The Alfa Bank Dark Net at Noon

Before its John Doe nuisance lawsuits got shut down by Vladimir Putin’s invasion of Ukraine, Alfa Bank made several claims that led me to chase down a minor – but potentially important – part of the Alfa Bank story.
Someone totally uninvolved in the Michael Sussmann/Fusion/April Lorenzen effort played a role in making their efforts public in 2016: “Phil,” the guy about whom I went to the FBI in 2017. As I told the FBI, I suspected he had played a role in the Guccifer 2.0 and Shadow Brokers operations.

This post will focus on what Alfa Bank got wrong. A follow-up post will look at why, if John Durham made the same error, it may matter for the Michael Sussmann case.

Someone exposes Tea Leaves’ research via Krypt3ia

At issue is this post on the eponymously-named InfoSec blog Krypt3ia. As the post describes, someone tipped Krypt3ia off to a WordPress site and a purported i2p site (also called an “eepsite”) that laid out a version of the claims that Michael Sussmann had shared with the FBI and the NYT in September 2016.

Those claims are at the heart of the false statement charge against Sussmann.

Along with the basic allegations about weird DNS look-ups between servers from Alfa Bank and Spectrum Health and a Trump marketing server, those sites also revealed that after the NYT called Alfa Bank for comment about the DNS anomaly in September 2016, the Trump DNS address changed. This is the digital equivalent of someone changing their phone number after discovering they were being surveilled. The seeming response by Trump to the NYT call to Alfa for comment has always been regarded as the smoking gun showing human acknowledgement of the communications (a report from Alfa Bank attempted, unpersuasively, to contest that).

By connecting to a Russian-hosted proxy service, the Krypt3ia post about all this added an element of Russian mystery to the story. But that’s it. The post offered no other new content.

The Krypt3ia post is more important for the function it played than its content. Krypt3ia’s post served to make the contents of a publicly available but difficult to find i2p site – believed to be created by data scientist April Lorenzen, but written under the pseudonym Tea Leaves – accessible.

In response to tips from source(s) of his, Krypt3ia focused attention on a series of communications, none tied in his post to a then-identified person. First, someone alerted him to the WordPress site. That site spoke of Tea Leaves as a third person; there was never a pretense that it was Tea Leaves or Lorenzen. Krypt3ia learned of that WordPress site because someone approached Krypt3ia, purportedly asking for help finding an incomplete i2p address listed in the post.

I caught wind of the site when someone asked me to look at an i2p address that they couldn’t figure out and once I began to read the sites [sic] claims I thought this would be an interesting post.

That tip led Krypt3ia to find what was actually a proxy allowing access to a real i2p site – the one that injected an air of Russian mystery to the story.

First off, the i2p address in the WordPress site is wrong from the start. Once I dug around I found that the real address was gdd.i2p.xyz which is actually a site hosted on a server in Moscow on Marosnet.

That led Krypt3ia to ask whether anyone at NYT wanted to verify the claim that Trump Organization seemingly took action after NYT called Alfa.

I also have to wonder about this whole allegation that a NYT reporter asked about this.

Say, any of you NYT’s people out there care to respond?

Ask and you shall receive! Someone–as I lay out below, I have confirmed that this was “Phil”–put Krypt3ia in touch with a NYT reporter.

First off, someone in my feed put me in touch with the NYT and a reporter has confirmed to me that what the site says about NYT reaching out and asking about the connections, then the connections going bye bye is in fact true.

[snip]

The biggest takeaway is that the NYT confirmed that they asked the question and shit happened. They are still looking into it.

In an update, someone purporting to be Tea Leaves responded to Krypt3ia via an untraceable Tutanota email account, and in response, Krypt3ia posed a bunch of questions, only to get no answer. That non-answer was a key reason why Krypt3ia later treated the allegations as a fraud – an opinion that Alfa Bank, at least, used to bolster their own claims of fraud.

As Krypt3ia mused in real time, it seemed that the entire point of the tips he was receiving was focusing attention on the allegations themselves. Except, if your goal was to release a story that might swing an election, it was a really weird way of doing so.

One does wonder though just who might be trying this tac to attempt to cause Donny trouble. It seems a half assed attempt at best or perhaps they were not finished with it yet.. But then why the tip off email to someone who then got in touch with me? Someone I spoke to about this alluded to maybe that was the plan, for me to blog about this from the start..

[snip]

I have to say it though, these guys are trying to get the word out but in a strange way. I mean this eepsite is now hosted in Czechoslovakia, staying with the Baltic flavor but why not broadcast this more openly? Why does the WordPress site have the wrong address to start and then the other eepsite disappears after a little poking and prodding?

There are at least four unattributed or unattributable communications that appeared in this post: an email to someone who, in turn, got in touch with Krypt3ia; a tip about the WordPress site (presumably from the person who got the email) and through it to the i2p gateway; the contact with the unnamed NYT reporter; and the email from someone claiming to be Tea Leaves via a service that made it impossible to prove it was the person who originally adopted that pseudonym.

Notably, this all happened between October 5, 2016 – before the Podesta drop and the DHS attribution of the DNC hack to Russia – and the days after it. Krypt3ia was checking out the i2p proxy on October 7, at 3:08PM ET – less than half an hour before DHS would release an unprecedented attribution statement, followed shortly by the Access Hollywood video, followed shortly by the first Podesta email drop. Krypt3ia wrote his post the following day.

i2p sites aren’t supposed to get noticed

To understand why using Krypt3ia to get noticed is so weird, you need to understand a little about i2p.

i2p is a network like Tor that provides obscurity and security. Even today, it’s far less accessible than Tor (and was even more so in 2016). Krypt3ia could credibly access it, but I couldn’t have. Reporter Eric Lichtblau or Fusion GPS’ Laura Seago probably couldn’t have either. Normally you need either a special browser or a gateway to access an eepsite. Importantly, the public DNS routing information that was at the heart of the project that discovered the Alfa Bank anomalies doesn’t exist for i2p. You can’t just Google for a site.

If data scientist April Lorenzen put her research on an i2p site, as alleged, she may have done so to limit who noticed it and her role in it.

It didn’t work out that way.

(Note, because the Durham investigation remains ongoing, I am not contacting her or her lawyers for comment or others who are obviously still the focus of Durham’s investigation.)

Krypt3ia didn’t link directly to her i2p site at first. He started by linking a gateway, which would be accessible to mere mortals who don’t have an i2p browser or technical prowess. His second link may have been a different gateway – again, a link readily accessible to people without using special software. It was one of these links that got sent around by journalists and researchers.

That’s what I mean about content versus function: Krypt3ia added no new content to this story. He did, however, make parts of it accessible to people – like reporters – who would otherwise never have found it.

A comment purportedly from Lorenzen sent to Krypt3ia’s site, playing on Tea Leaves’ name, expressed (or feigned) surprise at finding what the email called a mirror (but which was a proxy).

Thank you to https://krypt3ia .wordpress.com for pointing out a possible mirror of this (the original, what you are reading, http://gdd.i2p). We did not know about gdd.i2p.xyz until hearing about it from Krypt3ia. So we did a little research and see that i2p.xyz has been around for years and appears to mirror a lot of *.i2p sites. *i2p.xyz probably functions as an alternative for everybody that doesn’t have the skills to reach an i2p site :)

Next question, why would somebody first mirror – and then drop their mirror – of our http://gdd.i2p website. The following is just speculation: maybe normally i2p.xyz just mirrors everything but oops! Something hot – drop the mirror. I don’t know. I didn’t try to visit it. Mirrors of course could choose to alter content and measure who visits. We have no such opportunity to see who is visiting our real i2p site.

Whoever wrote the email, it emphasized how the proxy was different from the “real i2p site”: the proxy “functions as an alternative for everybody that doesn’t have the skills to reach an i2p site,” but it also can “measure who visits,” whereas a “real i2p site” cannot.

Whatever the story behind the Krypt3ia post, it had the effect of making it clear that researchers who believed they could find hackers by looking at public DNS data couldn’t hide what they were doing, even on networks designed to be untrackable. It had the effect of making it clear their efforts to look for Russian hackers in DNS data had been seen.

Alfa Bank alleges the Krypt3ia notice is part of an imagined conspiracy targeting the bank

It also appears to have convinced Alfa Bank that Krypt3ia was a key cog in the publication of this story. Their lawsuit claimed that,

The scientists and researchers who obtained the nonpublic DNS data deliberately leaked portions of that data to other scientists and researchers and, ultimately, to the media.

Depositions in the Alfa Bank lawsuit make it clear that Alfa believed (presumably because of those characteristics about i2p) that Fusion GPS must have been behind the effort to alert Krypt3ia to the research site and, via his post, to alert the public.

In a February 10 bid to overcome privilege claims that Fusion GPS’ Laura Seago had previously made, Alfa Bank lawyer Margaret Krawiec argued that Seago must have breached any privilege by sharing information from the publicly posted Tea Leaves information. Krawiec’s logic was that someone internal to the privilege claims asserted by Perkins Coie must have told Seago where the i2p site was, because otherwise there would be no way she could find it.

Krawiec: So, your honor, let me jump in there because one of the things that happened is that we were trying to understand how it was that Ms. Seago knew that this data had been published on the internet because it was published in an obscure place in the internet by this Tea Leaves that I told you about.

And then what Fusion did was – so we asked about that. We said, “How did you know where to look for that data? Who told you?” Cut off, instruction not to answer, privileged. But guess what they did with those links of that data? They took that data that someone told them because no one would have known to find it where it was unless someone told them.

And they wouldn’t tell us who told them or how they found it, but then they took all those links – the supposed public source research – and disseminated it to seven or eight media outlets saying you have to check this out. This is big stuff.

Fusion’s lawyer Joshua Levy countered that the link and the site itself were public.

Levy: If you – if you take the example that Alfa-Bank’s lawyer just presented to the Court, the link that someone at Fusion had circulated to a reporter, that link is a link to the internet. It’s a publicly available link, right?

The link – it’s, it’s like sending a New York Times article to a reporter at the Washington Post. Have you – have you seen this article? You should look at it. It’s interesting. Here’s a link. It happens to do with the subject matter which (indiscernible) is fascinated, [sic] but it’s a publicly available link.

Ms. Seago may have had communications internally at Fusion about that link. Those are privileged communications, but the link itself is available online for the Court, for me, for Ms. Krawiec. It’s public. There’s, there’s nothing confidential about that link.

Alfa’s lawyer responded by arguing that because an i2p site was so difficult to find, Seago’s knowledge of its location must have come from privileged information, and because she subsequently shared a link to a gateway with journalists, she had waived privilege.

Krawiec: Your Honor, I can tell you that where this link was when it was on the internet, you, myself, Mr. Levy, no one could have found that by doing a basic Google search. They were instructed where to find it in this obscure location.

And all we were trying to understand is who instructed them because the person who posted it was Tea Leaves, the anonymous computer scientist who had this computer data.

Alfa’s lawyer argued, not unreasonably, that because Tea Leaves’ site could not have been discovered by a Google search, someone connected to Tea Leaves must have told Fusion where it was, and because Fusion, in turn, shared a link to it, any privilege around Fusion’s discussions about Tea Leaves had therefore been breached.

Alfa’s focus on how Tea Leaves’ i2p site became public continued during a February 14 deposition of Peter Fritsch. In it, Alfa raised an email from Seago to Fritsch describing that Krypt3ia had become aware of Tea Leaves’ work, in response to which questions Fritsch pled the Fifth. By the time Krypt3ia posted, it seems likely, Fusion already knew April Lorenzen was involved.

But in the Seago hearing, Fusion lawyer Joshua Levy stated clearly that, “Our client didn’t move that specific communication –” pushing Tea Leaves’ information (from the context, it’s unclear to me whether this was a link directly to a gateway to Tea Leaves’ i2p site or one that involved Krypt3ia). Elsewhere Levy explained that Mark Hosenball had sent the link to Fusion which, in turn, sent it out to other journalists.

Fusion’s claims are consistent with them knowing of Lorenzen’s work before the Krypt3ia post, but having nothing to do with the Krypt3ia post and/or public links directly to Lorenzen’s site.

“Phil” hooked Krypt3ia up with the NYT

Alfa Bank seems to doubt Fusion’s denials that they were behind all those levels of notice to Krypt3ia.

I have no idea who first alerted Krypt3ia to the WordPress site or the i2p site, and he says he doesn’t remember who did. I do know who hooked him up with the NYT.

As I noted when I criticized this story in 2016, I was pitched the Alfa Bank story, like the NYT. But unlike the NYT, I was not pitched it by the people Durham is trying to put in jail like Sussmann, the researchers, or Fusion GPS. I was pitched it by the guy whom I’ve referred to by the pseudonym “Phil,” the person I went to the FBI about in 2017. (This is a pseudonym and he has not been charged by DOJ.)

Not only did he pitch me on it, but he told me he was the one to have hooked Krypt3ia up with the NYT reporter.

The rest of our exchange is below…

The claim that Phil had introduced Krypt3ia to a NYT reporter was credible. At the time I knew of several NYT reporters he claimed to have ties to (at Phil’s request, I had introduced him to one of them, and I’ve confirmed his contacts with others since). He also publicly interacted with Krypt3ia on Twitter.

But I had never checked whether Phil had really introduced the NYT to Krypt3ia until the Alfa Bank filing that blamed that tie on Fusion.

Nicole Perlroth has confirmed it was Phil. As she described, Phil basically pushed Krypt3ia on her. “Nicole: Krypt is a person who can be an invaluable resource on this,” specifically addressing Krypt3ia’s expertise on the dark web, even while asking her to keep him (Phil) updated on when the story would be published.

When I asked Krypt3ia if it was possible that the same person alerted him to the i2p site as had connected him to a NYT journalist, he said he did not remember.

Do you know if the person who connected you with the NYT reporter was the same as the one who pointed out the mirror? As per your post? Or don’t you remember?

Honestly don’t remember. Did not take notes or anything, thought it all bullshit and some kind of game of disinformation.

Whether or not Phil had a role in first tipping Krypt3ia off to the i2p proxy, he had a role in making the NYT aware of a series of moving versions of that site, starting with the one in Russia.

Importantly, this is not the only attempt to broker these allegations that remains publicly unexplained. There’s another unexplained package of these allegations – a “mediafire” package first posted on Reddit – raised in the Alfa suit that Fusion disclaimed credit for.

At least one person pushing this story was (as far as I know) completely unrelated to the efforts Durham and Alfa have focused on. Given that April Lorenzen used a pseudonym for her efforts, it would have been easy to hijack those efforts. So until April Lorenzen certifies that all the communications posted under the name “Tea Leaves” out there are hers (including the comment attached to a Tutanota email in Krypt3ia’s post), no one should assume she’s responsible for all of them.

Alfa Bank believed that the public notice of the Tea Leaves i2p site was proof that Fusion, and only Fusion, was dealing these allegations. The opposite is the case.

To be sure: that might have mattered if Vladimir Putin’s invasion hadn’t killed the Alfa Bank lawsuit. But Phil’s role in the Krypt3ia post doesn’t much matter to the Sussmann indictment. Sussmann’s alleged lie was on September 19, 2016, 16 days before the communications leading to the Krypt3ia post started. Nothing Phil did on October 8 and thereafter, it seems, could affect that alleged lie.

That said, Durham’s sprawling single-count indictment does include allegations about Sussmann’s outreach to the press that post-dates Phil’s involvement and may rely on it. Most notably, a paragraph describing that Sussmann emailed Lichtblau on October 10 encouraging him to send an opinion piece criticizing the NYT for its Trump coverage mentions that, “At or around that time, and according to public sources, [Lichtblau] was working on an article concerning the [Alfa Bank] allegations, but [Lichtblau’s] editors at [NYT] had not yet authorized publication of the article.” [my emphasis] Krypt3ia’s comment, “the NYT confirmed that they asked the question and shit happened. They are still looking into it” – a comment that indirectly involved Phil – is one of those public sources.

At the time, Phil was pushing a NYT article more aggressively than what Durham describes Sussmann doing, and he played at least some role in the public sources that reported NYT was working on an article.

So Phil’s involvement adds an important detail about how these claims were made public in the weeks leading up to the election, but none of that changes whether or not Sussmann lied to cover up Hillary and/or Rodney Joffe’s role in all this.

Update: I’ve corrected the post to reflect that the original site, hosted in Russia, was a proxy, not a mirror. Thanks to @i2p at geti2p.net for the corrections starting in this exchange.

Texts

The following includes all the Signal texts included in the exchange regarding the Alfa Bank DNS anomalies.

Two comments on these texts: I’m not sure what I meant in the text sent on October 9 at 10:51AM. I suspect I mistyped. I suspect I was trying to explain that Betsy and Dick DeVos’ traditional role in the Republican party – money – was less urgent to Trump in October 2016 than some kind of credible Republican policy platform.

I stand by everything else I said in these texts, though admit my observation about the adversity between UAE and Russia turned out to be hilariously and epically wrong, particularly as it pertained to Prince.

John Durham Keeps Chasing Possible Russian Disinformation

Yesterday, the two sides in the Michael Sussmann case submitted the proposed jury questions they agree on and some they disagree on.

Durham objects to questions about security clearances and educational background (presumably Durham wants to make it harder for Sussmann to get people who understand computers and classification on the jury).

Sussmann objects to questions about April Lorenzen’s company and Georgia Tech.

He also objects to a question that assumes, as fact, that the Hillary campaign and the DNC “promoted” a “collusion narrative.”

I suspect Sussmann’s objections to these questions are about direct contact. For all of Durham’s heaving and hollering, while Sussmann definitely met with Fusion GPS, of the researchers, the indictment against Sussmann only shows direct contact with David Dagon. Everything else goes through Rodney Joffe. Plus, a document FOIAed by the frothy right shows that Manos Antonakakis believes what is portrayed in the indictment is at times misleading and other times false, which I assume he’ll have an opportunity to explain at trial.

As regards the campaign, as I already noted, when Sussmann asked Durham what proof the Special Counsel had that he was coordinating with the campaign, Durham pointed to Marc Elias’ contacts with the campaign and, for the first time (over a month after the indictment), decided to interview a Clinton staffer.

Sussmann will probably just argue that Durham’s plan to invoke these things simply reflects Durham’s obstinate and improper treatment of a single false statement charge as a conspiracy the Special Counsel didn’t have the evidence to charge.

But Durham’s inclusion of it makes me suspect that Durham wants to use an intelligence report about which, even at the time, analysts noted, “The IC does not know the accuracy of this allegation or the extent to which the Russian intelligence analysis may reflect exaggeration or fabrication.” Nevertheless, John Ratcliffe, who has a history of exaggeration for career advancement, declassified it, unmasked Hillary’s name, and then shared it with Durham.

If Durham does intend to use this, though, it would likely mean Durham would have to share parts of the Roger Stone investigation file with Sussmann. That’s because the report in question ties the purported Clinton plan to Guccifer 2.0.

And as the FBI later discovered, there was significant evidence that Roger Stone had been informed of the Guccifer 2.0 persona before it went public.

That information, along with a bunch of other things revealed about Stone’s activities before this Russian report, suggests the Russian report may actually be an attempt to protect Stone, one that anticipated Stone’s claims in the days after the report that Guccifer 2.0 was not Russian.

Unless Durham finds a way to charge conspiracy in the next two months, Judge Christopher Cooper would do well to prevent Durham from continuing his wild conspiracy theorizing. Because it’s not clear Durham knows where the strings he is pulling actually lead.

John Durham Says Election-Hack Victims Should Wait Until After the Election to Report Tips

Even as Russia assaults a peaceful democracy (which invasion, in a separate filing, Durham calls, “recent world events in Ukraine”), John Durham suggests that a political campaign victimized by Russia should expect to wait until after the election before the FBI opens an investigation into a cybersecurity anomaly potentially implicating her opponent.

Durham even asserts that such a cybersecurity anomaly is not a cybersecurity matter, but instead a political one.

Almost six years after Trump’s request, “Russia are you listening,” was met with a renewed Russian attack on Hillary Clinton, John Durham continues to treat Hillary’s attempts to run a campaign while being attacked as a greater threat than that nation-state attack by Russia.

Durham’s latest contortions come in a response to Michael Sussmann’s motion to dismiss the indictment.

Sussmann argued that the alleged lie he told (motions to dismiss must accept the alleged facts as true) could not have affected the single decision facing the FBI when he shared information about a DNS anomaly: whether to open an investigation or not.

Following the Supreme Court’s clear instruction in Gaudin, in order to assess the materiality of the false statement that Mr. Sussmann is alleged to have made, this Court must ask what statement he is alleged to have made to the FBI; what decision the FBI was trying to make; and whether the false statement could have influenced that decision. Here, even accepting all the allegations in the Indictment as true—and the evidence would prove otherwise—the only decision the FBI was trying to make was the decision whether or not to commence an investigation into the allegations of suspicious internet data involving the Trump Organization and Russian Bank-1. Ample precedent—and the Special Counsel’s own allegations in this case—make clear that Mr. Sussmann’s purported false statement did not influence, and was not capable of influencing, that decision.

Predictably and reasonably, Durham’s response cited the precedent that leaves it up to juries to determine whether something is material or not.

In any event, the defendant’s arguments on the materiality of his statement are also premature. The Supreme Court in Gaudin held that materiality is an essential element of Section 1001 that must be resolved by a jury.

As I noted back in October, “Prosecutors will argue that materiality is a matter for the jury to decide.”

Prosecutors also noted what I did: a long list of precedents about materiality that Sussmann cited in his motion are all post-trial challenges to materiality, not pretrial motions to dismiss.

The defendant cites to multiple cases where the Supreme Court and Circuit Courts have held that the false statements and misrepresentations at issue were immaterial as a matter of law. See Def. Mot. at 7-10. But critically, all of those cases involved post-conviction appeals or motions to vacate the conviction after the Government presented its case at trial. Accordingly, none of these cases support the defendant’s requested relief here – that is, that the court dismiss the Indictment before trial because it fails to sufficiently allege that the defendant’s false statement is material. What the cases do show is that courts have routinely declined to usurp the jury’s role in making the determination on whether a false statement is material.

For those two reasons, Sussmann’s motion to dismiss is unlikely to succeed, and should instead be viewed as an opening bid to frame his defense and establish issues for appeal.

Those two arguments are all Durham really needed to respond to Sussmann’s motion to dismiss. Rather than leaving it at responsible lawyering, however, Durham launches into an illogical attempt to criminalize tip reporting.

Take his attempt to dismiss Rodney Joffe’s real cybersecurity expertise. In the three months since he charged Sussmann, Durham belatedly (at Sussmann’s request) discovered how closely Joffe had worked with the FBI on other investigations. As Sussmann scoffed in an earlier filing, “The notion that the FBI would have been more skeptical of the information had it known of Tech Executive-1’s involvement is, in a word, preposterous.” Now that Durham has discovered the close ties between Joffe and the FBI, he claimed that that history of reliability was itself something the FBI needed to know.

Namely, as the defendant’s motion reveals (Def. Mot. at 18-19, fn. 8), Tech Executive-1 had a history of providing assistance to the FBI on cyber security matters, but decided in this instance to provide politically-charged allegations anonymously through the defendant and a law firm that was then-counsel to the Clinton Campaign. Given Tech Executive-1’s history of assistance to law enforcement, it would be material for the FBI to learn of the defendant’s lawyer-client relationship with Tech Executive-1 so that they could evaluate Tech Executive-1’s motivations. As an initial step, the FBI might have sought to interview Tech Executive-1. And that, in turn, might have revealed further information about Tech Executive-1’s coordination with individuals tied to the Clinton Campaign, his access to vast amounts of sensitive and/or proprietary internet data, and his tasking of cyber researchers working on a pending federal cybersecurity contract.

Durham’s claim that “learning” how much data Joffe had access to (which is something the FBI undoubtedly knew; it is surely the reason why FBI partnered with him, because the volume of data Neustar had made their observations more useful) would make them more skeptical of the DNS tip is nonsensical. In fact, elsewhere (in tracking all the YotaPhone requests in the US over a three-year period), Durham treated it as presumptively reliable.

Plus, Durham made no mention here of one of a number of other things he belatedly learned: that the September 2016 tip Sussmann shared with FBI General Counsel James Baker was not the only one Joffe had shared via Sussmann anonymously. He shared a tip anonymously during this same time period with DOJ IG. Durham has no way of knowing, either, whether those two were the only ones, but his revised theory of materiality depends on an anonymous tip like this one being unique.

Similarly, Durham struggled to explain (including by citing an inapt precedent) why the FBI would need to be told that Sussmann represented Hillary when, in notes of Baker’s retelling of the meeting, Bill Priestap wrote that Sussmann represented the DNC and Clinton Foundation.

As he did with Joffe, Durham tried to flip Sussmann’s expertise, arguing that the former prosecutor’s recognized qualification as a cybersecurity expert, something that would help him assess whether DNS data were anomalous or not, is precisely why the Perkins Coie lawyer needed to disclose he was working for Hillary.

In an effort to downplay the materiality of this false statement, the defendant asserts that the FBI General Counsel was aware that the defendant represented the DNC. See Def. Mot at 18. But the Government expects that evidence at trial will establish that the FBI General Counsel was aware that the defendant represented the DNC on cybersecurity matters arising from the Russian government’s hack of its emails, not that he provided political advice or was participating in the Clinton Campaign’s opposition research efforts. Indeed, the defendant held himself out to the public as an experienced national security and cybersecurity lawyer, not an election lawyer or political consultant. Accordingly, when the defendant disclaimed any client relationships at his meeting with the FBI General Counsel, this served to lull the General Counsel into the mistaken, yet highly material belief that the defendant lacked political motivations for his work.

There are many crazy assumptions built into this statement: that, had Sussmann identified Hillary as his client, it would have required him to reveal her motives as political rather than security-related to the FBI, breaching privilege; that reporting an anomaly potentially involving Trump after Trump had begged Russia to further hack Hillary would not be a sound decision from a cybersecurity standpoint; that researching the context of an anomaly, such as Alfa Bank’s ties to Putin, is not part of cybersecurity. Effectively, Durham has unilaterally decided that pursuing this anomaly was a political act, with no basis in law or fact.

Which is how Durham espoused the claim that the FBI, facing an unprecedented attack by Russia on American elections in 2016, might have delayed investigation of a part of it that might have implicated one of the contestants.

The defendant’s false statement to the FBI General Counsel was plainly material because it misled the General Counsel about, among other things, the critical fact that the defendant was disseminating highly explosive allegations about a then-Presidential candidate on behalf of two specific clients, one of which was the opposing Presidential campaign. The defendant’s efforts to mislead the FBI in this manner during the height of a Presidential election season plainly could have influenced the FBI’s decision-making in any number of ways. The defendant’s core argument to the contrary rests on the flawed premise that the FBI’s only relevant decision was binary in nature, i.e., whether or not to initiate an investigation. But defendant’s assertion in this regard conveniently ignores the factual and practical realities of how the FBI initiates and conducts investigations. For example, the Government expects that evidence at trial will prove that the FBI could have taken any number of steps prior to opening what it terms a “full investigation,” including, but not limited to, conducting an “assessment,” opening a “preliminary investigation,” delaying a decision until after the election, or declining to investigate the matter altogether.

[snip]

Moreover, the Department of Justice and the FBI maintain stringent guidelines on dealing with matters that bear on U.S. elections. Given the temporal proximity to the 2016 U.S. presidential election, the FBI also might have taken any number of different steps in initiating, delaying, or declining the initiation of this matter had it known at the time that the defendant was providing information on behalf of the Clinton Campaign and a technology executive at a private company.

[snip]

And the evidence will show that it would have been all the more material here because the defendant was providing this information on behalf of the Clinton Campaign less than two months prior to a hotly contested U.S. presidential election. [my emphasis]

The first paragraph here is really telling, given Durham’s public complaint that the Crossfire Hurricane team should have opened the investigation as a preliminary investigation, not a full investigation (the investigation into Mike Flynn, specifically, wasn’t opened as a full investigation, but none of the techniques used would have otherwise been unavailable, not least because there was already a full investigation opened on Carter Page). This is an argument Durham may reprise in his report: That it was unreasonable for Hillary Clinton to ask the FBI to inquire into Trump’s campaign after he publicly asked a foreign country for help (even ignoring the tip from Australia).

Durham seems to think Hillary should have had no assistance from law enforcement when her opponent publicly asked Russia to hack her some more if people close to her found more reason to be concerned. He even mocked Sussmann as too powerful to choose to use anonymity.

[W]hile the defendant’s motion seeks to equate the defendant with a “jilted ex-wife [who] would think twice about reporting her ex-husband’s extensive gun-smuggling operation,” this comparison is absurd. Def. Mot. at 24

Far from finding himself in the vulnerable position of an ordinary person whose speech is likely to be chilled, the defendant – a sophisticated and well-connected lawyer – chose to bring politically-charged allegations to the FBI’s chief legal officer at the height of an election season.

This also betrays pure insanity. The anomaly involving Trump could always have reflected disloyal insiders compromising the candidate, as could the YotaPhones potentially in use in Trump headquarters. In fact, Page did compromise Trump when he went to Russia in December 2016 and told Russians there that he was representing Trump on matters pertaining to Ukraine, just as Mike Flynn did by selling his access to Trump to Turkey, just as Tom Barrack is accused of doing with the Emirates. The reason Sussmann was providing this information less than two months before an election is that cybersecurity researchers had gone looking because there was an ongoing multi-faceted cybersecurity attack, one that continued right through the election, one that could have victimized Trump as well as Hillary.

Which brings me to the one point Sussmann made that Durham completely ignored. Durham’s response uses the word “purported” to describe the DNS allegations from Sussmann five times:

  1. The defendant provided the FBI General Counsel with purported data and “white papers” that allegedly demonstrated a covert communications channel between the Trump Organization and a Russia-based bank
  2. the purported data and white papers
  3. the purported DNS traffic that Tech Executive-1 and others had assembled
  4. the defendant provided data which he claimed reflected purportedly suspicious DNS lookups by these entities of internet protocol (“IP”) addresses affiliated with a Russian mobile phone provider (“Russian Phone Provider-1”)
  5. examine the origins of the purported data

What Durham did not do is ever address this point from Sussmann:

Indeed, the defense is aware of no case in which an individual has provided a tip to the government and has been charged with making any false statement other than providing a false tip. But that is exactly what has happened here.

In the fall of 2016, Michael Sussmann, a prominent national security lawyer, voluntarily met with the Federal Bureau of Investigation (“FBI”) to pass along information that raised national security concerns. He met with the FBI, in other words, to provide a tip. There is no allegation in the Indictment that the tip he provided was false. And there is no allegation that he believed that the tip he provided was false. Rather, Mr. Sussmann has been charged with making a false statement about an entirely ancillary matter—about who his client may have been when he met with the FBI—which is a fact that even the Special Counsel’s own Indictment fails to allege had any effect on the FBI’s decision to open an investigation.

[snip]

Again, nowhere in the Indictment is there an allegation that the information Mr. Sussmann provided was false. Nowhere is there an allegation that Mr. Sussmann knew—or should have known—that the information was false. And nowhere is there an allegation that the FBI would not have opened an investigation absent Mr. Sussmann’s purported false statement.

I could fund an entire Special Counsel investigation if I had $5 for every time in this prosecution Durham has used the word “purported.” For almost six months, his entire prosecution has been premised on this anomaly not being “real,” meaning unexplained traffic that might represent something serious.

And yet he has not charged that (though he seems to have bullied April Lorenzen, perhaps because he needs her to be something other than she was). Instead, he just keeps doing the work for which actual evidence is normally required by repeating the word “purported” over and over.

This motion to dismiss will likely fail, because juries get to decide what is material. But contrary to Durham’s claims, unless and until he can prove that Sussmann, Joffe, and Lorenzen didn’t believe this was a real anomaly worth investigating given all the other attacks that they, Sussmann especially, knew were ongoing, then he really will be prosecuting someone for reporting a valid national security concern.

John Durham Drops Claim that Rodney Joffe “Mined” EOP Data for Derogatory Information on Trump from Boilerplate

On Friday, John Durham’s team did two things. Publicly, they responded to Michael Sussmann’s motion to dismiss his indictment. I’ll deal with both those later, but the short summary is that Sussmann argued his alleged lie could not have been material, whereas Durham (predictably) cited precedent saying that’s a matter for the jury to decide.

Under seal, Durham’s team responded on Friday to a sealed motion to intervene in the Sussmann case and expunge references filed by Rodney Joffe’s attorneys.

Presumably, Joffe objected to the unsubstantiated and uncharged claims that Durham had made in a conflicts motion that led the former President to suggest Sussmann and Joffe should be put to death.

We may not find out about the substance of this dispute for some time. But it may already be reflected in Durham’s filings.

In his response to Sussmann, Durham obstinately repeated most of the inflammatory claims first floated in the conflicts memo that elicited the calls for death and other lies from Durham’s sources and witnesses. But there are two passages that Durham took out.

Durham removed the two passages italicized below.

The Government’s evidence at trial will also establish that among the Internet data Tech Executive-1 and his associates exploited was domain name system (“DNS”) Internet traffic pertaining to (i) a particular healthcare provider, (ii) Trump Tower, (iii) Donald Trump’s Central Park West apartment building, and (iv) the Executive Office of the President of the United States (“EOP”). (Tech Executive-1’s employer, Internet Company-1, had come to access and maintain dedicated servers for the EOP as part of a sensitive arrangement whereby it provided DNS resolution services to the EOP. Tech Executive-1 and his associates exploited this arrangement by mining the EOP’s DNS traffic and other data for the purpose of gathering derogatory information about Donald Trump.)

The Indictment further details that on February 9, 2017, the defendant provided an updated set of allegations – including the Russian Bank-1 data and additional allegations relating to Trump – to a second agency of the U.S. government (“Agency-2”). The Government’s evidence at trial will establish that these additional allegations relied, in part, on the purported DNS traffic that Tech Executive-1 and others had assembled pertaining to Trump Tower, Donald Trump’s New York City apartment building, the EOP, and the aforementioned healthcare provider. In his meeting with Agency-2, the defendant provided data which he claimed reflected purportedly suspicious DNS lookups by these entities of internet protocol (“IP”) addresses affiliated with a Russian mobile phone provider (“Russian Phone Provider-1”). The defendant further claimed that these lookups demonstrated that Trump and/or his associates were using supposedly rare, Russian-made wireless phones in the vicinity of the White House and other locations. The Special Counsel’s Office has identified no support for these allegations. Indeed, more complete DNS data that the Special Counsel’s Office obtained from a company that assisted Tech Executive-1 in assembling these allegations reflects that such DNS lookups were far from rare in the United States. For example, the more complete data that Tech Executive-1 and his associates gathered – but did not provide to Agency-2 – reflected that between approximately 2014 and 2017, there were a total of more than 3 million lookups of Russian Phone-Provider-1 IP addresses that originated with U.S.-based IP addresses. Fewer than 1,000 of these lookups originated with IP addresses affiliated with Trump Tower. 
In addition, the more complete data assembled by Tech Executive-1 and his associates reflected that DNS lookups involving the EOP and Russian Phone Provider-1 began at least as early 2014 (i.e., during the Obama administration and years before Trump took office) – another fact which the allegations omitted. 

The second of these passages was an innumerate claim that falsely suggested Russian YotaPhones were common in the United States because between 2014 and 2017, there had been three million such look-ups. As William Ockham explained, these three million look-ups aren’t much more than his own family’s DNS requests during the same four (or even three) year period.

Contra Durham, 3 million DNS requests for related IP addresses over a four-year period means these requests are very rare.

For comparison purposes, my best estimate is that my family (7 users, 14 devices) generated roughly 2.9 million DNS requests just from checking our email during the same time frame. That’s not even counting DNS requests for normal web browsing.

This seeming concession that Durham was wrong makes the other removal especially interesting, particularly given Joffe’s motion to intervene.

Durham also removed a passage claiming that Joffe “exploited” his access to data from the White House “for the purpose of gathering derogatory information about Donald Trump.”

Remember, the data in question all preceded January 20, 2017. Even assuming “exploit” and “mine” are the appropriate verbs here, to suggest accessing data from before Trump became President was an effort to obtain derogatory information on him makes no sense. And the inclusion of Spectrum Health in all of this — for which people made baseless claims about the DeVoses — is further proof that Joffe wasn’t looking for derogatory information. He was looking for anomalies, and those anomalies ended up implicating Trump-related servers. Plus, even if Joffe were accessing just Trump-related data, finding some unexplained Russian traffic would normally be seen as a risk to Trump, not a political attack on him.

Durham claims he didn’t say anything in the conflicts memo that needed to be struck. That issue (and the claimed conflict) will be reviewed at a hearing on Monday. But in the meantime, Durham already dropped two claims.

John Durham and Newly-Sanctioned Alfa Bank’s Filings: “Almost like they were written by the same people”

In a DC hearing on February 9 regarding Alfa Bank’s attempt to obtain documents from Michael Sussmann before his trial, DC Superior Judge Shana Frost Matini observed that the Alfa Bank allegations and the John Durham indictment seemed like they could be written by the same people.

[R]ight now, given the — if the closeness of Alpha’s allegations, I mean, quite frankly, it’s — reading Alpha’s submissions and what the — and that compared to the indictment, there’s — it’s almost like they were written by the same people in some way. [Alpha misspelling original]

Judge Matini, a Trump appointee, scolded Alfa — which over this past weekend was included in sanctions against Russian banks in retaliation for the invasion — for claiming that their lawsuit and Durham’s indictment of Sussmann were not closely related after having raised the indictment in the first place.

As to the claims that the criminal and civil proceedings are not closely related, this is a surprising representation for Alpha to make, given that Alpha was the one to bring the criminal charges to the Court’s attention by filing what was styled as a notice of supplemental authority in support of its Motion to Compel.

Of course, there is no Supplemental Authority here. A criminal indictment is not an opinion of the Court. It’s just a charge that the prosecuting authority is bringing against an individual with facts that are alleged to support the charge.

In dual lawsuits in FL and PA, Alfa Bank purports to be trying to figure out who allegedly faked DNS records to make it look like Alfa was in contact with Trump back in 2016 so it can sue those people. Rather than finding anyone to sue, however, it has instead spent its time subpoenaing experts to learn as much as it can about how the US tracks DNS records to prevent cyberattacks by — among other hostile countries — Russia.

Matini ruled that Alfa’s effort to get more information from Sussmann will have to wait until June, after his trial. (It’s unclear whether the sanctioned bank will still have legal means to pay Skadden lawyers to pursue this lawsuit at that point.)

But since then, the timelines of the Alfa Bank and Durham investigations have closely paralleled.

Of particular interest, on the morning of February 11, Rodney Joffe — referred to as Tech Executive-1 in the Durham filings — sat for an almost 5-hour deposition with Alfa Bank’s lawyers. He revealed that Durham had first approached him for an interview at least a year earlier. He revealed he had been asked to testify before the grand jury, but he “declined to interview,” presumably meaning he told Durham he’d invoke the Fifth (just as Don Jr and probably his daddy are understood to have done with Mueller).

Joffe’s refusal to voluntarily feed this witch hunt continued in his Alfa deposition. Citing the ongoing Durham investigation, he invoked the Fifth Amendment a slew of times (though not as many times as your average Trump man in a financial fraud deposition or even Alex Jones in an interview about an insurrection). The questions on which he invoked his Fifth Amendment rights and those he answered mapped out an interesting territory, marking whom he does know and whom Alfa thought he knew but he does not.

For example, he said he had never heard of Alfa Bank before investigating the anomaly related to it. He said he had never met Jean Camp or several of the other researchers that frothers are certain he conspired with. Joffe twice said he had never met Christopher Steele and also said he “had no idea” that Sussmann met with Steele about the server allegations. He denied knowing what the contract between Georgia Tech and DARPA looked like.

Alfa made a number of mistakes — confusing a domain name with a business. Claiming he authored a paper that David Dagon had. Asking him about several emails he hadn’t been sent.

There were several claims Alfa made that Joffe’s lawyer, Steven Tyrrell, established for the record were unproven assumptions on Alfa’s part, such as that Joffe got one of the white papers described in the indictment. Importantly, that includes a question about the EOP server.

Q: I was just going to ask Mr. Joffe whether or not he knows who the executive branch office of the U.S. government is?

A: I have to invoke my Fifth Amendment rights.

Mr. Tyrrell: And Margaret, if I may, just — I apologize. Just for the record, I want to be clear that — that in invoking his rights and my allowing my client to invoke his rights, that should not be interpreted as an admission that the — I mean, you’ll argue whatever it is, if you do, that the allegations, which are just allegations in the indictment, are accurate.

In addition to those curious objections, there were several things alleged in the indictment that Joffe outright denied. In response to several questions, Joffe challenged the meaning of an email Durham has used to suggest he anticipated, and wanted, a top cybersecurity job within a hypothetical Hillary Administration. After objecting to the form in which Alfa Bank’s Skadden lawyer tried to corner Joffe into answering the question, Tyrrell answered,

You know, again, our position on this is Mr. Joffe is happy to answer the question that was posed about whether he was ever offered the top cybersecurity job by the Democrats when it looked like they’d win. I think he’s answered that question.

He’s not going to answer questions about communications that he may or may not have had with other people about the topic. And as to those, he would invoke his rights under the Fifth Amendment.

Joffe answered no to three questions about whether the Clinton campaign paid him for his work on the server allegations, a false claim that Kash Patel spread. Joffe also distinguished his concern about Donald Trump from a political desire to see him lose.

I’ve never been interested in politics. I’ve never been involved in politics. I haven’t voted for many, many years. I haven’t donated to any parties or any — or given any kind of benefit to any parties, but I certainly over the last few years have had an interest in the politics of the country that I live in.

That explanation premised two invocations of his Fifth Amendment in response to questions about Trump specifically.

In other words, Joffe’s Alfa Bank deposition on February 11 undermined several of the premises of the Durham investigation, while it identified several areas where his lawyer suggested Alfa’s assumptions were wrong (in the hearing on Laura Seago’s deposition, there was a central Alfa Bank assumption I know to be badly wrong).

Joffe’s deposition ended at 2:07PM ET on February 11.

Nine hours later, at 11:32PM, Durham submitted the belated conflicts motion — which would have been filed in September if Durham really had concerns about any conflict — and floated a number of claims about Joffe, claims that went beyond those in the indictment. Joffe is mentioned twenty times, including the following:

The defendant’s billing records reflect that the defendant repeatedly billed the Clinton Campaign for his work on the Russian Bank-1 allegations. In compiling and disseminating these allegations, the defendant and Tech Executive-1 also had met and communicated with another law partner at Law Firm-1 who was then serving as General Counsel to the Clinton Campaign (“Campaign Lawyer-1”).

The Indictment also alleges that, beginning in approximately July 2016, Tech Executive-1 had worked with the defendant, a U.S. investigative firm retained by Law Firm-1 on behalf of the Clinton Campaign, numerous cyber researchers, and employees at multiple Internet companies to assemble the purported data and white papers. In connection with these efforts, Tech Executive-1 exploited his access to non-public and/or proprietary Internet data. Tech Executive-1 also enlisted the assistance of researchers at a U.S.-based university who were receiving and analyzing large amounts of Internet data in connection with a pending federal government cybersecurity research contract. Tech Executive-1 tasked these researchers to mine Internet data to establish “an inference” and “narrative” tying then-candidate Trump to Russia. In doing so, Tech Executive-1 indicated that he was seeking to please certain “VIPs,” referring to individuals at Law Firm-1 and the Clinton Campaign.

The Government’s evidence at trial will also establish that among the Internet data Tech Executive-1 and his associates exploited was domain name system (“DNS”) Internet traffic pertaining to (i) a particular healthcare provider, (ii) Trump Tower, (iii) Donald Trump’s Central Park West apartment building, and (iv) the Executive Office of the President of the United States (“EOP”). (Tech Executive-1’s employer, Internet Company-1, had come to access and maintain dedicated servers for the EOP as part of a sensitive arrangement whereby it provided DNS resolution services to the EOP. Tech Executive-1 and his associates exploited this arrangement by mining the EOP’s DNS traffic and other data for the purpose of gathering derogatory information about Donald Trump.)

The Indictment further details that on February 9, 2017, the defendant provided an updated set of allegations – including the Russian Bank-1 data and additional allegations relating to Trump – to a second agency of the U.S. government (“Agency-2”). The Government’s evidence at trial will establish that these additional allegations relied, in part, on the purported DNS traffic that Tech Executive-1 and others had assembled pertaining to Trump Tower, Donald Trump’s New York City apartment building, the EOP, and the aforementioned healthcare provider. In his meeting with Agency-2, the defendant provided data which he claimed reflected purportedly suspicious DNS lookups by these entities of internet protocol (“IP”) addresses affiliated with a Russian mobile phone provider (“Russian Phone Provider-1”). The defendant further claimed that these lookups demonstrated that Trump and/or his associates were using supposedly rare, Russian-made wireless phones in the vicinity of the White House and other locations. The Special Counsel’s Office has identified no support for these allegations. Indeed, more complete DNS data that the Special Counsel’s Office obtained from a company that assisted Tech Executive-1 in assembling these allegations reflects that such DNS lookups were far from rare in the United States. For example, the more complete data that Tech Executive-1 and his associates gathered – but did not provide to Agency-2 – reflected that between approximately 2014 and 2017, there were a total of more than 3 million lookups of Russian Phone-Provider-1 IP addresses that originated with U.S.-based IP addresses. Fewer than 1,000 of these lookups originated with IP addresses affiliated with Trump Tower. 
In addition, the more complete data assembled by Tech Executive-1 and his associates reflected that DNS lookups involving the EOP and Russian Phone Provider-1 began at least as early 2014 (i.e., during the Obama administration and years before Trump took office) – another fact which the allegations omitted.

As I noted, less than a day after Durham filed that motion, the former President suggested that Joffe had been spying and should be killed. In response to the furor, Joffe’s spox later issued a statement clarifying what went on — precisely the information he had tried to plead the Fifth over.

In a statement, a spokesperson for Mr. Joffe said that “contrary to the allegations in this recent filing,” he was apolitical, did not work for any political party, and had lawful access under a contract to work with others to analyze DNS data — including from the White House — for the purpose of hunting for security breaches or threats.

After Russians hacked networks for the White House and Democrats in 2015 and 2016, it went on, the cybersecurity researchers were “deeply concerned” to find data suggesting Russian-made YotaPhones were in proximity to the Trump campaign and the White House, so “prepared a report of their findings, which was subsequently shared with the C.I.A.”

And some of the other researchers had to provide more details to push back on the frenzy (including that the data from EOP preceded Trump’s inauguration). Few outlets, though, have presented the basic innumeracy in Durham’s filing about the rarity of YotaPhones as anything but a contested issue.

And after Durham incited claims that Joffe should be killed, one week later Alfa Bank then affirmed the tie between Joffe and Tech Executive-1 by posting his deposition in their motion to get another four months to conduct their fishing expedition. That has had the effect of further inflaming the frothy right, and providing Durham sworn testimony from Joffe that he was otherwise not entitled to (including several warnings about how his case against Sussmann may be vulnerable).

In the wake of the release of the Florida filing, Joffe’s lawyers intervened in the Sussmann case and then filed a separate sealed motion to strike the (misleading) references to Joffe in the filing.

A Trump-appointed judge in DC believes these efforts look like they’re being written by the same people. Whether or not Durham’s sources and a sanctioned Russian bank’s sources are “colluding,” these parallel developments had the effect of depriving Joffe of his ability to fully invoke the Fifth Amendment. And with the help of a sanctioned Russian bank, it gave Durham a substantial benefit in a criminal investigation.

Timeline

January 25: Durham asks to extend discovery deadline

January 28: Durham admits that he was informed about the James Baker phone he claimed to have forgotten knowing about

February 9: Michael Sussmann succeeds in staying Alfa Bank’s effort to get documents from him

February 10: Fusion GPS’ Laura Seago attempts to quash a subpoena

February 11, 9:30AM: Rodney Joffe deposition

February 11, 11:32PM: Durham files a motion purporting to be a conflicts motion that misrepresents the evidence

February 14: Sussmann asks to strike unsupported allegations in conflicts motion

February 14: Peter Fritsch deposition

February 17: Sussmann moves to dismiss the case, arguing his alleged lie would not be material

February 17: Durham claims that the close associates of the investigation who lied about what the conflicts motion said have nothing to do with the Durham team

February 18: Alfa Bank requests another extension to keep looking for John Does in FL

February 24: Rodney Joffe’s lawyers file notices of appearance in the Sussmann docket

February 25: Judge Christopher Cooper schedules a hearing on the conflicts motion for March 7

February 28: Joffe files a sealed motion to expunge the references to Tech Executive-1

March 1: Judge Cooper sets a Friday deadline for the government to respond to Joffe’s motion

March 7: Hearing scheduled to address conflicts memo

Durham Says It’s Not His Fault His Former Boss Called for the Death of His Defendant

John Durham’s team didn’t have much to say after being called out for making baseless accusations that their source Kash Patel lied about, leading the former President to suggest Michael Sussmann should be killed.

They’re not responsible for the death threats, the attorney who filed a notice of appearance in the wake of Friday’s stunt, Brittain Shaw, insists.

If third parties or members of the media have overstated, understated, or otherwise misinterpreted facts contained in the Government’s Motion, that does not in any way undermine the valid reasons for the Government’s inclusion of this information.

She said this even while acknowledging it might be prudent to take measures against death threats in the future.

That said, to the extent the Government’s future filings contain information that legitimately gives rise to privacy issues or other concerns that might overcome the presumption of public access to judicial documents – such as the disclosure of witness identities, the safety of individuals, or ongoing law enforcement or national security concerns – the Government will make such filings under seal. United States v. Hubbard, 650 F. 2d 293, 317-323 (D.C. Cir. 1980) (setting forth factors for considering whether the presumption of public access is overridden, including (1) the need for public access to the documents at issue; (2) the extent of previous public access to the documents; (3) the fact that someone has objected to disclosure, and the identity of that person; (4) the strength of any property and privacy interests asserted; (5) the possibility of prejudice to those opposing disclosure; and (6) the purposes for which the documents were introduced during the judicial proceedings.) The Government respectfully submits that no such issues or concerns are implicated here. [my emphasis]

The former President implied the defendant and a witness should be killed. But it’s not Durham’s fault and so he doesn’t have to deal with the fact that it happened!!

This is factually specious. Kash Patel, who was among the first to make egregiously false claims, is not a “third party.” He is the originator of this inquiry, and he knew well his statements to be false. Donald Trump, who suggested Sussmann and others should be killed, is not a “third party.” He was Durham’s boss and his demands for prosecutions are what led to Durham being appointed Special Counsel in the first place.

Plus, Durham’s team have already made the identities of some grand jury witnesses public in discovery filings.

The claim that the architects of this mob are neutral “third parties” is all the more pathetic given the excuse Shaw provides for including the false insinuation that Rodney Joffe spied on Trump’s White House rather than tried to keep the White House safe from hackers at the time it happened to be occupied by Barack Obama.

The reason they mentioned the White House, you see (Shaw claims), is because of one of the conflicts they raised.

The Government included two paragraphs of limited additional factual detail in its Motion for valid and straightforward reasons. First, those paragraphs reflect conduct that is intertwined with, and part of, events that are central to proving the defendant’s alleged criminal conduct. Second, the Government included these paragraphs to apprise the Court of the factual basis for one of the potential conflicts described in the Government’s Motion, namely, that a member of the defense team was working for the Executive Office of the President of the United States (“EOP”) during relevant events that involved the EOP. [my emphasis]

Shaw here argues that events in February 2017 are “intertwined” with an alleged crime that took place five months earlier.

She also suggests that the reason they raised the White House is because one of Sussmann’s team members worked there (Charlie Savage has now IDed the lawyer as Michael Bosworth).

I mean, so did Kash Patel, a central player in the false claims that led to the former President calling for death.

Here’s what the actual conflict memo said about that purported conflict.

Based on its review of documents in its investigation and other information, the Special Counsel’s Office also has learned that one of the members of the defendant’s current defense team (“Defense Team Member-1”) previously worked as Special Counsel to the then-FBI Director from 2013 to 2014. In connection with that work, Defense Team Member-1 developed professional and/or personal relationships with several individuals who later were involved with and/or knowledgeable of the FBI’s investigation of the Russian Bank-1 allegations. For example, Defense Team Member-1 appears to have developed a professional relationship with the former FBI General Counsel to whom the defendant made his alleged false statement and who will likely be a central witness at trial.4 While it is unlikely that these past interactions and activities will give rise to an actual conflict of interest, the Government respectfully requests in an abundance of caution that the Court inquire with the defense concerning whether Defense Team Member-1’s relationships with persons and entities who might be witnesses in this case could give rise to a potential conflict or appearance issue and, if so, whether the defendant waives any such conflict.

4 Following his employment at the FBI, Defense Team Member-1 worked from 2014 to early 2017 as an attorney in the EOP which, as noted above, was involved in certain factual issues that the Government expects will be relevant at trial and any sentencing proceedings. Latham has represented to the Government that while employed at the EOP, Defense Team Member-1 had no role in the aforementioned events or arrangements involving Tech Executive-1, Internet Company1, and/or allegations involving the purported use of Russian-made phones. The Government similarly has not seen evidence to suggest that Defense Team Member-1 had any role in, or direct knowledge of, the Russian Bank-1 allegations or the FBI’s ensuing investigation. [my emphasis]

It’s the tie to Jim Comey and through him to James Baker, not the subsequent job at the White House, that Durham’s team presented as a potential conflict — and even then, Durham’s team admits this is not likely a conflict. By this standard, several members of the prosecutorial team, not to mention the guy from whom this allegation came, Kash Patel, have a conflict. John Durham was hired by Donald Trump; that’s a more serious conflict than anything his team spins up as one.

The White House will not be called to the stand at Sussmann’s trial. None of this is actually about the White House. As Andrew DeFilippis noted in his filing making wild claims of conflict, the White House job was not one of those conflicts. Indeed, this is yet another marker of Durham’s dishonesty. This team member, as described, was a victim of Rodney Joffe’s purportedly vicious efforts to make sure the Obama White House was not hacked. The team member only has an adversarial relationship if one believes that protecting against hacks is an adversarial stance. But that’s not how they describe the purported conflict which even they admit is not one.

Which is a pretty big hint their understanding of conflicts here is whacked beyond all reason.

Even in a terse four page motion (which I guess is one way she’s an improvement over DeFilippis), Shaw still had room for bullshit.

Having given a transparently bogus excuse for raising the White House, she then says that raising it in a conflict memo is cool because Durham plans to later raise these issues in a motion in limine (pre-trial motions about what can and cannot be presented during the trial).

In light of the above, there is no basis to strike any portion of the Government’s Motion. Indeed, the Government intends to file motions in limine in which it will further discuss these and other pertinent facts to explain why they constitute relevant and admissible evidence at trial. Pursuant to caselaw and common practice in this and other districts, the filing of documents containing reference to such evidence on the public docket is appropriate and proper, even in high-profile cases where the potential exists that such facts could garner media attention. See, e.g., United States v. Stone, 19 Cr. 18 (D.D.C. October 21, 2019) (ABJ), Minute Order (addressing the Government’s publicly-filed motion in limine seeking to admit video clip from the movie “Godfather II” that defendant sent to an associate and permitting admission of a transcript of the video); United States v. Craig, 19 Cr. 125 (D.D.C. July 10, 2019) (ABJ), Minute Order (addressing Government’s publicly-filed Rule 404(b) motion to offer evidence of defendant’s efforts to assist Paul Manafort’s relative in obtaining employment); United States v. Martoma, S1 12 Cr. 973, 2014 WL 164181 (S.D.N.Y. January 9, 2014) (denying defendant’s motion for sealing and courtroom closure relating to motions in limine concerning evidence of defendant’s expulsion from law school and forgery of law school transcript);1 see also Johnson v. Greater SE Cmty. Hosp. Corp., 951 F. 2d 1268, 1277 (D.C. Cir. 1991) (holding that there is a “strong presumption in favor of public access to judicial proceedings”). Moreover, any potential prejudice or jury taint arising from such media attention can effectively and appropriately be addressed through the voir dire process during jury selection.

1 The publicly-filed evidentiary motions and judicial rulings in each of the above-cited cases received significant media attention. See, e.g., Prosecutors Can’t Show Godfather II Clip at Roger Stone Trial, Judge Rules, CNN, October 21, 2019 (https://www.cnn.com/2019/10/21/politics/godfather-ii-roger-stone/index.html); Greg Craig Pushed to Hire Manafort’s Relative at Skadden, Prosecutors Say, POLITICO, May 10, 2019 (https://www.politico.com/story/2019/05/10/greg-craig-hire-manaforts-relative-1317600); SAC’s Martoma Tried to Cover Up Fraud at Harvard, Documents Show, REUTERS, January 9, 2014 (https://www.reuters.com/article/us-sac-martoma-harvard/sacs-martoma-tried-to-cover-up-fraudat-harvard-documents-show-idUSBREA081C720140109).

Roger Stone Roger Stone Roger Stone and Mueller, she throws in for good measure.

This is a fairly bald admission that the time to raise these issues, pretending they were relevant, would be the later 404(b) fight (over whether evidence of related conduct can be admitted at trial to help prove the case), not now, on a totally separate issue. That this might be a relevant issue later (which is itself admission that these topics are not direct evidence about Sussmann’s alleged lie and must first demonstrate relevance to even be admitted at trial) is not an excuse to use them in untimely and off-purpose fashion.

And yet that’s Durham’s excuse for saying a bunch of things that predictably led to calls for death.

According to John Durham’s logic of conflicts, he is the one with an unwaivable conflict. The guy who hired him to this job is the same guy suggesting, based off Durham’s filing, that the guy he is prosecuting should be executed.

Updated for clarity.

Update: Corrected Bosworth’s last name.

Indict First Interview Later: Durham’s Belated Efforts to Substantiate His Claims that Michael Sussmann Coordinated with Hillary

Among the accusations John Durham made when he charged Michael Sussmann with a single false statement count in September 2021 was that Sussmann had coordinated with the Hillary Campaign.

SUSSMANN, [Rodney Joffe], and [Perkins Coie] had coordinated, and were continuing to coordinate, with representatives and agents of the Clinton Campaign with regard to the data and written materials that SUSSMANN gave to the FBI and the media.

Coordinating with a client is not a crime. Working with a client to share suspicious data with the FBI is also not a crime. Indeed, Sussmann spent a great deal of his time in 2016 doing just that after the Hillary Campaign and several other Democratic Party committees were hacked by Russia.

The allegation that Sussmann “coordinated” with a client is included as one of three materiality claims regarding Sussmann’s alleged lie. To prove Sussmann is guilty, Durham has to prove not just that Sussmann made a willfully false claim to James Baker in a meeting on September 19, 2016, but that it mattered. One way Durham claims he will do that is, first, by proving that this effort was coordinated with the Hillary campaign and then establishing that,

it was relevant to the FBI whether the conveyor of these allegations (SUSSMANN) was providing them as an ordinary citizen merely passing along information, or whether he was instead doing so as a paid advocate for clients with a political or business agenda. Had SUSSMANN truthfully disclosed that he was representing specific clients, it might have prompted the FBI General Counsel to ask SUSSMANN for the identity of such clients, which in turn might have prompted further questions.

One of the first things Sussmann did after being charged was ask — first, informally, and then, via a Motion for a Bill of Particulars — with whom on the Hillary Campaign he coordinated.

Fifth and finally, the Indictment conceals the actual identity of certain individuals and entities alleged to have witnessed and otherwise been involved in the conduct giving rise to the false statement charge, including the names of the agents and representatives of the campaign on whose behalf Mr. Sussmann was allegedly working. Id. ¶ 6. The entire animating theory of the Special Counsel’s Indictment is that, in meeting with the FBI and the other government agency, Mr. Sussmann was secretly working on behalf of Hillary Clinton’s 2016 campaign for president (the “Clinton Campaign”). The Special Counsel should be required to identify with which agents and representatives of the Clinton Campaign Mr. Sussmann was allegedly working so that Mr. Sussmann can adequately prepare his defense.

Counsel for Mr. Sussmann previously asked the Special Counsel to provide the detail and particulars identified above, but the Special Counsel declined to do so. The Special Counsel should not be permitted, on the one hand, to allege that Mr. Sussmann was working on behalf of the Clinton Campaign, but on the other hand, decline to identify the specific individuals with whom he was purportedly working.

7 The Special Counsel has identified virtually all of the other anonymous individuals and entities referred to in the Indictment (except, as noted above, the Agency-2 employees).

That motion was filed on October 6. In a response filed on October 20, Durham refused to provide the names of those on the Clinton Campaign with whom Sussmann coordinated, but instead pointed to these paragraphs of the indictment, only one of which even names people from the campaign, and none of which describes Sussmann speaking directly to anyone from the campaign.

d. In or around the same time period [mid-August 2016], SUSSMANN, [Marc Elias], and personnel from [Fusion GPS] began exchanging emails with the subject line, “Connecting you all by email.”

[snip]

g. Later in or about August 2016, [Rodney Joffe] exchanged emails with personnel from [Fusion GPS].

[snip]

e. On or about September 15, 2016, [Elias] exchanged emails with the Clinton Campaign’s campaign manager, communications director, and foreign policy advisor concerning the [Alfa Bank] allegations that SUSSMANN had recently shared with [Franklin Foer]. [Elias] billed his time for this correspondence to the Clinton Campaign with the billing entry, “email correspondence with [Jake Sullivan], [name of campaign manager], [name of communications director] re: [Alfa Bank] Article.” [emphasis added by Durham]

On October 20, over a month after indicting Sussmann, Durham was still refusing to name any Clinton Campaign personnel with whom Sussmann had coordinated directly.

That’s why this detail in Sussmann’s response to Durham’s conflict motion matters so much:

[T]he Special Counsel has alleged that Mr. Sussmann met with the FBI on behalf of the Clinton Campaign, but it was not until November 2021—two months after Mr. Sussmann was indicted—that the Special Counsel bothered to interview any individual who worked full-time for that Campaign to determine if that allegation was true.

When Durham refused to answer Sussmann’s requests, in September and October, to tell him with whom on the Clinton campaign he had been coordinating, Durham still had never interviewed a single Clinton staffer. He first did so in November.

The discovery update submitted on January 25 reveals that that single Clinton staffer remained the sole Clinton staffer Durham had interviewed to that date.

Yesterday, Durham added a securities fraud prosecutor to his team, suggesting he’s going to try to change the theory of his case (I suspect, by suggesting Sussmann’s billing practices show he was trying to hide Rodney Joffe’s role).

But as I’ll lay out, there are tons of instances of this, where Durham demonstrably failed to do basic investigative work before charging Sussmann five years after a claimed lie.

Update: Sussmann has filed his motion to dismiss. It is entirely a challenge to the materiality of his alleged lie. Motions to dismiss rarely work. He’s got good lawyers and he’s making a solid argument. Of note, he points out that Durham has never claimed that the tip wasn’t true or that Sussmann should have known it was not.

Guest Post: We Need to Talk about DNS

[NB: This is a guest post by long-time community member WilliamOckham. Give him a shout in comments. /~Rayne]

For most people, the Domain Name System (DNS) is one of the most boring topics imaginable. However, the Department of Justice’s Special Counsel John Durham – through a frothy mixture of technical incompetence and apparent malice in his published court filings – generated unusual interest in DNS from a lot of folks who’ve never thought about it before.

To understand DNS better, here’s an explanation simple enough even for lawyers who would like to keep their bosses from embarrassing them in federal court.

DNS is used to match and link domain names to Internet Protocol (IP) addresses. When one device needs to connect to another device via the internet, it needs to know the other’s IP address. Humans generally prefer to use names. Remembering a person’s or business’s name is much easier than recalling a string of numbers ranging from 12 to 32 digits (32 bits for older IPv4 addresses and 128 bits for newer IPv6 addresses).

Image: Comparitech.com c. 2019

I’ll use “example.com” to illustrate a domain name. As you might guess, example.com is a special-use domain which isn’t resolved normally; it can be used to demonstrate how domain names work without inadvertently generating unnecessary DNS lookups.

It’s a lot easier to input www.example.com instead of 2606:2800:220:1:248:1893:25c8:1946 and certainly a lot easier to remember. However, your device can’t possibly store the IP address of every damn server in the entire world just to make data entry easier.

Instead, every device on the internet stores the address of one of the thousands of DNS servers. Devices are usually configured to use a DNS server maintained by the internet service provider which provides connectivity for that device.

When your device needs to connect to www.example.com, it sends a DNS lookup request to its primary DNS server. That server doesn’t store the address of every server on the internet either. If you or someone else using that DNS server has asked for that address recently, the DNS server might know the address and send it back to you.

However, if it doesn’t have an IP address for example.com, it will issue requests to other DNS servers, looking for one that does know the address. In a worst-case scenario, the request ends up going to one of the root DNS servers. They can reach a DNS server for any domain name on the internet.

During the time period subject to Durham’s investigation, virtually all DNS lookups happened in the open, unencrypted. They were recorded by DNS servers. Each time a website address was typed into a browser’s address bar, a DNS server logged the IP address of the device requesting the IP address for some other server. DNS lookup data isn’t proprietary or secret.
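To make the lookup path above concrete, here is a small simulation added as an illustration (it is not the guest author’s code and not real DNS software): a recursive resolver with a cache and a query log sitting in front of made-up root, TLD and authoritative servers. The class and function names, the zone data, the TTLs and the client addresses are all constructed for the example; the addresses come from documentation ranges.

```python
import ipaddress
from collections import Counter

# Constructed zone data; every address is from a documentation range.
ROOT_ZONE = {"com.": "tld-com"}                          # root: TLD -> TLD server
TLD_ZONES = {"tld-com": {"example.com.": "ns-example"}}  # TLD server: domain -> authoritative server
AUTH_ZONES = {"ns-example": {                            # authoritative: name -> (address, TTL seconds)
    "www.example.com.": ("2001:db8::1946", 300),
    "mail.example.com.": ("192.0.2.25", 60),
}}


class RecursiveResolver:
    """The DNS server a device is configured to use (for example, the ISP's)."""

    def __init__(self):
        self.answers = {}      # qname -> (address, expiry time)
        self.delegations = {}  # zone -> authoritative server (never expires here, a simplification)
        self.query_log = []    # (time, client IP, qname): the records DNS analysis works from
        self.upstream = []     # (server asked, qname): queries this resolver sent onward

    def _ask_upstream(self, qname):
        labels = qname.rstrip(".").split(".")
        if len(labels) < 2:
            return None
        tld, zone = labels[-1] + ".", ".".join(labels[-2:]) + "."
        auth = self.delegations.get(zone)
        if auth is None:
            # Worst case: nothing is known about this domain, so start at the root.
            self.upstream.append(("root", qname))
            tld_server = ROOT_ZONE.get(tld)
            if tld_server is None:
                return None
            self.upstream.append((tld_server, qname))
            auth = TLD_ZONES[tld_server].get(zone)
            if auth is None:
                return None
            self.delegations[zone] = auth
        self.upstream.append((auth, qname))
        return AUTH_ZONES[auth].get(qname)

    def resolve(self, client_ip, name, now):
        qname = name.lower().rstrip(".") + "."
        # Every request is logged with the requester's address, cache hit or not.
        self.query_log.append((now, client_ip, qname))
        cached = self.answers.get(qname)
        if cached and cached[1] > now:
            return cached[0]
        record = self._ask_upstream(qname)
        if record is None:
            return None  # no such name (real resolvers also cache negative answers)
        address, ttl = record
        self.answers[qname] = (address, now + ttl)
        return address


def lookups_by_network(query_log, networks, qname=None):
    """Count logged lookups per labelled source network, optionally for one name."""
    nets = {label: ipaddress.ip_network(cidr) for label, cidr in networks.items()}
    counts = Counter()
    for _, client_ip, asked in query_log:
        if qname is not None and asked != qname:
            continue
        addr = ipaddress.ip_address(client_ip)
        label = next((lbl for lbl, net in nets.items() if addr in net), "other")
        counts[label] += 1
    return counts


def run_demo():
    resolver = RecursiveResolver()
    results = [
        resolver.resolve("198.51.100.10", "www.example.com", now=0),     # cold: root, TLD, authoritative
        resolver.resolve("198.51.100.11", "WWW.example.com.", now=10),   # answered from cache
        resolver.resolve("203.0.113.5", "mail.example.com", now=20),     # delegation known: authoritative only
        resolver.resolve("198.51.100.10", "www.example.com", now=400),   # TTL expired: authoritative again
        resolver.resolve("203.0.113.5", "nosuch.example.com", now=401),  # name does not exist
    ]
    return resolver, results


if __name__ == "__main__":
    resolver, results = run_demo()
    print(results)
    print(len(resolver.query_log), "client lookups logged;",
          len(resolver.upstream), "upstream queries")
    print(lookups_by_network(resolver.query_log,
                             {"office": "198.51.100.0/24", "home": "203.0.113.0/24"}))
```

The query log grows with every client request while the upstream list grows only on cache misses, which is why the resolver a device talks to sees far more of that device’s lookups than the root servers ever do.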

Gathering, collating, and analyzing DNS lookup requests, however, is expensive and valuable. It’s a massive amount of data. Billions of DNS requests are issued every day. There are a few companies specializing in managing incredibly large amounts of DNS data. During the time period covered by Durham’s filings, Michael Sussmann’s technology executive client (Tech Executive-1) at a U.S.-based Internet company (Internet Company1) worked for such a firm.

Having access to DNS data had nothing to do with hacking servers, spying, surveillance or anything else nefarious. It was part of Tech Executive-1’s job.

Tech Executive-1’s responsibilities included monitoring anomalies in Internet Company1’s DNS database. As one of Durham’s filings indicated, Tech Executive-1’s firm found “that between approximately 2014 and 2017, there were a total of more than 3 million lookups of Russian Phone-Provider-1 IP addresses that originated with U.S.-based IP addresses.”

Contra Durham, 3 million DNS requests for related IP addresses over a four-year period means these requests are very rare.

For comparison purposes, my best estimate is that my family (7 users, 14 devices) generated roughly 2.9 million DNS requests just from checking our email during the same time frame. That’s not even counting DNS requests for normal web browsing.

If you’re going to make a federal case out of this, at least make some attempt to understand the topic.

Kash Patel Knew, and Did Nothing, about the Latest Durham-Related Frenzy

As predicted, the latest Durham filing has jacked up the frothy right. It even led the Former President to claim these actions should be “punishable by death.”

But the oddest statement came from “Former Chief Investigator for Russia Gate [sic]” and current key witness to an attempted coup, Kash Patel, sent out by the fake Think Tank that hosts some of the former Trumpsters most instrumental in covering up for Trump corruption.

Taken literally (which one should not do because it is riddled with false claims), the statement is a confession by Kash that he knew of what others are calling “spying” on Trump and did nothing to protect the President.

Let’s start, though, by cataloguing the false claims made by a man who played a key role in US national security for the entirety of the Trump Administration.

First, he claims that the Hillary Campaign, “ordered … lawyers at Perkins Coie to orchestrate a criminal enterprise to fabricate a connection between President Trump and Russia.” Thus far, Durham has made no claims about any orders coming from the Hillary Campaign (and the claim that there were such orders conflicts with testimony that Kash himself elicited as a Congressional staffer). The filing in question even suggests Perkins Coie may be upset about what Sussmann is alleged to have done.

Latham – through its prior representation of Law Firm-1 – likely possesses confidential knowledge about Law Firm-1’s role in, and views concerning, the defendant’s past activities.

In fact, in one of the first of a series of embarrassing confessions in this prosecution, Durham had to admit that Sussmann wasn’t coordinating directly with the Campaign, as alleged in the indictment.

Kash then claims that “Durham states that Sussmann and Marc Elias (Perkins Coie) … hired .. Rodney Joffe … to establish an ‘inference and narrative’ tying President Trump to Russia.” That’s false. The indictment says the opposite: Joffe was paying Perkins Coie, not the other way around. Indeed, Durham emphasized that Joffe’s company was paying Perkins Coie a lot of money. And in fact, Durham shows that the information-sharing also went the other way. Joffe put it together and brought it to Perkins Coie. Joffe paid Perkins Coie and Joffe brought this information to them.

Kash then claims that “Durham writes that he has evidence showing Joffe and his company were able to infiltrate White House servers.” Kash accuses the Hillary Campaign of “mastermind[ing] the most intricate and coordinated conspiracy against Trump when he was both a candidate and later President.” This betrays either real deceit, or ignorance about the most basic building blocks of the Internet, because nowhere does Durham claim that Joffe “infiltrated” any servers. Durham, who himself made some embarrassing technical errors in his filing, emphasizes that this is about DNS traffic. And while he does reveal that Joffe “maintain[ed] servers for the EOP,” that’s not infiltrating. These claims amount to a former AUSA (albeit one famously berated by a judge for his “ineptitude” and “spying”) accusing a conspiracy where none has been charged, at least not yet. Plus, if Joffe did what Kash claims starting in July 2016, as Kash claims, then Barack Obama would be the one with a complaint, not Trump.

Finally, Kash outright claims as fact that Joffe “exploited proprietary data, to hack Trump Tower and the Eisenhower Executive Office Building.” This claim is not substantiated by anything Durham has said and smacks of the same kind of conspiracy theorizing Louise Mensch once engaged in. Only, in this case, Kash is accusing someone who has not been charged with any crime — indeed, a five year statute of limitation on this stuff would have expired this week — of committing a crime. Again: a former AUSA, however inept, should know the legal risk of doing that.

Curiously, Kash specifies that the White House addresses involved were in the Eisenhower Executive Office Building. That could well be true, but Durham only claims they were associated with EOP, and as someone who worked there, Kash should know that one is a physical structure and the other is a bureaucratic designation. But to the extent Kash (who has flubbed basic Internet details already) believes this amounted to hacking the EOP, it is based off non-public data.

So, like I said, the piece is riddled with false claims, but with two claims that go beyond anything Durham has said.

The statement is all the stranger given that Kash Patel knew about these allegations four years ago, at a time when he was one of the most powerful Congressional staffers on matters pertaining to intelligence.

And he did nothing about them.

Well. He did do something.

He started this line of inquiry — brought it up entirely out of the blue — in an interview of Michael Sussmann largely focused on Sussmann’s response to a hostile attack by Russia.

About a quarter of the way into an interview on December 18, 2017, after Sussmann debunked the frothy right’s conspiracy theory about the DNC being unwilling to share information with the FBI (which was a central focus of the interview), a staffer veered away from that line of questioning and asked about other meetings. Sussmann answered the questions that someone interested in cybersecurity would have wanted to know: how does the government share information with a high-profile victim of a nation-state attack?

Q That’s helpful. Thank you. Going over to – moving on from CrowdStrike and the FBI, did you ever have any interactions with any other government agencies in relation to the DNC hack, Russian involvement in the 2016 elections, or anything like that, or any members of any government agencies?

A So, yes. For the intrusion, I believe our contacts initially and for a while were only with the FBI. And there came a time when we got involved with the Department of Homeland Security, and had a variety of ongoing meetings with them for various purposes. We reached out to State officials, to the State — Association of Chief Information Officers from the States.

But that’s not what this staffer was interested in. This staffer was thinking big.

Q Did you meet with anybody else, any members of the Intelligence Community, either officially or unofficially, to discuss these matters?

MS. RUEMMLER: With respect to the DNC?

Q The DNC, the 2016 Russia election, all things that fit under that sort of general big title.

Sussmann, perhaps sensing this staffer was about to deliver a gotcha, noted that he didn’t always know who was in a room.

A So let me provide one general exception. I had meetings and calls with the FBI when there were a lot of people in the room, and I don’t necessarily know —

Q Yeah, I don’t mean that.

A — who was there.

That’s not what this staffer was after either. The staffer wanted to know about a meeting Sussmann had with the CIA.

Q I don’t mean the FBI. I don’t mean those big conference calls or anything like that. I mean, did you have any engagements with any members of the Intelligence Community, not the FBI, one-on-one, or in small groups, or telephone calls, or communications with folks, say, such as the Central Intelligence Agency?

Sussmann responded as to the subject of the interview, the DNC hack: no, all the meetings were with FBI or DHS. That’s when the staffer in question revealed he wanted to know about other topics.

A I think as regards to the I think all of the hacking — I think all of the hacking stuff was limited to the FBI and DHS.

Q Okay. So you never had any communications with members of the CIA [redacted] discussing the — not only the hack, but also the possible Russian intrusion and Russian involvement in the 2016 election?

That’s when Kathryn Ruemmler, representing Sussmann, referred to the staffer in question by name: Kash. This line of questioning was done by Kash Patel (which isn’t surprising, seeing as how at the time he was the “Chief Investigator for Russia Gate [sic]”).

MS. RUEMMLER: Kash, just to clarify, you’re talking about the 2016 timeframe here? [my emphasis]

The staffer now identified as Kash continued, making it clear he already knew the answer to the question he was asking. He already knew about this meeting.

Q Well, that’s when that incident occurred. I’m asking if you ever have from that time until today?

A So I have — I have various contacts with members of law enforcement and the Intelligence Community on behalf of a number of different clients. So I’m not sure how to —

Q Sure. I’ll narrow it down for you. Fair enough. As it relates to what you and I have been talking about here today

A Right.

Q – that is, the DNC hack, the Russian involvement in the 2016 election, and any information that was derived therefrom, did you meet or discuss with any members of the Intelligence Community outside of the FBI to provide information, talk to them about these matters? Did they reach out to you? Did anything like that ever happen in 2016 or 2017?

With her client having been asked about a topic that wasn’t among the topics he had prepared to discuss or among the clients whose privileged matters he had gotten prior authorization to discuss and apparently worried about ethical issues, Ruemmler asked if she and Sussmann needed to take a minute to confer.

MS. RUEMMLER: Do you want to confer for a second?

MR. SUSSMANN: I just want to talk about the range of – I have a lot of different clients, and since we’ve just spoken —

MS. RUEMMLER: As long as you don’t reveal identity of them, which you’re not permitted to do under the rules, or any content.

MR. SUSSMANN: Can we step outside and talk about how to deal with the range of clients?

MS. RUEMMLER: Yes.

[Discussion off the record.]

MR. SUSSMANN: Thank you.

At this point, if Sussmann were really hiding this stuff (as John Durham claims), he could have refused to answer the question, citing that privilege and the off-topic question. But Sussmann didn’t do that. He consulted with Ruemmler (something that Durham is now making a stink about), then came back in the room, noted that Kash had asked an off-topic question, but nevertheless answered honestly.

[The reporter read the record as requested.]

MR. SUSSMANN: So I’m not clear as to the scope of what you’re asking your question, but I’m going to be sort of more expansive in my answer, because there’s nothing — you said in relation to the things that we discussed today, and this is not something we’ve discussed today.

But I did have — I don’t believe I had — so two things. I don’t believe I had — I didn’t have direct contact with [NSA] but I can relate to you some indirect contacts with [NSA]. And I had a meeting [at CIA] as well.

That’s what Kash was looking for.

Okay.

Sussmann explained, noting that this was classified.

A The [NSA] contact related to specifically my representation of the DNC, and my contact [with CIA] did not relate to my specific representation of the DNC, or the Clinton campaign, or the Democratic Party. And I also — I’m not — I will do the best that I can with you. I think there are limits to what I can discuss in an unclassified setting.

Kash asked about the CIA meeting.

Q Okay, fair enough. What was your contact [with CIA] about?

A So the contact [with CIA] was about reporting to them information that was reported to me about possible contacts, covert or at least nonpublic, between Russian entities and various entities in the United States associated with the — or potentially associated with the Trump Organization.

Q And when did that contact [with CIA] occur, month and year?

A February 2017.

Q Where did you get that information from to relay to [CIA]?

A From a client of mine.

Q Why did you go [to CIA]?

After Ruemmler interrupted again to remind Sussmann not to violate privilege, he explained that he reached out on this front because he knew of Obama’s effort to get a review of potential Russian involvement in the election.

Q You did say, right, that you had — you’d received information from a client — I’m not asking who — that may be germane to the 2016 election and associates of the Trump campaign or people affiliated with the Trump campaign.

So my follow-up question was, why did you go to [CIA] with this information?

A Oh, I’m sorry. And I apologize. I remember what I was going to say. It was — it was, in large part, in response to President Obama’s post-election IC review of potential Russian involvement in the election. And in that regard, I had made outreach prior to the change in administration in 2016. And for reasons known and unknown to me, it took a long time to — or it took — you know, it took a while to have a meeting, and so it ended up being after the change in administration.

The line of questioning continued later with someone else, because Kash had to leave. In those questions, Sussmann factually answered the information came from a client he had represented before the DNC, and admitted he had the information prior to the election. He explained his motive for sharing the information with James Baker (which led the FBI to be able to intervene and prevent the NYT from publishing, something Durham didn’t bother to investigate before indicting Sussmann) and CIA. He admitted that Perkins Coie still represented the DNC when he met with the CIA, though he wasn’t doing work for them anymore. And, in a passage that will be a focal point of the trial, he described how he and Joffe decided together to share this information.

Q Okay. I want to ask you, so you mentioned that your client directed you to have these engagements with the FBI and [CIA] and to disseminate the information that client provided you. Is that correct?

A Well I apologize for the double negative. It isn’t not correct, but when you say my client directed me, we had a conversation, as lawyers do with their clients, about client needs and objectives and the best course to take for a client.

And so it may have been a decision that we came to together. I mean, I don’t want to imply that I was sort of directed to do something against my better judgment, or that we were in any sort of conflict, but this was — I think it’s most accurate to say it was done on behalf of my client.

In other words, Kash and his colleagues have known the outlines of this for over four years.

At the time, and in his next job at NSC, Kash would have had ready access to the CIA for more details about the meeting — indeed, he came into this interview knowing about it already.

At the time, and in his next job at NSC, and in his next job as DOD Chief of Staff, Kash would have had knowledge of Rodney Joffe’s contracts with FBI and NSA.

At the time, and in his next job at NSC, and in his next job as DOD Chief of Staff, Kash would have had access to the DARPA contract, which got extended afterwards.

In his comment, the Former President said that “those who knew about this” should be subject to criminal prosecution. And Kash Patel was, at all moments between December 2017 and January 2021, not only aware of the outlines and the players, but he did nothing.

Whatever else this kerfuffle has done, it has made Kash’s exposure as a witness in this case quite dicey. Because not only is Kash a witness that Sussmann was not hiding what he did, but he is someone who for years was in a position to do something about it, and he did nothing.

John Durham, Ask Not for Whom the Statute of Limitation Tolls …

As he did with Igor Danchenko, John Durham has raised a potential conflict as a way to air his conspiracy theories so he can jack up the frothy right. In this case, he describes an uncharged meeting at which Michael Sussmann, who no longer had anything to do with the DNC, shared an updated version of the Alfa Bank allegations with the CIA on February 9, 2017.

The Indictment further details that on February 9, 2017, the defendant provided an updated set of allegations – including the Russian Bank-1 data and additional allegations relating to Trump – to a second agency of the U.S. government (“Agency-2”). The Government’s evidence at trial will establish that these additional allegations relied, in part, on the purported DNS traffic that Tech Executive-1 and others had assembled pertaining to Trump Tower, Donald Trump’s New York City apartment building, the EOP, and the aforementioned healthcare provider. In his meeting with Agency-2, the defendant provided data which he claimed reflected purportedly suspicious DNS lookups by these entities of internet protocol (“IP”) addresses affiliated with a Russian mobile phone provider (“Russian Phone Provider-1”). The defendant further claimed that these lookups demonstrated that Trump and/or his associates were using supposedly rare, Russian-made wireless phones in the vicinity of the White House and other locations. The Special Counsel’s Office has identified no support for these allegations. Indeed, more complete DNS data that the Special Counsel’s Office obtained from a company that assisted Tech Executive-1 in assembling these allegations reflects that such DNS lookups were far from rare in the United States. For example, the more complete data that Tech Executive-1 and his associates gathered – but did not provide to Agency-2 – reflected that between approximately 2014 and 2017, there were a total of more than 3 million lookups of Russian Phone-Provider-1 IP addresses that originated with U.S.-based IP addresses. Fewer than 1,000 of these lookups originated with IP addresses affiliated with Trump Tower. 
In addition, the more complete data assembled by Tech Executive-1 and his associates reflected that DNS lookups involving the EOP and Russian Phone Provider-1 began at least as early 2014 (i.e., during the Obama administration and years before Trump took office) – another fact which the allegations omitted.

The frothy right is very excited that, among the data that someone heavily involved in cybersecurity like Rodney Joffe would have ready access to, was data that included the White House. They seem less interested that, to disprove the allegations Sussmann presented, Durham effectively (in their frothy minds) conducted the same “spying” on EOP networks of President Obama that Durham insinuates Joffe did of Trump.

Remember: This meeting is not charged. It’s not clear such a meeting with the CIA could be charged. Durham presents zero evidence Sussmann knows anything about the comparative value of this data, either.

That’ll become important in a bit.

The conflicts Durham raises to justify this filing are a bit more interesting than the ones he raised with Danchenko. Latham & Watkins used to represent Perkins Coie and Marc Elias in this matter; now they represent just Sussmann, and Elias will be asked to testify about instructions Sussmann got about billing records in his representation of the DNC. Latham represented the DNC. Latham represented Sussmann in December 2017 House Intelligence testimony that significantly undermines Durham’s indictment (and shows that the allegations at the core of this indictment originally came from Kash Patel, who by the time of trial may be charged for his participation in helping Trump attempt a coup). Latham also provided Perkins Coie advice regarding a PR statement whose privilege, Durham admits, he’s not been able to pierce, and he knows those who made the statement had no knowledge that could implicate the statement in a conspiracy. Somebody on Sussmann’s team used to work at the FBI and then worked for the White House. Those are the conflicts — more substantive than the ones Durham raised about Danchenko, but probably nothing that problematic.

Which makes the relative timing of this filing all the more interesting.

With Danchenko, Durham raised the potential conflict, first, at a status hearing less than two weeks after Stuart Sears filed a notice of appearance for Danchenko, and then again, in a filing two weeks after Sears filed, for a less pressing imagined conflict involving different lawyers in Sears’ firm.

With Sussmann, Durham waited for almost five months after indicting Sussmann to raise the conflict, even though all but one element of the imagined conflict would have been immediately apparent to Durham, not least that Latham had previously represented Elias.

That doesn’t seem to reflect any real burning concern about this conflict.

But, as noted, it did give Durham an excuse to float previously unreleased information that may not even come in at trial, given that it’ll have to be presented as 404(b) evidence and it, in fact, as presented, undermines the claim that Sussmann was hiding his ties to Hillary from the Federal government.

If the information doesn’t come in at trial, this may be Durham’s only chance to jack up the frothy right with it.

And that’s interesting because of the date of that CIA meeting: February 9, 2017, five years and two days before Durham filed this belated notice of a conflict.

As I keep noting, Durham is obviously trying to pull his fevered conspiracy theories into an actual charged conspiracy, one tying together the DNC, Fusion GPS, Christopher Steele, and Hillary herself. If he succeeds, these flimsy charges (against both Sussmann and Danchenko) become stronger, but if he doesn’t, he’s going to have a harder time proving motive and materiality at trial.

After charging Sussmann on almost the last possible date before the statute of limitations expired for his claimed lie to the FBI, though, Durham would need something on which to hang a continuing conspiracy to be able to charge the others. One of those events could have been the PR statement issued in 2018, which Durham says is inaccurate.

Privilege logs and redacted emails obtained from Law Firm-1 in this investigation reflect that in the days before the issuance of these statements, Latham attorneys sent, received, and/or were copied on correspondence relating to the drafting and dissemination of the statements. (Much of the substance of those emails was redacted and withheld from the Special Counsel’s Office pursuant to Law Firm-1’s assertion of attorney-client privilege and attorney work product protections). Because the defendant was aware of and/or reviewed these media statements, the Government may seek to offer them as evidence pursuant to Rule 404(b) or other provisions of law to establish that the defendant sought to conceal the Clinton Campaign’s ties to the Russian Bank-1 allegations from the FBI and others.3

3 According to counsel for Law Firm-1, the attorneys at Law Firm-1 and Latham who participated in drafting and/or reviewing these statements were unaware at the time that the defendant had billed work on the Russian Bank-1 allegations to the Clinton Campaign.

Except, as laid out here, none of the Perkins Coie people involved in writing the statement knew how Sussmann had billed his time. And Durham hasn’t found a reason to otherwise pierce the privilege claims that went into the drafting of the statement.

So that’s probably not going to work to establish his continuing conspiracy.

The other event on which Durham might have hung a continuing conspiracy was that February 9 meeting. It involved updated work from Joffe, after all. And Durham claims Sussmann again deliberately hid who his client was rather than (as he now knows Sussmann did for tips from Joffe that had nothing to do with Donald Trump) just sharing a tip anonymously.

But instead of rolling out what Sussmann presented in that February 9 meeting five years and two days ago in a conspiracy indictment, Durham instead packaged it up in a filing pertaining to a potential conflict. This February 9 meeting, it appears, won’t be the hook on which Durham gets to charge a conspiracy.

I’m not saying that Durham won’t be able to pull together his grand conspiracy. He might next point to testimony in Congress (possibly Glenn Simpson’s) to claim that there was some grand cover-up of what he imagines was an attempt to smear Donald Trump. Except, as this filing admits, Sussmann’s sworn testimony to the House Intelligence Committee shows that when asked — by future coup investigative subject Kash Patel — Sussmann testified consistently with sharing this information on behalf of Joffe, which is what Sussmann’s currently operative story remains. Durham did suggest he thinks he can show Sussmann misled members of Congress because he claims it was, “knowingly and intentionally misleading insofar as it failed to disclose that the defendant billed work on the Russian Bank-1 allegations to the Clinton Campaign,” except (as with the alleged lie more generally) that’s not what he was asked about.

By all means, John Durham, make Kash Patel a witness at your trial. Give Sussmann an opportunity to ask how Kash came to learn of this meeting in the first place, to say nothing about whether Kash has recently been involved in efforts to overthrow the US government.

Whatever Durham hopes to use to sustain the claim of a continuing conspiracy, this filing seems to concede that the lies Durham claims Sussmann told in that meeting that took place five years and a few days ago will not be charged.

Ask not for whom the statute of limitations tolls, John Durham. It tolls for you.