Posts

“Something Like This Has 0 Repercussions if You Mess Up:” John Durham Debunked the Alfa Bank Debunkery

As you know, John Durham failed spectacularly in trying to use a false statement charge against Michael Sussmann to cement a wild conspiracy theory against the Democrats.

But Durham did succeed in one thing (though you wouldn’t know it from some of the reporting from the trial): He utterly discredited the FBI investigation into the Alfa Bank allegations. Lead prosecutor Andrew DeFilippis even conceded as much in his closing argument.

Now, ladies and gentlemen, you have heard testimony about how the FBI handled this investigation. And, ladies and gentlemen, you’ve seen that the FBI didn’t necessarily do everything right here. They missed opportunities. They made mistakes. They even kept information from themselves.

That’s a fairly stunning concession from DeFilippis. After all, DeFilippis asked the guy who was responsible for some of the worst failures in the investigation, Scott Hellman, to be his expert witness, even though Hellman, by his own admission, only “kn[e]w the basics” of the DNS look-ups at the heart of the investigation. Along with Nate Batty, Hellman wrote an analysis of the Alfa Bank white paper in less than a day that:

  • Misstated the methodology behind the white paper
  • Blew off a reference to “global nonpublic DNS activity” that should have been a tip-off about the kinds of people behind the white paper
  • Falsely claimed that the anomaly had only started three weeks before the white paper when in fact it went back months
  • Asserted that there was no evidence of a hack even though a hack is one of the hypotheses presented in the white paper for the anomaly at Spectrum Health (Spectrum itself said the look-ups were the result of a misconfigured application)

Later testimony showed that, after speaking to Hellman and before even checking whois records, the Chicago-based agent who had a lead role in the investigation told a supervisor that “we’re leaning towards this being a false server.”

Within hours, Miami-based agents had confirmed with Cendyn that was false.

In spite of being so egregiously misled from the start by the guys in Cyber, agent Curtis Heide testified in cross-examination by Sussman’s attorney, Sean Berkowitz, that Hellman’s analysis was one of the four things that he believed supported a finding that the anomaly was not substantiated.

Q. Okay. I think near the end of your examination by Mr. Algor he questioned you about your basis for concluding that there was — that the allegations were unsubstantiated. And I think you gave four reasons. I’m going to run through them. If there’s more, that’s okay. Number one, you said the assessment done by Agents Hellman and Batty. Correct?

A. Yes.

Q. Two, the review of the logs. Correct?

A. Yes.

Q. Three, the Mandiant conclusion. Correct?

A. Yes.

Q. And four, the discussions with Spectrum Health about the TOR node. Correct?

A. Yes.

Q. Anything else that you can recall, sir, as to why it was that your investigation, or rather the investigation that you oversaw, suggested that the allegations were unsubstantiated?

A. The only other thing I can think of would be my training and experience with — relating to Russia and cyber investigations.

Q. And is there anything in particular about that that you recall today?

A. With respect to the white paper, it didn’t — when I read through it initially, I had several questions, and it didn’t appear to be consistent with Russian TTPs.

Another thing Heide relied on was the analysis from Mandiant, which Alfa Bank hired to investigate after NYT reached out. According to Franklin Foer’s story, Lichtblau reached out to Alfa on September 21, after Sussmann had given the FBI a heads up but before the FBI asked Lichtblau to hold the story on September 26, so in the window when the FBI had a chance — but failed — to protect the investigation.

One of the truly insane parts of this investigation, by the way — which was conducted entirely during the pre-election window when overt actions were prohibited — was that FBI big-footed to Cendyn and Listrak before sending NSLs to them. And by that point, Alfa Bank was calling the FBI.

A report that was not explained amid the primary resources from the investigation, but which was concluded by October 3, reveals that Chicago’s conclusion was almost entirely based on what Alfa told the FBI and Mandiant.

There was nothing in the case documentation until a 302 for a March 27, 2017 interview done in association with Alfa’s 2017 claims of spoofed DNS traffic (the interview may have been done with Kirkland and Ellis) that documented that, when Mandiant arrived the previous year to investigate, there were no logs to investigate.

Indeed, Heide testified on cross-examination that he had never learned of that fact. At all.

Q. And were you aware, while you were doing the investigation, that Mandiant, when it went to talk to AlfaBank to look into these allegations, did not have any historical data, that Alfa-Bank did not provide any historical data to Mandiant? Did you know that?

A. No

We now know that at a time when “Executives at the highest level of ALFA BANK leadership” had been hoping to “exonerate them[selves]” in 2017, Petr Aven had already started acting on specific directives from Vladimir Putin, including trying to open a back channel to Trump.

Plus, at least as far as Listrak could determine, while the marketing server had sent materials to Spectrum, it had never sent anything to Alfa Bank. The stated explanation that this was spam, then, conflicts with what FBI was seeing in the logs.

As for Spectrum — another of the reasons Heide pointed to — there’s no evidence of anyone reaching out to them (as compared to interactions with agents in Philadelphia and Miami who reached out to Listrak and Cendyn, respectively).

It’s true that the anomaly at Spectrum was not a Tor node (something that researchers came to understand themselves around the time Sussmann shared the allegations with the FBI). But it’s also true that, per Cendyn (which only looked back a month), the identified IP address at Spectrum was reaching out to the Trump server.

The IP address in question showed up in traffic that may be associated with Chinese hacking.

This then might have corroborated the hypothesis, from the white paper, of a hack of Spectrum, but by this point, Hellman had long before decided there was no evidence of a hack and this was, “just garbage.”

That leaves the logs, Heide’s fourth reason for believing FBI had debunked the Alfa Bank allegations. As far as the logs in question, former agent Allison Sands (who was assigned the investigation as a brand new case agent) told one of the tech people on September 26 that, “the end user [possibly Cendyn] is willing to provide logs but they dont have what we need.” Cendyn did share details of their own spam filter, which wouldn’t address the DNS look-ups themselves.

Then, on October 12, Sands told Heide that,

the ‘logs’ we got from Listrak were not network logs

they basically just confirm that trump org is one of their email clients, but they dont show destination email addresses or IPs or anything that we can use to[ ]determine any communications

[snip]

it was two excel spreadsheets

that was all we got

The FBI did get something. Sands testified that the FBI obtained upwards of 600,000 records (she described obtaining records from Cendyn, Listrak, and GoDaddy, but not Spectrum or Alfa Bank). But it’s not clear how useful those records really were. There’s a reference to the “take” elsewhere (see below), and redacted entries that look like intelligence targeting, plus a reference to an OGA partner reporting “no attempts.” (Here’s a reference to the OGA analysis that is redacted in other versions of the same email chain.) So it seems any useful logs came from another agency. But if that’s right, it would be targeted overseas.

In trial testimony, Sands described that her task was to prove that the allegation wasn’t true, not to explain what the anomaly was.

I knew still I had to rebuild from scratch and prove that this allegation wasn’t true.

In real time, too, she saw her task as disproving that emails had been shared, not even disproving that covert communication had occurred.

I have a few more logs to definitely prove there are no emails, and then Im putting it to bed

That’s a particularly problematic description given that the FBI had been told via other channels that there was some activity reflecting more than DNS look-ups.

That leaves, according to Heide’s judgement, just the observation that the DNS traffic was not consistent with known Russian techniques. Newbie agent Sands said something similar to Chris Trifiletti, Joffe’s handler and apparently sensitive for some other reasons. In response, he mused about whether Russia was “trying other things now that look more non traditional.”

We don’t know the answer to that, because the FBI didn’t try to figure it out.

Scott Hellman, the cyber agent who insisted at every opportunity he got that this was garbage was wrong about how long the anomaly had lasted, but he was right about one thing. On October 4, he advised newbie agent Sands that,

any chance you get to work something like this that truly has 0 repercussions if you mess it up ….take those opportunities

He did mess it up. It wasn’t just his own analysis; his repeated insistence that this was “garbage” appears to have made all the other investigators less careful, too. Six years later, we’re still no closer to understanding what happened.

Hellman was right about facing “zero repercussions if you mess it up.” By all appearances, he’s one of the few people who escaped any consequences for trying to investigate Russia in 2016. We know that several people — including Jim Comey, Andrew McCabe, Peter Strzok, and Bruce Ohr — were fired for their efforts to investigate Russia. We learned at the trial that Ryan Gaynor was threatened with criminal investigation for not answering questions the way Andrew DeFilippis wanted. Curtis Heide remains under FBI Inspection Division investigation for things he did in 2016. Rodney Joffe was discontinued as an FBI informant, according to him, at least, because he refused to cooperate with Durham’s investigation. Everyone who actually tried to investigate Russia in 2016 has faced adverse consequences.

But Hellman appears to have suffered none of those adverse consequences for fucking up an investigation into a still unexplained anomaly. On the contrary, he’s been promoted; he’s now a Supervisory Special Agent, leading a team of people who will, presumably, similarly blow off anomalies that might be politically inconvenient to investigate.

That’s the lesson of the Sussmann trial then: The only people who face zero consequences are the ones who fuck up.

Update: Corrected spelling of Hellman’s last name. Added Comey and McCabe to the list of those fired for investigating Russia. Removed Lisa Page–she quit before she was fired. In this podcast, Peter Strzok said that all FBI agents named in the DOJ IG Report are still under investigation.

Update: All the links to exhibits should be live now.

Update: Added detail that Listrak says Trump never sent marketing mail to Alfa Bank.

Timeline

I’ve put (what I believe are) all the exhibits about the FBI investigation below.

These times are surely not all correct. Durham consistently shared evidence without marking what time zone the evidence reflected. Importantly, some, but probably not all of the FBI Lync messages reflect UTC time; where I was fairly certain, I tried to reflect the time in ET, but in others, the timeline below doesn’t make sense (I’ll keep tweaking it). Some of the emails reflect the Chicago time zone.

September 19, 2:00PM: Sussmann Meeting

September 19: Priestap notes

September 19: Anderson notes

September 19, 3:00PM: Strzok accepts materials

September 19, 4:31PM: Gessford to Pientka: Moffa with info dropped off to Baker

September 19, 5:00PM: Sporre accepts materials

September 20, 9:30AM: Nate Batty to Jordan Smith: A/AD has two thumb drives.

September 20, 12:29PM: Batty accepts materials

September 20, 4:54PM: Batty and Hellman re analysis

September 21, 8:48AM: Batty to Hellman: at least look at the thumb drives [Batty Lync]

September 21, 4:25PM: Pientka Lync to Heide: People on 7th floor fired up about this server

September 21, 4:46PM: Batty to Heide and others: initial assessment

September 21, 1:10PM [time uncertain] Sands to Pape: Director level interest

September 21, 4:57PM: Norwat to Todd: Not a cyber matter

September 21, 5:06PM: Todd to Heide, cc Pientka

September 21, 5:52PM: Pientka to Heide: Nat [sic] Batty ha the thumb drives

September 22, 4:58AM: Hubiak to Heide: Let me know if you need anything from PH

September 22, 8:09AM: Todd to Marasco [noting thumb drives came from DNC, suggesting tie to debate]

September 22, 8:33AM: Pientka to Heide: Less than 24 hours to investigate, determine nexus, before losing traffic, watched by Comey

September 22, 9:30AM: Pientka to Moffa: Cyber, ugh. Read first email.

September 22, 9:59PM: Hellman to Heide: can you talk on link

September 22, 10:23AM: Marasco to Pientka: FYI

September 22, 11:13AM: Sands to Hubiak: Suspect email domain hosted on Listrak server — if you can help out with a knock and talk it would be great.

September 22, 11:14AM: Baker to Comey and others: Reporter is Lichtblau

September22, 11:34AM: Hubiak to Sands: Will start working on this now

September 22, 12:02PM: Batty to Wierzbicki: We think it’s a setup

September 22, 12:10PM: Heide to Pientka: We’re leaning to this being a false server.

September 22, 2:00PM: Pientka to Hubiak: Thanks for all your efforts. The CROSSFIRE HURRICANE Team greatly appreciates you running this to ground.

September 22, 4:22PM: Sands to all: open full investigation, summary of Hellman’s conclusions [OGA partner targeting Alfa?]

September 22, 5:33PM: Heide to Pientka: it’s a legit domain

September 22, 4:53PM: Sands to all: Cendyn agrees to cooperate, legit mail server

September 23, 8:26AM: Sands to Hubiak: Cendyn willing to cooperate and provide logs

September 23, 1:09PM: Heide to Sands: once we get that case opened, let’s cut a lead to the MM division requesting assisting with the interview, etc.

September 23, 1:53PM: Sands to others: Cendyn, as of this morning no longer resolves, picture of Barracuda spam filter

September 23, 4:04PM: Heide to Gaynor: Cyber’s review

September 23: EC Opening Memo [without backup]

September 26: Gaynor notes

September 26: Intelligence Memo

September 26, 8:02AM: Lichtblau to Kortan: You know what time we’re meeting?

September 26, 9:29AM: Kortan to Lichtblau: Baker’s tied up until later this afternoon.

September 26, 10:02AM: Lichtblau to Kortan: planning to bring Steve Myers

September 26, 10:15: Heide to Pientka: We want to interview the source of the whitepaper?

September 26, 12:09: Kortan to Baker and Priestap: some kind of recap later today?

September 26, 12:29: Sands to Hubiak: I’m writing a justification for an NSL to GoDaddy

September 26, 4:19PM: Heide to Shaw: apparently it’s going to hit the times?

September 26, 4:55PM: Heide to Hellman: We think it’s a bunk report still…

September 26, 5:02PM: Soo to Sands: searching current and historical lists of Tor exit nodes

September 26, 6:20PM: Sands to all, cc Heide: Spectrum hit at Cendyn, NSLs for Listrak, GoDaddy, redacted, Tor results

October 2, 12:02PM: Grasso to Wierzbicki: Two IP addresses

October 2, 7:02PM: Heide to Hellman: Check this out….

October 3: Tactical Product

October 3: Communications Exploitation

October 3, 1:48PM: Gaynor to Heide: Did white paper start with person of interest?

October 3, 2:49PM: Heide to Gaynor and Sands: Interview source

October 3, 3:00PM: Wierzbicki to Gaynor, cc Moffa: I agree with Heide, interview source

October 4: Kyle Steere to Wierzbicki and Sands: Documenting contents of thumb drive

October 4, 8:26AM: Sands to Hellman: 2 random IP addresses we got from tom grasso

October 4, 8:28AM: Sands to Hellman: we got a report on the Alfa Bank side that they also think this is nothing

October 4, 8:43AM: Hellman to Sands: any chance you get to work something like this that truly has 0 repercussions if you mess it up ….take those opportunities [alt version]

October 4, 10:00AM: Gaynor to Wierzbicki et al, cc Moffa: We need to know what we can learn from the logs [CT version]

October 4, 9:50PM: Grasso to Sands: SME who can help give context to the data we discussed

October 4, 11:08PM: Sands to Grasso: Sounds great.

October 5, 1:20PM: Trifiletti to Sands: i reminded him once more that he has never proceeded with anything when he wasnt absolutely sure

October 5, 1:33PM: Hosenball request for comment

October 5, 3:02PM: Strzok to Gaynor, forwarding Hosenball with Mediafire package

October 5, 4:08PM: Sands to Trifiletti: We need to speak to Dave dagon now too

October 5, 5:07PM: Sands to all: Update on CHS conversation — redacted explanation for why Alfa changed

October 5, 6:58PM: Grasso to Sands: I told Dagon that you would be able to protect his identity so that his name is not made public

October 6: Gaynor notes and drawing [alt version, more redacted]

October 6, 4:20PM: Materials to storage

October 6, 4:28PM: Christopher Trifiletti: CHS report (Spectrum: misconfigured server)

October 6, 4:54PM: Trifiletti to Sands: Actual text of 1023 submitted

October 6, 6:21PM: Wierzbicki to Gaynor: CHS debrief

October 7, 8:59AM: Sands to Trifiletti

October 12, 8:01AM: Sands to Heide: the “logs” we got from listrak were not network logs

October 13, 5:45PM: Gaynor to Wierzbicki: Mediafire (includes link)

October 19, 8:05AM: Sands to Heide: we spoke to mandiant and that we are talkingt o [sic] the tech people at the ISP today

October 19, 10:15AM: Gaynor to Wierzbicki: 2 IP addresses, Mediafire, Dagon author?

November 1, 3:09PM: Sands to Trifiletti: I have a few more logs to definitely prove there are no emails, and then Im putting it to bed

November 14, 2:52PM: Steere to Sands: [report on September 30 receipt of logs from Cendyn]

January 18, 2017: Closing Memo

March 27, 2017: Sands 302 with Alfa reports that Mandiant reported no historic data

July 24, 2017: Moffa to Priestap: Includes several other reports

July 24, 2017, 3:10PM: Sands accepts custody

“The Bell Can Never Be Unrung” … The Many Times Durham’s Prosecutors Flouted Judge Cooper’s Orders

Thanks to those who’ve donated to help defray the costs of trial transcripts. Your generosity has funded the expected costs. If you appreciate the kind of coverage no one else is offering, we’re still happy to accept donations for this coverage — which reflects the culmination of eight months work. 

The jury in the Michael Sussmann case will return to work this morning. They deliberated for some period on Friday (I’m not sure whether how long they deliberated has been reported). But the jury was unable to get questions answered or a verdict accepted after Judge Christopher Cooper left for the long holiday at 2:30PM. Even if the jury ends up finding Jim Baker’s testimony unreliable — which would likely be the quickest way to come to a verdict one way or another — I would expect it to take the jury a bit of time to sort through the centrality of his testimony to the charges.

So while we wait, I want to catalog how Durham’s team blew off just about every adverse decision Cooper made against them.

1. Delayed Request for Privileged Material

As I laid out in this post, Cooper ruled that a bunch of the emails over which the Democrats had originally claimed privilege were not. But because Durham waited so long to request a review of the privileged documents, Cooper ruled Durham could not use the emails at trial.

In cross-examination of Fusion’s tech person, Laura Seago, DeFilippis used the content of one of those emails that apparently discussed hiding her Fusion affiliation from Tea Leaves. (I laid out this exchange in this post.)

MR. DeFILIPPIS: So we have an issue with regard to Ms. Seago’s testimony. The government followed carefully Your Honor’s order with regard to the Fusion emails that were determined not to be privileged but that the government had moved on.

As Your Honor may recall, there was an email in there in which Ms. Seago talks very explicitly about seeking to approach someone associated with the Alfa-Bank matter and concealing her affiliation with Fusion in the email. When we asked her broadly whether she ever did that, she definitively said no when I, you know, revisited it with her. So it raises the prospect that she may be giving false testimony.

And so we were — you know, I considered trying to refresh her with that, but I didn’t understand that to be in line with Your Honor’s ruling. So the government is — we’d like to consider whether we should be — we’d like Your Honor to consider whether we should be able to at least recall her and refresh her with that document?

THE COURT: I don’t remember that question, but the subject matter was concealing Fusion or her identities in conversations with the press. If I recall correctly, that email related to “tea leaves,” correct?

After repeatedly asking Seago whether she had hidden her affiliation from the media, he asked about this email, catching Seago in a gotcha (though both Judge Cooper and Sussmann lawyer Sean Berkowitz took the question, as Seago seemed to, to relate to outreach to the press).

After setting his perjury trap, DeFilippis immediately tried to recall Seago onto the stand to delve into the content of this email. In this case, Judge Cooper ruled that DeFilippis had waived his opportunity to do so.

THE COURT: Well, I think the time to have asked the Court whether using the document to refresh was consistent with the order was before she was tendered and dismissed. So I think you waived your opportunity. All right? So we’re going to move on.

2. Non-Expert Expert Testimony

One of the most contentious arguments leading up to trial was Durham’s belated attempt to use an expert witness, ostensibly to discuss the technical complexities of DNS and Tor at the heart of the case (topics which prosecutors had witnesses explain over and over in as much detail as their nominal expert witness David Martin did), to address the accuracy of the research on the DNS anomaly.

This was an attempt to lead the jury to believe the anomaly was fabricated by Rodney Joffe and the researchers, in spite of the fact that Durham obtained plenty of evidence it was not.

On April 25, Judge Cooper ruled that Durham could have an expert discuss the technicalities of the data, but could only raise the accuracy if Sussmann did so himself.

Then on May 6, Durham attempted to expand that ruling by asking the expert to address materiality. In discussions the morning of opening arguments that focused entirely on the testimony of non-DNS expert Scott Hellman, not the nominal expert on DNS David Martin, Cooper prohibited Martin’s discussion of spoofing. (I describe these discussions here.)

Ironically, this was all supposed to be about visibility, the import of understanding how much DNS traffic a researcher could access to the quality of that researcher’s work. In Hellman’s own analysis — for which he fairly demonstrably did not review the data that Sussmann shared with the FBI very closely —  he showed no curiosity about the issue.

Searched “…global nonpublic DNS activity…” (unclear how this was done) and discovered there are (4) primary IP addresses that have resolved to the name “mail1.trump-email.com”. Two of these belong to DNS servers at Russian Alfa Bank. [my emphasis]

Nevertheless, DeFilippis used this nested set of witnesses as an opportunity to get Hellman — who admitted he had only a basic understanding of DNS, who didn’t review the data very closely, and who formed his initial conclusion in about a day — to comment on the methodology of the researchers.

Q. And what, if anything, did you conclude about whether you believed the authors of the paper or author of the paper was fairly and neutrally conducting an analysis? Did you have an opinion either way?

MR. BERKOWITZ: Objection, Your Honor.

THE COURT: Basis?

MR. BERKOWITZ: Objection on foundation. He asked him his opinion. He’s not qualified as an expert for that.

THE COURT: I’ll overrule it.

A. Sorry, can you please repeat the question?

Q. Sure. Did you draw a conclusion one way or the other as to whether the authors of this paper seemed to be applying a sound methodology or whether, to the contrary, they were trying to reach a particular result? Did you —

A. Based upon the conclusions they drew and the assumptions that they made, I did not feel like they were objective in the conclusions that they came to.

Q. And any particular reasons or support for that?

A. Just the assumption you would have to make was so far reaching, it didn’t — it just didn’t make any sense.

This is precisely the kind of opinion that Cooper had prohibited from an actual expert, admitted from someone whose own shoddy analysis became a recurrent theme for the defense.

3. Hearsay Clinton Tweet

DeFilippis’ efforts to get excluded information introduced was still more brazen with hearsay materials.

On May 7, Judge Cooper issued his initial ruling on which parts of Durham’s conspiracy theory could be admitted at trial. In general, Cooper permitted the introduction of Fusion GPS emails with the press about the Alfa Bank allegations, all of which post-date Sussmann’s alleged lie. He excluded all but one of the emails between Rodney Joffe and the researchers (more on the exception below).

Cooper equivocated wildly about a tweet sent out under Hillary Clinton’s name in response to the Franklin Foer story on the anomaly. In a hearing on April 27, he excluded it as hearsay.

THE COURT: All right. The Clinton Campaign Tweet, the Court will exclude that as hearsay. To the extent that the government believes that it offers some connection to the campaign and an attorney-client relationship, it’s likely duplicative of other evidence, so the Tweet will not come in.

In a pre-trial hearing on May 9 (after he had issued his order on motions in limine), Cooper explained he was revisiting the decision.

But I guess my question, as I have thought more about this, given the sort of two competing theories of the case and two narratives laid out in the Court’s ruling on the motion in limine, is whether it is relevant not for the truth, but to show the campaign’s connection to the alleged public relations effort to play stories regarding the Alfa-Bank data with the press and that therefore it is sort of context for the Government’s motive theory, that Mr. Sussmann sought to conceal that effort, as well as the campaign’s general connection to that effort.

After Sussmann lawyer Sean Berkowitz explained that the defense would not contest that the campaign wanted a story out there, Cooper opined that would make the tweet cumulative.

Well, if that’s going to be the case, and he’s not contesting that he was representing the campaign in connection with that effort, isn’t the tweet cumulative? It’s icing on the cake. Right?

DeFilippis claimed that without the tweet they would have no evidence about how the campaign worked the press on this issue (even though both Marc Elias, called as a government witness, and Robby Mook, who was originally listed as a government witness, eventually testified to the issue on the stand). After Judge Cooper said he would reserve his decision, Berkowitz noted that in fact, DeFilippis planned to use the tweet to claim the campaign wanted to go to the FBI when the testimony at trial (from both Elias and Mook) would establish that going to the FBI conflicted with the campaign’s goals.

[T]hey are offering the tweet for the truth of the matter, that that’s what the campaign desired and wanted and that it was a accumulation of the efforts.

Number one, it’s not the truth; and in fact, it’s the opposite of the truth. We expect there to be testimony from the campaign that, while they were interested in an article on this coming out, going to the FBI is something that was inconsistent with what they would have wanted before there was any press. And in fact, going to the FBI killed the press story, which was inconsistent with what the campaign would have wanted.

And so we think that a tweet in October after there’s an article about it is being offered to prove something inconsistent with what actually happened.

Then, after both Elias and Mook had testified that they had not sanctioned Sussmann going to the FBI, DeFilippis renewed his assault on Cooper’s initial exclusion, asking to introduce it through Mook’s knowledge that the campaign had tried to capitalize on the Foer story.

Having ruled in the past that the tweet was cumulative and highly prejudicial, Cooper nevertheless permitted DeFilippis to introduce the tweet if he could establish that Mook knew that the campaign tried to capitalize on the Foer story.

But Cooper set two rules: The government could not read from the tweet and could not introduce the part of the tweet that referenced the FBI investigation. (I explained what DeFilippis did at more length in this post.)

THE COURT: All right. Mr. DeFilippis, if you can lay a foundation that he had knowledge that a story had come out and that the campaign decided to issue the release in response to the story, I’ll let you admit the Tweet. However, the last paragraph, I agree with the defense, is substantially more prejudicial than it is probative because he has testified that had neither — he nor anyone at the campaign knew that Mr. Sussmann went to the FBI, no one authorized him to go to the FBI, and there’s been no other evidence admitted in the case that would suggest that that took place. And so this last paragraph, I think, would unfairly suggest to the jury, without any evidentiary foundation, that that was the case. All right?

MR. DeFILIPPIS: Your Honor, just two brief questions on that.

THE COURT: Okay.

MR. DeFILIPPIS: Can we — so can we use — depending on what he says about whether he was aware of the Tweet or the public statement, may we use it to refresh him?

THE COURT: Sure. Sure.

MR. DeFILIPPIS: Okay. And then, as to the last paragraph, could it be used for impeachment or refreshing purposes as well in terms of any dealings with the FBI?

THE COURT: You can use anything to refresh.

MR. DeFILIPPIS: Okay.

THE COURT: But we’re not going to publish it to the jury. We’re not going to read from it. And let’s see what he says. [my emphasis]

Having just been told not to read the tweet, especially not the part about the FBI investigation, DeFilippis proceeded to have Mook do just that.

The exhibit of the tweet that got sent to the jury had that paragraph redacted and that part of the transcript was also redacted. But, predictably, the press focused on little but the tweet, including the part that Cooper had explicitly forbidden from coming into evidence.

4. Hearsay about Joffe’s Request for Feedback

As noted above, Judge Cooper permitted just one email between Joffe and the researchers to come into evidence: a request for feedback Rodney Joffe made of the researches. But he did so based on Durham’s representation that either David Dagon or Manos Antonakakis — both of whom received the email — would testify.

Neither did.

During Sean Berkowitz’ cross-examination of Curtis Heide, one of the agents assigned to investigate the anomaly, Sussmann’s attorney had Heide explain how they knew David Dagon had a role in the research, but nevertheless never bothered to speak to him directly.

AUSA Jonathan Algor used that as an opportunity to ask to introduce not just the email that had been permitted, but also the response, claiming that by highlighting how shoddy the FBI investigation was, Berkowitz was opening the door to accuracy questions.

MR. ALGOR: So, Your Honor, there was a good amount of cross-examination regarding David Dagon.

THE COURT: Yes.

MR. ALGOR: And specifically asking about reaching out to him and also going into that he was the source of the white paper and what types of questions you would ask him and all. I think that this goes right to the red herring email.

THE COURT: I’m sorry, the what email?

MR. ALGOR: The red herring email, which you’ve previously excluded. It was Government Exhibit 124, when you would go through what type of questions. Now that Mr. Berkowitz has asked these, I would ask: What would you have asked having to provide data related to it? You know, Were there drafts of the white paper? Would Agent Heide ask who else he communicated with and what he believed regarding all of that data? And so I think he’s opened the door regarding that email.

Berkowitz noted that neither Sussmann nor Heide knew of the email.

MR. BERKOWITZ: Judge, this is not an email that was authored by Mr. Dagon. My cross-examination went directly to their investigation, who they spoke to, who they didn’t speak to. I asked him, he doesn’t know what Mr. Dagon said to Mr. Sussmann, if anything, and he said he didn’t. And I don’t think that opening the door to these communications where there’s no indication that it went to Mr. Sussmann is appropriate.

Cooper ruled that Algor could not introduce the email response.

That did not open the door to the excluded email about which — about what his and the other researchers’ views on the data or motivations may have been. In any case, the emails reflect — or the email reflects the views of Mr. Joffe, not Mr. Dagon, and those views came a full month and a half before the FBI was in a position to interview Mr. Dagon. They are, therefore, not relevant to Mr. Dagon’s views or motivations in any event.

So you can — you can certainly ask him, as you have in direct, what he would have done differently, what he would have questioned Mr. Dagon about, you know, to establish a materiality argument, but we’re not going to get into what the researchers’ motivations were. Okay?

Minutes later, Algor walked how Heide didn’t know any of the people on the email, and elicited from Heide the opinion that even asking the opinion might suggest people were trying to fabricate the data.

Q. Okay. And it — the “from” is Rodney Joffe. Do you see that?

A. Yes.

Q. And then the “to” is to Manos Antonakakis. Do you see that?

A. Yes.

Q. Do you know who that is?

A. I do not.

Q. And David Dagon, do you see that second name?

A. Yes.

Q. Do you know who David Dagon is?

A. No.

Q. You testified —

A. I’m sorry.

Q. — earlier —

A. I never met David Dagon, but I do know that he was the information that the source came forward and said he was potentially the author of the white paper.

Q. Okay. And that’s from a CHS that your team was contacted by?

A. Yes. Yes.

Q. And then, finally, April Lorenzen. Do you know who April Lorenzen is?

A. I do not.

[snip]

Q. Would you also want to know whether the authors of the white paper were trying to make it out so that it wasn’t — so that it couldn’t be understood if you weren’t a DNS expert?

A. That would be important.

Q. And if you could read that last line, please.

A. It says, “Do NOT spend more than a short while on this (if you spend more than an hour you have failed the assignment). Hopefully less.”

Q. And just going back to the line above, it says, without — it says, “NOT to be able to say this is, with out doubt, fact, but to merely be plausible,” would you want to understand that coming from the source of the white paper?

A. Yes.

The discussion of the bench conference immediately after Heide left the stand (Berkowitz generally refrained from objecting to these shenanigans in front of the jury) is entirely redacted. But as noted below, Judge Cooper ultimately excluded the entire email as hearsay introduced without proper foundation.

6. Hearsay Commentary on an Attorney

In the very same sidebar where Judge Cooper excluded the Heide testimony, he also explicitly prohibited prosecutors from tying a research request that Rodney Joffe had given a colleague, Jared Novick, to an attorney. The research request pertained to Richard Burt and Carter Page (among others) at a time both had established ties to Russia. Novick testified to Joffe’s displeasure with his work abilities and it’s quite clear the two don’t like each other.

MR. BERKOWITZ: So with respect, Judge, to that, it sounds as if outside the norm of what he normally does, that he thought it was likely for a political campaign. I’m not sure that his determination that he thought it was for an attorney is relevant. If they want to put in an attorney-client-privileged document that he saw, I think he can do that. But if he says I understood this was going to an attorney connected to the campaign, that’s hearsay. And it really doesn’t have anything to do with Mr. Sussmann, unless they can tie it up in any way.

THE COURT: Is there — is there any link to the defendant?

MR. ALGOR: Your Honor, just that he understood the tasking was related to opposition research regarding Trump; that he was told by Mr. Joffe — and his understanding was — that it was — it was someone tied to the Clinton campaign. But his understanding overall, full context and understanding, regardless of what Mr. Joffe said, was that this was going to someone tied to the campaign; and that also in receiving the document that had attorney-client privilege, that he understood it to be for an attorney.

THE COURT: How is that not hearsay if Mr. Joffe offered for the purpose of showing that, in fact, it was from —

MR. ALGOR: Because it’s a full understanding. It’s not getting into the actual specific statements that Mr. Joffe told him, but just the full context of what he was tasked to do and who the ultimate receiver was.

THE COURT: Okay.

MR. KEILTY: One second, Your Honor.

THE COURT: You can elicit his understanding that it was for a campaign, that it was unusual, that it may have had some political purpose. But I want you to stay away from any suggestion, which I don’t think has been established, that it was from Mr. Sussmann, including by suggesting it was from an attorney. Okay? [my enphasis]

Once again, minutes after Judge Cooper issued an order — this one ruling that Durham’s team could not elicit any reference to an attorney — Algor nevertheless got a former Joffe associate to do so.

Q. And, again, you — during cross-examination, Mr. Berkowitz asked you a series of questions regarding — regarding your work for Mr. Joffe on this project?

A. Uh-huh.

Q. And without getting into any specific conversations, based on the totality of your work, who was the intended audience for the project?

A. It was to go to an attorney with ties.

MR. BERKOWITZ: Objection, Your Honor.

THE COURT: Sustained.

That was the first time Berkowitz started getting really insistent about the pattern of Durham’s prosecutors completely ignoring explicit prohibitions from Cooper.

MR. BERKOWITZ: And — and just briefly, Your Honor, I don’t know when is an appropriate time to — to raise this. I want to express what — and I am not a — a hotheaded person —

THE COURT: You’re not a what?

MR. BERKOWITZ: I’m not a hotheaded person, but I have deep concern over the last line of questioning with the witness eliciting something that I think was clearly prohibited. And it’s consistent, in our view, with the line of questioning relative to Mr. Elias, [sic] relative to them reading the tweet that had been excluded. And, again, I know you don’t apportion bad faith, and I’m not asking you to do that at this point, but I just — I’m — I’m really concerned about the number of those issues that have come in and the prejudice to Mr. Sussmann. And I don’t know how best to deal with it, but I want to raise that to your attention.

Judge Cooper finally warns Durham to follow his orders

The Novick questioning finally stirred Cooper to try to do something about prosecutors flouting his orders. The first thing the next morning, he issued a both-sides warning about adhering to his rulings.

THE COURT: Okay. Good morning, everybody. All right. I just want to return briefly to the discussion we had at the end of the day yesterday.

You know, we’ve been here for two weeks. I have tried my best to let you folks try your cases as you see fit without undue intervention from the Court, as is my usual practice. But I obviously have set some evidentiary guardrails in the case that I expect both sides to follow, and I think you’ve done that for the most part.

Yesterday, however, I thought it was pretty clear — that I was pretty clear that in Mr. Novick’s testimony the government was not to suggest a link between the defendant and — on the one hand, and Mr. Joffe and the researchers’ data collection efforts on the other hand, or their views about the data. I didn’t think there was an evidentiary foundation for that.

I thought that the jury would only be able to speculate about any such connection, and I thought that any knowledge Mr. Novick had about that was necessarily hearsay from Mr. Joffe, who obviously is not here to testify. And I thought, at least, the final question in the redirect that was asked yesterday, nevertheless, attempted to establish such a link.

You know, I know that questions get asked rhetorically or argumentatively that are likely to draw an objection, and I will give lawyers some slack on that, but I expect both sides to comply with my evidentiary rulings.

There’s a lot of evidence in this case. There’s a lot for the jury to digest. They will have plenty of validly admitted evidence to pore over, and from here on out, including in arguments, I expect both sides to comply with both the letter and the spirit of the Court’s evidentiary rulings. So let’s keep it clean from here, okay?

MR. KEILTY: Yes, Your Honor.

Berkowitz used that exchange to request that Cooper exclude the entirety of the email that Algor used to invite Heide to suggest the data had been fabricated as the only way to limit the damage from prosecutors breaking Cooper’s rules.

MR. BERKOWITZ: Thank you very much for that, Your Honor. I have one other request related to it. And I don’t mean to go to the well, but there was an additional line of questioning yesterday related to Government Exhibit 132 with Agent Heide. I’m happy to provide a copy of it, if you would like.

THE COURT: Just remind me what it is.

MR. BERKOWITZ: It’s the document they sought to admit between Rodney Joffe, David Dagon, and Manos Antonakakis, “Is this a plausible explanation?”

THE COURT: Yes, I know that one. Actually, pass it up.

MR. BERKOWITZ: Your Honor, I went back and read the basis for your admitting the document, which was that it was not hearsay because there was a statement, “can you review,” and a question, “is this a plausible explanation?” I think we all contemplated at the time that both Mr. Dagon and Mr. Antonakakis were on the witness list and might testify.

You did allow it in. We didn’t object on the basis that you had previously ruled on it.

The manner in which it was used with the witness, I think, didn’t comply with the spirit of the Court’s ruling. There were questions asked related to “if you had spoken with Mr. Dagon, and you were aware of this communication” words to the effect of “would that have been concerning?”

And the witness — and I’m not suggesting that it was elicited intentionally, but the witness said “it would concern me because it appears as if it’s fabricated.”

Berkowitz noted that (like the Clinton tweet before it, though Berkowitz didn’t make the connection) that exchange got reported in the press.

That’s been reported in the press, even though you struck it from the record at our request.

Our remedy request, Your Honor, in light of that, and in light of the lack of probative value of that document with no connection to Mr. Sussmann, would be to strike the question and answering related to that document, to strike that document from the record, and not allow the prosecution team to use it with any defense witnesses, as well as not to use it in argument because it would have been stricken from the record.

We think the probative value of that document at this stage is minimal, and I expect that if it is published to the jury and used in any way, the jurors will associate it with the fabrication comment. And you worked real hard — and we have all worked really hard — to keep out the accuracy of the data. And the prejudicial nature of the document and the testimony associated with it is something that we think, while it can’t be remedied, and the bell can never be unrung, they should not be reminded and put before them. [my emphasis]

After having just been scolded, DeFilippis nevertheless made a bid to keep the document that might trigger the improperly elicited comment in as evidence.

Michael Keilty — the closest thing to a grown-up on this team — then tried to explain away Algor’s flouting of the rules with Novick.

MR. KEILTY: One last thing, Your Honor, just with respect to the final question to Mr. Novick yesterday. I think Your Honor’s aware that the government obviously did not intend for that — to elicit that answer. Instead, it intended to elicit an answer regarding Mr. Novick’s thoughts about whether this was involved with a political entity or political campaign. We didn’t have the opportunity or the benefit of conferring with Mr. Novick prior to Your Honor’s ruling. So we apologize for that, but we just wanted to put on the record some of the reasons why.

THE COURT: Well, you could have asked, “Without telling me who it came from, what was your understanding of the general nature of the source?” Right?

7. Hearsay on Top of Hearsay about Joffe’s Joke about a Job

But the Durham team’s defiance of Cooper didn’t stop there. While Cooper had permitted (with the proper foundation) a Joffe email that elicited feedback, Cooper had excluded an email — sent to someone never identified as a witness in this case — in which Joffe had joked about working in cybersecurity under a Clinton Administration. Nevertheless, as part of a long exchange with retired FBI Agent Tom Grasso in which DeFilippis asked Grasso materiality questions about stuff he heard about but had no firsthand knowledge of — each time presented as fact rather than as a conspiracy that Durham had explicitly been prohibited from presenting because they hadn’t charged it — Durham’s lead prosecutor raised the allegation he had been prohibited from raising.

Q. So when he came to you or at any time after that, did Mr. Joffe disclose to you whether he was working on this with representatives of the — of a political campaign?

A. He did not, no.

Q. And do you think you’d remember if he had told you at the time, you know, “I’m doing this, working with some folks who are working with the political campaign”?

A. I would think I would remember that, yes.

Q. So Mr. Joffe didn’t tell you — have you heard of a firm called Fusion GPS?

A. I have heard of Fusion GPS, yes, sir.

Q. Okay. And are you generally aware that they had — without getting into any specific work you did, are you generally aware that they had done some work for the Clinton Campaign at the time?

A. Yes, I —

Q. Okay.

A. Yes, I am aware of that, yes.

Q. So Mr. Joffe didn’t say he was working with Fusion GPS on this project?

A. Not that I recall, no.

Q. And Mr. Joffe never told you that, you know, this project had arisen in the context of opposition research that the Clinton Campaign was working on?

A. I do not recall that coming up, no.

Q. If Mr. Joffe had come to you and said, “I’m working with some investigators and some lawyers who are working for the Clinton Campaign, and, you know, that’s part of what I’m doing here with this information, can you please keep my name out of this,” would you have viewed that differently than you viewed the information as you got it?

[snip]

Q. Okay. And in the 2016 election period, you and Mr. Joffe, I imagine, never discussed politics or anything like that?

A. I don’t recall political discussions with him, no.

Q. Okay. And did you — so you certainly didn’t know that he was working with folks affiliated with a particular political party or campaign on what he brought to you, right?

A. I have no recollection of that.

Q. And any recollection of hearing or learning that he was expecting any kind of position in a future political administration?

A. I do not have a recollection of that other than — let me rephrase that. I have a recollection of that being reported in the media, but I don’t have a —

MR. BERKOWITZ: Objection, Your Honor.

THE COURT: Sustained. [my emphasis]

When Berkowitz raised this exchange at the end of the day, Judge Cooper noted that the several meetings they had with Grasso were ample basis for DeFilippis to understand that Grasso had no knowledge of those matters (or, for that matter, the topics covered by that entire line of questioning).

MR. BERKOWITZ: Judge, I regret that I’m going back to this same issue that we started the day with where  you admonished counsel to be careful of the guardrails related to evidentiary rulings. We had another situation n today that I think ran afoul of your comments. There was an email that was the subject of a motion related to Mr. Joffe communicating about a potential job. And in the cross-examination of Agent Grasso there was a question about, “He certainly didn’t know he was working with folks affiliated with a particular political party or campaign when he brought that to you. Right?”

Answer: “I have no recollection of that.” I didn’t object.

And then he followed up with: “And any recollection of hearing or learning that he was expecting any kind of position in a future political administration, knowing that there was nothing in the 3500 materials related to that and knowing an objection that was sustained could elicit a belief that he would do that?”

The witness answered, “I do not have a recollection of that other than — let me rephrase that. I have a recollection of that being reported in the media.”

I objected. Your Honor, they had met with this witness four times. They had pretried him twice. There was nothing in the 3500 material to suggest that he had any belief of that or any recollection or any connection.

And it’s another instance in a litany of instances that’s suggesting to the jury topics and issues that were the subject of your ruling. And I, you know, particularly  with the potential testimony of Mr. Sussmann coming up, I don’t know what else to say or to do, and we’ll consider filing a motion. But I wanted to raise the issue, and I take no joy in continuing to do this. But I cannot stand by while it continues to go on.

DeFilippis at first tried to excuse blowing off Cooper’s ruling by saying that the rules for cross-examination are different. But not if the witness was originally a witness for the prosecution.

THE COURT: Counsel?

MR. DeFILIPPIS: Yes, Your Honor. I guess we’re glad that Mr. Berkowitz raised it in the sense that, you know, typically the rules for cross-examination are different from evidence presented in a case in chief. And if there is a good-faith basis to ask — inquire as to knowledge of a matter, Your Honor, the government didn’t phrase the question tethered to any email or refer to any hearsay.

It was just inquiring as to knowledge and then inquiring as to whether that fact would be relevant to what  it is that Mr. Grasso’s interactions with Mr. Joffe were.

So if, again if the Court wants —-

THE COURT: Counsel, I don’t disagree with that, but you got to have a good faith basis for asking the question. Right? And if you prepped this guy and he’s never said anything about it, then there’s no good-faith basis. Okay? Him reading it in The New York Times or whatever is not a good-faith basis.

Then DeFilippis claimed that the question — which came after two earlier ones in which he asked Grasso questions about things he had “heard of” — was not deliberately intended to elicit such a response.

MR. DeFILIPPIS: Yeah, and to be clear, Your Honor, the portion where he said he read in the — we didn’t know that, and we wouldn’t have intentionally elicited something from a press account. So we will certainly be careful.

THE COURT: He was the defense’s witness here, but he was on your witness list. You should have known. If there was a basis to ask that question, you should have known what it was.

MR. DeFILIPPIS: Yeah. Understood, Your Honor.

Only after this exchange on prosecutors using someone who had originally been a government witness to invite speculation did Cooper exclude the entire email discussion involving Heide.

THE COURT: In that vein, let’s go back to GX-132 the admission of the email did not sit well with me yesterday, and it still does not sit well with me.

The Court ruled that the document was [sic] hearsay originally because it contained a question and a request, as opposed to an assertion. But the Court made clear in its order that, in order to be admitted, it would still need a proper foundation. The witness through which the document ultimately was admitted, albeit not without an objection from the defense, was Mr. Heide, who, as far as I could tell, had no personal knowledge whatsoever of the email. He didn’t know Mr. Joffe. He didn’t know the researchers who received it. He obviously was not a party to the email. So frankly, I don’t see how he could testify to that email in his personal knowledge as required by Rule 602.

So for that reason, I don’t think it was properly admitted through that witness. As I said yesterday, we had expected at least two of the researchers to testify based on who was on the government’s list. And I think it would have been properly admissible through those people to explain how the data came into being  as the Court ruled prior to trial. So I am going to exclude that email as well as any testimony by Mr. Heide describing his interpretation or views or thoughts on the email. Okay?

Conspiracy theory

This repeated defiance of Judge Cooper was treated as one after another evidentiary issue, usually prosecutors sneaking in hearsay with no basis. Ultimately, however, it was about a more basic ruling Judge Cooper had made, that this trial would not be about a conspiracy theory that Durham wanted to criminalize without charging.

As Berkowitz observed in his close,

This case is not about a giant political conspiracy theory. It’s about a short meeting.

[snip]

So the people who were part of this large political conspiracy theory are the people at HFA, Rodney Joffe, and Fusion GPS. They’re the people that are supposedly involved in this conspiracy.

There will be a lot said about this trial, no matter the verdict. But the serial defiance of the Durham prosecutors was a successful attempt to do something else that Judge Cooper had prohibited: to criminalize, under a conspiracy theory, perfectly legal behavior.

OTHER SUSSMANN TRIAL COVERAGE

Scene-Setter for the Sussmann Trial, Part One: The Elements of the Offense

Scene-Setter for the Sussmann Trial, Part Two: The Witnesses

The Founding Fantasy of Durham’s Prosecution of Michael Sussmann: Hillary’s Successful October Surprise

With a Much-Anticipated Fusion GPS Witness, Andrew DeFilippis Bangs the Table

John Durham’s Lies with Metadata

emptywheel’s Continuing Obsession with Sticky Notes, Michael Sussmann Trial Edition

Brittain Shaw’s Privileged Attempt to Misrepresent Eric Lichtblau’s Privilege

The Methodology of Andrew DeFilippis’ Elaborate Plot to Break Judge Cooper’s Rules

Jim Baker’s Tweet and the Recidivist Foreign Influence Cheater

That Clinton Tweet Could Lead To a Mistrial (or Reversal on Appeal)

John Durham Is Prosecuting Michael Sussmann for Sharing a Tip on Now-Sanctioned Alfa Bank

Apprehension and Dread with Bates Stamps: The Case of Jim Baker’s Missing Jencks Production

Technical Exhibits, Michael Sussmann Trial

Jim Baker’s “Doctored” Memory Forgot the Meeting He Had Immediately After His Michael Sussmann Meeting

The FBI Believed Michael Sussmann Was Working for the DNC … Until Andrew DeFilippis Coached Them to Believe Otherwise

The Visibility of FBI’s Close Hold: John Durham Will Blame Michael Sussmann that FBI Told Alfa Bank They Were Investigating

The Staples Receipt and FBI’s Description of Michael Sussmann Sharing a Tip from Hillary

“and” / “or” : How Judge Cooper Rewrote the Michael Sussmann Indictment

 

The FBI Believed Michael Sussmann Was Working for the DNC … Until Andrew DeFilippis Coached Them to Believe Otherwise

Thanks to those who’ve donated to help defray the costs of trial transcripts. Your generosity has funded the expected costs of transcripts. But if you appreciate the kind of coverage no one else is offering, we’re still happy to accept donations. This coverage reflects the culmination of eight months work. 

There’s accumulating evidence that at least some people — including some key decision-makers — believed the FBI believed that the Alfa Bank tip came from the DNC — and that Andrew DeFilippis has engaged in a lot of coaching to try to make that evidence go away.

The first time FBI Agent Ryan Gaynor testified to John Durham about the investigation into the Alfa Bank anomaly in October 2020, he told prosecutors that the DNC was the source of the allegation.

Q. Okay. So in your first meeting with the government, you — this is October of 2020, correct?

A. Yes.

Q. You told them multiple times that you believed that the Democratic National Committee was the source of the allegations of connections between Alfa-Bank and Russia, correct?

A. Correct, which was wrong.

Q. Okay. But you said that you thought the Democratic party itself was who provided the information, correct?

A. I did say that in the meeting.

That’s even what he has written down in a briefing document he kept in Fall 2016.

At the end of that October 2020 interview, prosecutors threatened Gaynor with prosecution.

His more recent testimony, starting for the first time on May 13, was that Sussmann was representing himself. The reason he now remembers that to be true goes to the heart of Durham’s materiality: it would have mattered if Sussmann was representing the DNC, so he must have been representing himself.

Q. Okay. I want to ask you, first, about testimony that you gave today where you said that when Mr. Moffa told you that Mr. Sussmann was a DNC attorney, you said, “I understood that to mean that he had been affiliated with the Democratic party but that he had come representing himself on the Alfa-Bank allegations.” Do you remember giving that testimony?

A. That was my take-away.

Q. And you gave that testimony that I just read?

A. Yes; that he was a DNC attorney, but that my take-away from that discussion was that he wasn’t there representing the DNC.

Q. When you were asked, “When Mr. Moffa said Mr. Sussmann was an attorney for the DNC, what impression did you come away with?” what did you understand that to mean? And your answer was: “I understood that to mean that he had been affiliated with the Democratic party, but that he had come representing himself,” right?

A. So he’s affiliated with the Democratic party because he was a DNC attorney.

Q. And your impression was he had come representing himself?

A. My take-away from that meeting, what I recall, is that I did not believe that he was there representing the DNC specifically because, had he been, that would have been information that would have impacted it.

This is a tautology: If Sussmann had been representing the DNC it would have mattered so it must be the case that Gaynor believed he was not representing the DNC. It also happens to be the central argument of DeFilippis’ materiality claim.

Meanwhile, Scott Hellman — Durham’s star cyber witness — received a text from his boss, Nate Batty (with whom he compared notes before his first interview with Durham), referring to the white paper as a “DNC report” on September 21, 2016, two days after Jim Baker received the materials.

Michael Sussmann lawyer Sean Berkowitz asked Hellman about that the other day. At first, Hellman expressed surprise about that text.

Q. All right. And then, with respect to Stranahan, he asks you and Nate to write a report about the — write a summary of the DNC report. Correct? That’s what it says?

A. That’s what it says in this chat, yes.

Q. And did you understand, sir, that the information had come from a DNC, meaning Democratic National Committee, source?

A. I did not understand that, no.

Q. Did you know what Nate Batty knew about it?

A. I don’t think he knew anything about it.

Q. Did you call up Tim and say, what a second. This is a DNC report? That’s political motivation.

A. No.

Q. Didn’t do anything or it didn’t occur to you?

A. The first time I saw this was two years ago when I was being interviewed by Mr. DeFilippis, and I don’t recall ever seeing it. I never had any recollection of this information coming from the DNC. I don’t remember DNC being a part of anything that we read or discussed.

Q. Okay. When you say, the first time you saw it was two years ago when you met with Mr. DeFilippis, that’s not accurate. Right? You saw it on September 21st, 2016. Correct?

A. It’s in there. I don’t have any memory of seeing it.

Later in Berkowitz’ cross-examination he returned to the text. He asked how it could be that a white paper from a DNC lawyer could be referred to as a DNC report.

Q. And although you were surprised to see it today, it appears that at least somebody, such as Mr. Batty was aware and you were aware that somebody was calling this white paper a DNC report. Correct?

A. I was not aware that anybody was calling it a DNC report, and I don’t believe Mr. Batty knew that either.

Q. But you saw the link message. Right?

A. I did see the link message, yes.

Berkowitz asked Hellman how it could be that he would see a reference to a DNC report and not take from that it was a DNC report. Hellman describes “the only explanation that … was discussed” — which is that it was a typo.

Q. What’s your explanation for it?

A. I have no recollection of seeing that link message. And there is — have absolutely no belief that either me or Agent Batty knew where that data was coming from, let alone that it was coming from DNC. The only explanation that popped or was discussed was that it could have been a typo and somebody was trying to refer to DNS instead of DNC.

Q. So you think it was a typo?

A. I don’t know.

Q. When you said the only one suggesting it — isn’t it true that it was Mr. DeFilippis that suggested to you that it might have been a typo recently?

A. That’s correct.

Q. Okay. You didn’t think that at the time. Right?

A. I did not. I had never seen it or had any memory of seeing it ever before it was put in front of me.

With some prodding, Hellman admitted that when he referred to “discussing explanations,” he meant doing so with Andrew DeFilippis. This exchange was, quite literally, Berkowitz eliciting Hellman to provide an answer that DeFilippis thought up — one necessary to sustain DeFilippis’ narrative — without, at first, admitting it was DeFilippis’ opinion of what the truth must be.

So after DeFilippis threatened Gaynor with prosecution, he came to remember something other than what the note, tying the white paper to DNC lawyer Michael Sussmann, that he used to “refresh his memory” said.

And when faced with the possibility, two years or maybe six after the fact, that Scott Hellman’s epically shitty analysis of the white paper could have been influenced by being told that it was a DNC white paper, Hellman offered up the explanation that DeFilippis offered him.

At least twice, then, under coaching from Durham’s lead prosecutor, key witnesses have come to believe something other than what the documentary evidence suggests.

The fact that DeFilippis has twice coached witnesses to deny any understanding at FBI that this was a DNC tip — whether it was a DNC tip or not — is really telling. That’s because DeFilippis has to try to pitch a nearly unsustainable position: how his single witness to Sussmann’s alleged crime, Jim Baker, can in 2016 have told Bill Priestap the following:

Q. I think you testified yesterday that by this time you were at least generally aware that Mr. Sussmann represented the DNC in connection with hacks; is that right?

A. That’s correct.

Q. And what, if anything, did you say to Mr. Priestap about that?

A. I think I told him like, okay, this is who Michael is. He’s represented the Democratic party in the Russian hack that we were also investigating and/or the Hillary Clinton Campaign. So just, again, to orient Bill to who Michael was. I mean, that’s a serious credential in terms of being a cyber security expert. And then to explain: But in this case he said he’s not appearing on behalf of them. In this case he’s coming in as a good citizen.

And then, in 2018, have told Jim Jordan the following:

Q. Mr. Jordan then says: “And he was representing a client when he brought this information to you or just out of the goodness of his heart? Someone gave it to him and he brought it to you?”

A. In that first interaction, I don’t remember him specifically saying that he was acting on behalf of a particular client.

Q. Did you know at the time that he was representing the DNC in the Clinton campaign?

A. I can’t remember. I had learned that at some point. I don’t, as I said — as I think I n said last time, I don’t specifically remember when I learned that — excuse me — so I don’t know that I had that in my head when he showed up in my office. I just can’t remember.

Q. Did you learn that shortly thereafter if you didn’t know it at the time?

And then testify last week this way.

Q. Okay. Number two, did you know on the September 19th, 2016 meeting that Mr. Sussmann had been representing Hillary For America’s campaign and the DNC in connection with the hack investigation. Did you know that on September 19th when he met with you?

A. Sitting here today, I think the answer is, yes, I did know that by that point in time.

Q. I’ve written down, “yes, DNC and HFA and hack”. I want to be really clear. You’re not saying that he said that in the meeting. correct?

A. Correct.

Q. And you’re not saying he said he was there on behalf of them? You’re just saying that in your mind you knew that he had been acting as a lawyer for those two entities in connection with the hack. Correct?

It’s not just a question of whether Baker will be a credible witness, though his wildly changing claims about the DNC are among the reasons why his testimony is not credible.

It’s also that Durham wants to point to Sussmann’s failure, a year earlier in a Congressional hearing, to offer up his ties with the Democrats as proof he was lying. But Durham is treating Baker’s failure to do so in the same situation as an innocent mistake. For his single witness to be credible, DeFilippis has to find a way to excuse Baker’s failure to offer that up in a far more direct question while pointing to Sussmann’s failure to offer it up as proof of guilt.

He has to do so to defend his prosecutorial decisions, too. Given how much stake DeFilippis has placed on Baker sharing with Priestap that he knew Sussmann represented the Democrats, it makes it far less credible that Baker didn’t knowingly lie to Jordan. Especially given the way Baker responded to a Berkowitz question, suggesting that perhaps he hadn’t been truthful with Jordan, but instead was “careful.”

Q. And when you gave voluntary information to Congress, you understood that you were under oath?

A. I don’t think I was under oath, but I understood that it’s a crime to make false statements to Congress.

Q. So you tried to be as careful as you could. Correct?

A. I tried to be as careful as I could in that environment, yes, sir.

Q. You tried to be as truthful as you could?

A. (No response)

Q. Tried to be as truthful as you could?

A. Yes, sir.

Sussmann’s team is going to argue that there are a long list of people against whom there is far better evidence for false statements or perjury charges than him, with the single difference being that the other people were willing to tell the storytale DeFilippis is using prosecutorial resources to tell. And the first person on that list — it makes me sick to my stomach to say — is Jim Baker.

Finally, it’s a matter of materiality. DeFilippis has to find a way for it to be the case that his single witness knew when he met with Sussmann that Sussmann was a DNC lawyer (because Bill Priestap’s notes reflect that), but didn’t view that to be material to everything that happened next.

And the only way to sustain that rickety narrative is to ensure that no one else — not even the people using documentary proof reflecting a belief that this was a DNC report to refresh faded memories — understood that the white paper came from the DNC.

Thus far, Sussmann’s cross-examination has elicited evidence that at least three witnesses changed their testimony after interviews with DeFilippis, adopting a “memory” that conflicts with the documentary record with regards to whether the FBI believed the white paper to be associated with the DNC.

OTHER SUSSMANN TRIAL COVERAGE

Scene-Setter for the Sussmann Trial, Part One: The Elements of the Offense

Scene-Setter for the Sussmann Trial, Part Two: The Witnesses

The Founding Fantasy of Durham’s Prosecution of Michael Sussmann: Hillary’s Successful October Surprise

With a Much-Anticipated Fusion GPS Witness, Andrew DeFilippis Bangs the Table

John Durham’s Lies with Metadata

emptywheel’s Continuing Obsession with Sticky Notes, Michael Sussmann Trial Edition

Brittain Shaw’s Privileged Attempt to Misrepresent Eric Lichtblau’s Privilege

The Methodology of Andrew DeFilippis’ Elaborate Plot to Break Judge Cooper’s Rules

Jim Baker’s Tweet and the Recidivist Foreign Influence Cheater

That Clinton Tweet Could Lead To a Mistrial (or Reversal on Appeal)

John Durham Is Prosecuting Michael Sussmann for Sharing a Tip on Now-Sanctioned Alfa Bank

Apprehension and Dread with Bates Stamps: The Case of Jim Baker’s Missing Jencks Production

Technical Exhibits, Michael Sussmann Trial

Jim Baker’s “Doctored” Memory Forgot the Meeting He Had Immediately After His Michael Sussmann Meeting

Apprehension and Dread with Bates Stamps: The Case of Jim Baker’s Missing Jencks Production

Thanks to those who’ve donated to help defray the costs of trial transcripts. Your generosity has funded the expected costs of transcripts. But if you appreciate the kind of coverage no one else is offering, we’re still happy to accept donations. This coverage reflects the culmination of eight months work. 

I’ve done a couple of posts showing how much fun one can have with Bates stamps — the serial numbers stamped onto every page of discovery that tells you a little bit about how any document was treated. In this post, for example, I showed that when John Durham accidentally-on-purpose released an exhibit with a bunch of Fusion GPS documents, he wasn’t doing so primarily to get them admitted at trial, because he had no intention of using most of them at trial. In this post, I showed that Durham hadn’t looked at key investigative documents that Michael Horowitz had relied upon in the Inspector General investigation into Crossfire Hurricane before Durham claimed he knew better than Horowitz about the predication of the Russian investigation. As of now, by the way, Horowitz is on the schedule to be a witness for Michael Sussmann. Ostensibly he’ll just talk about how valuable an anonymous tip that Sussmann once shared on behalf of Rodney Joffe proved to be, but who knows whether he’ll get a question about comments Durham has made about knowing better than Horowitz about things he hadn’t done the work to understand?

This post about Bates stamps won’t be so fun. It fills me with dread.

In this post and these two threads (Thursday nightFriday morning), I tried to summarize the Greek tragedy of Sussmann lawyer Sean Berkowitz’ cross-examination of Jim Baker. The short version of it is that these two men, men who used to be friends, are stuck in some nightmare Hunger Games created by a right wing mob led by Donald Trump. After years of being dragged through the mud because they dared to try to protect the United States from Russia in 2016, the survival of each depends on taking out the other. Jim Baker only avoids prosecution if he adheres obediently to John Durham’s internally contradictory script. Sussmann only gets his life back if he takes Baker out. While just Sussmann’s lawyer, Sean Berkowitz, and Jim Baker appear on this stage, it’s quite clear that Durham and DeFilippis set it.

Berkowitz started by quoting Baker’s explanation, from his earlier testimony, for why he had never searched his own files for texts with Sussmann.

Q. It’s your investigation, you said. I’m just here to answer the questions. Right? It’s Mr. DeFilippis’ investigation. You’re just here to answer the questions. Is what you said?

The context of that statement, from Andrew DeFilippis’ direct questioning of Baker, is crucial to understanding what follows.

The comment was Baker’s explanation to Durham’s lead prosecutor for why he only found a September 18, 2016 text from Michael Sussmann in March of 2022, almost six months after an entire indictment had been built around what Sussmann had said, instead, on September 19. As teed up by DeFilippis, Baker went looking for and found that text because Durham was just trying to comply with Jencks obligations, the requirement that prosecutors provide the prior statements of government witnesses in their possession to defendants.

Q. Are you familiar with the concept of Jencks materials or 3500 materials?

A. Yes.

[snip]

A. Correct. Yes. It’s an act of Congress that requires that — the reference to 3500 is a section in the U.S. Code.

Q. So did there come a time when you were asked by the Government to give any statements you might have on the subject of your testimony today?

A. Yes.

Q. And just tell us how that happened and then what you did in response.

A. There was a phone call with the Government. I think it was in March of this year. And it was to discuss discovery-related matters in part in the conversation. And I think it was Mr. Durham who asked me, you know: You need — we have an obligation to hand over discovery to the defense in this case. And can you go look for emails and other communications that you might have had with Mr. Sussmann?

And so in response to that, I — after we got off the phone, I immediately went to my phone and started looking through emails and then I looked for texts. And I did a search for texts with Michael’s last name; and texts came up, and I scrolled through them. They took a while to down — it was clear to me at least that they were downloading from the cloud.

And as I scrolled through and got to the beginning of my set of communications with Michael, this is the first one that I had.

Q. Now, had you — have you spoken to and met with the Government in connection with this case previously?

A. Yes.

Q. And had you previously located this text message here?

A. Not to the best of my recollection. No.

Q. What, if anything, was the reason for that?

A. It’s — I was not — I mean, the way I thought about it was that frankly, like, I am not out to get Michael. And this is not my investigation; this is your investigation. And so if you ask me a question, I answer it. If you ask me to look for something, I go look for it. But to the best of my recollection, nobody had asked me to go look for this material before that. [my emphasis]

Nobody had ever asked him to go look for evidence in his own possession related to the defendant against whom he was the key witness before, Baker testified. There’s a lot that’s unsaid — and batshit crazy — about this. One is that Durham only asked for communications directly with Sussmann, at least as Baker described events that happened just a few months ago.

Anyway, that was Durham’s explanation for how this text got shared with the government in March, six months after Durham had charged Sussmann for lying to hide what Durham imagines were Sussmann’s self-interests in a meeting with Baker on September 19, 2016. And by Baker’s telling, this belated request wasn’t just an example of DeFilippis trying to cover up his past incompetence (again). Durham was personally involved in this.

The only Bates stamp on this exhibit looks like this:

As you can see from Sussmann’s challenges to Durham’s exhibits submitted earlier this month, SCO-###### is one of two standard Bates stamps that Durham uses, the other being SC-########. Note both have a dash.

I knew as soon as I read the transcript that DeFilippis’ suggestion that this was about Jencks was intentionally misleading. Almost certainly, Durham found this text because they were still trying to comply with Sussmann’s demands, first made immediately after the indictment and then over and over after that, that prosecutors find  the communications about Sussmann’s role in killing a NYT story that he knew must exist. Besides, Jencks is an obligation to turn over statements about an investigation in the government’s possession. These texts weren’t, until Durham asked for them, in the government’s possession.

I mean, I guess if they were, and Durham had been sitting on them for six months, then Durham has even bigger problems, which I don’t rule out.

That’s the background to the way Sussmann’s lawyer began his cross-examination. After reminding Baker of this statement, Berkowitz then laid out that, while Baker had met over ten times with Durham’s team, he had declined to meet with Sussmann’s team. Berkowitz introduced a letter he had sent Baker’s lawyer on April 20, asking to meet.

That letter had no Bates stamp. Just the Exhibit number submitting it into evidence.

That suggests Durham’s team hadn’t seen this letter yet — though I’m sure nothing about the letter was a surprise to them. Baker has met with Durham’s team at least twice since Berkowitz sent this letter. Berkowitz asked if Baker knew about the letter but Baker dodged, saying only that he had delegated the decision about meeting with Sussmann’s team to his lawyer, Dan Levin.

Then Berkowitz asked whether Baker knew what it was like to be under criminal investigation.

A. Yes.

Q. That’s Mr. Durham?

A. Yes.

They talked for a while about an earlier Durham investigation, one that lasted from 2017 until 2019 (Berkowitz made Baker repeat the dates), into whether information about surveillance that Baker had shared with a journalist had, or had not, been an authorized disclosure. Berkowitz talked about what might have happened had Baker been charged.

Loss of his legal career.

Being prosecuted.

Berkowitz talked about how that investigation basically boiled down to several conflicting versions of a phone call that other witnesses had given Durham. Their word against Baker’s.

Q. So at least one of their recollections was inconsistent with yours. Right?

A. Yes. Yes.

Q. Memories are a difficult thing, aren’t they, sir?

A. That’s a difficult question to answer. That depends.

That’s how Berkowitz prefaced the first of a long list of things Baker had said in Michael Sussmann’s trial that conflicted with things he had said in the past, a list that carried into a second day (actually Baker’s third day on the stand). At this point, Berkowitz mentioned just one of them — Baker’s inconsistent testimony to the Inspector General in July 2019 — then interrupted.

He put up a text to Ben Wittes that Baker sent the day after Durham was appointed in this matter (so weeks before that particular interview with the IG). Wittes and Baker were talking about TV appearances, but Baker seemed preoccupied by the Durham appointment.

MR. BERKOWITZ: The date, Mr. Cleaves.

THE WITNESS: There we go. Okay. Sorry. May 14th, 2019. Thank you.

BY MR. BERKOWITZ:

Q. And you write: “It went well. It was about the Love piece which was good. CNN Tonight was okay but didn’t cover that at all. And now I get to be investigated for another year or two by John Durham. Lovely.” Correct?

A. Right.

Q. So you expected to be investigated further by Mr. Durham. Correct?

A. Yes, I did.

I’ll come back to the metadata on the text in just a bit.

The text makes it clear how, after being investigated by John Durham from 2017 to 2019, upon learning that Durham had just been appointed to investigate other matters implicating Baker, FBI’s former General Counsel immediately realized the investigation would continue for another two years.

Baker was wrong about the timing. Durham’s investigation just celebrated its third birthday.

This text frames all of Baker’s subsequent cooperation in that light — in Baker’s immediate recognition that the hell he had been going through for the previous two years would continue another two. Or three. Or longer.

This is brilliant lawyering on Berkowitz’s part. But remember as you read along that this is really a Hunger Games conflict staged by Trump and Bill Barr to exploit the US Justice system to create a never-ending supply of revenge theater that will incite the base and lead the press to do shitty reporting for easy clicks. This is an act of revenge targeting anyone who has ever dared to question Trump’s corruption. Or even, question the dangers of Russian interference in American democracy.

Back to Berkowitz. After showing Baker the text reflecting his immediate dread about being investigated by Durham for two more years, Berkowitz described how, the day after Durham’s appointment (actually it was about three days after, and so two days after this text), Baker had his lawyer reach out to Durham and offer to cooperate.

The letter is actually kind of funny. It shows Levin emailing and saying, “Jim asked me to reach out and let you know that he is available if you wish to interview him (he just spoke to the IG today).” Durham seems to have forwarded that email from one of his DOJ emails to another. I sort of wonder if there was a BCC, because Durham was in really close contact with Bill Barr’s office in these weeks. Durham then attempted to write back to Levin but at least as it appears (because he forwarded the email to himself rather than simply replying with a CC to his second DOJ account), Durham simply wrote to himself, responding into a void about meeting with “tour client” soon.

The Bates stamp for this exhibit looks like this:

DX-811 is the exhibit number for this trial (DX shows that it is one of Sussmann’s exhibits, as opposed to one of the government’s).

LW-06_0001 may reflect Sussmann’s Latham & Watkins’ lawyers sharing their proposed exhibits with Durham and Judge Cooper before the trial.

SCO-012114 is the regular Bates stamp associated with Durham’s production to Sussmann. It’s part of the same series (though much earlier in) the Bates stamp of the text that Baker turned over to Durham on March 4. SCO dash ######.

And SCO-3500U-4007 seems to be a Bates stamp specifically tied to Jencks discovery, which as noted above is called Rule 3500. That’s a really handy Bates stamp because it may indicate what Durham is treating as Jencks discovery. It appears in other direct statements made by Durham’s witnesses about this investigation. The calendar entry for the September 19, 2016 meeting between Baker and Sussmann, for example, has one of those 3500 stamps.

The text that, DeFilippis suggested, Durham had only asked for out of a diligent desire to comply with Jencks obligations doesn’t have one of these 3500 Bates stamps. Here it is again, SCO dash ######.

Having shown those three documents — Berkowitz’s request for a meeting with Baker, Baker’s text to Wittes dreading two more years of investigation by Durham, and Levin’s letter to Durham immediately after his appointment offering to come in for an interview — Berkowitz then resumed talking about inconsistencies in Baker’s testimony. He alluded, briefly, to a sworn statement Baker made to the grand jury under questioning from DeFilippis about the role that the General Counsel would have in FBI investigations. Then, after going through what Baker’s current testimony is, Berkowitz asked,

Q. The fact that Mr. Sussmann stated specifically in his message that he was acting on his own and not for a client did not factor heavily into your decision to meet with him. Correct?

This statement is inconsistent with the testimony Baker gave on the stand. Baker disavowed it.

A. I disagree with that.

So Berkowitz did what’s known as “refreshing” a witness’ memory, first by reading him what the 302 memorializing an FBI interview said.

Q. All right. Do you remember speaking with these folks in March of this year — by these folks to be, correct for the record, the prosecution team, Mr. DeFilippis?

A. In March of this year, I spoke to them, yes.

Q. Okay. And in March of this year, is it not true that you told them you do not believe that the fact that Sussmann stated specifically in his texts that he was acting on his own and not for a client factored heavily into your decision to meet with Michael Sussmann the very next day. You told them that?

A. Can you repeat the first part of that again? Sorry.

Q. “Baker does not believe that the fact that Sussmann stated specifically in his text message that he was acting on his own and not for a client factored heavily into his decision to meet with Sussmann the very next day”?

Baker, perhaps realizing that this interview from a few months ago conflicts with the testimony he has just given, had forgotten the question.

A. So, I’m sorry. What’s your question?

Q. You told them that on March 4th of 2022.

Baker didn’t recall giving that conflicting testimony.

A. Sitting here today, I don’t recall telling them that.

Berkowitz offered to show him the proof: a 302 interview report that, unlike the meeting between Baker and Sussmann on September 19, 2016, actually documents what was said.

Q. Refresh your recollection to see the 302 of your meeting, sir?

A. Sure. I haven’t seen that 302 before.

This is an opportunity for Berkowitz to explain, as he did when he used one to refresh Scott Hellman’s memory earlier in the week, what a 302 is and how FBI always creates 302s for fact witnesses.

Q. All right. And to orient the jury is when an agent is present and take notes. Correct?

A. It’s a report of an interview.

Q. And when a witness is interviewed by the FBI, an agent is there to take notes, if it’s a fact witness, and put it into a report. Correct?

A. Correct.

Q. You didn’t do that with Mr. Sussmann. Right?

A. Correct.

Berkowitz asked Baker if he remembered making the statement on March 4. DeFilippis’ single witness to Sussmann’s alleged crime professed, for the second time in short order, not to remember something that happened just a few months ago.

Q. Does it refresh your recollection that, on March 4th of 2022, you told the FBI and Mr. DeFilippis that you didn’t believe the fact that Mr. Sussmann stated specifically in his text he was acting on his own and not for a client factored heavily into your decision to meet with Mr. Sussmann the next day?

A. I don’t recall making that statement sitting here today.

Q. And it’s your testimony

MR. BERKOWITZ: You can take that down.

BY MR. BERKOWITZ: Q. It’s your testimony that that’s not accurate. Correct?

A. It’s my testimony today that, as I think about it today, that that’s not accurate.

More than just forgetting what he said a few months ago, Baker is showing the jury how, if his current belief conflicts with a past one shared under threat of false statements charges, he’ll simply say his past truth is not the truth. Not accurate.

Then Baker thinks of something: the significance of the date.

A. Can I ask you a question? When was that 302? What was the date? What meeting or what interview was that pertaining to?

Q. There’s a lot of different meetings and interviews here. This one was a couple of months ago on March 4th of 2022 —

A. Okay.

Q. — in connection with your trial preparation for today.

A. That was the date that I found the text, yes.

Q. Okay. Did that change your recollections at all or —

Baker explains that discovering a text in which Sussmann had stated that he wasn’t asking for the September 19, 2016 meeting “on behalf of any client,” but wanted to help the FBI had upset him, suggesting that might explain why he gave testimony a few months ago that substantially differs from the testimony he gave on the stand.

A. Well it’s just it was a very — it was a very difficult day for me and it was a bit upsetting.

As a reminder, this day was not just a stressful one for Baker. While I can’t think of an evidentiary basis by which Sussmann could share this with the jury, after Baker found a text that greatly complicated Durham’s prosecution, Durham accused Sussmann of hiding evidence, a stance he was forced to drop after Sussmann obtained a subpoena on his own to disprove that accusation.

Anyway, after noting that Baker met with Durham in spite of the stress of having found the text, Berkowitz asked Baker, for the first time in this Hunger Games conflict, whether he was aware that it was a crime to lie to the FBI.

A. I know very well it’s a crime to make a false statement to the FBI if that’s what you are getting at. Whether they say it or not, I know it.

At that point, Berkowitz pulled out a white board and starting writing down the things that Baker was committing to believing were the truth. He started with “the elephant in the room,” the memory that, if the jury finds it shaky, will sink this entire prosecution.

Q. Let’s start with the elephant in the room. Sitting here today, what is your testimony about what Mr. Sussmann told you relative to clients?

A. At the meeting in person on the 19th of September?

Q. Yes.

A. Okay. My testimony is that he said that he was not there on behalf of any particular client or words to that effect.

Q. Oh, now it’s “words to that effect.” Okay.

DeFilippis objected.

He didn’t want Berkowitz to write this down, I’m sure, because any juror taking notes is going to write down exactly what Berkowitz writes down, thereby solidifying the points in their memory. That’s how my memory works anyway: If I write it down, I’m far more likely to remember it. People think I have a really good memory, but in actuality, I just write a lot more than most people.

DiFilippis probably also didn’t want Berkowitz to write this down because it’ll isolate the key claims that Baker has made, thereby making it easier for jurors to compare his currently operative statements with what he had said in the past. DeFilippis wanted just the court reporter to write this down, in a transcript that won’t ever be shared with the jury.

MR. DeFILIPPIS: Objection, Your Honor, we do have a court reporter.

THE COURT: Overruled.

Berkowitz walked Baker through his currently operative story for the following:

  • What Sussmann said on September 19 about having a client
  • Whether Baker knew Sussmann worked for Hillary that day
  • How long the meeting was
  • What Sussmann said about a news organization ready to publish a story
  • Whether he identified any particular cyber experts
  • Whether those experts — Steve Bellovin, Matt Blaze, and Susan Landau — had vouched for the data
  • Whether Baker or Sussmann had taken notes
  • Whether he had refused to share Sussmann’s name when Scott Hellman and an FBI administrative person  named Jordan Kelly had come to obtain the materials, as Scott Hellman testified earlier in the week

That’s when they break for lunch. After lunch they go over Baker’s meeting with Bill Prietsap, his calls to get Eric Lichtblau’s name later in the week, and his foggy memory about the details from the the March 6, 2017 when the Alfa Bank allegation comes back up. I’m not sure whether this got written onto a white board or not (it sounds like Berkowitz had filled the white board before lunch).

Berkowitz then returned to the many times Baker had given conflicting testimony under oath, starting with his testimony before Congress.

Q. And when you gave voluntary information to Congress, you understood that you were under oath?

A. I don’t think I was under oath, but I understood that it’s a crime to make false statements to Congress.

Q. So you tried to be as careful as you could. Correct?

A. I tried to be as careful as I could in that environment, yes, sir.

Q. You tried to be as truthful as you could?

A. (No response)

Q. Tried to be as truthful as you could?

A. Yes, sir.

Berkowitz then went through and laid out how his prior testimony conflicts with what he’s just laid out on the whiteboard and after lunch.

Again, great lawyering, but the reason this is so dreadful is because this is precisely the kind of Hunger Games conflict that Reality TV show star Donald Trump uses to accrue power.

Berkowitz reminded Baker that his two appearances before Congress in October 2018 could be subject to false statement prosecution, his 2019 interview with the Inspector General (which Baker calls “the I.G. thing”), the two meetings with Durham at which Sussmann was raised in June 2020 (at such time as Trump and Barr were pressuring Durham for pre-election results). All potentially subject to prosecution as false statements or perjury.

Berkowitz ended the day by asking about threats, returning again to the possibility that any single one of these inconsistent statements — the most recent of which discussed thus far was on March 4, 2022, the statute of limitation for which would not expire until 2027 — could be charged as a false statement.

Q. Did they threaten you, sir, with anything — based on the fact that you had previously told folks under oath or subject to perjury — that you had said inconsistent things?

A. Mr. Durham and his team have never threatened me in any way.

Q. But you understood, sir, did you not, as a lawyer, that if you had said something that someone determined was false, under oath, or subject to perjury, you could be prosecuted. Correct?

I suspect that, by the end of the week, Berkowitz will argue that several of Durham’s witnesses have made more easily provable false statements — and more material — to the Special Counsel and others than Sussmann, but Durham is not choosing to prosecute the ones who tell the story he wants told, the story he chooses to refresh. Remember, there are at least three documents already introduced that Durham chose not to use to refresh Baker’s memory to something different than he delivered on the stand last week.

Which brings me back to DeFilippis’ excuse for finding a text that Sussmann was asking for but which Durham had never bothered to look for, and the inconsistent statement — that Sussmann’s notice that he was not there on behalf of any client had a big role in him taking the meeting — and Baker’s attribution of his now-inconsistent answer to stress.

Durham discovered on March 4 that Baker had relevant texts he never bothered to ask for in 16 months of investigation before he charged Sussmann. DeFilippis introduced that text by claiming prosecutors had discovered it by asking — John Durham asked himself, according to Baker — for Jencks material.

That text has no Bates stamp reflecting that it is Jencks material.

There’s something else about that text. It looks nothing like the text that Berkowitz entered describing Baker’s dread as he realized Durham was going to be investigating for two more years. Here’s the text Baker turned over in March, in response to Durham’s request for any communications involving Sussmann, but only communications involving Sussmann.

Here’s the text to Wittes expressing certainty that Durham would investigate him for two more years.

These are both iMessage texts! They look entirely different, though, because one is a screen cap turned over by Baker, and the other was obtained via legal process served on Apple (which is where all the extra metadata comes from).

More interesting still, however, is the Bates stamp on the set of texts involving Wittes. The Bates stamp on that text looks like this:

There’s the red stamp that, I’m guessing, is the stamp associated with a pre-trial proposed exhibit.

There’s the trial exhibit stamp, DX-810.

And then there’s a Bates stamp that does not match any Durham Bates stamp I’ve seen. SCO_######. Underscore, not dash.

Although this is a statement by a witness — the key witness!! — about this very investigation, there’s no Jencks stamp.

Mind you, the government only has to turn over statements about an investigation under Jencks if it is in their possession. So maybe this was never in their possession? If it was, it’d be a Jencks violation and Sussmann could ask to have the entirety of Baker’s testimony thrown out. All of it.

I have no idea where this text string comes from. Perhaps it came from an FBI Inspection Division investigation of all these same people; such material was among the stuff that Durham was permitted to turn over late. Perhaps, as Latham & Watkins did when Durham accused Sussmann of hiding this text, they got a subpoena and obtained it themselves. But it appears, at least, that it didn’t come from Durham.

If that’s right — if, even after discovering that Baker had texts that were absolutely critical to this investigation that he had never turned over, Durham didn’t choose to obtain these texts directly from Apple themselves, or at the very least ask Baker to turn over all texts pertinent to his investigation — there are several implications. First, it’s proof that Durham never ever subjected Baker, the guy who offered to cooperate on day three, to investigative scrutiny for his role in the events from September 19, 2016 that Durham has chosen to criminalize. Nor has Durham tested what might be behind any of Baker’s subsequent inconsistent statements. And when Durham discovered that Baker had had texts that were critical to his investigation almost three years into the investigation, his first response was to attempt to blame Sussmann. When that didn’t work, it appears, Durham didn’t put his prosecution at risk to see what other texts, texts that might be critical to Durham’s investigation but which didn’t involve communications between him and Sussmann, might be in Baker’s iCloud account.

This is brilliant lawyering. But it’s all just a part of Donald Trump’s Hunger Games, revenge theater targeting the people who questioned his complicit ties with Russia. And the wrong people are going to get hurt.

Other Sussmann trial coverage

Scene-Setter for the Sussmann Trial, Part One: The Elements of the Offense

Scene-Setter for the Sussmann Trial, Part Two: The Witnesses

The Founding Fantasy of Durham’s Prosecution of Michael Sussmann: Hillary’s Successful October Surprise

With a Much-Anticipated Fusion GPS Witness, Andrew DeFilippis Bangs the Table

John Durham’s Lies with Metadata

emptywheel’s Continuing Obsession with Sticky Notes, Michael Sussmann Trial Edition

Brittain Shaw’s Privileged Attempt to Misrepresent Eric Lichtblau’s Privilege

The Methodology of Andrew DeFilippis’ Elaborate Plot to Break Judge Cooper’s Rules

Jim Baker’s Tweet and the Recidivist Foreign Influence Cheater

That Clinton Tweet Could Lead To a Mistrial (or Reversal on Appeal)

John Durham Is Prosecuting Michael Sussmann for Sharing a Tip on Now-Sanctioned Alfa Bank

John Durham Is Prosecuting Michael Sussmann for Sharing a Tip on Now-Sanctioned Alfa Bank

Thanks to those who’ve donated to help defray the costs of trial transcripts. Your generosity has funded the expected costs. If you appreciate the kind of coverage no one else is offering, we’re still happy to accept donations for this coverage — which reflects the culmination of eight months work. 

During his cross-examination of Jim Baker, Michael Sussmann’s lawyer Sean Berkowitz introduced the Electronic Communication that opened the investigation pertaining to the Alfa Bank anomaly. He did so, ostensibly, to show that when DeFilippis elicited Jim Baker to explain the predication of investigations, Baker claimed not to remember that an investigation into the Alfa Bank anomaly had been opened, and claimed not to remember that the EC erroneously said the investigation was a referral from DOJ.

Q. And you were aware, though, because the government showed you a document, that a particular file number here was opened up, correct?

A. I don’t — did I see that? I don’t remember seeing that yesterday.

Q. Let’s show — I don’t think they showed it to you yesterday. They showed it to you in one of your preparation exhibits.

A. Okay. Okay.

Baker should have known it because he was shown the Electronic Communication during an interview with Durham, but he had forgotten it on the stand. So this appeared to be yet another attempt to show Baker’s hot-and-cold running memory.

When Berkowitz moved to enter it into evidence, DeFilippis noted it was a government exhibit, suggesting they weren’t hiding it (even though they hadn’t shown it to Baker on the stand). Probably they would have introduced it when Alfa Bank case agent Allison Sands testifies, probably Monday.

But introducing it with Baker gave Sussmann an opportunity to lay out several huge problems with Durham’s case against him and ensure that DeFilippis has to deal with this EC with Sands.

First, there’s this: When the FBI opened an investigation into this anomaly, they considered it an investigation into Alfa Bank.

This was an investigation into Alfa Bank. Not an investigation into Donald Trump.

In the part of the EC that explains why they opened it, they repeat, again, that it’s an investigation into Alfa Bank. But they also opened it because the FBI was still trying to figure out what Trump associate got an advance heads up that the Russians were going to intervene to hurt Hillary. But even in the context of the fact that one of the agents investigating Crossfire Hurricane had been pulled back to Chicago to work on this investigation, the investigation was not into biological human Donald Trump, it was into corporate human Trump Organization.

Based on the information above, FBI Chicago has predicated a Full Counterintelligence investigation into the activities of ALFA BANK, in order to conduct further investigation regarding the extent and nature of the network communications between ALFA BANK and the TRUMP ORGANIZATION. This investigation will attempt to determine the validity of the information that was provided by the third-party entity, and to assess whether or not pose a threat to either the TRUMP ORGANIZATION, or United States national security.

In addition, FBI investigation [redacted] [CROSSFIRE HURRICANE] was predicated based on an allegation that a member of the TRUMP campaign had received a suggestion from the Russian Government, indicating that the Russian government could assist the TRUMP campaign with an anonymous release of information during the campaign, which would be a detriment to the HILLARY CLINTON campaign. Investigation in [redacted] has surfaced additional ties between the TRUMP campaign team and the Russian government.

Investigation of the communications between the Russian ALFA BANK and the TRUMP ORGANIZATION could provide additional insight about the connections between the TRUMP ORGANIZATION and Russia, and help to determine whether those ties pose a threat to United States national security.

This matter is being treated as a Sensitive Investigative Matter based on the fact that the TRUMP ORGANIZATION is affiliated with a current U.S. Presidential candidate. As such, FBI Chicago requests that FBIHQ/NSLB coordinate with the US DEPARTMENT OF JUSTICE to provide all appropriate notifications required by the DIOG.

So it was sensitive because it related to Trump Organization, and only through that corporate human, to the biological human who was a presidential candidate. Even there, the EC at least envisioned, appropriately, that Trump might be a victim of this, as he would be if someone were trying to infiltrate the campaign or his company.

And in fact, Durham’s own evidence supports the predication against Alfa. The script that Durham falsely suggested (he will be disproven on this point later) were the basis for the research in the technical white paper was focused on Alfa Bank.

There is another that includes the anomalous mail server in question, right next to dcleaks — a query that may well have returned data on Roger Stone’s pre-public searches on the domain, and in any case, since this was entered as a government exhibit, should have obliged Durham to turn over details of these Stone searches.

It’s only a request from July 2017 — probably in conjunction with Dan Jones’ attempt to chase down this anomaly — that the searches were called “Trump query jobs,” and even there, one was focused on Alfa Bank.

The FBI viewed this as an investigation into Alfa Bank, and Joffe’s data requests actually reinforce that.

That creates three problems for Durham.

First, on redirect, DeFilippis got his star cyber agent Scott Hellman, to offer up this explanation for why he found the white paper crap when the counterintelligence people saw something more. It’s about the data, his star witness said.

Q. Now the counterintelligence division, when they look at information like this, are they looking at it with an eye towards the same issues or different issues from the cyber division?

A. Um, I think they’d probably be looking at it from the same vantage point, but if you’re not — you don’t have experience looking at technical logs, you may not have the capability of doing a review of those logs. You might rely on somebody else to do it. And perhaps counterintelligence agents are going to be thinking about other investigative questions. So I guess it would probably be a combination of both.

Never mind that the evidence shows that Hellman didn’t look closely at the data, which caused him to make a false claim in his own assessment of it. He should know that this tied in with the investigation into whom, in Trump’s camp, got advance notice that Russia was going to attack Hillary, because he was on an email that his boss, Nate Batty, sent laying out how the guy investigating George Papadopoulos had been called back to Chicago to also look at this.

Curtis has been working (TDY) the election issues and has been called back by CD to work matters related to this white paper. CG had a copy of the white paper I forwarded to you from CD channels, and was inquiring as to whether ECOU 1 had any logs or other data from the referenced server.

Sure, maybe his comment about “other investigative questions” covers Hellman here. But the reason CD looked at this differently is because they were hunting for the Trump associate who got advance notice of the hack-and-leak. Hellman knows that.

Another problem this creates for Durham is that — as laid out here — he accused Michael Sussmann of lying about sharing allegations about “a Presidential candidate.”

As Sussmann noted in a recent filing summarizing conflicting views on jury instructions, Durham’s indictment describes Sussmann’s alleged lie this way:

[O]n or about September 19, 2016, the defendant stated to the General Counsel of the FBI that he was not acting on behalf of any client in conveying particular allegations concerning a Presidential candidate, when in truth, and in fact, and as the defendant knew well, he was acting on behalf of specific clients, namely, Tech Executive-1 and the Clinton Campaign.

Never mind that Durham characterized the allegations as pertaining to “a Presidential candidate,” which presents other problems for Durham, he has also accused Sussmann of lying about having two clients.

Mr. Sussmann proposes modifying the last sentence as follows, as indicated by underlining: Specifically, the Indictment alleges that, on or about September 19, 2016, Mr. Sussmann, did willfully and knowingly make a materially false, fictitious, and fraudulent statement or representation in a matter before the FBI, in violation of 18 U.S.C. § 1001(a)(2), namely, that Mr. Sussmann stated to the General Counsel of the FBI that he was not acting on behalf of any client in conveying particular allegations concerning Donald Trump, when, in fact, he was acting on behalf of specific clients, namely, Rodney Joffe and the Clinton Campaign.5 The government objects to the defense’s proposed modification since it will lead to confusion regarding charging in the conjunctive but only needing to prove in the disjunctive.

4 Authority: Indictment.

5 Authority: Indictment.

Durham’s language about “conjunctive” versus “disjunctive” will likely be the matter for heated debate next week. Particularly in the wake of Cooper’s decision that the materials from the researchers won’t come in as evidence, Durham seems to be preparing to prove only that Sussmann lied about representing Hillary, and not about Joffe. Sussmann, meanwhile, seems to believe that Durham will have to prove that his alleged lie was intended to hide both alleged clients.

At least the people who opened this investigation didn’t see these allegations to pertain to Donald Trump, biological human They viewed them, first and foremost, as an allegation about Alfa Bank, and secondarily as an allegation about corporate human, Trump Organization.

This distinction will show up over and over again in the next week.

Finally, this goes to materiality. There was no way FBI was going to take allegations that might explain who got advance notice of the hack-and-leak attack on Hillary and not see if it answered that question. Durham wants to complain that this got opened as a Full Investigation when the allegations weren’t that strong. They weren’t! But the reason why it got opened as a Full Investigation is because Crossfire Hurricane had already been opened as a Full Investigation looking for the unknown subject who had gotten a heads up on Russia’s attack plans,

Sussmann has both Jonathan Moffa (who is included on this opening EC) and Michael Horowitz slotted as witnesses next week. He explicitly said that Moffa will address materiality and, depending on how things go, Horowitz’s determination that CH was properly predicated as a Full Investigation might become an issue as well.

In other words, Durham is going to have to talk about Crossfire Hurricane.

And from there, things could get worse, because we know Durham didn’t provide discovery to allow Sussmann to fully argue these issues.

John Durham is prosecuting Michael Sussmann because he brought allegations to the FBI about a bank that has now been sanctioned as part of an effort to halt Russia’s efforts to dismantle democracies in Ukraine and elsewhere, including the United States. Yet for months, he has claimed that such a tip did grave damage to Donald Trump.

Other Sussmann trial coverage

Scene-Setter for the Sussmann Trial, Part One: The Elements of the Offense

Scene-Setter for the Sussmann Trial, Part Two: The Witnesses

The Founding Fantasy of Durham’s Prosecution of Michael Sussmann: Hillary’s Successful October Surprise

With a Much-Anticipated Fusion GPS Witness, Andrew DeFilippis Bangs the Table

John Durham’s Lies with Metadata

emptywheel’s Continuing Obsession with Sticky Notes, Michael Sussmann Trial Edition

Brittain Shaw’s Privileged Attempt to Misrepresent Eric Lichtblau’s Privilege

The Methodology of Andrew DeFilippis’ Elaborate Plot to Break Judge Cooper’s Rules

Jim Baker’s Tweet and the Recidivist Foreign Influence Cheater

That Clinton Tweet Could Lead To a Mistrial (or Reversal on Appeal)

Jim Baker’s Tweet and the Recidivist Foreign Influence Cheater

Thanks to those who’ve donated to help defray the costs of trial transcripts. Your generosity has funded the expected costs. If you appreciate the kind of coverage no one else is offering, we’re still happy to accept donations for this coverage — which reflects the culmination of eight months work. 

In my post on what prosecutors need to prove to win their case against Michael Sussmann, I noted they had to prove that:

  • Sussmann said the lie that they claim he did: that he affirmatively said he was not sharing the Alfa Bank allegations on behalf of a client
  • He said it on September 19, and not just on September 18
  • It was an intentional lie
  • It was material, meaning the alleged lie mattered to the operation of the FBI

I think the government has, in some ways, done best presenting their materiality arguments (but then, that’s the lowest bar). But even there, exhibits submitted at trial show that at least two of the key decision-makers on investigative issues had received a text referencing that this was a DNC report; Andrew DeFilippis speculated with one of the witnesses who received the text that it was a typo for DNS. And it appears, in multiple situations, people just assumed that Sussmann was at the FBI on behalf of the Hillary campaign, and took it into account. That said, Berkowitz got Baker — who was a key player in the Stellar Wind story that Eric Lichtblau held through an election in 2004 — to explain how important, from a national security perspective, it can be to hold certain stories.

And as I’ll show, Sussmann’s team may have something very special in store to make their materiality argument.

Regarding whether his statement that he was not there “on behalf of any client,” I think Sussmann has made a very good case that he meant his comment to Jim Baker on September 18 that he wanted to help the FBI. Both Marc Elias and Robbie Mook testified that sharing advance warning of a story they wanted to come out was the last they would have wanted or approved, because Jim Comey had done so much to damage the campaign. Particularly if Eric Lichtblau testifies, Sussmann will have a powerful story about all the damage that going to the FBI did to the campaign.

As to the other questions, they all go to Baker’s credibility on the stand.

I can’t say how the jury reacted, but I think prosecutors really didn’t do what they needed to do to prove that Sussmann repeated his comment about not meeting with Baker on behalf of any client and, then, hiding it when he helped the FBI kill the story later in the week. And Berkowitz did even more to show the changing nature of Baker’s statements about the meeting over time.

I did two long twitter threads on Sean Berkowitz’ cross-examination of Baker (Thursday night, Friday morning). I think Berkowitz achieved the following:

  • Used Baker to define “lie” as having an intention to deceive.
  • Made it clear that Baker reconstructed his understanding of his face-to-face meeting with Sussmann with the help of a chain of custody log that an FBI agent referring to the process called “doctored.” That’s going to provide Sussmann’s team a great metaphor to explain what Baker’s memory consists of.
  • Got Baker to suggest his memory of what happened on September 19 amounted to “words to that effect” of what has been charged.
  • Got Baker to agree that there’s at least a 25% chance Sussmann told him he had a client on September 21, which would be proof he wasn’t hiding a client.
  • Foregrounded the possibility that Baker could be prosecuted for his many inconsistent statements, including some that were made in 2018 and some that were made months ago. The statute of limitations on Baker’s inconsistent statements won’t expire until 2027.
  • Showed that Baker’s testimony on the stand was inconsistent with things he told Durham even in recent months; and Baker continues to not remember key details both of what happened on September 19 but also much more recently.
  • Showed that Baker’s reconstructed memory shifts at times from “that matter” (collecting the data) to the meeting itself; this is a reconstructed memory that can only come from prosecutors.
  • Demonstrated that Durham withheld at least three documents that could have “refreshed” Baker’s memory to believing Sussmann had told him he had a client.
  • Placed Durham in the room for some of the key sessions — including in Summer 2020, when Barr and Trump were pressuring Durham to show some results in time for the election — when Baker’s memory was “refreshed.”

Those threads were hard to write and I’m sure even more painful for people who are friends of one or both men to read. The story Berkowitz told was how, through the relentless grind of Republican blowhards and the Trump DOJ’s politicized investigations, Baker came to “remember” testimony that could put his friend, Sussmann, someone who had tried to get him a job when he was at a really bad point in his life, in prison.

There was no way out for Sussmann except to destroy his friend. And Berkowitz at least made it seem that Baker had believed there was no way out for him except to “refresh” his memory to match what Durham wanted.

I suspect it likely that Sussmann’s team will point out that Durham is choosing to prosecute just the people whose story doesn’t match the one that Durham wants to tell. It’s not just Baker whose testimony to Durham is inconsistent with provable facts, but Durham is not prosecuting any of the witnesses who are saying what he wants them to.

With all that as background I want to point to something subtle that I suspect will become part of that theme. Ostensibly to address materiality — Baker’s belief, one he shared with Congress in 2018 but contradicted under coaching by Durham on the stand — that if you have a national security tip you need to feel free to come to the FBI. Baker tweeted it out on June 13, 2019.

This would have been posted weeks after Durham was appointed, which — Baker testified — led Baker to expect he’d be under criminal investigation again.

Q. And you, sir, were aware that Mr. Baker was — I mean, Mr. Durham was reappointed as special counsel, correct, in or around 2019?

A. For this matter?

Q. yes.

A. yes.

Q. And when that happened, you were concerned, were you not?

A. Concerned about what?

Q. That Mr. Durham might come and investigate you more?

A. I wasn’t concerned about it. I expected it.

Q. All right. You expected to be investigated further by Mr. Durham. Correct?

A. Correct.

After having laid out how Baker had been investigated by Durham as part of a leak investigation for years, Berkowitz even introduced a text that Baker sent Ben Wittes the day after Durham was appointed saying, “now I get to be investigated for another year or two by John Durham. Lovely.”

But the tweet about going to the FBI wasn’t about Durham and it wasn’t random.

Rather, it was a response to something Trump said in an interview with George Stephanopoulos, between the time Mueller wrapped up his investigation, in part, of Trump’s request, “Russia, are you listening,” in 2016 and the time Trump asked Volodymyr Zelensky, “but first, I would like you to do us a favor.” On the same day Baker encouraged people to go to the FBI if they had evidence, ABC posted an interview in which Trump said,

“It’s not an interference, they have information — I think I’d take it,” Trump said. “If I thought there was something wrong, I’d go maybe to the FBI — if I thought there was something wrong. But when somebody comes up with oppo research, right, they come up with oppo research, ‘oh let’s call the FBI.’ The FBI doesn’t have enough agents to take care of it. When you go and talk, honestly, to congressman, they all do it, they always have, and that’s the way it is. It’s called oppo research.”

I’m not precisely sure how Sussmann’s team is going to use this tweet, beyond the materiality question, materiality about precisely this situation, whether someone should share information with the FBI after their opponent solicited help from a hostile foreign government.

But it sure seems to be evidence of more than just materiality.

The Methodology of Andrew DeFilippis’ Elaborate Plot to Break Judge Cooper’s Rules

Thanks to those who’ve donated to help defray the costs of trial transcripts. Your generosity has funded the expected costs. If you appreciate the kind of coverage no one else is offering, we’re still happy to accept donations for this coverage — which reflects the culmination of eight months work. 

When Michael Sussmann attorney Sean Berkowitz was walking FBI Agent Scott Hellman through the six meetings he had with Durham’s team on Tuesday — meetings he first had as a witness about the investigation into the Alfa Bank allegations and later in preparation for his trial testimony — Berkowitz asked Hellman about how, sometime earlier this year, Andrew DeFilippis and Jonathan Algor asked him whether he could serve as their DNS expert for the trial.

Q And then, more recently, you met with Mr. DeFilippis and I think Johnny Algor, who is also at the table here, who’s an Assistant U.S. Attorney. Correct?

A. Yes.

Q. They wanted to talk to you about whether you might be able to act as an expert in this case about DNS data?

A. Correct.

To Hellman’s credit, he told Durham’s prosecutors — who have been investigating matters pertaining to DNS data for two years — that he only had superficial knowledge of DNS and so wasn’t qualified to be their expert.

Q. You said, while you had some superficial knowledge, you didn’t necessarily feel qualified to be an expert in this case, correct, on DNS data?

A. On DNS data, that’s correct.

It wasn’t until the third day of trial before Durham’s team presented any evidence about the alleged crime. Instead, Durham’s first two witnesses were their nominal expert, David Martin, and Hellman, who told Durham he wasn’t an expert but who offered opinions he neither had the expertise to offer nor had done the work to substantiate.

That’s important, because DeFilippis used him to provide an opinion only an expert should give. And virtually everything about his testimony — his claim to have relied on the data in the materials without looking at the thumb drives, an apparently made up claim about the timing of the analysis, and behaviors that the FBI normally finds suspicious — suggest he’s not only not a DNS expert qualified to assess this report, but his assessment of the white paper Sussmann shared also suffers from serious credibility issues.

The battle over an expert

The testimony of the nominal expert, David Martin, was remarkably nondescript, particularly given the fight that led up to his testimony. Durham’s team sprung even having an expert on Sussmann at a really late date: on March 30, after months of blowing off Sussmann’s inquiries if they would. Not only did they want Martin to explain to the jury what DNS and Tor are, Durham’s team explained, but they also wanted him to weigh in on the validity of conclusions drawn by researchers who had found the anomaly.

  • the authenticity vel non of the purported data supporting the allegations provided to the FBI and Agency-2;
  • the possibility that such purported data was fabricated, altered, manipulated, spoofed, or intentionally generated for the purpose of creating the false appearance of communications;
  • whether the DNS data that the defendant provided to the FBI and Agency-2 supports the conclusion that a secret communications channel existed between and/or among the Trump Organization, Alfa Bank, and/or Spectrum Health;

[snip]

  • the validity and plausibility of the other assertions and conclusions set forth in the various white papers that the defendant provided to the FBI and Agency-2;

As Sussmann noted in his motion to limit Martin’s testimony, he didn’t mind the testimony about DNS and Tor. He just didn’t want this trial to be about the accuracy of the data, especially without the lead time to prepare his own expert.

As the Government has already disclosed to the defense, should the defense attempt to elicit testimony surrounding the accuracy and/or reliability of the data that the defendant provided to the FBI and Agency-2, Special Agent Martin would explain the following:

  • That while he cannot determine with certainty whether the data at issue was cherry-picked, manipulated, spoofed or authentic, the data was necessarily incomplete because it was a subset of all global DNS data;
  • That the purported data provided by the defendant nevertheless did not support the conclusions set forth in the primary white paper which the defendant provided to the FBI;
  • That numerous statements in the white paper were inaccurate and/or overstated; and
  • That individuals familiar with these relevant subject areas, such as DNS data and TOR, would know that such statements lacked support and were inaccurate and/or overstated.

Based off repeated assurances from Durham that they weren’t going to make accuracy an issue in their case in chief, Judge Cooper ruled that the government could only get into accuracy questions if Sussmann tried to raise the accuracy of the data himself. But if he said he relied on the assurances of Rodney Joffe, it wouldn’t come in.

The government suggests that Special Agent Martin’s testimony may go further, depending on what theories Sussmann pursues in cross-examination or his defense case. Consistent with its findings above, the Court will allow the government’s expert to testify about the accuracy (or lack thereof) of the specific data provided to the FBI here only in certain limited circumstances. In particular, if Sussmann seeks to establish at trial that the data were accurate, and that there was in fact a communications channel between Alfa Bank and the Trump Campaign, expert testimony explaining why this could not be the case will become relevant. But, as the Court noted above, additional testimony about the accuracy of the data—expert or otherwise—will not be admissible just because Mr. Sussmann presents evidence that he “relied on Tech Executive-1’s conclusions” about the data, or “lacked a motive to conceal information about his clients.” Gov’s Expert Opp’n at 11. As the Court has already explained, complex, technical explanations about the data are only marginally probative of those defense theories. The Court will not risk confusing the jury and wasting time on a largely irrelevant or tangential issue. See United States v. Libby, 467 F. Supp. 2d 1, 15 (D.D.C. 2006) (excluding evidence under Rule 403 where “any possible minimal probative value that would be derived . . . is far outweighed by the waste of time and diversion of the jury’s attention away from the actual issues”).

Then, days before the trial, the issue came up again. Durham sent a letter on May 6 (ten days before jury selection), raising a bunch of new issues they wanted Martin to raise. Sussmann argued that Durham was trying to expand the scope of what his expert could present. Among his complaints, Sussmann argued that Durham was trying to make a materiality argument via his expert witness.

Third, the Special Counsel apparently intends to offer expert testimony about the materiality of the false statement alleged in this case. Indeed, the Special Counsel’s supplemental topic 9 regarding the importance of considering the collection source of DNS data is plainly being offered to prove materiality. But the Special Counsel did not disclose this topic in either his initial expert disclosure or Opposition, and the Court’s ruling did not permit such testimony. The Special Counsel should not now be allowed to offer an entirely new expert opinion under the guise of eliciting testimony regarding the types of conclusions that can be drawn from a review of DNS data.

Judge Cooper considered the issue Tuesday morning, before opening arguments. When asking why Martin had to present the concept of visibility, DeFilippis explained that Hellman–the Agent who’s not an expert on DNS but whom DeFilippis nevertheless had asked to serve as an expert on DNS–would talk about the import of knowing visibility to assess data.

THE COURT: Well, but isn’t the question here whether a case agent — is your case agent later going to testify that that was something that the FBI looked at or wanted to look at in this case and was unable to do so, and that that negatively affected the FBI’s investigation in some way? MR.

DeFILIPPIS: Yes, and I expect Special Agent Hellman, who will testify likely today, Your Honor, I expect that that is a concept that he will say was relevant to the determination that — determinations he was making as he drafted analysis of the data that came in. And, again, I don’t think we — for example, another way in which this comes up is that the FBI routinely receives DNS data from various private companies who collect that data, and it is always relevant sort of the breadth of visibility that those companies have. So it’s relevant generally, but also in this particular case the fact that the FBI did not have insight into the visibility or lack of visibility of that data certainly affected steps that the FBI took.

THE COURT: Okay. But Mr. Sussman has not been accused of misrepresenting who the source is. He’s simply — but rather who the client is. So how do you link that to the materiality of the alleged false statement?

MR. DeFILIPPIS: Because, Your Honor, I think we view them as intertwined. It was because — it was in part because Mr. Sussman said he didn’t have a client that made it more difficult for the FBI to get to the bottom of the source of this data or made it less likely they would, and so — and, again, I don’t think we expect to dwell for a long time on this, but I think the agents and the technical folks will say that that is part of why the origins of the data are extremely relevant when they took investigative steps here.

When Cooper noted Sussmann’s objection to Martin discussing possible spoofing of data, DeFilippis again answered not about what Martin would testify, but what Hellman would.

As DeFilippis explained, he claimed to believe that under Cooper’s ruling, the government could put in any little thing they wanted that they claimed had been part of the investigation.

And Special Agent Hellman, when he testifies today — now, Your Honor’s ruling we understand to permit us to put into evidence anything about what the FBI analyzed and concluded as its investigation unfolded because that goes to the materiality of the defendant’s statement. So Special Agent Hellman — through Agent Hellman we will offer into evidence a paper he prepared when the data first came in, and among its conclusions is that the data might — he doesn’t use the word “spoof” — but might have been intentionally generated and might have been fabricated. That was the FBI’s initial conclusion in what it wrote up.

So in order for the jury to understand the course of the FBI’s investigation and the conclusions that it drew at each stage, those concepts are at the center of it.

[snip]

MR. DeFILIPPIS: Okay. Your Honor, I’m sorry. We understood your ruling to be that the FBI’s conclusions as it went along were okay as long as we weren’t asserting the conclusion that it was, in fact, fabricated. You know, I mean, it’s difficult to chart the course of the FBI’s investigation unless we can elicit at each stage what it is that the FBI concluded.

Judge Cooper ordered that references to spoofing be removed — leading to a last minute redaction of an exhibit — but permitted a discussion of visibility to come in.

After all that fight, Martin’s testimony was not only bland, but it was recycled powerpoint. He not only admitted lifting the EFF description of Tor for his PowerPoint, but he included their logo.

Hellman delivers the non-expert expert opinion Durham was prohibited from giving

As I said, Martin was witness number one, Hellmann — the self-described non-expert in DNS — was witness number two.

Even though Hellman admitted, again, that he’s not a DNS expert, DeFilippis still had him go over what DNS is.

Q. How familiar or unfamiliar are you with what is known as DNS or Domain Name System data?

A. I know the basics about DNS.

Q. And in your understanding, on a very basic level, what is DNS?

A. DNS is basically how one computer would try and communicate with another computer.

After getting Hellman to explain how he purportedly got chain of custody signatures on September 20, 2016 for the materials Michael Sussmann dropped off with James Baker on September 19, DeFilippis walked Hellman through how, he claimed, he had concluded that the allegations Sussmann dropped off were unsupported. Hellman reviewed the data accompanying the white paper, Durham’s star cybersecurity witness claimed on the stand, and after reviewing that data, determined there was no allegation of a hack in the materials and therefore nothing for the Cyber Division to look at. And, as a report he wrote “within a day” summarized, he concluded the methodology was horrible.

As you read the following exchange, know that (as I understand it) some, if not most, of what Hellman describes as the methodology is wrong. Obviously, if Hellman’s understanding of the methodology is wrong, then the opinion that DeFilippis elicits from a guy who admitted he was not an expert on DNS but whom DeFilippis nevertheless asked to serve as his expert witness on DNS before inviting David Martin in to present slides lifted from the Electronic Frontier Foundation instead [Takes a breath] … If Hellman’s understanding of the methodology and the data he’s looking at is wrong, then his opinion about the methodology is going to be of little merit.

With that understanding, note the objection of Sean Berkowitz, who fought DeFilippis’ late hour addition of an expert that DeFilippis wanted to use to opine on the validity of the research, bolded below.

So we looked at the top part, which set out your top-line conclusion. You then have a portion of the paper that says, “The investigators who conducted the research appear to have done the following.” Now, Special Agent Hellman, it appears to be a pretty technical discussion, but can you just tell us, in that first part of the paper, what did you set out and what did you conclude?

A. It looks to be that they were looking for domains associated with Trump, and the way that they did that was they looked at a list of sort of all domains and looked for domains that had the word “Trump” in them as a way to narrow down the number of domains they were looking at.

And then they wanted to find, well, which of that initial set of Trump domains, which of them are email servers associated with those domains. And the way they did that was to search for terms associated with email, like “mail” or other email-related terms to then narrow down their list of domains even further to be Trump-associated domains that were email servers.

Q. And did you opine on the soundness of that methodology? In other words, did you express a view as to whether this was a good way to go about this project?

A. We did not — I did not feel that that was the most expeditious way to go about identifying email servers associated with the domain.

Q. And why was that?

A. You can name an email server anything you want. It doesn’t have to have the words “mail” or “SMTP” in it. And so by — if you’re just searching for those terms, I would wager to guess you would miss an actual email server because there are other — there are other more technical ways that you can use — basically look-up tools, Internet look-up tools where you can say, for any domain, tell me the associated email server. That’s essentially like a registered email server. But the way that they were doing it was they were just looking for key terms, and I think that it just didn’t make sense to me why they would go about identifying email servers that way as opposed to just being able to look them up.

Q. Was there anything else about the methodology used here by the writer or writers of this paper that you found questionable or that you didn’t agree with?

A. I think just the overall assumptions that were being made about that the server itself was actually communicating at all. That was probably one of the biggest ones.

Q. And what, if anything, did you conclude about whether you believed the authors of the paper or author of the paper was fairly and neutrally conducting an analysis? Did you have an opinion either way?

MR. BERKOWITZ: Objection, Your Honor.

THE COURT: Basis?

MR. BERKOWITZ: Objection on foundation. He asked him his opinion. He’s not qualified as an expert for that.

THE COURT: I’ll overrule it.

A. Sorry, can you please repeat the question?

Q. Sure. Did you draw a conclusion one way or the other as to whether the authors of this paper seemed to be applying a sound methodology or whether, to the contrary, they were trying to reach a particular result? Did you —

A. Based upon the conclusions they drew and the assumptions that they made, I did not feel like they were objective in the conclusions that they came to.

Q. And any particular reasons or support for that?

A. Just the assumption you would have to make was so far reaching, it didn’t — it just didn’t make any sense.

That’s how, as his second witness, Andrew DeFilippis introduced the opinion of a guy who admitted he wasn’t an expert on DNS that DeFilippis had asked to serve as an expert even though DeFilippis should have known that he didn’t have the expertise to offer expert opinions like this.

If Sussmann is found guilty, I would bet a great deal of money this stunt will be one part of a several pronged appeal, because Judge Cooper permitted DeFilippis to do precisely what Cooper had prohibited him from doing before trial, and he let him do it with a guy who by his own admission is not a DNS expert.

Cyber Division reaches a conclusion without looking at the thumb drives

Now let’s look at what Hellman describes his own methodology to be.

First, it was quick. DeFilippis seems to think that serves his narrative, as if this stuff was so crappy that it took a mere glimpse to discredit it.

Q. Special Agent Hellman, how long would you say it took you and Special Agent Batty to write this up?

A. Inside of a day.

Q. Inside of a day, you said?

Berkowitz walked Hellman through the timeline of it, and boy was it quick. There’s some uncertainty about this timeline, because John Durham’s office doesn’t feel the need to make clear whether exhibits they’re turning over in discovery reflect UTC or ET. But I think I’ve laid it out below (Berkowitz got it wrong in cross-examination, which DeFilippis used to attack his analysis).

As you can see, not only were FBI’s crack cybersecurity agents making a final conclusion about the data within a day but — by all appearances — they did so before they had ever looked at the thumb drives included with the white papers. From the record, it’s actually not clear when — if!!! — they looked at the thumb drives. But it’s certain they had their analysis finalized no more than one working day after they admitted they hadn’t looked at the thumb drive, which was itself after they had already decided the white paper was shit.

Timeline

September 20, 10:20AM: Nate Batty tells Jordan Kelly they’ll come from Chantilly to DC get the thumb drives

September 20, 10:31AM: Jordan Kelly tells Batty the chain of custody is “Sussman to Strzock to Sporre”

September 20, 12:29PM: Hellman and Nate Batty accept custody of the thumb drives

September 20, 1:30PM: Hour drive back to Chantilly, VA

September 20, 4:44PM: Hellman appears to explain the process of picking up the thumb drives to jrsmith, claiming to have spoken to Baker on the phone. jrsmith jokes about “doctor[ing] a chain of evidence form.”

September 20, 4:58: Hellman says the more he reads the report “it feels a little 5150ish,” suggesting (as he explained to Berkowitz on cross) the authors suffered from a mental disability, and Hellman complains that “it contains an absurd quantity of data” to which Batty responded, the data seemed “inserted to overwhelm and confuse the reader.”

September 21, 8:47AM: Batty tells Hellman their supervisor wants them to “write a brief summary of what we think about the DNC report.” Batty continues by suggesting that “we should at least plug the thumb drives into Frank’s computer and look at the files…”

9/22, 9:44AM: Curtis Heide, in Chicago, asks Batty to send the contents of the thumb drive so counterintelligence agents can begin to look at the evidence. The boys in Cyber struggle to do so for a bit.

9/22, 2:49PM: Batty asks Hellman what he did with the blue thumb drive.

9/22, 4:46PM: Batty sends “analysis of Trump white paper” to others.

In other words, the cyber division spent less than 28 hours doing this analysis.

Yes. The analysis was quick.

Hellman says his analysis is valid because he looked at the data

The hastiness of the analysis and the fact that Hellman didn’t look at the thumb drive before making initial conclusions about the research is fairly problematic, because when he discussed his own methodology, he described the data driving everything.

Q. Now, what principally, from the materials, did you rely on to do your analysis?

A. So it was really two things. It was looking at the data, the technical data itself. There was a summary that it came with. And then also we were comparing what we saw in the data, sort of the story that the data told us, and then looking at the narrative that it came with and comparing our assessment of the data to the narrative.

[snip]

Q. And in connection with that analysis, did you also take a look at the data itself that was underlying this paper?

A. Yes

[snip]

Q. And if we look at that first page there, Agent Hellman, what kind of data is this?

A. It appears to be — as far as I can tell, it looks to be — it’s log data. So it’s a log that shows a date and a time, a domain, and an IP address. And, I mean, that’s — just looking at this log, there’s not too much more from that.

Q. And do you understand this to be at least a part of the DNS data that was contained on the thumb drives that I think you testified about earlier?

A. Yes.

[snip]

A. It would have mattered — well, I think on one hand it would not have mattered from the technical standpoint. If I’m looking at technical data, the data’s going to tell me whatever story the data’s going to tell me independent of where it comes from. So I still would have done the same technical analysis.

But knowing where the data comes from helps to tell me — it gives me context regarding how much I believe in the data, how authentic it is, do I believe it’s real, and do I trust it. [my emphasis]

He repeated this claim on cross with Berkowitz.

I just disagreed with the conclusions they came to and the analysis that they did based upon the data that came along with the white paper.

When Berkowitz asked him why counterintelligence opened an investigation when Cyber didn’t, Hellman suggested that the people in CD wouldn’t understand how to read the technical logs.

A. Um, I think they’d probably be looking at it from the same vantage point, but if you’re not — you don’t have experience looking at technical logs, you may not have the capability of doing a review of those logs. You might rely on somebody else to do it. And perhaps counterintelligence agents are going to be thinking about other investigative questions. So I guess it would probably be a combination of both.

“If I’m looking at technical data,” DeFilippis’ star cybersecurity agent explained, “the data’s going to tell me whatever story the data’s going to tell me.”

Except he didn’t look at the technical data, at least not the data on the thumb drives, before he reached his initial conclusion.

Hellman makes a claim unsupported by the data in his own analysis

I’ll leave it to people more expert than me to rip apart Hellman’s own analysis of the white paper Sussmann shared with the FBI. In early consultations, I’ve been told he misunderstood the methodology, misunderstood how researchers used Trump’s other domains to prove that just one had this anomaly (that is, as a way to test their hypothesis), and misstated the necessity of some long-term feedback loop for this anomaly to be sustained. Again, the experts will eventually explain the problems.

One part of his report that I know damns his methodology, however, is where he says the researchers,

Searched “…global nonpublic DNS activity…” (unclear how this was done) and discovered there are (4) primary IP addresses that have resolved to the name “mail1.trump-email.com”. Two of these belong to DNS servers at Russian Alfa Bank. [my emphasis]

This is the point where every single person I know who assessed these allegations who is at least marginally expert on DNS issues stopped and said, “global nonpublic DNS activity? There are only a handful of people that could be!” See, for example, this Robert Graham post written in response to the original Slate story, perhaps the most influential critique of the allegations, probably even on Durham. Every marginally expert person I know has, upon reading something like that, tried to figure out who would have that kind of visibility on the data, because that kind of visibility, by itself, would speak to their expertise. Those marginally expert people did not have the means to identify the possible sources of the data. But a lot of them — including the NYTimes!! — were able to find people who had that kind of visibility to better understand the anomaly. When Hellman read that, he simply said, “unclear how this was done” and moved on.

Still, Hellman did not contest (or possibly even test) the analysis that said there were really just four IP addresses conducting look-ups with the Trump marketing server. Dozens of people have continued to test that result in the years since, and while there have been adjustments to the general result, no one has disproven that the anomaly was strongest between Alfa Bank and Trump’s marketing domain.

Where Hellman’s insta-analysis really goes off the rails, however, is in his assertion that, “it appears that the presumed suspicious activity began approximately three weeks prior to the stated start date of the investigation conducted by the researcher.”

I’m not a DNS expert, but I’m pretty good at timelines, and by my read here are the key dates in the white paper.

May 4, 2016: Beginning date for look-up analysis

July 28, 2016: Lookup for hostnames yielding Trump

September 4, 2016: End date for look-up analysis

September 14, 2016: Updated search for look-ups covering June 17 through September 14

The start date reflected in this white paper is July 28, 2016. Three weeks before that would be July 7, 2016, a date that doesn’t appear in the white paper. The anomaly started 85 days before the start date reflected in this white paper (and the start date for the research began months earlier, but still over three weeks after the May 4 start date).

I don’t understand where he got that claim. But DeFilippis repeated it on the stand, as if it were reflected in the data, I guess believing it makes his star cybersecurity agent look good.

DeFilippis’ star cybersecurity agent has some credibility problems

There are a few more problems with the credibility of Hellman, DeFilippis’ star cybersecurity agent who is not a DNS expert. One of those is that he compared notes with his boss before first testifying.

Q: And you also spoke with Nate Batty around that time, Right?

A: Yes.

Q: Did you talk to him before the first interview to kind of get ready for it?

A: I think so, but I don’t remember.

Q: Is that something that you encourage witnesses to do, to talk to other witnesses to see if your recollections are consistent?

A: No.

In addition, notwithstanding that Batty was told that Sussmann was in the chain of control, Batty claimed to believe the source was “anonymous” and Hellmann claimed to believe it was sensitive–a human source. Even after comparing notes their stories didn’t match.

There are other problems with Hellman’s memory of the events, notably that in his first interview — the one he did shortly after comparing notes with Batty — he claimed that Baker had told him he was unable to identify the source of the data.

Q. And when you went to Mr. Baker’s office, do you remember what, if anything, was said during that discussion or during that interaction?

A. I remember being in the office, but I don’t distinctly recall what the conversation was. I do remember after the fact, though, that I was frustrated that I was not able to identify who had provided these thumb drives, this information to Mr. Baker. He was not willing to tell me.

At the very least, this presents a conflict with Baker’s testimony, but it’s also another testament to how variable memories can be four years, much less six years, after the fact.

Hellman also claimed, when asked on cross, that the first time he had ever seen the reference to a “DNC report” in September 21 Lync notes he received was two years ago, when he was first interviewed.

A: The first time I saw this was two years ago when I was being interviewed by Mr. DeFilippis, and I don’t recall ever seeing it. I never had any recollection of this information coming from DNC. I don’t remember DNC being a part of anything we read or discussed.

Q: Okay. When you say, the first time you saw it was two years ago when you met with Mr. DeFilippis, that’s not accurate. Right? You saw it on September 21st, 2016. Correct?

A: It’s in there. I don’t have any memory of seeing it.

And when Sean Berkowitz asked about Hellman the significance of seeing the reference to a “DNC report” first thing on September 21, he described that DeFilippis suggested to him that it was likely just a typo for DNS.

Q. What’s your explanation for it?

A. I have no recollection of seeing that link message. And there is — I have absolutely no belief that either me or Agent Batty knew where that data was coming from, let alone that it was coming from DNC. The only explanation that popped or was discussed was that it could have been a typo and somebody was trying to refer to DNS instead of DNC.

Q. So you think it was a typo?

A. I don’t know.

Q. When you said the only one suggesting it — isn’t it true that it was Mr. DeFilippis that suggested to you that it might have been a typo recently?

A. That’s correct.

When asked about a topic for which there was documentary evidence Hellman had seen in real time that he claimed not to remember, Andrew DeFilippis offered up an explanation that Hellman then offered on the stand.

On the stand, DeFilippis also tried to get Hellman to call a marketing server a spam server, though Hellman resisted.

Once you look closely, I don’t think Hellman’s testimony helps Durham all that much. What it proves, however, is that DeFilippis attempted to coach testimony.

One final thing. DeFilippis got his star cybersecurity agent to observe that the researchers didn’t include their name or other markers on their report, as if that’s a measure of unreliablity.

Q. Now, let me ask you, were you able to determine from any of these materials who had actually drafted the paper alleging the secret channel?

A. No.

Q. In other words, was it contained anywhere in the documents?

Here’s what Hellman’s own report looks like:

There’s a unit — ECOU1 — but the names of the individual agents appear nowhere in the report. The report is not dated. It does not specifically identify the white papers and thumb drives by control numbers, something key to evidentiary analysis.

It has none of the markers of regularity you’d expect from the FBI. Hellman’s own analysis doesn’t meet the standards that DeFilippis uses to measure reliability.

This long-time Grand Rapids resident is furious that Hellman judged there was no hack

Everything above I write as a journalist who has tried to understand this story for almost six years. Between that and 18 years of covering national security cases, I hope I now have sufficient familiarity with it to know there are real problems with Hellman’s analysis.

But let me speak as someone who lived in Grand Rapids for most of this period, and had friends who had to deal with the aftermath of Spectrum Health appearing at the center of a politically contentious story.

Hellman had, as he testified, two jobs. First, he was supposed to determine whether there were any cyber equities, then he was supposed to do some insta-analysis of the data without first looking at the thumb drives.

According to Hellman, there was no hack.

I was asked to perform two tasks in tandem with Special Agent Batty, and our tasks were, number one, to look at this data, look at the data and look at the narrative that it came with and identify were there any what’s known as cyber equities. And by that it was, was there any allegation of a hacking. That’s what cyber division does. We investigate hacking. So was there an allegation that somebody or some company or some computer had been hacked. That was first.

[snip]

As I mentioned, the first piece was we had to identify was there any real allegation of hacking; and there was not. That was our first task by our supervisor. There was not.

[snip]

The allegation was that someone purported to find a secret communication channel between the Trump organization and Russia. And so we identified first that, no, we didn’t think that there was any cyber equity, meaning that there was probably nothing more for cyber to investigate further, if there was no hacking crime.

Except here’s what the white paper says about Spectrum, that Grand Rapids business that was swept up in this story.

The Spectrum Health IP address is a TOR exit node used exclusively by Alfa Bank. ie.,  Alfa Bank communications enter a Tor node somewhere in the world and those communications exit, presumably untraceable, at Spectrum Health There is absolutely no reason why Spectrum would want a Tor exit node on its system. (Indeed, Spectrum Health would not want a TOR node on its system because, by its nature, you never know what will come out of a TOR node, including child pornography and other legal content.)

We discovered that Spectrum Health is the victim of a network intrusion. Therefore, Spectrum Health may not know it has a TOR exit node on its network. Alternatively, the DeVos family may have people at Spectrum who know there is a TOR node. i.e.,  could have been placed there with inside help.

When faced with some anomalous activity that seemed to tie into the weird DNS traffic, the experts suggested that maybe the Spectrum hack related to the DNS anomaly.

To be clear, this Tor allegation is the the weakest part of this white paper. You will hear about this to no end over the next week. It was technically wrong.

But the allegation in the white paper is that maybe a recent hack of Spectrum Health is why it had this anomalous traffic with Trump’s marketing server. There’s your hack!!

Had the people at FBI’s cybersecurity side actually treated this as a possible compromise, it might have addressed the part of this story that never made any sense. And we might not, now, six years later, be arguing about what might explain it.

Let me be clear: I do think the white paper overstated its conclusions. I don’t think secret communication is the most obvious explanation here.

But there are hacks and then there are hacks in the testimony of DeFilippis’ star cybersecurity agent.

Update: Corrected an attribution to Batty instead of Hellman.

Update: Fixed my own timeline.

Update: Added link to Robert Graham’s analysis.

Update: This may be where Hellman gets his erroneous three week claim. There were two histograms included with the report. One, the close-up, does start around July 7.

But the broader scope shows look-ups earlier, very actively in June, but with a few stray ones in May.

The government didn’t include the pages and pages of logs that Batty complained about in this exhibit. Had they, it would be clear to jurors that this claim is false.

Update: Correction on two points. First, I think I’ve finally got the Lync exchange above correct between Batty and Hellman. As noted, Hellman complains that “it contains an absurd quantity of data” to which Batty responded, the data seemed “inserted to overwhelm and confuse the reader.”

Second, I was wading through exhibits this morning and found the exhibit of 19 pages of logs. Here’s just a subset of them, including logs that go back to May 2016. Hellman didn’t look even at the printed page of log files closely enough to realize his claim about three weeks was wrong. These data weren’t intended to overwhelm the reader. They were there to show how the anomaly accelerated during the election.

John Durham’s Lies with Metadata

Thanks to those who’ve donated to help defray the costs of trial transcripts. Your generosity has funded the expected costs. If you appreciate the kind of coverage no one else is offering, we’re still happy to accept donations for this coverage — which reflects the culmination of eight months work. 

I’d like to thank John Durham for showing us back in April how he was going to mislead the jury with metadata.

He appears to have done just that, yesterday, with several exhibits entered into evidence. And I fear that unless Durham’s lie is corrected, he will gravely mislead the jury.

As I pointed out in April, because of the email system at Fusion GPS, the first email in any thread they produced to Durham renders as UTC; the rest render as ET. So, for the emails on which one could check, the first email in every thread they released in April was four hours later than the time the email was actually sent.

Durham has revealed that his exhibit has irregularities in the emails pertaining to a key issue: whether Fusion sent out a link to April Lorenzen’s i2p site before Mark Hosenball sent it to them.

This shows up in the timestamps. In the exhibit, the lead email for each appearance appears to be set to UTC, whereas the sent emails included in any thread appear to be set to ET.

For example, in this screencap, the time shown for Mark Hosenball’s response to Peter Fritsch (the pink rectangle) is 1:35 PM, which is presumably Eastern Time.

In this screencap, the very same response appears to be sent at 5:36PM, which is presumably UTC.

Both instances of Peter Fritsch’s email (the green rectangle), “that memo is OTR–tho all open source,” show at 1:33PM, again, Eastern Time.

To be clear: this irregularity likely stems from Fusion’s email system, not DOJ’s. It appears that the email being provided itself is rendered in UTC, while all the underlying emails are rendered in the actual received time.

That means if you show someone only the first email in a thread, you will be misrepresenting what time that email was sent.

That’s what Durham did yesterday with a bunch of Fusion-produced emails he submitted during Laura Seago’s testimony, including (but not limited to):

Over and over, Andrew DeFilippis showed these to Laura Seago and asked her to state what date and time the emails were.

MR. DeFILIPPIS: Okay. And, Your Honor, if there’s no objection from the defense, we’ll offer Government’s Exhibit 612.

MR. BERKOWITZ: No objection.

THE COURT: So moved.

Q. Okay. So what is the date and time of this email?

A. October 5, 2016, at 5:23 p.m.

Q. And the “Subject” line?

A. “Re: so is this safe to look at” — excuse me — “so this is safe to look at.”

While these emails appear to have been produced to Durham at a later time (their Bates numbers from Fusion are about 3000 pages off some of the earlier ones), they’re from the same series and produced by the same custodian, so we should assume that the same anomaly that existed on the earlier ones exists here.

Seago hasn’t seen these emails for years and — because they were treated as privileged — she can only see the first email in a thread, even if there are replies in that thread (and there clearly are, in some of them). She had no way of knowing if she was looking at UTC time!

But Andrew DeFilippis surely does. Indeed, he’s prepping an attack on Sussmann for not understanding that Durham turned over Lync files from the FBI without making clear they, also, get produced in UTC. So he’s aware of which exhibits he has sent to Sussmann without clarifying the correct time. Yet over and over again, DeFilippis asked Seago what time these emails were sent, even though he likely knows (especially since these are files that are no longer privileged, so he has seen those that are threads) that he was deceiving her.

And the timing of these Fusion emails — and possibly some earlier ones exchanged with Rodney Joffe — almost certainly matter.

As I showed in my earlier post, because Durham didn’t fix the anomaly in these emails, they have created the false impression that an October 5 email from Mark Hosenball that shared public links to Tea Leaves’ files came in after Fusion sent it out to Eric Lichtblau. They appear to be prepping another deceit, this one conflating a link that Hosenball sent with one Seago found on Reddit.

Assuming the emails released yesterday share this same anomaly, here’s how the timeline would work out. I’ve bolded the ones that would be grossly misleading taken out of order.

5:23PM (could be 1:23?): Seago to Fritsch, Is this safe?

1:31PM: [not included] Fritsch to Hosenball email with Alfa Group overview

1:32PM: Fritsch sends Isikoff the September 1, 2016 Alfa Group overview (full report included in unsealed exhibit)

1:33PM [not included] Fritsch to Hosenball, “that memo is OTR — tho all open source”

1:35/1:36PM: Hosenball replies, “yep got it, but is that from you all or from the outside computer experts?”

1:37PM: Fritsch responds,

the DNS stuff? not us at all

outside computer experts

we did put up an alfa memo unrelated to all this

1:38PM: [not included] Hosenball to Fritsch:

is the alfa attachment you just sent me experts or yours ? also is there additional data posted by the experts ? all I have found is the summary I sent you and a chart… [my emphasis]

1:41PM: [not included] Fritsch to Hosenball:

alfa was something we did unrelated to this. i sent you what we have BUT it gives you a tutanota address to leave questions.  1. Leave questions at: [email protected]

1:41PM: [not included] Hosenball to Fritsch:

yes I have emailed tuta and they have responded but haven’t sent me any new links yet. but I am pressing. but have you downloaded more data from them ?

1:43PM: [not included] Fritsch to Hosenball, “no”

1:44PM: Fritsch to Lichtblau:

fyi found this published on web … and downloaded it. super interesting in context of our discussions

[mediafire link] [my emphasis]

2:23PM: [not included] Lichtblau to Fritsch, “thanks. where did this come from?”

2:27PM: [not included] Hosenball to Fritsch:

tuta sent me this guidance

[snip]

Since I am technically hopeless I have asked our techie person to try to get into this. But here is the raw info in case you get there first. Chrs mh

2:32PM: Fritsch to Lichtblau:

no idea. our tech maven says it was first posted via reddit. i see it has a tutanota contact — so someone anonymous and encrypted. so it’s either someone real who has real info or one of donald’s 400 pounders. the de vos stuff looks rank to me … weird

6:33PM (likely 2:33PM): Fwd Alfa Fritsch to Seago

6:57PM (like 2:57PM): Re alfa Seago to Fritsch

7:02PM (likely 3:02): Re alfa Seago to Fritsch

3:27PM: [not included] Fritsch to Hosenball cc Simpson: “All same stuff”

3:58PM: [not included] Hosenball to Fritsch, asking, “so the trumpies just sent me the explanation below; how do I get behind it?”

4:28PM: [not included] Fritsch to Hosenball, “not easily, alas”

4:32PM: Fritsch to Hosenball, cc Simpson:

Though first step is to send that explanation to the source who posted this stuff. I understand the trump explanations can be refuted.

 

 

What Durham will completely and utterly misrepresent if it doesn’t clarify this anomaly (and this is the second time they have declined to) is that Seago and Mark Hosenball both accessed different packages of the Tea Leaves materials, one of which then got sent out to Lichtblau. Between 2:33 and 2:57, Seago appears to have compared the files and told Fritsch, who then told Hosenball, that the packages were “all the same stuff.”

With a Much-Anticipated Fusion GPS Witness, Andrew DeFilippis Bangs the Table

Thanks to those who’ve donated to help defray the costs of trial transcripts. Your generosity has funded the expected costs. If you appreciate the kind of coverage no one else is offering, we’re still happy to accept donations for this coverage — which reflects the culmination of eight months work. 

Andrew DeFilippis has done several arguably unethical things in an attempt to win the Michael Sussmann trial.

He repeatedly attempted to get Marc Elias to repeat something Elias shouldn’t have said in the first place: that the only way to understand whether Sussmann had gone to the FBI to benefit the Hillary campaign would be to ask him (in response to which stunt Sussmann is asking for a mistrial).

DeFilippis also set up a ploy to get a non-expert to offer opinions that only an expert should offer (more on that later).

At times (such as during Neustar employee Steve DeJong’s testimony), DeFilippis seemed more focused on eliciting testimony that might help him make a case against Rodney Joffe than obtain a guilty verdict against Sussmann.

And in direct examination yesterday of Fusion’s Laura Seago (my reading of the transcript is here), he did both, violating Judge Cooper’s orders in an attempt to set up his ongoing investigation in a way that did nothing to help him win the trial against Sussmann.

For all the anticipation for it, Seago’s testimony was not all that helpful to Durham’s team. She described having about as much awareness of which Democratic entity Fusion’s ultimately client was as the FBI did on Carter Page’s FISA applications. She indicated that the Alfa Bank allegations were just one of a whole bunch of possible ties to Russia that Trump had. She described how, to the extent Fusion could assess the Alfa Bank allegations, they found them credible. In discussing Fusion’s pitch to Franklin Foer on the Alfa Bank story, she described the other major data scientists who had backed the Alfa Bank allegations, identities that Durham has always suppressed because they kill his conspiracy theory.

Q. And what was discussed? What did you say, and what did they say?

A. I really don’t remember the specifics six years on. We talked about the allegations between the Trump organization and Alfa-Bank. We talked about highly credible computer scientists who seemed to think that these allegations were credible.

Q. And by that, are you referring to Mr. Joffe or somebody else?

A. There were others that ended up being cited in Mr. Foer’s article. He cited L. Jean Camp and Paul Vixie, who invented the DNS system.

During cross-examination by Sussmann lawyer Sean Berkowitz, Seago made it clear she didn’t tell Foer about the FBI investigation into these matters.

Q. And with respect to your meeting with Mr. Foer, did you tell Mr. Foer that the FBI was investigating these allegations?

A. No. I had no knowledge of that investigation.

Q. So before your meeting with Franklin Foer, did you have any information that the FBI was involved in any way?

A. No.

Q. All right. Did Mr. Fritsch or anyone else at the meeting say, “The FBI is looking into this”?

A. Not that I can remember.

Also on cross, Seago described that her impression from having dealt with Joffe is that he really did believe the allegations too.

Q. And your impression of Mr. Joffe that was made at that meeting was that he was — he seemed reliable?

A. Yes.

Q. And he seemed well-placed to have knowledge and information about the server issues?

A. Yes, he did.

Q. And you understood that Mr. Joffe supported the suggestion that there was at least potential contact between Trump servers and Alfa-Bank servers?

A. Yes, I did.

MR. DeFILIPPIS: Objection, Your Honor.

THE COURT: Overruled.

Q. You answered the question?

A. Yes, I did understand that.

But it was in DeFilippis’ treatment of emails that Judge Cooper granted Durham’s team access to, but did not permit them to use at trial, where he got particularly obnoxious. Remember: while Durham’s team maintained from the start that the privilege claims behind these emails were not proper (because they were largely about communicating with the press, not about providing research assistance to the Democrats), the reason they didn’t get access to them was their own incompetence. They didn’t ask for a privilege review until right before trial.

DeFilippis has no one to blame but himself, but in true right wing fashion, he’s lashing out.

Perhaps in an attempt to make some drama out of documents that Cooper described “not very revelatory,” DeFilippis walked Seago through all the ones she was privy to, including those with Joffe that Cooper ruled were privileged.

Generally, such exchanges went something like this:

Q. Ms. Seago, does this appear to be part of the same chain as the prior email exchanges?

A. It has the same “Subject” line and says “Re,” so that is what it appears to be. I have no independent recollection of this email.

Q. And what, if any, connection in your mind did the Alfa Bank issue have to New York? I ask because “New York” is in the “Subject” line. Any sense?

A. I don’t know.

Q. And the attachment on this email, any sense of what that was?

A. I don’t know.

Note: there’s no reason to believe Seago has reviewed these emails recently.

That was all setup for DeFilippis’ last set of questions:

Q. Did you ever receive instructions that you couldn’t disclose your affiliation with Fusion GPS to the media?

A. No. I don’t remember hiding that affiliation from the media ever.

Q. Do you ever remember hiding or considering hiding that affiliation from anyone?

A. No.

Q. How certain are you of that?

A. I’m quite certain. You know, we don’t go around advertising who we are and where we work, but I certainly don’t lie to people, and I don’t lie to the press about where I work.

Q. Okay. So you’re fairly certain you never sought to conceal that?

A. Not that I can recall.

Immediately after Seago left the stand, DeFilippis asked for a bench conference (the DC Court adopted phones for the purpose during COVID and all the judges love them, so they’re keeping them). Seago’s answer to the question, DeFilippis noted, was inconsistent with the content of the email, which referenced Tea Leaves.

MR. DeFILIPPIS: Your Honor, could we speak to you on the phone?

THE COURT: Excuse me?

MR. DeFILIPPIS: Could we speak to you on the phone?

THE COURT: Yes. (The following is a bench conference outside the hearing of the jury)

MR. DeFILIPPIS: Your Honor, can you hear me now?

THE COURT: Yes.

MR. DeFILIPPIS: So we have an issue with regard to Ms. Seago’s testimony. The government followed carefully Your Honor’s order with regard to the Fusion emails that were determined not to be privileged but that the government had moved on.

As Your Honor may recall, there was an email in there in which Ms. Seago talks very explicitly about seeking to approach someone associated with the Alfa-Bank matter and concealing her affiliation with Fusion in the email. When we asked her broadly whether she ever did that, she definitively said no when I, you know, revisited it with her. So it raises the prospect that she may be giving false testimony.

And so we were — you know, I considered trying to refresh her with that, but I didn’t understand that to be in line with Your Honor’s ruling. So the government is — we’d like to consider whether we should be — we’d like Your Honor to consider whether we should be able to at least recall her and refresh her with that document?

THE COURT: I don’t remember that question, but the subject matter was concealing Fusion or her identities in conversations with the press. If I recall correctly, that email related to “tea leaves,” correct?

MR. DeFILIPPIS: Your Honor, I thought I had phrased it more broadly. We can go to the transcript.

THE COURT: Mr. Berkowitz?

MR. BERKOWITZ: Judge, I’m not familiar with the specifics. I’m happy to take a look at the transcript. I certainly got the impression he was asking if she had ever concealed Fusion as an entity from the press. That was what was asked in her deposition, and she answered the same way in her deposition. One thing, just to note, some of our paralegals can hear Mr. DeFilippis talking, so I suggest, just as a reminder, to keep your voices down.

MR. DeFILIPPIS: Sure, sure.

THE COURT: All right. Let me look at the transcript.

(Pause)

THE COURT: Can you hear me?

MR. DeFILIPPIS: Yes, Your Honor.

THE COURT: All right. Looking at the transcript, I think you did ask a more open-ended question. She said, “I don’t remember hiding that affiliation from the media ever.” And then you followed up, “Do you ever remember hiding or considering hiding that affiliation from anyone?” And she answered, “No.” I would — so I think that she — I think the email is inconsistent with her answer, Mr. Berkowitz. But the question now is whether they can refresh her with that email notwithstanding the Court’s order. And now she’s gone.

How are we going to do that even if we were to allow it? Is it worth the candle of calling her back?

MR. DeFILIPPIS: Your Honor, I understand she’s still in the building.

MR. BERKOWITZ: Your Honor, is this email privileged?

MR. DeFILIPPIS: This was one of the emails that was determined not to be privileged by Your Honor.

MR. BERKOWITZ: So why didn’t they impeach her with it when they had the chance?

MR. DeFILIPPIS: Your Honor, the reason is because I didn’t want to violate Your Honor’s order that we couldn’t use those affirmatively.

THE COURT: Well, I think the time to have asked the Court whether using the document to refresh was consistent with the order was before she was tendered and dismissed. So I think you waived your opportunity. All right? So we’re going to move on.

Frankly, I think using the formerly privileged emails to impeach was beyond the scope of Cooper’s order, too. This was an affirmative use of the email!

But this was nothing more than a perjury trap, and with it an attempt to get the content of the email DeFilippis had been prohibited from using before the jury. Cooper didn’t allow it in, though he shouldn’t have allowed that line of questions in either (had such questions been permitted, then Seago should have been permitted to refresh her own memory of them).

Probably, DeFilippis will consider charging her with perjury over this. I think the fact that both Judge Cooper and Berkowitz had the impression that the question pertained solely to outreach to the press, Seago’s reiteration that, “I don’t lie to the press about where I work,” reinforcing that understanding, plus her last minute caveat, “Not that I can recall,” would make such a case as flimsy as this one. Probably, DeFilippis will use this exchange as part of his bid to get access to some subset of the 1,500 other not very revelatory emails that Democrats have claimed privilege over.

But this was a stunt. It wasn’t about getting, or sharing, the truth with the jury (and any scenario in which I can imagine Seago trying to hide her identity with Tea Leaves would suggest a more distant relationship than even I imagined Fusion had, though I would love to know what it was).

When a prosecutor engages in as many stunts as DeFilippis has, it’s a confession he knows the facts are not on his side.

Scene-Setter for the Sussmann Trial, Part Two: The Witnesses

Thanks to those who’ve donated to help defray the costs of trial transcripts. Your generosity has funded the expected costs. If you appreciate the kind of coverage no one else is offering, we’re still happy to accept donations for this coverage — which reflects the culmination of eight months work. 

In this post, I laid out the elements of the offense, a single count of a false statement to the FBI, which will drive the outcome of the Michael Sussmann trial, in which jury selection begins today. As I showed, John Durham has to prove that:

  • Michael Sussmann said what Durham has accused him of saying, which is that he was not sharing information with the FBI on behalf of any client
  • Sussmann said that on September 19, not just September 18
  • Sussmann meant his statement to be understood to mean that no client of his had an interest in the data, as opposed to that he was not seeking any benefit for a client from the FBI
  • The lie made a difference in how the FBI operates

In this post I’d like to say a bit about the expected witnesses. Before I do, remember the scope of the trial, as laid out in several rulings from Judge Cooper.

  • Durham can only raise questions about the accuracy of the Alfa Bank anomaly if Sussmann does so first
  • He generally can only discuss how the data was collected via witnesses; with one exception, Cooper has ruled the emails between Rodney Joffe and researchers to be inadmissible in a trial about whether Sussmann lied
  • While Cooper found that 22 of 38 Fusion emails over which Democrats had claimed privilege were not privileged, he also ruled that because Andrew DeFilippis got cute in delaying his request for such a review, Durham can’t use those emails or pierce any related claims of privilege at trial
  • That leaves the unprivileged emails between Fusion and journalists, which Cooper has ruled admissible; he even considered changing his decision and letting a tweet from Hillary come in as evidence (though note that the emails Durham got pre-approved barely overlap with the emails Durham wants to use at trial, so there still could be problems admitting individual emails at trial)
  • Cooper ruled the communications between Rodney Joffe, the person who shared the DNS anomaly with Michael Sussmann, and Laura Seago, his connection with Fusion, were privileged
  • Cooper ruled that Sussmann can elicit testimony from witnesses, including Robby Mook and Marc Elias, about how Trump’s request that Russia hack Hillary some more made him not just a campaign opponent, but a threat to national security

As I noted, a dispute over the final jury instructions suggests that Durham is beating a tactical retreat from his charged claim that Sussmann lied to cover up that he was representing both Hillary and Rodney Joffe.

Mr. Sussmann proposes modifying the last sentence as follows, as indicated by underlining: Specifically, the Indictment alleges that, on or about September 19, 2016, Mr. Sussmann, did willfully and knowingly make a materially false, fictitious, and fraudulent statement or representation in a matter before the FBI, in violation of 18 U.S.C. § 1001(a)(2), namely, that Mr. Sussmann stated to the General Counsel of the FBI that he was not acting on behalf of any client in conveying particular allegations concerning Donald Trump, when, in fact, he was acting on behalf of specific clients, namely, Rodney Joffe and the Clinton Campaign.5 The government objects to the defense’s proposed modification since it will lead to confusion regarding charging in the conjunctive but only needing to prove in the disjunctive.

Durham wants to be able to get a guilty verdict if the jury decides that Sussmann was hiding Hillary but not hiding Joffe. What Durham will really need to prove won’t be finalized until sometime next week, meaning both sides will be arguing their cases without knowing whether Durham will have to prove that 1) the allegations pertained to Donald Trump personally 2) Sussmann had two clients 3) he lied to hide both of them, or whether he has to prove only that Sussmann lied to hide one or more client.

Durham’s tactical retreat is likely dictated by the scope set by Cooper and will dictate the witnesses he wants to call.

This post laid out whom, as of last week, each side planned to call. Remember that it’s not uncommon for a defendant not to put any witnesses on the stand (though I would be surprised if that happened in this case). Normally, the scope of a witness’ testimony is set by the Direct examination of them. So, for example, if Durham puts Marc Elias on the stand to talk exclusively about his decision to hire Fusion GPS, then Sussmann could not ask him questions about other topics. But Sussmann incorporated Durham’s entire witness list, and Cooper ruled that he would rather not have to call people twice. So for at least the Democratic witnesses, Sussmann will have the ability to ask about things that Durham would really prefer not to appear before the jury even though Durham called that witness as a government witness. Because Durham doesn’t understand much of what really went on here, that may be a really useful thing for Sussmann to exploit.

Summary Witness: It is typical for prosecutors to call one of their FBI agents at trial as a sort of omniscient narrator who can both introduce a vast swath of evidence (such as records the accuracy of which have been stipulated for emails that can be introduced without witness testimony) and provide some interpretation of what it all means. Usually, that agent is not the lead agent, because the lead agent knows things that the prosecutor wants to keep from the defendant and the public, either details of an ongoing investigation or major investigative fuck-ups that haven’t been formally disclosed to the defendant. As of last week, DeFilippis maintained that, “It may be an agent who’s our summary witness, but we’re not looking to put a case agent on the stand.” That suggests there is no agent on his team that is sufficiently compartmented from his secrets to take the stand. Judge Cooper seemed a bit surprised by that.

Jim Baker: Jim Baker is the single witness to Michael Sussmann’s alleged crime. Durham is going to have a challenge walking him through the version of this story Durham wants to tell, not least because the materiality parts of it — whether Baker thought it unusual to hear from Sussmann, whether he thought it mattered who Sussmann’s client was — are also recorded in Baker’s past sworn testimony. Given the late discovery of a text showing that Sussmann wrote Baker on September 18 telling him he wanted to benefit the FBI, and given the even later discovery of March 2017 notes recording that the FBI understood that Sussmann did have an (undisclosed) client, Sussmann doesn’t even have to trash Baker to call into question his memory: he can allow Baker to admit he can’t separate out what happened in which of at least five communications he had with Sussmann that week, the sum total of which show that Sussmann wasn’t hiding the existence of a client, did represent that he was trying to help the FBI, and did help the FBI. The cross-examination of Baker will, however, be an opportunity for Sussmann to implicate Durham’s investigative methods, both for building an entire case around Baker after concluding, years earlier, that he wasn’t credible, and then, for refreshing Baker’s memory only with the notes that said what Durham wanted Baker to say, and not what the FBI ultimately came to know.

Bill Priestap and Tisha Anderson, Mary McCord and Tasha Gauhar: This trial is expected to feature two sets of witnesses — the first set called by Durham and the second called by Sussmann — who will be asked to reconstruct from their own notes what was said in a meeting attended by Baker. Priestap and Anderson will say that the day of Baker’s meeting with Sussmann, they wrote down that Sussmann didn’t have a client (but not in the words Sussmann is known to have used or the words that Durham has charged). McCord and Gauhar will say that in March 2017, Andy McCabe stated, in front of Baker and with no correction, that the FBI did know Sussmann had a client. The only notes in question that use the same phrase — “on behalf of” — that Durham used in the indictment say that Sussmann did say he was meeting with FBI on behalf of someone. I expect at least several of these witnesses will be asked materiality questions: If they didn’t ask who the client is, doesn’t that prove it didn’t matter? The notes of everyone involved, importantly, emphasized the import of Sussmann sharing an imminent newspaper article. Sussmann will also ask Priestap how and why he asked the NYT to hold the Alfa Bank story.

Agents Heide, Sands, and Gaynor, plus Agent Martin: Durham plans to call three of the FBI Agents who investigated the anomaly — for a couple of hours each, in the case of Heide and Sands — to talk about how they did so. Let me suggest that not only is this overkill, it may backfire in spectacular fashion, because the March 2017 notes make it clear that these agents did not take very basic steps to chase this anomaly down and Heide, at least, is not a cyber agent (in the same period he was also investigating George Papadopoulos). In addition to having those hours and hours of testimony, Durham will call Agent Martin, ostensibly to explain what one could learn from the anomaly, though there’s still a fight about the scope of his testimony,  particularly with respect to misleading claims he would make about the scope of the data accessed to find the anomaly in the first place.

Antonakakis, Dagon, DeJong, and Novick: According to what DeFilippis said last week, in the wake of Cooper’s ruling excluding all but one of the researchers’ emails, he likely will not call David Dagon, may or may not call Manos Atonakakis, but will call two employees of Rodney Joffe whom, DeFilippis claims, were “tasked by” Joffe, in the first case to pull some but not all of the data researchers used to test the anomaly, and in the second case to do research that may not have been presented to the FBI. If these decisions hold, his presentation of the data will be, as I understand it, affirmatively false. For that reason, Sussmann might have been able to challenge Durham’s reliance on these witnesses in the absence of others; that Sussmann is not doing so may suggest he knows that the witnesses won’t do what Durham thinks they will. If Durham persists in this plan, it means he’ll have FBI agents spend 5 hours describing how they chased down an anomaly, without ever really explaining what the anomaly is (and how it could have easily been investigated using about two different steps that the FBI didn’t take). Perhaps (given his tactical retreat), Durham may want to eliminate virtually all discussion of the anomaly at the heart of this case. Alternately, this is a tactical move to force Sussmann to call David Dagon (whom Durham has immunized) or Manos Antonakakis (whose status is unknown) in hopes that they’ll help him make his YotaPhone case or explain the full scope of the data accessed (particularly if he gets Martin to make misleading comments about that topic first). But if Durham forgoes his chance to call the researchers and Sussmann does so himself, it may allow Sussmann to rebut Durham’s claims about what the anomaly was and what went into the two white papers presented to the FBI. In addition, Sussmann can have these witnesses explain how far before the involvement of the Democrats this research started and how Trump’s open invitation to Russia to do more hacking meant the anomaly posed a possible national security threat worthy of sharing with the FBI.

Robby Mook, Marc Elias, and Debbie Fine: Rather than talking about the anomaly, Durham wants to talk about the Hillary campaign. At least as of last week (before Cooper excluded some of this stuff on privilege and belated privilege challenges), Durham will definitely call Mook, may call Elias, but may rely instead on a Hillary lawyer named Debbie Fine, who was on daily calls with Fusion. Durham wants to claim,

[T]he strategy, as the Government will argue at trial, was to create news stories about this issue, about the Alfa-Bank issue; and second, it was to get law enforcement to investigate it; and perhaps third, your Honor, to get the press to report on the fact that law enforcement was investigating it.

Sussmann, by contrast, knows he has a witness or witnesses who will rebut that.

[I]t’s not the truth; and in fact, it’s the opposite of the truth. We expect there to be testimony from the campaign that, while they were interested in an article on this coming out, going to the FBI is something that was inconsistent with what they would have wanted before there was any press. And in fact, going to the FBI killed the press story, which was inconsistent with what the campaign would have wanted.

As suggested above, Elias is a witness Sussmann will call even if Durham does not. Among other things, Sussmann will have Elias explain what it was like to have Donald Trump openly asking Russia to hack Hillary some more.

Laura Seago: Before Cooper ruled on privilege issues, DeFilippis (who doesn’t know how to pronounce her last name) said he would call Seago. She was the pivot point between Fusion and Rodney Joffe. According to Fusion attorney Joshua Levy, Seago knows little about the white paper from Fusion that Sussmann shared with the FBI. “Seago didn’t contribute to it, doesn’t know who did, doesn’t know who researched it, doesn’t know who wrote it, doesn’t know its purpose; and the government’s aware of all that.” So it’s unclear how useful she’ll be as a witness.

Eric Lichtblau: As I noted the other day, Durham is trying to prevent Lichtblau from testifying unless he’s willing to testify to all his sources for the Alfa Bank story (which would include a bunch of experts never named in any charging documents). My guess is that Cooper will rule that forcing Lichtblau to talk about communications with Fusion would be cumulative, though he might force Lichtblau to talk about an in-person meeting he had at which Fusion shared information that did not derive from Joffe. If Sussmann succeeds in getting Lichtblau’s testimony, however, he will be able to talk about what a serious story this was and what a disastrous decision agreeing to hold the story was for his own career and, arguably, for democracy.

Perkins Coie billing person and McMahon: As Durham has repeatedly confessed, most of the substance of his conspiracy theory is based off billing records. But there’s a dispute about whether Sussmann fully billed his meeting with Baker (Sussmann has noted, for example, that he paid for his own taxi to and from the meeting). Durham will have a Perkins Coie person explain how they track billing and will call a former DNC person with whom Sussmann had lunch immediately before his Baker meeting, either because Sussmann said something to him about the Baker meeting, or because he needs to rule out that Sussmann billed for the lunch meeting but not Baker.

Agent Grasso: In addition to the hours and hours of testimony about how the FBI did investigate the anomaly, Durham also wants to call an Agent Grasso, with whom Joffe shared a piece of the Alfa Bank allegations directly. This may actually be an important witness for Durham, because it might show that the packaged up allegations shared with Baker were substantially different than what Joffe was sharing when his identity was not hidden.

Kevin P: Durham only plans to call one of the two CIA personnel at the meeting in January 2017 (ironically meaning a meeting in March 2017 will get far more focus than a meeting that played a central role in the indictment). It sounds like Sussmann will get the one person to validate an email from another person who also recorded Sussmann saying he had a client.

Agent Gessford: One FBI Agent Sussmann will call will authenticate emails Sussmann will use with other witnesses to show what FBI’s understanding of Sussmann’s activities were in 2016. Not only will he use these emails to prove that the FBI knew well he was representing Hillary on cyber issues, but he will likely also use these emails to talk about what it looks like for a campaign to be systematically attacked through the entirety of a campaign by a hostile nation-state, which will make the potential seriousness of the Alfa Bank anomaly quite clear.

Agent Giardina: This is someone the scope of whose testimony Durham may have actually tried to limit by calling him himself. Sussmann will have Giardina explain that after the Frank Foer article, he tried to open an investigation, which Sussmann will use to prove that the FBI would have opened an investigation whether or not he shared the tip with the FBI.

Jonathan Moffa: Moffa, a senior FBI agent involved in the Crossfire Hurricane and Alfa Bank investigations will address materiality. He’ll explain how, given the UNSUB investigation open to find out who in Trump’s camp got a heads up to the hack-and-leak investigation, it was inevitable they would chase down this tip and treat it, like the CH investigation itself, as a Full Investigation.

DOJ IG Michael Horowitz: On paper, Horowitz’s testimony will be limited to explaining how an anonymous tip from Joffe via Sussmann is supposed to work, which is that someone in a position to direct a tip to the right person does so and succeeds in addressing a national security concern. Joffe provided a tip to Horowitz in January 2017 that — we can assume given Horowitz’s testimony — proved to be valuable. This tip will also demonstrate that DNS research is not as limited as Agent Martin will claim it is. But given the way that Durham has failed to understand basic aspects of Horowitz’s investigation, including ones that disproved large swaths of Durham’s conspiracy theories, this testimony might be somewhat contentious.

Update, 5/22: Very belatedly added Moffa after writing this post.