Posts

GoToInsurrection and Other Astounding Oath Keeper Social Media Habits

DOJ has now charged the following Oath Keeper associates:

Between all the charges, prosecutors have laid out a breathtaking scope of social media use by the militia:

  • A leadership list on Signal they appear to have obtained from either Watkins and/or Kelly Meggs
  • Open channels on Zello, possibly separate ones for each large event
  • Telephony chats and texts, including during January 6
  • MeWe accounts
  • Way too much blabbing on Facebook, followed by a foolish belief they could delete such content
  • Parler for further blabbing
  • Stripe for payment processing (possibly for dues)
  • GoToMeeting for operational planning

Plus, most of the people arrested thus far had their cell phones on, pinging cell towers, while they were in the Capitol (thus far, two of the accused did not enter the Capitol).

It’s the GoToMeeting revelation, in Harrelson’s affidavit, that gets me:

Pursuant to legal process, the government obtained records from Go To Meeting showing that a user named “gator 6” was the organizer for a meeting titled “dc planning call” on January 3, 2021. The user “gator 6” accessed the meeting from a mobile device using the same IP address ending in 158 [as Harrelson used to access Apple servers], and the user listed themselves as living in Titusville, Florida. Between September 30, 2020, and January 3, 2021, the user with the same IP address ending in 158 attended or organized approximately 30 meetings on Go To Meeting affiliated with the Oath Keepers, using the names “gator 6,” “hotel 26,” or kenneth harrelson.”

GoToMeeting is basically spyware for your computer, because it has to access so many features of your computer to work. As a default it collects a great deal of data on participants, and can be set to collect more. It is end-to-end encrypted, but with legal process FBI might be able to get a great deal of information from GTM, if the Oath Keepers kept it.

Between these twelve people, then, DOJ has served legal process on enough databases to create a veritable dossier on the Oath Keepers. While some of these comms (such as the Zello comms) are ephemeral, Facebook and GoToMeeting and Stripe are data vacuums.

With a database like this, the government can be choosy about which Oath Keepers they arrest. Reportedly, DOJ says they may add 6 more people to their collection of Oath Keeper defendants.

Indeed, it’s not really clear why they’ve charged the last three — Minuta, James, and Harrelson — before charging the last several members of the Stack that entered the Capitol together.

Harrelson was not part of the Stack, but the affidavit justifying his arrest shows him — and another guy — in communication as the Stack came up the Capitol steps, with Harrelson interacting with Graydon Young inside the Capitol. But his organizing efforts in Florida would put him in close touch with the Meggses (Kelly leads the Florida chapter) and James (who lives in Alabama but seems to be tied to the Florida chapter), along with Young (who lives in Titusville).

These Florida Oath Keepers were providing “security” for Roger Stone well before the January insurrection, including an event in Florida. (MoJo had a summary of who provided security when yesterday.)

As for Minuta, in addition to serving as Stone’s security on January 5 and 6, he also was abusive to cops before entering the Capitol and on his way out, when he promised the Second Amendment option came next. Like Young, Minuta is also accused of deleting Facebook, probably just as unsuccessfully.

In James’ case, DOJ seems particularly interested in the communications he had with Minuta, called Person Five in the affidavit even though he was already arrested by the time it was approved.

While James stood with the other Oath Keepers, at least one of them (who will be referred to below as “Person Five”)2 aggressively berated and taunted U.S. Capitol police officers responsible for protecting the Capitol and the representatives inside.

[snip]

Records indicate that phone number XXX-XXX-4304 (associated with James) exchanged a number of phone calls throughout November and December 2020 with a person who will be referred to herein as Person Five.

On November 13 and 14, 2020, for example, phone number XXX-XXX-4304 (associated with James) exchanged approximately eight calls with the number associated with Person Five. Your affiant is aware that certain Oath Keepers attended rallies in Washington, D.C., held on November 14, 2020, at which some Oath Keepers, to include Person Five, operated as a personal security detail for one or more speakers at the events.

Later, on or around November 20 and December 11, 2020, records indicate that phone number XXX-XXX-4304 (associated with James) exchanged two phone calls with Person Five. Your affiant is aware that certain Oath Keepers attended rallies in Washington, D.C., held on December 12, 2020, to protest the results of the 2020 election—at which some Oath Keepers, to include Person Five, operated as a personal security detail for speakers at the events.

Finally, records indicate that, on or around January 5, 2021, phone number XXXXXX-4304 (associated with James) exchanged six calls with the number associated with Person Five. That day, James, Person Five, and other individuals wearing apparel with the Oath Keepers name and/or insignia provided security to a speaker at the “Stop the Steal” events planned for that day.

Note that Minuta was hanging out with Proud Boy Dominic Pezzola in that December MAGA event.

James’ affidavit ends with this group photo, identifying Connie Meggs, two still uncharged Stack participants, four uncharged people who tracked with James and Minuta during the insurrection, Kelly Meggs, and another Stack member.

Both the Minuta and James affidavits focus on Oath Keeper head Stewart Rhodes, described as Person One, as does this detailed filing opposing bail for Caldwell.

James stayed in touch with others during the time of active investigation:

Since January 6, 2021, phone number XXX-XXX-4304 (known to be associated with James) has exchanged multiple phone calls and text messages with the number associated with Person Five. The number associated with James has also placed at least one call as recently as February 2021, to a phone number known to be associated with Kelly Meggs, the now-arrested self-described Florida Oath Keeper leader.

Thus far, DOJ isn’t explaining why Minuta, James, and Harrelson were arrested in the weeks after FBI started exploiting the Signal chats that organized Oath Keeper efforts on January 6 and, particular, Kelly Meggs’ communications.

But because the Oath Keepers were such promiscuous users of all kinds of social media tools, the FBI has a remarkable collection of data about the group’s activities since last fall. And they’ve picked these guys to arrest.

Update: In his detention hearing today, the FBI focused on James’ providing security for Stone.

The FBI agent who testified at Thursday’s hearing said several firearms were found during a search warrant executed at James’ home. All of the firearms were legal, and none were confiscated. They included a shotgun, a hunting rifle, a few “AR-15 style rifles,” and two pistols, the agent said.

James was paid $1,500 for security at two events, including a “Stop the Steal” rally on January 6, according from testimony from his wife, Audrey James. Stone and other pro-Trump figures held several events in Washington in addition to the official rally that Trump spoke at shortly before the attack.

Audrey James said she was sent “around $1,500 total” directly from the Oath Keepers over a mobile app. She stated the funds were paid out over a couple of months to assist her and her children during Joshua James’ absence to Texas and Washington, DC, while he was providing security. She said she didn’t know where the money originated from.

This story, by itself, presents real problems with the story Stone told. He raised funds for “security” in advance of the insurrection, but then said he couldn’t find paid security so relied on volunteers.

FBI Seems Confident in the Granularity of Their Capitol Cell Tower Dumps

In the grand scheme of schemes leading up to the January 6 insurrection, Larry Stackhouse appears to play a minuscule role. Like over a hundred other people, according to his arrest warrant, he walked inside the Capitol and now, weeks after his colleagues reported him to the FBI, he is getting charged with misdemeanor trespassing as a result.

I’m interested in him, though, because of the evidence against him. First, there are the co-workers who, because of their obvious exhaustion with Stackhouse’s vocal support for Donald Trump, might be easy to discredit:

On approximately February 5 and 11, 2021, a witness (“W 1”) was interviewed by law enforcement. WI reported to law enforcement that it was “common knowledge” among those who worked with Larry Stackhouse (“STACKHOUSE”), that STACKHOUSE had entered the Capitol on January 6, 2021. WI stated that STACKHOUSE had called out of work on January 5 and 6, 2021 and that STACKHOUSE had previously been reprimanded at work for displaying political signs and attires in support of former President Trump, which violated their employer’s policies. WI initially stated that STACKHOUSE had been identified by his employer as being associated with “hate groups” from his social media, but later clarified that the employer had no information that STACKHOUSE supported hate groups. Rather, STACKHOUSE was a strong supporter of President Trump who had expressed that support at work in a manner inconsistent with the employer’s policies.

Unlike most referring friends, families, and disgruntled colleagues that serve as witnesses for these affidavits, W1 doesn’t claim to have seen Stackhouse post anything to social media from his trip.

The affidavit does cite social media from Stackhouse. But it’s a picture posted to Telegram from outside the Capitol, which is not a crime.

The affidavit cites “videos and images” from inside the Capitol showing Stackhouse, but the only one included is not all that clear.

The only other piece of evidence substantiating the affidavit — the one I’m interested in — is the claim that Stackhouse’s phone was picked up on an AT&T cell site consistent with being inside the Capitol.

According to records obtained through a search warrant which was served on AT&T on January 6, 2021, in and around the time of the incident, the device associated with cellular telephone number ***-***-6199 was identified as having utilized a cell site consistent with providing service to a geographic area that includes the interior of the U.S. Capitol building.

Given the date, this must be a cell tower dump — the FBI didn’t have their first tip on Stackhouse until a month later (which would also mean the FBI obtained that dump on the day of the attack). And while the FBI uses careful language that a cell tower dump only shows what the service area includes, using it as the third data point to substantiate an otherwise thin arrest warrant suggests they’re pretty confident that it includes only the Capitol (because, again, standing outside is not a crime).

Likewise, the FBI used cell site data (this time, from Verizon) to substantiate an otherwise thin part of the affidavit against someone who does matter to grander schemes: Roberto Minuta, the Oath Keeper who went from providing “security” for Roger Stone to storming the Capitol.

Minuta is charged with three crimes: Obstruction of the vote count (easily substantiated with parts of the larger Oath Keeper conspiracy) obstruction of the investigation for deleting his Facebook account on January 13, and the trespass crime everyone gets charged with.

There are unsurprisingly, given the focused attention to the Oath Keepers’ movements that day, more pictures of Minuta inside or existing the Capitol than of Stackhouse, tied together by the goggles Minuta wore and, in several frames, his Oath Keeper badge.

At least in what the FBI chose to reveal in this affidavit (other filings suggest they have far more collected on him and a range of his associates), the other piece of evidence included proving that Minuta entered the Capitol — rather than yelled at cops outside — is his use of a Verizon cell site consistent with being inside the Capitol.

Eventually, Minuta unlawfully breached the Capitol building itself. According to records obtained through a search warrant, which was served on Verizon, the cellphone associated with XXX-XXX-4147 was identified as having used a cell site consistent with providing service to a geographic area that includes the interior of the United States Capitol building on January 6, 2021, the day of the attack on the Capitol.

Unlike with Stackhouse, the government needs to ensure Minuta’s prosecution is water-tight, as he is a key link between the raid itself and Trump flunkies like Roger Stone, and he and several of the Oath Keeper defendants have already shown a desire to undermine the entire premise of the investigation.

As I have noted elsewhere, the granularity of the cell tower data is a critical factor in assessing the privacy impact of its use in the investigation (reiterating that reported broader cell tower dumps taken in an effort to identify the elusive pipe bomber do pose more concern). And these claims will undoubtedly be tested.

Still, the FBI seems to have confidence that these cell sites were not just serving traffic “consistent with” being inside the Capitol, but probably even “exclusive to” being inside.

Update: In an arrest affidavit for Jared Adams, arrested for trespass crimes, the FBI conveniently included a map of how the Google GeoFence works, as well as a description of how they moved from Instagram to Adams’ Google account.


First they used his Instagram to get his Gmail account.

Instagram records confirmed that the Instagram account jokerschild1994 is associated with ADAMS, with an e-mail address of [email protected], and T-Mobile phone number ***-***-5569. Records provided by Facebook (username jared.adams.35325) include the same e-mail address and phone number. Records lawfully provided by Google reveal that the mobile device associated with [email protected] belonged to a Google account registered in the name of Jared Hunter ADAMS. The Google account also lists a recovery SMS phone number that matches ***-***5569, the same number as identified above. Information from law enforcement databases indicates that ADAMS lives in Plain City, Ohio. The FBI reviewed ADAMS’ application for an Ohio driver’s license, which contains the same phone number (***-***-5569)). In addition, three managers of apartment complexes where ADAMS either lived or applied for an apartment between 2017 and July 2019 also confirmed his phone number.

Then they used the Google account to geolocate Adams within the specific space of the Capitol (using, as earlier affidavits relying on Google GeoFence have, GPS, WiFi, and Bluetooth).

According to records lawfully obtained from Google, a mobile device associated with [email protected] was present at the U.S. Capitol on January 6, 2021. Google estimates device location using sources including GPS data and information about nearby Wi-Fi access points and Bluetooth beacons. This location data varies in its accuracy, depending on the source(s) of the data. As a result, Google assigns a “maps display radius” for each location data point. Thus, where Google estimates that its location data is accurate to within 10 meters, Google assigns a “maps display radius” of 10 meters to the location data point. Finally, Google reports that its “maps display radius” reflects the actual location of the covered device approximately 68% of the time. In this case, Google location data shows that a device associated with [email protected] was within the U.S. Capitol from approximately 2:53 p.m. until approximately 4:40 p.m. for a total approximate time inside the U.S. Capitol of one hour and 47 minutes. Google records show that the “maps display radius” for this location data was less than 100 feet, which encompasses an area that is partially within the U.S. Capitol Building.

As illustrated in the map below, the listed locations encompass areas that are partially within the U.S. Capitol Building during 2:53 p.m. until 4:40 p.m. Specifically, Google location data shows that a device associated with [email protected] was within the U.S. Capitol at the times and locations shown in the map below (at the locations reflected by each darker blue circle), with the “maps display radius” reflected in the map below (as reflected in a lighter blue ring around each darker blue circle). In addition, as illustrated in the map below, the listed locations were entirely within areas of the U.S. Capitol Grounds which were restricted on January 6, 2021.

This reflects the same 68% confidence as an earlier use of the Geofence.

The FBI then used the GeoFence information to pull security footage showing him in the place where Google said he was. They then got his former roommate to ID him from a photo.