
“ur submission form is too fucking slow, spent the whole day uploading 1 gb.”

As I noted, one of the Roger Stone-related warrant applications released last week includes more details on the communications between the Guccifer 2.0 persona and WikiLeaks leading up to the DNC release. Emma Best examines the filing from a perspective of how someone, purportedly with no prior relationship to WikiLeaks, would go about transferring even a marginally significant submission to WikiLeaks. Almost a month of back-and-forth transpires between the first contact with Guccifer 2.0 and the successful transfer of the DNC files.

A key exchange, however, happened on July 6, 2016. After Guccifer 2.0 inquires whether WikiLeaks received some documents Guccifer 2.0 sent, the persona gets cranky because it took so long to upload a 1 GB file to WikiLeaks’ submission system. [I’m using Best’s conversion of this filing into a nifty transcription.]

Guccifer 2.0: “fuck, [I] sent 4 docs on brexit on jun 29, an archive in gpg[.] ur submission form is too fucking slow, [I] spent the whole day uploading 1 gb”

WikiLeaks: “We can arrange servers 100x as fast. The speed restrictions are to anonymise the path. Just ask for custom fast upload point in an email.”

Guccifer 2.0: “will u be able to check ur email?”

WikiLeaks: “We’re best with very large data sets. e.g. 200gb. these prove themselves since they’re too big to fake”

Almost two weeks into this exchange, WikiLeaks says they can arrange for a custom server to transfer larger data sets — of around 200 GB.

These exchanges should, to a significant extent, be considered theater. Both sides of this conversation knew that the FBI would be watching all DMs between WikiLeaks and the Guccifer 2.0 persona. So it can’t be taken as a definitive indication of how any files get sent.

Still, it shows how WikiLeaks would respond, using the public communication accounts, to a request to submit data in July 2016.

That’s significant because it shows how things might have proceeded, two months earlier, when Joshua Schulte allegedly sent 1TB of data to WikiLeaks on May 1, 2016.

While the prosecution in Schulte’s case provided forensic evidence to explain when he stole the CIA files and sent them to WikiLeaks, key gaps remain (perhaps most notably, how he got the files out of his building, though that may be because of certain classification decisions). And because Schulte used Tails and wiped his devices afterwards, there’s no record of him actually sending the files.

Here’s how prosecutor Matthew Laroche described that process in his closing arguments.

Just as a general matter, you know this information was transmitted to WikiLeaks because they posted it on the internet. They obviously got it, and the question is when did he send it?

And that’s answered by what he did on the 30th and May 1. Let’s look at the evening of the 30th.

At 6:47 p.m., he is searching for Google history and Google view browsing history. He is concerned about what he’s been searching for. On the evening, that night, he is searching for digital disk-wipe utility on several occasions, and at 10:52 p.m., he visits a website Kill Your Data Dead With These Tips and Tools. The defendant is interested in finding out how to securely delete information that might connect him to the leak, anything that he might’ve brought home with the leak on it, anything that he might’ve used to transfer it.

And at 10:55 p.m., he runs a similar search for SSD wipe utility. And you’ll remember all those hard drives that were recovered from his home. He was wondering how to wipe them to make sure that there was no evidence of his activities.

Now, overnight, he continues working.

At 12:19 a.m., the defendant mounted his D drive onto his virtual machine, the same D drive that had those encrypted files, data2.bkp through data6.bkp. They’re in his D drive. He mounts his D drive.

Then, overnight, he is constantly looking at his computer. On at least four occasions, he is unlocking his virtual machine in the middle of the night: 1:57 a.m.; 2:34 a.m.; 2:56 a.m.; 3:18 a.m. He is doing that because he is transferring data and he wants to make sure it’s happened correctly. And you know that is the case because of the Google searches he runs at the end of the night and the early morning.

At 3:18 a.m., just after he unlocks his screen saver, the defendant searches for How Long Does It Take to Calculate MD5?

Remember, calculating an MD5 is a way to confirm that what you transferred from one place to another is the same, that it went correctly, that there were no errors. You calculate an MD5 to confirm that what you transferred transferred correctly, and that’s what he’s looking for at 3:18 a.m.

Then at 3:21 a.m., the defendant visits a website, How Can I verify That a 1TB File — one terabyte file — transferred correctly?

That description is based off this forensic testimony from Michael Berger.

Prosecutors described this as happening overnight. Overnight transmission of a 1TB file using WikiLeaks’ public submission site would be utterly impossible given the state of it at the time and the volume of data Schulte was transferring, and probably impossible regardless of how much time someone spent. Overnight transmission of 1TB of data using Tails, even to a dedicated server, would be difficult enough. Best describes that, “1 TB over Tor in one night is unlikely.”
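The integrity check Laroche describes in the closing argument above, together with the arithmetic behind the transfer-time objection, as an added Python example that is not taken from the filings or from this post. It assumes that "the whole day" in the July 6 exchange means 24 hours and that 1 GB and 1 TB are decimal units; the files it hashes are constructed sample data.

```python
import hashlib
import os
import shutil
import tempfile
import time

CHUNK = 1 << 20         # read 1 MiB at a time so a 1 TB file never has to fit in memory
GB, TB = 10**9, 10**12  # decimal units (assumption)
DAY = 86_400            # seconds; "the whole day" is read as 24 hours (assumption)


def file_digest(path, algo="md5"):
    """Stream a file through a hash function and return the hex digest."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def transfer_matches(src, dst, algo="md5"):
    """True if dst is byte-for-byte the same as src, judged by size and digest.

    MD5 catches accidental corruption in transit. It is not collision
    resistant, so pass algo="sha256" when deliberate tampering is in scope.
    """
    if os.path.getsize(src) != os.path.getsize(dst):
        return False  # cheap check first: a truncated copy needs no hashing
    return file_digest(src, algo) == file_digest(dst, algo)


def hash_rate(path, algo="md5"):
    """Measured hashing throughput on this machine, in bytes per second."""
    start = time.perf_counter()
    file_digest(path, algo)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return os.path.getsize(path) / elapsed


def days_needed(size_bytes, bytes_per_second):
    """Days required to move (or hash) size_bytes at a sustained rate."""
    return size_bytes / bytes_per_second / DAY


def demo():
    """Copy a constructed 4 MiB file twice, flip one bit in the second copy,
    and return (intact_copy_ok, corrupted_copy_ok, md5_bytes_per_second)."""
    workdir = tempfile.mkdtemp()
    try:
        src = os.path.join(workdir, "source.bin")
        good = os.path.join(workdir, "good_copy.bin")
        bad = os.path.join(workdir, "bad_copy.bin")
        with open(src, "wb") as f:
            f.write(os.urandom(4 * CHUNK))  # constructed sample data
        shutil.copyfile(src, good)
        shutil.copyfile(src, bad)
        with open(bad, "r+b") as f:         # same size, one bit different
            f.seek(2 * CHUNK)
            original = f.read(1)
            f.seek(2 * CHUNK)
            f.write(bytes([original[0] ^ 0x01]))
        return (transfer_matches(src, good),
                transfer_matches(src, bad),
                hash_rate(src))
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    intact, corrupted, rate = demo()
    print("intact copy verifies:   ", intact)
    print("corrupted copy verifies:", corrupted)
    print("hours to MD5 1 TB here:  %.2f" % (days_needed(TB, rate) * 24))

    form_rate = GB / DAY  # 1 GB in "the whole day"
    print("1 TB at the submission-form rate: %.0f days" % days_needed(TB, form_rate))
    print("1 TB at 100x that rate:           %.0f days" % days_needed(TB, 100 * form_rate))
```

Under those assumptions the submission-form rate works out to about 1,000 days for 1 TB, and the "100x as fast" server WikiLeaks offered to about 10 days.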

The government timeline does have Schulte in possession of the data earlier than that, potentially giving him a week to transfer the data, with this process describing just the end of the process.

Still, the way this would happen, normally, would be for WikiLeaks to set up a dedicated server to accept the files. And that would take prior communication. Such communication likely would have happened over Jabber, not Twitter (Schulte’s opsec was piss poor in many ways but he did use Jabber).

Such a prior conversation is entirely consistent with testimony provided elsewhere, where prosecutors focused on the website’s alternative submission process.

But the seeming necessity for prior communication before this transfer happened suggests Schulte’s alleged theft and transfer of the files might not have been as reactive a decision as portrayed in his prosecution.

It would take premeditation to send WikiLeaks a 1TB file, whatever the timing. Prosecutors may know that, and have an explanation for when such prior communications happened, but they’re withholding those details for any of a number of reasons. Or it may be a big hole in this story. Schulte insists he didn’t do it and a jury failed to convict.

One way or another, however, the state of WikiLeaks’ submission system as it existed in 2016 presents a big gap in prosecutors’ current story.

Update: Two important details for those trying to figure out how long this transfer would really take. First, Schulte ran a commercial server specifically focused on video streaming at the time, so his upload speeds would not limit the transfer time at all. Second, Schulte at least claimed that hiding data for exfiltration was his speciality. That by itself wouldn’t help him send stuff to WikiLeaks, at least not without prior contact. But it does mean that the means by which he transferred this file relied on tools he has developed at CIA.

The State of Play: Joshua Schulte and Julian Assange

Last year, it looked like the Joshua Schulte trial, rescheduled in the fall to start January 13, would be done before the extradition hearing for Julian Assange started. Two things changed since then: Schulte got a delay until February 3, and then last month, Assange convinced Judge Vanessa Baraitser to split his extradition hearing into two, the first part lasting a week starting Monday, and then resuming on May 18 for three more weeks.

As a result, both men are in court during the same week, intersecting in interesting ways.

Thus far, Assange’s argument is threefold:

  1. His prosecution is hopelessly political, merely retaliation by the hated President that Assange helped elect, Donald Trump
  2. The evidence in the case against Assange is so weak as to be abusive
  3. A person cannot be extradited for political crimes like the Espionage Act

The first argument is a load of horseshit covering up the fact that the timing of the treatment of WikiLeaks as a non-state hostile intelligence service, the increased surveillance of Assange, and the initial December 21, 2017 charge all stem from WikiLeaks’ burning the CIA by publishing all its hacking tools. It’s horseshit, but it garners a lot of enthusiasm among WikiLeaks supporters who like to conveniently forget that, whatever Assange’s motivations were in 2010 (when he engaged in the acts he is charged with), he nevertheless helped Russia help Trump get elected. That said, even though the claims about what changed in 2017 are horseshit, it doesn’t change that the existing charges against Assange pose a real danger to journalism.

The second argument is far stronger. For each of the theories of prosecution under which Assange is charged — attempting to help Chelsea Manning crack a password, soliciting certain files via WikiLeaks’ wish list, and publishing a bunch of files in which the names of US and British sources were later revealed — Assange has at least a credible defense. Assange never succeeded, and could not have succeeded, in cracking that password. Manning didn’t leak the precise files that WikiLeaks had on its wish list (though did leak some of the same sets). WikiLeaks originally went to some effort to redact the names of sources, only to have a Guardian journalist release the password revealing them. Mind you, the extradition hearing is not the trial itself, so for these defenses to be relevant, WikiLeaks has to prove that the case against Assange is abusively weak.

The third argument, which is being argued today, is a more interesting legal question. Assange claims that the existing Anglo-US extradition treaty, passed in 2003, still prohibits extradition for political offenses like the Espionage Act. The US argues that Assange’s extradition is governed by the Extradition Act of 2003, which did not include such a bar (and also disagrees that these are political crimes). The lawyers are even arguing about the Magna Carta! Judge Vanessa Baraitser seems inclined to side with the US on this point, but the question will surely be appealed. Mind you, one of the charges against Assange, CFAA, is in no way a political offense, and the UK has not barred its own citizens, much less foreign citizens hanging out in foreign embassies, from being extradited on the charge (though several hackers, most recently Lauri Love, have challenged their extradition to the US for CFAA on other grounds).

Yesterday, Assange’s defense spent a good deal of time making the second argument. The US didn’t respond. Rather, it said it would deal with those issues in the May hearing.

Meanwhile, the Schulte trial is wrapping up, with Schulte doing little to mount a defense, but instead preparing an appeal. Yesterday, Schulte asked that an instruction on the defendant not testifying be added to the jury instructions (normally, these are included from the start, but Schulte has been claiming he would testify all this time). Today, Schulte told the court that Steve Bellovin won’t testify because he never got access to all the data Judge Paul Crotty ruled he couldn’t have access to (not mentioning, however, that the restrictions stemmed from Crotty’s own CIPA judgment).

I’m still unclear on the status of the witness, Michael. Schulte is trying to submit his CIA investigative report in lieu of finishing cross-examination (which is where things had left off). But it still seems possible that Crotty would require his testimony to be resumed, giving the government another opportunity to redirect his testimony. This is all likely happening today, but given that there’s so little coverage of the trial, we won’t know until Thursday.

Before all this happened, however, the jailhouse informant provided very damning testimony against Schulte, not only describing how Schulte obtained a phone (swapping an iPhone for a Samsung that he could load all the apps he wanted on it), but also claiming that Schulte said, “Russia had to help him with what he was doing,” launching an “information war.” I had learned of similar allegations of ties or willingness to forge them with Russia via several sources in the past. And Schulte’s own jailroom notebooks include hints of the same, such as a bullet point describing how Russia could help the US “destroy itself.”

And his final plan — which the informant alerted his handlers to just before Schulte launched it — included some “Russia pieces.”

As part of the same plan to get fellow SysAdmins to leak all their secrets to WikiLeaks, then, Joshua Schulte was also hoping to encourage Russia to attack the US.

I’ve long said the Vault 7 case, if it were ever added to Julian Assange’s charges (including an extortion charge, which would also not be a political crime), would be far more damning and defensible than the ones currently charged. Filings from November suggested that the government had come to think of Schulte’s leaks to WikiLeaks as the last overt act in an ongoing conspiracy against the United States.

And by 2018, Schulte had come to see leaking to WikiLeaks as part of the same plan encouraging Russian attacks on the US, precisely the allegation WikiLeaks has spent years trying to deny, especially in the wake of Assange’s cooperation in Russia’s election year operation.

It’s not clear whether the US will add any evidence to the original 2010 charges against Assange before May (though Alexa O’Brien has pointed to where additional evidence might be), but the statement they’re waiting until then to rebut the solid defense that WikiLeaks is now offering suggests they might. That might reflect a hope that more coercion against Chelsea Manning will produce that additional evidence (she has renewed her bid to be released, arguing that such coercion has obviously failed). Or it might suggest they’ve got plans to lay out a broader conspiracy if and when Schulte is convicted.

Assange’s lawyers pushed for the delay to May in the first place. If the US government uses the extra time to add charges related to Vault 7, though, the delay may make a significant difference in the posture of the case.

Why Roger Stone Threatened to Sue emptywheel!

Remember when Roger Stone threatened to sue me? It was in response to this post, in which I noted that Don McGahn had been helping Stone rat-fuck for Trump for years.

Well, it turns out that that’s the topic of something the government would like to introduce as evidence about why he lied to HPSCI.

As I noted, a debate over whether the government can introduce 404(b) evidence at trial — often used to show motive — has been going on under seal. But a snippet of the topic got aired in yesterday’s hearing on such issues. And one of the things the government wants to introduce under 404(b) is that, in addition to all the lies Stone told HPSCI laid out in his indictment, he also told further lies about his coordination with the Trump campaign.

Separately, Jackson also held off in ruling on Stone’s bid to block DOJ from talking about other alleged false statements he made before the House committee during the September 2017 testimony that led Mueller to press charges.

During Wednesday’s hearing she fretted that raising Stone’s statements could prolong the trial and confuse jurors over allegations that the government didn’t choose to prosecute.

DOJ attorney Michael Marando argued that the government’s allegations need to be heard in the context of Stone’s overall motivations.

“He went in with a calculated plan to lie, to separate himself from the campaign in order to shield the lie about his connections to WikiLeaks. He had to create that space,” Marando said.

One of those lies pertains to Stone’s communication with the campaign about the activities of his PAC.

Assistant U.S. Attorney Michael J. Marando argued that Stone falsely denied communicating with Trump’s campaign about his political-action-committee-related activities, and that the lie revealed his calculated plan to cover up his ties to the campaign and obstruct the committee’s work.

Rogow disagreed, calling the allegation more prejudicial than revealing and saying that it would divert jurors into a matter that Stone was not charged with.

Note, this is likely why he wants to call Steve Bannon, which other news outlets are inexplicably quite surprised about; Stone asked Bannon for funding from Rebekah Mercer for this stuff. And, as I noted in the post in question, Don McGahn helped Stone avoid charges for voter intimidation for his PAC activities. So I guess Stone wanted to sue me because I laid out proof that he lied to HPSCI about something that served the larger purpose of distancing his rat-fucking from the campaign.

Amy Berman Jackson ruled on most of the motions in limine as follows:

Government motion to introduce two categories of 404(b) evidence: Under advisement

Government motion to introduce two newspaper articles related to such evidence: Denied, with the opportunity to submit redacted versions if the evidence is submitted

Government motion to exclude claims of prosecutorial misconduct: Granted, but Stone can introduce impeachment information

Government motion to exclude evidence of Russian interference: Granted

Stone motion to introduce evidence challenging claims that WikiLeaks obtained stolen documents from Russia: Denied

Stone motion to subpoena Crowdstrike for its reports to the DNC: Denied

Stone motion for a recording of his HPSCI testimony: Moot

Government motion to introduce upload dates for videos: Granted

Government motion to introduce an excerpt of Godfather II: Deferred

Government motion to partially redact a grand jury transcript: Granted, along with permission to file a motion in limine to limit the same witnesses’ court testimony

ABJ ordered the two sides to figure out what portion of the HPSCI report they need to submit at trial, as well as what communications between Randy Credico and Stone should be excluded

DOJ Says It Never Offered Accused Vault 7 Leaker Joshua Schulte a Plea Deal

As the Joshua Schulte prosecution has inched along against the backdrop of the Julian Assange indictment, I’ve heard chatter about his plans: that the two sides might prosecute the child porn charges and leave the leak untried; that the government was trying to get him to cooperate against Assange.

In the former case, the opposite now seems more likely. Last week, Judge Paul Crotty granted Schulte’s motion to sever his child porn and copyright charges from his Espionage ones. But the minute order states that the Espionage charges will be tried first, in November, with the child porn charges tried some time after that. That’s true, even though the Espionage charges are far more complex to try than the child porn ones. If the government wanted to use the child porn charges to put Schulte away indefinitely and avoid the difficulties of an Espionage trial, they’d try those first. (Update: at the hearing where this was decided, the defense said they wanted the Espionage trial to go first, and all other parties agreed.)

As to the latter, Schulte himself has sown the belief he was being offered a plea deal. In one version of his “Presumption of Innocence” blog, for example, he claimed (falsely, given the warrants he himself released) the government never obtained any evidence implicating him in the leak, and was just pursuing the child pornography charges to “break” him so he’ll cooperate against WikiLeaks.

I’m arrested and charged with a crime that had nothing to do with the initial search warrant and that I was completely innocent. The U.S. Attorney unethically and immorally misleads the court regarding what the initial investigation was about, when they found the illicit materials, and the fact that they did not think I was involved for 5 months until their initial investigation came up empty. I’m denied bail and thrown into prison immediately and they use the situation as leverage telling my attorney every day that he can make this huge embarrassment and misunderstanding all go away if only I would agree to cooperate on the WikiLeaks investigation and admit to it. They admit, unabashedly that these entire charges are nothing more than a ruse, an attempt at leverage to break me.

A version of this claim was repeated in a piece the Intercept did yesterday claiming to track how (a select group of) leakers got identified by the FBI.

Of the four Espionage Act cases based on alleged leaks in the Trump era, the most unusual concerned Joshua Schulte, a former CIA software developer accused of leaking CIA documents and hacking tools known as the Vault 7 disclosures to WikiLeaks. Schulte’s case is different from the others because, after the FBI confiscated his desktop computer, phone, and other devices in a March 2017 raid, the government allegedly discovered over 10,000 images depicting child sexual abuse on his computer, as well as a file and chat server he ran that included logs of him discussing child sexual abuse images and screenshots of him using racist slurs. Prosecutors initially charged Schulte with several counts related to child pornography and later with sexual assault in a separate case, based on evidence from his phone. Only in June 2018, in a superseding indictment, did the government finally charge him under the Espionage Act for leaking the hacking tools. He has pleaded not guilty to all charges.

Schulte was identified as the suspect just like all the other people profiled in the story were: because he was one of the few people who had access to the files that got leaked and his Google searches mapped out a damning pattern of research involving the leak, among other things. In his case, WikiLeaks itself did several things to add to the evidence he was the source. It is true that Schulte was charged with the porn charges first and that it took 15 months for the government to ultimately charge the leak, but the theory of Schulte’s role in the leak has remained largely unchanged since a week after the first files were dropped.

Schulte again suggested he might get a plea deal in his lawsuit against then Attorney General Jeff Sessions for imposing Special Administrative Measures against him when he raised 5K1 letters that might allow someone to avoid mandatory minimum sentencing.

But in last week’s opposition to Schulte’s motion to suppress most of the warrants against him — including some on the grounds that they relied on poisonous fruit of attorney-client privileged material — the government denies ever offering a plea deal.

Schulte claims that the FBI read his thoughts on severance (which the Government has consented to) or a plea offer (which the Government has not made), but none of those “thoughts” are referenced in any subsequent search warrant.

The claim that the government left unredacted a reference to Schulte’s views on a plea deal does not appear in the unredacted version of Schulte’s motion to suppress, but given his lawyers’ claim that his journals were intended to be a discussion of his legal remedies, it may be an attempt to suppress the Presumption of Innocence notes cited above (even though Schulte made the same notes public).

Mr. Schulte’s narrative writings and diary entries contain information he “considered to be relevant to his potential legal remedies.”

There’s a lot of room for a discussion short of a plea offer that might be true even given the government claim that “the Government has not made” any offer (such as that one of the series of attorneys who have represented Schulte has recommended that he seek a deal).

But the detail is particularly interesting given the timing of his trial and something the government claimed the last time Chelsea Manning and her lawyers tried to get her out of jail. It insisted they want Manning’s testimony for subjects and charges not included in Assange’s current indictment, and said the submission of the extradition request against Assange does not preclude future charges based on those offenses.

As the government’s ex parte submissions reflect, Manning’s testimony remains relevant and essential to an ongoing investigation into charges or targets that are not included in the superseding indictment. See Gov’t’s Ex Parte Mem. (May 23, 2019). The offenses that remain under investigation are not time barred, see id., and the submission of the government’s extradition request in the Assange case does not preclude future charges based on those offenses, see Gov’t’s Supplement to Ex Parte Mem. (June 14, 2019).

Barring a delay because of Classified Intelligence Protect Act proceedings, Schulte will face trial on the Espionage charges in November, three months before the next hearing in Assange’s extradition. And while there’s no hint in Schulte’s case that WikiLeaks played a role in the front end of Schulte’s alleged leak, there’s abundant evidence that they continued to cooperate with him in the aftermath and even in the initial release itself. Indeed, that’s some of the most damning evidence against Schulte.

Schulte seems to think he could cooperate against Assange and face lesser charges. If the government told the truth last week, he may have little prospect to diminish what would amount to a life sentence if he’s found guilty.

The Dance between Joshua Schulte and WikiLeaks

Way back when Joshua Schulte was first charged for leaking the CIA’s hacking tools to WikiLeaks, I noted a loose coincidence between WikiLeaks’ release, for the first time, of some of CIA’s hacking source code rather than just development notes and the activity on Tor that led to Schulte getting his bail revoked. Since then, however, court documents have laid out a number of other interactions between Schulte and WikiLeaks. This post lays all of those out.

The government currently maintains that Schulte stole the CIA’s hacking tools in late April 2016 and sent them (it’s unclear whether they believe he sent them directly to WikiLeaks or not), using Tails, in early May. In court documents (the most informative warrant affidavit starts at PDF 129, though the FBI would revise some of its understanding of events after that time), that timeline is based off the searches Schulte did in Google (!!!) mapping out his actions.

April 24, 2016: Schulte searches for a SATA adapter (which lets you connect a computer hard drive via a USB connection); Schulte searches how to partition a drive

April 28, 2016: Schulte searches, for a second time, on how to restrict other admins from seeing parts of a LAN

April 30, 2016: Schulte researches how to delete Google history, Western Digital disk wipe, and Samsung ssd wipe (the search of Schulte’s apartment would find both Western Digital and Samsung drives)

May 1, 2016, 3:20AM: Schulte searches on “how can I verify that a 1 tb file transferred correctly?”

May 4, 2016: Schulte searches on “can you use dban on ssd,” referring to a wiping software called Darik’s Boot and Nuke

May 6, 2016: Schulte researches Tor

May 8, 2016: Schulte researches how to set up a Tor bridge

In August 2016, Schulte for the first time started tracking WikiLeaks coverage via a number of Google searches, but without visiting the site. He also researched Tails for a second time, as well as throwaway email.

Schulte’s first trackable visit to the WikiLeaks site itself was on March 7, 2017, the day of the first Vault 7 release (though WikiLeaks had started hyping it earlier, starting in February 2017).

From that first release on March 7 through September 7, WikiLeaks would release another Vault 7 release fairly regularly, often every week, other times at two week intervals and, at one point in June, releasing files on consecutive days. WikiLeaks then released the one and only Vault 8 file — source code rather than development notes — on November 9.

In general, that rhythm of releases is not obviously remarkable, though of course it took place against the background of serial efforts to get Julian Assange a pardon in the US.

But it intersects with the investigation of Schulte laid out in search warrant applications and other filings in a few key ways. As I’ll show in a follow-up, it’s clear that Schulte provided WikiLeaks with a story about the files to offer a rationale for their publication, so it’s clear that he did more than provide the files as a dead drop. After the first files dropped, he realized he’d be the prime suspect. Court filings reveal that he contacted a number of his former colleagues (using Google!), trying to find out what they knew about the investigation, acknowledging that he would be a key suspect, and denying he had done the leak.

Then, between the first and the second Vault 7 release, on March 15, the FBI interviewed Schulte as they were searching his apartment. As part of that interview, Schulte lied to the FBI so as to be able to leave his apartment with the CIA diplomatic passport he had never returned (he had plane tickets to leave the country the following day). When he left his apartment, he told FBI Agents he’d be back in roughly an hour. He went to Bloomberg (where he still worked), stashed his passports there, and got on his work computer. 45 minutes after the time he said he’d return, the FBI found him leaving the lobby of Bloomberg, and on threat of arrest, got him to surrender his passports. After all this happened, Bloomberg did an analysis of what Schulte had done on his work computer and phones in this period; FBI seized his work hard drive in May 2017. If Schulte had on-going communications with WikiLeaks, this would have provided an opportunity to reach out to them to tell them he was under imminent threat of arrest.

From that point forward, the FBI asked Schulte new questions based off what had been released by WikiLeaks. Most notably, on June 29, they asked Schulte whether he altered Brutal Kangaroo, a file released by WikiLeaks just a week earlier, outside the CIA.

The rhythm of WikiLeaks’ regular releases continued through August 24, when Schulte was arrested for child porn, with a file released that day, and another file released on September 7, while he was in jail. But after Schulte was released on bail after a September 13 hearing, WikiLeaks released no more Vault 7 files.

An April 2019 Bill of Particulars released last month strongly suggests there may be a tie between Schulte’s Tor activities starting on November 16, 2017. The document suggests that Schulte may have met with someone on November 8, 2017, then lied to the FBI or prosecutors about it 8 days later. Among the four lies the government described to substantiate False Statements and Obstruction charges in his indictment, it explains,

On or about November 16, 2017, Schulte falsely described his trip to a court appearance from the vicinity of Grand Central Terminal to the vicinity of the courthouse, and also falsely claimed to have been approached on the way to that court appearance by an unknown male who allegedly stated, in substance and in part, that he knew that Schulte had been betrayed and bankrupted by the U.S. Government.

This incident almost certainly happened on November 8. As noted, he was arrested on August 24, 2017. He was denied bail at first (so remained in jail). But when he was arraigned on the first (child porn) indictment on September 13, he was granted bail, including house arrest. While he would have had to check in with Parole Officers, the next “court appearance” he had (because the first status hearing got delayed a few times) — and the only court appearance before November 16 — was on November 8. He’d have gone to his first and second arraignment from jail; he was only out on bail to travel to a court appearance from his home for that first status conference.

It seems likely that an FBI surveillance team tracked Schulte on that day doing something suspect between the time he left his home and arrived at the courthouse. The mention of Grand Central suggests he may have met someone there, though that’s not dispositive because his apartment was just a few blocks away. But Schulte’s description of meeting a man he didn’t know, which the government alleges is false, seems like the kind of lie you’d tell if you were covering for meeting a man you did know. As noted, that probably happened on November 8.

On November 9, WikiLeaks released their single Vault 8 file.

Then, Schulte was asked, by some “law enforcement agents and/or prosecutor[] at the U.S. Attorney’s Office” about the incident on November 16.

The same day he was interviewed about the incident on the way to the courthouse, November 16, he got on Tor for the first of five times, as laid out in his detention memo.

Separately, since the defendant was released on bail, the Government has obtained evidence that he has been using the Internet. First, the Government has obtained data from the service provider for the defendant’s email account (the “Schulte Email Account”), which shows that the account has regularly been logged into and out of since the defendant was released on bail, most recently on the evening of December 6, 2017. Notably, the IP address used to access the Schulte Email Account is almost always the same IP address associated with the broadband internet account for the defendant’s apartment (the “Broadband Account”)—i.e., the account used by Schulte in the apartment to access the Internet via a Wi-Fi network. Moreover, data from the Broadband Account shows that on November 16, 2017, the Broadband Account was used to access the “TOR” network, that is, a network that allows for anonymous communications on the Internet via a worldwide network of linked computer servers, and multiple layers of data encryption. The Broadband Account shows that additional TOR connections were made again on November 17, 26, 30, and December 5.

[snip]

First, there is clear and convincing evidence that the defendant has violated a release condition—namely, the condition that he shall not use the Internet without express authorization from Pretrial Services to do so. As explained above, data obtained from the Schulte Email Account and the Broadband Account strongly suggests that the defendant has been using the Internet since shortly after his release on bail. Especially troubling is the defendant’s apparent use on five occasions of the TOR network.

When it ultimately came time to explain away this use of Tor, Schulte pointed to a series of posts that would form part of what the government claims Schulte called an “information war” attempting to discredit the US government. That was first made broadly available when WikiLeaks posted it on June 19, 2018, the day after Schulte was charged with leaking the Vault 7 files.

The government alleges that a copy posted to Facebook later that year, on September 25, 2018, was posted by Schulte from his jail cell himself, using a contraband cell phone, which makes the WikiLeaks tweet part of Schulte’s deliberate information campaign from jail.

And around the same time Schulte posted his diaries from jail, the government claims, Schulte was prepping to send WikiLeaks materials from a fake FBI agent attesting that the Bureau had framed Schulte by planting child porn on his computer.

iii. A document that appears to be an article for release by WikiLeaks.org (“WikiLeaks”), in which a purported FBI “whistleblower” claimed to have provided the discovery in this case to WikiLeaks and that the FBI had planted evidence of child pornography on Schulte’s computer to frame him (the “Fake FBI Document”).

[snip]

What appears to be a “to-do” list dated September 12, 2018, in which Schulte wrote that on September 17 and 18, he would “DL Disc. UL WL,” and that on September 19, 20, and 21, he would “schedule tweets[.]” I believe that here, “DL Disc. UL WL” means that Schulte planned to download his discovery (“DL Disc.”) from the Schulte Laptop and upload that discovery to WikiLeaks (“UL WL”). As noted above, in another place in the Schulte Cell Documents, Schulte drafted the Fake FBI Document, a purported statement by a supposed FBI “whistleblower” who provided Schulte’s discovery to WikiLeaks and claimed that the FBI had planted evidence of child pornography on Schulte’s computer.

As I’ll show, Schulte gave WikiLeaks several claims it used to introduce the series in March 2017.

Then, several key events — an incident that probably occurred on November 8 which the government accuses Schulte of trying to cover up, WikiLeaks’ sole release of source code from the CIA, the interview at which Schulte allegedly lied about the November 8 incident, and some activity on Tor — make it more likely the events are more than a coincidence.

And then WikiLeaks contributed early to Schulte’s “Information War,” and Schulte may have expected he could get WikiLeaks to cooperate again, with even more blatant disinformation.

That’s a fairly remarkable degree of coordination at a time when WikiLeaks was trying to coerce an Assange pardon and Schulte was (according to the government) trying to lie his way out of a great deal of legal trouble.

The Parts of the Mueller Report withheld from Roger Stone Show the Centrality of His WikiLeaks Activities to Trump’s Obstruction

Along with denying most of Roger Stone’s frivolous challenges to his prosecution, Amy Berman Jackson also partly granted his motion to get some of the redacted Mueller Report. As she laid out, she permitted the government to withhold grand jury information, sources and methods, stuff that would harm the reputation of others, and prosecutorial deliberations.

But the Court was of the view that the Report of the Special Counsel should receive separate consideration since a great deal of deliberative material within the Report had already been released to the public.

[snip]

Having considered the defendant’s motion, the government’s response and supplemental submissions, and the Report itself, the Court has determined that the defense should have the limited access he requested to some, but not all, of the redacted material.32 Insofar as defendant’s motion to compel seeks any material that was redacted from the public report on the basis that its release would infringe upon the personal privacy of third parties or cause them reputational harm; pursuant to Federal Rule of Criminal Procedure 6(e); or on the basis of national security or law enforcement concerns, including information that if revealed, could potentially compromise sensitive information gathering sources, methods, or techniques or harm ongoing intelligence or law enforcement activities, the Court will deny the motion.33 With respect to material that was withheld solely on the basis that its release could affect the ongoing prosecution of this case, the Court has concluded that the material to be specified in the order issued with this opinion should be provided to counsel for the defendant subject to the terms and conditions of the Protective Order in this case.

As she described, the government “submit[ted] unredacted portions of the Report that relate to defendant ‘and/or “the dissemination of hacked materials.”’” Then she and the government conducted a sealed discussion about what could be released to Stone. In addition to her opinion, she submitted an order describing which specific pages must now be released to Stone.

We can compare what the government identified as fitting her order — this includes anything that fits the order, whether redacted or not — with what she has ordered released to Stone (note, the government either did not include Appendix D, showing referrals, or ABJ didn’t mention it, because in addition to an unredacted reference to Stone, there are referrals that the FOIA copies show to be related to Stone; nor did it include questions to Trump).

ABJ has not ordered the government to turn over anything pertaining to how GRU got stolen documents to WikiLeaks. This is precisely the kind of thing Stone is trying to get with his demands for Crowdstrike reports; after ABJ pointed out that if they really wanted the reports, they would have tried subpoenaing Crowdstrike, they are now launching an attempt to do that. That ABJ has not ordered the government to turn this material over does not bode well for Stone’s plans to make this trial about the hack-and-leak rather than his lies. I would not be surprised if Stone made a second effort to get this information.

She has permitted the government to withhold all the prosecutorial decisions covered by her order except the one pertaining to Stone’s own lies. In addition, she let the government withhold one line about how they hadn’t determined whether or not Stone and Corsi had managed to optimize the release of the Podesta emails in October (though she did give Stone the more detailed discussion of that).

But ABJ has not included any of the references in the main part of Volume II in her order (presumably to protect Trump’s reputation!). That Volume includes three references to Trump and the campaign’s enthusiasm for or attempts to optimize the WikiLeaks releases through Stone, the reference to Richard Burr leaking news of the targets of the investigation (including Stone) to the White House before Jim Comey got fired, and three instances describing Trump floating pardons to Stone or otherwise encouraging him to remain silent.

It also includes the page on which this passage appears:

After Flynn was forced to resign, the press raised questions about why the President waited more than two weeks after the DOJ notification to remove Flynn and whether the President had known about Flynn’s contacts with Kislyak before the DOJ notification.244 The press also continued to raise questions about connections between Russia and the President’s campaign.245 On February 15, 2017, the President told reporters, “General Flynn is a wonderful man. I think he’s been treated very, very unfairly by the media.”246 On February 16, 2017, the President held a press conference and said that he removed Flynn because Flynn “didn’t tell the Vice President of the United States the facts, and then he didn’t remember. And that just wasn’t acceptable to me.” 247 The President said he did not direct Flynn to discuss sanctions with Kislyak, but “it certainly would have been okay with me if he did. I would have directed him to do it if I thought he wasn’t doing it. I didn’t direct him, but I would have directed him because that’s his job.”248 In listing the reasons for terminating Flynn, the President did not say that Flynn had lied to him.249 The President also denied having any connection to Russia, stating, “I have nothing to do with Russia. I told you, I have no deals there. I have no anything.”250 The President also said he “had nothing to do with” WikiLeaks’s publication of information hacked from the Clinton campaign.251 [my emphasis]

Clearly, it was included for Trump’s public denials — at the moment he fired Flynn in an attempt to stop the Russian investigation — of having anything to do with WikiLeaks’ publication of materials stolen from Hillary’s campaign. It is, on its face, a reference to the publication of the stolen emails, and as such qualifies under ABJ’s order. At that level, it is unremarkable.

But the government is treating it not as Trump making empty denials, but instead as Trump making a claim specifically disavowing any involvement in WikiLeaks’ publication of stolen emails. Mueller’s team put the claim right next to a claim we know to be false, a claim designed to hide his Trump Tower deals. And he put all that amid a discussion of why he first did not, and then did, fire Mike Flynn.

Now consider something else: While it doesn’t appear in the Mueller Report at all, one thing Flynn told prosecutors was that after WikiLeaks started dumping John Podesta’s emails, he took part in conversations during which the campaign discussed reaching out to WikiLeaks.

The defendant also provided useful information concerning discussions within the campaign about WikiLeaks’ release of emails. WikiLeaks is an important subject of the SCO’s investigation because a Russian intelligence service used WikiLeaks to release emails the intelligence service stole during the 2016 presidential campaign. On July 22, 2016, WikiLeaks released emails stolen from the Democratic National Committee. Beginning on October 7, 2016, WikiLeaks released emails stolen from John Podesta, the chairman of Hillary Clinton’s 2016 presidential campaign. The defendant relayed to the government statements made in 2016 by senior campaign officials about WikiLeaks to which only a select few people were privy. For example, the defendant recalled conversations with senior campaign officials after the release of the Podesta emails, during which the prospect of reaching out to WikiLeaks was discussed.

There’s nothing in the public record that suggests Flynn knew of Trump’s efforts, during the campaign, to build a Trump Tower. But he did know about Trump’s efforts to optimize WikiLeaks’ releases of stolen emails. And Trump would have known that when he considered the impact of Flynn’s ties to Russia being investigated by the FBI.

And the treatment of that reference as a real denial — as Trump evincing guilt even as he fired Flynn — sure makes the Flynn firing more interesting.

Federal Judge Destroys the Hopes of RICO Salvation in DNC Lawsuit

Yesterday, Clinton-appointed Judge John Koeltl dismissed with prejudice the DNC’s lawsuit against Russia, Trump’s flunkies, and WikiLeaks alleging they conspired against the party in 2016. He also ruled against a Republican demand to sanction the DNC for sustaining their claim in the wake of Robert Mueller finding that he “did not establish” a conspiracy between Trump and Russia. Koeltl’s decision is unsurprising. But his decision is interesting nevertheless for what it reveals about his legal assessment of the events of 2016, not least because of the ways it does and does not parallel Mueller’s own decisions.

The scope of the two analyses is different: The Democrats alleged RICO and some wiretapping charges, as well as the theft of trade secrets; Mueller considered campaign finance crimes and a quid pro quo. A short version of the difference and similarity in outcome is that:

  1. Mueller charged the GRU officers who hacked the DNC for the hack (which DOJ has been doing for five years, but which has never been contested by a state-hacker defendant); by contrast, Judge Koeltl ruled that Russia’s hackers could not be sued under the Foreign Sovereign Immunities Act (which is what the Mystery Appellant tried to use to avoid responding to a subpoena); notably, Elliott Broidy’s attempt to blame Qatar for his hack serves as precedent here. For the DNC, this meant the key players in any claimed conspiracy could not be sued.
  2. While Democrats made a bid towards arguing that such a conspiracy went beyond getting Trump elected to getting Trump to enact policies that would benefit Russia, Koeltl treated any Trump role as just that, attempting to get Trump elected. This meant that (for example) Stone’s alleged criminal obstruction after Trump got elected was not deemed part of any conspiracy.
  3. As Mueller did with both the hack-and-leak itself but also with any campaign finance violation associated with getting hacked documents as assistance to a campaign, Koeltl ruled that the Supreme Court’s decision in Bartnicki meant the First Amendment protected everyone besides the Russians from liability for dissemination of the stolen documents.
  4. DNC’s RICO fails because, while the Trump campaign itself was an association, the DNC claim that there was an Association in Fact under RICO fails because the ties between individuals were too scattered and their goals were not the same. Moreover, the goal of the Trump associates — to get Trump elected — is in no way illegal.

The most important part of the decision — both for how it protects journalism, what it says about the EDVA charges against Julian Assange, and what it means for similar hack-and-leak dumps going forward — is Koeltl’s First Amendment analysis, in which he argued that even WikiLeaks could not be held liable for publishing documents, even if they knew they were stolen.

Like the defendant in Bartnicki, WikiLeaks did not play any role in the theft of the documents and it is undisputed that the stolen materials involve matters of public concern. However, the DNC argues that this case is distinguishable from Bartnicki because WikiLeaks solicited the documents from the GRU knowing that they were stolen and coordinated with the GRU and the Campaign to disseminate the documents at times favorable to the Trump Campaign. The DNC argues that WikiLeaks should be considered an after-the-fact coconspirator for the theft based on its coordination to obtain and distribute the stolen materials.

As an initial matter, it is constitutionally insignificant that WikiLeaks knew the Russian Federation had stolen the documents when it published them. Indeed, in Bartnicki the Supreme Court noted that the radio host either did know, or at least had reason to know, that the communication at issue was unlawfully intercepted.

[snip]

And, contrary to the DNC’s argument, it is also irrelevant that WikiLeaks solicited the stolen documents from Russian agents. A person is entitled [sic] publish stolen documents that the publisher request from a source so long as the publisher did not participate in the theft. … Indeed, the DNC acknowledges that this is a common journalistic practice.

[snip]

WikiLeaks and its amici argue that holding WikiLeaks liable in this situation would also threaten freedom of the press. The DNC responds that this case does not threaten freedom of the press because WikiLeaks did not engage in normal journalistic practices by, for example, “asking foreign intelligence services to steal ‘new material’ from American targets.” … The DNC’s argument misconstrues its own allegations in the Second Amended Complaint. In the Second Amended Complaint, the DNC states that “WikiLeaks sent GRU operatives using the screenname Guccifer 2.0 a private message asking the operatives to ‘[s]end any new material [stolen from the DNC] here for us to review.’” … This was not a solicitation to steal documents but a request for material that had been stolen. [citations removed]

Koeltl analyzes whether the Democratic claim that GRU also stole trade secrets — such as their donors and voter engagement strategies — changes the calculus, but judges that because those things were newsworthy, “that would impermissibly elevate a purely private privacy interest to override the First Amendment interest in the publication of matters of the highest public concern.”

Koeltl goes on to note that the analysis would be the same for Trump’s associates, even though they make no claim (as WikiLeaks does) to being part of the media.

[E]ven if the documents had been provided directly to the Campaign, the Campaign defendants, the Agalarovs, Stone, and Mifsud, they could have published the documents themselves without liability because they did not participate in the theft and the documents are of public concern. … Therefore, the DNC cannot hold these defendants liable for aiding and abetting publication when they would have been entitled to publish the stolen documents themselves without liability. [citations removed]

That analysis is absolutely right, and even while Democrats might hate this outcome and be dismayed by what this might portend about a repeat going forward, it is also how this country treats the First Amendment, both for those claiming to be journalists and those making no such claim.

All that said, there are several aspects of this analysis worth noting.

This is a DNC suit, not a suit by all harmed Democrats

First, this is a suit by the DNC. Neither Hillary nor John Podesta are parties. “Podesta’s emails had been stolen in a different cyberattack,” Koeltl said, “there is no allegation they were taken from the DNC’s servers.” Had they been, they would have had to have been prepared to submit to discovery by Trump and his associates.

Including Podesta might have changed the calculus somewhat, though Koeltl does not deal with them (though he does suggest they would not have changed his calculus).

They might change the calculus, however, because (as Emma Best has noted) WikiLeaks did solicit something — the transcripts of Hillary’s speeches — that was subsequently obtained in the Podesta hack. The DNC did not include that in their complaint and that might have changed Koeltl’s analysis or, at a minimum, tested one of the theories the government is currently using in the Assange prosecution.

Similarly, while there is now evidence in the record that suggests Stone may have had advanced knowledge even of the July 2016 DNC dump, the allegations that would show him having had an impact on the release of documents pertain to the release of the Podesta emails. Jerome Corsi (who was added in the DNC’s second complaint but not as a conspirator) claimed that he had helped Stone optimize the Podesta release in an attempt to drown out the Access Hollywood video, but Mueller was not able to corroborate that.

More tantalizingly, a filing in Stone’s case shows that in at least one warrant application, the government cited some conversation in which he and others — possibly Corsi and Ted Malloch — were discussing “phishing with John Podesta.” That’s not something that will be public for some time. But even if it suggested that Stone may have had more knowledge of the Podesta hack than he let on, it would be meaningless in a suit brought by the DNC.

No one knows why Manafort shared polling data and his plans to win the Rust Belt (indirectly) with Oleg Deripaska

The second DNC complaint mentions, but does not explain, that Paul Manafort had Rick Gates send polling data to Konstantin Kilimnik intended to be shared with oligarchs including Oleg Deripaska.

At some point during the runup to the 2016 election, Manafort “shar[ed] polling data . . . related to the 2016 presidential campaign” with an individual connected to Russian military intelligence. This data could have helped Russia assess the most effective ways to interfere in the election, including how best to use stolen Democratic party materials to influence voters.

[snip]

In March 2016, the Trump Campaign also hired Manafort. As noted above, Manafort was millions of dollars in debt to Deripaska at the time. He was also broke.55 Yet he agreed to work for the Trump Campaign for free. A few days after he joined the Trump Campaign, Manafort emailed Kilimnik to discuss how they could use Manafort’s “media coverage” to settle his debt with Deripaska.56 Manafort had multiple discussions with Kilimnik in the runup to the 2016 election, including one in which Manafort “shar[ed] polling data . . . related to the 2016 presidential campaign.”57 This data could have helped Russia assess the most effective ways to interfere in the election, for instance, by helping it determine how best to utilize information stolen from the DNC.

[snip]

Manafort lied about sharing polling data with Kilimnik related to Trump’s 2016 campaign.226

The Mueller Report’s further details on the sharing, including Manafort’s review of his strategy to win the Rust Belt, came too late for the complaint. And as such, Koeltl doesn’t really deal with that allegation (which would likely require naming others as conspirators in any case), and instead treats any conspiracy as limited to the hack-and-leak.

Thus, he does not treat the hints of further coordination, nor is there currently enough public evidence for the DNC to get very far with that allegation. This is a ruling about an alleged hack-and-leak conspiracy, not a ruling about any wider cooperation to help Trump win the election.

No one knows what happened to the stolen DNC analytics

Finally, while the DNC complaint extensively described the September hack of its analytics hosted on AWS servers — a hack that took place after Stone scoffed at the analytics released to date by Guccifer 2.0 — Koeltl doesn’t treat that part of the hack in detail because it was never publicly shared with anyone.

The Second Amended Complaint does not allege that any materials from the September 2016 hack were disseminated to the public and counsel for the DNC acknowledged at the argument of the current motions that there is no such allegation.

The DNC included the analytics in their trade secret discussion, but given that Russia had FSIA immunity, and given that the GOP is not known to have received any of this, Koeltl did not consider the later theft (which is not known to have had the same public interest value as the claimed trade secrets that got leaked).

The SAC asserts: “The GRU could have derived significant economic value from the theft of the DNC’s data by, among other possibilities, selling the data to the highest bidder.” There is no allegation that the Russian Federation did in fact sell the DNC’s data, and any claims against the Russian Federation under the federal and state statutes prohibiting trade secret theft are barred by the FSIA.

Finally, given that it was not released publicly, Koeltl does not consider how the GRU hack of analytics after Stone’s discussion of analytics with Guccifer 2.0 might change the analysis on whether Stone was involved prior to any hacks.

Similarly, Stone is alleged to have contacted WikiLeaks through Corsi for the first time on July 25, 2016 and spoke to GRU officers in August 2016 — months after the April 2016 hack. Stone is not alleged to have discussed stealing the DNC’s documents in any of these communications, or to have been aware of the hacks until after they took place.

[snip]

DNC does not raise a factual allegation that suggests that any of the defendants were even aware that the Russian Federation was planning to hack the DNC’s computers until after it had already done so.

Again, there’s too little known about the purpose of this part of the hack (which virtually no one is aware of, but which would have been particularly damaging for the Democrats), and as such the DNC would not be in a position to allege it in any case. But it is a key part of the hack that shifts the timeline Koeltl addressed.

Which ultimately leaves Koeltl’s final judgment about the DNC attempt to obtain some kind of remedy for having Trump welcome and capitalize on a foreign state’s actions to tamper in the election. “Relief from the alleged activities of the Russian Federation,” Koeltl said, “should be sought from the political branches of the Government and not from the courts.”

One of the few ways to do that is to impeach.

As I disclosed last July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

Accused Vault 7 Leaker Joshua Schulte Planned to Have WikiLeaks Publish Disinformation to Help His Defense

When WikiLeaks announced its publication of the CIA’s hacking tools in March 2017, the first tool it highlighted was an effort called Umbrage, which it claimed the CIA used to “misdirect attribution.”

UMBRAGE

The CIA’s hand crafted hacking techniques pose a problem for the agency. Each technique it has created forms a “fingerprint” that can be used by forensic investigators to attribute multiple different attacks to the same entity.

This is analogous to finding the same distinctive knife wound on multiple separate murder victims. The unique wounding style creates suspicion that a single murderer is responsible. As soon one murder in the set is solved then the other murders also find likely attribution.

The CIA’s Remote Devices Branch’s UMBRAGE group collects and maintains a substantial library of attack techniques ‘stolen’ from malware produced in other states including the Russian Federation.

With UMBRAGE and related projects the CIA can not only increase its total number of attack types but also misdirect attribution by leaving behind the “fingerprints” of the groups that the attack techniques were stolen from.

UMBRAGE components cover keyloggers, password collection, webcam capture, data destruction, persistence, privilege escalation, stealth, anti-virus (PSP) avoidance and survey techniques.

Experts noted at the time that Umbrage served mostly to save time by reusing existing code. Nevertheless, the representation that the CIA would sometimes use other nations’ tools was immediately integrated into conspiracy theories denying that Russia carried out the 2016 hacks on Democrats. Because the CIA sometimes obscured its own hacks, denialists have said since, the CIA must have been behind the 2016 hacks, part of a Deep State operation to frame Russia and in so doing, undermine Trump.

Documents released this week reveal that Joshua Schulte, who is accused of leaking those documents to WikiLeaks, believed he could get WikiLeaks to publish disinformation to help his case.

Several documents submitted this week provide much more clarity on Schulte’s case. On Monday, the government responded to a Schulte effort to have his communications restrictions (SAMs) removed; their brief not only admitted — for what I believe to be the first time in writing — that the CIA is the victim agency, but described an Information War Schulte attempted to conduct from jail using contraband phones and a slew of social media accounts.

Yesterday, in addition to requesting that Schulte’s child porn charges be severed from his Espionage ones, his defense team moved to suppress the warrants used to investigate his communication activities in jail based on a claim the FBI violated Schulte’s attorney-client privilege. During the initial search, agents reviewed notebooks marked attorney-client with sufficient attention to find non-privileged materials covered by the search warrant, and only then got a privilege team to go through the notebooks in more detail. The privilege team confirmed that 65% of the contents of the notebooks was privileged. In support of the suppression motion, Schulte’s lawyers released most of the warrants used to conduct those searches, including the downstream one used to access three ProtonMail accounts discovered by the government and another downstream one used to access his ten social media accounts (see below for a list of all of Schulte’s accounts). Effectively, they’re arguing that the FBI would have never found this unbelievably incriminating communications activity, which will make it fairly easy for the government to prove that Schulte is the Vault 7 leaker without relying on classified information, without accessing those notebooks marked privileged.

But along the way, the documents released this week show that the guy accused of leaking the Umbrage file, which denialists have relied on to claim the 2016 hack was a false flag operation framing Russia, himself planned false flag activities to proclaim his innocence.

The government’s SAMs response describes in cursory fashion, and the affidavits for the warrants as a whole describe in more detail, how Schulte planned to adopt two fake identities — a CIA officer and an FBI Agent — to proclaim his innocence. The idea behind the latter was to corroborate two claims Schulte posted on his JoshSchulte WordPress sites on October 1, 2018 — that the FBI had planted the child porn discovered on his computer.

i. “I now believe the government planted the CP after their search warrants turned up empty-not only to save their jobs and investigation, but also to target and decimate my reputation considering my involvement in significant information operations and covert action.”

As noted above, in the Fake FBI Document in the Schulte Cell Documents, a purported FBI “whistleblower” claimed that the FBI had placed child pornography on Schulte’s computer after its initial searches of the device were unsuccessful in recovering evidence. See supra ¶ 14(a)(iii).

ii. “So who’s responsible for Vault 7? The CIA’s own version of the FBI’s Peter Strzok and Lisa Page,”

As noted above, in the September Tweet in the Schulte Cell Documents, a purported former CIA colleague of Schulte (but who was in fact simply Schulte himself) claimed that two other CIA former colleagues, one of whom Schulte described as the “Peter Strzok of the CIA,” had conspired to blame Schulte for Vault 7, WikiLeaks’ disclosure of the CIA material.

As noted above, two of the documents found in Schulte’s cell mixed in with the attorney-client material show how Schulte planned to create false identities to spread the same stories. One was an article he planned to send to WikiLeaks, claiming to be from an FBI whistleblower describing how Schulte was framed.

iii. A document that appears to be an article for release by WikiLeaks.org (“WikiLeaks”), in which a purported FBI “whistleblower” claimed to have provided the discovery in this case to WikiLeaks and that the FBI had planted evidence of child pornography on Schulte’s computer to frame him (the “Fake FBI Document”).

The documents also include his plans to release a fake CIA tweet claiming he was framed for the Vault 7 leak.

iv. Drafts of a tweet (the “Fake CIA Tweet”) that appear to have been drafted around August 30, 2018, in which Schulte pretending to be a former CIA colleague claimed that two other former CIA colleagues, both of whom Schulte referred to by full name and one of whom he described as the “Peter Strzok of the CIA,” had “set up” Schulte and used him as a “scapegoat” for “Vault 7,” which is the name of WikiLeaks’ serial disclosures of CIA material that began on or about March 7, 2017 and which forms the basis of some of the current charges against Schulte. On the following page of the Schulte Cell Documents appears the text “Just to authenticate me fast” followed by other apparent draft tweets that discussed the CIA’s alleged activities and methods, some of which appear to be classified (the “Fake Authentication Tweets”). ... I believe that Schulte planned to potentially publish the Fake Authentication Tweet before the Fake CIA Tweet in an effort to purportedly verify the author’s employment with the CIA and knowledge of the information in the Fake CIA Tweet.

Finally, the FBI also found Schulte’s to-do list of how he planned to share both the fake FBI document and his discovery with WikiLeaks.

What appears to be a “to-do” list dated September 12, 2018, in which Schulte wrote that on September 17 and 18, he would “DL Disc. UL WL,” and that on September 19, 20, and 21, he would “schedule tweets[.]” I believe that here, “DL Disc. UL WL” means that Schulte planned to download his discovery (“DL Disc.”) from the Schulte Laptop and upload that discovery to WikiLeaks (“UL WL”). As noted above, in another place in the Schulte Cell Documents, Schulte drafted the Fake FBI Document, a purported statement by a supposed FBI “whistleblower” who provided Schulte’s discovery to WikiLeaks and claimed that the FBI had planted evidence of child pornography on Schulte’s computer.

From a legal standpoint, Schulte’s lawyers have disclosed all these warrant materials in an urgent effort to suppress everything the government found after first accessing his notebooks from jail. The FBI investigation proceeded from those notebooks to the WordPress site showing him claiming something identical to disinformation he was packaging up to share with WikiLeaks. They also got from those notebooks to ProtonMail accounts where Schulte offered to share what may or may not be classified information with a journalist. The reason why the defense is pushing to suppress this — one of the only challenges they’re making in his prosecution thus far — is because the stuff Schulte did in prison is utterly damning and seems to confirm both his familiarity with WikiLeaks and his belief that he needed to create disinformation to claim to be innocent.

We’ll see whether this Fourth and Sixth Amendment challenge works.

But along the way, the defense has released information — the provenance of which they’re not disputing in the least — that shows that Schulte planned to use WikiLeaks to conduct a disinformation campaign. But it wouldn’t be the first time Schulte had gotten WikiLeaks to carry out his messaging. A year ago today — in the wake of Schulte being charged with the Vault 7 leak — WikiLeaks linked to the diaries that Schulte was writing and posting from his jail cell, possibly showing that Schulte continued to communicate with WikiLeaks — either via a family member or directly — even after he had been put in jail. Those diaries are among the things seized in the search.

In a follow-up, I think I can show that Schulte did succeed in using WikiLeaks as part of a disinformation campaign.

Social media accounts Joshua Schulte accessed from jail

ProtonMail: annon1204, presumedguilty, freejasonbourne

Twitter: @freejasonbourne (created September 1, 2018 and used through October 2, 2018)

Buffer (used to schedule social media posts): (created September 3, 2018, used through September 7, 2018)

WordPress: joshschulte.wordpress.com, presumptionofslavery.wordpress.com, presumptionofinnocence.net (all created August 14, 2018)

Gmail: [email protected], [email protected] (created April 15, 2018), [email protected]

Outlook: [email protected]

Facebook: ‘who is JOHN GALT?’ (created April 17, 2018)

Update: The government also believed at the time that an account in the name Conj Khyas was used by Schulte to receive classified information at his annon1204 account. It was not listed in these warrants, but would amount to a 14th account.

The Congressional Research Service’s (Dated) Take on Julian Assange’s Indictment: DOJ May Argue He Aided Russian Spying

Project on Government Secrecy just released a Congressional Research Service report, which was originally written on April 22, on Julian Assange’s arrest.

It’s a fairly balanced and thorough document, including quotes from The Intercept. But it’s dated, with the body of the report integrating neither his superseding indictment (though an update does note it happened) nor Sweden’s stance on the rape investigation (reopening it but not asking for extradition).

There’s one big thing that the report misses, which is relevant for its analysis, even dated as it is. It describes, correctly, that Assange was originally indicted in March 2018. But it doesn’t note that the complaint was obtained on December 21, 2017. That seems particularly pertinent given that it happened on the same day as (and therefore may be the legal reason why) the UK denied Ecuador’s attempt to make Assange a diplomat.

Ecuador previously had been unsuccessful in its attempts to secure arrangements for Assange to leave the embassy through legal channels. In 2017, the country made Assange an Ecuadorian citizen. Later that year, Ecuador’s foreign minister designated Assange as a diplomat in what observers interpreted to be an effort to confer the VCDR’s personal diplomatic protections on Assange, allowing him to leave the embassy and take up a diplomatic post in Russia without fear of arrest during his travel. But U.K. officials denied Assange diplomatic accreditation, and Ecuador withdrew its diplomatic designation shortly thereafter. Ecuador also suspended Assange’s citizenship as part of its decision to allow his arrest.

For a document meant to provide Congress a balanced report on his arrest, it seems pertinent to suggest that Ecuador may have failed in its efforts to secure this diplomatic solution because the US intervened quickly.

And that, in turn, seems relevant to the one point that I haven’t seen discussed in other coverage of Assange’s arrest: whether DOJ got around cautions against indicting journalists in its media policy by relying on the language that such cautions do not apply when there are reasonable grounds to believe that the media person in question is aiding, abetting, or conspiring in illegal activities with a foreign power.

The news media policy also provides that it does not apply when there are reasonable grounds to believe that a person is a foreign power, agent of a foreign power, or is aiding, abetting, or conspiring in illegal activities with a foreign power or its agent. The U.S. Intelligence Community’s assessment that Russian state-controlled actors coordinated with Wikileaks in 2016 may have implicated this exclusion and other portions of the news media policy, although that conduct occurred years after the events for which Assange was indicted. The fact that Ecuador conferred diplomatic status on Assange, and that this diplomatic status was in place at the time DOJ filed its criminal complaint, may also have been relevant. Finally, even if the Attorney General concluded that the news media policy applied to Assange, the Attorney General may have decided that intervening events since the end of the Obama Administration shifted the balance of interests to favor prosecution. Whether the Attorney General or DOJ will publicly describe the impact of the news media policy is unclear.

That is, CRS suspects that DOJ may have gotten around cautions against arresting members of the media by using the exception in AG Guidelines,

(ii) The protections of the policy do not extend to any individual or entity where there are reasonable grounds to believe that the individual or entity is –

(A) A foreign power or agent of a foreign power, as those terms are defined in section 101 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801);

Which would in effect mean they were arguing that Assange fulfills this language from FISA.

(B) acts for or on behalf of a foreign power which engages in clandestine intelligence activities in the United States contrary to the interests of the United States, when the circumstances indicate that such person may engage in such activities, or when such person knowingly aids or abets any person in the conduct of such activities or knowingly conspires with any person to engage in such activities;

It would be unsurprising to see DOJ argue that for Assange’s activities in 2016. After all, they’ve described him in terms often used with co-conspirators in the GRU indictment (though didn’t obtain that indictment until long after Assange was charged and indicted). They similarly describe WikiLeaks as the recipient of Vault 7 documents in the Joshua Schulte superseding indictments; but while that gets perilously close to alleging Schulte was leaking documents on behalf of a foreign power, they don’t charge that (and, again, that superseding indictment was obtained months after the Assange one).

None of that means Assange was acting as — or abetting — the actions of a foreign power in 2010. That may ultimately be what they want to argue, that he was conspiring with Russia way back in 2010. But they haven’t charged or alleged that yet. Indeed, even Mike Pompeo’s accusations from 2017 — that WikiLeaks was a non-state intelligence service — don’t seem to reach the language in these exceptions.

And none of that makes this language any less dangerous for journalists. A lot of journalists published documents stolen from the DNC in 2016 long after it was broadly accepted that Russia had stolen them. That would mean any of those journalists might be accused of knowingly abetting Russia’s election year efforts.

In other words, prosecuting Assange because he knowingly abetted Russian efforts (especially if DOJ can only prove that for 2016, not the 2010 actions they’ve charged him with) still doesn’t pass the “New York Times” test.

The Three Theories of Prosecution for Julian Assange

In this post, I laid out what the 17 new charges against Julian Assange are. In this one, I’ll look more closely at three theories of criminalization:

  • Theory One: Charging Assange for causing Chelsea Manning to leak classified information by soliciting it generally or specifically (and/or discussing its value before she obtained it)
  • Theory Two: Charging Assange for offering to help crack a password and attempting to obtain the documents that would have been available using it
  • Theory Three: Charging Assange for leaking the identities of US government informants in three different databases

Theory One: Obtaining and disclosing documents that were solicited (Counts 2-4 and 6-14)

Effectively, they’ve charged Assange for causing Chelsea Manning to obtain (Charges 2 through 4), obtaining himself (Charges 6 through 8), causing Manning to disclose documents she did not have authorized possession of (Charges 9 through 11), and causing Manning to disclose legally obtained documents (Charges 12 through 13) for three sets of documents: The Gitmo Detainee Assessment Briefs, the State Department Cables, and the Iraq Rules of Engagement.

Assange is not being charged for publishing anything under this theory (that’s not true under Theory Three). He’s being charged with causing Manning to obtain and disclose them to him.

To accuse Assange of causing Manning to do these things, they show how a Most Wanted Leaks list posted on WikiLeaks until September 2010 resembles what Manning looked for on DOD’s networks and what she sent to Assange.

In addition, they show that Manning and Assange discussed some of these leaks before she obtained them.

For example, on March 7, 2010, Manning asked ASSANGE how valuable the Guantanamo Bay detainee assessment briefs would be. After confirming that ASSANGE thought they had value, on March 8, 2010, Manning told ASSANGE that she was “throwing everything [she had] on JTF GTMO [Joint Task Force, Guantanamo] at [Assange] now.” ASSANGE responded, “ok, great!”

[snip]

Manning later told ASSANGE in reference to the Guantanamo Bay detainee assessment briefs that “after this upload, thats all i really have got left.” I

The indictment argued that Manning downloaded the State Department cables in response to the request for bulk databases on the Wish List.

Further, following ASSANGE’s “curious eyes never run dry” comment, and consistent with WikiLeaks’s solicitation of bulk databases and classified materials of diplomatic significance, as described in paragraphs 2, 4-5, between on or about March 28, 2010, and April 9, 2010, Manning used a United States Department of Defense computer to download over 250,000 U.S. Department of State cables, which were classified up to the SECRET level. Manning subsequently uploaded these cables to ASSANGE and WikiLeaks through an SFTP connection to a cloud drop box operated by WikiLeaks, with an X directory that WikiLeaks had designated for Manning’s use. ASSANGE and WikiLeaks later disclosed them to the public.

And it showed that the Iraq Rules of Engagement were on the Wish List.

As of November 2009, WikiLeaks’s “Most Wanted Leaks” for the United States included the following:

[snip]

b. “Military and Intelligence” documents, including documents that the list described as classified up to the SECRET level, for example, “Iraq and Afghanistan Rules of Engagement 2007-2009 (SECRET);”

[snip]

Following ASSANGE’s “curious eyes never run dry” comment, on or about March 22, 2010, consistent with WikiLeaks’s “Most Wanted Leaks” solicitation of “Iraq and Afghanistan US Army Rules of Engagement 2007-2009 (SECRET),” as described in paragraphs 4-5, Manning downloaded multiple Iraq rules of engagement files from her Secret Internet Protocol Network computer and burned these files to a CD, and provided them to ASSANGE and WikiLeaks.

Thus, for each of these, the government is saying that soliciting specific classified (or protected) materials amounts to Espionage. This is the theory of prosecution I argued would criminalize people like Jason Leopold, who was clearly engaged in journalism when he specifically asked about a specific Suspicious Activity Report from a source.

Theory Two: Attempted hacking to attempt to obtain the documents available via the hack (Counts 5 and 18)

For one vaguely defined set of documents, DOJ has charged Assange for attempting to help Manning crack a password (which was the single previous charge, which is now Charge 18) in order to attempt to obtain unidentified documents on SIPRNet.

15. In furtherance of this scheme, ASSANGE agreed to assist Manning in cracking a password hash stored on United States Department of Defense computers connected to the Secret Internet Protocol Network, a United States government network used for classified documents and communications, as designated according to Executive Order No. 13526 or its predecessor orders.

I believe (though am not certain) that that’s what the documents charged in Count 5 are about.

Between in or about November 2009 and in or about May 2010, in an offense begun and committed outside of the jurisdiction of any particular state or district of the United States, the defendant, JULIAN PAUL ASSANGE, who will be first brought to the Eastern District of Virginia, and others unknown to the Grand Jury, knowingly and unlawfully attempted to receive and obtain documents, writings, and notes connected with the national defense—namely, information stored on the Secret Internet Protocol Network classified up to the SECRET level—for the purpose of obtaining information respecting the national defense, knowing and having reason to believe, at the time that he attempted to receive and obtain them, that such materials would be obtained, taken, made, and disposed of by a person contrary to the provisions of Chapter 37 of Title 18 of the United States Code.

This theory also doesn’t charge Assange with publishing information. Rather than charging him for soliciting leaks (Theory One), it charges him with helping to obtain documents Manning was not authorized to obtain by attempting to crack a password to get Administrator privileges.

Theory Three: Releasing the names of informants (Counts 15-17)

For each of three sets of US government informants, there’s also a charge tied to the informants’ identities disclosed in bulk databases.

35. Also following Manning’s arrest, during 2010 and 2011, ASSANGE published via the WikiLeaks website the documents classified up to the SECRET level that he had obtained from Manning, as described in paragraphs 12, 21, and 27, including approximately 75,000 Afghanistan war-related significant activity reports, 400,000 Iraq war-related significant activities reports, 800 Guantanamo Bay detainee assessment briefs, and 250,000 U.S. Department of State cables.

36. The significant activity reports from the Afghanistan and Iraq wars that ASSANGE published included names of local Afghans and Iraqis who had provided information to U.S. and coalition forces. The State Department cables that WikiLeaks published included names of persons throughout the world who provided information to the U.S. government in circumstances in which they could reasonably expect that their identities would be kept confidential. These sources included journalists, religious leaders, human rights advocates, and political dissidents who were living in repressive regimes and reported to the United States the abuses of their own government, and the political conditions within their countries, at great risk to their own safety. By publishing these documents without redacting the human sources’ names or other identifying information, ASSANGE created a grave and imminent risk that the innocent people he named would suffer serious physical harm and/or arbitrary detention.

For each database, the indictment looks at several instances of the individuals whose identities were released. It then lays out evidence that Assange knew and did not care that by publishing these identities he would be endangering people.

This is the theory of prosecution that does criminalize the publication of true information. And it criminalizes something that journalists, at times, do.

The government often tries to classify identities that should not be (as they did with Gina Haspel, to hide her role in torture, for example). When journalists learn these identities they sometimes do choose to ignore admonitions against publication, for good reason. That’s what Assange is accused of doing here, but only on a mass scale. But if this is successful, there’s nothing that will prevent the government from charging people for disclosing classified identities at a smaller scale.

I’m also not sure how, as a foreign citizen, this doesn’t invite retaliation against the US for identifying classified identities of other countries.