The National Security Letter Seamus Hughes Found When Looking for a Dan Richman Docket

Not long after something happened in November to prevent four Dan Richman dockets from being unsealed in DC District, Judge Anthony Trenga ordered a docket about a National Security Letter from the same period as the Dan Richman investigation (which he referred in 2019 to then Magistrate Judge Michael Nachmanoff) to be unsealed.

Both the four Dan Richman dockets and the NSL docket remain substantially sealed.

As I have laid out before, when Magistrate Judge William Fitzpatrick first held a hearing about DOJ’s bid to breach Jim Comey’s privilege on November 5, he started the hearing by focusing on all the sealed documents. When he asked Loaner AUSA Tyler Lemons about the status of the underlying warrants, Lemons equivocated.

THE COURT: Mr. Lemons, what’s the status of that?

MR. LEMONS: Thank you, Your Honor. Your Honor, we have made a request to the issuing district as to those search warrants, for them to be unsealed. My understanding, last speaking with an AUSA in that district, is that motion has not been filed at this time. They are preparing to provide notice to other potentially interested parties, per their practice and the rules they have to abide by in that district. So we requested it, and our understanding is at this time that the warrants all remain completely under seal. That is the only reason why the government designated these search warrants as protected material and filed them under seal and understands why the defense filed them under seal. If it was in my power and ability here today, those search warrants would be totally unsealed. [my emphasis]

After the hearing Fitzpatrick ordered that the parties take steps to unseal both the underlying warrant dockets and the sealed filings about them.

ORDERED that the Government shall, on or before November 10, 2025, move in the issuing district to unseal the four 2019 and 2020 search warrants referenced in the Government’s Reply to Defendant’s Response to the Government’s Motion for Implementation of Filter Protocol (ECF 132), together with all attendant documents, or, in the alternative, file a motion in the issuing district setting forth good cause as to why the subject search warrants and all attendant documents should remain under seal, in whole or in part; and it is further

[snip]

ORDERED that, if necessary, the Court shall hold a hearing on the pending motions to seal (ECFs 56, 72, 109, and 133) on November 21, 2025, at 10:00 a.m. in Courtroom 500, and the materials subject to those motions shall remain UNDER SEAL until further order of the Court; and it is further

ORDERED that, to the extent the Government seeks to seal Exhibit A to Defendant’s Response to the Government’s Motion for Expedited Ruling (ECF No. 55-1), the Government shall file a supporting brief in accordance with Local Criminal Rule 49 on or before November 12, 2025; Defendant may file a response on or before November 19, 2025; and, if necessary, the Court shall hold a hearing on the Government’s sealing request on November 21, 2025, at 10:00 a.m. in Courtroom 500;

Over a month ago, by November 10, the Loaner AUSAs in EDVA should have filed to unseal the four warrant dockets in DC or they should have filed a motion in DC “setting forth good cause as to why the subject search warrants and all attendant documents should remain under seal.”

If the Loaner AUSAs followed that order, it would seem to suggest someone insisted on keeping the dockets in DC sealed.

Fitzpatrick listed those dockets in a footnote of his November 17 opinion (that is, a week after DOJ would have had to file to keep everything sealed) granting Comey access to the grand jury transcripts in his case.

2 Search warrant 19-sw-182 was issued on August 27, 2019, and authorized the search of Mr. Richman’s hard drive from February 1, 2017 to April 30, 2017. ECF 89-1.

Search warrant 19-sc-2097 was issued on October 22, 2019, and authorized the search of Mr. Richman’s Columbia University and Law School email accounts from March 1, 2016 to May 30, 2017. ECF 89-2.

Search warrant 20-sw-200 was issued on January 31, 2020, and authorized the search of Mr. Richman’s iCloud account from March 1, 2016 to May 30, 2017. ECF 89-3. Attachment B to the warrant specifically limits the information to be seized to “non-privileged communications.” Id.

Search warrant 20-sw-143 was issued on June 4, 2020, and authorized the search of the backup files for Mr. Richman’s iPad and iPhone from March 1, 2016 to May 30, 2017. ECF 89-4. Attachment B to the warrant specifically limits the information to be seized to “non-privileged communications.” Id.

I just checked. They’re still sealed.

Some weeks ago, I did what any resourceful person would do to try to solve a docket mystery: I asked Seamus Hughes (of CourtWatch fame) if he could find anything.

He didn’t find any docket at DC asking to keep the files sealed.

What he did find is at least as interesting.

He found a docket, described as National Security Letter 19-498157 and listing Bill Barr as the defendant, which was originally referred to Michael Nachmanoff when he was a Magistrate Judge, with a recent update. On December 10, Judge Anthony Trenga, citing a response from DOJ on November 14 (which is sealed), ordered the docket about a 2019-2020 National Security Letter to be unsealed.

Aside from that order though, it remains substantially sealed.

This docket may be totally unrelated to the Comey case.

But the table above shows how neatly the two overlap. The NSL docket was opened a month after a Dan Richman interview in November 2019, and it was closed before DOJ obtained warrants to seize the iPhone which they’ve since been snooping into.

Maybe Santa can help us unwrap this in time for Christmas.

Colleen Kollar-Kotelly’s Attempted Baby-Splitting Leads to Exploding Diaper

I suppose I should have reminded readers, somewhere in my close tracking of Judge Colleen Kollar-Kotelly’s attempt to craft a nifty solution to a difficult Fourth Amendment question, that she authored a 2004 FISA opinion from which a decade of bulk collection on Americans arose.

I delayed doing so, in part, because Tulsi Gabbard has deprecated the link to the official version and so I need to go find a copy. But this post describes the substance of the opinion. This post describes how subsequent phone dragnet opinions relied on it. And this timeline explains how, after Kollar-Kotelly was just the second FISA Judge read into the unconstitutional Stellar Wind program, and after she raised concerns about it, a guy named Jim Comey refused to reauthorize it in its then current form, which led to a famous standoff in a hospital, much drama, but only limited (and still largely undisclosed!) changes in the program, before Kollar-Kotelly wrote an opinion authorizing bulk collection that would be the cornerstone for 11 more years of bulk collection.

Judge Colleen Kollar-Kotelly has a history with difficult Fourth Amendment decisions.

And she has a history with Jim Comey.

When we last reviewed this difficult Fourth Amendment question, Kollar-Kotelly had simply waved her hands over the original sins of unscoped seizures and overseized data targeting Dan Richman — which she deemed plausible Fourth Amendment violations but not something she had to deal with, she said, because she had found the later search of that likely unscoped data was itself a violation of the Fourth Amendment and so could apply a bunch of DC precedents that all addressed property that was, in the initial seizure, lawfully collected to data she agreed was plausibly also unlawfully collected. Then she ordered the government to send that unlawfully searched data to EDVA, where different precedents would apply, and where the government could get a warrant to access what they wanted.

In a motion to modify and clarify that was also, in a footnote, a motion for reconsideration, the government deftly asked to change the rules such that they would be able to keep the fruits of several iterations of unlawful searches, and Dan Richman would be gagged from revealing that’s what happened.

So here’s what Kollar-Kotelly — she of the history of difficult Fourth Amendment decisions and she with the two decade history with Jim Comey — has done since.

First, she issued an order bitching about the government’s last minute request and complaining that they didn’t raise these issues on the first go-around, but giving the government permission to keep anything derivative of those three iterations of unlawful seizures.

The Government’s [22] Motion, which was filed approximately one hour before the deadline for the filing of a certification of compliance set forth in this Court’s [20] Order, raises a variety of issues related to the handling of classified information and information that may be subject to the Government’s own privileges, including the attorney-client privilege and the deliberative process privilege. The Government could have-and should have-raised many of these issues earlier in its initial Response to Petitioner Richman’s [1] Motion for Return of Property, but it did not do so. The Court will clarify its [20] Order at greater length by separate order and, if appropriate, will request further briefing from the parties. For now, the Court notes three important clarifications:

[snip]

Further, this Court’s Order directed the return of Petitioner Richman’s own materials (and any copies of those materials), not any derivative files that the Government may have created. See Order, Dkt. No. 20, at 1 (directing the return of the original materials, copies of those materials, and any materials “directly obtained or extracted” from them); see also id. at 41 (explaining that the Court would not bar the Government from “using or relying on” the relevant materials in a separate investigation or proceeding). Accordingly, compliance with the Court’s Order will not intrude upon any of the Government’s privileges.

This order, by itself, would amount to permitting the government to use stuff tainted by a breach of attorney-client privilege (Jim Comey’s attorney-client privilege), something she has not dealt with at all.

Then yesterday, Kollar-Kotelly issued an order noting (in a footnote) the government request for reconsideration they buried in a footnote, but blowing it off …

1 In a footnote, the Government requests reconsideration of this Court’s merits ruling that the Government’s retention of the materials at issue violates Petitioner Richman’s Fourth Amendment right against unreasonable seizures. See Gov’t’s Mot., Dkt. No. 22, at 7 n.5. However, the primary focus of the Government’s [22] Emergency Motion is the proper scope of the remedy to be awarded. Accordingly, the Court focuses here on issues that are directly relevant to the issue of remedy.

… But also requiring (among other things) the parties to explain three things, with the following deadlines:

  • By 9:00 a.m. ET on Wednesday, December 17, 2025, the government should share its great ideas on how to keep all this data secure at EDVA.
  • By 10:00 a.m. ET on Wednesday, December 17, 2025, the government should explain what it has from the original searches.
  • By 2:00 p.m. ET on Wednesday, December 16, 2025, Richman should explain what he wants back, some of which may be influenced by the 10AM briefing.

The order pertaining to that 10AM explanation betrays how inadequate the original baby-splitting solution was, not least because Kollar-Kotelly doesn’t unpack that the stuff the government originally seized from Richman is evidence — or at least includes it.

Second, the Government argues in its [22] Emergency Motion that the Court’s Order “appears to require the Government to delete or destroy evidence originally, and lawfully, obtained pursuant to search warrants issued by the U.S. District Court for the District of Columbia in 2019 and 2020.” Gov’t’s Mot., Dkt. No. 22, at 5. To be clear, the Court has not ordered the Government to delete or destroy any evidence; instead, it has ordered the Government to return certain materials to Petitioner Richman, while depositing others with a third-party custodian for safekeeping. However, to ensure that the remedy awarded in this case is appropriately tailored to the facts, the Court would benefit from more factual details regarding the Government’s execution of the search warrants issued in this District in 2019 and 2020. Id. Accordingly, it is ORDERED that, no later than 10:00 a.m. ET on Wednesday, December 17, 2025, the Government shall file with the Court a brief response to the following questions:

(1) Does the Government have in its possession a complete copy of any of the following:

(i) the “forensic image” of Petitioner Richman’s personal computer hard drive that the Government was authorized to search under the warrant issued in this District on August 27, 2019;

(ii) the information disclosed by Columbia University to the Government pursuant to the warrant issued in this District on October 22, 2019;

(iii) the information disclosed by Apple to the Government pursuant to the warrant issued in this District on January 30, 2020; or

(iv) the “contents of a hard drive … containing backup files of one Apple iPad 4 and one Apple iPhone 5S” that the Government was authorized to search under the warrant issued in this District on June 4, 2020?

(2) Under each of the four search warrants at issue, the Government was authorized to seize only responsive material, which constituted a subset of the information it was permitted to search. Did the Government create a separate file, disk, hard drive, or any other segregated collection of responsive material for any of the following:

(i) the material seized from Petitioner Richman’s personal hard drive pursuant to the warrant issued in this District on August 27, 2019;

(ii) the material seized from Petitioner Richman’s Columbia University email accounts pursuant to the warrant issued in this District on October 22, 2019;

(iii) the material seized from Petitioner Richman’s iCloud account pursuant to the warrant issued in this District on January 30, 2020; or

(iv) the material seized from the backup files of Richman’s Apple iPad 4 and Apple iPhone 5S pursuant to the warrant issued in this District on June 4, 2020? [my emphasis]

As Kollar-Kotelly alludes to elsewhere, these questions should have been answered before she made her original decision. But she doesn’t acknowledge that she would have needed this information, in part, to understand whether the first two seizures violated the Fourth Amendment, which — if they do — would mean her application of multiple precedents that all assume the initial seizure was lawful would be totally inapt.

But there are two reasons why even these belated questions are inadequate to her purpose.

First, as Kollar-Kotelly noted in her own opinion, which she cited via William Fitzpatrick’s opinion which in turn cited this FBI declaration, when the FBI searched all this data in September, they searched a full extraction of Richman’s phone and iPad.

For this search, an FBI agent was instructed to review “a Blu-ray disc that contained a full Cellebrite extraction and Reader reports” for two of Petitioner Richman’s devices to identify “conversations between [Petitioner Richman] and [Mr. Comey].”

As the full quote from the FBI declaration explained, when Francis Nero did that search, he received a Blu-ray sealed with red evidence tape.

On or about September 12, 2025, while assigned to the Director’s Advisory Team, I was requested by Special Agent Spenser Warren to review a Blu-ray disc that contained a full Cellebrite extraction and Reader reports of an iPhone and iPad backups. I was requested to review the Cellebrite extraction for conversations between RICHMAN and JAMES COMEY. SA Warren handled this agent a manilla envelope sealed with red evidence tape that contained the Blu-ray disc with the Cellebrite extraction.

We know this full extraction contained attorney-client communications. Kollar-Kotelly doesn’t ask, in her second question above, how privileged communications were treated back in 2019 and 2020. She needed to ask whether the FBI only scoped the data not covered by Richman’s privilege declarations (which is what happened, if they scoped it at all) or whether they gave him scoped materials on which to make privilege declarations. Whichever it is, though, there needs to be a question 3, because the government never had the right to search privileged materials (except, arguably, on the original image itself, because such searches were not yet explicitly prohibited).

More importantly, if Spenser Warren handed Nero the full extraction, then it doesn’t matter what happened in step 2 of Kollar-Kotelly’s question above, because the government simply searched, without a warrant, unscoped data that should have been destroyed. That red evidence tape may well be what the government did to ensure that the FBI didn’t snoop on unscoped data. If so, the smoking gun in this chain of unlawful seizures was the decision, by someone on the Director’s Advisory Team, to search unscoped data without a warrant. That’s not covered by Kollar-Kotelly’s questions at all.

The other reason Kollar-Kotelly’s questions are inadequate is because of this disclosure (which didn’t make Fitzpatrick’s opinion and so may not be before her).

5 The Order also required the government to provide, in writing, by the same deadline: “Confirmation of whether the Government has divided the materials searched pursuant to the four 2019 and 2020 warrants at issue into materials that are responsive and non-responsive to those warrants, and, if so, a detailed explanation of the methodology used to make that determination; A detailed explanation of whether, and for what period of time, the Government has preserved any materials identified as non-responsive to the four search warrants; A description identifying which materials have been identified as responsive, if any; and A description identifying which materials have previously been designated as privileged.” ECF No. 161 at 1-2.

Despite certifying on November 6 that it had complied with the Court’s Order, ECF No. 163, the government did not provide this information until the evening of November 9, 2025, in response to a defense inquiry. The government told the defense that it “does not know” whether there are responsive sets for the first, third, and fourth warrants, or whether it has produced those to the defense, and said that in that regard, “we are still pulling prior emails” and the “agent reviewed the filtered material through relativity but there appears to be a loss of data that we are currently trying to restore.” [my emphasis]

On November 9, in response to the same questions Kollar-Kotelly asked in her order but posed by Fitzpatrick, the government told Comey — but not in writing! — that they had no fucking clue what happened with the first, third, and fourth warrants, because something happened with Relativity, the software on which these distinctions would have been preserved. So they had to pull prior emails to figure out what the fuck they were doing searches on.

The government may still have no fucking clue what they’re dealing with, because they asked for a 48-hour extension on both their own deadlines.

Richman agreed to that delay but only if he also got an extension.

Counsel for Petitioner has informed the Government that he takes no position on this request, but respectfully requests that the Court provide Petitioner an equivalent extension of time to file his brief, see ECF No. 27 at 3, should the Court grant the Government’s motion.

Late yesterday, Kollar-Kotelly issued a docket order granting the government its two-day extension on the easier question — how to keep this data secure at EDVA — but just a two-hour extension to the harder deadline — what the fuck happened with this data. She did not, however, grant Richman an extension at all, so his response must now be filed two hours after the government’s response.

The Court is in receipt of the Government’s 28 Motion for Additional Time to Respond to this Court’s 27 Order for supplemental submissions, which the Government filed at 6:28 p.m. ET this evening. The Government’s 28 Motion is GRANTED IN PART and DENIED IN PART. The Government’s Motion is GRANTED as to the 9:00 a.m. deadline for the submission of “best practices on safekeeping evidence,” which is CONTINUED to 9:00 a.m. ET on Friday, December 19, 2025. The Motion is GRANTED IN PART and DENIED IN PART as to the Government’s deadline to respond to the factual questions presented in this Court’s 27 Order. The Government shall file brief responses to these questions no later than 12:00 p.m. ET on Wednesday, December 17, 2025. The Motion is otherwise DENIED. Petitioner Richman’s response deadline is unchanged.

Again, Kollar-Kotelly needed answers to these questions before she crafted the baby-splitting solution. Because if the original data was overseized and then not preserved in its scoped form (or if someone fiddled with Relativity in the interim to muddle what data was properly seized in the first search), then her application of DC precedent was inappropriate. At least some of this data was — as far as we know (though there may be other warrants) — always unlawfully seized.

That 2004 opinion Kollar-Kotelly wrote was an attempt to solve an enormous problem caused by unlawful government spying, but it served as the cornerstone for 11 more years of unlawful government spying. This particular baby-splitting solution may lack the gravity of that earlier opinion, but in its currently muddled form, it has the potential to cause another decade of problems.

Update: DOJ’s response is here. They actually admit to the problem with Relativity (though don’t name Relativity and try to obscure the timing of DOJ dropping it, which almost certainly has to post-date the January 6 investigation).

These responses are provided with the qualification that the search warrants were obtained five and six years ago.

[snip]

Search warrants directed at these materials were issued by the United States District Court for the District of Columbia. These warrants included language for following a filter process for attorney-client privileged information. As to the iCloud account and backup files for the iPad 4 and iPhone 5S, these materials were combined and provided to Richman and his counsel for filtering. The filtered version was then provided back to the government for review. Correspondence reviewed by the present investigative team indicates that the primary case agent then committed to reviewing the filtered version through an e-discovery program. Between 2020 and 2025, the Department of Justice stopped using this e-discovery program and a loss of data occurred. The government has attempted to restore this data but has not been successful.

The government has contacted the primary case agent. The primary case agent stated that he always followed and complied with the terms of a search warrant, and that his behavior in this case would have been no different. However, due to the passage of time [redacted], the primary case agent could not specifically describe the process followed in 2019 and 2020.

In a redaction in this passage and an earlier one (for which DOJ appears not to have filed a motion to seal), they must describe something that happened to the original lead case agent. That is, for some reason he can’t fully reconstruct what he did five years ago.

And they have yet to reconstruct what was lost in dropping Relativity.

In short, they’re basically saying these warrant returns are so old, neither the person who managed them nor the software paid to preserve them are available to do so any longer.

Their solution to that, DOJ says, is for them to have a filter AUSA and a filter Agent review it all to find out if there is a segregated version within the larger set.

Finally, as to the materials described in this section, the government respectfully requests that the Court allow a filter FBI agent and a filter AUSA to review only the previously filtered versions, which, according to FBI records, are contained on the relevant storage devices. The purpose of this limited review would be to determine whether any sort of segregated version of responsive material exists on the storage devices.

This should change Kollar-Kotelly’s entire approach. DOJ confesses they have no fucking clue whether the data they have is legal or not.

But it likely will not.

Update: Richman’s response is here. It goes big, demanding that all materials be taken away from the government.

The FISA 702 Canard at the Core of Trump Debates

By now you’ve heard about Peter Thiel’s batshit column, in which (with no explanation) he suggests Trump’s second term might bring about an apocálypsis that his first term did not, a revelation of all the secrets that, Thiel claims, “the media organisations, bureaucracies, universities and government-funded NGOs” have been keeping.

Among the secrets Thiel thinks Trump will tell in his second term that he did not in his first are:

  • Who else — potentially including “Fidel Castro, 1960s mafiosi, the CIA’s Allen Dulles” — worked with Lee Harvey Oswald to kill JFK.
  • How longtime Trump and Elon Musk friend Jeffrey Epstein died in a prison overseen by Bill Barr, whose family ties with Epstein go back even further.
  • Whether Anthony Fauci secretly believed and covered up that, “Covid spawned from US taxpayer-funded research, or an adjacent Chinese military programme?”
  • The Joe Biden Administration’s hypothetical involvement in Brazil’s decision to uphold its data sovereignty, an Aussie law imposing age limits on Internet use, or the UK’s prosecution of violent rioters whom Thiel describes as guilty of no more than speech.
  • Whether Charles Littlejohn’s leak of Trump’s and others’ tax records was anomalous or whether the same thing happened to Hunter Biden. (I kid. Of course he ignored that it happened to Hunter.)
  • What’s behind a “50-year slowdown in scientific and technological progress in the US, the racket of crescendoing real estate prices, and the explosion of public debt” (in the same way he ignored that Hunter’s tax records had been leaked, Thiel also ignored how easy it would be to fix public debt if he and his buddies paid their fair share in taxes).

Nutty, right?

And right in the middle of these fevered conspiracy theories, intelligence contractor Peter Thiel wondered whether there’s such a thing as a right to privacy at all so long as Congress keeps reauthorizing FISA Section 702 under which the FBI continued to have violative queries incorporating US Person identifiers all the way through the Trump first term and in queries done as part of the January 6 investigation.

And on that same day, Tulsi Gabbard issued a statement reversing her opposition to Section 702, and in the process won the support of James Lankford and presumably some other hawkish Senators.

If confirmed as DNI, I will uphold Americans’ Fourth Amendment rights while maintaining vital national security tools like Section 702 to ensure the safety and freedom of the American people. My prior concerns about FISA were based on insufficient protections for civil liberties, particularly regarding the FBI’s misuse of warrantless search powers on American citizens. Significant FISA reforms have been enacted since my time in Congress to address these issues.

And all these Senators, reassured that Tulsi will continue America’s best spying advantage, will ignore all the other reasons she’s wildly unsuited for the position.

Thiel is not alone in naively investing his hopes of ending surveillance in ending 702. A slew of privacy activists have focused there, too.

It’s like none of these people remember that people close to Trump used Israeli surveillance contractor Black Cube to spy on Barack Obama’s Iran deal negotiators, Colin Kahl and Ben Rhodes.

It’s like none of these people remember that Trump had DHS — which has fewer protections for US persons than the FBI does and which was run by a Trump flunkie — surveil journalists covering the Portland riots.

It’s like none of these people have thought through the implications of Trump’s baseless claim that Hizballah was somehow involved in January 6, which is that all the people already identified who participated in the riot will be searched under 702 for ties to Iran; searching for ties to foreign terrorist groups is literally the initial use case for 702.

It’s like none of these people have thought through the implications of the immunity ruling, which would mean that Trump could spy on Daniel Ellsberg’s shrink or even his Democratic opponents, and John Roberts would still let him off the hook.

It’s like none of these people have yoked that reality to Trump’s chumminess with most of the most prolific sources for Section 702 — Facebook and Google, probably Amazon — providing him a way to get what he wants directly (to say nothing of whatever DMs Elon might find to be interesting), targeting the actual Americans rather than the people overseas with whom they interacted.

Craziest still, Thiel presents the concern that the government will continue to partner with companies run by Tech Bros like Peter Thiel and Elon Musk and Mark Zuckerberg and Tim Apple and Sundar Pichai to surveil the world (likely with the help of Palantir software) as some great conspiracy theory. But he doesn’t realize — or wants to pretend — that he and his Tech Bro buddies are the key villains here.

Do tell us your secrets, Peter. But first, come to grips with the fact that you are the conspiracy you’re wailing about.

[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

FISC Rules that [Redacted] Is Not Subject to FISA 702 for One of Its Services

Last week ODNI declassified two FISA Court opinions pertaining to Section 702. The first was a 2022 FISA Court opinion (which dates to sometime after April 2022 orders were signed) written by Presiding Judge Rudolph Contreras. The second is a 2023 per curiam opinion (David Sentelle, Robert Miller, and Stephen Higginson) affirming the original Contreras one.

While the exact details of the appeal are heavily redacted, it’s clear that the opinion pertains to the definition of Electronic Communications Service Provider under the law. As a reminder, under 702, the government can give a US-based ECSP a “directive” ordering not just content, but also technical assistance. In general, such directives apply to both data in motion (so telecoms) and data at rest (so cloud providers).

One thing the opinions make clear is that the service provider provided at least two categories of service. The service provider seemed to only challenge one of those two categories of service and willingly accept directives for another. The FISCR opinion lays out that the definition of ECSP must be applied on a service to service basis.

A reexamination of subparagraphs (A), (B) and (C) confirms that it is the service being rendered-and nothing else about the provider-that is the crux of each definition. For “provider of electronic communication service,” and “provider of remote computing service,” only the specified communication service is statutorily defined. See 50 U.S.C. § 1881(b)(4)(B) (relying on the definition of “electronic communication service” at 18 U.S.C. § 2510(15) to delineate providers of such); 50 U.S.C. § 1881(b)(4)(C) (relying on the definition of “remote computing service” at 18 U.S.C. § 2711 to delineate providers of such). Although the term “telecommunications carrier” is itself statutorily defined, that definition similarly relies on the definition of “telecommunications services,” except for one exclusion. See 47 U.S.C. § 153(51) (“‘[T]elecommunications carrier’ means any provider of telecommunications services, except that such term does not include aggregators of telecommunications services . …”); 47 U.S.C. § 153(53) (defining “telecommunications service”).

[snip]

What matters is the service that is being provided at a particular time (or as to a particular piece of electronic communication at a particular time), rather than … the service provider itself.” (internal quotations omitted)).

The issue, for the second service, seems to pertain to whether the service provider had access to the comms in question — whether in motion or at rest; such a dispute may be a question of encrypted communications to which the provider did not have access.

Contreras’ opinion treats each type of ECSP, data in motion and then data at rest, to determine that for the service in question (but not for others the service provider offers) it is not an ECSP under Section 702.

Notably, a key part of the first part of Contreras’ analysis (on data in motion) relies on two opinions about cell phones.

see also Garcia v. City of Laredo, 702 F.3d 788, 793 (5th Cir. 2012) (a cell phone “does not provide an electronic communication service just because the device enables use of electronic communication services” (emphasis in original); Loughnane v. Zukowski, Rogers, Flood & McArdle, No. 19 C 86, 2021 WL 1057278 at *4 (N.D. Ill. Mar. 18, 2021) (“a smartphone … does not provide the end-user the ability to send or receive wire or electronic communications;” it “merely enables the end-user to employ a wire or electronic communication service . . . which in turn provides [that] ability”) (emphasis in original).

And a later passage also pertains to personal devices.

Nonetheless, most courts have found that personal devices used to access web-based email services or similar communication platforms are not facilities through which an ECS is provided.

Under the second part of his analysis, Contreras focused on whether the service provider had access to communications (again, a discussion that might be consistent with encryption). In that section, there’s this curious discussion of the June 2021 Van Buren decision that limited the application of the Computer Fraud and Abuse Act, which pivoted on authority to access.

Van Buren interpreted a statutory provision that describes the elements of a crime. It is natural for “access” in that context to be confined to (wrongfully) entering a computer system or parts thereof. It would not sensibly extend to the opportunity or ability to enter a system, without actually doing so, just as it would not make sense for a passerby to be liable for trespass because he walked by an open door without going in. But it strikes the Court that, in other, even computer-related contexts, “access” could be used as a noun (as it is in Section 701(b)(4)(D)) to refer to the ability or opportunity to enter: “Frank has access to the database but he has not logged into it yet.”

FISCR likewise invoked the definition of access under Van Buren.

Context reinforces this understanding. See, e.g., Van Buren v. United States, 141 S. Ct. 1648, 1657-58 (2021) (“When interpreting statutes, courts take note of terms that carry ‘technical meaning[s].’”). In Van Buren, the Supreme Court observed that “‘[a]ccess’ is one such term, long carrying a ‘well established’ meaning in the ‘computational sense’ - a meaning that matters when interpreting a statute about computers.” Id. at 1657 (citation omitted).

Close to the end of the FISCR opinion, it seems to definitively define ECSP based on this access principle.

If an entity does not provide a communication service through which it has “access to wire or electronic communications either as such communications are transmitted or as such communications are stored,” 50 U.S.C. § 1881(b)(4)(D), it is not an ECSP as defined by subparagraph (D), [half paragraph]

Then, FISCR notes that 702 is up for reauthorization this year, so if the government doesn’t like this principle, it can go ask Congress to change it.

Some company successfully argued that if they don’t have access to your data, they can’t be compelled to provide US spooks assistance to get to it.

Between the Annual Release of FISA Statistics and the Release of the FISA 702 Opinion, FBI Rolled Up Turla

I’m curious about the timing of the release of the FISC 702 opinion, dated April 21, 2022, approving Section 702 certificates that would last until April 21, 2023. I laid out a Modest Proposal in response to that opinion here.

In the past, the government has often released the prior year’s FISC opinion around the same time as it releases all the FISA transparency reports, which it released this year on April 28, 2023. But ODNI didn’t release the opinion itself until May 19, eight days after the FBI released a FISA-related audit that covers many of the same violative queries laid out in the FISC opinion and three weeks after the other transparency filings. The delayed release resulted in the release of significantly overlapping bad news twice, a week apart, at a time when the spooks already face an uphill climb to get 702 reauthorized before the end of the year.

One possible explanation for the delayed release is that there was a one-month delay in reapproval of new 702 certificates, meaning that ODNI held back the opinion until such time as a new opinion had replaced the old one.

But as I read, especially, a separate opinion released along with the 702 one, I couldn’t help but note that between the date when ODNI would customarily release the prior FISC authorization and the date it did, FBI rolled up the Turla malware.

May 4, 2023: Search warrant affidavit

May 8, 2023: Planned operation

May 9, 2023: DOJ press release, NSA press release, Joint Cybersecurity Advisory

When I wrote my post on the operation, I laid out how, starting in 2016, the FBI had learned how Turla worked via voluntary monitoring of US-based victims from whose servers the malware was launching attacks in other countries.

A key part of the affidavit’s narrative describes that monitoring process. The FBI discovered that Turla compromised computers at US Victim A in San Jose, which let the FBI monitor how the malware worked. Using US Victim A, Turla compromised US Victim B in Syracuse, which in turn let the FBI monitor what happened from there. Using both US Victims A and B, Turla compromised US Victim D in Columbia, SC, which in turn let the FBI monitor traffic. Using Victim B, Turla compromised US Victim C, in Boardman, OR, which in turn let the FBI monitor traffic.

Over seven years, then, the FBI has been monitoring communications traffic from a growing number of US victim companies that Turla used as nodes. The affidavit emphasizes that these sites were used to attack overseas targets — like the presumed German and French targets mentioned in the affidavit. Aside from the journalist working for a US outlet (who could be stationed overseas), the affidavit doesn’t mention any US collection targets. Nor does it explain whence Turla targets US collection targets.

But there were two or three companies that refused to allow the FBI to engage in consensual monitoring of their victimized servers: Victim-E, Victim-F, and Victim-G, all of which were discovered in 2021 or 2022 (Victim-F went defunct and destroyed its computers).

According to the FBI search warrant, then, it launched a global operation to roll up the Turla Snake’s many nodes around the world without the benefit of at least two US-based nodes from which it could discover other victims. That didn’t make sense to me.

The other FISA opinion released with the 702 one sought authorization to conduct physical surveillance of two locations in the US used by an agent of a foreign power; the government uses physical surveillance to obtain data at rest on a server. DOJ first submitted the application in early 2021. FISC appointed former cybersecurity prosecutor and current tech attorney Marc Zwillinger and retired EDNY Magistrate James Orenstein as amici and conducted several rounds of briefing and a hearing. Orenstein would have still been a Magistrate in EDNY when the grand jury behind this operation was seated there in 2018; he retired in 2020.

The heavily redacted opinion itself is pretty short — just 6 pages. It explains that “the Court has little difficulty finding probable cause to believe that the intended targets … are agents of a foreign power.” It had a harder time with two other issues, though: proving that the premises to be searched “is or is about to be owned, used, possessed by … that foreign power.” Suggestions from Zwillinger and Orenstein provided limits to the order such that FISC presiding Judge Rudolph Contreras could meet that standard.

The government also noted that the data in the targeted location “might not be owned or used by” the agents of the foreign power in question. Contreras imposed a 60-day deadline for the government to destroy everything that was not.

With those limitations, Contreras approved the FISC order on September 27, 2021.

Both of these issues are common ones in cybersecurity surveillance. Hackers hijack others’ servers, and from that sanctuary, victimize others. And then hackers transport data that are the fruits of theft, not communications about such a crime, via these nodes. So one way or another, the opinion sounds like it could pertain to cybersecurity surveillance. The timing is what makes me wonder whether the order was withheld until the end of the Turla operation.

Zwillinger and Orenstein were appointed as amici in 2022 as well.

Note, there’s a technique that got authorized in the 702 opinion, first proposed in March 2021, which involved two different amici, Georgetown Professor Laura Donohue, who asked for the assistance of Dr. Wayne Chung, the Chief Technology Officer of BlueVoyant, a cybersecurity company. That discussion is even more heavily redacted. But the issues debated appear to include:

  • Whether the thing obtained using 702 was included in the definition of intelligence permitted for collection
  • Whether the assistance required in the US came from an Electronic Communications Service Provider (Victim A from the Turla operation was located in San Jose, and the Victim G that refused to cooperate was described as a cloud service provider located in Gaithersburg)
  • Whether the assistance from the ECSP is covered by 702
  • Whether the intended use of the information fit the definition of querying
  • Whether NSA should have used another provision of FISA
  • Whether all the targets were overseas
  • What kind of minimization procedures would be required for the kind of information that would be obtained

The 702 application is even more obscure than the physical search one. But if the latter pertains to Turla, it’s not inconceivable that the former does too.

A Modest Proposal to Fix FBI’s FISA 702 Woes

There’s an easy way to fix the FBI’s FISA 702 woes: Simply provide a way for FBI to obtain probable cause warrants — from the FISA court, if need be — for any 702 data it wants to be able to query. Armed with those probable cause warrants, virtually all the queries that have been deemed violations in recent years will be compliant with the Fourth Amendment.

The FBI can go back to doing queries on all this information without having to worry about oversight on the back end.

Problem solved, Scoob.

Section 702 of FISA is up for reauthorization this year. Partly because Republicans are upset that Donald Trump is the serial subject of criminal investigations, and partly because a series of changes to FBI’s querying of 702 data has made FBI’s querying process (of all data) visible for the first time, resulting in persistent violations of the new querying standard, whether and how it will be reauthorized is going to be very contentious. The two sides are talking past each other and proposing yet more tweaks that won’t address two underlying causes to the problem. But my solution is an easy fix and will make all the current problems go away!

Don’t get me wrong: I think all sides would hate this solution. It would result in more surveillance and more criminal investigations of US persons. But it would solve the problem everyone thinks they have.

For the FBI, it would mean this material will become discoverable to potential future defendants. For civil libertarians, it would mean the FBI would revert to the status quo of about 2015, doing millions of usually fruitless queries on every assessment they did. But it would solve the legal problem before Congress. Which is a pretty good hint that the legal problem before Congress is not going to address the underlying reasons for the problem — and some potential solutions will make the underlying issues worse without serving US security.

I make my Modest Proposal for three reasons:

  • Virtually everyone engaged in the current debate is engaged in bad faith, because everyone has an incentive to ignore the fact that the violative queries are the way the program was designed from the start and the way the FBI runs everything else.
  • This Modest Proposal will demonstrate the degree to which current debates are ignoring two underlying problems, the way The Wall between intelligence and criminal evidence was eliminated in the wake of 9/11 and the degree to which the FBI runs on massive troves of data.
  • My Modest Proposal represents FBI’s likely response to current proposals for individualized warrants on query targets, rather than collection targets (indeed, some of this has already happened), so it’s a way for people to contemplate the obvious outcomes of the current impasse, including more spying on Americans with less oversight.

The system underlying Section 702 arose because the FBI missed the 9/11 terrorists and in the panic that ensued, the Bush Administration decided it needed to identify everyone in the US with ties to known or suspected terrorists overseas. The program operated illegally as part of Stellar Wind for several years. In 2004, Jack Goldsmith imposed some limitations (some of which remain secret and misunderstood). In 2005, James Risen and Eric Lichtblau started revealing what Stellar Wind had been. Between 2004 and 2008, the content collection part of Stellar Wind was legalized, first as the Protect America Act and then as Section 702. In both the public debates over that legislation and in a Yahoo challenge to its first PAA order, the Administration and a few members of Congress obscured — even lied — about the underlying intent to use the program to identify associates of targets in the United States. Then Snowden made what was already public public (along with the names of the then-recipients of standing orders). And in the years since, each FISA 702 certification has made more of this reality visible to the FISA Judges, who almost every year get all outraged and then nevertheless reapprove the program (in part, because both 702 and FISA applications don’t require the things that would really give FISC judges the means to implement real fixes).

I have laid out in recent years how this process has not worked and why we’d have the shitty opinion (again, this opinion is a year old) that we got, in part because it was obvious that Bill Barr was not making substantive changes:

The underlying problem is this: The point from the start was to allow the FBI to see who inside the United States had ties to first, suspected terrorists and then, people of intelligence interest (which includes but is not limited to suspected spooks, hackers, and weapons proliferators) overseas. It’s a great idea! But it also resulted in the FBI routinely searching on content obtained without a warrant with the intent of identifying the communications of Americans, a clear violation of the intent of the Fourth Amendment, but also what Congress and Presidents have demanded the FBI do to prevent another 9/11 or similar surprise.

On Friday, the DOJ released an opinion approving the delayed authorization of certificates first filed in October 2021 (months after my prediction that this process would continue to fail) that showed the FBI continued to commit egregious violations of the then-existing querying guidelines. (One problem with the 702 process is both the violations and the opinions have a significant lag time, and the lag time here has predictably led Republicans to blame Merrick Garland for violations that happened because Bill Barr — who is the grandfather of this entire system — didn’t make radical enough fixes in 2019.) Of specific note, it showed that the FBI had done queries in conjunction with the summer 2020 unrest, the January 6 attack, and a losing political campaign known to be targeted by a foreign intelligence service. That’s bad! In several cases, though, there was some foreign component to the investigation (indeed, three of the January 6 targets did find material, which is only supposed to happen if there’s some spooky tie, but it’s a violation because the FBI personnel in question didn’t know of those spooky ties in advance).

Numerous of the violative queries are actually pretty good uses of 702. In predicated criminal investigations against narcotics traffickers, for example, it’d be useful to learn of any unsuspected ties to an international trafficking network. In predicated domestic terrorism investigations, it’d be useful to know whether suspects are getting help or have associates hiding out overseas (as multiple people in the January 6 investigation are known to have); indeed the notion that we shouldn’t know this with white terrorists when we spent decades assuming we had to know it with brown terrorists is racist. In vetting people for clearance or use as informants, it’d be useful to know if they’ve got past ties to foreign spooks. But the way the current standard works, you’ll only be able to look if you already suspect such ties. As a result, the standard for associative querying is now far higher for international criminals than it is for domestic ones. In a globalized world, that seems like a stupid state to be in. But it’s also the result of ingesting a lot of content into FBI servers without a warrant.

Which brings me to one of the underlying problems this debate is not addressing: The FBI runs on databases. Back during the hellacious USA Freedom Act debates, I argued that all sides should work on a collect-and-query standard to the Fourth Amendment, one that reflected both the real privacy impact of what was dismissed as “just metadata” collected and stored in large volume, and to account for the vast amount of content collected and stored for years via search warrants. What we’re seeing described as violative queries are really just descriptions of how FBI analysts work — how they’ve been ordered to work since 9/11. Got some new identifiers in a narcotics investigation? Stick them into the database and see what you find! Investigating a new suspect in a domestic terrorism case? Stick his identifiers in the database and see what you find!

A dirty little secret is that, with three exceptions I can think of, the privacy impact on a US person by searches done on vast stores of material obtained with a warrant is not that different from searches done on vast stores of material on foreigners obtained via Section 702. It’s going to matter if the subject has incriminating or interesting ties to a past subject of surveillance, but because of the negligible cost of doing a search, millions of searches get done with no results. Most of the violative queries, in fact, result in nothing (which is one reason they went on for so long without attracting more attention).

One exception is that US law has entirely different standards for terrorism involving foreign organizations, including that people can be prosecuted for what in the domestic terrorism context would be protected by the First Amendment. Searches on content have repeatedly led to foreign terrorist investigations — though several appeals courts have reviewed such searches and found no big deal to them. Friday’s opinion cited all three in judging that the 702 program complies with the Fourth Amendment. Given the FBI’s success combatting domestic terrorism without such crutches, given the greater impact of domestic terrorism of late, we should reconsider the asymmetry of foreign terrorism investigations.

A second exception is that so much of our commerce is with China, but so much of China’s spying is economic, that US persons with legitimate economic ties to China undergo a great deal of scrutiny. There’s good reason to believe a number of US persons have been targeted for criminal investigation as a result, some in cases that have blown up in spectacular fashion.

A third exception is that the FBI uses (or probably, used) such searches to identify potential informants. And way back in 2002, John Yoo justified identifying derogatory information (like domestic abuse or rape) that had nothing to do with terrorism but could nevertheless be used to coerce someone to become an FBI informant. So there are definitely cases where someone will be coerced by the FBI not because of any crime they’ve committed (or at least, not because of any international crime), but because the FBI finds their network to be interesting and wants to get that person’s “cooperation” to learn more about it.

Side note: one premise of the Durham Report is that the use of informants, which the FBI considers a really low-impact investigative step, is actually really intrusive. I still believe nothing good will come out of the Durham Report, but a public debate about how intrusive the public and Congress believe the use of informants to be, which is dramatically different from what the FBI thinks, and which could lead to an adjustment of how it is treated in FBI’s Domestic Investigations Guide, would be one such good outcome.

Because only the target of a warrant has a Fourth Amendment interest, tons of communications of innocent people get swept up with every warrant, just as tons of communications of innocent people get swept up with every 702 directive. But as FISC imposes new requirements on FBI queries, the latter has started to be treated with far greater protection than the former. That makes sense from a legal perspective (because the former was collected with a probable cause warrant but the latter was not), but not from a privacy perspective. The privacy community has spent years getting worked up about the 702 queries while largely ignoring the privacy impact of all the other data on which these very same queries are run.

Another dirty little secret is that FISA allows the privacy community visibility on FBI behavior that the privacy community has to do a lot more work to get in the criminal context. So every three years the privacy community has an opportunity to make a big stink and raise money from donors, all while very similar criminal data is being queried zillions of times a year with little notice.

Which leads me to the second underlying problem here, The Wall. Whether true or not, one reason spooks used to excuse their failure to prevent 9/11 is that they weren’t permitted to use data collected using intelligence authorities in criminal investigations (which, in turn, made it harder to use intelligence information to coerce informants). So FISC was forced to permit the use of information collected using individualized FISA orders in criminal prosecutions (which only happens around ten times a year). But that approval was grand-fathered onto 702 collection. Because the FBI has a dual intelligence/law enforcement role, it was permitted to ask for a small percentage of the content collected under 702. But for years, that content got sucked into FBI databases and treated just like all the other content they had ingested, with the result that 702 content was queried zillions of times in usually fruitless searches a year. It is absolutely the FBI’s job to hunt down foreign hackers, terrorists, or spies using 702 data. But when those foreign hackers, terrorists, or spies network with Americans, because of the way The Wall came down after 9/11, that 702 data can be used to predicate investigations against Americans.

The legal contortions around justifying the way the barrier formerly known as The Wall came down have gotten really remarkable, always premised on the notion that what’s outside the US has national security implications but what’s inside does not. Again, in a globalized world — especially one in which domestic terrorism is a bigger threat than international terrorism — that’s a ridiculous stance. The stance arises from the definition of Presidential (and Executive) power, not from threats to the country.

The privacy community has decided they’re going to fight for an individualized warrant for every query, including “queries” that are part of combatting cyberattacks (including cyberattacks against corporate entities), which is what the IC credibly claims they’re increasingly using 702 for. They’re asking for this standard even though the FBI doesn’t have to get individualized warrants for queries of material obtained with a warrant.

My Modest Proposal would instead require the FBI to get a probable cause criminal warrant on the collection targets themselves for everything they otherwise would get under 702, targeted at the intelligence target, rather than the query target before they can query it. But once they’ve done so, they could put it in the same bucket on which the FBI does their zillion searches every year. Because, after all, at that point it would become the same kind of data. The FBI could keep other 702 data on entirely separate servers for use only with regards to the FBI’s foreign targets. There already is one such server at the FBI, because the FBI hasn’t been able to do drop down menus to record the purpose of queries to comply with the evolving query requirements.

I suspect that my Modest Proposal might be what results if this debate blows up — though it might happen with little notice. I say that because that’s precisely what has sometimes happened in the past when authorities surrounding surveillance techniques used in counterterrorism were made more onerous. Back in 2014, FISC required a higher standard to obtain prospective cell site location data than a number of states would, so in some cases, the FBI would choose to use criminal process rather than FISA process. Similarly, the reason the FBI never needed to rely on the Section 215 phone dragnet to find suspected terrorists in the US is that phone records are really easy to get in the US, and the FBI could accumulate enough of those phone records to get the coverage they needed. The number of individualized FISA orders has similarly dramatically shrunk after the Carter Page fiasco — but that surveillance didn’t go away, it just went somewhere else, and much of that spying can be via other authorities.

Much of the content that the FBI obtains under 702 is cloud data from US providers, and the FBI has been able to do entire foreign focused national security investigations using criminal process, such as when the FBI indicted GRU hackers using much the same criminal process used to successfully prosecute Vladimir Klyushin. At least with regards to cloud providers, what you can’t get from a probable cause warrant, but that you get from 702, is prospective coverage, with new communications coming in on a timely basis in real time. But DOJ gets a shit-ton of stuff when they obtain warrants for cloud providers.

Such a Modest Proposal might require a kind of programmatic warrant — say, targeting all of GRU’s known identifiers. This kind of programmatic targeting was likely used for Section 215 when Obama imposed pre-approval for those queries. There would just be lots more of them. You’d have to create a FISC Magistrate to deal with the volume.

One more thing has changed in recent years that would make this feasible — which change would accelerate if the FBI had to use probable cause warrants to get the same data they’re currently getting under 702: The FBI has focused on a variety of crimes — foreign agent laws, sanctions violations, and cryptocurrency enabled crimes — that’d be the kinds of crimes they’d use if forced to get probable cause warrants on targets. If they were forced to go this route, there’d be more open investigations into people, including US persons.

It would ensure that data searched in any of the FBI’s zillion yearly searches was obtained using a warrant. But it wouldn’t at all limit the number of Americans exposed to such searches. And it would wildly limit the oversight on such searches.

The Yahoos in Brazil Identified in Sergey Cherkasov’s Complaint

There’s a detail in Greg Miller’s profile of Sergey Cherkasov, the Russian accused of posing under an assumed Brazilian identity and using a SAIS degree to get an internship at the ICC, that confirms something I’ve long assumed: the US has had a hand in the recent roll-up of Russian spies, mostly in Europe.

He was due to start a six-month internship there last year — just as the court began investigating Russian war crimes in Ukraine — only to be turned away by Dutch authorities acting on information relayed by the FBI, according to Western security officials.

[snip]

His arrest last April came at the outset of an ongoing roll-up of Russian intelligence networks across Europe, a crackdown launched after Russia’s invasion of Ukraine that officials say has inflicted greater damage on Kremlin spy agencies than any other effort since the end of the Cold War.

The FBI and CIA have played extensive behind-the-scenes roles in this wave of arrests and expulsions, according to Western officials.

As Miller describes, the Dutch realized that Russians stationed in the Hague were preparing to welcome a new agent, but by then, the US already had an incredibly detailed dossier on him.

On March 31, as he boarded a flight to Amsterdam, neither Cherkasov nor his GRU handlers seemed aware of the net closing in on him. By then, the Dutch intelligence service had picked up its own signals that the Russian Embassy in The Hague was making preparations for the arrival of an important new illegal, according to a Western security official.

Authorities in the Netherlands then received a dossier from the FBI with so much detail about Cherkasov’s identity and GRU affiliation that they concluded the bureau and the CIA had been secretly monitoring Cherkasov for months if not years, according to a Western official familiar with the matter.

Until DOJ charged him last week, this had been largely a European story, with Dutch intelligence crowing about their success at foiling his plans and Bellingcat serially unpacking his public life (though CNN published this story at the time). Significantly, the Dutch published his legend and an explanation of how it might be used, with translations into Dutch and English from the original Portuguese.

As noted below, the US would later source its own possession of the legend to devices seized from Cherkasov on arrest in Brazil.

However, as Brazil gets closer to extraditing Cherkasov back to Russia on a trumped up narcotics trafficking charge, the US stepped in to make their own claim with the criminal charges: multiple counts of fraud, as well as acting as an unregistered foreign power. It’s not yet clear how Brazil will respond to the competing charges. Contrary to some reporting on the charges, DOJ has not yet indicted the case. The complaint has not yet been docketed.

Which is why I wanted to look at the sourcing for the complaint.

Many of the sources in the complaint come by way of Brazil, temporally after the Dutch deported him and the Brazilians arrested him, and so long past the time the US shared “a dossier” from the FBI reflecting months if not years of review. Brazil-sourced evidence includes:

  • A picture taken on Cherkasov’s 2011 immigration into Brazil
  • His Brazilian birth certificate
  • The details behind Brazil’s identity theft charges
  • Items collected — as if for the first time — from devices Cherkasov had with him when he arrived in Brazil, including:
    • The hard drive
    • Thumb drive 1
    • Thumb drive 2
    • Thumb drive 3, including:
      • March 2022 emails of unknown provider with details about a dead drop
      • Details about his dead drop site
      • March 2022 emails about paying for false Portuguese citizenship
      • March 2022 emails about establishing a meeting place
    • Samsung Galaxy Note phone
      • His mother’s Kaliningrad contact
      • 90 contacts with someone whose Telegram account and VKontakte account lead to a 2011 picture of Cherkasov in military uniform and a 2008 picture with friends
      • Contacts from one of those friends to a posted picture in military uniform (a picture also shown in the original Bellingcat profile)
  • Devices collected from the dead drop shared by Brazilian authorities
  • Correspondence between Brazil and Russia about Cherkasov
  • Audio messages between Cherkasov and his fiancée from immediately after his arrest in the Netherlands
  • Post-arrest communications between Cherkasov and his one-time fiancée, at least some of which were photographs of hand-written notes
  • Validation of Cherkasov’s ID in certain photos from FBI agents who met him in 2022 (though these meetings are not explicitly described to have taken place in Brazil)
  • A Bellingcat story debunking the Russian narcotics charges against Cherkasov

The focus on the phone, especially, cites evidence that would be fairly easily collected via other sources, but attributes that evidence to analysis the FBI did only downstream from the Brazilian arrest, and with the assent of Brazil. The complaint doesn’t explain whether these devices were encrypted or even what messaging applications were used, at least on the thumb drives including communications with his handlers. But there’s at least some reason to believe Brazil let FBI take the lead on exploiting those devices.

To be sure, there are items that the US could have collected in the US, whether before or after Cherkasov flew to the Hague, such as an Uber receipt timed to his travel to the dead drop in Brazil and IP addresses tied to US-based cloud providers like Yahoo and Google. Just once does the complaint reference using legal process — a 2017 video from a Moscow airport restaurant, obtained using legal process, reflecting Cherkasov saying goodbye to his mother — though it doesn’t describe what kind (it sounds like it could be iCloud content).

Still, the emphasis on material obtained with subpoenas and investigative steps done while Cherkasov has been in Brazilian custody — whether or not that was the first that FBI obtained such evidence — is one reason I’m interested in the outliers.

This is a document that could form the basis to extradite Cherkasov to the US — it seems more than sufficient to make that case. But it’s also a document that might reflect on the kinds of investigations that have contributed to efforts to roll up spies outside of the US.

First, there are details about communications that Cherkasov had, while studying at Trinity College in Ireland and so not a US person at all — via known Section 702 participant, Yahoo!!! — with a tour agent who wrote recommendations for Cherkasov then later worked in Russia’s Consulate General and, apparently, the General Consul himself.

CHERKASOV used the Yahoo 1 Account on multiple occasions to contact individual “C2” who was communicating with CHERKASOV from Brazil. C2 communicated with CHERKASOV on numerous matters, including financial matters, between at least July 22, 2016, and December 27, 2019. According to a translation of C2’s curriculum vitae, C2 worked in Brazil at “The General Consulate of the Russian Federation,” for “General Consul [M.G.]”

[snip]

35. Other emails show C2 took direction from another person, M.G., about financial payments that C2 sent to CHERKASOV. In correspondence between C2 and M.G., C2 refers to M.G. as “Mikhail” and the email address is identified in C2’s contacts as “MikhailRussia.” For example, on or about November 30, 2016, C2 forwarded M.G. correspondence from CHERKASOV that indicated another payment to CHERKASOV was imminent. M.G. responded by sending an email to C2 instructing C2 to make a payment to CHERKASOV: “Friend; thank you very much. Let’s do another one on the 14th of December.” According to further correspondence, CHERKASOV was able to receive the original transaction intended via MoneyGram. However, after corresponding to CHERKASOV that C2 would attempt to make transactions via Western Union the following day, financial records indicate C2 attempted to make two separate transactions via Western Union shortly after on December 16 and 18, 2016, for $842.65 and $867.55, respectively, but the funds were never transferred to CHERKASOV. CHERKASOV corresponded on December 19, 2016, that Western Union would not work properly and moving forward, the transactions should be made via Moneygram. C2 corresponded back to CHERKASOV on December 20, 2016, that C2 had sent €750 again via Moneygram to CHERKASOV.

36. C2 also stated in other emails that C2 previously owned a travel agency in Brazil, and that the Russian Federation was one of C2’s best clients. C2 later moved to the Russian Consulate after C2 closed the travel agency.

37. On or about March 8, 2017, C2 wrote a letter of recommendation for CHERKASOV for a university located in Canada. In the letter, C2 indicated FERREIRA worked as a travel consultant for C2 from May 2014 until March 2017, and as a senior event manager in

It’s possible that something Cherkasov did while at SAIS triggered a larger investigation that worked its way back to two likely Russian spies in Brazil. It’s also possible that the investigation started from known subjects in Brazil and thereby discovered Cherkasov.

But one thing these two references do — aside from identifying the travel agent later made part of the official Russian delegation, aside from making Cherkasov’s tie to Russian government officials necessary for the 18 USC 951 charge — is put both Brazil and Russia on notice that the US is aware of these two suspected intelligence officers who were or are in Brazil.

Both C2 and the Consul General would have been legal targets for the entirety of the period in question and (as noted) Cherkasov was while he was in either Ireland or Brazil.

Another of the relatively few pieces of evidence unmoored from the Brazil arrest pertains to collection Cherkasov shared after taking a SAIS trip to Israel. The details around the reporting — the single-use email directing Cherkasov to fly to the Philippines to meet — definitely give the story spy drama.

Just as interesting, however, are the descriptions of the identifiable US (and Israeli) subjects targeted by Cherkasov’s collection.

45. On or about January 16, 2020, CHERKASOV, using his D.C.-based phone number, texted with M.S. at a Philippines-based number for M.S. the following:

CHERKASOV: Hey [M], I arrived…Where do you want to meet?

[M.S.]: Grab a taxi and ask to drive via skyway.

CHERKASOV: On my way. Will be there in approx. 15 min.

[M.S.]: Ok. Here

CHERKASOV: I can’t find it

[M.S.]: Names?

CHERKASOV: Yea, I’ll text you then when I’m in the airport.

CHERKASOV: Texting you the names.

CHERKASOV: Sent you a list there. Now whom we met.

CHERKASOV: All people from the Jerusalem Embassy, literally every single one, even LGBTQ advisor. [N.G.] – security expert, local. I think he is a spook. [?.L.] ‘kingmaker’ – [Israeli political] party leader

CHERKASOV: The previous list didn’t sent [sic], I’ll retype it.

CHERKASOV: Can I send it to you email?

CHERKASOV: This SMS shit kills me

[M.S.]: Sure.

46. On or about January 17, 2020, CHERKASOV sent M.S. an email with a screen shot of names, mostly U.S. persons (“USP”), stating the following: Just a list of interesting people that I was talking to you about Experts side: [USP 1] – DoS, middle Eastern direction advisor the president admin, former [University 1] student.

[USP 2] – FDD, military security adviros [sic] to the Congress Committee on Intelligence, [USP 3]’s assistant. [“TT1”] group: [USP 4] – [USP 5] chair, came only for a day though, [USP 6] – main guy to call shots, Israeli expert came with small team of his own. [University 1, University 2] student leader: [USP 7] – Anapolis [sic] Naval Academy Cyber Sec instructor

While just one of the people involved in Cherkasov’s targeting — his SAIS professor, Eugene Finkel — has explicitly spoken out about being duped by Cherkasov, virtually all of these people (and a bunch more described later in the complaint) are likely to be able to identify themselves.

There are a few I suspect I recognize and, if I’m right, they’ve been apologists for Trump’s propaganda about Russia.

Notably, this messaging involved a US-based phone, one not obviously included among the devices seized from Cherkasov when he returned to Brazil. The FBI Agent who wrote the affidavit couldn’t have obtained the messaging in real time — he or she has only worked at the FBI since 2021, and the messaging dates to early 2020. But the affidavit does reference “surveillance that I have conducted.”

In general, the FBI is revealing almost nothing obtained via sensitive sources and methods — that’s one reason the reliance on evidence obtained via Brazil is of interest to me. Given how the US has allowed European countries to take credit for these stings, I find it interesting that the US almost creates the misimpression that it only discovered Cherkasov — that it accessed his legend that the Dutch had upon his arrest — when he arrived in Brazil.

But in just a few spots, the affidavit gives a glimpse of what else the US Intelligence Community might know.

The US has not really taken much credit for helping a bunch of European countries roll up Russian spies (though they’re likely reminding them of the role Section 702 plays in the process). But this document, seemingly released because they had reason to exert legal pressure with a country that is fairly close to Russia, likely serves multiple purposes. While it doesn’t give away a lot, it does hint at far more.

Update, 4/6: The Guardian reported that two suspected Russian illegals, one presenting as Brazilian and the other presenting as Greek-Mexican, disappeared in January.

Halfway through a trip to Malaysia in January, Gerhard Daniel Campos Wittich stopped messaging his girlfriend back home in Rio de Janeiro and she promptly launched a frantic search for her missing partner.

A Brazilian of Austrian heritage, Campos Wittich ran a series of 3D printing companies in Rio that made, among other things, novelty resin sculptures for the Brazilian military and sausage dog key chains.

[snip]

The Brazilian foreign ministry and Facebook communities in Malaysia mobilised to look for the missing man. But Campos Wittich had simply disappeared.

Greece believes Campos Wittich was a Russian illegal with the surname Shmyrev, said the official, while his wife, “Maria Tsalla”, was born Irina Romanova. She married him in Russia before their missions began and took his surname, the Greeks claim. She left Athens in a hurry in early January, just after Campos Wittich left Brazil. Neither have returned.

If I’m right that the FBI chose to use the Cherkasov complaint in part to identify those in Brazil who were running illegals, it may be because the disappearance of another Brazilian illegal in January led the US Intelligence Community to believe Russia had figured out what the US knew.

Tucker’s Putin Envy

There was a part of the Global Threats Report presented to both the Senate and House Intelligence Committees last week that deserves more attention. In the middle of the section on Russia’s influence operations, the report predicted that Russia will “try to strengthen ties to U.S. persons in the media and politics in hopes of developing vectors for future influence operations.”

It is the judgment of the intelligence community, per the report, that Russia is trying to cultivate “US persons in the media and politics” as part of its foundation for future influence operations.

Russia presents one of the most serious foreign influence threats to the United States, because it uses its intelligence services, proxies, and wide-ranging influence tools to try to divide Western alliances and increase its sway around the world, while attempting to undermine U.S. global standing, sow discord inside the United States, and influence U.S. voters and decisionmaking. Moscow probably will build on these approaches to try to undermine the United States as opportunities arise. Russia and its influence actors are adept at capitalizing on current events in the United States to push Moscow-friendly positions to Western audiences. Russian officials, including Putin himself, and influence actors routinely inject themselves into contentious U.S. issues, even if that causes the Kremlin to take a public stand on U.S. domestic political matters.

  • Moscow views U.S. elections as opportunities for malign influence as part of its larger foreign policy strategy. Moscow has conducted influence operations against U.S. elections for decades, including as recently as the U.S. midterm elections in 2022. It will try to strengthen ties to U.S. persons in the media and politics in hopes of developing vectors for future influence operations.
  • Russia’s influence actors have adapted their efforts to increasingly hide their hand, laundering their preferred messaging through a vast ecosystem of Russian proxy websites, individuals, and organizations that appear to be independent news sources. Moscow seeds original stories or amplifies preexisting popular or divisive discourse using a network of state media, proxy, and social media influence actors and then intensifies that content to further penetrate the Western information environment. These activities can include disseminating false content and amplifying information perceived as beneficial to Russian influence efforts or conspiracy theories. [italicized bold original, underline my emphasis]

This is not new news. Obviously Russia has been cultivating both journalists and politicians in recent years, often by inviting them for big shindigs in Russia, after which, over the course of years, they come to spout more and more Russian propaganda uncritically.

It is noteworthy that the IC stuck this detail amid discussions about election interference and Ukraine mobilization, because Russia has had renewed success of late getting entertainers and politicians to magnify inflammatory and often false claims about Ukraine.

The judgement came out the same week that Tucker Carlson (whose Ukraine invasion anniversary special was breathtaking even by his standards of propaganda) provided more details of the time, in summer 2021, he was informed that the NSA had discovered his back channel contacts to Putin.

The story starts when Tucker squeals that he’s envious of the podcasters because they got to go to Russia, but he might be arrested if he went. Throughout the show, his interviewers operate on the assumption that Russia is the threat to Tucker, but he suggests State or FBI is.

Tucker: Now I’m envious.

[snip]

Full Send: But everyone told us not to go obviously, but. We knew we were with good people. So after that, it was all good, but.

Tucker: Oh, I want to go. I’ve never been there!

Full Send: You feel it though, it is real scary. There’s like military checkpoints.

Tucker: Oh yeah!

Full Send: It’s … it’s serious shit.

Full Send 2: Would you have gone with him or no?

Tucker: I can’t go to Russia. I honestly think I would be arrested.

Full Send: Yeah, they get you.

Tucker: Which is outrageous because, I’m a journalist, and I’ve been all over the world. I feel like I’ve been everywhere except Russia. And Russia is a combatant in a war that’s changing the world, and like I should go see it. And I was planning it and then I got stopped by the US government from doing it.

Full Send: Oh, you were gonna go? What were going to do?

Tucker: Interview Putin. Why wouldn’t I?

Full Send: You had it set up? Damn!

Tucker: I was working on it and then they broke into my text messages — the NSA broke into my Signal account, which I didn’t know they could do —

Full Send: Oh so Signal’s not even safe!

Tucker: Signal is not safe. It’s not safe. Signal’s not safe.

Full Send: I know people think WhatsApp’s safe.

Tucker: WhatsApp?!?! WhatsApp is not — you know what’s safe? And ask any mafia Don. Park your car in front of the liquor store. Leave your phone in the vehicle, in your Caprice Classic, and walk out behind the liquor store, in the vacant lot back there with the WINOs, to talk to the person you want to talk to.

Full Send 2: How many times have you done that?

Tucker: Zero. Cause I’m like lazy. I’m like whoa! And I’m — actually I always say to myself, I’m not hiding anything. I don’t have a secret life. I’m pretty upfront. And some people like it and some people don’t. Of course, but, I’m not hiding anything. But I was definitely hiding my plan to go interview Putin, just because it’s an interview. It’s no one’s business.

Full Send 2: So how did that happen? How do you know the NSA broke into your Signal?

Tucker: Because they admitted it.

Full Send: Really?

Tucker: Oh yeah!

Full Send: Can you tell us about it? Like how did you find out?

Tucker: I got a call from somebody in Washington who’s — who would know. Just trust me. So I went up there for another reason. But this person said, you know, you going to come to Washington anytime soon? This was a year and a half ago, and I was like, yeah, actually I’m going to be up in a week. He’s like, meet me Sunday morning. So weird. Like, who does that? Just text me, you know what I mean? Just text me. No. So I go and this person’s like — and this is someone who would know — Um, are you planning a trip to go see Putin? This was the summer before the war started. I was like, how would you know that? I haven’t told anybody that, I mean, anybody. Not my brother, not my wife, nobody. Just because, you know, it’s one of a million things you’re working on, but that was one of them. I want to go interview Putin. Why wouldn’t I want to go interview Putin?

Full Send 2: Of course.

Tucker: I want to interview Xi, I want to interview everybody. Right? That’s kind of my job.

Full Send: We want to get Kim Jong Un on here one day.

Tucker: Of course! Of course! We met him.

Full Send: You did? We gotta talk about that. Holy shit.

Tucker: Yup. Super interesting. But anyway, um, how would you know that? Because NSA pulled your texts with this other person you were texting. How did you know that? And so I immediately, I was intimidated, I’m embarrassed to admit, but I was, I was completely freaked out by it. I called a US Senator, who I know — not that well, but it seems like a trustworthy person, and I told him the story, I just want to tell you this, and then I went on TV on Monday and I’m like this happened. And so they had — Congress asked NSA and NSA’s like, yes we did this, but for good reason. What would be a good reason to read my — you know, what? But the head of NSA, it’s fine, cause everyone’s in on it, Republicans and Democrats are all in on it. And by it I mean the assumption that there’s no privacy whatsoever, that they have a right to know everything you’re saying and thinking,

Full Send: That shit’s scary.

Tucker: And that’s just not a right as far as I’m concerned. By the way, if you have no privacy you have no freedom. [my emphasis]

Parts of Tucker’s commentary provide more detail on the incident than previous reporting did, which I covered here and here. As Jonathan Swan reported, the IC collected communications showing a back channel effort to set up a meeting with Putin.

Tucker Carlson was talking to U.S.-based Kremlin intermediaries about setting up an interview with Vladimir Putin shortly before the Fox News host accused the National Security Agency of spying on him, sources familiar with the conversations tell Axios.

[snip]

The intrigue: Two sources familiar with Carlson’s communications said his two Kremlin intermediaries live in the United States, but the sources could not confirm whether both are American citizens or whether both were on U.S. soil at the time they communicated with Carlson.

  • This is relevant because if one of them was a foreign national and on foreign soil during the communications, the U.S. government wouldn’t necessarily have had to seek approval to monitor their communications.

On Maria Bartiromo’s show in 2021, Tucker pointed to what was undoubtedly reporting done in the wake of his initial story — quite likely Swan’s own story (indeed, Tucker could well be one of Swan’s two sources) — and claimed it was proof the NSA was leaking information about him.

In the Bartiromo appearance, Tucker spoke in terms of a single email arranging an imminent trip to Russia.

In last week’s podcast, in addition to reiterating that Tucker is not trying to hide anything but oh yeah he was trying to hide his back channel to Putin, even from his spouse, Tucker adds two details: After he learned about it, he reached out to a (male) Senator to look into it, and the communications obtained include Signal texts, not just a single email.

In the past, I had suggested that Tucker’s tipster might be a member of Congress — a Gang of Eight member like Devin Nunes or Kevin McCarthy — or someone close to them (like Kash Patel). The fact that Tucker called a Senator in response (then Chair of the Senate Intelligence Committee Marco Rubio would make sense given the details he provides), and not someone he was closer to like Nunes, makes it more likely his initial tipster had a tie to the House. The focus on the Senate response may suggest this came up again in the Global Threats hearing, during the closed session.

The detail that, per Tucker, in addition to the email he sent about arranging a then-imminent trip to Russia, they also got Signal texts is more interesting, but it doesn’t mean he was the target or that they broke into his phone.

It does suggest that there could have been two different tracks going on: the discussion, over email, about a trip to Russia, one his producer knew about, and another more sensitive discussion going on via Signal.

We do know, however, that Tucker hasn’t hidden past interview preparation. Indeed, his outreach to Viktor Orbán was quite overt and gleeful. So his explanations about why he would want to hide preparation for a Putin interview don’t hold up.

Remember: When Tucker sent his now former investigative producer to try to FOIA this information from NSA (via a FOIA that was guaranteed to fail), he asked for 30 months of data, going back to January 1, 2019. That’s more than a single email to set up a meeting with Putin.

Rather than taking this as a tip that the back channels via which he was (at least) trying to set up a meeting with Putin are considered — even by Republican Senators — legitimate intelligence targets, possibly Russian spies, Tucker has instead spun up conspiracy theories. And that has, in turn, led him to suggest he faces a bigger threat from the US State Department than he would from Russian military checkpoints.

Update: On Twitter, MD suggested that Rand Paul may have been the Senator Tucker approached, given that he wrote a letter to General Nakasone. It’s an interesting possibility, especially given Russia’s cultivation of Rand and his father as well as the suggestion that whatever Senator he approached was ultimately satisfied with the explanation.

The Michael Flynn Complaint For Damages Against The US

As commenter David F. Snyder noted yesterday, yes Michael Flynn has filed a complaint for $50,000,000 damages against the US Government for all the perceived wrongs and grievances that he, his unhinged lawyers like Sidney Powell, and rabid MAGA Republicans have been carping about forever. A thread on this started out in Marcy’s “JUDGE UNSEALS DETAILS ON COOPERATING WITNESS IN DOUGLASS MACKEY CASE”, but I am going to bring it here so as to not pollute that post and give people a place to discuss Flynn.

I took a look at the docket for the fledgling case. It is filed in the Middle District of Florida, where Flynn resides. That is the only discernible nexus to MDFL as pretty much all facts, actors and witnesses would be in or about the DC District. Here is the docket entry for the complaint, which was actually filed on March 3, 2023:

NEW CASE ASSIGNED to Judge Mary S. Scriven and Magistrate Judge Christopher P. Tuite. New case number: 8:23-cv-0485-MSS-CPT. (SJB)

The complaint itself is attached to this Rolling Stone article by a detestable SCRIBD (seriously, nobody should ever convey documents by SCRIBD). It is 50 pages long, and I am not wasting my PACER account on it.

Marcy, in the earlier thread, said:

Not only does it not have legs, but if it survives the summary judgment stage (which is unlikely) it may catastrophically backfire on him.

I think that is right, but the case may not ever get that far. It may not even make it to a summary judgment motion, as it may well not make it past a 12b6 motion, which would be the initial attack by the government.

Couple of notes, the complaint alleges compliance with the FTCA (Federal Tort Claims Act), but claims the government never responded. Scriven is a Bush Jr. appointee and Tuite a Trump appointee to the magistrate bench. Sid Powell is noticeably absent from noticed attorneys, but Shawn Flynn, son of Michael’s brother, Gen. Charles Flynn, is listed. That could be interesting if Charles is to be a fact/damages witness, which would kind of be expected.

Very hard to see this matter gaining any real traction given all the facts and rulings against Flynn in the underlying criminal case in front of (now senior status) Judge Emmet Sullivan of DC District.

DOJ Rethinks — but in a Few Areas, Expands — Access to Media Content

In a story on the new media guidelines DOJ rolled out yesterday, Charlie Savage reveals what representatives of the press think they got in the new guidelines, in addition to a formal codification of broader restrictions on the use of legal process to find real journalists’ sources:

Those conversations led to several adjustments about potentially critical issues, like how “news gathering” is defined. According to participants, the Justice Department originally intended to define it in a way that was limited to the passive receipt of government secrets. But the final version now covers the act of pursuing information.

The language in question appears to cover things like encrypted dropboxes, something that journalists liked to compare (inaptly) to the charge against Julian Assange of attempting to hack a password for Chelsea Manning. Thus far, multiple criminal prosecutions show that dropboxes have not thwarted DOJ from prosecuting those who submitted documents into them.

Journalism includes reporting on classified information

A more important change is that the guidelines explicitly include reporting on classified information in its definition of newsgathering.

Newsgathering includes the mere receipt, possession, or publication by a member of the news media of government information, including classified information, as well as establishing a means of receiving such information, including from an anonymous or confidential source.

Savage writes that DOJ “is also said to have removed espionage from a list of criminal activities that are excluded from protected news gathering.” I’m not sure that’s right: 18 USC 793 and 798 were (along with Child Sexual Abuse Materials) included in the exceptions to 42 USC 2000aa, which I think is unchanged by this regulation.

What has been removed from the prior version (in addition to the inclusion of classified information in the definition of newsgathering) is an exception permitting the use of legal process in investigations of classified leaks. This language has been removed.

In investigations or prosecutions of unauthorized disclosures of national defense information or of classified information, where the Director of National Intelligence, after consultation with the relevant Department or agency head(s), certifies to the Attorney General the significance of the harm raised by the unauthorized disclosure and that the information disclosed was properly classified and reaffirms the intelligence community’s continued support for the investigation or prosecution, the Attorney General may authorize members of the Department, in such investigations, to issue subpoenas to members of the news media.

In other words, it wasn’t that there was an exception for the Espionage Act. Rather, there was language permitting searches in leak investigations that might be (and frequently have been in recent years) charged under the Espionage Act. That exception has been removed, and reporting on classified information has been explicitly included in the definition of newsgathering.

As we’ll see below, the regulation still authorizes searches in cases of suspected agents of a foreign power.

Expanded protection and a prohibition with exceptions instead of permission for exceptions

As Savage notes, however, the topline change is both a restructuring in the ways that a journalist’s sources might be accessed and the types of legal process covered. Whereas previously, the language on accessing source information included a presumption of access with a bunch of limits on use, as laid out in the prior regulation

The Department views the use of certain law enforcement tools, including subpoenas, court orders issued pursuant to 18 U.S.C. 2703(d) or 3123, and search warrants to seek information from, or records of, non-consenting members of the news media as extraordinary measures, not standard investigatory practices. In particular, subpoenas or court orders issued pursuant to 18 U.S.C. 2703(d) or 3123 may be used, after authorization by the Attorney General, or by another senior official in accordance with the exceptions set forth in paragraph (c)(3) of this section, only to obtain information from, or records of, members of the news media when the information sought is essential to a successful investigation, prosecution, or litigation; after all reasonable alternative attempts have been made to obtain the information from alternative sources; and after negotiations with the affected member of the news media have been pursued and appropriate notice to the affected member of the news media has been provided, unless the Attorney General determines that, for compelling reasons, such negotiations or notice would pose a clear and substantial threat to the integrity of the investigation, risk grave harm to national security, or present an imminent risk of death or serious bodily harm. [my emphasis]

The new regulation outright prohibits compulsory legal process except in certain exceptions.

(c) Compulsory legal process for the purpose of obtaining information from or records of a member of the news media acting within the scope of newsgathering. Compulsory legal process for the purpose of obtaining information from or records of a member of the news media acting within the scope of newsgathering is prohibited except under the circumstances set forth in paragraphs (c)(1) through (3).

In other words, these regulations importantly flip the presumption from one that permits the access of journalist records in certain situations to one that prohibits it except according to an enumerated exception.

And this revised regulation has broader language prohibiting the use of legal process. It now includes interception orders (like that used against NBC journalists who were sourced by Henry Kyle Frese), MLAT orders (like the Mexican one that targeted Zach Whittaker in 2020), and orders served on obscure third party providers of enterprise email hosting (like orders used against the WaPo and NYT in recent years).

“Compulsory legal process” consists of subpoenas, search warrants, court orders issued pursuant to 18 U.S.C. 2703(d) and 3123, interception orders issued pursuant to 18 U.S.C. 2518, civil investigative demands, and mutual legal assistance treaty requests — regardless of whether issued to members of the news media directly, to their publishers or employers, or to others, including third-party service providers of any of the foregoing, for the purpose of obtaining information from or records of members of the news media, and regardless of whether the compulsory legal process seeks testimony, physical or electronic documents, telephone toll or other communications records, metadata, or digital content.

In other words, the revision closes loopholes used under the Trump Administration.

What journalism isn’t

More generally, DOJ has reconceptualized the regulation through the use of exceptions.

Some of these are exceptions that permit the compelled process of a journalist, the most interesting new one of which entails evidentiary authentication with DAAG authorization.

(1) To authenticate for evidentiary purposes information or records that have already been published, in which case the authorization of a Deputy Assistant Attorney General for the Criminal Division is required;

This may be a response to the need to get journalists to validate videos they took on January 6.

DOJ has slightly reworked an existing section that at least used to be tailored to the definition covered by FISA (and FISA surveillance of journalists is in no way excluded from these regulations). It still includes the same language excepting an agent of a foreign power or someone who aids or abets one.

A foreign power or agent of a foreign power, as those terms are defined in section 101 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801);

In at least one of the reworked categories, the regulations represent an (entirely reasonable) expansion. The regulation includes this definition of terrorist activity — adding 18 USC 2339B, C, and D — which not only aren’t tied to State’s Foreign Terrorist Organization designations, but also include (with C) funding for what could be domestic terrorism.

Committing or attempting to commit the crimes of providing material support or resources to terrorists or designated foreign terrorist organizations, providing or collecting funds to finance acts of terrorism, or receiving military-type training from a foreign terrorist organization, as those offenses are defined in 18 U.S.C. 2339A, 2339B, 2339C, and 2339D; or

Seamus Hughes pointed me to this case in which three white supremacists were prosecuted under 18 USC 2339A as an example of how this might apply to domestic terrorists. The new regulations add a review by the National Security Division head on these categories, but since John Demers approved the data collection on real journalists under the Trump Administration, that’s unlikely to be a very useful protection.

Another new exception — this time not associated with newsgathering — is for an investigation targeting a journalist’s non-journalist housemate or similar who is the subject of an investigation.

To obtain information or records of a non-member of the news media, when the nonmember is the subject or target of an investigation and the information or records are in a physical space, device, or account shared with a member of the news media;

But the biggest change is that, in addition to that tweaked list of national security exceptions, DOJ added a bunch of more common crimes that journalism doesn’t include:

(B) Except as provided in paragraph (b)(2)(ii)(A) of this section, newsgathering does not include criminal acts committed in the course of obtaining information or using information, such as: breaking and entering; theft; unlawfully accessing a computer or computer system; unlawful surveillance or wiretapping; bribery; extortion; fraud; insider trading; or aiding or abetting or conspiring to engage in such criminal activities, with the requisite criminal intent.

The distinctions are not entirely clearcut though. Of most concern, what distinguishes a journalist reporting on tech vulnerabilities from a hacker is that “requisite criminal intent,” and one often determines that by accessing content.

Incorporation of cases against recent not-journalism cases

Importantly, however, these crimes include a number of the cases that got journalists all hot and bothered but which, under the new rules, are very clearcut (Savage’s professed uncertainty about Project Veritas notwithstanding).

DOJ’s approach to Julian Assange didn’t begin to change until he helped Edward Snowden flee to Russia and Assange wasn’t charged — initially, with attempting to help Chelsea Manning crack a password, itself included in one of the distinguishing crimes — until after he had aided and abetted Russia in a hack-and-leak campaign, one of the national security exceptions. The Espionage charges against Assange were filed after Russia attempted to exfiltrate Assange at the end of 2017. Any superseding indictment of Assange in the future would likely include an extortion claim and an aid-and-abet claim of Josh Schulte’s hacking of the CIA, for which Assange clearly expressed the criminal intent.

With regards to Project Veritas, the very first subpoena targeting their office manager (one obtained while Bill Barr was still Attorney General) listed 18 USC 873, blackmail — a kind of extortion — among the crimes under investigation, and their own defenses raised the possibility of extortion. Plus, Robert Kurlander’s statement of offense described trying to raise the price Project Veritas would pay for Ashley Biden’s diary because it was “literally a stolen diary.” So these new guidelines, applied retroactively, make the Project Veritas search an obvious exception.

The distinction between certain crimes and journalism would encompass three other, still undisclosed investigations into journalists last year described in DOJ’s report on legal process. The first was into insider trading:

In connection with an investigation of securities fraud and wire fraud relating to insider trading activities, a Deputy Assistant Attorney General authorized a U.S. Attorney’s Office to apply for a warrant to search the person, personal effects, and cellular telephones of a member of the news media who was the subject of the insider trading investigation. Investigators had established probable cause that the member of the news media had participated in the insider trading activities with three coconspirators and was in communication with the primary target of the investigation, a former U.S. Congressperson; and that the information seized pursuant to the search warrant would lead to further evidence. Investigators had pursued multiple avenues to obtain the evidence, without success, and had exhausted all investigative leads. The Department’s News Media Policy generally requires that the Attorney General must approve any application to search the communications records of a member of the news media, see 28 C.F.R. § 50.10(d)(1), but here, because the suspected criminal conduct was wholly outside the scope of the member of the news media’s newsgathering activities, a Deputy Assistant Attorney General for the Criminal Division authorized the search warrant applications pursuant to the “suspect exception” of the Privacy Protection Act (PPA), see 28 C.F.R. § 50.10(d)(4).

The second was into fraud and money laundering.

In connection with a fraud and money laundering investigation involving employees of a news media entity, a Deputy Assistant Attorney General authorized a U.S. Attorney’s Office to search stored electronic content of email accounts maintained by a member of the news media and its affiliate entity; and to issue a subpoena to a third-party service provider for information relating to accounts maintained by a member of the news media. The Department’s News Media Policy generally requires that the Attorney General must approve any application to search the communications records of a member of the news media, see 28 C.F.R. § 50.10(d)(1), but here, because the suspected criminal conduct was wholly outside the scope of the entities’ and employees’ newsgathering activities, a Deputy Assistant Attorney General for the Criminal Division authorized the search warrant applications pursuant to the “suspect exception” of the PPA, see 28 C.F.R. § 50.10(d)(4).

A third investigation last year was into stalking that included the use of spyware and hacking.

In connection with an investigation of a member of the news media for stalking offenses, a Deputy Assistant Attorney General authorized a U.S. Attorney’s Office to apply for a warrant to search the email account of the member of the news media. Investigators had established probable cause that the member of the news media had engaged in harassment and stalking of multiple people, including through the installation and use of spyware and the hacking of social media accounts, as well as employing several means to damage the reputations of the parties the member of the news media was harassing and stalking. The U.S. Attorney’s Office established evidence that the information seized pursuant to the search warrant would lead to evidence regarding the member of the news media’s criminal conduct, which was wholly outside the scope of his newsgathering activities. The Department’s News Media Policy generally requires that the Attorney General must approve any application to search the communications records of a member of the news media, see 28 C.F.R. § 50.10(d)(1), but here, a Deputy Assistant Attorney General for the Criminal Division authorized the search warrant application pursuant to the “suspect exception” of the PPA, see 28 C.F.R. § 50.10(d)(4).

In other words, DOJ has used the lessons from the Trump DOJ’s hunt for journalistic sources, Julian Assange, Project Veritas, and three other undisclosed investigations (and who knows? Perhaps also to media outlets run by Neo-Nazis to help fundraise) to change how they conceive of journalism. All of those are reasonable exceptions from journalism.

There are a bunch of potential loopholes. If DOJ wants a journalist’s content, there are a great many ways they can still get it, and because those exceptions would permit sustained secrecy, the searches might never be disclosed.

But these regulations, at a minimum, have established that reporting on classified information is part of journalism and have eliminated a lot of the loopholes to surveillance used to target journalists during the Trump Administration.
