A story from September 2014 carried by ZDNet was recirculated on Twitter a few days ago. The story, by Zack Whittaker for Zero Day, was about “Trusted Third Party” companies, which provide legal compliance services for Internet and communications service providers presented with surveillance subpoenas from law enforcement agencies.
The fundamental basis for this model of compliance operations goes back to the Communications Assistance for Law Enforcement Act (CALEA) of 1994. CALEA was implemented before most instant communications over the Internet – things like text messaging and voice-over-IP – existed, and after 9/11 was updated (in 2004) to keep up with technology and the new imperative for security-focused surveillance.
There are a lot of details to master for a full understanding of what CALEA does, and I recommend starting with Whittaker’s article and perusing this summary and FAQ posted by the Electronic Frontier Foundation (EFF).
For our purposes, here’s a short summary of what matters. First, as Whittaker discusses, the bases for use of CALEA by the FBI are targeted FISA warrants, National Security Letters (which apply to classes of activity or telecom customers rather than individual cases, and are approved, typically on a renewable basis, by the FISA court), and criminal warrants or subpoenas.
Second, the practical function of this apparatus is to feed the notorious “NSA database.” The data repository effect is to load the NSA reservoir with data for analysts to pull from. This is probably one of the least understood realities of the post-9/11 “surveillance state.” Most of the domestically-carried comms data that piles up with NSA isn’t hoovered in by NSA’s hand. It’s commandeered by law enforcement through the telecoms, using the instruments listed above: FISA warrants, NSLs, and criminal warrants.
So – and consider this point number three – when Admiral Mike Rogers reacted in March-April 2016 to the revelation that contractors at the FBI were being improperly exposed to sensitive U.S. person identifying information (USPI), he was concerned with the data-pull side of the equation.
He wasn’t complaining that private companies were handling the data that feeds the NSA reservoir. That’s built into the system. He was alarmed that USPI was revealed to contractors performing analytical functions at the FBI, when data queries resulted in data being presented to analytical end-users. (This is why none of this freshly relevant information changes our understanding of the “contractors exposed to raw USPI” event in March 2016.)
One other point will help us keep perspective on the import of all this. The transformation of technology in the 27 years since 1994 has significantly blurred the distinction between the metadata of individual comms transactions (i.e., one user account exchanging data with another) and the content of the transactions.
After the Snowden leak in 2013, that distinction became a publicly known concept. But it was already outdated for some applications then. EFF has an accessible summary:
CALEA requires communications carriers to be capable of providing both “call-identifying information” (CII) and call content to law enforcement. In the circuit-switched world of traditional telephony, the meaning of CII was clear: telephone numbers are CII, and the conversations are content. But in the packet-mode world of the Internet, communications are encapsulated (see 16 below — link), and each protocol layer is associated with different “signaling information.” Whether a component is “signaling information” or “content” depends on which layer is reading it. Thus CII on the Internet is not a clearly defined concept, although it is in traditional telephony. Compliance with CALEA in the packet-mode world of the Internet will therefore result in significant legal, technical, and economic problems.
There are additional discussions of the implications of packetized comms at the EFF link (I suggest doing a “find” on “packet”), and concern among watchdogs that the gathering of comms data remains insufficiently defined and regulated from that perspective. (Another key facet of this is the surge of cloud computing since the last big refresh for CALEA in 2004. Rudy Giuliani would probably have some opinions on that.)
The bottom line is that segregating content from metadata isn’t the clean-lined operation it was described as when the Snowden revelations hit, and James Clapper and other intelligence officials were explaining that matter to us. That was seven or eight years ago, and their discussion points were already less applicable even then. Guarantees about privacy for innocent Americans, in the gathering, storing, and querying of comms data, haven’t reliably kept up with technological developments. The system can’t necessarily vouch for what its human elements have access to, in the state-of-the-art process of data-pull “surveillance.”
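The EFF passage quoted above says that whether a component counts as “signaling information” or “content” depends on which protocol layer is reading it. The following is an added illustration of that point, not code from this article or from EFF: it parses one constructed IPv4/TCP/HTTP packet and reports, layer by layer, where a given value falls. The function names, addresses, ports, and hostname are all assumptions made for the example.

```python
import socket
import struct

# Constructed sample: one IPv4/TCP segment carrying an HTTP request.
# Addresses are documentation ranges (RFC 5737); checksums are left at zero.
HTTP = b"GET /inbox HTTP/1.1\r\nHost: mail.example.com\r\n\r\nbody-bytes"
TCP = struct.pack("!HHIIBBHHH", 49152, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
IP = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(HTTP), 0, 0, 64, 6, 0,
                 socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.7"))
PACKET = IP + TCP + HTTP

def layer_views(packet):
    """Return [(layer, signaling, content)]: what each layer reads as its own
    header ("signaling") and what it passes along as opaque payload ("content")."""
    views = []
    ihl = (packet[0] & 0x0F) * 4                      # IPv4 header length in bytes
    proto, src, dst = packet[9], packet[12:16], packet[16:20]
    if proto != 6:
        raise ValueError("this example handles TCP only")
    ip_payload = packet[ihl:struct.unpack("!H", packet[2:4])[0]]
    views.append(("IP", {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst)}, ip_payload))
    sport, dport = struct.unpack("!HH", ip_payload[:4])
    tcp_payload = ip_payload[(ip_payload[12] >> 4) * 4:]   # skip TCP header via data offset
    views.append(("TCP", {"sport": sport, "dport": dport}, tcp_payload))
    head, _, body = tcp_payload.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    headers = dict(line.split(": ", 1) for line in lines[1:])
    views.append(("HTTP", {"request": lines[0], **headers}, body))
    return views

def classify(packet, needle):
    """For each layer, say whether `needle` sits in that layer's signaling or content."""
    out = {}
    for layer, signaling, content in layer_views(packet):
        in_sig = any(needle in str(value) for value in signaling.values())
        hit = "content" if needle.encode() in content else "absent"
        out[layer] = "signaling" if in_sig else hit
    return out

if __name__ == "__main__":
    for layer, verdict in classify(PACKET, "mail.example.com").items():
        print(f"{layer:5} sees the hostname as {verdict}")
```

The same hostname is payload to the IP and TCP layers and addressing information to the HTTP layer, which is the ambiguity the quoted passage describes.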
The basic connection
This summary of points is what to keep in mind as we approach the rather simple set of connections highlighted by the Sussmann indictment. The short version of it is short indeed: the company Neustar is named as one of the top “Trusted Third Parties” in articles like Whittaker’s from the last decade (see also a BuzzFeed article from 2012, which Whittaker references), and Neustar was until a few weeks ago the employer of Rodney Joffe, “Tech Executive 1” from the indictment whose work appears to be implicated in Sussmann’s shopping of the “Alfa Bank-Trump” narrative to the FBI.
In other words, Joffe’s company was involved in assisting telecoms to properly forward customer data reflecting detailed Internet and other comms activity to the FBI. Neustar did this for its clients’ compliance with (mainly) FISA warrants and NSLs. In 2014, Neustar’s clients for this service numbered about 400. The company had the largest clientele of anyone in the business.
Whittaker lists Subsentio and Yaana as the other two best-known names. Each of them had “dozens” of clients.
The history of Neustar’s involvement in the compliance business is worth a look. Neustar itself was a spin-off from Lockheed Martin in the 1990s. In 2005, after CALEA was modified and expanded in 2004, Neustar acquired a company called Fiducianet, which had been started by a 29-year FBI veteran, Michael Warren, in 2002, as a CALEA-compliance service company. That was Neustar’s entry into CALEA compliance services.
Michael Warren stayed with his enterprise under Neustar’s wing, becoming an assistant vice president in the new parent. Neustar’s organization incorporated Fiducianet as its Legal Compliance Services Division.
This is how Neustar presented the division in 2015.
Of note, according to Whittaker, Neustar acted as a legal agent – “custodian of records” – for its clients. At the time of Whittaker’s report, Yaana did as well, whereas Subsentio did not. Whittaker briefly discussed the significance to these legal compliance services of having “lawyers with clearances,” and indeed of having tech personnel with clearances for some applications in the suite of services.
It doesn’t take much thought to recognize that a “Trusted Third Party” with clearances, managing warrant and subpoena compliance for hundreds of telecoms, will have a pretty in-depth view of what the FBI wants to siphon in data on. Nor does it take much imagination to recognize the information nexus such a TTP company can become if it is also working with universities and the federal government on special – secret – cyber projects at the same time.
Such a company, one like Neustar, has unique visibility into the arcane backlot workings of the Internet, and the broad scope of the federal government’s interests in how the world, including the American public, is using the Internet. At this point, it’s just a little icing on the cake to recall that Rodney Joffe was named a special adviser to the Obama White House.
A refresher on context: the Alfa Bank saga and Spygate
But here is where it gets interesting. We need to take a little excursion into previous analysis.
Recall, from the Alfa Bank subplot of Spygate/Russiagate, that key events in the Alfa Bank timeline coincided with equally key events in the overall Spygate timeline, especially in March 2016 and February-March 2017.
The appearance of instigation by Spygate principals becomes stronger with each new fact we uncover. That was a point stressed in my last two articles on the topic.
In that light, another set of events, highlighted in the 14 October piece, looks like a potentially coherent thread; i.e., a link between the following: CrowdStrike’s 2016 “study” of cyber attacks on the hospitality industry – which covered the 2014-2016 timeframe in which such attacks were being mounted against the Trump Hotels – and the timing of coincident developments in the fall of 2015, especially the month of September, when the Trump Hotels announced they were switching to a new marketing-services vendor, within days of Fusion GPS (a) hiring Nellie Ohr, and (b) being hired by the Washington Free Beacon to compile oppo on Trump.
As a refresher, recall also that the alleged cyber-link between Trump and Alfa Bank was through the marketing-services vendor that Trump Hotels switched away from; i.e., Cendyn. So the side-story of the marketing services vendor matters to Spygate, and to the Sussmann-Alfa Bank thread in 2016.
Those interesting dates again
Now we’re almost ready for the fresh point of interest. One more data point goes into the mix. It comes from the spadework tweet thread done by @wakeywakey16, featured in my last article.
What @wakeywakey16 provides in this tweet is an FAQ summary offered to customers by the Trump Hotels after they detected one of the cyber attacks from the 2014-2016 timeframe. This one ran from 19 May 2014 to 2 June 2015.
As alluded to in the previous TOC report (14 October link above), on discovering the intrusion into its payment system, the Trump organization “notified the F.B.I. and financial institutions, and engaged an outside forensic expert to conduct an investigation of the incident.” So we know the FBI was formally aware of the cyber attack on the Trump Hotels in late May 2015 or by 2 June 2015 at the latest.
The FAQ summary avers that “the malware was on Properties systems between May 19, 2014, and June 2, 2015.” It also states that “we removed the malware and are in the process of reconfiguring various components of our network and payment systems to further secure our payment card processing systems.”
So the Trump organization gives the last date on which its payment system was affected by the cyber intrusion as 2 June 2015.
Our colleague @wakeywakey16 noted in the thread that that was two weeks before Trump formally announced his 2016 campaign for president.
But here’s something it was three days before. On 5 June 2015, Neustar, which would end up being of such significance to the Alfa Bank saga and the Sussmann indictment, sold its Legal Compliance Services Division, lock, stock, and barrel, to rival company Subsentio.
That’s right. Neustar sold out of the FISA-warrant and NSL compliance business. The timing is fascinating, of course.
Subsentio, in its announcement of the transaction, included this brief statement:
Key elements of the agreement:
Communications service providers previously served by Neustar’s Legal Compliance Services (LCS) division are now under management by Subsentio.
With Neustar’s warrant management business under its wing, Subsentio has a new service to offer its legacy customers and future prospects.
Neustar employees that worked for LCS are transferring to Subsentio.
Basically, the whole operation picked up and moved from Neustar to Subsentio – which has the ring more of an institutional administrative move than a decision about a business initiative.
An obvious question is what the deal is with Subsentio. The company was started in 2004 by CEO Steve Bock, who came from the telecom industry, and co-founder Ward Jackson, a 28-year FBI agent. Subsentio was a veteran CALEA-compliance company before buying Neustar’s LCS Division; recall that BuzzFeed had written about its CALEA work in 2012, and Whittaker in 2014. 2004 was, of course, the year that CALEA was expanded, and new forms of compliance requirements took off like a rocket for the telecom industry.
Subsentio attracts a lot of FBI veterans, for obvious reasons. (In addition to knowing CALEA and tech, the FBI agents come with in-status clearances.) Besides Jackson, Chief Technology Officer Marcus Thomas was a career FBI official, as was Marc Hopper, Subsentio’s law enforcement liaison officer. Working-level employees are likely to include former FBI agents as well.
It’s not to imply that there’s anything nefarious about Subsentio, or its CALEA services, that this article highlights the Neustar sale in June 2015. But it is to note that it looks awful darn particular that a sale of such moment, in the context of Spygate, Alfa Bank, and the recent Sussmann indictment, took place just at that time.
Off the top of my head, I’d have to guess that Neustar’s function as a “custodian of records” for clients traveled to Subsentio with the LCS Division, as a shift of fiduciary responsibility. In other words, forensic probes into the records in question would redirect from Neustar to Subsentio. Subsentio is where the lawyers with clearances went.
Interestingly, federal contract records since 2009, available at the GovTribe website, show nothing for Subsentio until 2021. The absence of federal contracts isn’t necessarily odd. Subsentio’s contracts would be with its industry clients. But it can’t fail to be of interest that after years of not doing business with the feds, Subsentio dipped its toe in those waters 10 days before news of the Sussmann indictment broke.