UPDATE as this goes to post.
There was no guarantee we’d get lucky and see a specific instance of the “surveillance melding” referred to below in the original article – a theme I have discussed at length since 2017. (What I call “surveillance melding” here is about someone in a position to monitor data streams from multiple intelligence sources using them in company, to spy on and develop specific targets individually and in depth.)
But we did get lucky, due to the sharp eyes of some of our excellent Internet sleuths. In this case, Margot Cleveland pulled this nugget from a new tranche of emails among the team assembled by Rodney Joffe in 2016 for the DNS lookups caper:
Her point about Joffe clearly having a partisan agenda is of course valid. But our interest here is in the implication that “Steve Bannon” needs to be added by name to – presumably – the team’s list of Trump-related DNS surveillance targets.
Diligent sleuth Monsieurs Ghost fleshes it out for us:
This connection, validated with a name and a highly indicative timeframe (late August 2016), shifts the outline of what the Joffe team was doing to where it needs to be, to function as a companion source to the NSA data pulls Devin Nunes discovered evidence of in the White House.
It’s not a smoking gun demonstrating a verifiable instance of collusion. But in personal identification and level of detail, it goes beyond “DNS lookup monitoring at the server level” to matching individual users and their “communications identities” with servers used by their comms providers.
It certainly indicates that the Joffe team didn’t at some point discover they just happened to have been monitoring Steve Bannon, and exclaim, “Well, gaaah-LEEE!”
It’s very important not to forget the reality that this was a larger enterprise, and not just something Hillary was paying for in an out-of-the-way corner. We know multiple agencies of the Obama administration were involved in it. Fox News reminded us Tuesday night of the Stefan Halper angle; the misuse of the NSA database (known about publicly since March 2017) hasn’t gone away either.
Hillary could not have made those parts of the campaign against Trump happen. She couldn’t have gotten Neustar a DNS services contract in the Executive Office of the President, or made a data stream from that source available to the Joffe team. She couldn’t have made any DNS monitoring source available to the Joffe team. Functionaries with official cognizance had to do that. Perhaps the Joffe team could tap the other data streams listed in Durham’s Sussmann filings without anyone noticing, but only persons cognizant of security for the EOP could have suffered the EOP data stream to be tapped.
Involvement by the Obama administration, by the way, is how you account for this being done basically in the open. The email trove from the Joffe team so far is sanguine and has no hint of furtiveness to it. Hillary didn’t have to pay anyone to “steal” anything. If Durham proves his case, she was paying them to misuse it.
A couple of points on the surveillance melding. One is that the scope of the enterprise has been evident from the beginning, and it’s no surprise to see what is probably evidence that there was cross-cueing between the Joffe team’s tracking work and the data pulls of NSA information that were being done on the NSC. You’ll find articles via links below in which I’ve discussed that before.
The level of detail described in Durham’s Sussmann filing (see the text in Monsieurs’ tweet) is consonant with both sides of that cross-cueing equation being stoked and ready. The NSA-data side would typically have more detailed elements to work with, but once the dynamic was set in motion, each side could cue the other working from a largely common dataset.
(The dataset is communications metadata, the concept we all remember from the explanations that flew after the Snowden data heist. Identification, monitoring, and purposeful analysis are a matter of filling in a set of known blanks in the universe of metadata. It’s possible, as some will point out, to develop a list of candidate elements for tracking – e.g., addresses, phone numbers – just by doing an Internet search. But the overwhelming magnitude of a multi-telecom data stream and a frequently-changing comms environment makes that option prohibitive for time-sensitive work, especially if you’re on a fishing expedition. I note also the sense of casual confidence conveyed by the Joffe email of 25 August 2016, and Durham’s statement about the “Trump Associates List.” This was not a pickup game; it was an ongoing enterprise with established parameters.)
The other point is that involvement of the Obama agencies, including the White House, explains the things that otherwise appear hard to account for, such as why the Joffe team would perform the function it allegedly did when the only money in sight seems to have been a billing arrangement with Michael Sussmann.
Joffe was a lot more plugged in to the Obama White House than he ever was with Hillary Clinton. I wouldn’t waste time attributing motive to Joffe, or power over the federal executive (or Georgia Tech, or Neustar, or most other third parties) to an out-of-office Hillary.
Durham is filing on the crimes he can prove, which at the moment have everyone focused on Hillary’s responsibility for Fusion GPS and its influence ops. I see an effort, in some of the known Spygate arrangements, to keep the Obama executive’s fingerprints off of the enterprise – but in terms of structure and institutional function, it had to be involved.
Original text:
Numerous clued-in Internet sleuths have been understandably concerned, perhaps a bit impatient, at the abridgment and consequent misunderstanding with which Fox and some new media outlets have been conveying the import of the latest filing by John Durham in the case against Michael Sussmann.
They’re right to be concerned (even impatient), although not all the clued-in are getting it right either. One of the most important errors is seeking to interpret the revelations about DNS lookup monitoring as the all-purpose explanation of how spying on Trump was done.
It’s not. We haven’t been pursuing the companion avenues of spying for nothing all these years. Monitoring DNS transactions is a really big puzzle piece, but it’s just one of the pieces. What has made it so big with the latest update from Durham is that that update gets the monitoring into the Executive Office of the President.
I see another major feature in the details of the latest update, and will get to that in a moment. But first, a key point about the misunderstandings at the media outlets.
Many of them are speaking as if data about Trump and his campaign and associates was “stolen,” in an operation ordered and paid for by Hillary Clinton. That’s not an accurate rendering.
Hillary paid for exploitation of that data in an effort to tar Trump with a false narrative.
But the (frankly diabolical) reality about how the data was obtained is that it was being processed, up to the point of being fed into the Fusion GPS operation, by people with legitimate access to it. No one had to steal it, or otherwise break the law in obtaining it. People had access to it through the assigned functions of their jobs.
That means something worse than that Hillary paid for exploitation of it. It means the Obama administration – the supervisor and arbiter at the time of legitimate access – had to be in on it.
The really big deal about the latest Durham filing is that it’s the first court filing we’ve seen, at any point since 2017, in which a conduit for some of the spying went through the Obama EOP. That’s the DNS resolution service performed by Neustar, employer of Rodney Joffe (“Tech Executive-1”), for the EOP.
I want to keep tech notes to a minimum in this article, but will enter two here. We don’t have enough details yet to know the extent to which Neustar’s service for the EOP provided DNS data actually used for the Hillary-instigated operation. It may have been very little. But it’s significant that Durham mentions it, which he would not do if it weren’t relevant to the subsequent interactions of the Clinton operatives, Sussmann, and the federal agencies Sussmann approached.
And Neustar’s service to the EOP gives us a known opportunity with a wide-open spigot. Durham isn’t going to spill his guts right now on what he’s found out about the extent and use of the data involved. But it matters, and quite seriously.
The other note is that Neustar performing DNS services for the EOP doesn’t necessarily mean the bulk of the work was done inside the White House complex (which includes the executive office buildings). Neustar could well have maintained the operation at a separate site with a secure connection to the EOP users. In such a case there was probably a small contingent of Neustar employees in the White House complex, but most of the workers would have been in a secure facility elsewhere (e.g., a location in northern Virginia, near where Neustar’s corporate headquarters is located).
Durham, in the meantime, has to limit the scope of his court statements to what is legally useful and relevant to his Sussmann case.
But we don’t.
Thinking points
In the balance of this article, I want to lay out a few basic points, without the vista full of weeds in which I’ve written about these matters before, to try to make it all easier to see. (For the background weed extravaganza, start here.)
First, to orient us to Durham’s Sussmann case, keep in mind that Durham is tying Hillary Clinton, Perkins Coie, and Marc Elias to the Joffe-to-Sussmann-to FBI chain, with billing and some telling communications among the parties. Durham’s case is that Sussmann lied to the FBI about whom he represented in coming forward in September 2016.
As of now, the information Durham discloses isn’t going beyond illuminating that predicate for his case. The details about the Georgia Tech-DARPA project are key, because they link the Alfa Bank-Trump allegations – the content Sussmann offered the FBI when he made the false statement – to Hillary and Fusion GPS at one end, and the FBI at the other.
But Georgia Tech-DARPA applies to Alfa Bank. It’s not the comprehensive explanation or means of all the spying on Trump.
We don’t know yet how much else GT-DARPA may apply to. We don’t have enough details for that. My guess is that it is implicated in more of the hydra-headed spying-on-Trump monster. But Sussmann’s false statement to the FBI when he shopped the GT-DARPA work framing Trump is the case Durham can make right now. His prosecutorial obligation in court documents is to focus there.
Moreover – and this is really important to understand; let’s call it point two – the GT-DARPA access and analysis was of a specific kind, and it could not have been behind everything done to spy on Trump.
In a sense, it’s not even “spying,” because the GT-DARPA project was focused on DNS transactions, which aren’t privacy-protected (in relation to the end-user) and don’t actually tell you all that much. What they do tell you is useful, but here’s the really big thing they don’t tell you. They don’t tell you if a person of interest at one end was trying to contact a person of interest at the other.
All they tell you is that two servers were having themselves a grope and a handshake, as a routine, not always informative feature of the communication system. The transactions are automated housekeeping. What humans do sets them in motion, but the transactions don’t tell you what the intent was on either end.
If you see a whole lot of them in a particular timeframe, and if that’s unusual, you may very well have something significant. On the other hand, you may not.
That point, right there, has been made repeatedly in various expert analyses of the Alfa Bank connection – which, as a reminder, was not with a “Trump server” or even a Trump Hotels server, but with the server of a small business (Listrak) that was contracted for server operations by a sub-contractor to Trump Hotels, Cendyn. (The sub-contractor provided hospitality advertising and management services to Trump Hotels.)
Watching the DNS transactions of a Russian bank and the sub-contractor of a sub-contractor with zero relevance to Trump himself or his 2016 campaign was a way to manufacture something that could be made to seem nefarious. Literally: it wasn’t “noticed” as activity of interest; it was sought for with the intent of trying to make something of it that wasn’t there.
How would you demonstrate that in court? By asking witnesses the question why the researchers keyed on Listrak – the sub-sub-contractor – and Alfa Bank. The only answer they could give is that Listrak was a sub-contractor to a sub-contractor of Trump Hotels. Not a speck of activity of interest cued them to Listrak. (If it had, we’d already know that.) Listrak’s sole interest was that it performed a service for a while for a sub-contractor of Trump Hotels.
It was a fishing expedition.
Listrak was never seen to “do” anything interesting in connection with Trump. The researchers chose to pluck it from obscurity because they were – a priori – looking for something to demonstrate a Trump-Russia connection, and Listrak, with its DNS lookups with Alfa Bank, was the only thing they could find.
That’s not spying in the sense of government agencies spying. It’s really important to “get” that. The Hillary side of the enterprise wasn’t spying so much as making stuff up. The spying part of the larger plan was done by assets that were under the control of the Obama administration.
Monitoring DNS transactions is not – here’s point three – how most of the spying on Trump was done. We’ve known for years how most of the spying on Trump was done. DNS transactions would have been wholly inadequate to that purpose, because they just don’t yield enough information.
Devin Nunes told us in March 2017, with his language then and subsequent details that confirmed his meaning, how most of the spying was done. It was done with FISA Section 702 queries.
Nothing about the Durham revelations has changed that.
But here is point four. This is extraordinarily important. I’ll try to keep it as simple as possible. Now that the data stream of DNS transactions is a known quantity, there is no need to speculate from non-public knowledge. We know there was a potential DNS-based cueing mechanism, and we know it involved a company contracted to perform DNS services for the Obama EOP.
That’s what brings it home for us and enables us to make point four. To put it baldly, DNS transactions could be monitored to cue the makers of Section 702 queries to home in on Trump-relevant communications in the vast ocean of telecom noise. Counter-cueing could in turn make the DNS monitors’ job easier and more productive.
DNS lookups mean servers are trying to talk to each other. Know whose comms use those servers, and you have a leg up on running queries to tailor your search results. You don’t have to violate the query rules – at least not as much, or as egregiously – if you already know when the servers you’re interested in were doing DNS transactions.
And what makes it all “legitimate” is obtaining your telecom data flow and running your queries under the terms of a National Security Letter (NSL), those handy authorizations routinely renewed by the FISA court for counterintelligence and national security searches on – for example — Russia.
In a sense, it’s almost as if the “Russia” angle was concocted as a means of legitimizing the spying on Trump. Spy away – spy hard – as long as it can be tied to “Russia.” You’ve already got the NSL for that. (I perceive other reasons why Russia was made a central theme, but putting Russia in the plot was a perpetual license to spy.)
I’ve made the case over and over that the legally separate puzzle pieces of comms surveillance had to be melded at the White House level in order to facilitate the industrial-scale spying that was apparently done against Trump. What we’re starting to see now is the features of that reality, emerging in a bit of detail. We can probably expect more detail in the future.
Two big questions
Meanwhile, to conclude here I want to re-up the key questions I had in the longer, in-the-weeds article about this on 13 February.
One was why there were DNS lookups between a YotaPhone or phones (operated by “Russian Phone Provider-1”) and Obama’s Executive Office of the President, starting in 2014. I would like to see the documentation on that: when and between whom contacts were made, as well as when those YotaPhone phones showed up in the YotaPhone service records and who paid for their service.
The reason, if it’s not obvious, is that if it’s not accounted for by some obvious explanation (e.g., someone in the EOP had occasion to talk to a Russian), it could be another fishing expedition.
We can assume the routine security monitoring of the EOP’s comms, if nothing else, made cognizant persons aware of the YotaPhone link-ups as soon as they occurred. It’s the EOP we’re talking about, not a pizza parlor. The EOP’s comms are monitored constantly. The phone contacts couldn’t have been a surprise discovery years later.
Yet it seems as if Sussmann’s brief to the CIA presented them as one. That’s the implication of Durham’s description on p. 4. Supposedly the YotaPhone contacts were random unidentified events that might have even involved Trump associates who happened to be near the White House.
Durham had the DNS data from which this analysis was compiled retrieved and reviewed, and he discovered that Obama’s EOP had had comms transactions with a YotaPhone phone or phones well before the Trump campaign was on the scene.
That wouldn’t seem particularly suspicious – if the Joffe team’s DNS project hadn’t flagged it as suspicious and tried to hang it on Trump.
If it was nefarious activity, maybe it was a matter of Obama political operatives getting a Russian phone and plugging into its IT environment to gain insight into what that environment would look like from a tech perspective.
Why not? Cherry-picking from DNS data to make up tales about a political candidate is not a good way to keep meriting the benefit of the doubt. Documentation, please.
The other question is what DNS data stream was flowing through the servers managed for the EOP by Neustar. Was it only the DNS data that would be incident to the comms of the EOP? In theory, that’s all it should be.
But Durham’s latest filing indicates that Joffe exploited access to the EOP data as well as the GT-DARPA data stream to orchestrate the fiction about Trump. That’s quite curious.
How much EOP-specific data could there possibly be? That’s only one question here.
The other is why the EOP data from the Obama era – again, from DNS resolutions relevant to EOP comms – would have anything to do with Donald Trump’s comms. How would that EOP data stream be mineable for information about Trump? Was someone repeatedly trying to contact Trump-connected comms hosts from the EOP? If so – why?
In this regard, Neustar was in a unique – literally, a unique, single-copy-on-Planet-Earth – position to cause more (extraneous) data to flow through those EOP servers, if it had some reason to.
I stress that Durham has advanced no evidence that this was done, and without more details speculation is not particularly fruitful.
But a contractor that came preloaded with privileged access to telecom data could be exploited, in an EOP role, to feed more through EOP-related servers than a DNS resolution-services contract would strictly call for.
Why would something like that be done? One possibility: if it is done, neither the FISA court nor DARPA (or the DOD) has to know about it – or know about anything that’s done with the data stream. In light of this second question, which is about opportunity (not concrete proof), it remains of exceptional interest that Neustar sold off its FISA compliance/Trusted Third Party operation on 5 June 2015.
I would want to wirebrush all of the EOP IT records – and audit those Pentagon IP addresses that had the monkish sojourn with the little shell company in Florida for 7-odd months in 2021. Whatever they were doing in 2021, I suspect their lives prior to 2021 were pretty interesting.
Feature image: The “Old” (Eisenhower) Executive Office Building across from the White House in Washington, D.C. Wikimedia
The Optimistic Conservative 
Grassley and Johnson both knew this and still said 2020 elections were free of fraud. Complacent traitors. Grassley even took Trumps endorsement for reelection. Hummmmm.
Welcome, Rustychrome. Apologies for the “approval” delay. Shouldn’t be a problem now that you’re “approved.” The one-time wicket keeps down the spam.
Well, this was bound to happen. It was going to be a problem from the very beginning and as storage became solid state and processor density increased with the entire rig being quantumly smaller and less expensive, this sort of problem was going to occur. BECAUSE! Democrats are corrupt, most bureaucrats are partisans, and there are enough mercenaries out there who will work at the dollar of the highest bidder to get the job done.
I said this 15 years ago, and I will repeat it. Metadata is not benign. It is a critical component in a database search that provides an explicit key to many candidate tuples containing “interesting elements”. It’s even more interesting when IPv6 contains the MAC address to the equipment being traced. IPv4 takes a few jumps to sort out, but by and large most elements are traceable.
It’s the old traffic analysis game. And this is actually an absolute prime example of real time and historic traffic analysis, only the comparisons, inductions, and deductions can be applied at speeds and volumes unheard of even 15 years ago when I started warning about this.
It was always going to be used for nefarious purposes by bad people with motivations to maintain and expand their power.
If you want to see the brains of the Clinton Crime Syndicate, look no further than Hillary. Bill’s a sex addicted doofus compared to her. They are both sociopaths, but she’s the power mad psychotic who will do or say anything to preserve what she sees as her “legacy”. Unfortunately, there are enough apparatchiki to provide her with a wide range of options in which to hatch and grow her schemes.
If you looked through history and studied the machinations of the nobility and royalty of Europe, you wouldn’t be surprised in the slightest. This is just more of the same, with much better technology.
Of course, nothing will be done to stop it except maybe Satan calls her contract completed and demands her soul be forfeit as promised.
Creepy evil… make one shutter.
-OAB
Creepy evil indeed.
One of the worst aspects of this is that no matter how much straightforward traffic analysis they did, it’s evident they never came up with anything against Trump.
If they had, they would have used it.
So instead they took comms events that were something non-Trump-related and made up fictional stories around them to tar Trump with.
Really good guide to how such actors will use this and a ream of other digital data-trail stuff, if they can get their hands on it. They didn’t need anything real – to convince the media with, to get FISA authorization with, to get a special counsel appointed with.
Everything they used was *manufactured* fiction. They’ve jerked around our political system with it for more than 5 years now.
And bless their hearts, there are still people of goodwill who haven’t had that revelation in their minds that none of this was an investigation of Trump.
It was an investigation of the universe of metadata, to find stuff that could plausibly be fictionalized to impugn Trump.
When you own the media, the judiciary, and a good deal of law enforcement leadership, you can pretty much do as you please. With no one to provide a check or balance, the demons, mostly housed in the Democrat Party (not all, mind you), have free reign. In the case of anyone not having sold their souls, the demons feel free to frame, smear, malign, and torture whomever they deem to be in opposition to their control.
The problem is that they have instituted a corporate state and the last natural opposition to the imposition of government control, free enterprise, has been co-opted. Much of this spying, and information gathering would be much more difficult and “due process” bound if corporations weren’t also in bed with the ruling order.
The light at the end of the long tunnel is either an oncoming train, or the other side. It is difficult to determine which, at this time, unfortunately.
-OAB
You forgot to talk about the DOD 175,000 IP address is that they sold and we’re probably used in spying and then took back
No, it’s in there at the very end. 🙂
Welcome, and thanks for your patience with the one-time “approval” requirement. Any comments you want to make from now on should post automatically (unless they have 2 or more links in them. Helps bat off the spam).
Good read, tho outside my wheelhouse, so, had nothing to say after reading it on Feb. 17.
O/T, but, thought you’d find this interesting, if only to show Trudeau/Freeland do not have an Intel Community on their leash in their Snowflake❄Republic™: Toronto Sun‘s Furey noticed:
Have not seen any echo, probably due to the Ottawa Police Horse Attack. Horses should protest being used like that! And, imagine what US Park Police and Border Patrol think!
One would hope most of Parliament might be appalled.
J.E., I’d be curious on your thoughts about this: https://conservativehardliner.com/one-point-spygate-researchers-consider-regarding-joffes-dns-spying