The intent of this update is not to be an in-depth treatment with new research, but to address basic questions flying around social media, with the hope of sparing analysts time in their research efforts. That said, it turns out, based on the implications of the new court filing, that a lot of my old analysis has been borne out. There will be plenty of links to that. The original analysis, which has held up, provides background for verifying the explanations outlined below.
The topic is the latest filing by John Durham in the Michael Sussmann case. The purpose of the filing is to advise the federal court of a potential conflict of interest for Sussmann’s legal counsel at the firm Latham & Watkins LLP.
In the course of developing that point, the court filing discloses the following interesting information (which pertains to other Spygate clients Latham has represented in related legal proceedings, and Sussmann’s connection to them).
I have highlighted the really interesting parts.
This is from paragraph 5 on page 3:
And this is from paragraph 6 on pp. 3-4:
Here, from the next passage of para. 6, is the actually illegal act Sussmann is alleged to have committed:
Sussmann’s claims to a federal agency (the CIA) about the data are the legal issue here. It’s important not to miss that, because it reflects why no one (such as Tech Executive-1, Rodney Joffe) has been indicted for monitoring DNS data to mine it for information about Trump.
No one has been indicted for that because it wasn’t illegal. It was unethical and improper as all get-out, but it’s not illegal to monitor DNS transactions or data. DNS data isn’t privacy-protected as it pertains to an end-user (e.g., the sender of a text message). Its status in law is like the connecting transactions of old-style phone calls; they aren’t afforded privacy protection by the fact that some individual with privacy rights picked up the phone and made a phone call. The contents of the phone call are privacy-protected, but not the transaction at the switchboard.
DNS transactions may be proprietary as they pertain to a telecom provider, but that’s a different story. Joffe’s employer, Neustar, was in a unique position to have authorized access to enormous quantities of DNS data in the time period referenced, as we’ll see below.
To round out the passages of interest from the new Durham filing, see here (continuing to the end of para. 6):
To be clear, that last portion in bold means that the Obama EOP was involved in DNS lookups with “Russian Phone Provider-1” starting at least in 2014.
There could certainly be an innocent and not terribly interesting reason for that. But taking things in order, to address the questions flying around:
1. This information is not about the inappropriate contractor access to NSA data culled by the FBI. Full stop. This form of data isn’t the droid you’re looking for. This isn’t the “fun stuff” from FISA Section 702 queries, grab-and-snatched through the back door. It’s a different animal, although the reason it’s collected is a branch of the same vine. Stay tuned: holding that thought will pay off in this very same article.
2. The passages highlighted genuinely tell us something we didn’t know before. They tell us that Neustar “access[ed] and maintain[ed] dedicated servers for the EOP as part of a sensitive arrangement whereby it provided DNS resolution services to the EOP.”
Well, doggies. The same company whose senior executive was involved in the vast Internet monitoring project with Georgia Tech and the Department of Defense was performing DNS resolutions for the Executive Office of the President.
The first thing to wonder is what Neustar was doing that for. We’ll see that there were links between Neustar and the Obama EOP. But just a few data points (further below) about White House communications set Neustar’s very privileged activity in an informative context.
There’s a part 2 to this second point. It wasn’t just that Neustar was performing this DNS resolution service for the EOP, or just maintaining dedicated servers tied to that task.
Neustar executive Joffe was “exploit[ing] this arrangement by mining the EOP’s DNS traffic and other data for the purpose of gathering derogatory information about Donald Trump.”
“Mining the EOP’s traffic.”
Man, do I ever want to see that EOP traffic, to figure out why it was mine-able for information on the DNS transactions entailed in Trump-related comms.
A lot of other users’ traffic could be relevant to Trump comms and DNS transactions. But it can’t fail to be of interest that EOP traffic apparently was as well.
Remember, as described above, almost all of the data Durham had pulled for comparison on the traffic Joffe was monitoring came from before Trump took office. If Sussmann gave CIA a data dump on 9 February 2017, only 20 days’ worth came from the Trump White House. The arrangement and data set apparently went back at least to 2014 (that’s how far back Durham had the DNS data pulled up independently).
And we know that the period of interest for Sussmann’s indictment, as reflected in earlier information about what Sussmann shopped to federal agencies, went back to at least 2016. I assume Durham wouldn’t put out details that clearly imply the Obama EOP’s DNS activity was germane to Sussmann’s info-shopping, if those details were merely gratuitous.
This brings us to part 3 of the second point, which is that Durham’s data comparison found “that DNS lookups involving the EOP and Russian Phone Provider-1 began at least as early 2014 (i.e., during the Obama administration and years before Trump took office).”
It would be of more than passing interest to know why the Obama EOP’s communications involved Russian Phone Provider-1.
And it appears that that involvement is a detail Durham obtained only by doing an independent pull of the dataset Joffe and his associates had to work with.
We can imagine a reason why the Obama EOP’s comms systems would be involved in DNS lookups with a Russian phone provider. Contacts with Russian diplomatic personnel could be an explanation. Contacts by NSC staffers with Russian think-tank colleagues might be another. The constraint on supposition, if these system transactions were merely incidental, is that the end-user of the Russian Phone Provider-1 service would be someone whose cell phone service was with, or used infrastructure provided by, Russian Phone Provider-1.
That kind of narrows it down. A string worth pulling, and we can hope Durham has pulled it.
3. At any rate, back to the question about why Neustar was providing DNS resolution services for the EOP.
That really jumps out from the noise, in part because it’s a function we would once have expected the White House Communications Agency (WHCA), a joint Department of Defense command, to perform.
A commercial vendor having such privileged access to EOP communications would be an arrangement of fairly recent vintage. This gets back to the ongoing interest I’ve had in Obama’s comprehensive updating of the White House communications and general IT arrangements starting in 2014. This article from March 2018 is good for background on that.
I won’t re-up all the details, but a couple of timeline items are noteworthy. One is that the White House Chief Information Systems Officer (CISO) who had been appointed by Obama, Mr. Cory Louie, was abruptly dismissed by Trump on 2 February 2017, or 13 days after Trump was inaugurated. (Background on that can be found at the March 2018 link. Obama created the position of CISO in 2015.)
A week later, Michael Sussmann was at the CIA briefing someone there about DNS lookup data that had been monitored – indeed, resolved – by Neustar while Louie was CISO. In doing such work for the EOP, Neustar performed what was arguably an unexpected function for a commercial contractor.
The other timeline item covers a longer stretch. Here is a notice put out to Navy service members in March 2009 about applying for the WHCA. That was before Obama’s White House IT/comms upgrade. (The WHCA still exists, but it seems at least some of its comms management and security functions were migrated to other entities in the reorganization and upgrades.)
The White House upgrade reportedly began in 2014. Interestingly, John Durham pulled DNS transaction data starting with that year, which may indicate that that’s when Neustar’s performance of resolution services for the EOP began. At a minimum, it could be when Joffe’s use of EOP DNS data and “other data” to gather information on Trump began.
The public heard almost nothing about the White House comms upgrade until the New York Times article (linked in my March 2018 piece) in April 2016. The NYT article contained few details, and previous reporting on the reorganization of IT functions for the EOP (again, links in the 2018 post) was similarly vague.
Now, in February 2022, we discover from Durham’s court filing that Neustar was providing DNS resolution services for the EOP, apparently as early as 2014. That’s interesting.
4. Now it’s time to close the circle with Neustar’s links to the Obama administration during the period when White House comms were being upgraded, and functions reorganized. This won’t be a comprehensive rendering, as I haven’t had time to do more than scratch the surface.
In June 2011, Neustar announced it was hiring Scott Deutchman as its Vice President of Legal and External Affairs. “Mr. Deutchman,” said the company, “comes to Neustar from the Executive Office of the President’s Office of Science and Technology Policy (OSTP), where he serves as the Deputy Chief Technology Officer for Telecommunications.” The OSTP was one of the IT and comms entities later reorganized by Obama in the big shakeup.
Neustar also noted that Deutchman had “served as a Democratic Counsel to the U.S. House Judiciary Committee.”
Earlier, in March 2011, Neustar hired on Scott Blake Harris as Executive Vice President, Legal and External Affairs, described at the time as a newly created position. Mr. Harris had been general counsel to the Department of Energy, but of probably equal importance he came from sitting on Obama’s National Science and Technology Council.
There are some arresting details in the background information assembled on Harris by the Revolving Door Project:
And we’ll come back below to that point about “Neustar collaborat[ing] with law enforcement, including the NSA, to provide data on consumers.”
Rodney Joffe’s links to the Obama administration have been thrashed out elsewhere. But as a final point, note that in May 2011 Neustar President and CEO Lisa Hook was appointed by Obama to the President’s National Security Telecommunications Advisory Committee (a Reagan-era entity established in 1982).
NSTAC is a presidential-level commission that works with the Cybersecurity and Infrastructure Security Agency (CISA) at DHS. Alert readers will remember that CISA was formed as an agency in 2018, in a years-long process partly linked to Obama’s designation of election systems as critical infrastructure.
As with most such committees, NSTAC’s chief function over time has come to be plugging industry into the government-agency (and contracting) power source.
The year 2011 was a big one for cross-pollination of Neustar and Obama’s presidential agencies. The timing was a few years before the White House IT upgrade began. Of note, however, Rodney Joffe was appointed to an NSTAC subcommittee in 2013. He still lists a role as a subject matter expert (SME) for NSTAC as an active position in his LinkedIn profile.
5. The survey is almost complete, but now we get to what was probably a key reason for the affinity between the Obama White House and Neustar. I wrote about it in an extensive treatment on 28 October 2021.
Heart rate alert: get ready for a big klieg light to come on.
The short version is that, from 2005 to 2015, Neustar was the highest-volume and most prominent company in the tech industry performing a very particular niche function. The function was assisting telecom providers on legal compliance with their obligation to respond to FISA data requests from federal agencies.
I won’t go into the particulars again. The background is all in the October post.
But what’s important to know is that Neustar filled the role of a “Trusted Third Party” (TTP) in its execution of this function for hundreds of clients. The “trusted” part means Neustar had access to the clients’ Internet transactions data, and was able to basically do the work for them in determining what elements of their vast data stores met the compliance requirements of the requests coming through from federal agencies.
This doesn’t mean Neustar was watching all the “same” data NSA does. It wasn’t. But as I explained in October (emphasis added), “the practical function of this [compliance/TTP] apparatus is to feed the notorious ‘NSA database.’ The data repository effect is to load the NSA reservoir with data for analysts to pull from. This is probably one of the least understood realities of the post-9/11 ‘surveillance state.’”
The analysts pulling as end-users from the NSA database would be the ones at the FBI, where contractors were improperly exposed to data from 702 queries.
Neustar was a TTP on the feeding end of the big-data reservoir, before the data was – element by element – tagged and made “queriable” in the NSA database to the level analysts would need. With its hundreds of clients, a number of them major telecoms, Neustar oversaw compliance for a whole lot of comms transaction data, which the company was trusted to access for the performance of its contracted function.
As regards Joffe (not necessarily Neustar; be clear on that), it’s quite possible that’s what Durham refers to when he speaks of “Tech Executive-1 [Joffe] exploit[ing] his access to non-public and/or proprietary Internet data” in his services to Perkins Coie and the Clinton campaign. (See para. 4 on p. 3.)
As discussed at great length several months ago, Joffe (per Durham) “also enlisted the assistance of researchers at a U.S.-based university who were receiving and analyzing large amounts of Internet data in connection with a pending federal government cybersecurity research contract. [Joffe] tasked these researchers to mine Internet data to establish ‘an inference’ and ‘narrative’ tying then-candidate Trump to Russia.”
But it’s the new nugget about the DNS resolution services in the EOP that brings it home for us.
The reason is that the services were provided in the EOP. Just connect a couple of dots for our principal cast: (1) being contracted to provide DNS resolutions in the EOP, resolutions that would reveal which servers Trump’s (or other Americans’) comms were interacting with; and (2) being in proximity to other people in the EOP – National Security Council staffers, let’s say – with the user privileges that allowed them to run 702 queries, with just a little bit of cueing from basic comms transaction data (see Dot 1).
This is a connection I’ve previewed since 2017 as essential to the Spygate enterprise. Spying on Trump – and other Americans – had to be a whole-of-government effort, because the individual agencies aren’t authorized to handle or be cognizant of all the datasets that would be involved.
Each agency has obligations to control and/or purge records to prevent exactly what the Obama EOP had the opportunity to do. And agency by agency, they are subject to being audited, regularly if not frequently. They’re required to conform to IT record-keeping standards that make their electronic transaction histories readily auditable.
But one federal entity is, for practical purposes, not subject to that level of oversight.
The Executive Office of the President.
Basically, only the POTUS himself has the horsepower to hold his people’s feet to the fire on this matter. And at the EOP level, with cloud computing technology factored in, all of the relevant IT transactions for putting data together where it shouldn’t be put can be performed, and their histories stored, outside of data environments overseen by more auditable agencies.
In this regard, it’s extremely interesting to note that, prior to the summer of 2016, Neustar ceased offering FISA compliance services as a trusted third party. If 2014 was when the DNS-lookup data marathon Sussmann referenced in his info-shopping started, Neustar would have still been fulfilling TTP contracts at that time, and also providing DNS resolution services to the EOP.
But in 2015, Neustar unloaded its compliance/TTP operation, selling it off to a company named Subsentio. Subsentio, a much smaller firm, had been founded in 2004 by an industry professional and a 28-year FBI agent (see the October 2021 link for all the background). Subsentio was in the compliance/TTP game, but had far fewer clients than Neustar.
Significantly, according to Subsentio, the entire Neustar operation migrated to Subsentio. As I described it in the earlier article, “Neustar … sold its Legal Compliance Services Division, lock, stock, and barrel, to rival company Subsentio. … Basically, the whole operation picked up and moved from Neustar to Subsentio.”
One important meaning of that is that the records of anything that was done for Neustar’s telecom clients presumably went from Neustar to Subsentio. “In other words,” as I wrote in October, “forensic probes into the records in question would redirect from Neustar to Subsentio. Subsentio is where the lawyers with clearances went.”
So the timing of this move was part of its extreme interest. It was a major move for Neustar, and the date of the transaction is a downright thigh-slapper: 5 June 2015.
In the 28 October article, I pointed out that this was not just 11 days before Trump announced his 2016 candidacy, but three days after Trump Hotels made its announcement on a significant IT intrusion into its contracted customer payment service (the announcement was made on 2 June 2015). An IT contractor for Trump Hotels, remember, was the central entity in the allegations about a supposed link with Alfa Bank, and the connection was said to be demonstrated by DNS lookups between the relevant servers on either side.
That’s interesting enough.
But those who’ve also been following the Felix Sater counterclaim in the lawsuit filed against him by Arcanum Global and his Kazakh clients recognize early June 2015 as a most interesting time. The lawsuit filed for the Kazakh plaintiffs states that Sater’s company Litco and the plaintiff’s counsel contracted for Sater’s asset-recovery services on 8 June 2015. It was making that contract that thrust Sater into the center of a Spygate-intensive web of personalities linked to funny money (and even funnier uranium) in Kazakhstan.
Neustar seems to have picked the gosh-darnedest time to sell off its FISA compliance operation – if didn’t nobody in this Spygate mess know nothin’ about what anybody else was doing.
Understand this. Neustar selling its FISA compliance operation, and ceasing to perform as a trusted third party, didn’t have to deny data-stream access to Neustar employees providing services to the Obama EOP. The Obama EOP had – quite evidently had – other potential ways to assemble the data stream needed for spying on Trump.
Durham has it right there in his new filing: Joffe was “mining the EOP’s DNS traffic and other data for the purpose of gathering derogatory information about Donald Trump.”
We don’t know how much legitimate DNS traffic the EOP has. But melding the EOP’s DNS traffic, for which Neustar was apparently under contract to perform certain functions, with “other data” was clearly something the EOP could bring off.
Expertise with the FISA-relevant data stream appears to have been how Neustar got the EOP DNS resolutions gig. But once Neustar was no longer acting as a TTP for FISA compliance, access to a larger data stream had to come from somewhere else. That looks like what Durham’s terse allusion to “other data” refers to.
What we need to determine at this point is where the “other data” data stream came from. The project with Georgia Tech and the Pentagon is a likely place to start.
6. One more point. It has continued to appear significant to this story that a gigantic set of reserved, unassigned Pentagon-controlled IP addresses was suddenly – on Joe Biden’s inauguration day – transferred to the control of a tiny one-man company in Florida incorporated a few months earlier by a longtime associate of Rodney Joffe.
The same IP addresses were very quietly turned back over to the Pentagon a few days before Durham’s first Sussmann filing in September 2021.
There’s more than one reason to suspect that the Pentagon IP addresses were used, at some point, in the enterprise to combine telecom data streams and use them to spy on Trump. The beauty of a rogue interagency operation being run from the EOP is that most of the work can be done at the agencies, and only the end-product – the stage of “analysis” that reveals what the enterprise is up to – has to be recorded by an IT system at the EOP.
Feature image: The “Old” (Eisenhower) Executive Office Building across from the White House in Washington, D.C. Wikimedia