Posts

The Methodology of Andrew DeFilippis’ Elaborate Plot to Break Judge Cooper’s Rules

Please donate to help defray the cost of trial transcripts. As most of you know, I now live in Ireland. I had considered traveling to DC to cover the Sussmann trial but have issues I need to deal with here. So I’m hoping to cover as much of it as I can (with an obvious delay) via trial transcripts. But they are expensive! So if you appreciate this coverage, please consider a one-time  or recurring donation to defray the cost of transcripts. Thanks!

When Michael Sussmann attorney Sean Berkowitz was walking FBI Agent Scott Hellman through the six meetings he had with Durham’s team on Tuesday — meetings he first had as a witness about the investigation into the Alfa Bank allegations and later in preparation for his trial testimony — Berkowitz asked Hellman about how, sometime earlier this year, Andrew DeFilippis and Jonathan Algor asked him whether he could serve as their DNS expert for the trial.

Q And then, more recently, you met with Mr. DeFilippis and I think Johnny Algor, who is also at the table here, who’s an Assistant U.S. Attorney. Correct?

A. Yes.

Q. They wanted to talk to you about whether you might be able to act as an expert in this case about DNS data?

A. Correct.

To Hellman’s credit, he told Durham’s prosecutors — who have been investigating matters pertaining to DNS data for two years — that he only had superficial knowledge of DNS and so wasn’t qualified to be their expert.

Q. You said, while you had some superficial knowledge, you didn’t necessarily feel qualified to be an expert in this case, correct, on DNS data?

A. On DNS data, that’s correct.

It wasn’t until the third day of trial before Durham’s team presented any evidence about the alleged crime. Instead, Durham’s first two witnesses were their nominal expert, David Martin, and Hellman, who told Durham he wasn’t an expert but who offered opinions he neither had the expertise to offer nor had done the work to substantiate.

That’s important, because DeFilippis used him to provide an opinion only an expert should give. And virtually everything about his testimony — his claim to have relied on the data in the materials without looking at the thumb drives, an apparently made up claim about the timing of the analysis, and behaviors that the FBI normally finds suspicious — suggest he’s not only not a DNS expert qualified to assess this report, but his assessment of the white paper Sussmann shared also suffers from serious credibility issues.

The battle over an expert

The testimony of the nominal expert, David Martin, was remarkably nondescript, particularly given the fight that led up to his testimony. Durham’s team sprung even having an expert on Sussmann at a really late date: on March 30, after months of blowing off Sussmann’s inquiries if they would. Not only did they want Martin to explain to the jury what DNS and Tor are, Durham’s team explained, but they also wanted him to weigh in on the validity of conclusions drawn by researchers who had found the anomaly.

  • the authenticity vel non of the purported data supporting the allegations provided to the FBI and Agency-2;
  • the possibility that such purported data was fabricated, altered, manipulated, spoofed, or intentionally generated for the purpose of creating the false appearance of communications;
  • whether the DNS data that the defendant provided to the FBI and Agency-2 supports the conclusion that a secret communications channel existed between and/or among the Trump Organization, Alfa Bank, and/or Spectrum Health;

[snip]

  • the validity and plausibility of the other assertions and conclusions set forth in the various white papers that the defendant provided to the FBI and Agency-2;

As Sussmann noted in his motion to limit Martin’s testimony, he didn’t mind the testimony about DNS and Tor. He just didn’t want this trial to be about the accuracy of the data, especially without the lead time to prepare his own expert.

As the Government has already disclosed to the defense, should the defense attempt to elicit testimony surrounding the accuracy and/or reliability of the data that the defendant provided to the FBI and Agency-2, Special Agent Martin would explain the following:

  • That while he cannot determine with certainty whether the data at issue was cherry-picked, manipulated, spoofed or authentic, the data was necessarily incomplete because it was a subset of all global DNS data;
  • That the purported data provided by the defendant nevertheless did not support the conclusions set forth in the primary white paper which the defendant provided to the FBI;
  • That numerous statements in the white paper were inaccurate and/or overstated; and
  • That individuals familiar with these relevant subject areas, such as DNS data and TOR, would know that such statements lacked support and were inaccurate and/or overstated.

Based off repeated assurances from Durham that they weren’t going to make accuracy an issue in their case in chief, Judge Cooper ruled that the government could only get into accuracy questions if Sussmann tried to raise the accuracy of the data himself. But if he said he relied on the assurances of Rodney Joffe, it wouldn’t come in.

The government suggests that Special Agent Martin’s testimony may go further, depending on what theories Sussmann pursues in cross-examination or his defense case. Consistent with its findings above, the Court will allow the government’s expert to testify about the accuracy (or lack thereof) of the specific data provided to the FBI here only in certain limited circumstances. In particular, if Sussmann seeks to establish at trial that the data were accurate, and that there was in fact a communications channel between Alfa Bank and the Trump Campaign, expert testimony explaining why this could not be the case will become relevant. But, as the Court noted above, additional testimony about the accuracy of the data—expert or otherwise—will not be admissible just because Mr. Sussmann presents evidence that he “relied on Tech Executive-1’s conclusions” about the data, or “lacked a motive to conceal information about his clients.” Gov’s Expert Opp’n at 11. As the Court has already explained, complex, technical explanations about the data are only marginally probative of those defense theories. The Court will not risk confusing the jury and wasting time on a largely irrelevant or tangential issue. See United States v. Libby, 467 F. Supp. 2d 1, 15 (D.D.C. 2006) (excluding evidence under Rule 403 where “any possible minimal probative value that would be derived . . . is far outweighed by the waste of time and diversion of the jury’s attention away from the actual issues”).

Then, days before the trial, the issue came up again. Durham sent a letter on May 6 (ten days before jury selection), raising a bunch of new issues they wanted Martin to raise. Sussmann argued that Durham was trying to expand the scope of what his expert could present. Among his complaints, Sussmann argued that Durham was trying to make a materiality argument via his expert witness.

Third, the Special Counsel apparently intends to offer expert testimony about the materiality of the false statement alleged in this case. Indeed, the Special Counsel’s supplemental topic 9 regarding the importance of considering the collection source of DNS data is plainly being offered to prove materiality. But the Special Counsel did not disclose this topic in either his initial expert disclosure or Opposition, and the Court’s ruling did not permit such testimony. The Special Counsel should not now be allowed to offer an entirely new expert opinion under the guise of eliciting testimony regarding the types of conclusions that can be drawn from a review of DNS data.

Judge Cooper considered the issue Tuesday morning, before opening arguments. When asking why Martin had to present the concept of visibility, DeFilippis explained that Hellman–the Agent who’s not an expert on DNS but whom DeFilippis nevertheless had asked to serve as an expert on DNS–would talk about the import of knowing visibility to assess data.

THE COURT: Well, but isn’t the question here whether a case agent — is your case agent later going to testify that that was something that the FBI looked at or wanted to look at in this case and was unable to do so, and that that negatively affected the FBI’s investigation in some way? MR.

DeFILIPPIS: Yes, and I expect Special Agent Hellman, who will testify likely today, Your Honor, I expect that that is a concept that he will say was relevant to the determination that — determinations he was making as he drafted analysis of the data that came in. And, again, I don’t think we — for example, another way in which this comes up is that the FBI routinely receives DNS data from various private companies who collect that data, and it is always relevant sort of the breadth of visibility that those companies have. So it’s relevant generally, but also in this particular case the fact that the FBI did not have insight into the visibility or lack of visibility of that data certainly affected steps that the FBI took.

THE COURT: Okay. But Mr. Sussman has not been accused of misrepresenting who the source is. He’s simply — but rather who the client is. So how do you link that to the materiality of the alleged false statement?

MR. DeFILIPPIS: Because, Your Honor, I think we view them as intertwined. It was because — it was in part because Mr. Sussman said he didn’t have a client that made it more difficult for the FBI to get to the bottom of the source of this data or made it less likely they would, and so — and, again, I don’t think we expect to dwell for a long time on this, but I think the agents and the technical folks will say that that is part of why the origins of the data are extremely relevant when they took investigative steps here.

When Cooper noted Sussmann’s objection to Martin discussing possible spoofing of data, DeFilippis again answered not about what Martin would testify, but what Hellman would.

As DeFilippis explained, he claimed to believe that under Cooper’s ruling, the government could put in any little thing they wanted that they claimed had been part of the investigation.

And Special Agent Hellman, when he testifies today — now, Your Honor’s ruling we understand to permit us to put into evidence anything about what the FBI analyzed and concluded as its investigation unfolded because that goes to the materiality of the defendant’s statement. So Special Agent Hellman — through Agent Hellman we will offer into evidence a paper he prepared when the data first came in, and among its conclusions is that the data might — he doesn’t use the word “spoof” — but might have been intentionally generated and might have been fabricated. That was the FBI’s initial conclusion in what it wrote up.

So in order for the jury to understand the course of the FBI’s investigation and the conclusions that it drew at each stage, those concepts are at the center of it.

[snip]

MR. DeFILIPPIS: Okay. Your Honor, I’m sorry. We understood your ruling to be that the FBI’s conclusions as it went along were okay as long as we weren’t asserting the conclusion that it was, in fact, fabricated. You know, I mean, it’s difficult to chart the course of the FBI’s investigation unless we can elicit at each stage what it is that the FBI concluded.

Judge Cooper ordered that references to spoofing be removed — leading to a last minute redaction of an exhibit — but permitted a discussion of visibility to come in.

After all that fight, Martin’s testimony was not only bland, but it was recycled powerpoint. He not only admitted lifting the EFF description of Tor for his PowerPoint, but he included their logo.

Hellman delivers the non-expert expert opinion Durham was prohibited from giving

As I said, Martin was witness number one, Hellmann — the self-described non-expert in DNS — was witness number two.

Even though Hellman admitted, again, that he’s not a DNS expert, DeFilippis still had him go over what DNS is.

Q. How familiar or unfamiliar are you with what is known as DNS or Domain Name System data?

A. I know the basics about DNS.

Q. And in your understanding, on a very basic level, what is DNS?

A. DNS is basically how one computer would try and communicate with another computer.

After getting Hellman to explain how he purportedly got chain of custody signatures on September 20, 2016 for the materials Michael Sussmann dropped off with James Baker on September 19, DeFilippis walked Hellman through how, he claimed, he had concluded that the allegations Sussmann dropped off were unsupported. Hellman reviewed the data accompanying the white paper, Durham’s star cybersecurity witness claimed on the stand, and after reviewing that data, determined there was no allegation of a hack in the materials and therefore nothing for the Cyber Division to look at. And, as a report he wrote “within a day” summarized, he concluded the methodology was horrible.

As you read the following exchange, know that (as I understand it) some, if not most, of what Hellman describes as the methodology to be is wrong. Obviously, if Hellman’s understanding of the methodology is wrong, then the opinion that DeFilippis elicits from a guy who admitted he was not an expert on DNS but whom DeFilippis nevertheless asked to serve as his expert witness on DNS before inviting David Martin in to present slides lifted from the Electronic Frontier Foundation instead [Takes a breath] … If Hellman’s understanding of the methodology and the data he’s looking at is wrong, then his opinion about the methodology is going to be of little merit.

With that understanding, note the objection of Sean Berkowitz, who fought DeFilippis’ late hour addition of an expert that DeFilippis wanted to use to opine on the validity of the research, bolded below.

So we looked at the top part, which set out your top-line conclusion. You then have a portion of the paper that says, “The investigators who conducted the research appear to have done the following.” Now, Special Agent Hellman, it appears to be a pretty technical discussion, but can you just tell us, in that first part of the paper, what did you set out and what did you conclude?

A. It looks to be that they were looking for domains associated with Trump, and the way that they did that was they looked at a list of sort of all domains and looked for domains that had the word “Trump” in them as a way to narrow down the number of domains they were looking at.

And then they wanted to find, well, which of that initial set of Trump domains, which of them are email servers associated with those domains. And the way they did that was to search for terms associated with email, like “mail” or other email-related terms to then narrow down their list of domains even further to be Trump-associated domains that were email servers.

Q. And did you opine on the soundness of that methodology? In other words, did you express a view as to whether this was a good way to go about this project?

A. We did not — I did not feel that that was the most expeditious way to go about identifying email servers associated with the domain.

Q. And why was that?

A. You can name an email server anything you want. It doesn’t have to have the words “mail” or “SMTP” in it. And so by — if you’re just searching for those terms, I would wager to guess you would miss an actual email server because there are other — there are other more technical ways that you can use — basically look-up tools, Internet look-up tools where you can say, for any domain, tell me the associated email server. That’s essentially like a registered email server. But the way that they were doing it was they were just looking for key terms, and I think that it just didn’t make sense to me why they would go about identifying email servers that way as opposed to just being able to look them up.

Q. Was there anything else about the methodology used here by the writer or writers of this paper that you found questionable or that you didn’t agree with?

A. I think just the overall assumptions that were being made about that the server itself was actually communicating at all. That was probably one of the biggest ones.

Q. And what, if anything, did you conclude about whether you believed the authors of the paper or author of the paper was fairly and neutrally conducting an analysis? Did you have an opinion either way?

MR. BERKOWITZ: Objection, Your Honor.

THE COURT: Basis?

MR. BERKOWITZ: Objection on foundation. He asked him his opinion. He’s not qualified as an expert for that.

THE COURT: I’ll overrule it.

A. Sorry, can you please repeat the question?

Q. Sure. Did you draw a conclusion one way or the other as to whether the authors of this paper seemed to be applying a sound methodology or whether, to the contrary, they were trying to reach a particular result? Did you —

A. Based upon the conclusions they drew and the assumptions that they made, I did not feel like they were objective in the conclusions that they came to.

Q. And any particular reasons or support for that?

A. Just the assumption you would have to make was so far reaching, it didn’t — it just didn’t make any sense.

That’s how, as his second witness, Andrew DeFilippis introduced the opinion of a guy who admitted he wasn’t an expert on DNS that DeFilippis had asked to serve as an expert even though DeFilippis should have known that he didn’t have the expertise to offer expert opinions like this.

If Sussmann is found guilty, I would bet a great deal of money this stunt will be one part of a several pronged appeal, because Judge Cooper permitted DeFilippis to do precisely what Cooper had prohibited him from doing before trial, and he let him do it with a guy who by his own admission is not a DNS expert.

Cyber Division reaches a conclusion without looking at the thumb drives

Now let’s look at what Hellman describes his own methodology to be.

First, it was quick. DeFilippis seems to think that serves his narrative, as if this stuff was so crappy that it took a mere glimpse to discredit it.

Q. Special Agent Hellman, how long would you say it took you and Special Agent Batty to write this up?

A. Inside of a day.

Q. Inside of a day, you said?

Berkowitz walked Hellman through the timeline of it, and boy was it quick. There’s some uncertainty about this timeline, because John Durham’s office doesn’t feel the need to make clear whether exhibits they’re turning over in discovery reflect UTC or ET. But I think I’ve laid it out below (Berkowitz got it wrong in cross-examination, which DeFilippis used to attack his analysis).

As you can see, not only were FBI’s crack cybersecurity agents making a final conclusion about the data within a day but — by all appearances — they did so before they had ever looked at the thumb drives included with the white papers. From the record, it’s actually not clear when — if!!! — they looked at the thumb drives. But it’s certain they had their analysis finalized no more than one working day after they admitted they hadn’t looked at the thumb drive, which was itself after they had already decided the white paper was shit.

Timeline

September 20, 10:20AM: Nate Batty tells Jordan Kelly they’ll come from Chantilly to DC get the thumb drives

September 20, 10:31AM: Jordan Kelly tells Batty the chain of custody is “Sussman to Strzock to Sporre”

September 20, 12:29PM: Hellman and Nate Batty accept custody of the thumb drives

September 20, 1:30PM: Hour drive back to Chantilly, VA

September 20, 4:44PM: Hellman appears to explain the process of picking up the thumb drives to jrsmith, claiming to have spoken to Baker on the phone. jrsmith jokes about “doctor[ing] a chain of evidence form.”

September 20, 4:58: Hellman says the more he reads the report “it feels a little 5150ish,” suggesting (as he explained to Berkowitz on cross) the authors suffered from a mental disability, and Batty responds complains that “it contains an absurd quantity of data … inserted to overwhelm and confuse the reader.”

September 21, 8:47AM: Batty tells Hellman their supervisor wants them to “write a brief summary of what we think about the DNC report.” Batty continues by suggesting that “we should at least plug the thumb drives into Frank’s computer and look at the files…”

9/22, 9:44AM: Curtis Heide, in Chicago, asks Batty to send the contents of the thumb drive so counterintelligence agents can begin to look at the evidence. The boys in Cyber struggle to do so for a bit.

9/22, 2:49PM: Batty asks Hellman what he did with the blue thumb drive.

9/22, 4:46PM: Batty sends “analysis of Trump white paper” to others.

In other words, the cyber division spent less than 28 hours doing this analysis.

Yes. The analysis was quick.

Hellman says his analysis is valid because he looked at the data

The hastiness of the analysis and the fact that Hellman didn’t look at the thumb drive before making initial conclusions about the research is fairly problematic, because when he discussed his own methodology, he described the data driving everything.

Q. Now, what principally, from the materials, did you rely on to do your analysis?

A. So it was really two things. It was looking at the data, the technical data itself. There was a summary that it came with. And then also we were comparing what we saw in the data, sort of the story that the data told us, and then looking at the narrative that it came with and comparing our assessment of the data to the narrative.

[snip]

Q. And in connection with that analysis, did you also take a look at the data itself that was underlying this paper?

A. Yes

[snip]

Q. And if we look at that first page there, Agent Hellman, what kind of data is this?

A. It appears to be — as far as I can tell, it looks to be — it’s log data. So it’s a log that shows a date and a time, a domain, and an IP address. And, I mean, that’s — just looking at this log, there’s not too much more from that.

Q. And do you understand this to be at least a part of the DNS data that was contained on the thumb drives that I think you testified about earlier?

A. Yes.

[snip]

A. It would have mattered — well, I think on one hand it would not have mattered from the technical standpoint. If I’m looking at technical data, the data’s going to tell me whatever story the data’s going to tell me independent of where it comes from. So I still would have done the same technical analysis.

But knowing where the data comes from helps to tell me — it gives me context regarding how much I believe in the data, how authentic it is, do I believe it’s real, and do I trust it. [my emphasis]

He repeated this claim on cross with Berkowitz.

I just disagreed with the conclusions they came to and the analysis that they did based upon the data that came along with the white paper.

When Berkowitz asked him why counterintelligence opened an investigation when Cyber didn’t, Hellman suggested that the people in CD wouldn’t understand how to read the technical logs.

A. Um, I think they’d probably be looking at it from the same vantage point, but if you’re not — you don’t have experience looking at technical logs, you may not have the capability of doing a review of those logs. You might rely on somebody else to do it. And perhaps counterintelligence agents are going to be thinking about other investigative questions. So I guess it would probably be a combination of both.

“If I’m looking at technical data,” DeFilippis’ star cybersecurity agent explained, “the data’s going to tell me whatever story the data’s going to tell me.”

Except he didn’t look at the technical data, at least not the data on the thumb drives, before he reached his initial conclusion.

Hellman makes a claim unsupported by the data in his own analysis

I’ll leave it to people more expert than me to rip apart Hellman’s own analysis of the white paper Sussmann shared with the FBI. In early consultations, I’ve been told he misunderstood the methodology, misunderstood how researchers used Trump’s other domains to prove that just one had this anomaly (that is, as a way to test their hypothesis), and misstated the necessity of some long-term feedback loop for this anomaly to be sustained. Again, the experts will eventually explain the problems.

One part of his report that I know damns his methodology, however, is where he says the researchers,

Searched “…global nonpublic DNS activity…” (unclear how this was done) and discovered there are (4) primary IP addresses that have resolved to the name “mail1.trump-email.com”. Two of these belong to DNS servers at Russian Alfa Bank. [my emphasis]

This is the point where every single person I know who assessed these allegations who is at least marginally expert on DNS issues stopped and said, “global nonpublic DNS activity? There are only a handful of people that could be!” Every marginally expert person I know has, upon reading something like that, tried to figure out who would have that kind of visibility on the data, because that kind of visibility, by itself, would speak to their expertise. Those marginally expert people did not have the means to identify the possible sources of the data. But a lot of them — including the NYTimes!! — were able to find people who had that kind of visibility to better understand the anomaly. When Hellman read that, he simply said, “unclear how this was done” and moved on.

Still, Hellman did not contest (or possibly even test) the analysis that said there were really just four IP addresses conducting look-ups with the Trump marketing server. Dozens of people have continued to test that result in the years since, and while there have been adjustments to the general result, no one has disproven that the anomaly was strongest between Alfa Bank and Trump’s marketing domain.

Where Hellman’s insta-analysis really goes off the rails, however, is in his assertion that, “it appears that the presumed suspicious activity began approximately three weeks prior to the stated start date of the investigation conducted by the researcher.”

I’m not a DNS expert, but I’m pretty good at timelines, and by my read here are the key dates in the white paper.

May 4, 2016: Beginning date for look-up analysis

July 28, 2016: Lookup for hostnames yielding Trump

September 4, 2016: End date for look-up analysis

September 14, 2016: Updated search for look-ups covering June 17 through September 14

The start date reflected in this white paper is July 28, 2016. Three weeks before that would be July 7, 2016, a date that doesn’t appear in the white paper. The anomaly started 85 days before the start date reflected in this white paper (and the start date for the research began months earlier, but still over three weeks after the May 4 start date).

I don’t understand where he got that claim. But DeFilippis repeated it on the stand, as if it were reflected in the data, I guess believing it makes his star cybersecurity agent look good.

DeFilippis’ star cybersecurity agent has some credibility problems

There are a few more problems with the credibility of Hellman, DeFilippis’ star cybersecurity agent who is not a DNS expert. One of those is that he compared notes with his boss before first testifying.

Q: And you also spoke with Nate Batty around that time, Right?

A: Yes.

Q: Did you talk to him before the first interview to kind of get ready for it?

A: I think so, but I don’t remember.

Q: Is that something that you encourage witnesses to do, to talk to other witnesses to see if your recollections are consistent?

A: No.

In addition, notwithstanding that Batty was told that Sussmann was in the chain of control, Batty claimed to believe the source was “anonymous” and Hellmann claimed to believe it was sensitive–a human source. Even after comparing notes their stories didn’t match.

There are other problems with Hellman’s memory of the events, notably that in his first interview — the one he did shortly after comparing notes with Batty — he claimed that Baker had told him he was unable to identify the source of the data.

Q. And when you went to Mr. Baker’s office, do you remember what, if anything, was said during that discussion or during that interaction?

A. I remember being in the office, but I don’t distinctly recall what the conversation was. I do remember after the fact, though, that I was frustrated that I was not able to identify who had provided these thumb drives, this information to Mr. Baker. He was not willing to tell me.

At the very least, this presents a conflict with Baker’s testimony, but it’s also another testament to how variable memories can be four years, much less six years, after the fact.

Hellman also claimed, when asked on cross, that the first time he had ever seen the reference to a “DNC report” in September 21 Lync notes he received was two years ago, when he was first interviewed.

A: The first time I saw this was two years ago when I was being interviewed by Mr. DeFilippis, and I don’t recall ever seeing it. I never had any recollection of this information coming from DNC. I don’t remember DNC being a part of anything we read or discussed.

Q: Okay. When you say, the first time you saw it was two years ago when you met with Mr. DeFilippis, that’s not accurate. Right? You saw it on September 21st, 2016. Correct?

A: It’s in there. I don’t have any memory of seeing it.

And when Sean Berkowitz asked about Hellman the significance of seeing the reference to a “DNC report” first thing on September 21, he described that DeFilippis suggested to him that it was likely just a typo for DNS.

Q. What’s your explanation for it?

A. I have no recollection of seeing that link message. And there is — I have absolutely no belief that either me or Agent Batty knew where that data was coming from, let alone that it was coming from DNC. The only explanation that popped or was discussed was that it could have been a typo and somebody was trying to refer to DNS 12 instead of DNC.

Q. So you think it was a typo?

A. I don’t know.

Q. When you said the only one suggesting it — isn’t it true that it was Mr. DeFilippis that suggested to you that it might have been a typo recently?

A. That’s correct.

When asked about a topic for which there was documentary evidence Hellman had seen in real time that he claimed not to remember, Andrew DeFilippis offered up an explanation that Hellman then offered on the stand.

On the stand, DeFilippis also tried to get Hellman to call a marketing server a spam server, though Hellman resisted.

Once you look closely, I don’t think Hellman’s testimony helps Durham all that much. What it proves, however, is that DeFilippis attempted to coach testimony.

One final thing. DeFilippis got his star cybersecurity agent to observe that the researchers didn’t include their name or other markers on their report, as if that’s a measure of unreliablity.

Q. Now, let me ask you, were you able to determine from any of these materials who had actually drafted the paper alleging the secret channel?

A. No.

Q. In other words, was it contained anywhere in the documents?

Here’s what Hellman’s own report looks like:

There’s a unit — ECOU1 — but the names of the individual agents appear nowhere in the report. The report is not dated. It does not specifically identify the white papers and thumb drives by control numbers, something key to evidentiary analysis.

It has none of the markers of regularity you’d expect from the FBI. Hellman’s own analysis doesn’t meet the standards that DeFilippis uses to measure reliability.

This long-time Grand Rapids resident is furious that Hellman judged there was no hack

Everything above I write as a journalist who has tried to understand this story for almost six years. Between that and 18 years of covering national security cases, I hope I now have sufficient familiarity with it to know there are real problems with Hellman’s analysis.

But let me speak as someone who lived in Grand Rapids for most of this period, and had friends who had to deal with the aftermath of Spectrum Health appearing at the center of a politically contentious story.

Hellman had, as he testified, two jobs. First, he was supposed to determine whether there were any cyber equities, then he was supposed to do some insta-analysis of the data without first looking at the thumb drives.

According to Hellman, there was no hack.

I was asked to perform two tasks in tandem with Special Agent Batty, and our tasks were, number one, to look at this data, look at the data and look at the narrative that it came with and identify were there any what’s known as cyber equities. And by that it was, was there any allegation of a hacking. That’s what cyber division does. We investigate hacking. So was there an allegation that somebody or some company or some computer had been hacked. That was first.

[snip]

As I mentioned, the first piece was we had to identify was there any real allegation of hacking; and there was not. That was our first task by our supervisor. There was not.

[snip]

The allegation was that someone purported to find a secret communication channel between the Trump organization and Russia. And so we identified first that, no, we didn’t think that there was any cyber equity, meaning that there was probably nothing more for cyber to investigate further, if there was no hacking crime.

Except here’s what the white paper says about Spectrum, that Grand Rapids business that was swept up in this story.

The Spectrum Health IP address is a TOR exit node used exclusively by Alfa Bank. ie.,  Alfa Bank communications enter a Tor node somewhere in the world and those communications exit, presumably untraceable, at Spectrum Health There is absolutely no reason why Spectrum would want a Tor exit node on its system. (Indeed, Spectrum Health would not want a TOR node on its system because, by its nature, you never know what will come out of a TOR node, including child pornography and other legal content.)

We discovered that Spectrum Health is the victim of a network intrusion. Therefore, Spectrum Health may not know it has a TOR exit node on its network. Alternatively, the DeVos family may have people at Spectrum who know there is a TOR node. i.e.,  could have been placed there with inside help.

When faced with some anomalous activity that seemed to tie into the weird DNS traffic, the experts suggested that maybe the Spectrum hack related to the DNS anomaly.

To be clear, this Tor allegation is the the weakest part of this white paper. You will hear about this to no end over the next week. It was technically wrong.

But the allegation in the white paper is that maybe a recent hack of Spectrum Health is why it had this anomalous traffic with Trump’s marketing server. There’s your hack!!

Had the people at FBI’s cybersecurity side actually treated this as a possible compromise, it might have addressed the part of this story that never made any sense. And we might not, now, six years later, be arguing about what might explain it.

Let me be clear: I do think the white paper overstated its conclusions. I don’t think secret communication is the most obvious explanation here.

But there are hacks and then there are hacks in the testimony of DeFilippis’ star cybersecurity agent.

Update: Corrected an attribution to Batty instead of Hellman.

Update: Fixed my own timeline.

John Durham’s Lies with Metadata

Please donate to help defray the cost of trial transcripts. As most of you know, I now live in Ireland. I had considered traveling to DC to cover the Sussmann trial but have issues I need to deal with here. So I’m hoping to cover as much of it as I can (with an obvious delay) via trial transcripts. But they are expensive! So if you appreciate this coverage, please consider a one-time  or recurring donation to defray the cost of transcripts. Thanks!

I’d like to thank John Durham for showing us back in April how he was going to mislead the jury with metadata.

He appears to have done just that, yesterday, with several exhibits entered into evidence. And I fear that unless Durham’s lie is corrected, he will gravely mislead the jury.

As I pointed out in April, because of the email system at Fusion GPS, the first email in any thread they produced to Durham renders as UTC; the rest render as ET. So, for the emails on which one could check, the first email in every thread they released in April was four hours later than the time the email was actually sent.

Durham has revealed that his exhibit has irregularities in the emails pertaining to a key issue: whether Fusion sent out a link to April Lorenzen’s i2p site before Mark Hosenball sent it to them.

This shows up in the timestamps. In the exhibit, the lead email for each appearance appears to be set to UTC, whereas the sent emails included in any thread appear to be set to ET.

For example, in this screencap, the time shown for Mark Hosenball’s response to Peter Fritsch (the pink rectangle) is 1:35 PM, which is presumably Eastern Time.

In this screencap, the very same response appears to be sent at 5:36PM, which is presumably UTC.

Both instances of Peter Fritsch’s email (the green rectangle), “that memo is OTR–tho all open source,” show at 1:33PM, again, Eastern Time.

To be clear: this irregularity likely stems from Fusion’s email system, not DOJ’s. It appears that the email being provided itself is rendered in UTC, while all the underlying emails are rendered in the actual received time.

That means if you show someone only the first email in a thread, you will be misrepresenting what time that email was sent.

That’s what Durham did yesterday with a bunch of Fusion-produced emails he submitted during Laura Seago’s testimony, including (but not limited to):

Over and over, Andrew DeFilippis showed these to Laura Seago and asked her to state what date and time the emails were.

MR. DeFILIPPIS: Okay. And, Your Honor, if there’s no objection from the defense, we’ll offer Government’s Exhibit 612.

MR. BERKOWITZ: No objection.

THE COURT: So moved.

Q. Okay. So what is the date and time of this email?

A. October 5, 2016, at 5:23 p.m.

Q. And the “Subject” line?

A. “Re: so is this safe to look at” — excuse me — “so this is safe to look at.”

While these emails appear to have been produced to Durham at a later time (their Bates numbers from Fusion are about 3000 pages off some of the earlier ones), they’re from the same series and produced by the same custodian, so we should assume that the same anomaly that existed on the earlier ones exists here.

Seago hasn’t seen these emails for years and — because they were treated as privileged — she can only see the first email in a thread, even if there are replies in that thread (and there clearly are, in some of them). She had no way of knowing if she was looking at UTC time!

But Andrew DeFilippis surely does. Indeed, he’s prepping an attack on Sussmann for not understanding that Durham turned over Lync files from the FBI without making clear they, also, get produced in UTC. So he’s aware of which exhibits he has sent to Sussmann without clarifying the correct time. Yet over and over again, DeFilippis asked Seago what time these emails were sent, even though he likely knows (especially since these are files that are no longer privileged, so he has seen those that are threads) that he was deceiving her.

And the timing of these Fusion emails — and possibly some earlier ones exchanged with Rodney Joffe — almost certainly matter.

As I showed in my earlier post, because Durham didn’t fix the anomaly in these emails, they have created the false impression that an October 5 email from Mark Hosenball that shared public links to Tea Leaves’ files came in after Fusion sent it out to Eric Lichtblau. They appear to be prepping another deceit, this one conflating a link that Hosenball sent with one Seago found on Reddit.

Assuming the emails released yesterday share this same anomaly, here’s how the timeline would work out. I’ve bolded the ones that would be grossly misleading taken out of order.

5:23PM (could be 1:23?): Seago to Fritsch, Is this safe?

1:31PM: [not included] Fritsch to Hosenball email with Alfa Group overview

1:32PM: Fritsch sends Isikoff the September 1, 2016 Alfa Group overview (full report included in unsealed exhibit)

1:33PM [not included] Fritsch to Hosenball, “that memo is OTR — tho all open source”

1:35/1:36PM: Hosenball replies, “yep got it, but is that from you all or from the outside computer experts?”

1:37PM: Fritsch responds,

the DNS stuff? not us at all

outside computer experts

we did put up an alfa memo unrelated to all this

1:38PM: [not included] Hosenball to Fritsch:

is the alfa attachment you just sent me experts or yours ? also is there additional data posted by the experts ? all I have found is the summary I sent you and a chart… [my emphasis]

1:41PM: [not included] Fritsch to Hosenball:

alfa was something we did unrelated to this. i sent you what we have BUT it gives you a tutanota address to leave questions.  1. Leave questions at: [email protected]

1:41PM: [not included] Hosenball to Fritsch:

yes I have emailed tuta and they have responded but haven’t sent me any new links yet. but I am pressing. but have you downloaded more data from them ?

1:43PM: [not included] Fritsch to Hosenball, “no”

1:44PM: Fritsch to Lichtblau:

fyi found this published on web … and downloaded it. super interesting in context of our discussions

[mediafire link] [my emphasis]

2:23PM: [not included] Lichtblau to Fritsch, “thanks. where did this come from?”

2:27PM: [not included] Hosenball to Fritsch:

tuta sent me this guidance

[snip]

Since I am technically hopeless I have asked our techie person to try to get into this. But here is the raw info in case you get there first. Chrs mh

2:32PM: Fritsch to Lichtblau:

no idea. our tech maven says it was first posted via reddit. i see it has a tutanota contact — so someone anonymous and encrypted. so it’s either someone real who has real info or one of donald’s 400 pounders. the de vos stuff looks rank to me … weird

6:33PM (likely 2:33PM): Fwd Alfa Fritsch to Seago

6:57PM (like 2:57PM): Re alfa Seago to Fritsch

7:02PM (likely 3:02): Re alfa Seago to Fritsch

3:27PM: [not included] Fritsch to Hosenball cc Simpson: “All same stuff”

3:58PM: [not included] Hosenball to Fritsch, asking, “so the trumpies just sent me the explanation below; how do I get behind it?”

4:28PM: [not included] Fritsch to Hosenball, “not easily, alas”

4:32PM: Fritsch to Hosenball, cc Simpson:

Though first step is to send that explanation to the source who posted this stuff. I understand the trump explanations can be refuted.

 

 

What Durham will completely and utterly misrepresent if it doesn’t clarify this anomaly (and this is the second time they have declined to) is that Seago and Mark Hosenball both accessed different packages of the Tea Leaves materials, one of which then got sent out to Lichtblau. Between 2:33 and 2:57, Seago appears to have compared the files and told Fritsch, who then told Hosenball, that the packages were “all the same stuff.”

With a Much-Anticipated Fusion GPS Witness, Andrew DeFilippis Bangs the Table

Please donate to help defray the cost of trial transcripts. As most of you know, I now live in Ireland. I had considered traveling to DC to cover the Sussmann trial but have issues I need to deal with here. So I’m hoping to cover as much of it as I can (with an obvious delay) via trial transcripts. But they are expensive! So if you appreciate this coverage, please consider a one-time  or recurring donation to defray the cost of transcripts. Thanks!

Andrew DeFilippis has done several arguably unethical things in an attempt to win the Michael Sussmann trial.

He repeatedly attempted to get Marc Elias to repeat something Elias shouldn’t have said in the first place: that the only way to understand whether Sussmann had gone to the FBI to benefit the Hillary campaign would be to ask him (in response to which stunt Sussmann is asking for a mistrial).

DeFilippis also set up a ploy to get a non-expert to offer opinions that only an expert should offer (more on that later).

At times (such as during Neustar employee Steve DeJong’s testimony), DeFilippis seemed more focused on eliciting testimony that might help him make a case against Rodney Joffe than obtain a guilty verdict against Sussmann.

And in direct examination yesterday of Fusion’s Laura Seago (my reading of the transcript is here), he did both, violating Judge Cooper’s orders in an attempt to set up his ongoing investigation in a way that did nothing to help him win the trial against Sussmann.

For all the anticipation for it, Seago’s testimony was not all that helpful to Durham’s team. She described having about as much awareness of which Democratic entity Fusion’s ultimately client was as the FBI did on Carter Page’s FISA applications. She indicated that the Alfa Bank allegations were just one of a whole bunch of possible ties to Russia that Trump had. She described how, to the extent Fusion could assess the Alfa Bank allegations, they found them credible. In discussing Fusion’s pitch to Franklin Foer on the Alfa Bank story, she described the other major data scientists who had backed the Alfa Bank allegations, identities that Durham has always suppressed because they kill his conspiracy theory.

Q. And what was discussed? What did you say, and what did they say?

A. I really don’t remember the specifics six years on. We talked about the allegations between the Trump organization and Alfa-Bank. We talked about highly credible computer scientists who seemed to think that these allegations were credible.

Q. And by that, are you referring to Mr. Joffe or somebody else?

A. There were others that ended up being cited in Mr. Foer’s article. He cited L. Jean Camp and Paul Vixie, who invented the DNS system.

During cross-examination by Sussmann lawyer Sean Berkowitz, Seago made it clear she didn’t tell Foer about the FBI investigation into these matters.

Q. And with respect to your meeting with Mr. Foer, did you tell Mr. Foer that the FBI was investigating these allegations?

A. No. I had no knowledge of that investigation.

Q. So before your meeting with Franklin Foer, did you have any information that the FBI was involved in any way?

A. No.

Q. All right. Did Mr. Fritsch or anyone else at the meeting say, “The FBI is looking into this”?

A. Not that I can remember.

Also on cross, Seago described that her impression from having dealt with Joffe is that he really did believe the allegations too.

Q. And your impression of Mr. Joffe that was made at that meeting was that he was — he seemed reliable?

A. Yes.

Q. And he seemed well-placed to have knowledge and information about the server issues?

A. Yes, he did.

Q. And you understood that Mr. Joffe supported the suggestion that there was at least potential contact between Trump servers and Alfa-Bank servers?

A. Yes, I did.

MR. DeFILIPPIS: Objection, Your Honor.

THE COURT: Overruled.

Q. You answered the question?

A. Yes, I did understand that.

But it was in DeFilippis’ treatment of emails that Judge Cooper granted Durham’s team access to, but did not permit them to use at trial, where he got particularly obnoxious. Remember: while Durham’s team maintained from the start that the privilege claims behind these emails were not proper (because they were largely about communicating with the press, not about providing research assistance to the Democrats), the reason they didn’t get access to them was their own incompetence. They didn’t ask for a privilege review until right before trial.

DeFilippis has no one to blame but himself, but in true right wing fashion, he’s lashing out.

Perhaps in an attempt to make some drama out of documents that Cooper described “not very revelatory,” DeFilippis walked Seago through all the ones she was privy to, including those with Joffe that Cooper ruled were privileged.

Generally, such exchanges went something like this:

Q. Ms. Seago, does this appear to be part of the same chain as the prior email exchanges?

A. It has the same “Subject” line and says “Re,” so that is what it appears to be. I have no independent recollection of this email.

Q. And what, if any, connection in your mind did the Alfa Bank issue have to New York? I ask because “New York” is in the “Subject” line. Any sense?

A. I don’t know.

Q. And the attachment on this email, any sense of what that was?

A. I don’t know.

Note: there’s no reason to believe Seago has reviewed these emails recently.

That was all setup for DeFilippis’ last set of questions:

Q. Did you ever receive instructions that you couldn’t disclose your affiliation with Fusion GPS to the media?

A. No. I don’t remember hiding that affiliation from the media ever.

Q. Do you ever remember hiding or considering hiding that affiliation from anyone?

A. No.

Q. How certain are you of that?

A. I’m quite certain. You know, we don’t go around advertising who we are and where we work, but I certainly don’t lie to people, and I don’t lie to the press about where I work.

Q. Okay. So you’re fairly certain you never sought to conceal that?

A. Not that I can recall.

Immediately after Seago left the stand, DeFilippis asked for a bench conference (the DC Court adopted phones for the purpose during COVID and all the judges love them, so they’re keeping them). Seago’s answer to the question, DeFilippis noted, was inconsistent with the content of the email, which referenced Tea Leaves.

MR. DeFILIPPIS: Your Honor, could we speak to you on the phone?

THE COURT: Excuse me?

MR. DeFILIPPIS: Could we speak to you on the phone?

THE COURT: Yes. (The following is a bench conference outside the hearing of the jury)

MR. DeFILIPPIS: Your Honor, can you hear me now?

THE COURT: Yes.

MR. DeFILIPPIS: So we have an issue with regard to Ms. Seago’s testimony. The government followed carefully Your Honor’s order with regard to the Fusion emails that were determined not to be privileged but that the government had moved on.

As Your Honor may recall, there was an email in there in which Ms. Seago talks very explicitly about seeking to approach someone associated with the Alfa-Bank matter and concealing her affiliation with Fusion in the email. When we asked her broadly whether she ever did that, she definitively said no when I, you know, revisited it with her. So it raises the prospect that she may be giving false testimony.

And so we were — you know, I considered trying to refresh her with that, but I didn’t understand that to be in line with Your Honor’s ruling. So the government is — we’d like to consider whether we should be — we’d like Your Honor to consider whether we should be able to at least recall her and refresh her with that document?

THE COURT: I don’t remember that question, but the subject matter was concealing Fusion or her identities in conversations with the press. If I recall correctly, that email related to “tea leaves,” correct?

MR. DeFILIPPIS: Your Honor, I thought I had phrased it more broadly. We can go to the transcript.

THE COURT: Mr. Berkowitz?

MR. BERKOWITZ: Judge, I’m not familiar with the specifics. I’m happy to take a look at the transcript. I certainly got the impression he was asking if she had ever concealed Fusion as an entity from the press. That was what was asked in her deposition, and she answered the same way in her deposition. One thing, just to note, some of our paralegals can hear Mr. DeFilippis talking, so I suggest, just as a reminder, to keep your voices down.

MR. DeFILIPPIS: Sure, sure.

THE COURT: All right. Let me look at the transcript.

(Pause)

THE COURT: Can you hear me?

MR. DeFILIPPIS: Yes, Your Honor.

THE COURT: All right. Looking at the transcript, I think you did ask a more open-ended question. She said, “I don’t remember hiding that affiliation from the media ever.” And then you followed up, “Do you ever remember hiding or considering hiding that affiliation from anyone?” And she answered, “No.” I would — so I think that she — I think the email is inconsistent with her answer, Mr. Berkowitz. But the question now is whether they can refresh her with that email notwithstanding the Court’s order. And now she’s gone.

How are we going to do that even if we were to allow it? Is it worth the candle of calling her back?

MR. DeFILIPPIS: Your Honor, I understand she’s still in the building.

MR. BERKOWITZ: Your Honor, is this email privileged?

MR. DeFILIPPIS: This was one of the emails that was determined not to be privileged by Your Honor.

MR. BERKOWITZ: So why didn’t they impeach her with it when they had the chance?

MR. DeFILIPPIS: Your Honor, the reason is because I didn’t want to violate Your Honor’s order that we couldn’t use those affirmatively.

THE COURT: Well, I think the time to have asked the Court whether using the document to refresh was consistent with the order was before she was tendered and dismissed. So I think you waived your opportunity. All right? So we’re going to move on.

Frankly, I think using the formerly privileged emails to impeach was beyond the scope of Cooper’s order, too. This was an affirmative use of the email!

But this was nothing more than a perjury trap, and with it an attempt to get the content of the email DeFilippis had been prohibited from using before the jury. Cooper didn’t allow it in, though he shouldn’t have allowed that line of questions in either (had such questions been permitted, then Seago should have been permitted to refresh her own memory of them).

Probably, DeFilippis will consider charging her with perjury over this. I think the fact that both Judge Cooper and Berkowitz had the impression that the question pertained solely to outreach to the press, Seago’s reiteration that, “I don’t lie to the press about where I work,” reinforcing that understanding, plus her last minute caveat, “Not that I can recall,” would make such a case as flimsy as this one. Probably, DeFilippis will use this exchange as part of his bid to get access to some subset of the 1,500 other not very revelatory emails that Democrats have claimed privilege over.

But this was a stunt. It wasn’t about getting, or sharing, the truth with the jury (and any scenario in which I can imagine Seago trying to hide her identity with Tea Leaves would suggest a more distant relationship than even I imagined Fusion had, though I would love to know what it was).

When a prosecutor engages in as many stunts as DeFilippis has, it’s a confession he knows the facts are not on his side.

Scene-Setter for the Sussmann Trial, Part Two: The Witnesses

Please donate to help defray the cost of trial transcripts. As most of you know, I now live in Ireland. I had considered traveling to DC to cover the Sussmann trial but have issues I need to deal with here. So I’m hoping to cover as much of it as I can (with an obvious delay) via trial transcripts. But they are expensive! So if you appreciate this coverage, please consider a one-time  or recurring donation to defray the cost of transcripts. Thanks!

In this post, I laid out the elements of the offense, a single count of a false statement to the FBI, which will drive the outcome of the Michael Sussmann trial, in which jury selection begins today. As I showed, John Durham has to prove that:

  • Michael Sussmann said what Durham has accused him of saying, which is that he was not sharing information with the FBI on behalf of any client
  • Sussmann said that on September 19, not just September 18
  • Sussmann meant his statement to be understood to mean that no client of his had an interest in the data, as opposed to that he was not seeking any benefit for a client from the FBI
  • The lie made a difference in how the FBI operates

In this post I’d like to say a bit about the expected witnesses. Before I do, remember the scope of the trial, as laid out in several rulings from Judge Cooper.

  • Durham can only raise questions about the accuracy of the Alfa Bank anomaly if Sussmann does so first
  • He generally can only discuss how the data was collected via witnesses; with one exception, Cooper has ruled the emails between Rodney Joffe and researchers to be inadmissible in a trial about whether Sussmann lied
  • While Cooper found that 22 of 38 Fusion emails over which Democrats had claimed privilege were not privileged, he also ruled that because Andrew DeFilippis got cute in delaying his request for such a review, Durham can’t use those emails or pierce any related claims of privilege at trial
  • That leaves the unprivileged emails between Fusion and journalists, which Cooper has ruled admissible; he even considered changing his decision and letting a tweet from Hillary come in as evidence (though note that the emails Durham got pre-approved barely overlap with the emails Durham wants to use at trial, so there still could be problems admitting individual emails at trial)
  • Cooper ruled the communications between Rodney Joffe, the person who shared the DNS anomaly with Michael Sussmann, and Laura Seago, his connection with Fusion, were privileged
  • Cooper ruled that Sussmann can elicit testimony from witnesses, including Robby Mook and Marc Elias, about how Trump’s request that Russia hack Hillary some more made him not just a campaign opponent, but a threat to national security

As I noted, a dispute over the final jury instructions suggests that Durham is beating a tactical retreat from his charged claim that Sussmann lied to cover up that he was representing both Hillary and Rodney Joffe.

Mr. Sussmann proposes modifying the last sentence as follows, as indicated by underlining: Specifically, the Indictment alleges that, on or about September 19, 2016, Mr. Sussmann, did willfully and knowingly make a materially false, fictitious, and fraudulent statement or representation in a matter before the FBI, in violation of 18 U.S.C. § 1001(a)(2), namely, that Mr. Sussmann stated to the General Counsel of the FBI that he was not acting on behalf of any client in conveying particular allegations concerning Donald Trump, when, in fact, he was acting on behalf of specific clients, namely, Rodney Joffe and the Clinton Campaign.5 The government objects to the defense’s proposed modification since it will lead to confusion regarding charging in the conjunctive but only needing to prove in the disjunctive.

Durham wants to be able to get a guilty verdict if the jury decides that Sussmann was hiding Hillary but not hiding Joffe. What Durham will really need to prove won’t be finalized until sometime next week, meaning both sides will be arguing their cases without knowing whether Durham will have to prove that 1) the allegations pertained to Donald Trump personally 2) Sussmann had two clients 3) he lied to hide both of them, or whether he has to prove only that Sussmann lied to hide one or more client.

Durham’s tactical retreat is likely dictated by the scope set by Cooper and will dictate the witnesses he wants to call.

This post laid out whom, as of last week, each side planned to call. Remember that it’s not uncommon for a defendant not to put any witnesses on the stand (though I would be surprised if that happened in this case). Normally, the scope of a witness’ testimony is set by the Direct examination of them. So, for example, if Durham puts Marc Elias on the stand to talk exclusively about his decision to hire Fusion GPS, then Sussmann could not ask him questions about other topics. But Sussmann incorporated Durham’s entire witness list, and Cooper ruled that he would rather not have to call people twice. So for at least the Democratic witnesses, Sussmann will have the ability to ask about things that Durham would really prefer not to appear before the jury even though Durham called that witness as a government witness. Because Durham doesn’t understand much of what really went on here, that may be a really useful thing for Sussmann to exploit.

Summary Witness: It is typical for prosecutors to call one of their FBI agents at trial as a sort of omniscient narrator who can both introduce a vast swath of evidence (such as records the accuracy of which have been stipulated for emails that can be introduced without witness testimony) and provide some interpretation of what it all means. Usually, that agent is not the lead agent, because the lead agent knows things that the prosecutor wants to keep from the defendant and the public, either details of an ongoing investigation or major investigative fuck-ups that haven’t been formally disclosed to the defendant. As of last week, DeFilippis maintained that, “It may be an agent who’s our summary witness, but we’re not looking to put a case agent on the stand.” That suggests there is no agent on his team that is sufficiently compartmented from his secrets to take the stand. Judge Cooper seemed a bit surprised by that.

Jim Baker: Jim Baker is the single witness to Michael Sussmann’s alleged crime. Durham is going to have a challenge walking him through the version of this story Durham wants to tell, not least because the materiality parts of it — whether Baker thought it unusual to hear from Sussmann, whether he thought it mattered who Sussmann’s client was — are also recorded in Baker’s past sworn testimony. Given the late discovery of a text showing that Sussmann wrote Baker on September 18 telling him he wanted to benefit the FBI, and given the even later discovery of March 2017 notes recording that the FBI understood that Sussmann did have an (undisclosed) client, Sussmann doesn’t even have to trash Baker to call into question his memory: he can allow Baker to admit he can’t separate out what happened in which of at least five communications he had with Sussmann that week, the sum total of which show that Sussmann wasn’t hiding the existence of a client, did represent that he was trying to help the FBI, and did help the FBI. The cross-examination of Baker will, however, be an opportunity for Sussmann to implicate Durham’s investigative methods, both for building an entire case around Baker after concluding, years earlier, that he wasn’t credible, and then, for refreshing Baker’s memory only with the notes that said what Durham wanted Baker to say, and not what the FBI ultimately came to know.

Bill Priestap and Tisha Anderson, Mary McCord and Tasha Gauhar: This trial is expected to feature two sets of witnesses — the first set called by Durham and the second called by Sussmann — who will be asked to reconstruct from their own notes what was said in a meeting attended by Baker. Priestap and Anderson will say that the day of Baker’s meeting with Sussmann, they wrote down that Sussmann didn’t have a client (but not in the words Sussmann is known to have used or the words that Durham has charged). McCord and Gauhar will say that in March 2017, Andy McCabe stated, in front of Baker and with no correction, that the FBI did know Sussmann had a client. The only notes in question that use the same phrase — “on behalf of” — that Durham used in the indictment say that Sussmann did say he was meeting with FBI on behalf of someone. I expect at least several of these witnesses will be asked materiality questions: If they didn’t ask who the client is, doesn’t that prove it didn’t matter? The notes of everyone involved, importantly, emphasized the import of Sussmann sharing an imminent newspaper article. Sussmann will also ask Priestap how and why he asked the NYT to hold the Alfa Bank story.

Agents Heide, Sands, and Gaynor, plus Agent Martin: Durham plans to call three of the FBI Agents who investigated the anomaly — for a couple of hours each, in the case of Heide and Sands — to talk about how they did so. Let me suggest that not only is this overkill, it may backfire in spectacular fashion, because the March 2017 notes make it clear that these agents did not take very basic steps to chase this anomaly down and Heide, at least, is not a cyber agent (in the same period he was also investigating George Papadopoulos). In addition to having those hours and hours of testimony, Durham will call Agent Martin, ostensibly to explain what one could learn from the anomaly, though there’s still a fight about the scope of his testimony,  particularly with respect to misleading claims he would make about the scope of the data accessed to find the anomaly in the first place.

Antonakakis, Dagon, DeJong, and Novick: According to what DeFilippis said last week, in the wake of Cooper’s ruling excluding all but one of the researchers’ emails, he likely will not call David Dagon, may or may not call Manos Atonakakis, but will call two employees of Rodney Joffe whom, DeFilippis claims, were “tasked by” Joffe, in the first case to pull some but not all of the data researchers used to test the anomaly, and in the second case to do research that may not have been presented to the FBI. If these decisions hold, his presentation of the data will be, as I understand it, affirmatively false. For that reason, Sussmann might have been able to challenge Durham’s reliance on these witnesses in the absence of others; that Sussmann is not doing so may suggest he knows that the witnesses won’t do what Durham thinks they will. If Durham persists in this plan, it means he’ll have FBI agents spend 5 hours describing how they chased down an anomaly, without ever really explaining what the anomaly is (and how it could have easily been investigated using about two different steps that the FBI didn’t take). Perhaps (given his tactical retreat), Durham may want to eliminate virtually all discussion of the anomaly at the heart of this case. Alternately, this is a tactical move to force Sussmann to call David Dagon (whom Durham has immunized) or Manos Antonakakis (whose status is unknown) in hopes that they’ll help him make his YotaPhone case or explain the full scope of the data accessed (particularly if he gets Martin to make misleading comments about that topic first). But if Durham forgoes his chance to call the researchers and Sussmann does so himself, it may allow Sussmann to rebut Durham’s claims about what the anomaly was and what went into the two white papers presented to the FBI. In addition, Sussmann can have these witnesses explain how far before the involvement of the Democrats this research started and how Trump’s open invitation to Russia to do more hacking meant the anomaly posed a possible national security threat worthy of sharing with the FBI.

Robby Mook, Marc Elias, and Debbie Fine: Rather than talking about the anomaly, Durham wants to talk about the Hillary campaign. At least as of last week (before Cooper excluded some of this stuff on privilege and belated privilege challenges), Durham will definitely call Mook, may call Elias, but may rely instead on a Hillary lawyer named Debbie Fine, who was on daily calls with Fusion. Durham wants to claim,

[T]he strategy, as the Government will argue at trial, was to create news stories about this issue, about the Alfa-Bank issue; and second, it was to get law enforcement to investigate it; and perhaps third, your Honor, to get the press to report on the fact that law enforcement was investigating it.

Sussmann, by contrast, knows he has a witness or witnesses who will rebut that.

[I]t’s not the truth; and in fact, it’s the opposite of the truth. We expect there to be testimony from the campaign that, while they were interested in an article on this coming out, going to the FBI is something that was inconsistent with what they would have wanted before there was any press. And in fact, going to the FBI killed the press story, which was inconsistent with what the campaign would have wanted.

As suggested above, Elias is a witness Sussmann will call even if Durham does not. Among other things, Sussmann will have Elias explain what it was like to have Donald Trump openly asking Russia to hack Hillary some more.

Laura Seago: Before Cooper ruled on privilege issues, DeFilippis (who doesn’t know how to pronounce her last name) said he would call Seago. She was the pivot point between Fusion and Rodney Joffe. According to Fusion attorney Joshua Levy, Seago knows little about the white paper from Fusion that Sussmann shared with the FBI. “Seago didn’t contribute to it, doesn’t know who did, doesn’t know who researched it, doesn’t know who wrote it, doesn’t know its purpose; and the government’s aware of all that.” So it’s unclear how useful she’ll be as a witness.

Eric Lichtblau: As I noted the other day, Durham is trying to prevent Lichtblau from testifying unless he’s willing to testify to all his sources for the Alfa Bank story (which would include a bunch of experts never named in any charging documents). My guess is that Cooper will rule that forcing Lichtblau to talk about communications with Fusion would be cumulative, though he might force Lichtblau to talk about an in-person meeting he had at which Fusion shared information that did not derive from Joffe. If Sussmann succeeds in getting Lichtblau’s testimony, however, he will be able to talk about what a serious story this was and what a disastrous decision agreeing to hold the story was for his own career and, arguably, for democracy.

Perkins Coie billing person and McMahon: As Durham has repeatedly confessed, most of the substance of his conspiracy theory is based off billing records. But there’s a dispute about whether Sussmann fully billed his meeting with Baker (Sussmann has noted, for example, that he paid for his own taxi to and from the meeting). Durham will have a Perkins Coie person explain how they track billing and will call a former DNC person with whom Sussmann had lunch immediately before his Baker meeting, either because Sussmann said something to him about the Baker meeting, or because he needs to rule out that Sussmann billed for the lunch meeting but not Baker.

Agent Grasso: In addition to the hours and hours of testimony about how the FBI did investigate the anomaly, Durham also wants to call an Agent Grasso, with whom Joffe shared a piece of the Alfa Bank allegations directly. This may actually be an important witness for Durham, because it might show that the packaged up allegations shared with Baker were substantially different than what Joffe was sharing when his identity was not hidden.

Kevin P: Durham only plans to call one of the two CIA personnel at the meeting in January 2017 (ironically meaning a meeting in March 2017 will get far more focus than a meeting that played a central role in the indictment). It sounds like Sussmann will get the one person to validate an email from another person who also recorded Sussmann saying he had a client.

Agent Gessford: One FBI Agent Sussmann will call will authenticate emails Sussmann will use with other witnesses to show what FBI’s understanding of Sussmann’s activities were in 2016. Not only will he use these emails to prove that the FBI knew well he was representing Hillary on cyber issues, but he will likely also use these emails to talk about what it looks like for a campaign to be systematically attacked through the entirety of a campaign by a hostile nation-state, which will make the potential seriousness of the Alfa Bank anomaly quite clear.

Agent Giardina: This is someone the scope of whose testimony Durham may have actually tried to limit by calling him himself. Sussmann will have Giardina explain that after the Frank Foer article, he tried to open an investigation, which Sussmann will use to prove that the FBI would have opened an investigation whether or not he shared the tip with the FBI.

DOJ IG Michael Horowitz: On paper, Horowitz’s testimony will be limited to explaining how an anonymous tip from Joffe via Sussmann is supposed to work, which is that someone in a position to direct a tip to the right person does so and succeeds in addressing a national security concern. Joffe provided a tip to Horowitz in January 2017 that — we can assume given Horowitz’s testimony — proved to be valuable. This tip will also demonstrate that DNS research is not as limited as Agent Martin will claim it is. But given the way that Durham has failed to understand basic aspects of Horowitz’s investigation, including ones that disproved large swaths of Durham’s conspiracy theories, this testimony might be somewhat contentious.

Three Years into the Durham Investigation, a Jury Will Get to Hear about Trump’s Request that Russia Hack Hillary

There was a funny exchange in yesterday’s pre-trial hearing in the Michael Sussmann case. In the part of the hearing focused on objections to exhibits, Andrew DeFilippis raised the newspaper articles that — I noted — were necessary background to understand the mindset that led Sussmann and Rodney Joffe to believe that the Alfa Bank DNS anomaly raised national security concerns.

These articles explain why it was reasonable, not just for the Democrats’ cybersecurity lawyer who was spending most of his days trying to fight back against a persistent Russian hack, but also for the researchers and Rodney Joffe to try to first look for more Russian hacking (including that victimizing Republicans), and when they found an anomaly, to try to chase it down and even to bring it to the FBI for further investigation. Several threads of these articles — pertaining to Trump’s request that Russia hack Hillary and to Manafort’s corruption — were explicitly invoked in discussions that Durham wants to claim must arise from political malice.

In the hearing, DeFilippis predictably complained that prosecutors didn’t want this to become a trial on Donald Trump’s ties to Russia.

MR. DeFILIPPIS: The last category we had identified were a number of news articles about — again, on the face of — the headlines of the articles about — “Donald Trump’s ties to Russia,” I think, was the primary theme of the news articles.

We just — number one, they’re news articles, which we don’t think have, you know, probative weight here. Number two, we do not want to make this a trial on Donald Trump’s ties to Russia.

And again, we don’t have a lot of context for which it would be — why the defense would want to offer all of those. But I think our initial reaction is they would be a distraction.

Sussmann’s attorney Sean Berkowitz noted that prosecutors — who have made several newspaper articles the central point of their case — aren’t so much opposed to newspaper articles as evidence as they’re opposed to articles about Trump and Russia.

MR. BERKOWITZ: So as we understand the objection, your Honor, it’s not to articles generally. They have articles on their exhibit list. It’s to articles that talk about the issues with Trump and Russia in the summer of 2016.

Judge Christopher Cooper correctly noted that it would be unfair to send a bunch of articles back with the jury to read.

THE COURT: I think it’s broader than that. It’s sending back multiple newspaper articles to the jury with all sorts of stuff in them, and the jury is spending its time reading newspaper articles.

Berkowitz noted that they’re really trying to get to the mindset of Sussmann and Joffe, particularly their response to Trump’s request that Russia hack Hillary some more.

MR. BERKOWITZ:  The articles that we think are relevant, your Honor, relate to what’s going on in the world in July and August of 2016, which provide context and animate what’s going on for Mr. Sussmann and Mr. Joffe and why there are potential national security issues associated with this.

As you’ll remember, you know, on July 27th, at a press conference — again, this is shortly before the researchers start looking into issues, according to the Government — Trump has a press conference that says: Russia, if you’re listening, I hope that you’re able to find the 30,000 emails that are missing. I think you’ll probably be rewarded mightily by our press.

That fact being out there and well known provides context for the work that’s done and the motivation potentially to go to the FBI as to why it would be relevant that there were connections between — potential connections between Trump and Russia.

[snip]

But the fact that this was what was going on in the world at this time we think is very relevant to the state of mind and the rationale behind this as well as the opposition research that was going on.

Cooper cut off Berkowitz before he could explain how this related to the DNC hack. But he suggested that such information could instead come in via questioning of Robby Mook, Marc Elias, and James Baker.

THE COURT: — Mr. Elias, Mr. Mook, Mr. Baker perhaps can all certainly testify to that. Right?

MR. BERKOWITZ: I think that they certainly could, your Honor.

As I’ve noted, that the main redacted part of Elias’ declaration explaining why they hired Fusion for Russian-related research was introduced via a reference to Trump asking Russia to hack Hillary.

Because both sides have separate scope of testimony they’d like to elicit from Elias, he’ll be asked both sets when prosecutors call him.

I’m sure Elias has quite a lot he’d like to say about serving as General Counsel for a candidate whose opponent was soliciting help — and appears to have gotten it — from a hostile foreign country.

Friday is the three year anniversary of the Durham investigation. Tuesday, the likely day both sides will make opening arguments, marks the five year anniversary of the Mueller investigation.

And on that day, a jury will finally hear an argument about how reasonable it was to believe Donald Trump posed a threat to the United States after he asked Russia to help hack his opponent.

Judge Cooper Probes Andrew DeFilippis’ Conspiracy Theory about “Worker Bees” in a “Cabal”

I’m certain that the hearing in the Michael Sussmann case the other day was not laugh-out-loud funny in real time. I’m certain that when Judge Christopher Cooper rules on what can and cannot come in, some of the conspiracy theory that John Durham is pursuing may come in to substantiate the motive he alleges Michael Sussmann had for allegedly hiding the existence of a client in a meeting with FBI General Counsel James Baker. I also recognize that Durham may moot many of these issues by bringing one or several interlocutory appeals before the trial to buy time to continue to spin his conspiracy theories some more.

But when I was reading the part of the transcript pertaining to whether Durham will be able to introduce researcher emails at trial, I started laughing out loud when Judge Cooper said this:

You could call Mr. Joffe.

The comment came after the discussion earlier in the hearing about what kind of evidence Durham might present to prove that Sussmann had a privileged relationship with both the Hillary campaign and Rodney Joffe.

It came after the discussion about whether Durham should be forced to immunize Rodney Joffe or not. That discussion had a lot more nuance than reports I had seen, including that Cooper floated the idea of prohibiting any Durham questions to Joffe about the allegations — that he had Sussmann share information showing the use of a YotaPhone by someone who was sometimes in Donald Trump’s presence — that Durham claims would be the basis of a contract fraud charge against Joffe if the data actually were only available as part of a DARPA contract that didn’t already, for very good cybersecurity reasons, encourage the tracking of such things.

THE COURT: What if the Court were to grant your motion in limine to keep out the information that he provided later to the CIA, and all the YotaPhone stuff is not in the case? Do you believe that Mr. Joffe would — and seeing that that appears to be the basis of the government’s position that there is some continuing exposure, do you think Mr. Joffe would see fit to change his position?

And the hearing, and so therefore this discussion on the conspiracy theory, came before Cooper turns to adjudicating Durham’s bid to pierce privilege claims, a bid which — I have already noted — makes a solid case that Durham should immunize Joffe rather than Fusion GPS’ Laura Seago, whom he plans to call as a witness.

So between the time when Cooper considered ways to make Joffe’s testimony available to Sussmann and the time when he turns to Durham’s false claim that the only possible way of accessing testimony about communications between Joffe and Seago is by calling Seago, the judge noted that one way of accomplishing what Durham claims to want to accomplish, rather than by introducing hearsay emails, would be to call Joffe.

Cooper made the comment to lay out that, if Durham really wanted to present the mindset researchers had as they attempted to understand a DNS anomaly involving a Trump marketing server and Alfa Bank, he could simply call the researchers directly.

And these emails, regardless of the words of any particular one, you’re offering them to show that the researchers had concerns about the data, right? And so you’re offering them for the truth of that proposition, that the folks who were in on this common venture had concerns about the data that Mr. Sussmann wanted to keep in the dark and, therefore, did not reveal to Mr. Baker why he was there. And so, the truth of the emails is that we have concerns.

Now, you know, if that’s a — if that’s an acceptable basis — if that’s relevant, right, you could certainly call those researchers. You could call Mr. Joffe. They could testify about how — you know, what was going on in, you know, those few weeks in August or whenever.

So, A, you know, why do you need the emails? [my emphasis]

In response to that, Andrew DeFilippis tried to spin that the government wasn’t trying to introduce the emails for the truth, but to show the existence of what he claims amounts to a conspiracy. In doing so, DeFilippis described that the emails were critical to tie Joffe to the effort to collect the data.

All we’re saying is that the existence of that written record itself might have provided a motive for Mr. Joffe or Mr. Sussmann to tell the lie that we allege he did. Now, that is the government’s secondary argument. The principal argument we’re making, Your Honor, is that these emails show a back-and-forth that tie Mr. Joffe to the data that went into the FBI, that tie Mr. Joffe to the white papers that went into the FBI, and tie Mr. Joffe to the entire effort which, absent that —

THE COURT: Mr. Joffe or Mr. Sussmann?

MR. DeFILIPPIS: First Mr. Joffe. And the reason why that’s important, Your Honor, is, again, because the defendant is alleged to have lied about whether, among other things, he had a relationship with Mr. Joffe, an attorney- client relationship. [my emphasis]

Cooper’s response — Mr. Joffe or Mr. Sussmann — nodded to the fact that Sussmann’s state of mind, not Joffe’s, is what’s on trial. Though shortly thereafter, he noted that the charged lie wasn’t even an attempt to hide Joffe personally.

THE COURT: Well, let’s just — you know, words matter, and let’s just be clear. He wasn’t asked “Are you here on behalf of Mr. Joffe?” and said no. He didn’t say “I’m not here on behalf of Mr. Joffe.”

He said generally, allegedly, he’s not here on behalf of a client, so at this point I’m not sure how relevant Mr. Joffe actually is at the time of the statement.

Indeed, much later, Sussmann’s lawyer noted that there’s no contest Sussmann told Baker he had gotten the allegations from cybersecurity experts.

What do we know is undisputed? That Mr. Baker will testify that Mr. Sussmann said the information was from cyber experts, okay? Not whether it was a client or not, but it was from cyber experts.

Cooper’s discussion of Durham’s conspiracy theory continued through DeFilippis’ effort to acknowledge that he’s not alleging collecting political dirt is illegal — though it may be “improper” — and then admitting this is not a “standard drug case.”

I have not seen one case where the charge is not conspiracy and the alleged conspiracy in which the statements are being made in furtherance of it is not criminal or improper in any way. Would this be the first time?

MR. DeFILIPPIS: Your Honor, I think — so we would not expressly allege to the jury that it was criminal. There are aspects of it that may be improper.

[snip]

And I think, Your Honor, that most — that this hasn’t come up often should not cause the Court to hesitate just because these facts are a bit different than your standard drug case or, you know, your standard criminal case.

And it continued to DeFilippis’ effort to describe why people whose actions preceded the alleged formation of a conspiracy and other people who expressed reservations about joining into this alleged conspiracy would be included in what Cooper dubbed “a cabal.”

THE COURT: Okay. So who was part of this joint venture, in your view?

MR. DeFILIPPIS: So, Your Honor, it would be three principal categories of people. We have the researchers and company personnel who supported Mr. Joffe once they were tasked by Mr. Joffe.

THE COURT: Okay, but they were just tasked. You’ve made the point yourself that some of them, you know, had concerns. Some of them had issues with the data. Some had concerns that what they were doing was proper or not until they were satisfied that it was.

MR. DeFILIPPIS: That’s true, Your Honor, but —

THE COURT: How are they members of this cabal?

[snip]

MR. DeFILIPPIS: — just to distill it down as to each category of people. The thrust of this joint venture was that there was a decision and an effort to gather derogatory Internet-based data about a presidential candidate — about a presidential candidate among these folks. There were the researchers who began doing that, it seems, before Perkins Coie became fully involved, and there are emails we will offer that show that data was being pulled in late July and August. So the researchers were the engine of this joint venture in the sense that they were doing the work, and they were doing — and the emails make clear they were doing it for the express purpose of finding derogatory information in Internet data. So that’s one category. [my emphasis]

I mean, even ignoring the fact that the record shows these researchers were not, in fact, analyzing data for “the express purpose of finding derogatory information in Internet data” — indeed, if one actually cares about national security, their actions might be better understood as an effort to protect Donald Trump from his dishonest campaign manager with a history of laundering money from Putin-linked oligarchs through Cyprus — DeFilippis admitted right here that the research into the data preceded the moment when DeFilippis wants to make it criminal (but not criminal in “your standard drug case” sense).

But Durham’s frothy lead prosecutor wants to treat cybersecurity research as — in Cooper’s word! — a cabal.

DeFilippis then went on to call some of the top cybersecurity researchers in the US, who found and started trying to understand an anomaly on their own volition, “the worker bees who are bringing the data and funneling it into this effort.”

Maybe I have a twisted sense of humor. But I was guffawing at this point.

Judge Cooper, however, capped DeFilippis’ effort with the same question:

THE COURT: And assuming that I agree that it’s relevant, you could get that in by calling witnesses without the emails, correct?

Everything that DeFilippis wants to do — even before he wants to get Laura Seago (who, Sussmann attorney Sean Berkowitz revealed later, would testify that she doesn’t even know about key parts of DeFilippis’ conspiracy theory, starting with Christopher Steele’s involvement) to offer the non-unique testimony about her conversations with Joffe — is best done by calling Joffe as a witness.

I’m not the only one, it seems, who recognizes that some of what Durham wants to do actually depends on calling Joffe as a witness.

Michael Sussmann’s Lawyers Complain of “Wildly Untimely” Notices from John Durham [Updated, with Confirmation]

Republished given confirmation that Durham is trying to point to privilege claims to insinuate wrong-doing. 

On March 31, there was a combined motions and status hearing in the Michael Sussmann case. The parties started by arguing Sussmann’s motion to dismiss (response; reply) based on a claim his alleged lie was not material. Here’s my live-tweet of the hearing.

Judge Christopher Cooper observed that the dispute was “Well briefed and argued on both sides” and promised to rule quickly. But the odds are still really good that he’ll rule against Sussmann because the standard for materiality is so thin. So that argument was perhaps more interesting for a few details that came out in the process, such as that the claim is that Sussmann offered up that he had no client, and that in all the discovery Sussmann has received, there’s no evidence anyone every asked the source of the DNS data he shared with the government even while they repeatedly recognized that Sussmann was a lawyer for the DNC.

We don’t think Baker or anyone else at FBI ever asked, btw, where’d this info come from. If source mattered so much, you’d think someone would have said, where’d this come from, how’d they get it.

Both details would help Sussmann defeat a materiality claim at trial, but Cooper can’t take it into account.

It was in the status discussion where things got more interesting. Cooper asked why he hadn’t seen any 404(b) notices (which is notice that the government wants to use otherwise incriminating information to prove its case in chief, often to prove motive), and AUSA Andrew DeFilippis said they had provided it to the defense. Sussmann’s lawyer, Sean Berkowitz, described that they were going to file motions in limine about the notices, but observed that “one was untimely,” meaning Durham’s team missed the March 18 deadline.

DeFilippis then asked for extra time to deal with Sussmann’s CIPA 5 motion, which is where he asks for classified information to be declassified to use at trial. Sussmann had little problem with that.

Then Berkowitz complained about an expert the government just informed Sussmann they wanted to call — an FBI agent whose primary purpose would be to explain the DNS and Tor technologies at the core of the tip Sussmann shared with the FBI. Cooper quipped, “aren’t we going to have the jury understand the technical” aspects of the trial, and suggested he, himself, needed such a tutorial as well. Berkowitz noted that that deadline had passed weeks ago and the late notice didn’t give Sussmann enough time to qualify their own expert to respond.

The real issue, it soon became clear, was that the government wants to reserve the right to use this witness to rebut any claim Sussmann would make that the data was “real.” DeFilippis argued they need to be able to rebut Sussmann’s claim that the allegation he made was “unsupported.” “That’s different,” Judge Cooper noted, “than whether the data was accurate.”

It’s clear, based on what DeFilippis said, that he intends to conflate accurate data — a real, still unexplained anomaly — with an unpersuasive hypothesis about what that anomaly might be. DeFilippis countered that if the data were “cherry picked or fabricated” — neither of which he has charged — then it might suggest a motive for Sussmann to lie. But Berkowitz argued that the only thing that matters it that Sussmann believed the data was accurate. Importantly, Durham’s indictment falsely suggests that Sussmann was privy to some of the researchers discussion about this.

Berkowitz’s frustration with all that was nothing compared to his fury that, just the night before, prosecutors had told them that they intended to use a motion in limine (which is supposed to deal with what evidence can and cannot be introduced at trial) to try to breach privilege claims that various witnesses have made. As Cooper noted, that’s not a motion in limine, it’s a motion to compel.

Berkowitz: We learned last night that SC is challenging privilege. Only last night we learned they do intend to challenge privilege in motion in limine. Wildly untimely. Implicates underlying case.

DeFilippis: We’ve been working with asserted privilege holders. Those holders would be Tech Executive-1, Clinton campaign, another political organization. We have tried to understand theory of privilege. Unable to get comfort. We now intend to call witnesses from [Fusion] and [Perkins Coie].

Cooper: Not a motion in limine, it is a motion to compel.

Berkowitz: This issue is an issue that has been discussed for well over a year. Honestly to only now bring it up, 6 weeks before trial. Violations of due process, we’re going to get new info, it’s an ambush.

It’s really hard to view this as anything but a stunt to try to save Durham’s conspiracy theories.

In a normal situation involving a big law firm like Perkins Coie, well-lawyered people associated with the Hillary campaign (because of PC’s role as Sussmann’s former employer, Hillary and the DNC would count as separate entities), as well as Fusion GPS (which has been fighting similar issues from Russian oligarchs for years now), such privilege claims would take at least three months to work out.

For sake of comparison, John Eastman’s privilege fight, for a legal argument with none of the formal retainer agreements like those PC has, for emails inappropriately stored on Chapman University’s cloud, in which there’s substantive evidence — now affirmed by a judge — that Eastman himself has criminal exposure, has been going on since January 20, and it is nowhere near done.

As Berkowitz notes, the trial is six weeks away.

The most likely outcome of this effort would either be a delay of the trial and/or some inconclusive outcome, which Durham would undoubtedly use to sow more conspiracy theories without charging them, pointing to Democrats’ defense of privilege to insinuate the privilege claims must hide some proof of conspiracy.

But it looks all the more intentional given the now-famous delayed waiver motion Durham went through in February. The waivers covered by Durham’s filing include several of the witnesses he has belatedly said he wants to pierce privilege now:

  • Whether Perkins Coie (which Latham represented along with Sussmann in the Durham investigation) knew how Sussmann was billing his time
  • Perkins Coie’s past claims about the DNC’s activities
  • The advice Kathryn Ruemmler gave Sussmann when Kash Patel raised his meeting with the FBI in a December 2017 HPSCI appearance
  • What Latham told a PR firm regarding public statements about the meeting in 2018

That is, more than six weeks before telling Sussmann that, after not formally attempting to pierce privilege in the last year, Durham now wants to do so, Durham made Sussmann waive any conflict with all the privileged relationships that Durham wants to pierce.

As I noted at the time, Durham was asking Sussmann to waive conflicts even without having pierced privilege.

Latham also provided Perkins Coie advice regarding a PR statement that, Durham admits, he’s not been able to pierce the privilege of and he knows those who made the statement had no knowledge that could implicate the statement in a conspiracy.

He’s now trying to do that. It’s really hard to believe that’s a coinkydink.

And unlike the attorney-client waiver used in the Paul Manafort case, Durham is not citing independent proof that Sussmann lied to his lawyers. Unlike the waiver with Eastman or with Michael Cohen’s hush payments, Durham is not citing participation in a conspiracy.

This is still a false statements case that Durham is sure, absent the evidence to charge it, is a conspiracy. And now at the last minute, he’s attempting to salvage that conspiracy.

Update: A motion in limine from Sussmann confirms I was totally right about Durham’s ploy. He wants to submit privilege logs to the jury — privilege logs to which Sussmann is not the privilege holder and therefore is helpless to waive — to insinuate that he’s covering something up.

Again, there can be no mistake as to the purpose for the Special Counsel’s tactics here. The animating theory of the Special Counsel’s Indictment is that, in meeting with the FBI and Agency-2, Mr. Sussmann sought to conceal that he was secretly working on behalf of the Clinton Campaign and Mr. Joffe. Lacking actual evidence of Mr. Sussmann’s guilt, the Special Counsel seeks instead to convict Mr. Sussmann by insinuating to the jury that such evidence must exist— by inviting them to draw the inference that, because Mr. Sussmann’s alleged clients and co-conspirators have chosen to withhold information relating to the very same relationship the Special Counsel alleges they and Mr. Sussmann sought to conceal, that information must be inculpatory.

Permitting the Special Counsel to prejudice Mr. Sussmann and to shirk his burden of proof by leading the jury to an adverse inference would be impermissible under any circumstance. But it is particularly egregious here, because Mr. Sussmann is not the privilege holder. The Special Counsel’s tactics would accordingly penalize Mr. Sussmann for another party’s invocation of their own right to assert the privilege, a decision that was not his to make. Convicting him on the basis of such fundamentally unfair circumstances would amount to a miscarriage of justice.

Donald Trump Suggested Michael Sussmann Should Be Killed because Rodney Joffe “Spied” on Barack Obama

Michael Sussmann has filed his response to John Durham’s transparent attempt to inflame the frothers. In it, he notes what I did: Durham used an unrelated filing (one that, Sussmann’s filing noted, had already been addressed between the parties) to make claims that were not charged.

Importantly, he notes that Durham misrepresented the dates of the anomalous data found at the Executive Office of the Presidency that Sussmann presented at a February 9, 2017 meeting with the CIA. The data predates the Donald Trump inauguration.

In his Motion, the Special Counsel included approximately three pages of purported “Factual Background.” See Dkt. No. 35 at 2–5. Approximately half of this Factual Background provocatively—and misleadingly1 —describes for the first time Domain Name System (“DNS”) traffic potentially associated with former President Donald Trump, including data at the Executive Office of the President (“EOP”), that was allegedly presented to Agency-2 in February 2017. See id. at 3–4. These allegations were not included in the Indictment; these allegations post-date the single false statement that was charged in the Indictment; and these allegations were not necessary to identify any of the potential conflicts of interest with which the Motion is putatively concerned. Why then include them? The question answers itself.

1 For example, although the Special Counsel implies that in Mr. Sussmann’s February 9, 2017 meeting, he provided Agency-2 with EOP data from after Mr. Trump took office, the Special Counsel is well aware that the data provided to Agency-2 pertained only to the period of time before Mr. Trump took office, when Barack Obama was President. Further—and contrary to the Special Counsel’s alleged theory that Mr. Sussmann was acting in concert with the Clinton Campaign—the Motion conveniently overlooks the fact that Mr. Sussmann’s meeting with Agency-2 happened well after the 2016 presidential election, at a time when the Clinton Campaign had effectively ceased to exist. Unsurprisingly, the Motion also omits any mention of the fact that Mr. Sussmann never billed the Clinton Campaign for the work associated with the February 9, 2017 meeting, nor could he have (because there was no Clinton Campaign). [my emphasis]

Not only must Durham know the true dates of the data involved but so — as I’ve noted — must Kash Patel, who has known about this issue for four years. That means Patel insinuated that Hillary’s associates hacked Trump, knowing full well the claim was false.

And it led the former President to claim that those involved should be killed.

Sussmann has asked Judge Christopher Cooper to strike the improper language from the motion.

He has also provided yet more evidence that Durham didn’t take basic investigative steps necessary to vet the allegations he made in the indictment before actually indicting Sussmann. Durham didn’t interview any Clinton Campaign staffer to find out whether Sussmann coordinated with the campaign until after the indictment.

[T]he Special Counsel has been investigating for years, and some of the Special Counsel’s “ongoing” investigation seems to be work that should have been completed before indicting Mr. Sussmann. For example, the Special Counsel has alleged that Mr. Sussmann met with the FBI on behalf of the Clinton Campaign, but it was not until November 2021—two months after Mr. Sussmann was indicted—that the Special Counsel bothered to interview any individual who worked full-time for that Campaign to determine if that allegation was true. It is not.

As I noted earlier, Durham had to admit that he had no basis to substantiate claims of coordination with the Hillary Campaign in a filing last year. But that was October. It was not until after he had to confess he had overblown that claim in the indictment that Durham first interviewed a Hillary staffer.

In his filing, Sussmann makes it clear he intends to move to dismiss the indictment.

In addition, Mr. Sussmann reserves all rights to submit appropriate motions and seek appropriate relief concerning this conduct should the Indictment not be dismissed and should the case proceed to trial, including by seeking extensive voir dire about potential jurors’ exposure to prejudicial media resulting from the Special Counsel’s irresponsible actions.

If he keeps to the original filing deadline, that motion will be submitted this Friday. While not normally a basis to dismiss an indictment, Sussmann will be able to present entire swaths of proof that Durham didn’t take basic investigative steps before accusing Sussmann of things that turned out not to be true.

And now he’ll be able to point back to this filing to show that Durham misrepresented basic facts that might get someone killed.

Update: I managed a whole appearance on MSNBC without potty mouth.