[Links to Parts II and III at the bottom. – J.E.]
This article started out to be a somewhat different one, developing a couple of points about the monitoring of EOP (Executive Office of the President) communications referenced in the John Durham court filings.
But with a firehose of new information coming in, it seems necessary to take stock and put in perspective the things we know up to this point. I don’t think most will find it a waste of time. The stock-taking is relatively short, and the principal feature is something we haven’t had yet: schematic diagrams of how the major IT pieces fit together to make the surveillance of “Trump” possible, and facilitate the concoction of an anti-Trump narrative about supposed links to Russia.
The graphics are very simplified, which I suspect many readers will consider a blessing. My hope is to spare some unnecessary efforts to sort out confusion when it need not be at work.
After the stock-taking, in Part II, I’ll add some findings and commentary on the marvelous spadework done by Margot Cleveland to identify the “Ops-Trust” group. She suggests the group – rightly, I believe – as a clue to the data-mining allegedly done by the Rodney Joffe team, as it looked for ways to depict IT events as evidence of connection between Trump and Russia. There are significant collateral reasons to adopt this perspective.
As a matter of events over time, we first started absorbing data points that apply to the right-hand end of the first graphic. Chief among them were discoveries by Devin Nunes at the White House, VADM Mike Rogers’s brief to President-Elect Trump in November 2016, and the remarkable number of “unmasking” requests on U.S. persons made by members of the National Security Council.
Some of us with career expertise in the green and red boxes offered analysis of these data points and their import, as new information emerged in the period from 2017 to 2020.
A couple of general comments on the green and red boxes will help our understanding. Rather than going in-depth here, in the interest of brevity I will merely mention them. One is that the green box is actually the center of the cycle, because bulk-collection requirements arise from analysis by the agencies stacked to the viewer’s right (plus some others, such as Treasury Intelligence, DEA, etc.). Bulk-collected data then populates repositories like NSA’s, and analysts pull from the data store. This is actually a national intelligence process applicable to all forms of intel.
The other is that the Foreign Intelligence Surveillance Act (FISA) brokers that process for national security collection that has an impact on U.S. persons’ communications. Law enforcement collection, though it intersects at some points with national security collection (and the main agency involved, the FBI, is subject to FISA), is governed under a separate set of regulations, among which the Communications Assistance for Law Enforcement Act (CALEA) of 1994 is the relevant baseline statute. It puts telecoms on the hook to feed government requirements, and at the time of passage updated provisions that had applied more usefully to pre-digital telephony. Laws like the Patriot Act and subsequent updates to CALEA have also affected the details of this relationship (as well as some national security applications under FISA).
Under this item heading, note that Executive Order 12333 applies to the red and green boxes: the red box for record-keeping on the NSA database, the green box for agency handling of the data.
Finally, the Cybersecurity Information Sharing Act (CISA) of 2015 applies to information sharing of the telecom data as it exists in industry formats in the blue box.
A brief discussion of CALEA and CISA follows, because this is a significant point affecting how and how much information-sharing matters as a law enforcement concern. (CISA here is different from the Cybersecurity and Infrastructure Security Agency in the Department of Homeland Security. Although, confusingly, CISA, the Act, is also a governing document for some of what CISA, the Agency, does.)
As mentioned in an earlier article from October 2021, the privacy protection status of elements in the telecoms’ data is something of a gray area as regards CALEA, which is the governing reference for such questions about the data routinely forwarded under government collection mandates by the service providers.
The general reason for this is that CALEA is now old, dating to 1994. (Its predecessor laws about telephone and teletype data protection are even older.) CALEA and earlier laws were written for older technology. Analogies between the functions of elements in older and newer telecom technology have in some cases been stretched beyond the point of utility now. (In fact, the specific question cited in October, “call-identifying information” going over a packet-mode Internet, may apply to a greater or lesser degree depending on individual comms events.)
That leaves holes that have yet to be closed in the bases for application and decision-making. It’s important to note that this is a general comment, and isn’t intended to refer to any unique or specific feature of DNS data. The Durham filings have got us bore-sighted on DNS transactions, but the issue of data-sharing ethics and legality for IT researchers is a bigger one. The bigger issue is what’s relevant to everything Joffe’s “researchers” were doing.
Add to this the discussion of CISA, the 2015 law on information sharing cited in the Sedenberg-Dempsey study Margot Cleveland linked to, in which the authors observe that public and private leadership operated on a cyber-crime-oriented “assumption that with more information, systems may be made more secure through prevention measures or rapid remediation.” (All quotes are from pp. 1-3 of the study.)
“Policymakers,” suggest Sedenberg and Dempsey, “reluctant to regulate cybersecurity standards, viewed voluntary information sharing as a tangible coordination activity that could be incentivized through policy intervention and sometimes directly facilitated by federal government roles.”
They continue: “The law sought to encourage information sharing by the private sector by alleviating concerns about liability for sharing otherwise legally restricted information. It also sought to improve sharing within the federal government and between the government and the private sector.”
Government had already set up bodies to “coordinate and increase information sharing with and within the private sector.” Sedenberg and Dempsey give the example of the U.S. Secret Service (USSS) creating “the New York Electronic Crimes Task Force (ECTF) in 1995 to facilitate information exchanges among the private sector, local and national law enforcement, and academic researchers.” The 2015 CISA effectively endorsed other similar efforts from the FBI and DHS – and as the authors note, “Various other information exchanges and feeds—each with its own scope, access policies, and rules—were established across federal agencies charged with securing aspects of cyberspace.”
The study authors recount that “private sector information sharing arrangements also proliferated. … Security researchers and individual corporate professionals formed ad hoc arrangements around critical responses to major incidents such as the Conficker worm and the Zeus botnet—threats that required coordination of response as well as exchange of information.”
All of this is about what happens in the blue box, which is where Team Joffe was operating. With relevant laws taken all together, there is plenty of ambiguity in guidelines for privacy protection of industry-held telecom data as it relates to end-user interests, like yours and mine.
As we’ll see in Part II, DHS’s CISA, the agency, uses what’s known industry-wide as the “Traffic Light Protocol” to provide guidance on sharing information from the telecoms’ gigantic stores of data. It urges private partners as well as government agencies to do the same.
But adhering to those guidelines is basically a self-policing process for people like researchers in “trust groups,” who don’t have fealty to specific end-users, or any particular employee obligations to IT companies.
Something the Durham filings have not told us is what the precise terms were, regarding data-sharing, data use, and security, of any DARPA-chartered research that may have been exploited for the Alfa Bank narrative shopped by Michael Sussmann. It would be useful to know that.
This area of practice – the privacy protection of telecom data like that accessed by the Joffe team – is in serious need of congressional attention.
The graphics tell their story
From here the graphics breaking down what we know about the blue and green boxes are largely self-explanatory.
The first one (Graphic 2) addresses the role of telecom data in concoction of the Alfa Bank narrative.
Graphic 3 depicts the commercial roles played by Neustar, as outlined in the Durham filings (DNS services to the EOP) and as known through public record (Neustar’s legal compliance service for telecoms under mandate to feed data to NSA). The latter service ended, as described in previous articles, on 5 June 2015 with the sale of the compliance division to rival company Subsentio.
The DNS services for the EOP were ongoing from as early as 2014 to a point in 2017, according to Durham’s 11 February 2022 court filing. In earlier articles, I’ve discussed why the Neustar service probably ended in early February 2017.
Graphic 4 contains commentary about monitoring Trump and his associates using telecom data.
Trump’s transition-period comms would not have been monitored through Neustar’s contract with the EOP. (See below.) Access to the EOP comms before and after Trump’s inauguration would have encompassed the Obama and Trump administrations (the latter at least briefly) in that data stream, but if Trump’s transition comms were monitored at the level of telecom IT data, that was done separately.
Note: It is interesting indeed that the Durham filing mentions Neustar’s access to EOP comms before and during the presidential transition, apparently in relation to the monitoring of Trump. This was a question in my mind on first seeing that Neustar had had a contract with the EOP. The question was why Durham was highlighting it, and I continue to have a question why the highlighting persists, and includes oblique but unmistakable references to the Obama EOP.
Durham seems to be adding to his original “talking indictment” – but what he’s saying isn’t fully clear yet. It’s one thing if “Neustar with the EOP comms” relates to 20 days of the Trump administration. But it’s another if “Neustar with the EOP comms” relates to a year, or maybe two, of the Obama administration (and perhaps through that portal to the anti-Trump operation?).
The final graphic depicts our understanding of the data abuse and exploitation in the green box during the Obama administration. This occurred in (at a minimum) the final 18 months of Obama’s tenure. This graphic shouldn’t require much explanation.
Note here that Trump team comms were mined for information from this box during the transition period, as well as before the 2016 election. Information on that was released by Richard Grenell and John Ratcliffe, and alluded to with less detail (but the right verbal clues for bona fides) by reporting from the House Intelligence Committee. It confirmed what Devin Nunes – one of the transition team members who had been monitored – warned about in March 2017.
The following previous articles provide some background for the notes on this graphic: here, here, here, and here.
The Trump transition
This was one of the topics intended for this article as originally conceived. There’s quite a bit of background, but I’m going to abbreviate it to a couple of salient points for the purposes here.
One is that a source quoted by Paul Sperry, in his 17 February 2022 article for Real Clear Investigations, is on the right track.
Sperry cites former federal prosecutor and assistant FBI director Chris Swecker: “As I see it … Joffe, who worked for Neustar at the time, had a contract with either the Executive Office of the President or the [presidential] transition team, and he used information gleaned from his contractual relationship to provide that private information to the Clinton campaign.”
Joffe himself may or may not have been directly working either contract, but Swecker’s implied point that they would have been different contracts is the key. Joffe was presumably aware of Neustar’s access at the EOP, and again, Durham’s filings haven’t made it clear yet why he keeps throwing that point in. (At a minimum, access at the EOP level could explain some activity involving Joffe and Sussmann for a few days of the Trump administration. I have the sense that it’s more than that.)
But the presidential transition team’s comms aren’t hosted through the EOP. If you think about it for a moment, you realize a president-elect wouldn’t want them to be.
(Especially not Donald Trump after being briefed by Admiral Rogers. But note that there’s still an obvious peril here: i.e., that the Obama GSA contracting for the Trump transition’s communications could certainly have arranged by that method to spy on them. In that case, Joffe’s team could have received data collected by the GSA-selected vendor.)
The General Services Administration separately provides IT infrastructure for the transition team – and we have specific reason to know it did so for the Trump team (which operated as Trump for America during the transition). In 2019, after it was revealed by the DOJ inspector general that the GSA had improperly preserved the records of the Trump transition and turned them over to Robert Mueller in 2017 – without a subpoena – Senators Chuck Grassley and Ron Johnson investigated the matter and released a report on GSA’s handling of Trump for America.
They confirmed that GSA had indeed provided the IT and communications infrastructure for the Trump transition. On pages 7-8 of the Senate report, we read: “The General Services Administration (GSA) is the federal agency charged with providing office space and communications services to presidential transition teams.”
The report continues: “In 2016, the memorandum between the GSA and Trump for America expressly addressed what the GSA would do with the electronic devices it provided to Trump for America:
“’GSA will provide an architected infrastructure to meet telecommunications and IT services and equipment for use by the Office of the President-elect, with installation included as part of the ‘turn-key’ office space. GSA will supply software and equipment, and the equipment will be returned by February 19, 2017. This equipment will be inventoried and all data on these devices will be deleted.’”
The senators found that GSA provided the agreed services, but did not delete the data on the devices as contracted with the Trump team.
It doesn’t appear that Neustar provided any services to the transition team. Neustar and its subsidiaries had no payments from contracts with GSA (either as prime or a subcontractor) in the presidential transition period, according to data retrieved from the Federal Procurement Data System website.
But as Chris Swecker suggests, there was presumably someone who had a contract to provide IT and communications services to Trump for America. Joffe probably didn’t have difficulty learning which vendors were involved, and his team could conceivably have gained access to ISP-level data that way. As we’ll see in Part II, it might actually be harder to avoid having access than to have it.*
* One question raised by this discussion is locating the contract under which Neustar provided DNS services to the EOP. (If someone has identified it, please advise. Obviously Durham has the particulars.)
We get a bit of an assist from the Rodney Joffe deposition filed 18 February 2022 in the Alfa Bank lawsuit (h/t: Ryan M), because the Alfa Bank attorney questioning Joffe says Neustar was a subcontractor performing this role.
That said, I want to write about that topic at another time. It’s actually quite a substantial one, because no one has a handle on how big the forensic problem of EOP contracting actually is. Basically, any other agency in the federal executive could be contracting as funding or awarding agency for fundable items and activities in the EOP – and, possibly worse, vice versa.
Feature image: The Eisenhower Executive Office Building. Wikipedia image.
The Optimistic Conservative 
The graphics are nice. Thankful I am not color blind. Did you ever resort to graphics for any of your superiors during your active service. FYI, I am on the cutting edge of technology. My wife retired my iphone 5s a few days ago. Left a 13. Will dust it off weekly as usual. You are in a deep, silent running mode concerning Ukraine. Very best regards OC.
An impressive amount of data and analysis, as with all your posts. Thanks for the work you have done consistently clarifying the Clinton Coup.
I can understand why you wanted to get that out before tackling Ukraine, but I suspect I’m not the only reader waiting impatiently for your view of the situation.
Would love to see you set up an account on Gab so people could follow you there. (And I think many would.) I couldn’t in good conscience use Twitter any more and deleted my account. The key to Gab happiness is liberal use of the “Block” button: it’s like the old-school internet from years ago and it starts out as a high-noise environment. Just click “Block” on the assorted trolls and spammers when they first appear, and within a couple of days you’ll have a clean feed of interesting commentary from people all over. Hope to see @OptimisticCon there soon! 🙂
There is the element of understanding… spent most of my 40 year career digging at some form of networking… So, in my case that element is pretty big and grew with the relatively rudimentary X.25/X.75 based networks and just kept moving as Banyan Trees, and Token Rings bloomed and died off. I just shook my head at IPv6 because it’s addressing and structure make it dangerously intrusive and also dangerously exploitable.
The proliferation of Internet of Things (IOT devices) means that your hacked refrigerator or thermostat can be set to hack someone else’s world, or do something that could get you thrown in the klink… and you, yourself did nothing… except buy a fridge that ordered from Bezos world without you specifically opening the door to actually check to see if you had enough cheese for the burgers.
I just purchased a Samsung S22+ phone. My old phone was dying and also choking down because the software operating burden is so high the older technologies can’t keep up. It’s married to Goog… and there is no separating it. Google owns Android… which means it owns every non-Crapple iPhone out there regardless of brand. Good luck operating without a phone in an active business environment. Two-factor ID, Near Field Payments, messaging and even grocery savings are all needed.
And then there is the monsters in the closet who can see when they want to see, touch when they want to touch, and exploit when they feel the need. Something began the process of derailing in the post war period. The tech explosion of the generation after the turn of the 21st century has us barreling down the tracks of an unknown railway through the mountain passes with no brakes and operators with their own power agendas.
The 2020 election steal was powered by good old fashioned ballot box stuffing, but those phony ballots could never be counted in time, so the monsters in the closet arranged to change the numbers in their machines to match the paper. Those monsters are about to remove our ability to govern ourselves, communicate in private, and conduct our lives as free people of a free nation. The monsters of gothic fiction were easier to get rid of. No crosses, holy water, garlic, wooden stakes, silver bullets or sunlight seem to be handy.
-OAB