On CNN’s WikiLeaks Exclusive: Remember the Other Document Dumps

CNN has a report on leaked security records describing some of the visitors and improved computer equipment Julian Assange got in 2016, as Russia was staging the election hack-and-leak. The story is a better exposé of how increased pressure from the US and a change of president in Ecuador dramatically changed Assange’s freedom to operate in the Ecuadorian Embassy in London, with many details of the internal Ecuadorian politics, than it is proof of anything pertaining to the hack-and-leak.

As for the latter, the story itself insinuates ties between WikiLeaks and Russia’s hack-and-leak operation by matching the profile of Assange’s known (and dramatically increased number of) visitors in 2016 with the timing of those visits. Those people are:

  • A Russian national named Yana Maximova, about whom CNN states almost nothing is known, who visited at key moments in June 2016 (though CNN doesn’t provide the specific dates)
  • Five meetings in June 2016 with senior staffers from RT, including two visits from their London bureau chief, Nikolay Bogachikhin
  • German hacker Andrew Müller-Maguhn
  • German hacker Bernd Fix (who visited with Müller-Maguhn a few times)

These visitors have, in general, been identified before, and with the exception of Müller-Maguhn, CNN doesn’t give the precise dates when people visited Assange, instead providing only screenshots of entry logs (which, CNN notes, key visitors wouldn’t be on). The exception is Müller-Maguhn, whose pre-election visits the TV version lists as:

  • February 19 and 20, 2016
  • March 14, 2016
  • May 8, 2016
  • May 23, 2016
  • July 7, 2016
  • July 14, 2016
  • July 28, 2016
  • August 3, 2016
  • August 24, 2016
  • September 1, 2016
  • September 19, 2016
  • October 21, 2016
  • October 31, 2016

And, yes, some of those visits match the known Russian hack-and-leak timeline in enticing ways, such as that Müller-Maguhn, who told WaPo that, “he was never in possession of the material before it was put online and that he did not transport it,” showed up the same day Mueller documents describe WikiLeaks obtaining an archive that had been uploaded (“put”) online and by that means transferred to WikiLeaks.

But that would be entirely consistent with Müller-Maguhn helping to process the emails — something the Mueller team determined did not violate US law — not serving as a mule. Not that Müller-Maguhn would be best used as a mule in any case.

The descriptions of the changes in computer and other gear are more interesting: with Assange bumping up his resources on June 19, a masked visitor dropping off a package outside the embassy on July 18, and exempt WikiLeaks personnel removing a ton of equipment on October 18, as Ecuador finally threatened to shut WikiLeaks down.

Shortly after WikiLeaks established contact with the Russian online personas, Assange asked his hosts to beef up his internet connection. The embassy granted his request on June 19, providing him with technical support “for data transmission” and helping install new equipment, the documents said.

[snip]

Days later, on July 18, while the Republican National Convention kicked off in Cleveland, an embassy security guard broke protocol by abandoning his post to receive a package outside the embassy from a man in disguise. The man covered his face with a mask and sunglasses and was wearing a backpack, according to surveillance images obtained by CNN.

[snip]

The security documents lay out a critical sequence of events on the night of October 18. Around 10 p.m., Assange got into a heated argument with then-Ecuadorian Ambassador Carlos Abad Ortiz. Just before midnight, Abad banned any non-diplomatic visitors to the embassy and left the building. Behind the scenes, Assange communicated with the foreign minister in Quito.

Within an hour of Abad’s departure, he called the embassy and reversed the ban.

By 1 a.m., two WikiLeaks personnel arrived at the embassy and started removing computer equipment as well as a large box containing “about 100 hard drives,” according to the documents.

Security officials on site wanted to examine the hard drives, but their hands were tied. The Assange associates who removed the boxes were on the special list of people who couldn’t be searched. The security team sent a memo back to Quito raising red flags about this late-night maneuver and said it heightened their suspicions about Assange’s intentions.

Again, none of that proves a knowing tie with Russian intelligence. But it does show an interesting rhythm during that year.

But this schedule doesn’t consider the other things going on with WikiLeaks in 2016. At almost the same time that WikiLeaks released the DNC emails, after all, they also released the AKP email archive.

More interesting still, according to the government’s current allegations about Joshua Schulte’s actions in leaking the CIA’s hacking tools to WikiLeaks, he made a copy of the CIA’s backup server on April 20, then transmitted the files from it to … someone (I suspect these may not have gone directly to WikiLeaks) … in late April to early May.

But then for some reason, on August 4, Schulte for the first time ever started conducting Google searches on WikiLeaks, without visiting the WikiLeaks site until the first release of the Vault 7 leaks.

Meanwhile, WikiLeaks claimed in August 2016 — and ShadowBrokers invoked that claim, in January 2017 — that WikiLeaks had obtained a copy of the original ShadowBrokers files released on August 16, 2016. A Twitter account claiming to be ShadowBrokers reiterated this claim late last year.

Consider the continued presence of highly skilled hackers at the Embassy and the removal of tons of computer equipment as Ecuador cracked down from the viewpoint of what happened to all of NSA and CIA’s hacking tools, rather than what happened with John Podesta’s risotto recipe. Add in the fact that the government seems to think Schulte altered the air gap tool he allegedly wrote for CIA outside of CIA.

To the extent they provide these dates (again, they do so with specificity only for Müller-Maguhn, and only before the election; not to mention, his emails appear to fit a fairly regular twice-monthly pattern), a few of them are quite intriguing. But there was a whole lot else going on with WikiLeaks that year that might be even more important for describing the true nature of WikiLeaks.

As I disclosed last July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

The Gina Haspel Honorary 2020 Intelligence Authorization Might Criminalize Linked In Resumes

The Intelligence Authorization for 2018-2020 is actually not named after CIA Director Gina Haspel. But it might as well be for the way it bears the marks of the first female head of an Intelligence Agency. It offers 12 weeks of paid parental leave for Intelligence personnel (a good thing!) and it also imposes a new rule prohibiting someone nominated to a Senate-confirmed position from making classification determinations about information needed to assess the nominee’s record, as Haspel did when she hid information on her role in the torture program during her own confirmation process.

But the Haspel related part of the authorization that has (rightly) gotten the most attention — such as in this NYT piece — is a move designed to dramatically expand the types of people covered under the Intelligence Identities Protection Act, which currently prohibits sharing the identities of classified intelligence officers who’ve spent time overseas in the last five years, to cover everyone — past or present — whose relationship with US intelligence is classified.

Most of the concern about the measure focuses — as highlighted in Ron Wyden’s concerns laid out in the bill report — on avoiding accountability for torture (his comment implicitly applies to both Haspel and torture architects Mitchell and Jessen).

I am concerned about a new provision related to the Intelligence Identities Protection Act (IIPA). In 2010, I worked to pass legislation to increase the penalties for violations of the IIPA. This bill, however, expands the bill so that it applies indefinitely, including to individuals who have been in the United States for decades and have become senior management or have retired. I am not yet convinced this expansion is necessary and am concerned that it will be employed to avoid accountability. The CIA’s request that the Committee include this provision, which invoked “incidents related to past Agency programs, such as the RDI [Rendition, Detention and Interrogation] investigation,” underscores my concerns.

While I agree with Wyden that the intent of this measure is about shielding the CIA from accountability, I think the measure would have two other unintended consequences.

First, I think it more likely that Julian Assange will beat some of the charges against him. (Let me be very clear, for the charges this would affect — which I lay out under Theory Three here — I think this is a good thing.) The justification for the change liberated by Charlie Savage actually mentions WikiLeaks by name.

Undercover Agency officers face ever-evolving threats, including cyber threats. Particularly with the lengths organizations such as WikiLeaks are willing to go to obtain and release sensitive national security information, as well as incidents related to past Agency programs, such as the RDI investigation, the original congressional reasoning mentioned above for a narrow definition of “covert agent” no longer remains valid.

This language raises real questions for me about whether CIA really understands WikiLeaks, not least because WikiLeaks is not going to greater lengths than other media outlets to facilitate the sharing of information (what happens before and after that is another issue).

But one way or another, if this bill were to pass, it would pass after Assange got charged with disclosing databases of sensitive identities. (The timing on this is rather suspect: SSCI passed the authorization on May 14, Burr reported it to the full Senate on May 22, and Assange’s superseding indictment was approved by the grand jury on May 23.) It would be child’s play for Assange’s attorneys (and he has very good attorneys) to argue that the timing is proof that disclosing the identities of most of the people in those databases — who were sources rather than CIA officers — was not illegal at either the time he did it or the time he was charged for it. In addition, passing this bill would reiterate Congress’ belief, now in 2019, that only US citizens should be protected in this way; Assange is accused of disclosing the identities of foreigners, not Americans.

So this law, if it passes, would likely make it easier for Assange to beat these charges, but make anyone else doing it — even if for good reasons and after considering the risk — a criminal.

It’s the other presumably unintended consequence of this bill that I think is even more problematic. It would criminalize all sorts of ways that former intelligence officials publicly identify themselves. The current law includes an exception for those who identify themselves as covert agents, meaning the expanded definition should not be used to prevent people from disclosing their own past affiliation with the agency (to the extent their Non-Disclosure Agreements don’t prohibit it).

It shall not be an offense under section 601 for an individual to disclose information that solely identifies himself as a covert agent.

It also generally requires malice on the part of the person releasing identities. Nevertheless, given the way that the government already uses past classified work to restrict people for the rest of their life, it is not inconceivable that the government would come to use this law to punish others who provide platforms for former intelligence personnel to talk about that openly, like Linked In. Imagine a situation, for example, where the IC deems making it easier for former intelligence professionals to find better paying jobs in the private sector to be, “a pattern of activities intended to identify and expose covert agents and with reason to believe that such activities would impair or impede the foreign intelligence activities of the United States.” In such a situation, Linked In might be charged under a newly expanded IIPA.

Given the vast number of former intelligence personnel who move into the private sector and the degree to which it has become commonplace to discuss those past affiliations openly, the criminalization of sharing of those identities poses a particular risk. That’s definitely not the point of this bill. But by lowering the bar for who counts as covert and making covert status permanent, it certainly could be used for such ends in the future.

Joshua Schulte Keeps Digging: His Defensible Legal Defense Continues to Make a Public Case He’s Guilty

To defend him against charges of leaking the CIA’s hacking tools to WikiLeaks, Sabrina Shroff has made it clear that Joshua Schulte is the author of the CIA’s lies about its own hacking.

In a motion to suppress all the earliest warrants against Schulte submitted yesterday, Shroff makes an unintentionally ironic argument. In general, Shroff (unpersuasively) argues some things the government admitted in a Brady letter sent last September are evidence of recklessness on the part of the affiant on those earliest warrants, FBI Agent Jeff Donaldson. She includes most of the items corrected in the Brady letter, including an assertion Donaldson made, on March 13, 2017, that Schulte’s name did not appear among those published by WikiLeaks: “The username used by the defendant was published by WikiLeaks,” the prosecutors corrected the record in September 2018. To support a claim of recklessness, Shroff asserted in the motion that someone would just have to search on that username on the WikiLeaks site to disprove the initial claim.

Finally, the Brady letter explained that a key aspect of the affidavit’s narrative—that Mr. Schulte was the likely culprit because WikiLeaks suspiciously did not publicly disclose his identity—was false. Mr. Schulte’s identity (specifically, his computer username “SchulJo”) was mentioned numerous times by WikiLeaks, as a simple word-search of the WikiLeaks publication would have shown. See Shroff Decl. Exh. F at 7

If you do that search on his username — SchulJo — it only readily shows up in one file, the Marble Framework source code.

That file was not released until March 31, 2017. So the claim that Schulte’s name did not appear in the WikiLeaks releases was correct when Donaldson made it on March 13. That claim — like most of the ones in the Brady letter — reflects the incomplete knowledge of an ongoing investigation, not recklessness or incompetence (Schulte has written elsewhere that he believed the FBI acted rashly to prevent him from traveling to Mexico, which given other details of this case — including that he hadn’t returned his CIA diplomatic passport and snuck it out of his apartment when the FBI searched his place, they were right to do).

By sending her reader to discover that Schulte’s name appears as the author of the Marble Framework, she makes his “signature” that of obfuscation — hiding who actually did a hack.

Marble is used to hamper forensic investigators and anti-virus companies from attributing viruses, trojans and hacking attacks to the CIA.

Marble does this by hiding (“obfuscating”) text fragments used in CIA malware from visual inspection.

[snip]

The source code shows that Marble has test examples not just in English but also in Chinese, Russian, Korean, Arabic and Farsi. This would permit a forensic attribution double game, for example by pretending that the spoken language of the malware creator was not American English, but Chinese, but then showing attempts to conceal the use of Chinese, drawing forensic investigators even more strongly to the wrong conclusion, — but there are other possibilities, such as hiding fake error messages.

Marble was one of the files WikiLeaks — and DNC hack denialists — would point to to suggest that CIA had done hacks (including the DNC one) and then blamed them on Russia. In other words, in her attempt (again, it is unpersuasive) to claim that FBI’s initial suspicions did not reach probable cause, she identifies Schulte publicly not just with obfuscation about a breach’s true culprits, but with the way in which the Vault 7 leak — ostensibly done out of a whistleblower’s concern for CIA’s proliferation of weapons — instead has served as one prong of the propaganda covering Russia’s role in the election year hack.

That’s just an ironic effect of Shroff’s argument, not one of the details in yesterday’s releases that — while they may legally serve to undermine parts of the case against her client — nevertheless add to the public evidence that he’s not only very likely indeed the Vault 7 culprit, but not a terribly sympathetic one at that.

Back when FBI first got a warrant on Schulte on March 13, 2017, they had — based on whatever advanced notice they got from Julian Assange’s efforts to use the files to extort a pardon from the US government and the week of time since WikiLeaks had released the first and to that date only set of files on March 7 — developed a theory that he was the culprit. The government still maintains these core details of that theory to be true (this Bill of Particulars Schulte’s team released yesterday gives a summary of the government’s theory of the case as of April 29):

  • The files shared with WikiLeaks likely came from the server backing up the CIA’s hacking tools, given that the files included multiple versions, by date, of the files WikiLeaks released
  • Not that many people had access to that server
  • Schulte did have access
  • Not only had Schulte left the CIA in a huff six months before the WikiLeaks release — the only person known to have had access to the backup server at the time who had since left — but he had been caught during the period the files were likely stolen restoring his own administrator privileges to part of the server after they had been removed

But, after it conducted further investigation and WikiLeaks published more stolen files, the government came to understand that several other things that incriminated Schulte were not true.

[T]he government appears to have abandoned the central themes of the March 13 affidavit: namely, that the CIA information was likely stolen on March 7–8, 2016, that Mr. Schulte was essentially “one of only three people” across the entire CIA who could have taken it, and that WikiLeaks’s supposed effort to conceal his identity was telltale evidence of his culpability

There’s no indication, however, that Donaldson was wrong to believe what he did when he first obtained the affidavit; Shroff claims recklessness, but never deals with the fact that the FBI obtained new evidence. Moreover, for two of the allegations that the government later corrected — the date the files were stolen and the number of people who had access to the server, Donaldson admitted those were preliminary conclusions in his initial affidavit (which Shroff doesn’t acknowledge):

It is of course possible that the Classified Information was copied later than March 8, 2016, even though the creation/modification dates associated with it appear to end on March 7, 2016.

[snip]

Because the most recent timestamp on the Classified Information reflects a date of March 7, 2016, preliminary analysis indicates that the Classified Information was likely copied between the end of the day on March 7 and the end of the day on March 8.

[snip]

It is, of course, possible that an employee who was not a designated Systems Administrator could find a way to gain access to the Back-Up Server. For example, such an employee could steal and use–without legitimate authorization–the username and password of a designated Systems Administrator. Or an employee lacking Systems Administrator access could, at least theoretically, gain access to the Back-Up Server by finding a “back-door” into the Back-Up Server.

Between the two corrections, the revised information increases the number of possible suspects from two to five, out of 200 people who would have regular access to the files. A footnote to a later affidavit (PDF 138) describes that on April 5, 2017, FBI received information that suggested the number might be higher or lower. (I suspect Schulte argued in a classified filing submitted yesterday that even more people could have accessed it, not least because he has been arguing that in his various writings posted to dockets and other things.)

But, even though the Brady letter corrects the dates on which Schulte reinstated his administrator privileges for the Back-Up server slightly (he restored his own access on April 11, not April 14, which is when his managers discovered he had done so), Shroff only addresses his loss of privileges as innocent, without addressing that he got that access back on his own improperly.

More importantly, the motion doesn’t address, at all, that Schulte kicked everyone else off one of his programs, the Brutal Kangaroo tool used to hack air gapped networks using thumb drives. Nor does it address allegations against Schulte made in August 2016 as part of his clearance review, including that his demeanor changed for the worse around February 2016, he might be “subject to outside coercion,” and he tended not to abide by “guidelines concerning when and what kinds of media or data (such as external drives) could be connected or uploaded to CIA computer systems.” There are other details in the affidavit — such as Schulte’s attempt to learn what his former colleagues knew of the investigation — that support probable cause too (these may be among the things Shroff addresses in a classified filing).

That is, the probable cause that Schulte was the culprit was pretty strong even with the errors in the original affidavit, and none of the errors suggests malice or incompetence or even the recklessness Shroff alleges.

Shroff is right that the March 13 affidavit doesn’t offer as much probable cause to tie Schulte’s home to the crime; but that’s the magistrate’s fault and fairly standard for computer crimes, not the FBI’s. Shroff obscures the effect of FBI obtaining a second warrant to actually search the 150 storage media and computer devices they found in his home (a list of what they seized starts on PDF 116), as well as a second warrant to obtain child porn.

It is also true, as the defense argues, that the evidence to search for child porn was thin. But given that the government had a warrant to search the computer in question, and given precedents about child porn, that may not matter (though I think it is more likely to succeed than the rest of this). In any case, by the time of the main searches on child porn, three different magistrates had signed off on these searches.

This is a totally understandable attempt to get some of this evidence suppressed. But along the way the affidavits released yesterday provide a slew of damaging new details such as:

  • Schulte conducted a ton of searches on Google in April 2016 about detecting USB insertion, copying big files, deleting files, preventing other admins from seeing what someone was doing on a LAN
  • Schulte made a snapshot of (part of?) the LAN on April 20, 2016
  • In early May, Schulte researched how to use Tor and Tails, which the government alleges he used to send the files
  • On August 4, 2016 — the day after Snowden sent this tweet — Schulte did a Google search for WikiLeaks for the first time ever (note, I believe the Snowden tweet may have been preparation for the misleading IG report on him released the following month)
  • Between then and March 7, Schulte searched on WikiLeaks over 20 more times, reading hundreds of articles on it; but he didn’t visit WikiLeaks for the first time until March 7, 2017, the first day the files posted; he also searched for that Snowden tweet

In short, just Schulte’s Google searches alone provide very strong evidence that he’s the Vault 7 leaker. Which explains why his attorneys are making what will probably be an unsuccessful attempt to claim the Google searches were overly broad and lacked probable cause (something Schulte wrote elsewhere seems to reflect that he has been told this will be treated under a Good Faith exception).

Schulte has been trying to disclose all these materials for over a year. But they really don’t help his case.

Hope Hicks’ Very Well Lawyered Efforts to Protect Trump

Last week, Hope Hicks sat for a mostly tactical interview with the House Judiciary Committee. Democrats used her testimony to establish a record of just how ridiculous the White House claims to absolute immunity are by getting her on the record refusing to answer both utterly pertinent questions and innocuous ones, like where her desk in the White House was.

While she dutifully refused — on the orders of White House Counsel — to answer questions about her time in the White House, she actually slipped in two answers: revealing that after Trump had his own people in charge of the Intelligence Community, “he had greater confidence in their assessments” that Russia hacked the DNC and that she learned of the Letter of Intent to build a Trump Tower Moscow in fall 2017. Those are questions White House lawyers would have otherwise prohibited; I’m not sure how it’ll change the use of this hearing as evidence in the lawsuit to get her to actually testify.

Her answers with regards to the period prior to inauguration reveal what she would (and will) be like if she ever actually testifies. In those exchanges, Hicks comes off like a very well lawyered witness who was willing to shade as aggressively as possible to protect Trump. That was most obvious in her answers about WikiLeaks, first in response to questions from Sheila Jackson Lee. In that exchange, the press secretary of a presidential campaign claimed not to have a strategy surrounding messaging the campaign engaged in on a daily basis.

Ms. Jackson Lee. I’m going to have one or two questions and — I’ve done it again — one or two questions in a number of different areas. Let me first start with the report. According to the report, by late summer of 2016 the Trump campaign was planning a press strategy, a communications campaign and messaging, based on the possible release of Clinton emails by WikiLeaks. Who was involved in that strategy?

Ms. Hicks. I don’t recall.

Ms. Jackson Lee. I thought you were intimately involved in the campaign.

Ms. Hicks. I was. It’s not something I was aware of.

Ms. Jackson Lee. What about the communications campaign, who was involved there? Do you not recall or do you not know?

Ms. Hicks. To my recollection, it’s not something I was aware of.

[snip]

Ms. Jackson Lee. Who specifically was engaged with the Russian strategy, messaging strategy, post the convention, late summer 2016?

Ms. Hicks. I’m sorry. I don’t understand the question. I’m not aware of a Russian messaging strategy.

Side note: She would later admit that there was a group of people during the Transition responding to allegations of Russian interference and a somewhat different group of people responding to allegations they tried to make contact with Russia. But that covered the Transition and, with the exception of Jason Miller (who deleted his Twitter account the other day after attacking Jerry Nadler), didn’t include communications people.

Back to her exchange with Jackson Lee, who persisted in finding out how the campaign responded to WikiLeaks’ releases. That’s when Hicks described the campaign’s daily focus on optimizing WikiLeaks releases as using publicly available information, even while insisting it was not part of a strategy.

Ms. Jackson Lee. So specifically it goes to the release of the various WikiLeaks information. Who was engaged in that?

Ms. Hicks. So, I mean, I assume you’re talking about late July?

Ms. Jackson Lee. Late July, late summer, July, August 2016.

Ms. Hicks. So there were several people involved. It was — I think a “strategy” is a wildly generous term to describe the use of that information, but —

Ms. Jackson Lee. But you were engaged in the campaign. What names, what specific persons were involved in that strategy of the impact of Russia and the issuance of the WikiLeaks effort late summer?

Ms. Hicks. Again, you —

Ms. Jackson Lee. Were you involved? Were you part of the strategy? You have a communications emphasis.

Ms. Hicks. I’m sorry. I’m just not understanding the question. You’re talking about a Russian strategy. The campaign didn’t have a Russian strategy. There was an effort made by the campaign to use information that was publicly available, but I’m not aware of a Russian strategy, communications or otherwise.

Ms. Jackson Lee. Well, what names were engaged in the strategy that you remember, messaging based on the possible release of Clinton emails by WikiLeaks, which is what I said?

Ms. Hicks. Sorry. I’d like to confer with my counsel. Thanks.

Ms. Jackson Lee. Thank you.

[snip]

Ms. Jackson Lee. Yes. I’m going to read from my earlier comment. According to the report, by late summer of 2016 the Trump campaign was planning a press strategy, a communications campaign, and messaging based on the possible release of Clinton emails by WikiLeaks, volume 1, 54. Were you involved in deciding how the campaign would respond to press questions about WikiLeaks?

Ms. Hicks. I assume that I was. I have no recollection of the specifics that you’re raising here.

Ms. Jackson Lee. With that in mind, would you agree that the campaign benefited from the hacked information on Hillary Clinton?

Ms. Hicks. This was publicly available information.

Ms. Jackson Lee. Were you — would you agree that the campaign benefited from the hacked information on Hillary Clinton?

Ms. Hicks. I don’t know what the direct impact was of the utilization of that information.

Ms. Jackson Lee. Well, let me follow up with, did this information help you attack the opponent of Mr. Trump?

Ms. Hicks. I take issue with the phrase “attack.” I think it allowed the campaign to discuss things that would not otherwise be known but that were true.

Hicks never did answer Jackson Lee’s question about how the campaign optimized the releases, but Norm Eisen (who was hired for precisely this purpose) came back to it. Ultimately Hicks described integrating WikiLeaks releases into Trump speeches.

Q Okay. Ms. Hicks, you were asked by Ms. Jackson Lee about a statement in the Mueller report that by late summer of 2016 the Trump campaign was planning a press strategy, a communications campaign, and messaging based on the possible release of Clinton emails by WikiLeaks, and you answered to the effect that it was wildly inaccurate to call it a strategy. Do you remember that answer?

A I believe I said that I wasn’t aware of any kind of coordinated strategy like the one described in the report and quoted by Ms. Jackson Lee. Regardless, the efforts that were under way, to take publicly available information and use that to show a differentiation between Mr. Trump as a candidate and Mrs. Clinton as a candidate, I would say that it would be wildly generous to describe that as a coordinated strategy.

Q How would you describe it?

A I would describe it just as I did, which is taking publicly available information to draw a contrast between the candidates.

Q What do you remember about any specific occasions when that was discussed?

[snip]

Q Tell me what you remember, everything you remember about that.

A The things I remember would be just the days that — that news was made, right? That there was a new headline based on new information that was available, and how to either incorporate that into a speech or make sure that our surrogates were aware of that information and to utilize it as talking points in any media availabilities, interviews, and what other opportunities there might be to, again, emphasize the contrast between candidates.

Q Did you ever discuss that with Mr. Trump during the campaign?

A Again, I don’t recall a — I don’t recall discussions about a coordinated strategy. But more specifically, to your last point about when there were moments that allowed for us to capitalize on new information being distributed, certainly I’m sure I had discussions with him.

She would go on to admit that the communications team discussed the WikiLeaks releases on a daily basis. But she maintained that — in spite of the evidence that Trump, with whom she spent extensive amounts of time, knew of the emails ahead of time — she did not

EISEN When is the first that you remember learning that WikiLeaks might have documents relevant to the Clinton campaign?

A Whenever it became publicly available. I think my first recollection is just prior to the DNC Convention.

Q And what was your reaction when you learned that?

A I don’t recall. I think before I described a general feeling surrounding this topic of not happiness, but a little bit of relief maybe that other campaigns had obstacles to face as well.

Q And I know we’ve touched on this but I just want to make sure we get it into the record. What’s your first recollection of discussing this issue with Mr. Trump?

Eisen did get her to admit that Eric Trump sent her the oppo research file on his father, though she claimed to be uncertain about when that happened. Once again, when asked a substantive question about something embarrassing to Trump, she conferred with her lawyer, Robert Trout, before answering.

Q And did Eric Trump ever discuss anything relating to WikiLeaks or other releases of hacked information with you?

A May I confer with my counsel, please.

[Discussion off the record.]

Ms. Hicks. Can you repeat the question, please?

Mr. Eisen. Can I have the court reporter read back the question, please?

Reporter. Did Eric Trump ever discuss anything relating to WikiLeaks or other releases of hacked information with you?

Ms. Hicks. I believe I received an email from Eric or some written communication regarding an opposition research file that was, I guess, leaked on the internet. I believe it was publicly available when he sent it to me. It was about Donald Trump.

BY MR. EISEN:

Q And do you know if it was publicly available when he sent it to you?

A I don’t recall. That’s my recollection.

Q What’s the basis for your belief that it was publicly available?

A I believe there was a link that was included, and I was able to click on that and access the information.

Q How did he transmit that to you?

A I don’t remember if it was an email or a text message.

Q Was there also a document attached to that transmission?

A I don’t remember.

Q Do you remember the date?

A Spring of 2016.

Q Spring of 2016.

Note, the oppo file was first released publicly on June 15, 2016. That’s still spring, but barely.

In any case, while most of the coverage has focused on the White House efforts to prevent Hicks from answering questions, her responses on WikiLeaks make it clear she herself was unwilling to answer basic questions as well.

Which is why this exchange about the Joint Defense Agreement as part of which her attorney got paid half a million dollars by the RNC is telling.

Ms. Scanlon. Okay. Do you now or have you had any joint defense agreements with anyone in connection with your activities either during the campaign or since then?

Mr. Trout. Objection.

Ms. Hicks. Be privileged with my counsel.

Mr. Trout. I’m not going to answer that.

Ms. Scanlon. I believe you’re not going to answer, but is she going to answer it?

Mr. Trout. No.

Ms. Scanlon. Okay. On what basis?

Mr. Trout. On privilege.

Ms. Scanlon. What kind of privilege.

Mr. Trout. Joint defense privilege.

Ms. Scanlon. The fact of having a joint defense agreement is not —

Mr. Trout. I will — it will be privileged

Hicks is absolutely entitled to keep details of her legal representation secret. But this — like some of the questions she refused to answer about her time in the White House — is public information. As such, her non-responsiveness about the degree to which she has compared answers with Trump is as obvious an obstruction tactic as the White House absolute immunity effort.

As I disclosed last July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

Accused Vault 7 Leaker Joshua Schulte Planned to Have WikiLeaks Publish Disinformation to Help His Defense

When WikiLeaks announced its publication of the CIA’s hacking tools in March 2017, the first tool it highlighted was an effort called Umbrage, which it claimed the CIA used to “misdirect attribution.”

UMBRAGE

The CIA’s hand crafted hacking techniques pose a problem for the agency. Each technique it has created forms a “fingerprint” that can be used by forensic investigators to attribute multiple different attacks to the same entity.

This is analogous to finding the same distinctive knife wound on multiple separate murder victims. The unique wounding style creates suspicion that a single murderer is responsible. As soon as one murder in the set is solved then the other murders also find likely attribution.

The CIA’s Remote Devices Branch’s UMBRAGE group collects and maintains a substantial library of attack techniques ‘stolen’ from malware produced in other states including the Russian Federation.

With UMBRAGE and related projects the CIA can not only increase its total number of attack types but also misdirect attribution by leaving behind the “fingerprints” of the groups that the attack techniques were stolen from.

UMBRAGE components cover keyloggers, password collection, webcam capture, data destruction, persistence, privilege escalation, stealth, anti-virus (PSP) avoidance and survey techniques.

Experts noted at the time that Umbrage served mostly to save time by reusing existing code. Nevertheless, the representation that the CIA would sometimes use other nations’ tools was immediately integrated into conspiracy theories denying that Russia carried out the 2016 hacks on Democrats. Because the CIA sometimes obscured its own hacks, denialists have said since, the CIA must have been behind the 2016 hacks, part of a Deep State operation to frame Russia and in so doing, undermine Trump.

Documents released this week reveal that Joshua Schulte, who is accused of leaking those documents to WikiLeaks, believed he could get WikiLeaks to publish disinformation to help his case.

Several documents submitted this week provide much more clarity on Schulte’s case. On Monday, the government responded to a Schulte effort to have his communications restrictions (SAMs) removed; their brief not only admitted — for what I believe to be the first time in writing — that the CIA is the victim agency, but described an Information War Schulte attempted to conduct from jail using contraband phones and a slew of social media accounts.

Yesterday, in addition to requesting that Schulte’s child porn charges be severed from his Espionage ones, his defense team moved to suppress the warrants used to investigate his communication activities in jail based on a claim the FBI violated Schulte’s attorney-client privilege. During the initial search, agents reviewed notebooks marked attorney-client with sufficient attention to find non-privileged materials covered by the search warrant, and only then got a privilege team to go through the notebooks in more detail. The privilege team confirmed that 65% of the contents of the notebooks was privileged. In support of the suppression motion, Schulte’s lawyers released most of the warrants used to conduct those searches, including the downstream one used to access three ProtonMail accounts discovered by the government and another downstream one used to access his ten social media accounts (see below for a list of all of Schulte’s accounts). Effectively, they’re arguing that the FBI would have never found this unbelievably incriminating communications activity, which will make it fairly easy for the government to prove that Schulte is the Vault 7 leaker without relying on classified information, without accessing those notebooks marked privileged.

But along the way, the documents released this week show that the guy accused of leaking that Umbrage file, which denialists have relied on to claim the 2016 hack was a false flag operation framing Russia, himself planned false flag activities to proclaim his innocence.

The government’s SAMs response describes in cursory fashion, and the affidavits for the warrants as a whole describe in more detail, how Schulte planned to adopt two fake identities — a CIA officer and an FBI Agent — to proclaim his innocence. The idea behind the latter was to corroborate two claims Schulte posted on his JoshSchulte WordPress sites on October 1, 2018 — that the FBI had planted the child porn discovered on his computer.

i. “I now believe the government planted the CP after their search warrants turned up empty-not only to save their jobs and investigation, but also to target and decimate my reputation considering my involvement in significant information operations and covert action.”

As noted above, in the Fake FBI Document in the Schulte Cell Documents, a purported FBI “whistleblower” claimed that the FBI had placed child pornography on Schulte’s computer after its initial searches of the device were unsuccessful in recovering evidence. See supra ¶ 14(a)(iii).

ii. “So who’s responsible for Vault 7? The CIA’s own version of the FBI’s Peter Strzok and Lisa Page,”

As noted above, in the September Tweet in the Schulte Cell Documents, a purported former CIA colleague of Schulte (but who was in fact simply Schulte himself) claimed that two other CIA former colleagues, one of whom Schulte described as the “Peter Strzok of the CIA,” had conspired to blame Schulte for Vault 7, WikiLeaks’ disclosure of the CIA material.

As noted above, two of the documents found in Schulte’s cell mixed in with the attorney-client material show how Schulte planned to create false identities to spread the same stories. One was an article he planned to send to WikiLeaks, claiming to be from an FBI whistleblower describing how Schulte was framed.

iii. A document that appears to be an article for release by WikiLeaks.org (“WikiLeaks”), in which a purported FBI “whistleblower” claimed to have provided the discovery in this case to WikiLeaks and that the FBI had planted evidence of child pornography on Schulte’s computer to frame him (the “Fake FBI Document”).

The documents also include his plans to release a fake CIA tweet claiming he was framed for the Vault 7 leak.

iv. Drafts of a tweet (the “Fake CIA Tweet”) that appear to have been drafted around August 30, 2018, in which Schulte pretending to be a former CIA colleague claimed that two other former CIA colleagues, both of whom Schulte referred to by full name and one of whom he described as the “Peter Strzok of the CIA,” had “set up” Schulte and used him as a “scapegoat” for “Vault 7,” which is the name of WikiLeaks’ serial disclosures of CIA material that began on or about March 7, 2017 and which forms the basis of some of the current charges against Schulte. On the following page of the Schulte Cell Documents appears the text “Just to authenticate me fast” followed by other apparent draft tweets that discussed the CIA’s alleged activities and methods, some of which appear to be classified (the “Fake Authentication Tweets”). . . . I believe that Schulte planned to potentially publish the Fake Authentication Tweet before the Fake CIA Tweet in an effort to purportedly verify the author’s employment with the CIA and knowledge of the information in the Fake CIA Tweet.

Finally, the FBI also found Schulte’s to-do list of how he planned to share both the fake FBI document and his discovery with WikiLeaks.

What appears to be a “to-do” list dated September 12, 2018, in which Schulte wrote that on September 17 and 18, he would “DL Disc. UL WL,” and that on September 19, 20, and 21, he would “schedule tweets[.]” I believe that here, “DL Disc. UL WL” means that Schulte planned to download his discovery (“DL Disc.”) from the Schulte Laptop and upload that discovery to WikiLeaks (“UL WL”). As noted above, in another place in the Schulte Cell Documents, Schulte drafted the Fake FBI Document, a purported statement by a supposed FBI “whistleblower” who provided Schulte’s discovery to WikiLeaks and claimed that the FBI had planted evidence of child pornography on Schulte’s computer.

From a legal standpoint, Schulte’s lawyers have disclosed all these warrant materials in an urgent effort to suppress everything the government found after first accessing his notebooks from jail. The FBI investigation proceeded from those notebooks to the WordPress site showing him claiming something identical to disinformation he was packaging up to share with WikiLeaks. They also got from those notebooks to ProtonMail accounts where Schulte offered to share what may or may not be classified information with a journalist. The reason why the defense is pushing to suppress this — one of the only challenges they’re making in his prosecution thus far — is because the stuff Schulte did in prison is utterly damning and seems to confirm both his familiarity with WikiLeaks and his belief that he needed to create disinformation to claim to be innocent.

We’ll see whether this Fourth and Sixth Amendment challenge works.

But along the way, the defense has released information — the provenance of which they’re not disputing in the least — that shows that Schulte planned to use WikiLeaks to conduct a disinformation campaign. But it wouldn’t be the first time Schulte had gotten WikiLeaks to carry out his messaging. A year ago today — in the wake of Schulte being charged with the Vault 7 leak — WikiLeaks linked to the diaries that Schulte was writing and posting from his jail cell, possibly showing that Schulte continued to communicate with WikiLeaks — either via a family member or directly — even after he had been put in jail. Those diaries are among the things seized in the search.

In a follow-up, I think I can show that Schulte did succeed in using WikiLeaks as part of a disinformation campaign.

Social media accounts Joshua Schulte accessed from jail

ProtonMail: annon1204, presumedguilty, freejasonbourne

Twitter: @freejasonbourne (created September 1, 2018 and used through October 2, 2018)

Buffer (used to schedule social media posts): (created September 3, 2018, used through September 7, 2018)

WordPress: joshschulte.wordpress.com, presumptionofslavery.wordpress.com, presumptionofinnocence.net (all created August 14, 2018)

Gmail: [email protected], [email protected] (created April 15, 2018), [email protected],

Outlook: [email protected]

Facebook: ‘who is JOHN GALT? (created April 17, 2018)

Update: The government also believed at the time that an account in the name Conj Khyas was used by Schulte to receive classified information at his annon1204 account. It was not listed in these warrants, but would amount to a 14th account.

Detaining Chelsea Manning: Other People, Times, and Patterns

Friday, the government responded to Chelsea Manning’s request to be freed in light of Julian Assange’s superseding indictment, in which she argued the grand jury couldn’t use any of her testimony to shore up the existing indictment against Assange.

The government has now indicted Mr. Assange on 18 very serious counts, without the benefit of or apparent need for Ms. Manning’s testimony. The government’s extradition packet must be submitted in finalized form very soon. Any investigation of him after that point will be nugatory. United States v. Moss, 756 F.2d 329, 331-32 (4th Cir. 1985), see also United States v. Kirschner, 823 F. Supp. 2d 665, 667 (E.D. Mich. 2010) (finding that post-indictment questioning about the same conduct but different charges than those in the indictment was permissible, but questioning leading only to further information about the same charges would be impermissible). Any further investigation of unindicted targets will likewise be futile, as charges would be time-barred, and in any case, it is perfectly understood that Ms. Manning has no useful information about any parties other than the person behind the online handle “pressassociation.” She is not possessed of any that is not equally available to them, and in any case, her absence has posed no obstacle to indictment and superseding indictment.

The government response suggests this assertion — that there are no charges that they need Manning’s testimony for — is incorrect.

As the government’s ex parte submissions reflect, Manning’s testimony remains relevant and essential to an ongoing investigation into charges or targets that are not included in the superseding indictment. See Gov’t’s Ex Parte Mem. (May 23, 2019). The offenses that remain under investigation are not time barred, see id., and the submission of the government’s extradition request in the Assange case does not preclude future charges based on those offenses, see Gov’t’s Supplement to Ex Parte Mem. (June 14, 2019). Manning’s speculations about the direction of the grand-jury investigation, the purpose of her testimony, and the need for it are insufficient to show otherwise. [My emphasis]

The formulation here is curious, for the reasons laid out below.

Not time barred: Assange was first indicted on March 6, 2018, two days short of the 8-year anniversary of the alleged attempt to crack a password that was the basis for the conspiracy to violate CFAA charge. That suggests they were relying on the claim that the international character of the alleged CFAA charge extended the SOL to eight years, though they could also claim the conspiracy was ongoing if both Manning and Assange were believed to continue to engage in a conspiracy (though given that the conspiracy was defined as hacking, it would seem to be limited to the time until Manning’s arrest on May 27, 2010). I think — but am not sure — that if further charges are not time-barred, the government is either relying on a continued conspiracy, perhaps based off the conspiracy to receive national defense information in the superseding indictment, which because it was charged under espionage has a ten year statute of limitations, or arguing that the conspiracy to violate CFAA extended to other people.

Possibility of additional charges “based on those offenses”: To continue to coerce Manning for charges pertaining to Assange, the government has to argue (and claims it has, in two ex parte filings) that it is seeking additional charges. If I understand how the UK’s extradition process works, unless it gets a waiver, the US government can’t add additional crimes against Assange on top of what it already charged in the extradition packet, but some people say it’s possible to add on instances of the same charges until such time as he’s extradited. That may mean it wants to lard on espionage charges.

Targets not included in the superseding indictment: Manning claims she only has information about “pressassociation” — that is, Assange. But the government may believe there are other people involved in this. It would be unsurprising if the government were homing in on other key WikiLeaks figures (I’ve had people wonder whether the government would go after Jake Appelbaum, for example, and there’s another figure people have been chatting about). Recall, too, that the government interviewed David House during this process, extending the time frame and the actions to publicity supporting Manning that would extend into the period when she was jailed and prosecuted.

Charges not included in the superseding indictment: If there are other people the government is targeting for crimes the statutes of limitation for which haven’t expired (or as part of the conspiracy including Assange and Manning in any kind of continuation), then the government could just charge them.

All that said, there’s something funny with the timing. Manning’s request suggested that Assange was charged sometime between May 14 and 16 — which would put it after she got the subpoena from the new grand jury but before a court hearing on May 16.

Some time between May 14 and May 16, 2019, Julian Assange was charged in a superseding indictment with 17 Counts relating to offenses under the Espionage Act. This indictment was also obtained without the benefit of or apparent need for Ms. Manning’s testimony.

The government corrected that in their response.

Manning claims that Assange was charged in the superseding indictment at some point “between May 14 and May 16, 2019.” Mot. to Reconsider Sanctions 2. That representation is inaccurate. The face of the indictment reflects that it was returned in open court on May 23, 2019, and the signature page bears the same date. See Superseding Indictment, United States v. Julian Paul Assange, No. 1:18-cr-111-CMH (E.D. Va. May 23, 2019) (Dkt. No. 31) (Exhibit B).

Meanwhile — perhaps to show that it had briefed Judge Anthony Trenga about the ongoing investigation before he approved the current contempt finding — the government also unsealed a bench memo submitted back on May 15. That memo also argued they still needed Manning’s testimony — but it was based on the 1-count indictment against Assange.

This indictment against Assange does not affect Manning’s obligation to appear and testify before the grand jury. Under the law, “the government cannot use grand jury proceedings for the ‘sole or dominant purpose’ of preparing for trial on an already pending indictment.” United States v. Alvarado, 840 F.3d 184, 189 (4th Cir. 2016) (quoting United States v. Moss, 756 F.2d 329, 332 (4th Cir. 1985)). Yet it is equally well settled that, even after returning an indictment, the grand jury may continue investigating new charges or targets that are related to the pending indictment. See id. at 189-90; United States v. Bros. Constr. Co. of Ohio, 219 F.3d 300, 314 (4th Cir. 2000); Moss, 756 F.2d at 332. At the same time it files this memorandum, the government is filing an ex parte pleading that describes the nature of the grand jury’s ongoing investigation in this matter. See Gov’t’s Ex Parte Submission Regarding Nature of Grand-Jury Investigation (May 14, 2019). As that filing reflects, Manning has testimony that is directly relevant and important to an ongoing investigation into charges or targets that are not included in the pending indictment. See id. Thus, the recently unsealed indictment against Assange does not provide Manning with just cause for refusing to comply with the Court’s order to testify in front of the grand jury.

That said, they’ve updated that argument in sealed form. As bolded above, though, the government has briefed the court three times on why it still needs Manning’s testimony:

  • May 14, 2019 (not noted in the docket, but possibly docket 3)
  • May 23, 2019 (docket #10)
  • June 14, 2019 (docket #22)

On the day of Assange’s superseding indictment, the government explained to Judge Trenga that the “charges or targets” they were still investigating were “not included in the superseding indictment” and also said they weren’t time-barred. On the day of Friday’s extradition hearing, the government told Trenga that “the government’s extradition request in the Assange case does not preclude future charges based on those offenses.”

All of which might conflict with the public reports that the government will not charge Assange with any further charges. Or it might mean that there are other people that the government wants to weave into these conspiracy charges.

One final point. In the May 15 bench memo, the government discounts Manning’s objections to grand juries (appealing to how they’re supposed to work rather than how they do), and then insinuates she’s refusing to testify out of self-interest.

In addition to their description of what happened when she went before the grand jury, their description of what they deem her self-interested motive not to testify is the only other part of the narrative that remains redacted.

Which is to say the government has some notion of Manning’s motives that — aside from being placed amid a discussion that demonstrably fails to understand her claims about grand juries — they imagine she’s doing all this to benefit herself. That may be true. It may be, for example, that testifying about what she now understands to have happened nine years ago would change the public understanding of what she did. But the government is not willing to share what that is.

On Joshua Schulte and Julian Assange’s 10 Year Old Charges

The WaPo has confirmed what Natasha Bertrand earlier reported: the extradition package for Julian Assange will only include the 10-year-old charges related to the publication of Chelsea Manning’s leaks, not any of WikiLeaks’ more controversially handled charges. I’ve been meaning to write a post on how this is the stupidest available approach, which will satisfy neither those who regard him as a villain, will expose other journalists to similarly dangerous charges, and possibly even fuck up the security establishment’s entire effort to exact some revenge against Assange. I hope to return to that when I get some deadlines and travel done, but suffice it to say this is a big hot mess.

To be clear, I actually think it’s not eleven-dimensional chess on the part of Bill Barr to save Trump some embarrassment once Roger Stone’s trial reveals the extent to which Trump’s campaign tried to “collude” with WikiLeaks (though it will not only have that effect, but make it harder for DNC to sustain its lawsuit against the GOP and WikiLeaks for their actions in the 2016 election). Rather, I think this is an attempt to prosecute Assange with the least cost on the security establishment, being run by people who are utterly tone deaf to the costs it will incur elsewhere.

But I do want to say several things about why and how DOJ is not charging Assange in the Vault 7 leak.

Bertrand noted that I thought that the EDVA charges would be related to Vault 7.

Still, just several months ago, numerous experts felt confident that prosecutors would also hit Assange with charges over Vault 7. Prominent national security journalist Marcy Wheeler predicted in February that DOJ would “very clearly go after Assange” for the Vault 7 disclosure, and that a sealed indictment against him in the Eastern District of Virginia was likely related to that leak — the CIA is, after all, headquartered in Virginia, as ABC noted. Assange himself reportedly expressed concern that prosecutors would charge him with crimes related to Vault 7.

She didn’t provide even the full context of my tweet, much less my post, arguing that Assange’s efforts to extort a pardon using the Vault 7 files would be something obviously unconnected to journalism. The superseding indictment does mention Assange’s use of “insurance files” to ensure his ability to publish documents in his possession, but no charges were attached to that, which later uses of the tactic and the Vault 7 pardon effort would have supported.

Which is to say the government could have charged Assange for something specifically excluded from Bartnicki’s protection of the publication of stolen materials, but did not. Again, the government has chosen to go about this in the stupidest way possible.

That said, I’m not surprised they’re not going after Assange for the Vault 7 leak itself.

As it is, the CIA has been inexcusably uncooperative with Joshua Schulte’s discovery efforts. At times, some pretty aggressive prosecutors have seemed almost apologetic about it. Schulte has staked a lot on trying to expose details of his initial warrants, and while his later behavior seems to suggest there was something to their targeting of him (or, at the very least, his post-indictment behavior has been self-destructive), at the very least the CIA may have participated in some epically bad parallel construction. They may be trying to hide that as much as the actual details of CIA’s hacking program.

Meanwhile, the government and Schulte have been discussing severing his charges from last year — which include one charge of contempt and a charge of attempted leak of classified information — from everything else.

As the Court is aware, trial in this matter is currently set for April 8, 2019. (See Minute Entry for August 8, 2018 Conference). To afford the parties sufficient time to prepare the necessary pretrial motions, including suppression motions and motions pursuant to the Classified Information Procedures Act (“CIPA”), the parties respectfully request that the Court adjourn the trial until November 4, 2019. The parties are also discussing a potential agreement concerning severance, as well as the order of the potentially severed trials. The parties will update the Court on severance and a pretrial motion schedule at or before the conference scheduled for April 10, 2019.

That might be something they tried to base a plea off of: they’d have video evidence to back their case, so it might avoid the CIPA process CIA is unwilling to engage in.

Back in May, Schulte’s team submitted a motion to vacate his SAMs (Special Administrative Measures limit a prisoner’s communication with others). It was based off the case the government made prior to his superseding indictment and left out all the allegations the government made about the 13 email and social media accounts Schulte was allegedly running from his jail cell, and as such deliberately understated why the government wanted the SAMs. The government asked for and got an extension to respond until Monday — notably, after all decisions about Assange would have had to have been made. Any response (unless it’s sealed) will have to provide more details about what happened last fall, so if they’re trying to get a plea deal, it might come this week in lieu of that SAMs response.

But the question would be what that plea agreement would look like.

Finally, the government is going to have to provide some explanation for why Chelsea Manning remains in jail for contempt. Unless they can claim they’re going after other people related to WikiLeaks, they should not be able to keep her jailed.

The Logic of Assange’s EDVA Indictment Is Inconsistent with Mueller’s Apparent Logic on Assange’s Declination

As Emma Best has noted, shortly before GRU targeted John Podesta in a spear-phishing attack, WikiLeaks offered a reward for Hillary’s speech transcripts like the excerpts that were released as part of the John Podesta release.

Hours before Russian hacking operations targeted Hillary Clinton’s campaign in the spring of 2016, WikiLeaks discussed offering a monetary reward for transcripts of her speeches at Goldman Sachs. Soon after, Russian hackers launched a spear phishing campaign that resulted in John Podesta’s email account being compromised. Emails containing excerpts from the speeches were included in the first day of the Podesta email releases. A week later, emails containing the transcripts themselves were released. WikiLeaks heralded these transcripts as their “holy grail.”

The story began on March 9, 2016, when WikiLeaks sent a tweet with a poll asking if they should add Hillary Clinton’s Goldman Sachs speeches to their “Most Wanted” page for six figure rewards for materials. When the poll completed twenty four hours later, 93% of respondents said that WikiLeaks should offer a reward for the speeches. The Russian hackers at Fancy Bear may have been listening and been inspired by WikiLeaks’ comment. Unpublished targeting data collected by Secureworks shows the hacking campaign began earlier than the Mueller indictment reveals. A week and a half later, after dozens of attempts to penetrate the accounts of Podesta and other Clinton staffers and associates, Fancy Bear sent the phishing email that successfully tricked Podesta into compromising his account and the Goldman Sachs speeches along with it.

Secureworks’ unpublished breakdown of the Russian spear phishing and hacking effort, which AP described last year, shows that the campaign to penetrate the account began hours after WikiLeaks teased the possibility of offering a reward for the information. The tweet first mentioning the potential of a reward for the Goldman Sachs transcripts was sent at 8:16 P.M. Moscow time. At 11:56 AM the next day, less than sixteen hours later, Russian hackers began a campaign that would target “over 300 individuals affiliated with the Clinton Campaign, DCCC, and DNC.” Podesta’s email accounts were targeted in the days that followed and successfully compromised a week later, resulting in the exfiltration of nearly 60,000 emails.

Under what I’ve called Theory One of the superseding Julian Assange indictment, WikiLeaks’ publication of a wish list that was subsequently fulfilled would qualify it (or Julian Assange) for a conspiracy charge. Given what we’ve seen of Roger Stone’s actions, it might qualify him for a conspiracy charge as well (though we still don’t know via what means he contacted WikiLeaks).

But this 2.5 page redaction in the Mueller Report appears to explain why they didn’t charge WikiLeaks (and so by association, Stone) in that conspiracy.

We don’t know what that redaction says, though the unredacted footnote makes it clear that in the case of emails stolen from Hillary, DOJ determined that sharing of stolen property does not constitute a crime.

We do, however, have a sense of how the Attorney General understands this declination, because he used it to exonerate Trump, even in spite of Trump’s active role in pushing Roger Stone to optimize the WikiLeaks releases for the campaign. In one of his explanations for the WikiLeaks declination — one that may more directly allude to Stone’s involvement — Bill Barr said that publication of stolen emails would not be criminal “unless the publisher also participated in the underlying hacking conspiracy.”

The Special Counsel also investigated whether any member or affiliate of the Trump campaign encouraged or otherwise played a role in these dissemination efforts.  Under applicable law, publication of these types of materials would not be criminal unless the publisher also participated in the underlying hacking conspiracy.  Here too, the Special Counsel’s report did not find that any person associated with the Trump campaign illegally participated in the dissemination of the materials.

In the case of election interference, then, Barr does not consider the publication of documents identified on a wish list that hackers subsequently steal to amount to joining a conspiracy.

But in the case of Chelsea Manning’s leak, his DOJ does.

There’s obviously a distinction: John Podesta’s risotto recipes are not classified, whereas much of the stuff (but not all) Manning leaked was. But the role of a wish list is not functionally different, and Russian officers were charged both for hacking and dissemination.

I’m still working on a post describing how unbelievably stupid the EDVA case is, both for the press and for DOJ’s hopes to lay a precedent.

But at least at a structural level, the prosecution is also inconsistent with the decisions DOJ made about WikiLeaks on the election year operation.

As I disclosed last July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

The Three Theories of Prosecution for Julian Assange

In this post, I laid out what the 17 new charges against Julian Assange are. In this one, I’ll look more closely at three theories of criminalization:

  • Theory One: Charging Assange for causing Chelsea Manning to leak classified information by soliciting it generally or specifically (and/or discussing its value before she obtained it)
  • Theory Two: Charging Assange for offering to help crack a password and attempting to obtain the documents that would have been available using it
  • Theory Three: Charging Assange for leaking the identities of US government informants in three different databases

Theory One: Obtaining and disclosing documents that were solicited (Counts 2-4 and 6-14)

Effectively, they’ve charged Assange for causing Chelsea Manning to obtain (Charges 2 through 4), Assange obtaining himself (Charges 6 through 8), causing Manning to disclose documents she did not have authorized possession of (Charges 9 through 11), and causing Manning to disclose legally obtained documents (Charges 12 through 13) for three sets of documents: The Gitmo Detainee Assessment Briefs, the State Department Cables, and the Iraq Rules of Engagement.

Assange is not being charged for publishing anything under this theory (that’s not true under Theory Three). He’s being charged with causing Manning to obtain and disclose them to him.

To accuse Assange of causing Manning to do these things, they show how a Most Wanted Leaks list posted on WikiLeaks until September 2010 resembles what Manning looked for on DOD’s networks and what she sent to Assange.

In addition, they show that Manning and Assange discussed some of these leaks before she obtained them.

For example, on March 7, 2010, Manning asked ASSANGE how valuable the Guantanamo Bay detainee assessment briefs would be. After confirming that ASSANGE thought they had value, on March 8, 2010, Manning told ASSANGE that she was “throwing everything [she had] on JTF GTMO [Joint Task Force, Guantanamo] at [Assange] now.” ASSANGE responded, “ok, great!”

[snip]

Manning later told ASSANGE in reference to the Guantanamo Bay detainee assessment briefs that “after this upload, thats all i really have got left.”

It argued that Manning downloaded the State Department cables in response to the request for bulk databases on the Wish List.

Further, following ASSANGE’s “curious eyes never run dry” comment, and consistent with WikiLeaks’s solicitation of bulk databases and classified materials of diplomatic significance, as described in paragraphs 2, 4-5, between on or about March 28, 2010, and April 9, 2010, Manning used a United States Department of Defense computer to download over 250,000 U.S. Department of State cables, which were classified up to the SECRET level. Manning subsequently uploaded these cables to ASSANGE and WikiLeaks through an SFTP connection to a cloud drop box operated by WikiLeaks, with an X directory that WikiLeaks had designated for Manning’s use. ASSANGE and WikiLeaks later disclosed them to the public.

And it showed that the Iraq Rules of Engagement were on the Wish List.

As of November 2009, WikiLeaks’s “Most Wanted Leaks” for the United States included the following:

[snip]

b. “Military and Intelligence” documents, including documents that the list described as classified up to the SECRET level, for example, “Iraq and Afghanistan Rules of Engagement 2007-2009 (SECRET);”

[snip]

Following ASSANGE’s “curious eyes never run dry” comment, on or about March 22, 2010, consistent with WikiLeaks’s “Most Wanted Leaks” solicitation of “Iraq and Afghanistan US Army Rules of Engagement 2007-2009 (SECRET),” as described in paragraphs 4-5, Manning downloaded multiple Iraq rules of engagement files from her Secret Internet Protocol Network computer and burned these files to a CD, and provided them to ASSANGE and WikiLeaks.

Thus, for each of these, the government is saying that soliciting specific classified (or protected) materials amounts to Espionage. This is the theory of prosecution I argued would criminalize people like Jason Leopold, who was clearly engaged in journalism when he specifically asked about a specific Suspicious Activity Report from a source.

Theory Two: Attempted hacking to attempt to obtain the documents available via the hack (Counts 5 and 18)

For one vaguely defined set of documents, DOJ has charged Assange for attempting to help Manning crack a password (which was the single previous charge, which is now Charge 18) in order to attempt to obtain unidentified documents on SIPRNet.

15. In furtherance of this scheme, ASSANGE agreed to assist Manning in cracking a password hash stored on United States Department of Defense computers connected to the Secret Internet Protocol Network, a United States government network used for classified documents and communications, as designated according to Executive Order No. 13526 or its predecessor orders.

I believe (though am not certain) that that’s what the documents charged in Count 5 are about.

Between in or about November 2009 and in or about May 2010, in an offense begun and committed outside of the jurisdiction of any particular state or district of the United States, the defendant, JULIAN PAUL ASSANGE, who will be first brought to the Eastern District of Virginia, and others unknown to the Grand Jury, knowingly and unlawfully attempted to receive and obtain documents, writings, and notes connected with the national defense—namely, information stored on the Secret Internet Protocol Network classified up to the SECRET level— for the purpose of obtaining information respecting the national defense, knowing and having reason to believe, at the time that he attempted to receive and obtain them, that such materials would be obtained, taken, made, and disposed of by a person contrary to the provisions of Chapter 37 of Title 18 of the United States Code.

This theory also doesn’t charge Assange with publishing information. Rather than charging him for soliciting leaks (Theory One), it charges him with helping to obtain documents Manning was not authorized to obtain by attempting to crack a password to get Administrator privileges.

Theory Three: Releasing the names of informants (Counts 15-17)

For each of three sets of US government informants, there’s also a charge tied to the informants’ identities disclosed in bulk databases.

35. Also following Manning’s arrest, during 2010 and 2011, ASSANGE published via the WikiLeaks website the documents classified up to the SECRET level that he had obtained from Manning, as described in paragraphs 12, 21, and 27, including approximately 75,000 Afghanistan war-related significant activity reports, 400,000 Iraq war-related significant activities reports, 800 Guantanamo Bay detainee assessment briefs, and 250,000 U.S. Department of State cables.

36. The significant activity reports from the Afghanistan and Iraq wars that ASSANGE published included names of local Afghans and Iraqis who had provided information to U.S. and coalition forces. The State Department cables that WikiLeaks published included names of persons throughout the world who provided information to the U.S. government in circumstances in which they could reasonably expect that their identities would be kept confidential. These sources included journalists, religious leaders, human rights advocates, and political dissidents who were living in repressive regimes and reported to the United States the abuses of their own government, and the political conditions within their countries, at great risk to their own safety. By publishing these documents without redacting the human sources’ names or other identifying information, ASSANGE created a grave and imminent risk that the innocent people he named would suffer serious physical harm and/or arbitrary detention.

For each database, the indictment looks at several instances of the individuals whose identities were released. It then lays out evidence that Assange knew and did not care that by publishing these identities he would be endangering people.

This is the theory of prosecution that does criminalize the publication of true information. And it criminalizes something that journalists, at times, do.

The government often tries to classify identities that should not be (as they did with Gina Haspel, to hide her role in torture, for example). When journalists learn these identities they sometimes do choose to ignore admonitions against publication, for good reason. That’s what Assange is accused of doing here, but only on a mass scale. But if this is successful, there’s nothing that will prevent the government from charging people for disclosing classified identities at a smaller scale.

I’m also not sure how, as a foreign citizen, this doesn’t invite retaliation against the US for identifying classified identities of other countries.

The Charges Against Julian Assange

As expected, EDVA rolled out a bunch more charges, under the Espionage Act, against Julian Assange. I’m going to do a follow-up post on how stupid the way they’ve done this is, but first wanted to lay out the charges.

The indictment charges Assange with 17 new counts (in addition to the single CFAA charge they’ve already charged him with, which is now Count 18).

  • Count 1: Conspiracy to Obtain, Receive, and Disclose National Defense Information (18 USC §793(g))
  • Count 15: Unauthorized Disclosure of National Defense Information — informants in Afghan Significant Activity Reports (18 USC §793(e))
  • Count 16: Unauthorized Disclosure of National Defense Information — informants in Iraq Significant Activity Reports (18 USC §793(e))
  • Count 17: Unauthorized Disclosure of National Defense Information — informants in State Department Cables (18 USC §793(e))
  • Count 18: Conspiracy to Commit Computer Intrusion (18 USC §641, 793(c) and 793(e))

Then there is a set of throw-everything-at-the-wall charges that charge Manning giving three sets of files — the Detainee Assessment Briefs, the State Department Cables, and the Iraq Rules of Engagement — to Assange in four different ways.

The attempt, Count 5, is related to the files Chelsea Manning would have gotten had the password crack been successful.

So effectively, there are three main sets of documents, the Gitmo Detainee Assessment Briefs, the State Department Cables, and the Iraq Rules of Engagement, for which EDVA has charged Assange for causing Manning to obtain them, Assange obtaining them himself, causing Manning to disclose to Assange documents she had legal access to, and causing Manning to disclose to Assange documents she had unauthorized possession of. (It’s worth noting that three of these four steps are replicated in the existing Joshua Schulte indictment.)

Then there are three sets of informants that Assange disclosed — those not redacted in the Afghan Significant Activity Reports, those not redacted in the Iraq Significant Activity Reports, and those not redacted in the State Department cables.

Then there are the two charges associated with what Manning would have gotten had Assange succeeded in cracking that password — the CFAA charge and the attempt to obtain charge.

Finally, there’s an overriding conspiracy.
