with [Print News Outlet] Journalists” on the Print News Outlet’s website, searched for an Online News Outlet and “secure drop,” and viewed the Online News Outlet’s page containing instructions for the anonymous transmission of leaked information.
  • On May 12, a few days after she mailed the leaked document, the Defendant searched online for the Print News Outlet referenced on May 9, as well as the Online News Outlet to which she transmitted the leaked document, and viewed the homepages of both publications.
  • On May 13, the Defendant searched for the Print News Outlet, viewed its homepage, and then searched “[IC component] leak” and “[IC component] leak [Foreign Country]” on multiple occasions.
  • On May 14, the Defendant searched for and viewed the Print News Outlet’s homepage, and then searched within the Print News Outlet’s website for the name of the relevant IC component. She also searched for and viewed the Online News Outlet’s homepage.
  • On May 22, the Defendant viewed both the Print News and Online News Outlets’ websites, and she searched for the name of the relevant IC component within both websites.

The Washington Post’s “confidential tips” page comes up on a search for “How to Share Documents and News Tips” (though the page does not now have that name). That suggests Winner shared a copy of this document with the WaPo as well as the Intercept. But the focus in these materials on a completed crime is exclusively focused on the Intercept (which also is not named).

The interview transcript released with this filing does not, apparently, discuss Winner’s leak to what appears to be the WaPo, aside from asking if she sent the leaked document anywhere else, to which she said “no.” The agents interviewing her tipped her that the document had been sent to an online news source that she “subscribes” to. So FBI may not have mentioned WaPo because WaPo did nothing with the story — or at least nothing with a source who then informed the government, which is how the Intercept got exposed — meaning the FBI did not yet know about it. Or perhaps the FBI was just far more interested in the fact that Winner leaked to the Intercept.

Wikileaks and Anonymous

The filing does its most significant damage in repeating Winner’s support for WikiLeaks, Edward Snowden, and Anonymous. According to the filing, at the same time she was looking for clearance jobs in November 2016 (at the end of her deployment), she was researching anonymous and Wikileaks.

The Defendant’s duplicity is starkly illustrated by the fact that she researched opportunities to access classified information (multiple searches for jobs requiring a security clearance on ClearanceJobs.com) at the same time in November 2016 that she searched for information about anti-secrecy organizations (Anonymous and Wikileaks).

And in March, she told her sister she was “on Assange’s [and Snowden’s] side.”

On March 7, 2017, the Defendant searched for online information about Vault 7, Wikileaks’s alleged compromise of classified government information. Later on March 7, 2017, the Defendant engaged in the following Facebook chat with her sister in which she expressed her delight at the impact of the alleged compromise reported by Wikileaks:

SISTER: OMG that Vault 7 stuff is scary too

WINNER: It’s so awesome though. They just crippled the program.

SISTER: So you’re on Assange’s side

WINNER: Yes. And Snowden

It’s not just that Winner is reading Wikileaks and Snowden-leaked documents (which the government would be happy to use to villainize a leaker in any case). She’s cheering the destruction of CIA (and by association, NSA) capabilities. Which is not something the more prolific leaker David Petraeus did.

The curious declassification of an FBI interview about leaking

Before I get into how these materials treat the Intercept, let me take a detour to talk about the declassification of Winner’s interview which, because it discusses her work at NSA, includes a lot of information that must be classified.

As a number of outlets noted (I believe Politico reported it first), when the transcript of her FBI interview was first released, it included Winner’s social security number and date of birth — a no-no for PACER documents. It included her home computer password. It also revealed Winner worked on collection targeting Iranian Aerospace Forces Group, a remarkable disclosure given that the government says Winner can’t be released because she’ll be targeted by foreign governments (in addition to “non-governmental organizations and media outlets that advocate and procure the unauthorized disclosure of classified information”); they’ve just put a bullseye on her back for Iran. It also reveals she used to work for a drone mission. It includes the code name and the street name of her NSA location.

For either privacy and security reasons, those are remarkable disclosures.

Now consider what they did redact.

There’s a reference to Russian hacking (or the election), and Winner’s description of something akin to that. There’s a few more references, perhaps on the election, again redacted.

Perhaps the most interesting (and understandable) redaction is her explanation for why she thought the collection points on Russian hackers were already compromised.

[sigh] I had figured that, uhm, [half line redacted] that it didn’t matter anyway. Uhm honestly, uh, I just figured that whatever we were using had already been compromised, and this report was just going to be like a – one drop in the bucket.

All of which is to say the classification decisions here are pretty random.

Which is all the more interesting given the fact that the document has no declassification notes, describing who declassified it and for what purpose. If I’m Winner’s lawyers, I’m on the phone with former ISOO head Bill Leonard (who has served as an expert witness in past leak cases), asking him to testify that in a case about mishandling classified information, the government didn’t handle this document in rigorous fashion.

The Intercept: hiding the name, the motive, and a few more details

Which brings me to the decisions about redactions on parts of the transcript that pertain to the Intercept.

It hides the Intercept’s name, but also several references to her motive, including one very long description (on PDF 69)

More interesting, it redacts details about how she mailed it to the Intercept.

And redacts another passage where she describes how she found the address to send it to the Intercept — the actual details of which are included in the passage on her phone searches, above.

It redacts another passage asking whether she included anything in the envelope to the Intercept.

All of which is to say that in submissions that claim Winner is a particular risk because she might be “recruited” by NGOs and “media outlets that advocate and procure the unauthorized disclosure of classified information,” it is still hiding key details about Winner’s descriptions of her actions with respect to the Intercept.

After reading this transcript, I’m actually surprised the government hasn’t (yet) taken a harsher approach, perhaps charging her for a leak to the WaPo or for lying, initially, to the FBI (not charging her for lying to the FBI is one way, I guess, where she is getting the treatment David Petraeus got).

That may suggest they’re entertaining going after the Intercept here, for “recruiting” Reality Winner — a replay of the tactic they tried with Chelsea Manning years ago, only this time with an Attorney General and a Congress rushing to invent new categories of non-state hostile intelligence services to criminalize some kinds of publishing.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

Government Decides Reality Winner Leaked Just One Document After All

Back in June, I noted that one of the reasons the government convinced a judge to deny Reality Winner bail was that she had leaked documents, plural.

There’s no written record for this yet, but it appears from one of the less-shitty reports on the hearing that the claim is based on three things: First, Winner stuck a thumb drive in a Top Secret computer last year.

Winner inserted a portable hard drive in a top-secret Air Force computer before she left the military last year. She said authorities don’t know what happened to the drive or what was on it.

Second, because Solari portrayed the 25-year old translator’s knowledge as a danger unto itself (more ridiculously, she painted Winner’s knowledge of Tor — which Winner didn’t use to look up sensitive information — as a means by which she might flee).

“We don’t know how much more she knows and how much more she remembers,” Solari said. “But we do know she’s very intelligent. So she’s got a lot of valuable information in her head.”

And finally, because Winner told her mother, in a conversation from jail that was recorded, that she was sorry about the documents, plural.

Solari said Winner also confessed to her mother during a recorded jailhouse phone call, saying: “Mom, those documents. I screwed up.”

Solari apparently emphasized the latter point as a way to suggest Winter might still have documents to leak.

Solari stressed that Winner referred to “documents” in the plural, and that federal agents were looking to see whether she may have stolen other classified information.

The idea is that because Winner used the plural and she only leaked one document, there must be more she’s planning on leaking.

Except that doesn’t appear right.

It appears Winner actually already leaked two documents. [my emphasis]

I showed that Winner actually leaked two documents to the Intercept.

Curiously, it appears the prosecutor in this case, Jennifer Solari, has changed her mind. Attached to a motion to reconsider bail, Winner’s lawyers have noted that weeks after claiming Winner had to be jailed because she told her mom she had stolen multiple documents, Solari listened to the transcript and decided Winner only referred to a document, singular.

The following is new evidence that was not available at the time of the initial detention hearing (and could not have reasonably been available given the mere three days between the initial appearance and detention hearing), all of which have a material bearing on the issue of release. • While repeatedly alleging that Ms. Winner disclosed numerous “documents” at the initial detention hearing—a fact that the Court specifically noted in its findings to support detention the Government has, via email to this Court, retracted those assertions. The Government now alleges there was only one document, rather than numerous documents, at issue. [See Exhibit A (email correspondence from Assistant United States Attorney Jennifer Solari to defense counsel and the Court dated June 29, 2017); Doc. 29 p. 105; see also Doc. 72].

In her email informing the defense of this, Solari explained,

Before the hearing, I had only heard a portion of the call in which the defendant asked her mother to “play that angle” regarding the alleged circumstances of her FBI interview. I proffered information about the other jail calls based upon verbal summaries I was provided by the FBI just before the hearing. Now that I’ve heard the recordings myself, I’d like to clarify some of the information for the court and counsel.

Solari goes on to suggest that another correction — regarding why Winner had her mom transfer money — came from an inference the FBI agent made.

I’m glad Solari corrected these issues — prosecutors often double down in such instances. I’d certainly scrutinize the other claims made by the FBI agents in the case after this.

Apparently, the government also left other details out of its story when painting Winter as an opsec genius to deny her bail. For example, in addition to pointing out how many people use Tor, her lawyers revealed that she had used it to access Wikileaks once.

The Government failed to explain, however, that Ms. Winner told the Government during her interrogation on June 3, 2017, that she used Tor once for looking at WikiLeaks.

It also notes that the superseding indictment still just charges Winner for the one document.

Finally, it compares her treatment with all of the other alleged leakers who got bail (including David Petraeus).

It’s unclear whether this will win her release. But it certainly suggests the government overstated her threat in her bail hearing.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

How to Read the DHS Targeted States Information

Yesterday, DHS informed the states that had their registration databases targeted by Russian hackers last year. There has been an outright panic about the news since states started revealing they got notice, so I thought it worthwhile to describe what we should take away from the notice and subsequent reporting:

  • “Most” of the 21 targeted states were not successfully hacked
  • Some targeted states were successfully hacked
  • Not all swing states were targeted, not all targeted states are swing states
  • These hacks generally do not involve vote tallying
  • These hacks do not involve hacking voting machines
  • These hacks do not involve other voter suppression methods — whether by GOP or Russians
  • Notice needs to improve

The AP has done good work tracking down which states got notice they were targeted, identifying the 21 targeted states. Those targeted states were:

  1. Alabama
  2. Alaska
  3. Arizona
  4. California
  5. Colorado
  6. Connecticut
  7. Delaware
  8. Florida
  9. Illinois
  10. Iowa
  11. Maryland
  12. Minnesota
  13. North Dakota
  14. Ohio
  15. Oklahoma
  16. Oregon
  17. Pennsylvania
  18. Texas
  19. Virginia
  20. Washington
  21. Wisconsin

 

“Most” of the 21 targeted states were not successfully hacked

This list of 21 states does not mean that Russians successfully hacked 21 states. All it means is Russians probed 21 states. And the AP says “most” were not successful. WI, WA, and MN have said the attacks on them were not successful.

Thus, for “most” of these states, the impact is the same as the reports that Russians were attempting, unsuccessfully, to phish engineers in the energy industry: it is cause for concern, but unless new intelligence becomes available, it means that for those “most” states these probes could not affect the election.

Some targeted states were successfully probed

Of course, by saying that “most” attacks were not successful, you’re admitting that “some” were. We only know IL and AZ to have successfully been breached.

This means this story may not be done yet: reporters, especially state based ones, are going to have to get their voting officials to provide details about the attacks and it may take some FOIA work.

Mind you, a successful hack still doesn’t mean that the election was affected (as I believe to be the understanding with respect to AZ, though there is more dispute about IL). It might be that the hackers just succeeded in getting into the database. It may be that they succeeded only in downloading the voter registration database — which in many states, is readily available, and which is nowhere near the most interesting available data for targeting in any case.

In my opinion, the most effective way to affect the outcome of the election via voter registration databases is not to download and use it for targeting, but instead, to alter the database, selectively eliminating or voiding the registration of voters in targeted precincts (which of course means the hackers would need to come in with some notion of targets). Even changing addresses would have the effect of creating lines at the polls.

Altering the database would have the same effect as an existing GOP tactic does. In many states, GOP secretaries of state very aggressively purge infrequent voters. Particularly for transient voters (especially students, but poorer voters are also more likely to move from year to year), a voter may not get notice they’ve been purged. This has the effect of ensuring that the purged voter cannot vote, and also has the effect of slowing the voting process for voters who are registered.  In other words, that’s the big risk here — that hackers will do things to make it impossible for some voters to vote, and harder for others to do so.

Not all swing states were targeted, not all targeted states are swing states

The list of targeted states is very curious. Some targeted states are obvious swing states — WI, PA, FL, and VA were four of the five states where the election was decided. But MI is not on there, and NC, another close state, is not either.

In addition, a lot of these states are solidly red, like AL and OK. A lot of them are equally solidly blue, like CA and CT. So if the Russians had a grand scheme here, it was not (just) to flip swing states.

These hacks generally do not involve vote tallying

DHS has said that these hacks do not involve vote tallying. That means these disclosed probes, even assuming they were successful, are not going to explain what may seem to be abnormalities in particular states’ tallies.

These hacks do not involve hacking voting machines

Nor do these hacks involve hacking voting machines (which is covered, in any case, by the denial that it involves vote tallying).

Yes, voting machines are incredibly vulnerable. Yes, it would be child’s play for a hacker — Russian or American — to hack individual voting machines. With limited exceptions, there been no real assessment of whether individual machines got hacked (though it’d generally be easier to affect a local race that way than the presidential).

These hacks do not involve other voter suppression methods — whether by GOP or Russians

This list of 21 targeted states does not represent the known universe of Russian voting-related hacking.

It does not, for example, include the targeting of voting infrastructure contractors, such as VR Systems (which Reality Winner faces prison for disclosing). There’s good reason to at least suspect that the VR Systems hack may have affected NC’s outcome by causing the most Democratic counties to shift to paper voting books, resulting in confusion and delays in those counties that didn’t exist in more Republican ones.

And they don’t include any Russian social media-related support or suppression, which we’re getting closer to having proof of right now.

Importantly, don’t forget that we know Republicans were engaging in all these techniques as well, with far better funding. Russians didn’t need to hack WI and NC given how much organized suppression of voters of color took place. Republican secretaries of state had the power to purge voters on trumped up excuses without engaging in any hacking.

Do not let the focus on Russian tampering distract from the far more effective Republican suppression.

Notice needs to be improved

Finally, the other big story about this is that some states only got notice they were targeted yesterday, some even after having partnered with DHS to assess their voting infrastructure.

DHS has used classification, in part, to justify this silence, which is an issue the Intelligence Committees are trying to address in next year’s authorization. But that’s particularly hard to justify that many of these same states have run elections since.

Mind you, we’re likely to see this debate move to the next level — to demanding that state officials disclose full details about their state’s infrastructure to citizens.

In any case, if we’re to be able to use democratic pressure to ensure the infrastructure of democracy gets better protected, we’re going to need more notice.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

Twitter Asked to Tell Reality Winner the FBI Had Obtained Her Social Media Activity

Last week, the Augusta Chronicle reported that the government had unsealed notice that it had obtained access to Reality Winner’s phone and social media metadata. Altogether, the government obtained metadata from her AT&T cell phone, two Google accounts, her Facebook and Instagram accounts, and her Twitter account. Of those providers, it appears that only Twitter asked to tell Winner the government had obtained that information. The government obtained the 2703(d) order on June 13. On June 26, Twitter asked the FBI to rescind the non-disclosure order. In response, FBI got a 180-day deadline on lifting the gag; then on August 31, the FBI asked the court to unseal the order for Twitter, as well as the other providers.

The applications all include this language on Winner’s use of Tor, and more details about using a thumb drive with a computer last November.

During the search of her home, agents found spiral-bound notebooks in which the defendant had written information about setting up a single-use “burner” email account, downloading the TOR darkweb browser at its highest security setting, and unlocking a cell phone to enable the removal and replacement of its SIM card. Agents also learned, and the defendant admitted, that the defendant had inserted a thumb drive into a classified computer in November 2016, while on active duty with the U.S. Air Force and holding a Top Secret/SCI clearance. The defendant claimed to have thrown the thumb drive away in November 2016, and agents have not located the thumb drive.

Given that the FBI applied for and eventually unsealed the orders in all these cases, it provides a good way to compare what the FBI asks for from each provider — which gives you a sense of how the FBI actually uses these metadata requests to get a comprehensive picture of all the aliases, including IP addresses, someone might use. The MAC and IP addresses, in particular, would be very valuable to identify any of her otherwise unidentified device and Internet usage. Note, too, that AT&T gets asked to share all details of wire communications sent using the phone — so any information, including cell tower location, an app shares with AT&T would be included in that. AT&T, of course, tends to interpret surveillance requests broadly.

Though note: the prosecutor here pretty obviously cut and paste from the Google request for the social media companies, given that she copied over the Google language on cookies in her Twitter request.

AT&T

AT&T Corporation is required to disclose the following records and other information, if available, to the United States for each Account listed in Part I of this Attachment, for the time period beginning June 1, 2016, through and including June 7, 2017:

A. The following information about the customers or subscribers of the Account:
1. Names (including subscriber names, user names, and screen names);
2. Addresses (including mailing addresses, residential addresses, business addresses, and e-mail addresses);
3. Local and long distance telephone connection records;
4. Records of session times and durations, and the temporarily assigned network addresses (such as Internet Protocol (“IP”) addresses) associated with those sessions;
5. Length of service (including start date) and types of service utilized;
6. Telephone or instrument numbers (including MAC addresses. Electronic Serial Numbers (“ESN”), Mobile Electronic Identity Numbers (“MEIN”), Mobile Equipment Identifier (“MEID”), Mobile Identification Numbers (“MIN”), Subscriber Identity Modules (“SIM”), Mobile Subscriber Integrated Services Digital Network Number (“MSISDN”), International Mobile Subscriber Identifiers (“IMSl”), or International Mobile Equipment Identities (“IMEI”));
7. Other subscriber numbers or identities (including the registration Internet Protocol (“IP”) address); and
8. Means and source of payment for such service (including any credit card or bank account number) and billing records.

B. All records and other information (not including the contents of communications) relating to wire and electronic communications sent from or received by the Account, including the date and time of the communication, the method of communication, and the source and destination of the communication (such as source and destination email addresses, IP addresses, and telephone numbers), and including information regarding the cell towers and sectors through which the communications were sent or received.

Records of any accounts registered with the same email address, phone number(s), or method(s) of payment as the account listed in Part I.

Google

Google is required to disclose the following records and other information, if available, to the United States for each account or identifier listed in Part 1 of this Attachment (“Account”), for the time period beginning June 1, 2016, through and including June 7,2017:

A. The following information about the customers or subscribers of the Account:
1. Names (including subscriber names, user names, and screen names);
2. Addresses (including mailing addresses, residential addresses, business addresses, and e-mail addresses);
3. Local and long distance telephone connection records;
4. Records of session times and durations, and the temporarily assigned network addresses (such as Internet Protocol (“IP”) addresses) associated with those sessions;
5. Length of service (including start date) and types of service utilized;
6. Telephone or instrument numbers (including MAC addresses);
7. Other subscriber numbers or identities (including temporarily assigned network addresses and registration Internet Protocol (“IP”) addresses (including carrier grade natting addresses or ports)); and
8. Means and source of payment for such service (including any credit card or bank account number) and billing records.

B. All records and other information (not including the contents of communications) relating to the Account, including:
1. Records of user activity for each connection made to or from the Account, including log files; messaging logs; the date, time, length, and method of connections; data transfer volume; user names; and source and destination Internet Protocol addresses;
2. Information about each communication sent or received by the Account, including the date and time of the communication, the method of communication, and the source and destination of the communication (such as source and destination email addresses, IP addresses, and telephone numbers);
3. Records of any accounts registered with the same email address, phone number(s), method(s) of payment, or IP address as either of the accounts listed in Part 1; and Records of any accounts that are linked to either of the accounts listed in Part 1 by machine cookies (meaning all Google user IDs that logged into any Google account by the same machine as either of the accounts in Part

Facebook/Instagram

Facebook, Inc. is required to disclose tbe following records and other information, if available, to the United States for each account or identifier listed in Part 1 of this Attachment (“Account”),
for the time period beginning June 1, 2016, through and including June 7, 2017:

A. The following information about the customers or subscribers of the Account:
1. Names (including subscriber names, user names, and screen names);
2. Addresses (including mailing addresses, residential addresses, business addresses, and e-mail addresses);
3. Local and long distance telephone connection records;
4. Records of session times and durations, and the temporarily assigned network addresses (such as Intemet Protocol (“IP”) addresses) associated with those sessions;
5. Length of service (including start date) and types of service utilized;
6. Telephone or instrument numbers (including MAC addresses);
7. Other subscriber numbers or identities (including temporarily assigned network addresses and registration Intemet Protocol (“IP”) addresses (including carrier grade natting addresses or ports)); and
8. Means and source of payment for such service (including any credit card or bank account number) and billing records.

B. All records and other information (not including the contents of communications) relating to the Account, including:
1. Records of user activity for each connection made to or from the Account, including log files; messaging logs; the date, time, length, and method of connections; data transfer volume; user names; and source and destination Intemet Protocol addresses;
2. Information about each communication sent or received by tbe Account, including tbe date and time of the communication, the method of communication, and the source and destination of the communication (such as source and destination email addresses, IP addresses, and telephone numbers). Records of any accounts registered with the same email address, phone number(s), method(s) of payment, or IP address as either of the accounts listed in Part I; and
3. Records of any accounts that are linked to either of the accounts listed in Part I by machine cookies (meaning all Facebook/Instagram user IDs that logged into any Facebook/Instagram account by the same machine as either of the accounts in Part I).

Twitter

Twitter, Inc. is required to disclose the following records and other information, if available, to the United States for each account or identifier listed in Part 1 of this Attachment (“Account”), for the time period beginning June 1,2016, through and including June 7,2017:

A. The following information about the customers or subscribers of the Account:
1. Names (including subscriber names, user names, and screen names);
2. Addresses (including mailing addresses, residential addresses, business addresses, and e-mail addresses);
3. Local and long distance telephone connection records;
4. Records of session times and durations, and the temporarily assigned network addresses (such as Internet Protocol (“IP”) addresses) associated with those sessions;
5. Length of service (including start date) and types of service utilized;
6. Telephone or instrument numbers (including MAC addresses);
7. Other subscriber numbers or identities (including temporarily assigned network addresses and registration Internet Protocol (“IP”) addresses (including carrier grade natting addresses or ports)); and
8. Means and source of payment for such service (including any credit card or bank account number) and billing records.

B. All records and other information (not including the contents of communications) relating to the Account, including:
1. Records of user activity for each connection made to or from the Account, including log files; messaging logs; the date, time, length, and method of connections; data transfer volume; user names; and source and destination Internet Protocol addresses;
2. Information about each communication sent or received by the Account, including the date and time of the communication, the method of communication, and the source and destination of the communication (such as source and destination email addresses, IP addresses, and telephone numbers).
3. Records of any accounts registered with the same email address, phone number(s), method(s) of payment, or IP address the account listed in Part I; and
4. Records of any accounts that are linked to the account listed in Part I by machine cookies (meaning all Google [sic] user IDs that logged into any Google [sic] account by the same machine as the account in Part I).

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

Reality Winner Claims NSA’s Collection on Russians Had Already Been Compromised

I guess today is Reality Winner day.

As Trevor Timm describes, Winner is trying to get comments she made in an interview with the FBI thrown out, arguing she was for legal purposes in custody yet did not receive a Miranda warning. In support of that argument, she submitted a declaration describing what happened to her that day — basically how 10 male FBI agents showed up to search her house, with two taking her to a back room to interrogate her.

In addition to all the details about how many male FBI agents there were and how they had her stand in the fenced yard when they were done interrogating her, she describes how she answered when they asked whether she believed she had compromised sources and methods.

16. Law enforcement specifically asked me whether I believed the disclosure of the document compromised the “sources and methods” contained in the document, to which I advised that it was likely those “sources and methods” had already been compromised.

17. I specifically told law enforcement that, “whatever we were using had already been compromised, and that this report was just going to be like a one drop in the bucket.”

Critics will argue that this wasn’t Winner’s operational judgment to make, though it does reveal that even in this interview, she attested that she didn’t think her leak would damage intelligence.

But I’m interested in her claim that these collection points were already burned.

While many people complain that the IC has withheld too much information about the Russian hack, there are some details that have been released that are downright surprising. Sure, we don’t know who leaked the Steele dossier, but it may have led to the exposure (and possible execution) of his sources. We do know, however, that DOJ itself revealed (in the Yahoo indictment) that it collected email conversations of FSB officers among themselves. We’ve heard vague reporting, too, that Russians figured out they were tapped and went silent accordingly. One early report I got about Russia’s involvement in the DNC hack explained that the suspected hackers rolled up a good deal of their infrastructure after it was exposed.

But Winner (who’s an analyst, remember, not a technical person) claims, that “whatever we were using had already been compromised” with apparent confidence.

Which raises questions whether that’s based on actual knowledge of how Russians were responding to our spying.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

NYT’s Churlish Vote Hacking Story Should Name Reality Winner

NYT has a story reporting that that there has been almost no forensic analysis to find out whether Russian attempts to tamper with localized voting infrastructure had any effect on the election.

After a presidential campaign scarred by Russian meddling, local, state and federal agencies have conducted little of the type of digital forensic investigation required to assess the impact, if any, on voting in at least 21 states whose election systems were targeted by Russian hackers, according to interviews with nearly two dozen national security and state officials and election technology specialists.

It’s a worthwhile story that advances the current knowledge about these hacks in several ways. It reveals that several other election services companies got breached.

Beyond VR Systems, hackers breached at least two other providers of critical election services well ahead of the 2016 voting, said current and former intelligence officials, speaking on condition of anonymity because the information is classified. The officials would not disclose the names of the companies.

It reveals a local investigation (which had already been reported) into one county that used VR systems, Durham, North Carolina, did not conduct the forensic analysis necessary to rule out a successful hack.

In Durham, a local firm with limited digital forensics or software engineering expertise produced a confidential report, much of it involving interviews with poll workers, on the county’s election problems. The report was obtained by The Times, and election technology specialists who reviewed it at the Times’ request said the firm had not conducted any malware analysis or checked to see if any of the e-poll book software was altered, adding that the report produced more questions than answers.

And it describes other counties that experienced the same kind of poll book irregularities that Durham had.

In North Carolina, e-poll book incidents occurred in the counties that are home to the state’s largest cities, including Raleigh, Winston-Salem, Fayetteville and Charlotte. Three of Virginia’s most populous counties — Prince William, Loudoun, and Henrico — as well as Fulton County, Georgia, which includes Atlanta, and Maricopa County, Arizona, which includes Phoenix, also reported difficulties. All were attributed to software glitches.

That said, the headline and the second framing paragraph (following the “After a presidential campaign scarred by Russian meddling” one above) suggest no one else has been looking at this question.

The assaults on the vast back-end election apparatus — voter-registration operations, state and local election databases, e-poll books and other equipment — have received far less attention than other aspects of the Russian interference, such as the hacking of Democratic emails and spreading of false or damaging information about Mrs. Clinton. Yet the hacking of electoral systems was more extensive than previously disclosed, The New York Times found.

That’s particularly churlish given that NYT’s story so closely resembles a superb NPR story published on August 10.

Both stories focus on Durham County, NC. Both stories start with an extended description of how things went haywire as people showed up to vote. Both rely heavily on someone who worked Election Protection’s help lines on election day, Susan Greenhalgh.

It’s not just NPR. One of NYT’s other premises, that no one knew how many states were affected, was reported back in June by Bloomberg (which gave an even higher number for the total of states affected). Another detail — that local officials still don’t know whether they’ve been hacked because they don’t have clearance — has been reported by Motherboard and NPR, among others.

And, like both the NPR Durham story and the Bloomberg one, NYT also invokes the Intercept’s report on this from June.

Details of the breach did not emerge until June, in a classified National Security Agency report leaked to The Intercept, a national security news site.

But unlike Bloomberg (and like NPR) NYT doesn’t mention that Reality Winner is in jail awaiting trial, accused of having leaked that document (as I noted about the Bloomberg article, it’s highly likely the multiple “current and former government officials” who served as sources for this story won’t face the same plight Winner is).

I get that outlets may have a policy against naming someone in a case like this. But if you’re going to claim people aren’t paying attention to this issue, it’s the least you can do to actually inform readers that someone risked her freedom to bring attention to the matter, and the government has successfully convinced a judge to prohibit her from even discussing why leaking the document was important.

By all means, let’s have more analysis of whether votes were affected. But let’s make sure the people who are actually trying to generate more attention get the credit they deserve.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

Report from North Carolina Makes Reality Winner Leak Far More Important

According to NPR, the poll books in six precincts in Durham County, NC, went haywire on election day, which led the entire county to shift to paper poll books.

When people showed up in several North Carolina precincts to vote last November, weird things started to happen with the electronic systems used to check them in.

“Voters were going in and being told that they had already voted — and they hadn’t,” recalls Allison Riggs, an attorney with the Southern Coalition for Social Justice.

The electronic systems — known as pollbooks — also indicated that some voters had to show identification, even though they did not.

[snip]

At first, the county decided to switch to paper pollbooks in just those precincts to be safe. But Bowens says the State Board of Elections & Ethics Enforcement got involved “and determined that it would be better to have uniformity across all of our 57 precincts and we went paper pollbooks across the county.”

That move caused a whole new set of problems: Voting was delayed — up to an hour and a half — in a number of precincts as pollworkers waited for new supplies. With paper pollbooks, they had to cut voters’ names out and attach them to a form before people could get their ballots.

The company that provided the software for the poll books is VR Systems — the company that the document Reality Winner leaked showed had been probed by Russian hackers.

But Susan Greenhalgh, who’s part of an election security group called Verified Voting, worried that authorities underreacted. She was monitoring developments in Durham County when she saw a news report that the problem pollbooks were supplied by a Florida company named VR Systems.

“My stomach just dropped,” says Greenhalgh.

She knew that in September, the FBI had warned Florida election officials that Russians had tried to hack one of their vendor’s computers. VR Systems was rumored to be that company.

Because of the publicity surrounding the VR targeting — thanks to the document leaked by Winner — NC has now launched an investigation.

Lawson says the state first learned of the hack attempt when The Intercept, an online news site, published its story detailing Russian attempts to hack VR Systems. The leaked report said hackers then sent emails to local election offices that appeared to come from VR — but which actually contained malicious software.

[snip]

So now, months after the election, the state has launched an investigation into what happened in Durham County. It has secured the pollbooks that displayed the inaccurate information so forensic teams can examine them.

So this may be the first concrete proof that Russian hackers affected the election. But we’ll only find out of that’s true thanks to Winner’s leak.

Except she can’t raise that at trial.

Last week, Magistrate Judge Brian Epps imposed a protection order in her case that prohibits her or her team from raising any information from a document the government deems to be classified, even if that document has been in the public record. That includes the document she leaked.

The protective order is typical for leak cases. Except in this case, it covers information akin to information that appeared in other outlets without eliciting a criminal prosecution. And more importantly, Winner could now point to an important benefit of her leak, if only she could point to the tie between her leak and this investigation in North Carolina.

With the protection order, she can’t.

Note one more implication of this story.

In addition to the Presidential election last year, North Carolina had a surprisingly close Senate election, in which Senate Intelligence Committee Chair Richard Burr beat Deborah Ross by 6%. Admittedly, the margin was large — over 200,000 votes. But Durham County is the most Democratic county in the state.

Burr, of course, is presiding over one of the four investigations into the Russian hacks. And while I don’t think this story, yet, says that Burr won because of the hack, if the investigations shows VR was hacked in the state and it affected throughput in the most Democratic county, then it means Burr benefitted as clearly from the Russian hacks as Trump did.

The SSCI investigation has been going better than I had imagined. But this seems like a conflict of interest.

Update: I originally said the entire state switched to paper pollbooks. That’s incorrect: just Durham County did, which makes the issue even more important.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

Maddow’s Forgery and Mistaken Timing

Much of Rachel Maddow’s reporting on the Russian scandal has been overly drawn out and breathless. But you should watch this piece (which is not only overly drawn out and breathless, but doesn’t emphasize the most important point).

Rachel describes how, on June 7, her tip line received a smoking gun document, appearing to be a Top Secret NSA document, laying out collusion between a Trump campaign official she doesn’t name (I’m going to wildarseguess, for a lot of reasons, it is Mike Flynn) and the Russians who hacked the election. She describes multiple reasons her team determined the document to be a fake: some misspellings, a declassification date that is wrong, some spacing weirdness, and that the campaign official is actually named, rather than masked as US Citizen 1.

But she also describes how the printer dots and a seeming crease on the document appear to replicate those that appear in the document Reality Winner is alleged to have provided to the Intercept.

Which is interesting, because as she shows about 14 minutes in (but doesn’t emphasize enough), the document sent to her tip line appears to have been created between the time Reality Winner went to jail and the time the Intercept published the document (unless I missed it, she doesn’t say precisely when they got the document, just that it was the same week as the Intercept published it Update: Corrected above). The creation date appears to be three and a half hours before the publication date at the Intercept. [Update: but not the creation date for the document, see below.]

Rachel surmises, correctly, I think, that the person sent the document both to discredit her own reporting (in much the same way reliance on fake documents discredited Dan Rather’s reporting of George Bush’s real Air National Guard scandal) as well as to discredit the notion that the Trump campaign, and the person named in particular, colluded with the Russians. This was an attempt to undercut potentially real news with deliberately faked news, fed through a selected outlet.

That would mean one of two things. Either the person who created the document faked the metadata (or created the document from Alaska or someplace west of there). Or the person received a copy of the very same document, including the crease, either from Reality Winner or from the Intercept or one of their sources, and then used it as a template to create a fake NSA document (or had visibility into the FBI’s investigation about this document). If it’s the latter, then the number of people who might be involved is rather small.

I’ve suggested there are reasons to wonder whether Winner was directed towards this document. I’d say there are more questions now about whether that’s the case.

Update: as PaulMD notes on Twitter, the document Rachel received actually has the very same creation time as the document the Intercept uploaded.

Update: Glenn Greenwald is pretty pissed about Rachel’s insinuations.

Update: Changed the title given the mistaken timing in the Rachel story.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.