Planes, Trains, and Automobiles: The Metadata of Insurrection

Kevin Douglas Creek, whose arrest was announced yesterday, is your garden-variety January 6 defendant accused of assaulting cops in the extended fighting on the West Terrace that day.

But his arrest affidavit is a lesson in all the ways that insurrectionists, or any other travelers, leave a path of metadata that can be tracked later.

While the FBI described a tip in which someone reported comments Creek made during a visit to the Northside Forsyth Hospital days after the riot — Creek said that “he was gassed before in the military where he never experienced the types of effects he was experiencing this time” — it appears that no one tracked down that tip directly (many of those who were gassed on January 6 would have only weak trespassing cases against them).

It seems likely that Creek was identified anew based off his Be on the Lookout pictures captured from two alleged assaults against cops. The affidavit doesn’t say he was identified through facial recognition, but the inclusion of the two clearest BOLO pictures of him in the affidavit suggests that’s likely.

Investigators often use driver’s license pictures to match for facial recognition, and indeed, this affidavit describes validating Creek’s BOLO to his Georgia driver’s license (though not the use of facial recognition to get there).

Your affiant reviewed a driver’s license photo issued to Creek and the Facebook profile photos posted by Kevin Creek and also compared these to images and videos of AFO-296. By comparing these photographs to the videos and images from the U.S. Capitol, your affiant believes the images are all consistent with Kevin Douglas Creek.

Once they IDed Creek as a suspect, they started accumulating proof of his travel. While Creek drove to insurrection, Air Marshals at Atlanta’s airport nevertheless witnessed Creek entering his F-150 at the airport, which tied him to his license plate.

Your affiant reviewed records obtained from open sources and verified that a F-150 Supercrew with license plate ending in XXX5830 is registered to Creek. Federal Air Marshals have also observed Kevin Creek entering this vehicle at the Hartfield Jackson International Airport in Atlanta, Georgia.

Once they tied Creek to his license plate, they tracked his drive to DC.

This license plate was run by an FBI-Atlanta Task Force Officer through Leonardo, a Automatic License Plate reader in Georgia. Leonardo automatic plate reader captured Creek driving to D.C. from Georgia on at 8:44 am on January 5, 2021 and returning at 6:11 pm on January 7, 2021. On both occasions, the reader registered the license plate on I-85 in Franklin County, Georgia.

Given Franklin County’s location on the border with South Carolina, Georgia’s license plate reader probably picked up Creek on his way into South Carolina on I-85 on January 5 and on his way back into Georgia on January 7.

Along the way, his credit card purchases showed him buying gas going and returning.

For example, on January 5, 2021, Creek used his credit card at Shell Oil in Petersburg, VA, Quinns in Arlington, VA and at Panera Bread in Burlington, NC. On January 7, 2021, Creek used his credit card at QT in Anderson, SC and at BP in North Chester, VA.

His credit card not only placed him at what was then a Courtyard in Arlington, but showed that he took the metro into the city on January 6.

Travel records obtained from Washington Metropolitan Area Transit Authority confirm that on January 6, 2021 at 8:15am, Creek’s credit card was used to purchase four metro cards. These metro cards were used to traveled from Rosslyn Station McPherson Sq Station at approximately 8:17 am. At 11:07 am, one metro card was used to return to Rosslyn Station from McPherson Station. The other 3 cards returned from Arch-Navy Memorial Station to Rosslyn Station at 4:37 pm.

This tipped off the FBI that three people were traveling with Creek. Creek told the FBI whom he traveled with in an interview on May 21, but if he hadn’t, the FBI would have been able to use surveillance video from the hotel and the Metro to figure out who the others were, especially the two that appear to have left the Capitol with him shortly before 4:37PM.

At the beginning of this investigation, there was a focus on how many rioters had IDed themselves on social media. In Creek’s case, he may have deleted his live streaming from the attack before anyone chased down the tip based off his hospital visit (FBI ran some kind of GeoFence off of people live streaming to Facebook from inside the Capitol, but it’s not clear Creek ever entered the building).

An open source search was conducted to identify any social media accounts in the name of Kevin Creek. A search of Facebook revealed an account with the handle Kevin Creek. This Facebook profile shared a photo of a “Nailed It Roofing and Restoration” business card. Nailed It Roofing and Restoration is registered with the Georgia Corporations Division with a registered agent of Kevin Douglas Creek.

[snip]

Initially, Creek told affiant he was live streaming January 6th and posted the stream and photos on his Facebook account. Creek deleted those photos once he returned home. Creek stated he may have heard about the protest from his twitter account (handle @KevinDCreek) but stated he could not remember for certain.

As described then, the only lead the FBI got from Creek’s Facebook was the tie to his business, “Nailed It Roofing and Restoration.”

But even without leaving boasts on Facebook for the FBI to find, Creek nevertheless left a clear trail of metadata in his wake as he traveled to insurrection.

Update, June 18: The government is not opposing a motion to revoke Creek’s detention order, citing (among other things), his “significant cooperation with law enforcement” since he was first interviewed.

50 replies
  1. Buford says:

    Thanks to all of you folks here for what I claim to be one of the best blogs in sorting out one of the worst times in our history…
    my one and only question is, are the others, who have not been arrested or identified, going to learn from this? I don’t think we have seen the end of the insurrection, and are they learning how to do it better now they know some of the methods the FBI uses?

      • TooLoose LeTruck says:

        That’s my great fear too…

        They’re not done trying…

        And I’m waiting for a small band of very serious crackpot generals to decide it’s their turn to try…

        • ThomasH says:

          I wonder what Stanley Kubrick would make of this scenario? Gen. Jack D. Ripper in the trumpian era?

        • TooLoose LeTruck says:

          “Our precious bodily fluids, Mandrake…”

          That’s who comes to mind over and over again, whenever I see Flynn talking…

        • Raven Eye says:

          Not even crackpot flag/general officers: Any current or former staff officer with REAL operational planning experience.

          Folks have watched videos of a reasonably organized stack proceeding into the Capitol, and commented about how good the planning was. What they actually witnessed was a level of training. The overall planning sucked. We know this because their plan failed to achieve its objectives (if the plan actually had any objectives).

          One of the problems was that guys like Stewart Rhodes seem to have been involved in the operations. But Rhodes is more like one of those Communist political commissars attached to Soviet military units. Great for a pep rally, but you should try to keep those folks in the back corner of the operations center.

          There is a future 1-2 punch that is worrisome, especially when you consider that the nutters aren’t in a time crunch:

          1. The seditionists adopt better OPSEC. What if they start sharing their planning products via U.S. Mail? As simple as encrypted media in an innocuous item in a flat-rate box (a riff on the Hope Diamond), or go whole hog and use double-wrapped packages sealed with “fiber-reinforced asphalt-backed packing tape” (used for lower levels of classified material).

          2. Real planners who know both deliberate planning and time sensitive planning. Many, if not most, of the insurrection’s hiccups came from events and situations that could have been (given a little more time) covered in planning assumptions. Just being in the military, or even being a military officer, doesn’t mean you’re a good planner. I’ve come across many perfectly acceptable officers in operations and support billets who couldn’t plan their way out of a dark closet with both hands and a flashlight.

          So while things didn’t go right for the seditionists on 1/6, what a teaching moment! Sucks to be you if you got caught and your life is now messed up. Thank you for your service. But there are thousands of nutters out there waiting for orders. And some of those may have seen that 1/6 might turn in to a fustercluck and decided to sit that one out.

        • BalifartheLost says:

          I agree with the bad planning assessment, however I think volume of bad planning may still be a significant developing problem.
          They say Rush Limbaugh inspired a dozen copycats spewing thinly veiled racism and right wing crap.
          What if Roger Stone, who just spent covid lockdown with some very trustworthy (to his interests) Proud Boys, has the same awful level of success.

        • timbo says:

          Yep. That’s the real worry. And why the bomber needs to be identified and caught IMO. Opsec seems to have been better in the case of the bomber so far…and we need to find out how and why that person was specifically there on Jan 5 and 6.

        • subtropolis says:

          I read something just last week (forgot source) stating that there is now a tentative second (or same?) suspect re those pipe bombs. FBI took an interest in someone who’d appeared to be scouting those areas beforehand. The person was tracked, as it happens, taking a metro out of DC. No other specifics were available, understandably.

        • rosalind says:

          David Neiwert up with a very disturbing event unfolding in Oregon w/Ammon Bundy’s “army” once again setting up a situation to provoke a Federal response. How Biden handles this one is gonna be critical.

          “At an encampment near the floodgates, Bundy’s “People’s Rights Network” has been slowly gathering forces, recruiting supporters from a tent dubbed the “Water Crisis Info Center,” selling Patriot merchandise and propaganda supporting their cause, and holding meetings at which speakers decry the federal government. Organizers have been explicit in announcing their intentions—namely, to break the lock on the gates to the facility and use a crane to remove the large metal bulkheads that keep the water from flowing into the “A” canal that manages the lake’s levels.”

          https://www.dailykos.com/stories/2021/6/8/2034257/–Ammon-s-Army-sets-up-camp-in-southern-Oregon-with-another-armed-federal-standoff-in-mind

        • timbo says:

          “Local support” from whom? The local native people are in support of the federal policy from what I could gather…or, rather, it’s better for them than the former federal policy at any rate.

        • TooLoose LeTruck says:

          Sadly, I think the serious, serious water wars are rapidly approaching…

          I live in the Bay Area… it’s only mid-June and I’m already scared about fires coming…

          Unfortunately, I’m afraid this state of affairs is here to stay for the foreseeable future…

        • P J Evans says:

          Lots of sympathy – I’m in L.A. The potential evac area for one fire last season had one boundary at the major street half a mile north of me. It’s urban – large lots on that side, smaller stuff on mine..

        • notjonathon says:

          Yes, look what happened to Santa Rosa. Fires escaped the mountains and burned through solid urban areas.

        • P J Evans says:

          Two fire stations within a mile, straight streets, several of them four lanes – we can get out, with notice. Waterdropping would help.

        • Raven Eye says:

          One of the Bundy themes is some drivel about giving the land back to the people. He and his followers conveniently forget that if the land was “de-federalized” they would be no better than third in line — behind Native Americans and the states. (Come to think of it, Bundy might be no better than fourth in line. When “big land” is offered up, big money starts circling around it.) I’ve sometimes wondered what it would look like if some western lands and waters were returned to the original occupants.

          Also, agreements on the Klamath River have been the product of complex negotiations stretching over years. There is now more consensus (albeit grudgingly at times) regarding the future of the Klamath than there ever has been.

        • Leoghann says:

          What Ammon Bundy means by “the people” is something different than what anyone understands who is not cognizant of LDS history. His family was among the Mormon pioneers who first settled in the western territories in 1847-50. Almost as soon as families arrived in the area of the Great Salt Lake, they were dispatched to explore and settle the surrounding territory. Over the next decade, an area that included Utah, Nevada, Colorado, Wyoming, and parts of Montana, Idaho, Nebraska, and Arizona, was settled by Mormon pioneer families. Together, the area they settled was called the territory of Deseret.

          Over the years, particularly in the 1850’s, disagreements with the federal government, mostly (officially) over the issue of polygamy, resulted in the group being punished by the federalization of land. Typically the settlers kept their land, but lost the right to govern it. Most of the Mormons’ Deseret was called by the US government the Utah Territory, but that was whittled down to the current state of Utah, which was granted statehood in 1896, when the LDS renounced polygamy.

          When Mormon traditionalists talk about returning the land to the people, they mean a return to the grand state of Deseret, and the “right” of the members of the LDS church and the original white settlers to govern it.

        • Raven Eye says:

          There is a bunch of right-wing whiners (RWW?) in Oregon who want certain red counties to leave Oregon to become part of “Greater Idaho”.

          I’m all for it.
          — It will raise the average IQ in Oregon.
          — It will leave the most productive counties in Oregon.
          — And it will ensure (+99% certainty) that DC would become a state — and that Puerto Rico might stop messing around with the issue and also seek statehood.

        • TooLoose LeTruck says:

          And then there are those ridiculous clowns in Washington who want to form their own state, Liberty!

          And don’t forget their ringleader, the truly spectacularly craptastic Matt Shea, who “called for the killing of non-Christian males if a war were to occur and they do not agree to follow fundamentalist biblical law.”

        • Tracy Lynn says:

          Not to outdo you in the clown car competition, in far northern Calif. people have been advocating for years to create the State of Jefferson. The reach of Jefferson was from north of the Oregon border south to Modesto, skirting the Bay Area, of course.

        • TooLoose LeTruck says:

          Yeaaaah…

          Now that you mention it, I have heard of that – the Great State of Jefferson!

          Perhaps it’d be the Peoples’ Republic of Jefferson?

          Jeffersonistan?

          Jeffersonia?

          And maybe, when the Great State of Jefferson is finally formed, along w/ Liberty!, they can secede from the US and form their own nation…

          It hurts to think about this after a while…

          Kind of like watching a slow motion accident happening and not being able to do anything about it…

        • P J Evans says:

          AFAICT, they’ve all failed civics and economics – they don’t seem to be aware how much the more urban counties support them through taxes and fees. (They want some of the counties in northern CA, and they want to have one coastal county – Coos – which doesn’t have major anything.)

    • subtropolis says:

      A couple of months after the insurrection, I began to wonder whether some group of idiots might take it upon themselves to take hostages in a bid to spring those who remain incarcerated for Jan. 6. And, lo, here’s a bunch of PBs who were booted from a baseball game after unfurling a banner, which read, in part, “free all political prisoners”.

      https://www.orlandosentinel.com/news/florida/os-ne-trump-proud-boys-signs-ejections-miami-marlins-baseball-game-20210610-ryf4zmw7czfq7fyxr64z6qugmu-story.html

      The comparison between the white homeland assholes and ISIS may not be perfect but it’s close in some ways. After all, history does not repeat itself, but rhymes.

  2. CD54 says:

    The template for metadata suggested by Creek’s here seems an obvious first digital sift — at least that’s what the computer lady on Criminal Minds would do (while you waited).

  3. Midtowngirl says:

    Between the insightful journalism, and the keenly intelligent discussions that follow, I always learn so much with every visit. My brain thanks each and every one of you!
    I’d like to float a few questions; if anyone cares to provide some insight, that would be great.

    The granular details found in Creek’s charging document – the credit card purchases and Metro card use – aren’t included in most other defendants’ Statement of Facts.
    Is there any significance to that?
    Are all cases investigated to such depth?
    Or are these sort of resources allocated to investigating the most serious offenders?

    Also, the DOJ press release announcing Proud Boy Shawn Price’s arrest stated “The case is being prosecuted by the U.S. Attorney’s Office for the District of Columbia and the Department of Justice National Security Division’s Counterterrorism Section.”

    Are all of the more serious breach cases being co-prosecuted NSD Counterterrorism? Or is that an indication of a particular charge (i.e. Conspiracy), or another factor?

      • emptywheel says:

        The inclusion of NSD, even for people currently charged as lone offenders, is a tell of some greater concern. But then some of these people may have their charges superseded into a conspiracy indictment.

        • timbo says:

          Hmm. I’m a bit cautious about exactly what including NSD actually signifies in reality where actual court cases may go to trial, given the high bar of having to get beyond reasonable doubt to convict. NSD needs a reason to exist, prosecutors need to make their indictments and charges appear to be meaningful. Hopefully the federal court system is up to actually getting to the truth on these matters if there’s any hype on the part of the prosecution going on here. Basically, defense attorneys are going to earn their pay in this sort of environment.

    • Peterr says:

      (1) Prosecutors generally show what they need to support their indictment, and not everything they know. If someone was bragging on Facebook about being in the Capitol and beating up cops (complete with photos), you don’t need granular details like these.

      (2) It says that some insurrectionists were more circumspect about their participation than others, but says little about the prosecutor’s approach.

      (3) Every invasion of the US Capitol on the day of a constitutionally-required ceremony has been investigated to this depth. (That is, useful comparisons are hard to come by for this case.)

      (4) The higher up a target is in a major conspiracy, the more resources get thrown at trying to identify the target and hold them to account.

  4. Rugger9 says:

    OT. It appears Glenn Beck has slithered out of his den to “unpologize” for his 2009 remarks about President Obama. I note this as an indication of just how empowered the MAGA cult feels these days. I’ll enjoy the smackdown when it hits.

    To the surprise of no one, it appears special envoy Volker lied to Schiff’s committee about the Ukraine extortion. He was sitting in on Rudy’s [taped, oops] telecon and I’d like Schiff to haul Volker back in to explain himself. Volker’s a private citizen now.

    Lastly, it appears the Feebs are arresting more rioters, including (allegedly) some of Roger Stone’s 3P security team. I knew this insurrection investigation would get to Stone eventually one way or another.

    • Eureka says:

      Another of Hostetter’s fellow speakers 1/5, besides the usual suspects (Stone, Alexander, Jones, etc.) was Joe Flynn, brother of Michael and Charles. A fact I was ever-wont, but neglected, to remind our resident trolls who persisted in trying to isolate the Flynn problem to Michael.

  5. CharlieY says:

    As always, thanks for the insight and depth. A single quibble, though, about the word “metadata”. What appears all throughout the filing is data. He was identified and tied to his actions by data. Good, old-fashioned data. Metadata is data about the data. While it may have helped to know that 40 percent of transit purchases have an attached credit card ID (metadata), what got him was that his credit card bought a particular MetroCard at a particular station (data).

    • Tom R. says:

      You raise an excellent point. Actually two points:
      — At the /terminological/ level, there are two definitions of “metadata”. The common-sense definition agrees with the dictionary definition and with the technical definition used in the science and engineering community … but not with the legal definition. This discrepancy is itself deceptive and abusive.

      — At the /conceptual/ level, we have a much deeper problem. Let’s set aside the terminology issue and talk about [MD], which you can pronounce however you like; metadata or monkey-data or whatever. The point is, [MD] is a legal concept, created in order to blow a hole in the 4th amendment. That is to say, the law pretends my [MD] was never really mine; therefore it can be snatched without a warrant. IMHO this is abusive. Because the legal definition of [MD] is quite broad, it is grossly abusive.

      Let’s be clear: [MD] is data. It is the same as any other data. Similarly, there is no meaningful distinction between “content data” and “non-content data”. Traffic analysis is very powerful. Looking at more general types of [MD] is even more powerful.

      It is straightforward to have a conversation that consists entirely of [MD]. For example, I might write an email where the subject line is “Let’s meet at Big Suzy’s at noon to sign the contract” and you might reply with a subject line “OK, see you there”.

      On the other side of the same coin, the legal fiction that everybody willingly gives up their [MD] so there is no expectation of privacy is ridiculous. There are lots of things I can do to encrypt and otherwise protect my data, including my [MD].

      There’s a lot more that could be said about this, but I’ll stop here.

      • Tom R. says:

        Correction: In email headers, the “Subject” line is considered content, so I should not have chosen that example. Sorry.

        AFAIK all other header lines are treated as noncontent.

        It remains true that you can send email messages consisting entirely of noncontent. It is also straightforward to construct header lines that have no clear meaning; an eavesdropper cannot tell whether they contain to/from information, subject information, cover traffic, and/or anything else.

        A reasonably up-to-date albeit somewhat one-sided discussion of third-party doctrine can be found here:
        https://www.bu.edu/jostl/files/2020/08/2-Gee.pdf

  6. earlofhuntingdon says:

    Metadata is also very revealing: it is now as or more informative as traditional content. For one thing, it reveals connections with other actors raw content does not.
