The Roger Stone trial is done for the week, with Randy Credico getting through his testimony (though probably without substantiating the witness tampering charge tied to him), with Margaret Kunstler confirming that Credico had never provided information from Assange to Stone through her, and with a very short appearance from Steve Bannon.
Bannon’s appearance was most interesting, in my opinion, for what he wasn’t asked. Here’s CNN’s coverage.
Prosecutor Michael Marando asked Bannon what he made of Stone’s August 18 email — introduced in Aaron Zelinsky’s opening — telling Bannon, “I do know how to win this but it ain’t pretty.” Bannon responded by calling Stone some lame euphemism for “rat-fucker,” and observed that Stone is highly experienced in such things. But Bannon was not asked whether there was any follow-up to the email. That’s particularly interesting given the possibility that it pertains to another investigation, albeit one not related to the core Russian issues.
As expected, Marando asked Bannon about his emails to Roger Stone on October 4, 2016.
Tuesday, October 4, 2016
FROM: Steve Bannon
TO: Roger Stone
EMAIL:
What was that this morning???
Tuesday, October 4, 2016
FROM: Roger Stone
TO: Steve Bannon
EMAIL:
Fear. Serious security concern. He thinks they are going to kill him and the London police are standing done.
However —a load every week going forward.
Roger stone
Tuesday, October 4, 2016
FROM: Steve Bannon
TO: Roger Stone
EMAIL:
He didn’t cut deal w/ clintons???
Marando used Bannon’s request to Stone as a way to premise that Bannon believed that Stone was the campaign point person on any outreach to WikiLeaks.
But Bannon wasn’t asked about the last email in that thread, which asked Bannon to tell Rebecca Mercer to send him some money. That’s significant, because the government wants to show that Stone lied to HPSCI about discussing his dark money shenanigans with the campaign (but that he cleaned that lie up). Since that exchange amounts to Stone telling Trump’s campaign manager what he was up to, I had thought Bannon might be asked to elaborate on that. He was not.
Finally, Bannon was not asked about his response to an email Paul Manafort sent to Jared Kushner and David Bossie on November 5, 2016 about how to “secure the victory.”
Later, in a November 5, 2016 email to Kushner entitled “Securing the Victory,” Manafort stated that he was “really feeling good about our prospects on Tuesday and focusing on preserving the victory,” and that he was concerned the Clinton Campaign would respond to a loss by “mov[ing] immediately to discredit the [Trump] victory and claim voter fraud and cyber-fraud, including the claim that the Russians have hacked into the voting machines and tampered with the results.”
Bannon responded to that email by saying, (PDF 258)
We need to avoid this guy like the plague
They are going to try and say the Russian worked with wiki leaks to give this victory to us
Paul is nice guy but can’t let word out he is advising us
Of course, this is the Roger Stone trial, not any of Paul Manafort’s multiple trials. So it’s unsurprising that this didn’t come up. But, particularly given the way it reflected a tie between Russia, WikiLeaks, and Manafort, it might have.
Especially given that, when Bannon was asked about this on February 14, 2018, he appears to have invoked Stone in his not entirely truthful answer.
Candidate Trump never said to Bannon that he was in contact with [5 letter name redacted for ongoing proceeding] or Manafort. Bannon knew they were going to win, and in this email he wanted to avoid Manafort because Bannon believed that if people could link them to Manafort, they could then try to link them to Russia.
That redacted name could not be Gates, the other 5-letter name associated with Manafort, because he remained on the campaign after Manafort left. And the FOIA exemption is most consistent with a Stone redaction.
In other words, a month after Bannon had the exchange about WikiLeaks with Roger Stone that did show up in the trial, he tied Stone, Manafort, WikiLeaks, and Russia together in his mind.
None of this (besides, I guess, the lack of follow-up on the August 18 email) is particularly surprising. But it is notable that Bannon wasn’t asked about a range of tangential issues, even issues that will be aired in different ways at the trial.
Three Questions Not Asked of Steve Bannon (emptywheel, 2019-11-08)
I tried to travel to DC to cover the Roger Stone trial, but it didn’t happen. So I’m working second-hand to get details I’d like to have.
But I’ve got three questions from day one of Roger Stone’s trial that go to both the narrative tension prosecutors are setting and, probably, some legal traps as well. I won’t lay all of them out, but here are three.
Aaron Zelinsky introduces only the calls on which (prosecutors claim) they don’t know what happened
Aaron Zelinsky, one of the only remaining Mueller prosecutors still on this team, did the opening. He went after Trump from the start, making it clear that Stone lied to protect Trump. He described previously unknown calls between Stone and Trump on June 14 — after the WaPo reported on the DNC hack, on June 30 — after Guccifer 2.0 posted an FAQ claiming not to be Russian, and on August 31 — just before emailing Corsi and telling him to go meet Assange.
Unless I missed it, neither Zelinsky nor the former FBI Agent who took the stand first mentioned the August 3 call Stone already admitted. That was the same day that Stone wrote Manafort and told him “I have an idea to save Trump’s ass.” That’s also one of the days when (in an email to Sam Nunberg the next day) Stone claimed to have spoken with Julian Assange.
More interestingly, Zelinsky didn’t mention that Rick Gates would testify to witnessing Trump take a call — almost certainly from Roger Stone — after which he told Gates that there were more WikiLeaks emails coming. He didn’t mention a similar, earlier call Michael Cohen witnessed, where Stone predicted the WikiLeaks emails would dump later in the week of July 18 or 19, but it’s not clear whether Cohen will testify (which would explain why Zelinsky wouldn’t mention it).
In other words, Zelinsky didn’t mention the most damning calls we know of.
That’s probably about creating narrative tension — saving the best for last — but also making visible the problem with Stone’s obstruction. We don’t know what was said on those calls because Stone (and Trump, in his written answers to Mueller) denied they even existed.
What’s up with Jerome Corsi?
Zelinsky made it clear that Gates (who we knew about), Credico (who’s the key witness, and probably beginning his testimony tomorrow), and Steve Bannon (about whom I had my doubts) will testify.
The sense I got from reporters at the trial, however, is that the government would not call Jerome Corsi.
I mean, why would you? He entered into a cooperation agreement, then blew it up. He’s a batshit conspiracy theorist. When Stone submitted his exhibit list back in September, the government even challenged the relevance of both Stone’s John Podesta-related emails (an August 15 one, as well as the more famous “time in the barrel” one), as well as a contact with Corsi that must pertain to their effort to start crafting a cover story even in August.
All that suggests the government doesn’t want to get into the most damning aspects of Stone’s interactions with Corsi, but instead just wants to show that Stone’s earlier communications with him make it clear he lied to the House Intelligence Committee about Credico to hide (the government suggests) what he was up to with Corsi.
Meanwhile, Stone’s defense — such as it exists — amounts to arguing that Credico and Corsi were just pulling a fast one on poor little Rog, pretending they had ties to WikiLeaks but lying about it. That’s all well and good with Credico, who has admitted he was fluffing his ties with WikiLeaks. It is likely also true that Corsi was.
But how will Stone prove that Corsi was overstating his access to Assange if you don’t call him to testify?
Nevertheless, it seems like Corsi will be the giant black hole of this trial, with his referral for lying to the grand jury and all the other reasons why he’s a disaster witness hanging in the background.
Why did Mueller refer what appears to be a follow-up on a Bannon email that will be litigated at this trial elsewhere?
One email Zelinsky did promise we’d learn more about, however, is an August 18 one (some outlets date this to August 16, but it appears to be exhibit 28) that Stone sent to Bannon promising, “I do know how to win this but it ain’t pretty.”
That seems to suggest that the email is the one discussed in hearings on how Paul Manafort breached his plea agreement, in part, by lying to investigators on another investigation.
Effectively, Manafort was asked some questions in a proffer session before his plea on September 13, in response to which he offered information that implicated someone with a 7-character name. [These dates are in the government’s January 15 filing at 23.] Then, in a debriefing on October 5, he changed his story to make it less incriminating — and to match the story the subject of the investigation was telling to the FBI at the time (last fall). When pressed by his lawyers, Manafort mostly changed his story back to what it had been. But the head fake made Manafort useless as a witness against this person.
Judge Amy Berman Jackson summed up this change this way:
The allegation is that the defendant offered a version of events that downplayed [redacted; “the President’s” or “the Candidate’s” might fit] role and/or his knowledge. Specifically, his knowledge of any prior involvement of the [16-17 character redaction] that was inconsistent with and less incriminating of [7 character redaction] than what he had already said during the proffer stage and now consistent with what Mr. [7 character redaction] himself was telling the FBI.
This investigation pertains to events that happened “prior to [Manafort] leaving the campaign (on August 19).” [January 15 filing at 26]
As Andrew Weissmann described in the breach hearing, Manafort’s version of the story first came when prosecutors, “were asking questions about an e-mail that Mr. [5 character name] had written about a potential way of saving the candidate. That’s sort of paraphrasing it. And this was a way of explaining, or explaining away that e-mail.” In the January 15 filing, this conversation arises to explain “a series of text messages.” [See 25]
Weissmann describes that the revised story Manafort told was, “quite dramatically different. This is not I forgot something or I need to augment some details of a basic core set of facts.” Manafort’s original story involved Mr. [7 character redaction] providing information about a [redacted] who was doing something. Manafort appears to have made a representation about what Mr. [7 character name] believed about that (likely important to proving intent).
But in the second session, Manafort appears to have shifted the blame, implicating Mr. [5 character name] whom, “Mr. Manafort had previously said, I did not want to be involved in this at all,” but leaving out what Mr. [7 character name] had said. Manafort’s testimony effectively left out that when Mr. [5 character name] had called previously, Manafort had said, “I’m on it, don’t get involved.” It appears that Weissmann surmised that Manafort changed the story because his version would make it central to the question of criminality [this might be a reference to being related to the Mueller investigation], so he revised it in an attempt to avoid providing anything that might be helpful to implicating Mr. [7 character name].
Effectively, in the wake of an email written by someone with a 5-character name (so Stone would fit) in the days before Manafort resigned on August 19 (so either August 16 or 18 would fit) that promised, “a potential way of saving the candidate,” someone else (my wildarseguess is Kushner) got involved. But once he got his plea agreement, Manafort changed his story to blame the guy who sent the email (in this scenario, Stone) and not the other guy.
There’s just one problem with this presumption that the email Zelinsky described and the one invoked in this investigation are one and the same.
By September of 2018, this was a separate investigation being conducted by “another district.”
The investigation is in another district. The initial government 12/7 filing says that explicitly at 8. The breach filing at 112 says they had the other investigative team “come here.”
I find it perplexing that some other US Attorney’s office — even DC — would be investigating the aftermath of the Stone to Bannon email discussed today, when such an email (if it related to Stone and WikiLeaks) would be central to what Mueller was still investigating. Corsi hadn’t blown up his plea deal yet. And Bannon’s interview where he presumably told truths he didn’t tell in February 2018 wasn’t until October 26. I mean, I have theories. I can come up with theories for just about anything. But still, why would this email be central to Zelinsky’s opening in a trial where Steve Bannon will testify unless it remained solidly within Mueller’s purview in October 2018?
Anyway, these are the big questions I take away from the first day of Stone’s trial. I think they suggest both narrative and legal plot twists that no one is expecting.
The Narrative and Legal Tensions Set on Day One of Roger Stone’s Trial (emptywheel, 2019-11-06)
There has been some absolutely shitty coverage in advance of Roger Stone’s trial that doesn’t even understand the indictment. So to try to minimize the bad coverage, I’m going to lay out what the prosecutors need to prove to show that Roger Stone is guilty.
Stone is accused of telling 5 lies to the House Intelligence Committee, plus intimidating Randy Credico in an attempt to talk him out of testifying honestly. Together, those actions will prove the obstruction charges.
I’ve mapped out each of the lies, below, with what the government needs to do to prove they’re lies, and the evidence the government has already said it’ll offer to prove that. The italicized sentences come from the indictment; where I didn’t otherwise replace it, Organization 1 is WikiLeaks.
Stone has emails with others mentioning Julian Assange and knew that when he testified
STONE testified falsely that he did not have emails with third parties about the head of Organization 1, and that he did not have any documents, emails, or text messages that refer to the head of Organization 1.
The government needs to show not only that he had emails with others (and documents and texts) talking about Julian Assange but that he knew that when he testified.
The emails and texts they’ll use to prove this include:
A July 25, 2016 email to Corsi with the subject line, “Get to [the head of Organization 1].” The body of the message read, “Get to [the head of Organization 1] [a]t Ecuadorian Embassy in London and get the pending [Organization 1] emails . . . they deal with Foundation, allegedly.” On or about the same day, Person 1 forwarded STONE’s email to an associate who lived in the United Kingdom and was a supporter of the Trump Campaign. (GX 35)
A July 31, 2016 email to Corsi with the subject line, “Call me MON.” saying that Ted Malloch, “should see Assange.” (GX 36)
An August 2, 2016 email from Corsi to Stone stating that, “Word is friend in embassy plans 2 more dumps. One shortly after I’m back. 2nd in Oct. Impact planned to be very damaging. … Time to let more than [the Clinton Campaign chairman] to be exposed as in bed w enemy if they are not ready to drop HRC. That appears to be the game hackers are now about. Would not hurt to start suggesting HRC old, memory bad, has stroke – neither he nor she well. I expect that much of next dump focus, setting stage for Foundation debacle.” (GX 37)
An August 19, 2016 text from Credico saying, “I’m going to have [Assange] on my show next Thursday.” (GX 46)
An August 21, 2016, text from Credico saying, “I have [Assange] on Thursday so I’m completely tied up on that day.” (GX 46)
An August 26, 2016 text exchange with Credico where Credico said, “[Assange] talk[ed] about you last night,” Stone asked what Assange said, and Credico responded, “He didn’t say anything bad we were talking about how the Press is trying to make it look like you and he are in cahoots.” (GX 47)
August 27, 2016 text messages from Credico saying, “We are working on a [Assange] radio show,” and that, “[Assange] has kryptonite on Hillary.”
A September 18, 2016, email to Credico asking, “Please ask [Assange] for any State or HRC e-mail from August 10 to August 30—particularly on August 20, 2011 that mention [the subject of the article] or confirm this narrative.” (GX 48)
A September 19, 2016, text to Credico writing, “Pass my message . . . to [Assange].” Credico responded, “I did.” (GX 49-57)
An October 1, 2016, text from Credico claiming, “big news Wednesday . . . now pretend u don’t know me . . . Hillary’s campaign will die this week.” (GX 58)
An October 2, 2016, email from Stone to Credico saying “WTF?,” linking an article saying that Assange was canceling “highly anticipated Tuesday announcement due to security concerns.” Credico responded, “head fake.” (GX 59)
An October 2, 2016, text to Credico stating, “Did [Assange] back off.” On October 3, 2016, Credico responded, “I can’t tal[k] about it.” Then said, “I think it[’]s on for tomorrow.” Credico added later that day, “Off the Record Hillary and her people are doing a full-court press they [sic] keep [the head of Organization 1] from making the next dump . . . That’s all I can tell you on this line . . . Please leave my name out of it.” (GX 58)
An October 3, 2016 email or text, probably to Erik Prince, stating, “Spoke to my friend in London last night. The payload is still coming.”
An October 3, 2016 email from Matthew Boyle asking, “Assange – what’s he got? Hope it’s good.” Stone responded, “It is. I’d tell [Bannon] but he doesn’t call me back.” (GX 31)
An October 4, 2016 email between Bannon and Stone asking what Assange had. (GX 32)
An October 4, 2016 text, probably from Prince, saying “hear[d] anymore from London,” to which Stone replied, “Yes – want to talk on a secure line – got Whatsapp?” (GX 32)
An October 7, 2016 text from Bannon assistant Alexandra Preate saying “well done.” (GX 44)
The government also has to prove that Stone knew he had all these comms. One way they’ll do so is by showing they were still in Stone’s possession when they searched his home. Another way they’ll prove it is by showing that Stone shared many of them, on the record, with reporters as he was trying to walk back his story.
Stone’s references to an intermediary are not to Credico
STONE testified falsely that his August 2016 references to being in contact with the head of WikiLeaks were references to communications with a single “go-between,” “mutual friend,” and “intermediary,” who STONE identified as Credico.
The government has to prove that 1) Credico could not have been the intermediary Stone referred to publicly in early August and 2) there was at least one other person that Stone was using as an attempted intermediary to Assange.
To prove this, first of all, the government will show that there were no communications between Credico and Stone until Credico told Stone that he was going to have Assange on his show on August 19, which was after Stone repeatedly claimed to have an intermediary.
The government will also show that Stone had communications with Corsi that amount to treating him as an intermediary. It will do this by showing the following communications:
A July 25, 2016 email to Corsi with the subject line, “Get to [the head of Organization 1].” The body of the message read, “Get to [the head of Organization 1] [a]t Ecuadorian Embassy in London and get the pending [Organization 1] emails . . . they deal with Foundation, allegedly.” On or about the same day, Person 1 forwarded STONE’s email to an associate who lived in the United Kingdom and was a supporter of the Trump Campaign
A July 31, 2016 email to Corsi with the subject line, “Call me MON.” saying that Ted Malloch, “should see Assange.”
An August 2, 2016 email from Corsi to Stone stating that, “Word is friend in embassy plans 2 more dumps. One shortly after I’m back. 2nd in Oct. Impact planned to be very damaging. … Time to let more than [the Clinton Campaign chairman] to be exposed as in bed w enemy if they are not ready to drop HRC. That appears to be the game hackers are now about. Would not hurt to start suggesting HRC old, memory bad, has stroke – neither he nor she well. I expect that much of next dump focus, setting stage for Foundation debacle.”
The government will further show that Stone knew Credico couldn’t be the intermediary because he spoke to both Credico and Corsi about that. For example, they’ll show:
On January 6, 2017, Credico texted Stone, “Well I have put together timelines[] and you [] said you have a back-channel way back a month before I had [the head of Organization 1] on my show . . . I have never had a conversation with [the head of Organization 1] other than my radio show . . . I have pieced it all together . . .so you may as well tell the truth that you had no back-channel or there’s the guy you were talking about early August.” (GX 61)
On November 30, 2017, after Stone asked Corsi to write something about Credico, Corsi asked, “Are you sure you want to make something out of this now? Why not wait to see what [Person 2] does. You may be defending yourself too much—raising new questions that will fuel new inquiries. This may be a time to say less, not more.” (GX 41)
The government may show there was another intermediary (probably the source Corsi refused to give up when he stopped cooperating) — and in fact, this prosecution may be an attempt to force Stone to admit that.
Stone asked for favors from his intermediaries to Assange
STONE testified falsely that he did not ask the person he referred to as his “go-between,” “mutual friend,” and “intermediary,” to communicate anything to the head of Organization 1 and did not ask the intermediary to do anything on STONE’s behalf.
The government will need to prove that he asked for favors from intermediaries. This will show, at least:
The July 25, 2016 email to Corsi with the subject line, “Get to [the head of Organization 1].” The body of the message read, “Get to [the head of Organization 1] [a]t Ecuadorian Embassy in London and get the pending [Organization 1] emails . . . they deal with Foundation, allegedly.” On or about the same day, Person 1 forwarded STONE’s email to an associate who lived in the United Kingdom and was a supporter of the Trump Campaign. This was a request not for information about emails, but the emails themselves.
A September 18, 2016, email to Credico asking, “Please ask [Assange] for any State or HRC e-mail from August 10 to August 30—particularly on August 20, 2011 that mention [the subject of the article] or confirm this narrative.”
A September 19, 2016, text to Credico writing, “Pass my message . . . to [Assange].” Credico responded, “I did.”
The government will prove he remembered that when he testified because after he testified, he threatened Margaret Kunstler, through whom Credico asked Assange for help. I suspect they have additional proof on this front.
Stone communicated with an intermediary about Assange
STONE testified falsely that he and the person he referred to as his “go-between,” “mutual friend,” and “intermediary” did not communicate via text message or email about WikiLeaks.
The government can prove this with both the Credico and Corsi communications (though I suspect it knows of more). As above, they can prove Stone knew he had these communications because he offered them up to people and indicated he knew of them in real time to Corsi.
Stone discussed his outreach via an intermediary with the Trump campaign
STONE testified falsely that he had never discussed his conversations with the person he referred to as his “go-between,” “mutual friend,” and “intermediary” with anyone involved in the Trump Campaign.
The government needs to show Stone passed on information he represented as coming from an intermediary to Assange to the Trump campaign. To prove this the government will show:
Starting in June, Stone told Trump campaign officials that emails were coming.
Around July 18, Stone called Trump at his Trump Organization phone (patched through via Rhona Graff) and told Trump the emails would be coming out that week.
Sometime after the July 22 release, Stone called Trump on his cell phone and told him more emails were coming; after Trump hung up, he told Rick Gates (who was driving with him to Laguardia) that more emails were coming.
In October, Stone claimed to have information from WikiLeaks to both Bannon and Erik Prince.
The government will prove Stone remembered this with comms with Credico and Corsi, making it clear he was protecting Trump (any one of his pleading emails telling Trump he was protecting him since then would do the trick, as well).
The government will also show that Stone was discussing his campaign finance shenanigans with the campaign, and lied about that to HPSCI, before he cleaned up his testimony.
Stone tried to prevent Credico from telling HPSCI that he was not Stone’s intermediary
The government will show abundant communications, including from third parties, to document the pressure Stone put on Credico to lie for him. That includes:
A November 19, 2017 text instructing Credico to, “‘Stonewall it. Plead the fifth. Anything to save the plan’ . . . Richard Nixon.” (GX 63)
Multiple texts, starting on December 1, 2017, instructing Credico to do a “Frank Pentangeli.” (GX 69)
On December 1, 2017, Stone texted Credico stating, “And if you turned over anything to the FBI you’re a fool.” Later that day, Credico responded, “You need to amend your testimony before I testify on the 15th.” Stone responded, “If you testify you’re a fool. Because of tromp I could never get away with a certain [sic] my Fifth Amendment rights but you can. I guarantee you you are the one who gets indicted for perjury if you’re stupid enough to testify.” (GX 69)
On or about December 24, 2017, Credico texted Stone, “I met [the head of Organization 1] for f[i]rst time this yea[r] sept 7 . . . docs prove that. . . . You should be honest w fbi . . . there was no back channel . . . be honest.” Stone replied approximately two minutes later, “I’m not talking to the FBI and if your smart you won’t either.” (GX 69)
On April 9, 2018, Stone emailed Credico, “You are a rat. A stoolie. You backstab your friends-run your mouth my lawyers are dying Rip you to shreds.” Stone also threatened to take Bianca away: “take that dog away from you,” and then added, “I am so ready. Let’s get it on. Prepare to die [expletive].” (GX 112-114)
When Credico emailed Stone on May 21, 2018, “You should have just been honest with the house Intel committee . . . you’ve opened yourself up to perjury charges like an idiot.” Stone replied, “You are so full of [expletive]. You got nothing. Keep running your mouth and I’ll file a bar complaint against your friend [Margaret Kunstler].” (GX 124-126)
The government will also show that when Stone got in trouble in 2007 for leaving a threat for Eliot Spitzer’s father, he blamed it on Credico.
What Prosecutors Need to Show to Prove Roger Stone Guilty (emptywheel, 2019-11-05)
Accused Vault 7 hacker Joshua Schulte’s lawyers seem really intent on preventing the government from using evidence obtained while he was using a contraband phone at MCC in his trial for the main leak of CIA’s hacking tools to WikiLeaks.
They’ve already challenged warrants obtained using evidence found in notebooks marked as attorney-client privileged information but then released after a wall team review; in my NAL opinion, that challenge is the most likely of any of his motions to succeed. Last week, they also moved to sever the two MCC charges from the main Espionage ones (they’ve already severed the child porn and copyright violation charges from the Espionage ones), explaining that two of his attorneys, including his lead attorney Sabrina Shroff, would testify to something about discussions from May and June 2018 that would address his state of mind when he leaked and tried to leak CIA materials later in 2018.
To defend against the government’s allegations, Mr. Schulte would call two of his attorneys—Matthew B. Larsen and Sabrina P. Shroff—to present favorable testimony bearing on his state of mind.
This pertains, in some way, to the government’s claim that Schulte wrote classified information in his prison notebooks as part of a plan to leak it.
The government has indicated that its evidence on the MCC Counts will include portions of notebooks seized from Mr. Schulte’s cell, in which he allegedly documented his plans to transmit classified information.
[snip]
Defense counsel expects that at trial, the government will seek to introduce excerpts of Mr. Schulte’s writings in his notebooks as evidence of his specific intent to violate the law.
If they succeed at severing count four from the main Espionage charges, it might make it harder to link what Schulte was doing in jail with what he was allegedly doing over two years earlier. As I noted when Schulte’s team first challenged the MCC warrants, it’s clear why they’re doing this: the MCC evidence indicates he had an ongoing relationship with WikiLeaks.
The FBI investigation proceeded from those notebooks to the WordPress site showing him claiming something identical to disinformation he was packaging up to share with WikiLeaks. They also got from those notebooks to ProtonMail accounts where Schulte offered to share what may or may not be classified information with a journalist. The reason why the defense is pushing to suppress this — one of the only challenges they’re making in his prosecution thus far — is because the stuff Schulte did in prison is utterly damning and seems to confirm both his familiarity with WikiLeaks and his belief that he needed to create disinformation to claim to be innocent.
The government, in a fairly scathing response to Schulte’s motion to sever the trials, confirms that it believes the MCC charges include evidence that help support the main charges on leaking the files to WikiLeaks (what the government calls CIA counts). The government had a “reverse proffer” on December 18, 2018 and laid out all the evidence against Schulte, including pointing out that (as I described) the material seized from MCC helped prove the CIA charges.
About six weeks later, on December 18, 2018, the Government met with defense counsel (the “Reverse Attorney Proffer”). At this meeting, the Government described for defense counsel the theory of the Government’s case with respect to the charges in the Second Superseding Indictment, and answered defense counsel’s questions about the charged counts, including the new counts. The Government also explicitly noted during the Reverse Attorney Proffer that it believed that the material recovered pursuant to the MCC Warrants was relevant evidence with respect to not only the MCC Counts, but also the CIA Counts.
Having laid out the interconnectedness of these charges, the government then explains at some length why having different attorneys defend Schulte in the CIA and MCC counts would cause delays in both, because replacement counsel would need to familiarize themselves with both sets of charges. Now, as I noted, there’s unclassified information that Schulte clearly shared with WikiLeaks both before and while he was in jail. But right there in the middle of this passage is the revelation that Schulte identified classified information in his prison notebooks that he shared with WikiLeaks but that WikiLeaks has not yet published.
Regardless, Schulte’s proposal—further severed trials and new counsel for the MCC Counts—would neither prevent trial delay nor resolve the ethical issue. Rather, it is likely to exacerbate both. First, appointing new counsel on the MCC Counts is likely to cause, rather than prevent, further trial delay and would complicate Schulte’s defense across all counts. Because of the interconnectedness of the MCC Counts and the CIA Counts, as well as the child pornography and copyright counts, new counsel would need to become familiar with the evidence as to all counts in order to appropriately advise and defend Schulte. Indeed, new counsel might determine that the best course with respect to the MCC Counts would be to seek to negotiate a plea that resolves those charges along with some combination of the CIA Counts, child pornography counts, and/or copyright count. Those negotiations could not occur until new counsel was fully familiar with all aspects of the case. This would take a substantial amount of time given that new counsel would have to be cleared and that a substantial portion of the evidence is classified and, thus, must be reviewed in sensitive compartmented information facilities. Moreover, even after new counsel became familiar with the case, it is possible that new counsel might have different views than current counsel concerning a variety of trial strategy decisions, including, among others, the desirability of Schulte testifying, which could impact one or all of the severed trials and would need to be coordinated among all of Schulte’s attorneys. As a result, trial on the CIA Counts could not proceed until new counsel for the MCC Counts was familiar with the entire case. In short, the appointment of new counsel would likely further complicate this case and lead to substantial delays.
Second, severing the CIA Counts from the MCC Counts also would not resolve the purported ethical issue. Even if the trials were severed, evidence of Schulte’s prison conduct, including the Schulte Cell Documents, would still be admissible at the trial addressing the CIA Counts as both direct evidence and Rule 404(b) evidence of those crimes. For example, in the Schulte Cell Documents, Schulte specifically identifies certain classified information that was provided to WikiLeaks but which WikiLeaks has not yet published, which is direct evidence that Schulte transmitted classified information to WikiLeaks as charged in the WikiLeaks Counts. Similarly, Schulte’s prison conduct is also admissible as to the WikiLeaks Counts for a variety of Rule 404(b) purposes including to show, among other things, consciousness of guilt, motive, opportunity, intent, absence of mistake, and modus operandi.5
5 Similarly, during a trial addressing the MCC Counts, the Government would introduce evidence relating to the CIA Counts as direct evidence to complete the story of the crime and, in the alternative, as Rule 404(b) evidence. For example, evidence related to the CIA Counts would establish Schulte’s motive for committing and ability to commit the MCC Counts, as well as his knowledge that the information he unlawfully transmitted was classified national defense information. As a result, even a trial on the MCC Counts would entail introduction of much of the evidence from the Espionage Trial. [my emphasis]
The government doesn’t say whether it knows that WikiLeaks received this information because it found it after seizing Julian Assange’s computers or some other way.
The detail that Schulte referred to information that the government apparently knows WikiLeaks received — but that WikiLeaks has never published — is interesting for an entirely different reason.
On top of asking to sever two more charges, Schulte is also asking for a delay in trial, from November to January. The government says it’s cool with that delay, so long as there won’t be any further delay.
The Government understands that the defendant is seeking to adjourn the Espionage Trial until January 13, 2020. Although the Government is prepared to start trial as scheduled on November 4, 2019, the Government does not oppose the defendant’s adjournment request with the understanding that the defendant will not seek another adjournment of the Espionage Trial absent exceptional and unforeseen circumstances[.]
This story on Jeremy Hammond’s subpoena in EDVA clarifies something about which there has been a great deal of confusion. The US can still add charges against Julian Assange at least until his extradition hearing, which starts on February 25.
Nick Vamos, former head of extradition at the Crown Prosecution Service in England, said the treaty between the two countries still allows for the U.S. to add charges to the Assange case, but that will become more difficult and problematic for the American prosecutors as they get closer to the scheduled extradition hearing in February.
The discussion today has focused on the Stratfor hacks that Hammond is serving time for. Because the five-year statute of limitations for CFAA would normally have expired by now, they are likely pursuing some kind of conspiracy charges, for a conspiracy that continued past 2012.
But given the seeming cooperation while Schulte was in jail and the knowledge that WikiLeaks sat on — or used — one of the other files provided by Schulte, if the government is planning on more conspiracy charges, chances are good that Vault 7 will eventually be included in them.
Government Confirms that WikiLeaks Didn’t Release All the Vault 7 Files (emptywheel, 2019-09-03)
I’d like to revisit what might be the first time in his presidency that Donald Trump blabbed out highly classified information for political gain. Trump appears to have endangered the investigation into CIA’s stolen hacking tools, all to blame Obama for the leak.
It happened on March 15, 2017, during an interview with Tucker Carlson.
Amid a long exchange where Tucker challenges Trump, asking why he claimed — 11 days earlier — that Obama had “tapped” Trump Tower without offering proof, Trump blurted out that the CIA was hacked during the Obama Administration.
Tucker: On March 4, 6:35 in the morning, you’re down in Florida, and you tweet, the former Administration wiretapped me, surveilled me, at Trump Tower during the last election. Um, how did you find out? You said, I just found out. How did you learn that?
Trump: I’ve been reading about things. I read in, I think it was January 20th, a NYT article, they were talking about wiretapping. There was an article, I think they used that exact term. I read other things. I watched your friend Bret Baier, the day previous, where he was talking about certain very complex sets of things happening, and wiretapping. I said, wait a minute, there’s a lot of wiretapping being talked about. I’ve been seeing a lot of things. Now, for the most part I’m not going to discuss it because we have it before the committee, and we will be submitting things before the committee very soon, that hasn’t been submitted as of yet. But it’s potentially a very serious situation.
Tucker: So 51,000 people retweeted that, so a lot of people thought that was plausible, they believe you, you’re the president. You’re in charge of the agencies, every intelligence agency reports to you. Why not immediately go to them and gather evidence to support that?
Trump: Because I don’t want to do anything that’s going to violate any strength of an agency. You know we have enough problems. And by the way, with the CIA, I just want people to know, the CIA was hacked and a lot of things taken. That was during the Obama years. That was not during, us, that was during the Obama situation. Mike Pompeo is there now, doing a fantastic job. But we will be submitting certain things, and I will be perhaps speaking about this next week. But it’s right now before the Committee, and I think I want to leave it at that. I have a lot of confidence in the committee.
Tucker: Why not wait to tweet about it until you can prove it? Does it devalue your words when you can’t provide evidence?
Trump: Well because the NYT wrote about it. You know, not that I respect the NYT. I call it the failing NYT. They did write on January 20 using the word wiretap. Other people have come out with —
Tucker: Right, but you’re the President. You have the ability to gather all the evidence you want.
Trump: I do, I do. But I think that frankly we have a lot right now and I think if you watch, uh, if you watched the Bret Baier and what he was saying and what he was talking about and how he mentioned the word wiretap, you would feel very confident that you could mention the name. He mentioned it and other people have mentioned it. But if you take a look at some of the things written about wiretapping and eavesdropping, and don’t forget when I say wiretap, those words were in quotes, that really covers, because wiretapping is pretty old fashioned stuff. But that really covers surveillance and many other things. And nobody ever talks about the fact that it was in quotes but that’s a very important thing. But wiretap covers a lot of different things. I think you’re going to find some very interesting items over the next two weeks. [my emphasis]
It was clear even at the time that it was a reference to the Vault 7 files, now alleged to have been leaked to WikiLeaks by Joshua Schulte; the first installment of files was released eight days earlier.
The next day, Adam Schiff, who as the then-Ranking HPSCI member likely had been briefed on the leak, responded to Trump’s comments and suggested that, while Trump couldn’t have broken the law by revealing classified information, he should nevertheless try to avoid releasing it like this, without any kind of consideration of its impact.
Last night, the President stated on Fox News that “I just wanted people to know, the CIA was hacked, and a lot of things taken–that was during the Obama years.” In his effort to once again blame Obama, the President appears to have discussed something that, if true and accurate, would otherwise be considered classified information,
It would be one thing if the President’s statement were the product of intelligence community discussion and a purposeful decision to disclose information to the public, but that is unlikely to be the case. The President has the power to declassify whatever he wants, but this should be done as the product of thoughtful consideration and with intense input from any agency affected. For anyone else to do what the President may have done, would constitute what he deplores as “leaks.”
Trump did reveal information the CIA still considered classified. At the very least, by saying that CIA got hacked, he confirmed the Vault 7 documents were authentic files from the CIA, something the government was not otherwise confirming publicly at that time. (Compare Mike Pompeo’s oblique comments about the leak from a month later.)
His reference to the volume of stolen files may have been based on what the CIA had learned from reviewing the initial dump; court filings make it clear the CIA still did not know precisely what had been stolen.
His reference to a hack, rather than a leak, is an interesting word choice, as the compromise has usually been called a leak. But Schulte’s initial search warrants listed both Espionage and the Computer Fraud and Abuse Act, meaning the government was treating it as (partly) a hacking investigation. And some of the techniques he allegedly used to steal the files are the same that hackers use to obfuscate their tracks (which is unsurprising, given that Schulte wrote some of the CIA’s obfuscation tools).
Perhaps the most damning part of Trump’s statement, however, was the main one: that the theft had taken place under Obama. WikiLeaks’ initial release was totally noncommittal about when they obtained the files, but said it had been “recent[].” By making it clear that the government knew the theft had taken place in 2016 and not more “recently,” Trump revealed a detail that would have made it more likely Schulte would realize they believed he was the culprit (though he knew from the start he’d be a suspect), given that he’d left the agency just days after Trump was elected.
The most damning part of all of this, though, is the timing. Trump made these comments at an unbelievably sensitive time in the investigation.
Tucker did the interview while accompanying Trump to Detroit on March 15, 2017, which means the interview took place sometime between 10:50 AM and 3:30 PM (Tucker said the interview happened at Willow Run Airport, but this schedule says he flew into DTW). Unless it was given special billing, it would have aired at 9PM on March 15.
That means Trump probably made the comments as the FBI was preparing a search of Schulte’s apartment, the first step the FBI took that would confirm for Schulte that he was the main suspect in the leak. Trump’s comments likely aired during the search, before the moment Schulte left his apartment with two passports while the search was ongoing.
CIA had had a bit of advance warning about the leak. In the lead-up to the leaks (at least by February 3), a lawyer representing Julian Assange, Adam Waldman, was trying to use the Vault 7 files to make a deal with the US government, at first offering to mitigate the damage of the release for some vaguely defined safe passage for Assange. The next day, WikiLeaks first hyped the release, presumably as part of an attempt to apply pressure on the US. Shortly thereafter, Waldman started pitching Mark Warner (who, with Richard Burr, could have granted Assange immunity in conjunction with SSCI’s investigation). On February 17, Jim Comey told Warner to stop his negotiations, though Waldman would continue to discuss the issue with David Laufman at DOJ even after the initial release. Weeks later, WikiLeaks released the initial dump of files on March 7.
An early WaPo report on the leak (which Schulte googled for its information about what the CIA knew before WikiLeaks published) claimed that CIA’s Internal Security had started conducting its own investigation without alerting FBI to the leak (though obviously Comey knew of it by mid-February). The same report quoted a CIA spox downplaying the impact of a leak it now calls “catastrophic.”
By March 13, the day the FBI got its first warrant on Schulte, the FBI had focused on Schulte as the primary target of the investigation. They based that focus on the following evidence, which appears to incorporate information from the CIA’s own internal investigation, an assessment of the first document dump, and some FBI interviews with his colleagues in the wake of the first release:
The FBI believed (and still maintains) that the files were stolen from the onsite backup server
Schulte was one of a small group of SysAdmins who had privileges to that server (in the initial warrant they said just three people did but have since revised the number to five)
The FBI believed (mistakenly) that the files were copied on March 7, 2016, a time when one of the other two known SysAdmins was offsite
Schulte had had a blow-up with a colleague that led to him souring on his bosses
During the period the CIA was investigating that blow-up, Schulte had reset his administrative privileges to restore his access to the backup server and one project he was working on
As part of his August security clearance renewal, some of Schulte’s colleagues said they thought he could be subject to coercion and was not adhering to rules on removable media
Just before he left, Schulte created two documents claiming to have raised concerns about the security of the CIA’s servers that (the government claims) he didn’t actually raise
Names identifying the two other SysAdmins who had access to the backup server, but not Schulte’s, were included in the initial release
In the six days since the initial Vault 7 release, Schulte had contacted colleagues and told them he thought he’d be a suspect but was not the leaker
Having obtained a warrant based off that probable cause, on the afternoon of March 13, FBI agents went to conduct a covert search of Schulte’s apartment. The FBI was trying to conduct the search before a trip to Mexico Schulte was scheduled to take on March 16, which (as the affidavit noted) would have been only his second trip outside the US reflected in DHS records. But when the FBI got to Schulte’s apartment, they found a slew of computer devices (listed at PDF 116), making the covert search impractical. So overnight, they obtained a second warrant for an overt search; the FBI obtained that warrant at 1:36 AM on March 14. During that same overnight trip to the magistrate, the FBI also obtained warrants for Schulte’s Google, Reddit, and GitHub accounts.
There’s a lack of clarity about this detail in the public record: the warrant is dated March 14, but it is described as the “March 15 warrant.” The overt search continued through the night in question, so it could either be March 14-15 or March 15-16. The government’s response to Schulte’s motion to suppress the search says, “The Overt Warrant was signed during the early morning hours of March 14, 2017, and the FBI executed the warrant the same day.” But a May 5, 2017 affidavit (starting at PDF 129) says the overt search of Schulte’s apartment took place on March 15.
Whatever day the search happened, it appears that the search started when the lead agent approached Schulte in the lobby of Bloomberg, perhaps as he was leaving work, and asked if he had a role in the leak, which Schulte denied. (This conversation is one basis for Schulte’s false statements charge; the Bill of Particulars describing the interview says it took place on March 15.) The agent got Schulte to confirm he was traveling to Mexico on March 16, then got Schulte to let them into his apartment (Bloomberg is at 120 Park Avenue; Schulte lived at 200 E 39th Street, five blocks away). The search of Schulte’s apartment went through the night. Sometime between 10 and 11 PM, Schulte left his apartment, telling the FBI Agents he’d return around 11:30 PM. By 12:15 AM he hadn’t returned, so the lead FBI Agent went and found him leaving Bloomberg. They told him they had found classified information in his apartment, and asked for his passports. He went back to his workstation to retrieve them, and voluntarily handed them over. The affidavit describes Schulte being put on leave by Bloomberg on March 16, the last day he reported to work at Bloomberg (which would be consistent with the search taking place on the night of March 15-16).
If the search took place overnight on March 14-15, Trump’s statements might have reflected knowledge the search had occurred (and that FBI had found classified information in Schulte’s apartment that would sustain an arrest on false statements and mishandling classified information charges, if need be). If the search took place overnight on March 15-16 (which seems to be what the record implies), it would mean Trump made the comments before the search and they would have been aired on Fox News during it.
In other words, Trump may well have made the comments at a time when FBI was trying to avoid giving Schulte any advance notice because they were afraid he might destroy evidence.
In addition, Trump undoubtedly made the comments (and Schiff highlighted the significance of them) before Schulte had follow-up interviews on March 20 and 21, at which he denied, among other things, ever making CIA’s servers more vulnerable to compromise. If Schulte had read Trump’s comment he’d be more worried about anything akin to hacking.
The question is, how much of what Trump said reflected real knowledge of the investigation, and to what degree should he have known that blurting this out could be unbelievably damaging to the investigation?
Given Trump’s imprecision in speech, his comments could derive entirely from the Vault 7 release itself, or at least a really high-level briefing (with pictures!) of the compromise and CIA’s efforts to mitigate it.
But there are two pieces of evidence that suggest Trump may have been briefed in more detail about Schulte as a target.
Jim Comey testified on June 8, 2017 that, in addition to asking him to, “let this [Flynn thing] go,” Trump had asked him about a classified investigation, but that conversation was entirely professional.
WARNER: Tens of thousands. Did the president ever ask about any other ongoing investigation?
COMEY: No.
WARNER: Did he ever ask about you trying to interfere on any other investigation?
COMEY: No.
WARNER: I think, again, this speaks volumes. This doesn’t even get to the questions around the phone calls about lifting the cloud. I know other members will get to that, but I really appreciate your testimony, and appreciate your service to our nation.
COMEY: Thank you, Senator Warner. I’m sitting here going through my contacts with him. I had one conversation with the president that was classified where he asked about our, an ongoing intelligence investigation, it was brief and entirely professional.
Obviously there were a ton of investigations and this conversation could have taken place after Trump made the public comments. But the Vault 7 investigation would have been one of the most pressing investigations in the months before Comey got fired.
More directly on point, in his Presumption of Innocence blog, Schulte describes the interactions with the FBI during the search — which are consistent with them taking place on March 15 — this way (he has not sought to suppress the statements he made that night, which suggests his claims of coercion aren’t strong enough to impress his attorneys):
The FBI set an artificial and misguided deadline on the night before I was to depart NYC for Cancun to prevent me from leaving the country. Despite my insistence with them that the notion someone would flee the country AFTER the publication literally made no sense—if it were me communicating with WikiLeaks then obviously I would have made damn sure to leave BEFORE it happened—they were persistent in their belief that I was guilty. The FBI literally told me that everyone “up to the top” knew we were having this conversation and that “they” could not afford to let me leave the country. “They” could not afford another national embarrassment like Snowden. “They” would not, under any circumstances, allow me to leave the country. The FBI were prepared and willing to do anything and everything to prevent me from leaving the country including threaten my immediate arrest unless I surrendered my passport. I did NOT initially consent, but the FBI held me against my will without any arrest warrant and even actively disrupted my attempts to contact an attorney. Intimidated, fearful, and without counsel, I eventually consented. I was immediately suspended from work
Schulte’s an egotist and has told obvious lies, especially in his public statements attempting to claim innocence. But if it’s true that the FBI agents told him everyone “up to the top” knew they were having the conversation with him on March 15, it might reflect knowledge that people at least as senior as Comey or Sessions or Pompeo knew the FBI was going to conduct an overt search with one goal being to prevent Schulte from leaving the country. And given the purported reference to Snowden and the way the entire government pursued him, it is not impossible that Trump had been asked to authorize Schulte’s arrest if he didn’t surrender his passports.
In other words, it is certainly possible that when Trump boasted that the CIA’s hacking tools had been stolen under Obama and not under his Administration (an interesting claim to begin with, given the delay in CIA alerting the FBI that WaPo reported), he had been briefed about Schulte within the last 48 hours or even that morning.
To be clear, I’m not suggesting that this comment was a deliberate attempt to sabotage the FBI investigation. Trump has a habit of mindlessly repeating whatever he has heard most recently, so if Trump were briefed on the investigative steps against Schulte on the 14th or 15th, it’s not surprising he brought it up when sitting with Tucker mid-day on the 15th, particularly given that they were discussing surveillance.
But imagine how this would look to the FBI as Trump started engaging in outright obstruction of the Russian investigation, particularly by firing Comey. There’s nothing in the public record that suggests a tie between Schulte’s leaks and Russia. But Schulte’s leaks (most notably the Marble Framework he authored) not only would have made it easier for Russia to identify CIA’s Russian targets, but they would have forced CIA to rebuild during a period it was trying to figure out what had happened in 2016 (and NSA would be in the same position, post Shadow Brokers). When the FBI was trying to keep their focus on Schulte secret for one more day so they could get to his apartment before he started destroying things, Trump sat before a TV camera and made a comment that might have alerted Schulte the FBI did, indeed, believe he was the culprit.
And Trump did so all to blame Obama for a catastrophic leak rather than himself.
Revisiting the First Time President Trump Blabbed Out Classified Information for Political Gain (emptywheel, 2019-08-27)
In addition to the government showing that Roger Stone is a disorganized crime figure the other day, Roger Stone submitted a curious filing of his own, in yet another apparent attempt to feed denialist propaganda.
A week earlier, the government made a detailed argument that Stone, in his sustained bid to make his trial an attempt to challenge the government evidence that Russia hacked the DNC, misunderstood what the case was about. All that matters, the government argues, is whether Stone’s lies materially affected the House Intelligence investigation into the Russian tampering.
Stone’s false statements also had a natural tendency to (and in fact did) affect HPSCI’s investigative steps, priorities, and direction—regardless of Russia’s 2016 activities. See United States v. Safavian, 649 F.3d 688, 691-92 (D.C. Cir. 2011) (statements material if they “were capable of influencing the course of the FBI’s investigation”). For example, HPSCI did not subpoena the written communications that Stone claimed not to exist, and HPSCI did not investigate the other intermediary (Person 1) when Stone claimed that Person 2 was his sole intermediary. Moreover, Organization 1’s activities and coordination with Stone were relevant to evaluating the Intelligence Community’s work, to assessing any risks that Organization 1 may pose, and to considering any future actions that should be taken to deter coordination with state and non-state actors seeking to influence American elections. None of these understandings of materiality depends in any way on whether Russia in fact participated in the hacks or transmitted the hacked materials to Organization 1, and therefore Stone’s evidence on that subject is not relevant to the materiality inquiry.4
As part of that discussion, in a footnote, they engage in some counterfactuals to show how, even if some alternative scenarios, including the main one suggested by Stone, were true, his lies would still be material.
4 Even under Stone’s crabbed view of materiality and HPSCI’s investigation, Stone’s statements were still material, regardless of Russia’s exact role. Stone now primarily focuses only on evidence about whether Russia transferred the stolen files. But even if Organization 1 received the files elsewhere, it does not follow that Organization 1 has no connection to Russia’s election interference. For example, Organization 1 could theoretically have received the files from someone who received them from Russia; Russia could theoretically have coordinated its other election interference activities with Organization 1’s posting of stolen documents even if Russia was not Organization 1’s source; and individuals associated with the Trump Campaign could theoretically have played a role coordinating the two. Under any view, Stone’s communications with and about Organization 1 were material, regardless of Russia’s exact role.
As you read this “theoretical” scenario, remember that the campaign considered reaching out to WikiLeaks after the John Podesta files got released. And Roger Stone was — at least in 2018 — among those Trump flunkies who were trying to get Julian Assange a pardon.
The government presents this as theoretical, but it demonstrates, correctly, that WikiLeaks’ role in the operation matters whether or not the person who dealt them one or another set of files was a Russian intelligence officer.
Stone spends much of his response claiming (nonsensically) that because the government wants to introduce a Julian Assange video to establish dates for the public record surrounding certain details (in that case, when it was publicly knowable that WikiLeaks would release more files), it makes the issue of how Russia got the files to WikiLeaks central. In the hands of better lawyers — or at least, lawyers who weren’t playing for a pardon — this argument might have merit. In Stone’s case it doesn’t, in part because he failed to describe what evidence he wanted to introduce, and in part because he doesn’t understand what files Bill Binney, one of his intended witnesses, is talking about (they’re not the John Podesta emails, and so are irrelevant to Stone’s lies).
The government objects to Roger Stone presenting two witnesses who will testify, and demonstrate, that WikiLeaks did not receive the relevant DNC and DCCC data from the Russian state. That evidence will establish that the relevant data was “leaked” to WikiLeaks, not transferred to WikiLeaks by the Russian State. The government claims such evidence will be irrelevant, unfairly prejudicial, and cause delay and would turn the subject matter into a “mini-trial.” The government states: “If a person chooses to make false statements to the government, he or she takes the risk that the false statement is material.” (Motion at 14). But, the government takes the same risk: that the alleged false statements might be deemed immaterial by the jury. 1
Stone should be permitted to present evidence that his answers did not materially affect the congressional investigation because the Indictment makes clear that the investigation was of a “Russian state hack.”
But along the way, Stone includes his own footnote where he (perhaps in an effort to present a quote that denialists like Aaron Maté can quote without context, as Maté has done repeatedly as the useful idiot of both Stone and Concord Management) misrepresents the government’s theoretical as instead genuine curiosity.
1 The government wonders if the Russian state hacked and stole the relevant data and then someone else coordinated the delivery of the data to WikiLeaks. See Dkt. #172 n. 4. The government, nor the Mueller report proved or disproved this scenario. But if WikiLeaks did not receive the data from the Russian state then Stone’s communications with WikiLeaks were immaterial.
Stone is absolutely right that the government doesn’t prove or disprove this scenario. The Mueller Report notes explicitly that,
The Office cannot rule out that stolen documents were transferred to WikiLeaks through intermediaries who visited during the summer of 2016. For example, public reporting identified Andrew Müller-Maguhn as a WikiLeaks associate who may have assisted with the transfer of these stolen documents to WikiLeaks.
The prosecutors in his case aren’t tasked with answering that question. Indeed, if pressed, they could argue that Stone’s lies might well have served to hide firsthand knowledge of how the Podesta emails did get to WikiLeaks, which would make them even more material.
From a legal standpoint, Stone’s argument is unlikely to work, even if it were argued with more legal rigor.
What I’m interested in, however, is how Stone homes in on just one part of the scenario, the hand-off of files to WikiLeaks. The government actually laid out three parts to its theoretical: WikiLeaks got the files stolen by Russia from a cut-out, but also coordinated with Russia on “other election interference activities,” and individuals associated with the Trump campaign played a role coordinating the handoff of the files and WikiLeaks’ other coordination with Russia.
Organization 1 could theoretically have received the files from someone who received them from Russia;
Russia could theoretically have coordinated its other election interference activities with Organization 1’s posting of stolen documents even if Russia was not Organization 1’s source;
Individuals associated with the Trump Campaign could theoretically have played a role coordinating the two.
It’s a series of tantalizing hypotheticals! And while the first two (the second of which is pretty oblique) could independently be true, the last one implies the two would not be independent, but that, instead, someone “associated” with the Trump campaign coordinated the first two steps.
But of course, the government presents all this as a theoretical possibility, not (as Stone falsely claims) as a question they’re seeking, here, to answer.
Stone, however, only deals with the first part of that scenario: “the Russian state hacked and stole the relevant data and then someone else coordinated the delivery of the data to WikiLeaks.” He doesn’t address the possibility that WikiLeaks had some other kind of role. And he definitely doesn’t address the possibility that someone “associated” with the Trump campaign had a role in coordinating the two. In a gesture towards addressing a government hypothetical (in part) that some individual associated with the Trump campaign might have coordinated other election year activities, Stone suggests that the only way the communications of a Trump associate with WikiLeaks would be material would be if the communications involved actual transfer of emails.
This is something Stone has long been doing — making narrowly tailored denials that don’t address some tantalizing possibilities: in this case, that Stone had a role arranging something else with WikiLeaks.
And all the while, Stone drops a suggestion that overstates the uncertainty of what the government knows.
[Post: Roger Stone Once Again Limits His Denials. emptywheel, 2019-08-20 08:47:58; 2019-08-20 08:48:15]
As the Joshua Schulte prosecution has inched along against the backdrop of the Julian Assange indictment, I’ve heard chatter about his plans: that the two sides might prosecute the child porn charges and leave the leak untried; that the government was trying to get him to cooperate against Assange.
In the former case, the opposite now seems more likely. Last week, Judge Paul Crotty granted Schulte’s motion to sever his child porn and copyright charges from his Espionage ones. But the minute order states that the Espionage charges will be tried first, in November, with the child porn charges tried some time after that. That’s true, even though the Espionage charges are far more complex to try than the child porn ones. If the government wanted to use the child porn charges to put Schulte away indefinitely and avoid the difficulties of an Espionage trial, they’d try those first. (Update: at the hearing where this was decided, the defense said they wanted the Espionage trial to go first, and all other parties agreed.)
As to the latter, Schulte himself has sown the belief he was being offered a plea deal. In one version of his “Presumption of Innocence” blog, for example, he claimed (falsely, given the warrants he himself released) the government never obtained any evidence implicating him in the leak, and was just pursuing the child pornography charges to “break” him so he’ll cooperate against WikiLeaks.
I’m arrested and charged with a crime that had nothing to do with the initial search warrant and that I was completely innocent. The U.S. Attorney unethically and immorally misleads the court regarding what the initial investigation was about, when they found the illicit materials, and the fact that they did not think I was involved for 5 months until their initial investigation came up empty. I’m denied bail and thrown into prison immediately and they use the situation as leverage telling my attorney every day that he can make this huge embarrassment and misunderstanding all go away if only I would agree to cooperate on the WikiLeaks investigation and admit to it. They admit, unabashedly that these entire charges are nothing more than a ruse, an attempt at leverage to break me.
A version of this claim was repeated in a piece the Intercept did yesterday claiming to track how (a select group of) leakers got identified by the FBI.
Of the four Espionage Act cases based on alleged leaks in the Trump era, the most unusual concerned Joshua Schulte, a former CIA software developer accused of leaking CIA documents and hacking tools known as the Vault 7 disclosures to WikiLeaks. Schulte’s case is different from the others because, after the FBI confiscated his desktop computer, phone, and other devices in a March 2017 raid, the government allegedly discovered over 10,000 images depicting child sexual abuse on his computer, as well as a file and chat server he ran that included logs of him discussing child sexual abuse images and screenshots of him using racist slurs. Prosecutors initially charged Schulte with several counts related to child pornography and later with sexual assault in a separate case, based on evidence from his phone. Only in June 2018, in a superseding indictment, did the government finally charge him under the Espionage Act for leaking the hacking tools. He has pleaded not guilty to all charges.
Schulte was identified as the suspect just like all the other people profiled in the story were: because he was one of the few people who had access to the files that got leaked and his Google searches mapped out a damning pattern of research involving the leak, among other things. In his case, WikiLeaks itself did several things to add to the evidence he was the source. It is true that Schulte was charged with the porn charges first and that it took 15 months for the government to ultimately charge the leak, but the theory of Schulte’s role in the leak has remained largely unchanged since a week after the first files were dropped.
Schulte again suggested he might get a plea deal in his lawsuit against then Attorney General Jeff Sessions for imposing Special Administrative Measures against him when he raised 5K1 letters that might allow someone to avoid mandatory minimum sentencing.
But in last week’s opposition to Schulte’s motion to suppress most of the warrants against him — including some on the grounds that they relied on poisonous fruit of attorney-client privileged material — the government denies ever offering a plea deal.
Schulte claims that the FBI read his thoughts on severance (which the Government has consented to) or a plea offer (which the Government has not made), but none of those “thoughts” are referenced in any subsequent search warrant.
The claim that the government left unredacted a reference to Schulte’s views on a plea deal does not appear in the unredacted version of Schulte’s motion to suppress, but given his lawyers’ claim that his journals were intended to be a discussion of his legal remedies, it may be an attempt to suppress the Presumption of Innocence notes cited above (even though Schulte made the same notes public).
Mr. Schulte’s narrative writings and diary entries contain information he “considered to be relevant to his potential legal remedies.”
There’s a lot of room for a discussion short of a plea offer that might be true even given the government claim that “the Government has not made” any offer (such as that one of the series of attorneys who have represented Schulte has recommended that he seek a deal).
But the detail is particularly interesting given the timing of his trial and something the government claimed the last time Chelsea Manning and her lawyers tried to get her out of jail. It insisted they want Manning’s testimony for subjects and charges not included in Assange’s current indictment, and said the submission of the extradition request against Assange does not preclude future charges based on those offenses.
As the government’s ex parte submissions reflect, Manning’s testimony remains relevant and essential to an ongoing investigation into charges or targets that are not included in the superseding indictment. See Gov’t’s Ex Parte Mem. (May 23, 2019). The offenses that remain under investigation are not time barred, see id., and the submission of the government’s extradition request in the Assange case does not preclude future charges based on those offenses, see Gov’t’s Supplement to Ex Parte Mem. (June 14, 2019).
Barring a delay because of Classified Intelligence Protect Act proceedings, Schulte will face trial on the Espionage charges in November, three months before the next hearing in Assange’s extradition. And while there’s no hint in Schulte’s case that WikiLeaks played a role in the front end of Schulte’s alleged leak, there’s abundant evidence that they continued to cooperate with him in the aftermath and even in the initial release itself. Indeed, that’s some of the most damning evidence against Schulte.
Schulte seems to think he could cooperate against Assange and face lesser charges. If the government told the truth last week, he may have little prospect to diminish what would amount to a life sentence if he’s found guilty.
[Post: DOJ Says It Never Offered Accused Vault 7 Leaker Joshua Schulte a Plea Deal. emptywheel, 2019-08-05 09:47:05; 2019-08-06 17:47:16]
CNN has a report on leaked security records describing some of the visitors and improved computer equipment Julian Assange got in 2016, as Russia was staging the election hack-and-leak. The story is a better exposé of how increased pressure from the US and a change of president in Ecuador dramatically changed Assange’s freedom to operate in the Ecuadorian Embassy in London, with many details of the internal Ecuadorian politics, than it is proof of anything pertaining to the hack-and-leak.
As for the latter, the story itself insinuates ties between WikiLeaks and Russia’s hack-and-leak operation by matching the profile of Assange’s known (and dramatically increased number of) visitors in 2016 with the timing of those visits. Those people are:
A Russian national named Yana Maximova, about whom CNN states almost nothing is known, who visited at key moments in June 2016 (though CNN doesn’t provide the specific dates)
Five meetings in June 2016 with senior staffers from RT, including two visits from their London bureau chief, Nikolay Bogachikhin
German hacker Andrew Müller-Maguhn
German hacker Bernd Fix (who visited with Müller-Maguhn a few times)
These visitors have, in general, been identified before, and with the exception of Müller-Maguhn, CNN doesn’t give the precise dates when people visited Assange, instead providing only screen shots of entry logs (which, CNN notes, key visitors wouldn’t be on). The exception is Müller-Maguhn, whose pre-election visits the TV version lists as:
February 19 and 20, 2016
March 14, 2016
May 8, 2016
May 23, 2016
July 7, 2016
July 14, 2016
July 28, 2016
August 3, 2016
August 24, 2016
September 1, 2016
September 19, 2016
October 21, 2016
October 31, 2016
And, yes, some of those visits match the known Russian hack-and-leak timeline in enticing ways, such as that Müller-Maguhn, who told WaPo that, “he was never in possession of the material before it was put online and that he did not transport it,” showed up the same day Mueller documents describe WikiLeaks obtaining an archive that had been uploaded (“put”) online and by that means transferred to WikiLeaks.
But that would be entirely consistent with Müller-Maguhn helping to process the emails — something the Mueller team determined did not violate US law — not serving as a mule. Not that Müller-Maguhn would be best used as a mule in any case.
The descriptions of the changes in computer and other gear are more interesting: with Assange bumping up his resources on June 19, a masked visitor dropping off a package outside the embassy on July 18, and exempt WikiLeaks personnel removing a ton of equipment on October 18, as Ecuador finally threatened to shut WikiLeaks down.
Shortly after WikiLeaks established contact with the Russian online personas, Assange asked his hosts to beef up his internet connection. The embassy granted his request on June 19, providing him with technical support “for data transmission” and helping install new equipment, the documents said.
[snip]
Days later, on July 18, while the Republican National Convention kicked off in Cleveland, an embassy security guard broke protocol by abandoning his post to receive a package outside the embassy from a man in disguise. The man covered his face with a mask and sunglasses and was wearing a backpack, according to surveillance images obtained by CNN.
[snip]
The security documents lay out a critical sequence of events on the night of October 18. Around 10 p.m., Assange got into a heated argument with then-Ecuadorian Ambassador Carlos Abad Ortiz. Just before midnight, Abad banned any non-diplomatic visitors to the embassy and left the building. Behind the scenes, Assange communicated with the foreign minister in Quito.
Within an hour of Abad’s departure, he called the embassy and reversed the ban.
By 1 a.m., two WikiLeaks personnel arrived at the embassy and started removing computer equipment as well as a large box containing “about 100 hard drives,” according to the documents.
Security officials on site wanted to examine the hard drives, but their hands were tied. The Assange associates who removed the boxes were on the special list of people who couldn’t be searched. The security team sent a memo back to Quito raising red flags about this late-night maneuver and said it heightened their suspicions about Assange’s intentions.
Again, none of that proves a knowing tie with Russian intelligence. But it does show an interesting rhythm during that year.
But this schedule doesn’t consider the other things going on with WikiLeaks in 2016. At almost the same time that WikiLeaks released the DNC emails, after all, they also released the AKP email archive.
More interesting still, according to the government’s current allegations about Joshua Schulte’s actions in leaking the CIA’s hacking tools to WikiLeaks, he made a copy of the CIA’s backup server on April 20, then transmitted the files from it to … someone (I suspect these may not have gone directly to WikiLeaks) … in late April to early May.
But then for some reason, on August 4, Schulte for the first time ever started conducting Google searches on WikiLeaks, without visiting the WikiLeaks site until the first release of the Vault 7 leaks.
Meanwhile, WikiLeaks claimed in August 2016 — and ShadowBrokers invoked that claim, in January 2017 — that WikiLeaks had obtained a copy of the original ShadowBrokers files released on August 13, 2016. A Twitter account claiming to be ShadowBrokers reiterated this claim late last year.
Consider the continued presence of highly skilled hackers at the Embassy and the removal of tons of computer equipment as Ecuador cracked down from the viewpoint of what happened to all of NSA and CIA’s hacking tools, rather than what happened with John Podesta’s risotto recipe. Add in the fact that the government seems to think Schulte altered the air gap tool he allegedly wrote for CIA outside of CIA.
To the extent they provide these dates (again, they do so with specificity only for Müller-Maguhn, and only before the election; not to mention, his emails appear to fit a fairly regular twice-monthly pattern), a few of them are quite intriguing. But there was a whole lot else going on with WikiLeaks that year that might be even more important for describing the true nature of WikiLeaks.
As I disclosed last July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post.
[Post: On CNN’s WikiLeaks Exclusive: Remember the Other Document Dumps. emptywheel, 2019-07-15 22:38:04; 2019-07-27 15:23:26]
The Intelligence Authorization for 2018-2020 is actually not named after CIA Director Gina Haspel. But it might as well be for the way it bears the marks of the first female head of an Intelligence Agency. It offers 12 weeks of paid parental leave for Intelligence personnel (a good thing!) and it also imposes a new rule prohibiting someone nominated to a Senate-confirmed position from making classification determinations about information needed to assess the nominee’s record, as Haspel did when she hid information on her role in the torture program during her own confirmation process.
But the Haspel related part of the authorization that has (rightly) gotten the most attention — such as in this NYT piece — is a move designed to dramatically expand the types of people covered under the Intelligence Identities Protection Act, which currently prohibits sharing the identities of classified intelligence officers who’ve spent time overseas in the last five years, to cover everyone — past or present — whose relationship with US intelligence is classified.
Most of the concern about the measure focuses — as highlighted in Ron Wyden’s concerns laid out in the bill report — on avoiding accountability for torture (his comment implicitly applies to both Haspel and torture architects Mitchell and Jessen).
I am concerned about a new provision related to the Intelligence Identities Protection Act (IIPA). In 2010, I worked to pass legislation to increase the penalties for violations of the IIPA. This bill, however, expands the bill so that it applies indefinitely, including to individuals who have been in the United States for decades and have become senior management or have retired. I am not yet convinced this expansion is necessary and am concerned that it will be employed to avoid accountability. The CIA’s request that the Committee include this provision, which invoked “incidents related to past Agency programs, such as the RDI [Rendition, Detention and Interrogation] investigation,” underscores my concerns.
While I agree with Wyden that the intent of this measure is about shielding the CIA from accountability, I think the measure would have two other unintended consequences.
First, I think it more likely that Julian Assange will beat some of the charges against him. (Let me be very clear, for the charges this would affect — which I lay out under Theory Three here — I think this is a good thing.) The justification for the change liberated by Charlie Savage actually mentions WikiLeaks by name.
Undercover Agency officers face ever-evolving threats, including cyber threats. Particularly with the lengths organizations such as WikiLeaks are willing to go to obtain and release sensitive national security information, as well as incidents related to past Agency programs, such as the RDI investigation, the original congressional reasoning mentioned above for a narrow definition of “covert agent” no longer remains valid.
This language raises real questions for me about whether CIA really understands WikiLeaks, not least because WikiLeaks is not going to greater lengths than other media outlets to facilitate the sharing of information (what happens before and after that is another issue).
But one way or another, if this bill were to pass, it would pass after Assange got charged with disclosing databases of sensitive identities. (The timing on this is rather suspect: SSCI passed the authorization on May 14, Burr reported it to the full Senate on May 22, and Assange’s superseding indictment was approved by the grand jury on May 23.) It would be child’s play for Assange’s attorneys (and he has very good attorneys) to argue that the timing is proof that disclosing the identities of most of the people in those databases — who were sources rather than CIA officers — was not illegal at either the time he did it or the time he was charged for it. In addition, passing this bill would reiterate Congress’ belief, now in 2019, that only US citizens should be protected in this way; Assange is accused of disclosing the identities of foreigners, not Americans.
So this law, if it passes, would likely make it easier for Assange to beat these charges, but make anyone else doing it — even if for good reasons and after considering the risk — a criminal.
It’s the other presumably unintended consequence of this bill that I think is even more problematic. It would criminalize all sorts of ways that former intelligence officials publicly identify themselves. The current law includes an exception for those who identify themselves as covert agents, meaning the expanded definition should not be used to prevent people from disclosing their own past affiliation with the agency (to the extent their Non-Disclosure Agreements don’t prohibit it).
It shall not be an offense under section 601 for an individual to disclose information that solely identifies himself as a covert agent.
It also generally requires malice on the part of the person releasing identities. Nevertheless, given the way that the government already uses past classified work to restrict people for the rest of their life, it is not inconceivable that the government would come to use this law to punish others who provide platforms for former intelligence personnel to talk about that openly, like LinkedIn. Imagine a situation, for example, where the IC deems making it easier for former intelligence professionals to find better paying jobs in the private sector to be, “a pattern of activities intended to identify and expose covert agents and with reason to believe that such activities would impair or impede the foreign intelligence activities of the United States.” In such a situation, LinkedIn might be charged under a newly expanded IIPA.
Given the vast number of former intelligence personnel who move into the private sector and the degree to which it has become commonplace to discuss those past affiliations openly, the criminalization of sharing of those identities poses a particular risk. That’s definitely not the point of this bill. But by lowering the bar for who counts as covert and making covert status permanent, it certainly could be used for such ends in the future.
To defend him against charges of leaking the CIA’s hacking tools to WikiLeaks, Sabrina Shroff has made it clear that Joshua Schulte is the author of the CIA’s lies about its own hacking.
In a motion to suppress all the earliest warrants against Schulte submitted yesterday, Shroff makes an unintentionally ironic argument. In general, Shroff (unpersuasively) argues some things the government admitted in a Brady letter sent last September are evidence of recklessness on the part of the affiant on those earliest warrants, FBI Agent Jeff Donaldson. She includes most of the items corrected in the Brady letter, including an assertion Donaldson made, on March 13, 2017, that Schulte’s name did not appear among those published by WikiLeaks: “The username used by the defendant was published by WikiLeaks,” the prosecutors corrected the record in September 2018. To support a claim of recklessness, Shroff asserted in the motion that someone would just have to search on that username on the WikiLeaks site to disprove the initial claim.
Finally, the Brady letter explained that a key aspect of the affidavit’s narrative—that Mr. Schulte was the likely culprit because WikiLeaks suspiciously did not publicly disclose his identity—was false. Mr. Schulte’s identity (specifically, his computer username “SchulJo”) was mentioned numerous times by WikiLeaks, as a simple word-search of the WikiLeaks publication would have shown. See Shroff Decl. Exh. F at 7
If you do that search on his username — SchulJo — it only readily shows up in one file, the Marble Framework source code.
That file was not released until March 31, 2017. So the claim that Schulte’s name did not appear in the WikiLeaks releases was correct when Donaldson made it on March 13. That claim — like most of the ones in the Brady letter — reflects the incomplete knowledge of an ongoing investigation, not recklessness or incompetence (Schulte has written elsewhere that he believed the FBI acted rashly to prevent him from traveling to Mexico, which they were right to do given other details of this case, including that he hadn’t returned his CIA diplomatic passport and snuck it out of his apartment when the FBI searched his place).
By sending her reader to discover that Schulte’s name appears as the author of the Marble Framework, she makes his “signature” that of obfuscation — hiding who actually did a hack.
Marble is used to hamper forensic investigators and anti-virus companies from attributing viruses, trojans and hacking attacks to the CIA.
Marble does this by hiding (“obfuscating”) text fragments used in CIA malware from visual inspection.
[snip]
The source code shows that Marble has test examples not just in English but also in Chinese, Russian, Korean, Arabic and Farsi. This would permit a forensic attribution double game, for example by pretending that the spoken language of the malware creator was not American English, but Chinese, but then showing attempts to conceal the use of Chinese, drawing forensic investigators even more strongly to the wrong conclusion, — but there are other possibilities, such as hiding fake error messages.
Marble was one of the files WikiLeaks — and DNC hack denialists — would point to to suggest that CIA had done hacks (including the DNC one) and then blamed them on Russia. In other words, in her attempt (again, it is unpersuasive) to claim that FBI’s initial suspicions did not reach probable cause, she identifies Schulte publicly not just with obfuscation about a breach’s true culprits, but with the way in which the Vault 7 leak — ostensibly done out of a whistleblower’s concern for CIA’s proliferation of weapons — instead has served as one prong of the propaganda covering Russia’s role in the election year hack.
That’s just an ironic effect of Shroff’s argument, not one of the details in yesterday’s releases that — while they may legally serve to undermine parts of the case against her client — nevertheless add to the public evidence that he’s not only very likely indeed the Vault 7 culprit, but not a terribly sympathetic one at that.
Back when FBI first got a warrant on Schulte on March 13, 2017, they had — based on whatever advanced notice they got from Julian Assange’s efforts to use the files to extort a pardon from the US government and the week of time since WikiLeaks had released the first and to that date only set of files on March 7 — developed a theory that he was the culprit. The government still maintains these core details of that theory to be true (this Bill of Particulars Schulte’s team released yesterday gives a summary of the government’s theory of the case as of April 29):
The files shared with WikiLeaks likely came from the server backing up the CIA’s hacking tools, given that the files included multiple versions, by date, of the files WikiLeaks released
Not that many people had access to that server
Schulte did have access
Not only had Schulte left the CIA in a huff six months before the WikiLeaks release — the only person known to have had access to the backup server at the time who had since left — but he had been caught during the period the files were likely stolen restoring his own administrator privileges to part of the server after they had been removed
But, after it conducted further investigation and WikiLeaks published more stolen files, the government came to understand that several other things that incriminated Schulte were not true.
[T]he government appears to have abandoned the central themes of the March 13 affidavit: namely, that the CIA information was likely stolen on March 7–8, 2016, that Mr. Schulte was essentially “one of only three people” across the entire CIA who could have taken it, and that WikiLeaks’s supposed effort to conceal his identity was telltale evidence of his culpability
There’s no indication, however, that Donaldson was wrong to believe what he did when he first obtained the affidavit; Shroff claims recklessness, but never deals with the fact that the FBI obtained new evidence. Moreover, for two of the allegations that the government later corrected — the date the files were stolen and the number of people who had access to the server, Donaldson admitted those were preliminary conclusions in his initial affidavit (which Shroff doesn’t acknowledge):
It is of course possible that the Classified Information was copied later than March 8, 2016, even though the creation/modification dates associated with it appear to end on March 7, 2016.
[snip]
Because the most recent timestamp on the Classified Information reflects a date of March 7, 2016, preliminary analysis indicates that the Classified Information was likely copied between the end of the day on March 7 and the end of the day on March 8.
[snip]
It is, of course, possible that an employee who was not a designated Systems Administrator could find a way to gain access to the Back-Up Server. For example, such an employee could steal and use–without legitimate authorization–the username and password of a designated Systems Administrator. Or an employee lacking Systems Administrator access could, at least theoretically, gain access to the Back-Up Server by finding a “back- door” into the Back-Up Server.
Between the two corrections, the revised information increases the number of possible suspects from two to five, out of 200 people who would have regular access to the files. A footnote to a later affidavit (PDF 138) describes that on April 5, 2017, FBI received information that suggested the number might be higher or lower. (I suspect Schulte argued in a classified filing submitted yesterday that even more people could have accessed it, not least because he has been arguing that in his various writings posted to dockets and other things.)
But, even though the Brady letter corrects the dates on which Schulte reinstated his administrator privileges for the Back-Up server slightly (he restored his own access on April 11, not April 14, which is when his managers discovered he had done so), Shroff only addresses his loss of privileges as innocent, without addressing that he got that access back on his own improperly.
More importantly, the motion doesn’t address, at all, that Schulte kicked everyone else off one of his programs, the Brutal Kangaroo tool used to hack air gapped networks using thumb drives. Nor does it address allegations against Schulte made in August 2016 as part of his clearance review, including that his demeanor changed for the worse around February 2016, he might be “subject to outside coercion,” and he tended not to abide by “guidelines concerning when and what kinds of media or data (such as external drives) could be connected or uploaded to CIA computer systems.” There are other details in the affidavit — such as Schulte’s attempt to learn what his former colleagues knew of the investigation — that support probable cause too (these may be among the things Shroff addresses in a classified filing).
That is, the probable cause that Schulte was the culprit was pretty strong even with the errors in the original affidavit, and none of the errors suggests malice or incompetence or even the recklessness Shroff alleges.
Shroff is right that the March 13 affidavit doesn’t offer as much probable cause to tie Schulte’s home to the crime; but that’s the magistrate’s fault and fairly standard for computer crimes, not the FBI’s. Shroff obscures the effect of FBI obtaining a second warrant to actually search the 150 storage media and computer devices they found in his home (a list of what they seized starts on PDF 116), as well as a second warrant to obtain child porn.
It is also true, as the defense argues, that the evidence to search for child porn was thin. But given that the government had a warrant to search the computer in question, and given precedents about child porn, that may not matter (though I think it is more likely to succeed than the rest of this). In any case, by the time of the main searches on child porn, three different magistrates had signed off on these searches.
This is a totally understandable attempt to get some of this evidence suppressed. But along the way the affidavits released yesterday provide a slew of damaging new details such as:
Schulte conducted a ton of searches on Google in April 2016 about detecting USB insertion, copying big files, deleting files, preventing other admins from seeing what someone was doing on a LAN
Schulte made a snapshot of (part of?) the LAN on April 20, 2016
In early May, Schulte researched how to use Tor and Tails, which the government alleges he used to send the files
On August 4, 2016 — the day after Snowden sent this tweet — Schulte did a Google search for WikiLeaks for the first time ever (note, I believe the Snowden tweet may have been preparation for the misleading IG report on him released the following month)
Between then and March 7, Schulte searched on WikiLeaks over 20 more times, reading hundreds of articles on it; but he didn’t visit WikiLeaks for the first time until March 7, 2017, the first day the files posted; he also searched for that Snowden tweet
In short, just Schulte’s Google searches alone provide very strong evidence that he’s the Vault 7 leaker. Which explains why his attorneys are making what will probably be an unsuccessful attempt to claim the Google searches were overly broad and lacked probable cause (something Schulte wrote elsewhere seems to reflect that he has been told this will be treated under a Good Faith exception).
Schulte has been trying to disclose all these materials for over a year. But they really don’t help his case.
Joshua Schulte Keeps Digging: His Defensible Legal Defense Continues to Make a Public Case He’s Guilty (emptywheel, 2019-07-04 18:24:03, 2019-07-04 18:24:23)