How Josh Schulte Got Judge Jesse Furman to Open a File in Internet Explorer

Something puzzles me about both Josh Schulte trials (as noted yesterday, the jury found Schulte guilty of all charges against him yesterday).

In both, the government introduced a passage from his prison notebooks advocating the use of the tools he has now been found guilty of sharing with WikiLeaks in an attack similar to NotPetya. [This is the version of this exhibit from his first trial.]

Vault 7 contains numerous zero days and malware that could be [easily] deployed repurposed and released onto the world in a devastating fashion that would make NotPetya look like Child’s play.

Neither time, however, did prosecutors explain the implications of this passage, which proved both knowledge of the non-public files released to WikiLeaks and a desire that they would be used, possibly by Russia, as a weapon.

Here’s how AUSA Sidhardha Kamaraju walked FBI Agent Evan Schlessinger through explaining it on February 26, 2020, in the first trial.

Q. Let’s look at the last paragraph there.

A. “Vault 7 contains numerous zero days and malware that could easily be deployed, repurposed, and released on to the world in a devastating fashion that would make NotPetya look like child’s play.”

Q. Do you know what NotPetya is?

A. Yes, generally.

Q. What is it?

A. It is a version of Russian malware.

Here’s how AUSA David Denton walked Agent Schlessinger through that same exact script this June 30 in the second trial.

Q. And the next paragraph, please.

A. “Vault 7 contains numerous zero days and malware that could easily be deployed,” struck through “repurposed and released onto the world in a devastating fashion that would make NotPetya look like child’s play.”

Q. Sir, do you know what NotPetya is?

A. Yes, generally.

Q. Generally, what is a reference to?

A. Russian malware.

The placid treatment of that passage was all the more striking in this second trial because it came shortly after Schulte had gone on, at length, mocking the claim from jail informant Carlos Betances that Schulte had expressed some desire for Russia’s help to do what he wanted to do, which in context (though Betances wouldn’t know it) would be to launch an information war.

Q. OK. Next, you testified on direct that I told you the Russians would have to help me for the work I was doing, right?

A. Yes, correct.

Q. OK. So the Russians were going to send paratroopers into New York and break me out of MCC?

MR. LOCKARD: Objection.

THE COURT: Sustained.

BY MR. SCHULTE: Q. What is your understanding of how the Russians were going to help?

A. No, I don’t know how they were going to help you. You were the one who knew that.

Q. What work was I doing for Russia?

A. I don’t know what kind of work you were doing for Russia, but I know you were spending long periods of time in your cell with the phones.

Q. OK.

A. With a sheet covering you.

Q. OK. But only Omar ever spoke about Russia, correct?

A. No. You spoke about Russia.

Q. Your testimony is you never learned anything about Omar and Russian oligarchs?

A. No.

Denton could easily have had Schlessinger point out that wanting to get a CIA tool repurposed in Russian malware just like the Russians had integrated stolen NSA tools to use in a malware attack of unprecedented scope would be pretty compelling malicious cooperation with Russia. It would have made Schulte’s mockery with Betances very costly. But Denton did not do that.

In fact, the government entirely left this theory of information war out of Schulte’s trial. In his closing argument for the second trial, for example, Michael Lockard explicitly said that Schulte’s weapon was to leak classified information, not to launch cyberattacks.

Mr. Schulte goes on to make it even more clear. He says essentially it is the same as taking a soldier in the military, handing him a rifle, and then begin beating him senseless to test his loyalty and see if you end up getting shot in the foot or not. It just isn’t smart.

Now, Mr. Schulte is not a soldier in the military, he is a former CIA officer and he doesn’t have a rifle. He has classified information. That is his bullet.

To be sure, that’s dictated by the charges against Schulte. Lockard was trying to prove that Schulte developed malicious plans to leak classified information, not that he developed malicious plans to unleash a global cyberattack that would shut down ports in the United States. But that’s part of my point: The NotPetya reference was superfluous to the charges against Schulte except to prove maliciousness they didn’t use it for.

I may return to this puzzle in a future post. For now, though, I want to use it as background to explain how, that very same day that prosecutors raised Schulte’s alleged plan to get CIA hacking tools used to launch a global malware attack, Schulte got Judge Jesse Furman to open a document in Internet Explorer.

One of the challenges presented when a computer hacker like Schulte represents himself (pro se) is how to equip him to prepare a defense without providing the tools he can use to launch an information war. It’s a real challenge, but also one that Schulte exploited.

In one such instance, in February, Schulte argued the two MDC law library desktops available to him did not allow him to prepare his defense, and so he needed a DVD drive to transfer files including “other binary files,” the kind of thing that might include malware.

Neither of these two computers suffices for writing and printing motions, letters, and other documents. The government proposes no solution — they essentially assert I have no right to access and use a computer to defend myself in this justice system.

I require an electronic transfer system; printing alone will not suffice, because I cannot print video demonstratives I’ve created for use at trial; I cannot print forensics, forensic artifacts, and other binary files that would ultimately be tens of thousands of useless printed pages. I need a way to transfer my notes, documents, motion drafts, demonstrative videos, technical research, analysis, and countless other documents to my standby counsel, forensic expert, and for filing in this court.

The government had told Schulte on January 21 that he could not have a replacement DVD drive that his standby counsel had provided in January because it had write-capabilities; as they noted in March, not having such a drive was not preventing him from filing a blizzard of court filings. Ultimately, in March, the government got Schulte to let them access the laptop to add a printer driver to his discovery laptop. Schulte renewed his request for a write-capable DVD, though, in April.

Schulte continued to complain about his access to the law library for months, sometimes with merit, and other times (such as when he objected to the meal times associated with his choice to fast during Ramadan) not.

The continued issues, though, and Schulte’s claims of retaliation by prison staffers, are why I was so surprised that when, on June 1, Sabrina Shroff reported that a guard had broken Schulte’s discovery laptop by dropping it just weeks before trial, she didn’t ask for any intervention from Judge Furman. Note, she attributes her understanding of what happened to the laptop to Schulte’s parents (who could only have learned that from Schulte) and the prison attorney (who may have learned of it via Schulte as well). In response, as Shroff had tried to do with the write-capable DVD, she was just going to get him a new laptop.

We write to inform the Court that a guard at the MDC accidentally dropped Mr. Schulte’s laptop today, breaking it. Because the computer no longer functions, Mr. Schulte is unable to access or print anything from the laptop, including the legal papers due this week. The defense team was first notified of the incident by Mr. Schulte’s parents early this afternoon. It was later confirmed in an email from BOP staff Attorney Irene Chan, who stated in pertinent part: “I just called the housing unit and can confirm that his laptop is broken. It was an unfortunate incident where it was accidentally dropped.”

Given the June 13, 2022 trial date, we have ordered him a new computer, and the BOP, government, and defense team are working to resolve this matter as quickly as possible. We do not seek any relief from the Court at this time.

Only, as I previously noted, that’s not what happened to the laptop, at all. When DOJ’s tech people examined the laptop, it just needed to be charged. As they were assessing it, though, they discovered he had a 15GB encrypted partition on the laptop and had been trying to use wireless capabilities.

First, with respect to the defendant’s discovery laptop, which he reported to be inoperable as of June 1, 2022 (D.E. 838), the laptop was operational and returned to Mr. Schulte by the end of the day on June 3, 2022. Mr. Schulte brought the laptop to the courthouse on the morning of June 3 and it was provided to the U.S. Attorney’s Office information technology staff in the early afternoon. It appears that the laptop’s charger was not working and, after being charged with one of the Office’s power cords, the laptop could be turned on and booted. IT staff discovered, however, that the user login for the laptop BIOS[1] had been changed. IT staff was able to log in to the laptop using an administrator BIOS account and a Windows login password provided by the defendant. IT staff also discovered an encrypted 15-gigabyte partition on the defendant’s hard drive. The laptop was returned to Mr. Schulte, who confirmed that he was able to log in to the laptop and access his files, along with a replacement power cord. Mr. Schulte was admonished about electronic security requirements, that he is not permitted to enable or use any wireless capabilities on the laptop, and that attempting to do so may result in the laptop being confiscated and other consequences. Mr. Schulte returned to the MDC with the laptop.

[1] The BIOS is firmware used to provide runtime services for operating systems and programs and to perform hardware initialization during the booting process. The BIOS settings can determine, for example, whether external ports and wireless capabilities are enabled or disabled.

This had all the markings of a hacker — someone who had once envisioned launching a cyberattack as part of his information war from jail — trying to prepare just such an attack.

Weeks later, during the trial, the government intimated that they might punish Schulte for that stunt, but were just trying to get through trial.

We have not taken any action in response to that, because we’re in the middle of trial and we’re loath to do things that would disrupt the trial at this point.

Along the way, though, Schulte’s laptop access continued to grow — for perfectly justifiable reasons tied to the trial, but in ways that appear to have resulted in the discovery laptop (the one with the encrypted partition that he had apparently tried to access WiFi on) being in the same place as a second exhibit laptop, perhaps the very laptop originally intended to replace the one that wasn’t really broken at all. On June 13, Judge Furman ordered the Marshals to let Schulte keep his laptop at breaks. On June 15, Schulte got Furman to order the Marshals to let him use his second laptop, “just like the discovery laptop.”

MR. SCHULTE: OK. So the first thing is I think the marshals just need permission or authorization from you for me to be able to use the second laptop for my exhibits.

THE COURT: Use in the courtroom?

MR. SCHULTE: Yeah, be able to access and use it like I use the other. I think there was court order for me to be able to use this laptop so they need authorization from you for me to use the second laptop.

THE COURT: And the second laptop is something that standby counsel procured? What is it?

MR. SCHULTE: Yes.

THE COURT: Any objection, Mr. Denton? Any concerns?

MR. DENTON: I think as long as it is something that’s used just here in the courtroom, that’s fine, your Honor. I think to the extent that it was going with the defendant anywhere else other than the courtroom, we would want to make sure that we applied the same security procedures that were applied to his original laptop.

THE COURT: Is it just to be used in this courtroom?

MR. SCHULTE: Yes. That’s correct. It is being locked, I think, in the FBI marshal’s room by the SCIF.

On June 17, Schulte asked Furman to issue a specific order to MDC to ensure he’d be able to “go to the law library and access the laptop.” Again, these are generally understandable accommodations for a defendant going pro se. But they may have placed his discovery laptop (normally used in MDC in Brooklyn) in close proximity to his exhibit laptop used outside of a SCIF in Manhattan.

With that in the background, on June 24, prosecutors described that just days earlier, Schulte had provided them code he wanted to introduce as an exhibit at trial. There were evidentiary problems — this was a defendant representing himself trying to introduce his own writing without taking the stand — but the real issue was his admission he was writing (very rudimentary) code on his laptop. As part of that explanation, the government also claimed that MDC had found Schulte tampering with the law library computer.

The third, however, and most sort of problematic category are the items that were marked as defense exhibits 1210 and 1211, which is code and then a compiled executable program of that code that appear to have been written by the defendant. That raises an evidentiary concern in the sense that those are essentially his own statements, which he’s not entitled to offer but, separately, to us, raises a substantial security concern of how the defendant was able to, first, write but, more significantly, compile code into an executable program on his laptop.

You know, your Honor, we have accepted a continuing expansion of the defendant’s use of a laptop that was originally provided for the purpose of reviewing discovery, but to us, this is really a bridge too far in terms of security concerns, particularly in light of the issues uncovered during the last issue with his laptop and the concerns that the MDC has raised to us about tampering with the law library computer. We have not taken any action in response to that, because we’re in the middle of trial and we’re loath to do things that would disrupt the trial at this point. The fact that defendant is compiling executable code on his laptop raises a substantial concern for us separate from the evidentiary objections we have to its introduction.

THE COURT: OK. Maybe this is better addressed to Mr. Schulte, but I don’t even understand what the third category would be offered for, how it would be offered, what it would be offered for.

MR. DENTON: As best we can tell, it is a program to change the time stamps on a file, which I suppose would be introduced to show that such a thing is possible. I don’t know. We were only provided with it on Tuesday. Again, we think there are obvious issues with its admissibility separate and apart from its relevance, but like I said, for us, it also raises the security concern that we wanted to bring to the Court’s attention.

[snip]

MR. SCHULTE: But for the code, the government produced lots of source code in discovery, and this specific file is, like, ten, ten lines of source code as well as —

THE COURT: Where does it come from? Did you write it?

MR. SCHULTE: Yes, I wrote it. That’s correct.

Schulte didn’t end up introducing the script he wrote. Instead, he asked forensics expert Patrick Leedom if he knew that Schulte had used the “touch” command in malware to alter file times.

Q. Do you know about the Linux touch command?

A. Yes.

Q. This command can be used to change file times, right?

A. Yes, it can.

Q. That includes access times, right?

A. Yes.

Q. And from reviewing my workstation, you know that I developed Linux malware tools for the CIA, right?

A. I know you worked on a few tools. I don’t know if they were Linux-specific or not, but —

Q. And you knew from that that I wrote malware that specifically used the touch command to change file times, right?
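The file-time point in the testimony above, seen from the examiner's side, as an added example that is not part of the original post or the trial record: `touch` can set a file's modification and access times to any value, but the kernel stamps the inode change time (ctime) with the real clock when it does so. The function names, file names and dates below are constructed for illustration, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example: triage check for backdated file times on Linux.
# All files are constructed in a temporary directory; GNU coreutils stat assumed.

# Return 0 (suspect) when ctime is later than mtime by more than the
# allowed slack in seconds (default 2), 1 when it is not, 2 on stat failure.
# touch -t / -d rewrites mtime and atime, but cannot choose ctime: the kernel
# sets ctime to "now" whenever inode metadata changes, so a backdated file
# carries an old mtime next to a recent ctime.
# Caveat: chmod, chown, rename, hard links and archive extraction that
# preserves mtime also leave ctime > mtime, so this is a lead, not proof.
ctime_after_mtime() {
    f=$1
    slack=${2:-2}
    mtime=$(stat -c %Y -- "$f") || return 2
    ctime=$(stat -c %Z -- "$f") || return 2
    [ $((ctime - mtime)) -gt "$slack" ]
}

# Build two constructed sample files, backdate one, and report a verdict
# for each. Output is one "VERDICT filename" line per file.
demo() {
    dir=$(mktemp -d) || return 1
    echo "constructed sample" > "$dir/fresh.log"
    echo "constructed sample" > "$dir/backdated.log"

    # Backdate both mtime and atime to a constructed date (2010-01-01 00:00).
    touch -t 201001010000.00 "$dir/backdated.log"

    for f in "$dir"/*.log; do
        if ctime_after_mtime "$f"; then
            verdict=SUSPECT
        else
            verdict=ok
        fi
        printf '%s %s\n' "$verdict" "${f##*/}"
    done
    rm -rf "$dir"
}

demo
```

On a real image the same comparison is run read-only against the mounted evidence, and hits are then checked against other records of the file's history, since ctime itself changes for many benign reasons.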

In the end, then, it turned out to be just one of many instances during the trial where Schulte raised the various kinds of malware he had written to hide his tracks, infect laptops, and jump air gaps, instances that appeared amidst testimony — from that same jail informant, Carlos Betances — that Schulte had planned to launch some kind of key event in his information war from the (MCC) law library.

Q. That we — you testified that we were going to do something really big and needed to go to the law library, right?

A. You were paying $200 to my friend named Flaco to go to the library, yes.

Q. I paid someone money?

A. No. They were paying. And Flaco refused to take it downstairs. And the only option left was that they had to go down and take it themselves.

Q. OK. So Omar offered to pay money for Flaco to take some phone down, right?

A. That’s not how Flaco told me. That’s not the way Flaco described it. He said that both of them were offering him money.

Q. All right. But there were cameras in the law library, correct?

THE INTERPRETER: I’m sorry. Can you repeat the question?

Q. There were cameras in the law library, correct?

A. I don’t know.

Q. OK. But your testimony on direct was that me and Omar needed to send some information from the phone, right?

A. Let me explain it to you again. Not information. It’s that you had to do something in the, in the library. That’s what I testified about.

Q. OK. What did I have to do in the law library, according to you?

A. Well, you’re very smart. You must know the question. There was something down there that you wanted to use that you couldn’t use upstairs.

Q. OK. You also testified something about a USB drive, right?

A. Yes.

Q. You testified, I believe, that me and Omar wanted a USB device, right?

A. Yeah. You asked me all the time when the drive was going to arrive. When was it coming? When was it coming?

Q. OK. But there were already USB hard drives given to prisoners in the prison, right?

A. Not to my understanding.

Q. You don’t — you never received or saw anyone using a USB drive with their discovery on it?

A. No, because I — no, I hardly ever went down to the law library.

Q. All right. And then you said, you testified that you slipped a note under the guard’s door?

A. Yes.

Q. And that was about, you said something was going to happen in the law library, right?

THE INTERPRETER: Could you repeat the question, please?

MR. SCHULTE: Yes.

Q. You said that the note said something was going to happen in the law library, right?

A. Yes.

Which finally brings us to the Internet Explorer reference. During his cross-examination of FBI Agent Schlessinger on June 30, Schulte attempted to introduce the return from the warrant the FBI served on WordPress after discovering Schulte was using the platform to blog from jail. The government objected, which led to an evidentiary discussion after the jury left for the weekend. The evidentiary discussion pertained to how to introduce the exhibit — which was basically his narrative attacking the criminal justice system — without also disclosing the child porn charges against Schulte referenced within them.

Schulte won that discussion. On the next trial day, July 6, Furman ruled for Schulte, and Schulte said he’d just put a document that redacted the references to his child porn and sexual assault charges on a CD to share with the government.

MR. SCHULTE: Yes. I just — if I can get the blank CD from them or something I can just give it to them and they can review it.

But back on June 30, during the evidentiary discussion, Judge Furman suggested that the 80- or 90-page document that the government was looking at was something different than the file he was looking at.

That was surprising to Furman.

So was the fact that his version of the document opened in Internet Explorer.

MR. DENTON: Your Honor, on Exhibit 410 we recognize the Court has reserved judgment on that. I want to put sort of a fourth version in the hopper. At least in the version we are looking at, it is a 94-page 35000-word document. To the extent that the only thing the Court deems admissible is sort of the fact that there were postings that did not contain NDI, we would think it might be more appropriate to stipulate to that fact rather than put, essentially, a giant manifesto in evidence not for the truth. So I want to put that option out there given the scope of the document.

[snip]

MR. DENTON: Understood, your Honor. I think at that point, even if we get past the hearsay and the not for the truth problems, then there is a sort of looming 403 problem in the sense that it is a massive document that is essentially a manifesto offered for a comparatively small point. I think at that point it is risk of confusing the jury and potentially inflaming them if people decide to sit down and to read his entire screed, it significantly outweighs the fairly limited value it serves. But, we recognize the Court has reserved on this so I don’t need to belabor the point now.

THE COURT: Unless I am looking at something different, what I opened as Defendant’s Exhibit 410 — it opened for me in Internet Explorer, for some reason and I didn’t even think Internet Explorer existed anymore — and it does not appear to be 84 pages. So, I don’t even know if I am looking at what is being offered or not. But, let me add another option, which is if the government identifies any particular content in here that it thinks should be excluded under 403, then you are certainly welcome to make that proposal as well in the event that I do decide that it should come in in more or less its entirety with the child porn redacted. And if you think that there is something else that should be redacted pursuant to 403, I will consider that. All right?

MR. DENTON: We will make sure we are looking at the same thing and take a look at it over the weekend, your Honor.

To be clear: The reason this opened in IE for Furman is almost certainly that the document was old — it would date to October 2018 — and came in a proprietary form that Furman’s computer didn’t recognize. So for some reason, his computer opened it in IE.

That said, it’s not clear that the discrepancy on the page numbers in the file was ever addressed. Schulte just spoke to one of the prosecutors and they agreed on how it would be introduced.

And if a developer who had worked on malware in 2016 wanted an infection vector, IE might be one he’d pick. That’s because Microsoft stopped supporting older versions of IE in 2016, the year Schulte left the CIA. And WordPress itself was a ripe target for hacking in 2018. Schulte himself might relish using a Microsoft vector because the expert in the trial, Leedom, has moved on to Microsoft since working as a consultant to the FBI.

I have no idea how alarmed to be about all this. The opinions from experts I’ve asked have ranged from “dated file” to “he’d have to be lucky” to “unlikely but potentially terrifying” to “no no no no!” And Schulte is the kind of guy who lets grudges fester so badly that avenging the grudge becomes more important than all else.

So I wanted to put this out there so smarter people can access the documents directly — and perhaps so technical staff from the courthouse can try to figure out why that document opened in Internet Explorer.

Note: As it did with the first trial, Calyx Institute made the transcripts available. This time, however, they were funded by Germany’s Wau Holland Foundation. WHF board member Andy Müller-Maguhn has been named in WikiLeaks operations and was in the US during some of the rough period when Schulte is alleged to have leaked these documents. 

On Oath Keeper Jeremy Brown’s Asymmetric Treatment

CNN got a lot of people in a tizzy by incorrectly claiming that a 404b notice filed Friday included new information about the Oath Keeper conspiracy (this story, from Kyle Cheney, makes no claim this is new information). None of the general allegations — that Jessica Watkins had an explosives-making recipe at her house, that Thomas Caldwell had a list targeting a Georgia election official, that the Oath Keepers did a variety of training sessions before the insurrection — are new. They’ve shown up in detention motions going back to January 2021.

Perhaps the most inflammatory allegation, regarding former Special Forces guy Jeremy Brown, describes that the grenade discovered in Brown’s RV when the FBI searched his property in September was in the RV as it drove to DC for the insurrection.

Jeremy Brown is currently an unindicted co-conspirator in the Oath Keeper conspiracy.2 In November 2020, Brown led the Florida chapter of the Oath Keepers in a training on “unconventional warfare.” See ECF No. 167 at ¶ 22. During this period, he messaged extensively with Florida-based co-conspirators on Signal.3 For example, on November 9, he messaged, “As I am sure you all have plenty of ammo and guns. What I suspect we are not deep on are burner phones and phone cards. These will be needed in great numbers as part of a clandestine comms plan.”

In preparation for January 6, 2021, Brown continued to participate on Signal chats with Rhodes and various Florida Oath Keepers, including Meggs, Kenneth Harrelson and Caleb Berry, regarding transportation to Washington, D.C. on January 6:

We have a RV an Van going. Plenty of Gun Ports left to fill. We can pick you up… If you can, come to my house anytime Saturday. You can stop by and drop stuff off, or stay the night. This way we can load plan, route plan, and conduct PCIs (Pre Combat Inspections). I would LIKE to depart by 0645 on Sunday morning, Jan 3rd. Push through to the NC linkup on the 3rd, RON (Rest Over Night) there, then push to DC on the 4th. This will give us the 4th/5th to set up, conduct route recons, CTR (Close Target Reconnaissance) and any link ups needed with DC elements.

On January 4, 2021, Brown supplied a helmet to Florida Oath Keeper Berry, who met Brown at Brown’s house, and then caravanned with Berry, Meggs, Harrelson and other Florida Oath Keepers first to North Carolina, where they rendezvoused with additional Oath Keepers, and then to the Washington, D.C. area.

The same day, January 4, Meggs informed Jessica Watkins and other co-conspirators via Signal that Brown would be assisting in the Washington, D.C. operation, writing, “Jessica you have 4 working the detail from Ohio. Padimaster you have 6 confirmed for detail from SC. If correct that gives us 27 man team I like it!! Perfect mi with 4-5 medics in the group. I’ll keep working on overall contact between Natl/congress team and stop the steal team for scheduling etc… Kenneth Harrelson runs the ground team. Whippit and Jeremy Brown will assist him especially when we are moving!” Upon arrival in the Washington, D.C. area, Brown deposited various weapons at the Comfort Inn hotel in Virginia that served as the staging area for the QRF. During this same period, Meggs informed Berry that Brown possessed explosives in his Recreational Vehicle (“RV”). 4

The government subsequently seized explosives from Brown. On September 30, 2021, pursuant to an authorized search warrant, the government seized two illegal short barrel firearms from Brown’s residence and military ordinance grenades from Brown’s RV—the same RV that Brown used to travel to Washington, D.C. on January 6.

4 The government is unaware whether Brown deposited the explosives at the Comfort Inn in Virginia or retained them in his RV, which he parked in College Park, Maryland.

Substantially that same information appeared in a detention dispute for Brown in February.

These details have, probably, gone largely unnoticed because Brown is, thus far, only charged for trespassing in conjunction with January 6; he is charged in Florida for his arsenal and some classified documents he kept from his service in Afghanistan. That trial is currently scheduled to start August 1.

Let that be a lesson not to sleep on the misdemeanor cases, because some of them are quite important!

His inclusion in this 404b notice, however, does raise questions about his asymmetric treatment, thus far. He didn’t enter the building — but that’s true of Thomas Caldwell (who is accused of playing a leadership role) or Bennie Parker (who is not) as well. If he is treated as an unindicted co-conspirator, then why isn’t he a charged conspirator?

Indeed, Brown — who is representing himself but who as of recently had two pro bono lawyers expecting to share his discovery without filing notices of appearance — asked just that question in a status hearing on June 23. He noted that the full Oath Keeper team had been added to his case and was demanding the discovery from the sedition case, wanting to share it with those unnamed pro bono standby attorneys. He demanded to know whether he would be charged with sedition.

At the hearing, prosecutor Louis Manzo said there was no plan to add him to the sedition trial scheduled for September. When Brown noted that that didn’t preclude him being added to the lesser Oath Keeper conspiracy, Manzo said that as of now DOJ had no plan to add him to either of the existing conspiracies, though he wanted to avoid committing to that.

Obviously, that could change. DOJ only recently added the field leader for the day, Michael Greene/Simmons to the lesser conspiracy. And if he were acquitted in the Florida trial, DOJ would likely charge him in DC to keep him detained — they believed he was dangerous even before the insurrection.

But I can’t help but wonder whether DOJ has some other plan for him.

Update: To clarify something for those claiming this asymmetry reflects a lack of seriousness on DOJ’s part, what DOJ has done is charge Brown with crimes that could represent ~80 years in jail (though would more likely end up in the 10-20 year range), all without having to risk him fucking up the main sedition case, even while allowing DOJ to use his actions against the accused seditionists. That is, this may reflect a way to hold Brown accountable in a way that gives him the least ability to fuck up the main case.

The Josh Schulte Trial Moves to Deliberations

Yesterday, the two sides in the Josh Schulte case presented their closing arguments.

It is always difficult to read how a jury will view a case, and in this case (in part for reasons I’ll lay out below) that’s all the more true. I could imagine any of a range of outcomes: full acquittal, acquittal on some charges, guilty on most but not all charges, or another hung jury (though I think it likely he’ll win acquittal on at least one or two charges).

This is what the jury will be deliberating about. The short version: Judge Furman seems very skeptical of the obstruction charge against Schulte, quite persuaded by the government’s CFAA charges, but very impressed by Schulte’s closing argument.

The charges

After his first mistrial, DOJ obtained a superseding indictment designed to break his alleged crimes into explicitly identifiable crimes, presumably to prevent the jury from getting confused about what specific actions allegedly constitute a crime, as the first jury appears to have done.

The indictment is generally broken into Espionage tied to files taken directly from the CIA’s servers (Counts One and Two), Espionage tied to stuff Schulte allegedly tried to send out from jail (Counts Three and Four), CFAA for hacking the CIA servers (Counts Five through Eight), and obstruction (Count Nine). I’ve put the legal code below, but here’s how Judge Furman described the charges in his draft jury instructions.

Specifically, Count One charges the defendant with illegal gathering of national defense information or “NDI.” Specifically, it charges that, on or about April 20, 2016, the defendant, without authorization, copied backup files of certain electronic databases (what I will refer to as the “Backup Files”) housed on a classified computer system maintained by the CIA (namely “DEVLAN”).

Count Two charges the defendant with illegal transmission of unlawfully possessed documents, writings, or notes containing NDI. Specifically, it charges that, between April and May 2016, the defendant, without authorization, retained copies of the Backup Files and communicated them to a third party not authorized to receive them, the organization WikiLeaks.

Count Five charges the defendant with unauthorized access to a computer to obtain classified information. Specifically, it charges that, between April 18 and April 20, 2016, the defendant accessed a computer without authorization and exceeded his authorized access to obtain the Backup Files and subsequently transmitted them to WikiLeaks without authorization.

Count Six charges the defendant with unauthorized access to a computer to obtain information from a department or agency of the United States. Specifically, it charges that, on or about April 20, 2016, the defendant accessed a computer without authorization or in excess of his authorized access, and copied the Backup Files.

Count Seven charges the defendant with causing transmission of a harmful computer command. Specifically, it charges that, on or about April 20, 2016, the defendant transmitted commands on DEVLAN to manipulate the state of the Confluence virtual server on DEVLAN.

Count Eight charges the defendant with causing transmission of a harmful computer command. Specifically, it charges that, on or about April 20, 2016, the defendant transmitted commands on DEVLAN to delete log files of activity on DEVLAN.

Counts Three and Four charge the defendant with crimes relating to the unlawful disclosure or attempted disclosure of NDI while he was in the Metropolitan Correctional Center (“MCC”), the federal jail.

Count Three charges that, in or about September 2018, the defendant had unauthorized possession of documents, writings, or notes containing NDI related to the internal computer networks of the CIA, and willfully transmitted them to a third party not authorized to receive them.

Count Four charges that, between July and September 2018, the defendant had unauthorized possession of documents, writings, and notes containing NDI related to tradecraft techniques, operations, and intelligence gathering tools used by the CIA, and attempted to transmit them to a third party or parties not authorized to receive them.

Finally, Count Nine charges the defendant with obstruction of justice. Specifically, it charges that between March and June 2017, the defendant made certain false statements to agents of the FBI during their investigation of the WikiLeaks leak.

Here’s that language with the legal statutes included:

Count One, 18 USC 793(d) and 2 (WikiLeaks Espionage), Illegal gathering of National Defense Information: For copying the DevLAN backup files on or about April 20, 2016.

Count Two, 18 USC 793(e) and 2 (WikiLeaks Espionage), Illegal transmission of unlawfully possessed NDI: For transmitting the backup files to WikiLeaks in or about April and May 2016.

Count Three, 18 USC 793(e) and 2 (MCC Espionage), Illegal transmission of unlawfully possessed NDI: For sending this information about DevLAN to Shane Harris in or about September 2018.

“In reality, two groups — EDG and COG and at least 400 people had access. They don’t include COG who was connected to our DEVLAN through HICOC, an intermediary network that connected both COG and EDG. . . . There is absolutely NO reason they shouldn’t have known this connection exists. Step one is narrowing down the possible suspects and to completely disregard an ENTIRE GROUP and HALF the suspects is reckless. All they needed to do was talk to ONE person on Infrastructure branch or through ANY technical description / diagram of the network.”

Count Four, 18 USC 793(e) and 2 (MCC Espionage), Attempted illegal transmission of unlawfully possessed NDI: For staging a tweet and preparing to send out information about CIA’s hacking tools from at least July 2018 through October 2018. (Here’s the version of Exhibit 809 used at the first trial.)

Government Exhibit 801, page 3: “Which brings me to my next point — Do you know what my speciality was at the CIA? Do you know what I did for fun? Data hiding and crypto. I designed and wrote software to conceal data in a custom-designed file system contained with the drive slackspace or hidden partitions. I disguised data. I split data across files and file systems to conceal the crypto—analysis tools could NEVER detect random or pseudo-random data indicative of potential crypto. I designed and wrote my own crypto—how better to fool bafoons [sic] like forensic examiners and the FBI than to have custom software that doesn’t fit into their 2-week class where they become forensic ‘experts.’”

Government Exhibit 809, page 8: “[tool from vendor report] — Bartender for [redacted] [vendor].”

Government Exhibit 809, page 10: “Additionally, [Tool described in vendor report] is in fact Bartender. A CIA toolset for [operators] to configure for [redacted] deployment.”

Government Exhibit 809, page 11: “[@vendor] discussed [tool] in 2016, which is really the CIA’s Bartender tool suite. Bartender was written to [redacted] deploy against various targets. The source code is available in the Vault 7 release.”

Count Five, 18 USC 1030(a)(1) and 2 (CFAA), Unauthorized access to a computer to obtain classified information: For hacking into the DevLAN backup files.

Count Six, 18 USC 1030(a)(2)(B) and 2 (CFAA), Unauthorized access of a computer to obtain classified information from a department or agency: For hacking into and copying the backup files.

Count Seven, 18 USC 1030(a)(5)(A) and 2 (CFAA), Causing transmission of harmful computer code: For the reversion of Confluence on April 20, 2016.

Count Eight, 18 USC 1030(a)(5)(A) and 2 (CFAA), Causing transmission of harmful computer code: For deleting log files on DevLAN on April 20, 2016.

Count Nine, 18 USC 1503, obstruction: For lying about having taken the backup files, keeping a copy of the letter he sent to the CIA IG, having classified information in his apartment, taking information from the CIA and transferring it to an unclassified network, making DevLAN vulnerable to theft, housing information from the CIA on his home computer, and removing classified information from the CIA.

The law

Based on orders Judge Jesse Furman issued and his response to Schulte’s Rule 29 motions for an acquittal after trial, it seems he views some of the charges to be stronger than others.

Espionage, WikiLeaks charges: Furman didn’t say much about the charges tied to Schulte allegedly obtaining and sharing the Vault 7 and 8 content with WikiLeaks. The transmission charge is the one that is most circumstantial (because the government made no claims about how Schulte got the stolen files out of the CIA and didn’t fully commit to how Schulte sent them to WikiLeaks), and so is one a jury might unsurprisingly find reasonable doubt on.

Espionage, MCC charges: There are two weaknesses to the MCC charges. First, Furman allowed Schulte to argue that because the Bartender information was already made public by WikiLeaks — a topic on which Schulte elicited helpful testimony — it was no longer National Defense Information (there’s more discussion on this issue here). There’s some question whether the Hickock information was NDI as well. But also, in the Bartender case, there’s a question about whether drafting a Tweet in a notebook is a significant enough step to be found guilty.

Obstruction: Furman seems quite skeptical the government has proven their case on obstruction and came close to ruling for Schulte on his Rule 29 motion on it. He ordered the two sides to brief whether the government had provided sufficient evidence of this charge. And in the conference on the instructions, he challenged whether things Schulte said on March 15, 2017 before receiving a grand jury subpoena could be included in an obstruction charge. As Schulte pointed out, too, his false statements from later interviews got less focus in this trial.

CFAA: Furman did rule against Schulte’s Rule 29 motions on the CFAA charges, suggesting he finds the evidence here much stronger. Schulte as much as admitted he had taken the steps DOJ claims he did to revert the Confluence files, effectively admitting to one of the charges as written (and that’s what the government focused on in their rebuttal). That said, if he were found guilty on the CFAA charges, Schulte would mount an interesting appeal under SCOTUS’ Van Buren ruling, issued since his last trial, which held that you can’t be guilty of CFAA if you had authorized access. Schulte laid the groundwork to argue that while he didn’t have access to Atlassian, the CIA had not revoked his access as an Administrator to ESXi, which is what he used to be able to do the reversion.

Emotion

In Schulte’s first trial, it seems clear the jury hung based on nullification of one juror, who (according to some jurors) refused to deliberate fairly. DOJ stupidly presented the case in a way that emphasized the human resource dispute, and not the leak. And in a contest of popularity between the CIA and WikiLeaks, the CIA is never going to win 12 votes unanimously, certainly not in SDNY.

I had thought that Schulte would be able to recreate that dynamic with this trial, by once again portraying himself as the unfair victim of CIA bullying. But in at least one case, I think that attempt backfired (by showing Schulte to be precisely the insubordinate prick that the CIA claims him to be).

That said, given Furman’s response, Schulte did brilliantly portray the investigation into him as being biased. So he may win the emotional battle yet again. After he finished, Furman suggested that if Schulte were acquitted, he might have a future as a defense attorney.

THE COURT: You may be seated. All right. Mr. Schulte, that was very impressive, impressively done.

MR. SCHULTE: Thank you.

THE COURT: Depending on what happens here, you may have a future as a defense lawyer. Who knows?

Tactics

In a recent New Yorker profile of Schulte, Sabrina Shroff described how by going pro se, Schulte would be able to push boundaries that she herself could not.

When you consider the powerful forces arrayed against him—and the balance of probabilities that he is guilty—Schulte’s decision to represent himself seems reckless. But, for the C.I.A. and the Justice Department, he remains a formidable adversary, because he is bent on destroying them, he has little to lose, and his head is full of classified information. “Lawyers are bound,” Shroff told me. “There are certain things we can’t argue, certain arguments we can’t make. But if you’re pro se”—representing yourself—“you can make all the motions you want. You can really try your case.”

Schulte did this repeatedly. He did so with classified information, as when he tried to get “Jeremy Weber” to admit that a report by a still-classified group, one that Weber was not aware of and that the government insists, to this day, does not exist, undermined the attribution of the case (this is based on an out-of-context text that Weber was not privy to).

Q. Were there many forensic reports filed by AFD about the leak?

A. Not that I’m aware of.

Q. OK. But at some point you learned that AFD determined the backups from the Altabackups must have been stolen, correct?

MR. LOCKARD: Objection.

THE COURT: Sustained. (Defendant conferred with standby counsel)

BY MR. SCHULTE: Q. You reviewed the AFD reports, correct?

MR. LOCKARD: Objection.

THE COURT: Sustained. Let’s move on, Mr. Schulte. (Defendant conferred with standby counsel)

THE COURT: And please keep your voice down when conferring with standby counsel.

… with investigative details (both into his own and a presumed ongoing investigation into WikiLeaks) he has become privy to, such as when he suggested that a SysAdmin named Dave had lost a Stash backup.

Q. Speaking with the admins, you’re talking Dave, Dave C., right; he was one of those?

A. Yeah, Dave.

Q. And he was an employee who put the Stash on a hard drive, correct?

A. I know I’ve heard some of that. I don’t know exactly the situation around that, but —

Q. But that, basically this hard drive with Stash was lost, correct?

MR. DENTON: Objection.

THE COURT: Sustained.

… with testimony presented as questions, as here when Schulte tried to get Special Agent Evanchec to testify that his retention of an OIG email was an honest mistake.

Q. So in your career, classifying documents, sometimes people make honest mistakes when they classify documents, correct?

MR. LOCKARD: Objection.

A. I think that’s —

THE COURT: Sustained.

BY MR. SCHULTE: Q. Have you ever made a mistake classifying a document, sir?

MR. LOCKARD: Objection.

THE COURT: Sustained.

BY MR. SCHULTE: Q. Do you know if someone makes an honest mistake in classifying a document, if they can be charged with a crime?

MR. LOCKARD: Objection.

THE COURT: Sustained.

… and with speculative claims about alternative theories, such as here when he mocked jail informant Carlos Betances’ claim that Schulte said he needed Russian help for what he wanted to accomplish.

Q. OK. Next, you testified on direct that I told you the Russians would have to help me for the work I was doing, right?

A. Yes, correct.

Q. OK. So the Russians were going to send paratroopers into New York and break me out of MCC?

MR. LOCKARD: Objection.

THE COURT: Sustained.

Over and over, prosecutors objected when Schulte made such claims, and most often their objections were sustained. But I think it highly unlikely jurors will be able to entirely unhear many of the speculative claims Schulte made, and so while some of the claims Schulte presented in such fashion were outright false, the jury is unlikely to be able to fully ignore that information.

The unsaid

There are three things that didn’t happen at the trial that I’m quite fascinated by.

First, after delaying the trial for at least four months so as to be able to use Steve Bellovin as his expert, Schulte didn’t even submit an expert report for him. There are many possible explanations for this — that Schulte didn’t like what Bellovin would have said, that Schulte used Bellovin, instead, as a hyper-competent forensic source to check his own theories but never intended to call him, or finally, that Schulte correctly judged he could serve as his own expert in questioning witnesses. That said, the fact that he didn’t use Bellovin makes the delay far more curious.

Second, there are numerous instances — one example is a gotcha that Schulte staged about a purported error (but not a far more significant real error) one of the FBI agents in the case made about Schulte’s Google searches — that were actually quite incriminating. The government, unsurprisingly, didn’t distract from their main case to lay this out, though. But I hope to return to some of these details because, while they are irrelevant to the verdict against Schulte (and I want to make clear are distinct from the jury’s ultimate decision about his innocence), they do provide interesting details about Schulte’s actions.

Finally, the government fought hard for the right to be able to present a Schulte narrative about what happened that he shared with his cousin, Shane Presnall, but didn’t introduce it at trial. Effectively, in the document Schulte exposed the real identity of one or more of his colleagues to his cousin. I’m not sure whether the government didn’t rely on this because they wanted to avoid the possibility Presnall would testify, they wanted to limit damage already done to the covert status of the CIA employees, or they didn’t want jeopardy to attach to the document (meaning they could use it in further charges in case of an acquittal). But I’d sure like to know why DOJ didn’t rely on it.

Note: As it did with the first trial, Calyx Institute made the transcripts available. This time, however, they were funded by Germany’s Wau Holland Foundation. WHF board member Andy Müller-Maguhn has been named in WikiLeaks operations and was in the US during some of the rough period when Schulte is alleged to have leaked these documents. 

South Carolinians Converging at the East Door … and Hampton Inn

I’d like to look at how two men from South Carolina who stayed at the Hampton Inn together, George Tenney and Robbie Norwood, serially played key roles in opening the East Door on January 6.

As I noted in a post last July, Tenney was arrested with a former Marine named Darrell Youngers, though the subsequent investigation seems to have confirmed that they first met that day. The two of them entered the Capitol together at 2:19PM and went fairly directly to the East door by 2:24PM, where Tenney was the first to attempt to open that door to admit the thousands who had assembled outside. After tussling with the cops for a bit, the two gave up and left the Capitol.

Youngers was charged with just trespassing, but Tenney was charged with three felonies — obstruction, civil disorder, and assault — reflecting in part his contact with the cops and presumably also his premeditation in the weeks leading up to January 6.

When the men first started talking about pleading guilty, Youngers’ lawyer suggested they were sharing information with the government (though that doesn’t show up in their guilty pleas).

On March 30, Youngers pled guilty to parading, the trespassing charge most misdemeanor defendants plead to. His statement of offense focused on three things: Tenney’s efforts to open the East doors (and the contact he had with cops in doing so), Youngers’ own description of the “multiple doors” involved in breaching the Capitol, and an interview he and Tenney gave with William Norwood later that night.

12. YOUNGERS and Tenney proceeded to the area inside the Rotunda Doors. Tenney tried to force open the Rotunda Doors to allow more rioters to enter the Capitol, and he had contact with multiple federal employees in the course of doing so. Tenney and others succeeded in getting the Rotunda Doors open, allowing others to enter the Capitol.

13. YOUNGERS and Tenney eventually moved into the Rotunda. Before leaving the area of the Rotunda Doors, YOUNGERS said, “Two stories. Two floors. Multiple doors. The Capitol Building’s been breached.” YOUNGERS and Tenney retreated to the Rotunda and made their way to the area near Senate Wing Doors, exiting the Capitol Building through a window at approximately 2:32 p.m.

14. That evening, YOUNGERS gave an interview from a hotel room with Tenney and William Robert Norwood III, where they wore masks and head coverings to conceal their identities.

Here’s that interview, which Youngers, Norwood, and Tenney (from left to right) gave while masked.

Norwood — who according to his first bail hearing used to be in a militia, about three years ago — was arrested months earlier than the other two. He had been turned in by family members shortly after the attack after he bragged (falsely) about assaulting a cop. He does appear to know Tenney from South Carolina, but entered the Capitol separately, four minutes after him at 2:23. In a second motion for detention, the government alleged that Norwood led rioters to Nancy Pelosi’s office before joining the later effort to open the East door — the one that led to the Oath Keepers and others breaching the building. After allegedly asking his estranged wife to lie about his case, he was detained, though he and the government are in plea discussions.

Youngers’ plea agreement included the standard language January 6 misdemeanor pleas include, consisting of either a social media review and/or an interview with the FBI, suggesting (though the inclusion of such boilerplate is not reliable) he had not yet done so.

Your client agrees to allow law enforcement agents to conduct an interview of your client regarding the events in and around January 6, 2021 prior to sentencing. Your client can accomplish this through an in-person meeting with a law enforcement agent to allow the law enforcement agent to look through social media accounts on your client’s phone or other device.

The plea agreement Tenney entered into last Thursday, however, lacks that language, which may suggest he already did one or some interviews with the FBI. If Tenney did, he didn’t get much of a deal: he pled to two of the felonies against him: civil disorder and obstruction, avoiding only an assault charge for wrestling with cops. Depending on whether DOJ succeeds in persuading Judge Thomas Hogan to apply an 8-level enhancement for official victim/property damage, Tenney’s sentencing guidelines will be 21 to 27 months (without the enhancement) or 41 to 51 months (with it) — the latter of which would be one of the stiffest sentences to date for a prosecution that didn’t involve assaulting a cop, but which might be appropriate for the tactically critical role that opening that East door played in occupying the Capitol.

But I’m more interested in Tenney’s statement of offense, particularly how it compares to his and Youngers’ arrest affidavit. That is, I’m interested in any sign that DOJ has learned why and how Tenney came to head right through the Capitol to the East side to open that door, where thousands were waiting, or whether Norwood’s subsequent successful efforts (as part of a larger group) to open the East doors was related.

With Tenney’s guilty plea, the government has included slightly more language from December 28 indicating that Tenney was coordinating with people who were planning for all eventualities.

In two bail proceedings the government focused on Norwood’s lies about leaving the vest and helmet he stole at the hotel. But he also appears to have lied about with whom he was staying at the Hampton, claiming he stayed with an older couple from Ohio rather than people close to his same age from nearby in South Carolina.

Finally, NORWOOD claimed that upon leaving the Capitol grounds, he and his wife met an older couple from Ohio, who invited them to stay in their hotel room at the Hampton Inn for the night. NORWOOD claimed that he left the police vest and helmet inside the hotel room, but he could not provide interviewing agents with any further details about the hotel.

After Norwood was interviewed by the FBI, he let Tenney know about it, because Tenney told the FBI that he knew about it in a (similarly misleading) interview a little over two weeks later.

TENNEY said that he was only inside the Capitol Building for three or four minutes before he and the people he was with realized that something bad was happening, prompting them to leave. He indicated that he did not think he was doing anything wrong at the time, but, in hindsight, wishes he had not gone inside the Capitol Building. TENNEY further stated that he did not engage in any violence inside or cause property damage. Instead, he said, he told people to stop damaging things and helped officers who had fallen to the ground to get back on their feet.

[snip]

During his February 9 interview, TENNEY also mentioned two other names: “Darnell,” (YOUNGERS’ first name is “Darrell”) and a person he identified as “Robbie” from Greenville, S.C., whom he said had already been interviewed by the FBI. TENNEY admitted to having met “Robbie” in the crowd at the January 6 rally, before he entered the Capitol.

In an interview after his arrest, Norwood admitted sharing a hotel room with Tenney.

In a subsequent interview on February 26, 2021, Norwood mentioned sharing a hotel room the night of January 6 with an individual named “George,” which is TENNEY’s first name.

What happened in that hotel room appears to be some of the substance of the testimony that Norwood was trying to convince his estranged wife to renege on months later, leading up to January (when prosecutors first asked Judge Emmet Sullivan to revoke Norwood’s bail).

The content of the defendant’s text messages with his estranged wife, appended as attachments to Pretrial’s Violation Report, show what appears to be a sustained campaign by the defendant to coerce, intimidate, threaten, and corruptly persuade a potential government witness to recant her statements to law enforcement and to obstruct justice. Communications between the estranged wife and defense counsel, which are also appended as attachments to Pretrial’s Violation Report, provide context for the text messages between the defendant and his estranged wife: “Robert Norwood has been trying to [coerce] me into emailing you, stating that, anything from my statements to the FBI were not true. However, I do not feel comfortable lying [sic] about anything. . . . I do not feel comfortable in anything that he was telling me to do.”

[snip]

The estranged wife’s communications with Norwood and with Norwood’s counsel show that the defendant has, at the very least, been pressuring his estranged wife to recant her statements to the FBI, to not be truthful, and to “keep [her] mouth shut.” ECF No. 29, Att. 3. In fact, when the estranged wife texted the defendant, “I will tell the whole truth,” the defendant responded, “No you won’t . . . You’ll tell them you reached out to me and made the offer. That I didn’t respond to you . . . Do not throw me under the bus . . . What part of spousal privilege don’t you get???” Id. Additionally, when the estranged wife texted the defendant, “I refuse to write another bogus f***ing email,” the defendant responded, “It’s not bogus, and it will help us both. . . . Do what you said you already did. You lied to me. STOP F***ING LYING ABOUT EVERYTHING AND HELP ME LIKE YOU SAID YOU WOULD.”

To be clear: it’s not clear what relationship there is between Tenney and Norwood, aside from their shared hotel room and proximity in South Carolina. It’s their shared focus on the East door.

At 2:24, after making a beeline through the Capitol, Tenney was the first person to open the East door.

And about fourteen minutes later, Norwood similarly helped open the East door.

Then later that night, the two men donned masks and told their stories of the day, stories that presumably explain how both came to help rioters amassed on the East side of the building open a second front of attack.

By December 28, 2020, Tenney knew of plans to siege the Capitol. On January 6, he and fellow South Carolinian Norwood both played key roles in that siege.

So what happened in between?

Thanks to @CapitolHunters for pointing me to this video, which takes forever to download and which shows both breaches, and for talking me through some of the other people of interest who have yet to be arrested.

Amid Claims of Witness Tampering, Revisiting Peter Navarro’s Alleged Contempt

Last week, Steve Bannon engaged in a stunt, claiming that a Carl Nichols order requiring DOJ to provide official documents on things like executive privilege and testimonial immunity must cover DOJ’s declination decision with respect to Mark Meadows and Dan Scavino.

The stunt itself isn’t all that interesting.

Bannon claimed that he refused to testify in part on the same basis that Mark Meadows and Dan Scavino did, and so understanding how DOJ had distinguished them (whose prosecution DOJ declined) from him (who got charged) would reflect official policy.

The letters Trump lawyer Justin Clark sent to Meadows and Scavino made one difference clear, however (which the Bannon filing obliquely acknowledges). In instructing Meadows and Scavino to refuse to testify to the January 6 Committee as much as possible, Clark included language invoking testimonial immunity, on top of Executive Privilege.

Furthermore, President Trump believes that Mr. Meadows is immune from compelled congressional testimony on matters related to his official responsibilities. See Testimonial Immunity Before Congress of the Former Counsel to the President, [citing the Don McGahn OLC opinion]

The letter that Clark sent Bannon on the same day, October 6, had no such language on testimonial immunity.

Indeed, after Robert Costello kept making claims about Trump instructing Bannon not to testify, Clark emailed him twice more, the first time to resend the same letter, and the second time to explicitly say that they didn’t think Bannon had testimonial immunity.

In light of press reports regarding your client I wanted to reach out. Just to reiterate, our letter referenced below didn’t indicate that we believe there is immunity from testimony for your client. As I indicated to you the other day, we don’t believe there is. Now, you may have made a different determination. That is entirely your call. But as I also indicated the other day other avenues to invoke the privilege — if you believe it to be appropriate — exist and are your responsibility.

Effectively, Trump’s team told Bannon to stall, but gave him no legal tools to do so. Bannon didn’t entirely ignore testimonial immunity. In a footnote, he accused Carl Nichols of misapplying the law with respect to immunity and privilege.

Finally, on this question, the Court’s oral Order of June 15, 2022, appears to indicate a view by the Court that Justin Clark’s view on the question of “immunity” is either relevant or somehow undercuts the invocation of executive privilege. It certainly is not relevant – immunity, unlike, executive privilege is not a legal concept for the President to invoke or confer and his view on “immunity” is of no consequence at all on the question of whether executive privilege was invoked. It was.

But he said the common invocation of Executive Privilege was itself enough to merit a more formal comparison (ignoring, of course, that Meadows provided some materials to the Committee that did not involve the President, whereas Bannon withheld even his public podcasts).

Though some of the news reports he cites name Peter Navarro, Bannon doesn’t invoke his case. In Navarro’s now-withdrawn lawsuit against the Committee, he invoked both testimonial immunity and Executive Privilege. But he cites no letter from Trump; instead, he relies on the same Don McGahn OLC opinion Bannon invoked in his filing. Of course, by the time Navarro was subpoenaed — February 9, as compared to the September 23 subpoenas for Bannon, Meadows, and Scavino (as well as Kash Patel) — SCOTUS had already ruled against Trump’s privilege claim.

So it may be that DOJ’s decision tree regarding charges looks like this:

Bannon’s filing may be a stunt, but he may be right that DOJ didn’t charge Meadows and Scavino because they could claim to have been covered by both Executive Privilege and testimonial immunity (and in Meadows’ case, even attempted to comply with non-privileged materials).

Given the evidence in Tuesday’s hearing that Trump and his associates continued to try to influence Cassidy Hutchinson’s testimony at least through March 7, I want to return to something I noted before: because Navarro didn’t lawyer up, whatever communications he exchanged with Trump’s lawyers would not be privileged.

After Bannon got indicted for contempt, DOJ obtained the call records for his lawyer, Robert Costello’s, communications going all the way back to when Costello’s previous representation of Bannon ended. If they did that with Navarro, they could get more than the call records, though.

Whatever else DOJ did with their charging decision, they also allowed themselves the greatest visibility into ongoing obstruction, while sustaining the case in chief.

The Men Disputing Cassidy Hutchinson’s Retelling of Trump’s SUV Lunge Got Warnings about Plans to Flood the Capitol

Since Cassidy Hutchinson’s startling testimony on Tuesday, credulous journalists have reported anonymous sources pushing back against one of her most dramatic stories: that when told he was not going to the Capitol on January 6, Donald Trump lunged towards the steering wheel of the SUV taking him back to the White House and then went after the clavicle of the head of his detail, Bobby Engel.

On top of being anonymous, the pushback never disputed Hutchinson’s claim: that she was told this story by Tony Ornato, the Secret Service Officer that Trump elevated into an important political position at the White House, Deputy Chief of Staff, in front of Engel, who did not dispute the story. Plus, Alyssa Farah has described how Ornato, in the past, has disputed things she said under oath (about Trump’s stunt in Lafayette Square), without himself going under oath.

Nevertheless, that anonymous pushback has distracted from a far more alarming detail in Tuesday’s testimony that Ornato and Engel have not disputed, either on or off the record: that they got warnings about plans to occupy buildings in DC and, implicitly, warnings about Proud Boy involvement.

That revelation came just before Hutchinson affirmed a detail I’ve been almost alone in reporting for over a year: Not just Roger Stone, but also Rudy Giuliani, had links to the Proud Boys.

Cheney: US Secret Service was looking at similar information and watching the planned demonstrations. In fact, their Intelligence Division sent several emails to White House personnel, like Deputy Chief of Staff Tony Ornato and the head of the President’s protective detail Robert Engel, including certain materials listing events like those on the screen.

Cheney: The White House continued to receive updates about planned demonstrations, including information regarding the Proud Boys organizing and planning to attend events on January 6. Although Ms. Hutchinson has no detailed knowledge of any planning involving the Proud Boys for January 6, she did note this:

{video}

Hutchinson: I recall hearing the word[s], “Oath Keeper,” hearing the word[s], “Proud Boys,” closer to the planning of the January 6 rally when Mr. Giuliani would be around.

The reference to Ornato and Engel is among the first in Tuesday’s hearing: while Cheney had previewed Hutchinson’s interactions with Ornato and the Secret Service in her introduction, this reference was the first substantive description of Ornato’s activities. That description, as well as Hutchinson’s explanation of how she told Trump’s National Security Advisor Robert O’Brien that Ornato had had a conversation with Mark Meadows about the warnings of violence, came even before Cheney cued Hutchinson to explain what an important role the Deputy Chief of Staff played.

Some time later, the hearing revealed texts between Hutchinson and Ornato reflecting the latter’s awareness that Trump’s supporters were trying to avoid the metal detectors.

Importantly, Cheney mentioned something about this text exchange that doesn’t appear in the texts shown on the screen: a discussion between the two of them — Hutchinson and Ornato — about an “OTR,” an “off the record” movement to get Trump to the Capitol. The Committee appears to be withholding precisely what those texts say — involving Trump personally, and so colorably covered under Executive Privilege.

That may not be the only thing the Committee withheld from its presentation: note in my transcription above that Cheney doesn’t say Ornato and Engel received the warnings that were flashed on the screen. She says they received, “certain materials listing events like those on the screen.” [my emphasis] Particularly given the reports that the Committee met in a secure facility in advance of this hearing, that phrasing could allow for other records, records too sensitive to show publicly, tying the Proud Boys to plans to occupy buildings on January 6.

The story of Trump lunging in the SUV is a distraction, and Ornato, a loyal Trumpster, is likely using his pushback to distract from far more damning details of Hutchinson’s testimony:

  • Both Engel and Ornato had warnings of plans to occupy buildings
  • Hutchinson linked Rudy Giuliani in advance of the attack to both militias that attacked the Capitol
  • Ornato discussed these warnings in advance with Mark Meadows, who pushed Hutchinson away twice during the early moments of the attack
  • In spite of foreknowledge of a plan to occupy buildings and the involvement of militias, Ornato nevertheless continued to plan to take Trump to the Capitol

Secret Service loyalists, for all their anonymous pushback, are denying none of these far more damning details, details that put them — and Meadows and Trump — in a far more complicit position with respect to the attack.

“All Texts Demanded!” Right Wingers No Longer Worried about “Wiped” Phones, John Eastman Edition…

As noted in the last thread, more than twelve hours later on the same day that federal agents conducted a search on Jeffrey Clark’s home in Virginia, FBI agents seized John Eastman’s phone as he was leaving a restaurant in Santa Fe. He has launched a bozo lawsuit attempting to get the phone back. And as part of that, he released the warrant used to seize his phone.

Orin Kerr has a long thread treating the bozo lawsuit seriously here, noting among other things that Constitutional law professor John Eastman forgot he was in New Mexico and therefore in the Tenth Circuit, not the Ninth. File411 has a post treating it like the bozo suit it is here.

But I’m interested in the warrant itself. As many people have noted (including Eastman himself), the warrant is from DOJ IG’s Cyber Division, not DC USAO. CNN has a helpful explanation for that: at least on the Eastman search, DOJ IG is engaged in fairly unusual coordination with the USAO (which explains all the squirreliness about which Federal agents had searched Clark’s home).

Federal agents from the Justice Department’s Office of Inspector General, which is coordinating with the wider FBI and US attorney investigation into January 6, 2021, last week raided the home of former DOJ official Jeffrey Clark, a source familiar previously told CNN. That search — during which the Justice Department inspector general’s participation had not been previously reported — came the same day as Eastman’s.

The inspector general investigates accusations of legal violations by Justice Department employees and has the ability to conduct searches and seizures. After investigating, the inspector general can refer possible criminal matters to prosecutors.

That makes a reference in the search warrant more interesting. This is just a seizure warrant, not a warrant authorizing the search of the phone. And it states that agents will bring the phone either to the DOJ IG forensic lab in Northern Virginia or to some unidentified location in DC; it doesn’t mention the FBI’s Quantico facility, though that is also in NoVA and even experts on DOJ IG aren’t aware of any dedicated forensic lab DOJ IG has.

This warrant would be consistent with use in parallel investigations, the DC (or Main) investigation into Trump and Eastman as well as a DOJ IG investigation into January 6 that Michael Horowitz announced in early 2021. I’ve been wondering whether DOJ IG’s investigation(s), which can be quite slow, have delayed the review of DOJ’s conduct. This may be the solution: coordinated investigations. In his January 2021 announcement, Horowitz addressed that concern.

The DOJ OIG is mindful of the sensitive nature of the ongoing criminal investigations and prosecutions related to the events of January 6. Consistent with long-standing OIG practice, in conducting this review, the DOJ OIG will take care to ensure that the review does not interfere with these investigations or prosecutions.

In other words, this seizure may actually reflect at least two underlying search warrants, and as such may be an attempt to obscure (like the original Rudy Giuliani warrants would have) the focus of the underlying January 6 investigation. That is, DOJ IG could hand Eastman a warrant for an investigation into Jeffrey Clark, and that would be sufficient to answer his demands for a warrant, even if there were a more substantive warrant for the DCUSAO investigation.

That’s why the timing is of interest. As File411 notes, it was authorized on June 17, so after the Big Lie January 6 Committee hearing, but five days before it was executed on June 22. If this warrant was a response to the January 6 Committee hearings, it wasn’t a response to the hearing focused on Jeffrey Clark, but rather on one focused on Eastman.

In the days ahead, you will hear wailing about how poor Constitutional attorney John Eastman had his privacy abridged — that’s the point of the bozo lawsuit, just like Russian oligarchs do. But the very same people who’ll be whining were huge fans of DOJ IG’s best known cyber work: a 2018 report explaining why the FBI’s text archiving system hadn’t captured 19,000 texts between Peter Strzok and Lisa Page.


That investigation, like this one, appears to be focused on a DOJ employee who has already resigned (though the earlier report was started when Strzok and Page were still at FBI). And given the seizure of devices, it may be focused on inappropriate politicization of DOJ — the allegation at the core of investigations into Strzok and Page, yet for which DOJ IG never substantiated proof.

Both Rudy and Trump are on the record supporting such DOJ IG investigations into phones for evidence of improper politicization. Chances are they’re going to be less enthusiastic now that the subjects of the investigation are John Eastman and Jeffrey Clark.

Jeffrey Clark: Physics Takes Over the Investigation Now

Last Thursday was an exciting day for those who have doubted Merrick Garland’s DOJ was really investigating top officials for matters pertaining to January 6.

Not only did multiple outlets describe Republicans involved in the fake elector scheme receiving subpoenas or even, in at least three cases, search warrants for their devices, but Jeffrey Clark’s home in Virginia was also searched on Wednesday. As part of that, according to the hysterical account Clark gave on Tucker Carlson, whatever agency did the search used an electronics sniffing dog and seized all the electronics in the house.

And that makes it a really good time to talk some more about how investigations work in the era of encrypted applications. It’s likely to be months — likely at least six months — until anything comes out of last week’s seizures.

The reason has to do with physics (and law).

We can be fairly certain that Clark — and probably some of the fake electors on whom warrants were served — used Signal or other encrypted apps. That’s because Mark Meadows and Scott Perry were conducting some of this conspiracy over Signal too, as was made clear in a slide in Thursday’s hearing.

Indeed, one reason Clark may have been raided is because he makes an easier target, for now, than Meadows or the Members of Congress who were involved. All of Clark’s communications directly with then President Trump bypassed DOJ’s contact guidelines and most can be shown to be part of a plot to overturn the election, whereas many of Meadows’ communications will be protected by Executive Privilege and Perry’s by Speech and Debate (though as I keep repeating, DOJ will be able to piggyback off the privilege review that the January 6 Committee has done).

To obtain Signal conversations that haven’t been saved to the cloud, one needs at least one of the phones that was involved in the conversation. That assumes the texts were not deleted. In the James Wolfe investigation, the FBI demonstrated some ability to recover deleted Signal texts, but in the Oath Keeper investigation, their Signal deletions forced investigators to seize a whole bunch of phones to reconstruct all parts of the communications.

By law, the government should have some of these Signal texts accessible. Under the Presidential Records Act, Mark Meadows had a legal obligation to share any such texts with the Archives. But because he replaced his phone in the months after the insurrection, at a time he knew of the criminal investigation, he may not have been able to comply. If DOJ can prove that he deleted Signal texts, he might be on the hook for obstructing the DOJ investigation.

So one thing DOJ may have been trying to do, by seizing the phones of at least four players in the fake electors plot on the same day, was to obtain phones sufficient to reconstruct any Signal threads about the plot. Those served subpoenas, both in this and an earlier round of subpoenas, will have to turn over Signal texts too, if they meet the terms of the subpoena. If DOJ were trying to reach the far higher bar of obtaining a warrant against someone protected by Speech and Debate or other privileges — like Perry — they likely would need to use such threads to meet that higher bar.

So back to the physics.

The table below shows how the investigations into a number of high profile investigative subjects have proceeded. While there are exceptions (investigations where the FBI has some excuse or urgency to conduct an interview, as with Mike Flynn and George Papadopoulos, are different), investigators often first obtain readily accessible cloud content with a gag order, then use the information from a person’s cloud content to obtain probable cause for a warrant to seize phones. Under that pattern, the phone seizure will alert a subject of an investigation to that investigation. In most cases (the first round of January 6 arrests and Roger Stone are exceptions, each for different reasons), the search of phones precedes any arrest by months if not years.

Whereas, during the Mueller investigation, the FBI could exploit phones in four months’ time, of late, it has been taking closer to six months to exploit cell phones, even without any kind of special review. Part of this delay is physics: if a person uses any kind of secure password, it takes the FBI time to crack that password (and still more time if someone uses additional security features, as Enrique Tarrio did). In many cases, the DOJ will have to use a filter team to exclude data that is somehow privileged; in all cases, DOJ will then do a scope review, ensuring that the investigative team only gets material responsive to the warrant. When a special review is required, such as the attorney-client privilege review for Rudy or the “journalistic” review for Project Veritas, that process can take much longer. Because DOJ will have to conduct a fairly exhaustive filter review for an attorney like Clark, it might take closer to nine months to exploit the devices seized last week.

This pattern suggests several things about the investigation into Jeffrey Clark (and the fake electors). First, DOJ likely obtained their first probable cause warrants against Clark and the fake electors months ago, probably pretty close to the time (though hopefully before) Lisa Monaco confirmed the investigation into the fake electors in January. In Clark’s case, an investigation may have come from a referral from DOJ IG. So contrary to what many outlets have reported, such as this example from James Risen at the Intercept, the searches of Clark and others are not proof that an investigation is beginning or that DOJ only recently established probable cause. Rather, they suggest DOJ has been investigating covertly for months, at least long enough to obtain probable cause that even more evidence exists on these phones.

But it’s also likely that it will take DOJ some months — until Christmas at least — to exploit Clark’s phone. This investigation will not move as quickly as you might think or hope at this point, and that’s partly dictated by the constraints of cracking a password — math and physics.

All that said, several prongs of an investigation that could implicate Trump may be much further on. As I’ll show in a follow-up (and as I’ve mentioned in the past), the investigation into Stop the Steal is undoubtedly much further on than people assume given Ali Alexander’s grand jury appearance last week. And the FBI has ways of getting content via the Archives, much as they obtained content from Trump’s transition from GSA, that bypass the pattern laid out above.

What the government had to have been able to prove before it searched Clark and others last week was not just that it had probable cause against those subjects, but that the cloud content otherwise available to them showed that aspects of the crime were committed using materials only available on people’s phones, likely encrypted messaging apps.

Update: Several people have asked why there would be a privilege review for Clark’s phone, since he would have been a government attorney through January 6. I’m not certain there would be, but if a warrant covered the time since January 6 (which I think likely given what DOJ has done with warrants elsewhere), then any lawyering he has done since he left would be privileged.

Update: As noted in comments, also on Wednesday, the FBI seized John Eastman’s phone. The warrant is from DOJ IG, not DC USAO and bears a 2022 case number. DOJ IG opened an investigation into Clark in 2021, but perhaps something they saw in the Jan6 Committee hearings led to a new prong of the investigation, leading to this search? Given the squirreliness regarding what agency did the search of Eastman, I wonder if both these investigative steps were DOJ IG.

Background material

This annotated file shows the unsealed Mueller warrants, with labels for those warrants that have been identified.

This post shows how the Michael Cohen investigation started with Russian-related warrants in the Mueller investigation then moved to SDNY, including a crucial detail about preservation orders for Cohen’s Trump Organization emails served on Microsoft.

This post shows how the investigation into George Papadopoulos developed; his is the outlier here, in that overt actions took place closer to the beginning of the investigation — but in his case, DOJ used a series of informants against him to obtain information.

This post describes how Trump’s team only discovered Mueller had obtained transition devices three months after Mueller obtained them, via Mike Flynn’s statement of offense.

This post shows that the seizure of Roger Stone’s phones with his January 2019 arrest was just one step in an ongoing investigation.

This post uses the Michael Cohen example to explain how the Rudy investigation might work.

This post shows how the investigation into Project Veritas developed.

This post shows how it took almost an entire year to crack Enrique Tarrio’s password, with a filter team delaying access for another month.

This post describes how the sheer volume of Stewart Rhodes’ Signal texts delayed his arrest.

Bill Barr’s Attempt to Corrupt EDNY May Have Saved the Republic

Almost all of the witnesses the January 6 Committee has relied on are deeply conflicted people. The same Trump attorney, Justin Clark, who allegedly coached Steve Bannon to withhold information from the Committee about communications with Rudy Giuliani and Mike Flynn appeared on video claiming to have qualms about using fake electors in states where the campaign did not have an active legal challenge. Ivanka claimed to believe Bill Barr’s claims that voter fraud couldn’t change the election, but the Committee just obtained video of her saying otherwise. And Bill Barr himself has gotten credit for fighting Trump’s false claims of voter fraud even though he spent months laying the groundwork for those claims by attacking mail-in ballots.

But yesterday’s hearing was something else.

After Liz Cheney invited watchers to imagine what it would be like to have a DOJ that required loyalty oaths from lawyers who work there — a policy that Alberto Gonzales had started to implement in the Bush-Cheney Administration — Adam Kinzinger led former Acting Deputy Attorney General Richard Donoghue through a narrative about the Republican Party and the Department of Justice they might like to belong to.

The whole thing was a flashback. In May 2007, I was tipped off to cover Jim Comey’s dramatic retelling of the first DOJ effort to push back on Presidential — and Vice Presidential, from Liz Cheney’s father — pressure by threatening to quit. Only years later, I learned how little the 2004 Hospital Hero stand-off really achieved. So I’m skeptical of yesterday’s tales of heroism from the likes of Jeff Rosen and Steve Engel.

But that’s also because their record conflicts with some of the things they said.

For example, check out what Engel — someone who played an absolutely central role in Bill Barr’s corruption of the Mueller investigation, and who wrote memos that killed the hush payment investigation into Trump and attempted to kill the whistleblower complaint about Volodymyr Zelenskyy — had to say about politicization of investigations.

Kinzinger: Mr. Engel, from your perspective, why is it important to have a [White House contact] policy like Mr. Rosen just discussed?

Engel: Well, it’s critical that the Department of Justice conducts its criminal investigations free from either the reality or any appearance of political interference. And so, people can get in trouble if people at the White House are speaking with people at the Department and that’s why, the purpose of these policies, is to keep these communications as infrequent and at the highest levels as possible just to make sure that people who are less careful about it, who don’t really understand these implications, such as Mr. Clark, don’t run afoul of those contact policies.

Or consider how Special Counsels were described, as Kinzinger got the witnesses to discuss how wildly inappropriate it would have been to appoint Sidney Powell to investigate vote fraud. Here’s how Engel explained the limited times there’d be a basis to appoint one:

Kinzinger: So during your time at the Department, was there ever any basis to appoint a Special Counsel to investigate President Trump’s election fraud claims?

Engel: Well, Attorney General Barr and [inaudible] Jeffrey Rosen did appoint a Special Counsel. You would appoint a Special Counsel when the Department — when there’s a basis for an investigation, and the Department, essentially, has a conflict of interest.

Engel is presumably referring to John Durham with that initial comment. But Durham fails both of those tests: there was never a basis for an investigation, and for most of the time Durham has been Special Counsel, he’s been investigating people outside the Department that present absolutely no conflict for the Department. [Note: it’s not clear I transcribed this properly. The point remains: Rosen and Barr appointed a Special Counsel that violated this standard.]

In other words, so much of what Engel and Rosen were describing were abuses they themselves were all too happy to engage in, up until the post-election period.

Which is why I’m so interested in the role of Richard Donoghue, who moved from EDNY to Main Justice in July 2020, to be replaced by trusted Bill Barr flunkie Seth DuCharme. It happened at a time when prosecutors were prepared to indict Tom Barrack, charges that didn’t end up getting filed until a year later, after Merrick Garland and Lisa Monaco had been confirmed. The 2020 move by Barr looked just like other efforts — with Jessie Liu in DC and Geoffrey Berman in SDNY — to kill investigations by replacing the US Attorney.

That is, by all appearances, Donoghue was the one involved in all these events in 2020 and 2021 only because Barr was politicizing prosecutions, precisely what Engel claimed that DOJ, during his tenure, attempted to avoid.

That’s interesting for several reasons. First, in the context of explaining the January 3 stand-off in the White House, Donoghue described why environmental lawyer Jeffrey Clark was unqualified to be Attorney General.

Donoghue: Mr. President, you’re talking about putting a man in that seat who has never tried a criminal case. Who has never conducted a criminal investigation.

Well, neither had regulatory lawyer Jeffrey Rosen (or, for that matter, Billy Barr). That is, in explaining why Clark should not be Attorney General, Donoghue expressed what many lawyers have likewise said about Barr, most notably during Barr’s efforts to undermine the Mike Flynn prosecution (the tail end of which Donoghue would have been part of, though DuCharme was likely a far more central player in that).

In the collective description of the showdown at the White House on January 3, it sounds like before that point, Donoghue was the first one who succeeded in beginning to talk Trump out of replacing Rosen, because it was not in Trump’s, or the country’s, interest.

Mr. President, you have a great deal to lose. And I began to explain to him what he had to lose. And what the country had to lose, and what the Department had to lose. And this was not in anyone’s best interest. That conversation went on for some time.

Donoghue also seems to have been the one to explain the impact of resignations in response to a Clark appointment.

Mr. President within 24, 48, 72 hours, you could have hundreds and hundreds of resignations of the leadership of your entire Justice Department because of your actions. What’s that going to say about you?

To be clear: Rosen would have pushed back in any case. As he described,

On the one hand, I wasn’t going to accept being fired by my subordinate, so I wanted to talk to the President directly. With regard to the reason for that, I wanted to try to convince the President not to go down the wrong path that Mr. Clark seemed to be advocating. And it wasn’t about me. There was only 17 days left in the Administration at that point. I would have been perfectly content to have either of the gentlemen on my left or right to replace me if anybody wanted to do that. But I did not want for the Department of Justice to be put in a posture where it would be doing things that were not consistent with the truth, were not consistent with its own appropriate role, or were not consistent with the Constitution.

But Rosen had already presided over capitulations to Trump in the past, including events relating to the first impeachment and setting up a system whereby Rudy Giuliani could introduce Russian-brokered disinformation targeting Joe Biden into DOJ, without exposing Rudy himself to Russian Agent charges. Repeatedly in yesterday’s hearing, I kept asking whether the outcome would have been the same if Donoghue hadn’t been there.

Plus, by all appearances, Donoghue was the one providing critical leadership in the period, including going to the Capitol to ensure it was secured.

Kinzinger: Mr. Donoghue, we know from Mr. Rosen that you helped to reconvene the Joint Session, is that correct?

Donoghue: Yes sir.

Kinzinger: We see here in a video that we’re going to play now you arriving with your security detail, to help secure the Capitol. Mr. Donoghue, thirty minutes after you arrived at the Capitol, did you lead a briefing for the Vice President?

Donoghue: I’m not sure exactly what the time frame was, but I did participate in a call and participate in a briefing with the Vice President as well as the Congressional leadership that night. Yes.

Kinzinger: Where’d you conduct that call at?

Donoghue: I was in an office, I’m not entirely sure where it was. My detail found it, because of the acoustics in the Rotunda were such that it wasn’t really conducive to having a call so they found an office, we went to that office, and I believe I participated in two phone calls, one at 1800 and one at 1900 that night, from that office.

Kinzinger: What time did you actually end up leaving the Capitol?

Donoghue: I waited until the Senate was back in session which I believe they were gaveled in a few minutes after 8PM. And once they were back in session and we were confident that the entire facility was secured and cleared — that there were no individuals hiding in closets, or under desks, that there were no IEDs or other suspicious devices left behind — I left minutes later. I was probably gone by 8:30.

Kinzinger: And Mr. Donoghue, did you ever hear from President Trump that day?

Donoghue: No. Like the AAG, the acting AG, I spoke to Pat Cipollone and Mark Meadows and the Vice President and the Congressional leadership but I never spoke to the President that day.

So it seems possible, certainly, that one of the few things that held DOJ together in this period is Donoghue, seemingly installed there as part of yet another Bill Barr plot to corrupt DOJ.

Congresswoman Cheney, who in her opening statement talked about how outrageous it was for Trump to demand that DOJ make an announcement about an investigation into voter fraud (but who voted against the first impeachment for extorting Volodymyr Zelenskyy for exactly such an announcement), ended the hearing by inviting those who had put their trust into Donald Trump to understand that he had abused that trust.

Rudy Giuliani Launched a Lynch Mob over a Ginger Mint

I find it harder to describe the details of yesterday’s January 6 Committee hearing, covering pressure Trump put on states to alter the vote, than the earlier hearings. That’s because the testimony about Trump’s bullying of those who upheld democracy — particularly election worker Shaye Moss and Arizona Speaker of the House Rusty Bowers — elicited so much emotion. This is what Trump has turned great swaths of the Republican Party into: bullies attacking those who defend democracy.

Trump’s bullies attacking anyone defending democracy

Bowers described how a mob, including an armed man wearing a 3%er militia patch, came to his house as his daughter fought a terminal illness.

Moss described how a mob descended on her granny’s house, hunting for her and her mother, Ruby Freeman. At least one member of the mob targeting those two Black women who chose to work elections betrayed self-awareness of their regressive stance: Moss testified that one of the threats targeted at her said, “Be glad it’s 2020 and not 1920.”

And Adam Schiff got Moss to explain a detail that formed the core of a video Rudy Giuliani used to summon his mob. Rudy had claimed that when Ms. Freeman passed Shaye something, it was a thumb drive to replace votes.

It was actually a ginger mint.

Schiff: In one of the videos we just watched, Mr. Giuliani accused you and your mother of passing some sort of USB drive to each other. What was your mom actually handing you on that video?

Moss: A ginger mint.

Moss testified that none of the people who had been working with her full time on elections in Fulton County, Georgia are still doing that work. They’ve all been bullied out of working to uphold democracy.

Tying the state violence to the January 6 violence

Early in the hearing, Schiff tied these threats of violence to Stop the Steal, the organization behind the purported speakers that formed the excuse to bring mobs to the January 6 attack. He explained, “As we will show, the President’s supporters heard the former President’s claims of fraud and the false allegations he made against state and local officials as a call to action.” Shortly thereafter, investigative counsel Josh Roselman showed a video from Ali Alexander predicting at a protest in November 2020, “we’ll light the whole shit on fire.”

Much later in the hearing, Schiff tied the takeover of state capitols to the January 6 riot with a picture of Jacob Chansley invading Capitols in both AZ and DC.

Chansley already pled guilty to attempting to obstruct the vote certification, and one of the overt acts he took was to leave Mike Pence this threatening note on the dais.

So one thing the hearing yesterday did was to tie the threats of violence in the states to the expressions of violence on January 6.

Showing obstruction of the vote certification, including documents

A second video described the fake electors scheme, developing several pieces of evidence that may help DOJ tie all this together in conspiracy charges.

The video included testimony from Ronna McDaniel acknowledging the RNC’s involvement. (Remember that McDaniel joined in the effort to censure Liz Cheney when she learned the committee had subpoenaed Kathy Berden, the lead Michigander on that fake certificate; Berden has close ties to McDaniel.)

Essentially he turned the call over to Mr. Eastman who then proceeded to talk about the importance of the RNC helping the campaign gather these contingent electors in case any of the legal challenges that were ongoing changed the result of any of the states. I think more just helping them reach out and assemble them. But the — my understanding is the campaign did take the lead and we just were … helping them in that role.

The video also cited Trump’s own campaign lawyers (including Justin Clark, who represented Trump in conjunction with Steve Bannon’s refusal to testify) describing that they didn’t believe the fake electors scheme was prudent if the campaign no longer had legal challenges in a given state.

In a videotaped deposition, former campaign staffer Robert Sinners described himself and other workers as, “useful idiots or rubes at that point.” When asked how he felt upon learning that Clark and Matt Morgan and other lawyers had concerns about the fake electors, Sinners explained, “I’m angry because I think in a sense, no one really cared if … if people were potentially putting themselves in jeopardy.” He went on, “I absolutely would not have” continued to participate, “had I known that the three main lawyers for the campaign that I’ve spoken to in the past and leading up were not on board.”

And electors in individual states claimed to have been duped into participating, too. Wisconsin Republican Party Chair Andrew Hitt described that, “I was told that these would only count if a court ruled in our favor.” So using them as an excuse to make challenges on January 6, “would have been using our electors, well, it would have been using our electors in ways that we weren’t told about and we wouldn’t have supported.”

In the wake of yesterday’s hearing, one of MI’s fake electors, Michele Lundgren, texted reporters to claim that they had not been permitted to read the first page of the form they signed, which made the false claims.

As the video showed the fake certificates next to the real ones, Investigative Counsel Casey Lucier explained that,

At the request of the Trump campaign, the electors from these battleground states signed documents falsely asserting that they were the duly elected electors from their state, and submitted them to the National Archives and to Vice President Pence in his capacity as President of the Senate.

[snip]

But these ballots had no legal effect. In an email produced to the Select Committee, Dr. Eastman told a Trump campaign representative [Boris Epshteyn] that it did not matter that the electors had not been approved by a state authority. Quote, the fact that we have multiple slates of electors demonstrates the uncertainty of either. That should be enough. He urged that Pence act boldly and be challenged.

Documents produced to the Select Committee show that the Trump campaign took steps to ensure that the physical copies of the fake electors’ electoral votes from two states were delivered to Washington for January 6. Text messages exchanged between Republican Party officials in Wisconsin show that on January 4, the Trump campaign asked for someone to fly their fake electors documents to Washington.

A staffer for Wisconsin Senator Ron Johnson texted a staffer for Vice President Pence just minutes before the beginning of the Joint Session. This staffer stated that Senator Johnson wished to hand deliver to the Vice President the fake electors votes from Michigan and Wisconsin. The Vice President’s aide unambiguously instructed them not to deliver the fake votes to the Vice President.

Lucier made it clear, though, that these fake electors were delivered to both Congress (Johnson) and the Executive Branch (the Archives).

This video lays out critical steps in a conspiracy to obstruct the vote certification, one that — because it involves a corrupt act with respect to fraudulent documents — would even meet Judge Carl Nichols’ standard for obstruction under 18 USC 1512(c)(2).

The Court therefore concludes that § 1512(c)(2) must be interpreted as limited by subsection (c)(1), and thus requires that the defendant have taken some action with respect to a document, record, or other object in order to corruptly obstruct, impede or influence an official proceeding.

Understand, many of these people are awful and complicit (and bmaz will surely be by shortly to talk about what an asshole Rusty Bowers is). But with respect to the fake electors scheme, the Committee has teed up a parade of witnesses who recognize their own criminal exposure, and who are, as a result, already rushing to blame Trump for all of it. We know DOJ has been subpoenaing them for evidence about the lawyers involved — not just Rudy and Eastman, but also Justin Clark.

DOJ has also been asking about Boris Epshteyn. He showed up as the recipient of an email from Eastman explaining that it didn’t matter that the electors had no legal legitimacy.

As Kyle Cheney noted, the Committee released that email last month, albeit with Epshteyn’s name redacted.

The Republican Party has not just an incentive, but an existential need at this point, to blame Trump’s people for all of this, and it may do wonders not just for obtaining cooperative and cooperating witnesses, but also to change how Republicans view the January 6 investigation.

Exposing Pat Cipollone’s exceptional unwillingness to testify

Liz Cheney continued to use the hearings to shame those who aren’t cooperating with the Committee. In her opening statement, she played the video of Gabriel Sterling warning of violence, where he said, “All of you who have not said a damn word [about the threats and false claims] are complicit in this.”

Then after Schiff talked about the threat to democracy in his closing statement …

We have been blessed beyond measure to live in the world’s greatest democracy. That is a legacy to be proud of and to cherish. But it is not one to be taken for granted. That we have lived in a democracy for more than 200 years does not mean we shall do so tomorrow. We must reject violence. We must embrace our Constitution with the reverence it deserves, take our oath of office and duties as citizens seriously, informed by the knowledge of right and wrong and armed with no more than the power of our ideas and the truth, carry on this venerable experiment in self-governance.

Cheney focused on the important part played by witnesses who did what they needed to guard the Constitution, twice invoking God.

We’ve been reminded that we’re a nation of laws and we’ve been reminded by you and by Speaker Bowers and Secretary of State Raffensperger, Mr. Sterling, that our institutions don’t defend themselves. Individuals do that. And we’ve [been] reminded that it takes public servants. It takes people who have made a commitment to our system to defend our system. We have also been reminded what it means to take an oath, under God, to the Constitution. What it means to defend the Constitution. And we were reminded by Speaker Bowers that our Constitution is indeed a divinely inspired document.

That set up a marked contrast with the list of scofflaws who’ve obstructed the Committee.

To date more than 30 witnesses called before this Committee have not done what you’ve done but have invoked their Fifth Amendment rights against self-incrimination. Roger Stone took the Fifth. General Michael Flynn took the Fifth. John Eastman took the Fifth. Others like Steve Bannon and Peter Navarro simply refused to comply with lawful subpoenas. And they have been indicted. Mark Meadows has hidden behind President Trump’s claims of Executive Privilege and immunity from subpoena. We’re engaged now in litigation with Mr. Meadows.

Having set up that contrast, Congresswoman Cheney then spent the entire rest of her closing statement shaming Pat Cipollone for refusing thus far to testify.

The American people in our hearings have heard from Bill Barr, Jeff Rosen, Richard Donoghue, and many others who stood up and did what is right. And they will hear more of that testimony soon.

But the American people have not yet heard from Mr. Trump’s former White House counsel, Pat Cipollone. Our Committee is certain that Donald Trump does not want Mr. Cipollone to testify here. Indeed, our evidence shows that Mr. Cipollone and his office tried to do what was right. They tried to stop a number of President Trump’s plans for January 6.

Today and in our coming hearings, you will hear testimony from other Trump White House staff explaining what Mr. Cipollone said and did, including on January 6.

But we think the American people deserve to hear from Mr. Cipollone personally. He should appear before this Committee. And we are working to secure his testimony.

In the wake of this, someone “close to Cipollone” ran to Maggie Haberman and sold her a bullshit story, which she dutifully parroted uncritically.

Cheney had just laid out that the “institutional concerns” had been waived by other lawyers (and were, legally, in the case of Bill Clinton). And any privilege issue went out the window when Sean Hannity learned of the White House Counsel complaints. Plus, White House Counsel lawyer Eric Herschmann has testified at length, including about matters — such as the call Trump made to Vice President Pence shortly before the riot — involving Trump personally.

Given Cheney’s invocation of those who pled the Fifth, I wonder if she suspects that Cipollone’s reluctance has less to do with his claimed excuses, and more to do with a concern that he has personal exposure.

He may! After all, he presided over Trump’s use of pardons to pay off several key players in the insurrection, including three of the people Cheney invoked to set up this contrast: Flynn, Stone, and Bannon (though I suspect Cipollone had checked out before the last of them). And these pardons — and the role of pardons in the planning for January 6 more broadly — may expose those involved, potentially including Cipollone, in the conspiracy.

Whether or not Cheney shames Cipollone into testifying, including with her appeal to religion, he may not have the same luxury of refusing when DOJ comes calling.