The media–Democrat complex’s main gripe about special counsel John Durham’s Feb. 11 motion is the prosecutor’s supposedly misleading reference to Internet traffic records (i.e., domain name system data, or DNS) derived from the Executive Office of the President (EOP) — i.e., the president’s staff or the White House.
Durham, of course, has indicted Democratic Party lawyer Michael Sussmann for allegedly making a false statement to the FBI in September 2016. The prosecutor alleges that Sussmann and his alleged collaborator, tech executive Rodney Joffe, exploited Joffe’s access to EOP records — among other Internet-traffic records — in order to frame Trump as a clandestine agent of Russia. They are said to have suggested that Trump and the Kremlin were using servers at Alfa Bank, a significant Russian financial institution, as part of a communications back channel.
Last week, in the course of making a motion to ask the court to address defense counsel’s potential conflicts of interest (see my Corner post), Durham disclosed that Sussmann also met with the CIA in early February 2017 and provided Trump–Russia data (from Joffe) that updated what he had given the Bureau in September. Sussmann and his supporters now grouse that Durham’s motion is prejudicially misleading. The gist of this complaint is that Durham was hiding the ball: The EOP records in question cover the period from 2014 until early 2017 — the period during which the president was Obama, not Trump. How could it be, Sussmann supporters theatrically pine, that Trump could be framed by using data from another president’s time in office? How could Trump supporters seriously contend that the Clinton campaign was “spying on the Trump White House” when the Internet-traffic records in question reflect activities of the Obama White House?
The Sussmann-camp claim is itself misleading.
To begin with, as noted above, the objective of Durham’s motion was not to ignite a media frenzy over political spying. It was to lay out, as Durham was obliged to do, the evidence that might be relevant to conflicts of interest under which Sussmann’s lawyers are potentially laboring.
That aside, Durham’s motion expressly states that the relevant EOP records are from 2014 to 2017, when Obama was president. There is no ball-hiding on that. Durham further asserts, moreover, that Sussmann based his framing of Trump as a Russian spy on data Joffe had mined from EOP Internet traffic. There is no reason to doubt that this is true — indeed, in their pushback, Sussmann apologists are not claiming that EOP traffic mined by Joffe formed no part of Sussmann’s presentation to the CIA; they are claiming that the DNS data from EOP is from the Obama years (and they want you to believe it must all be from the Obama years, even though a small portion of it is almost certainly from Trump’s first weeks in office). Again, Durham was entirely transparent about that.
Let’s look at exactly what Durham’s motion (at p. 3) said in this regard (my italics):
5. The Government’s evidence at trial will also establish that among the Internet data Tech Executive-1 and his associates exploited was domain name system (“DNS”) Internet traffic pertaining to (i) a particular healthcare provider, (ii) Trump Tower, (iii) Donald Trump’s Central Park West apartment building, and (iv) the Executive Office of the President of the United States (“EOP”). (Tech Executive-1’s employer, Internet Company-1, had come to access and maintain dedicated servers for the EOP as part of a sensitive arrangement whereby it provided DNS resolution services to the EOP. Tech Executive-1 and his associates exploited this arrangement by mining the EOP’s DNS traffic and other data for the purpose of gathering derogatory information about Donald Trump.)
The Indictment further details that on February 9, 2017, the defendant provided an updated set of allegations — including the Russian Bank-1 data and additional allegations relating to Trump — to a second agency of the U.S. government (“Agency-2”). [ACM: Agency-2 appears to be the CIA.] The Government’s evidence at trial will establish that these additional allegations relied, in part, on the purported DNS traffic that Tech Executive-1 and others had assembled pertaining to Trump Tower, Donald Trump’s New York City apartment building, the EOP, and the aforementioned healthcare provider. In his meeting with Agency-2, the defendant provided data which he claimed reflected purportedly suspicious DNS lookups by these entities of Internet protocol (“IP”) addresses affiliated with a Russian mobile phone provider (“Russian Phone Provider-1”). The defendant further claimed that these lookups demonstrated that Trump and/or his associates were using supposedly rare, Russian-made wireless phones in the vicinity of the White House and other locations. The Special Counsel’s Office has identified no support for these allegations. Indeed, more complete DNS data that the Special Counsel’s Office obtained from a company that assisted Tech Executive-1 in assembling these allegations reflects that such DNS lookups were far from rare in the United States. For example, the more complete data that Tech Executive-1 and his associates gathered — but did not provide to Agency-2 — reflected that between approximately 2014 and 2017, there were a total of more than 3 million lookups of Russian Phone-Provider-1 IP addresses that originated with U.S.-based IP addresses. Fewer than 1,000 of these lookups originated with IP addresses affiliated with Trump Tower. 
In addition, the more complete data assembled by Tech Executive-1 and his associates reflected that DNS lookups involving the EOP and Russian Phone Provider-1 began at least as early 2014 (i.e., during the Obama administration and years before Trump took office) — another fact which the allegations omitted.
Now, a couple of things to notice here. First, Sussmann’s meeting with the CIA is said to have occurred on February 9, 2017. By that date, Trump had been president for nearly three weeks. Furthermore, Durham says that the information Sussmann brought the CIA was “updated.” Obviously, that means it included new data since Sussmann’s September 19, 2016, meeting with FBI general counsel James Baker (the meeting at which Sussmann made the alleged false statement). The data that Sussmann showed the CIA has not been made public, but we can safely assume that if Joffe still had access to EOP Internet traffic (as it appears he did), the data included traffic from Trump’s early presidency — i.e., drawn from January 20 up to February 9, 2017 (or shortly before February 9).
In addition, Durham relates that Sussmann told the CIA that “Trump and/or his associates were using supposedly rare, Russian-made wireless phones in the vicinity of the White House and other locations.” That is clearly a reference to records generated during Trump’s presidency — Trump was not in the vicinity of the White House during Obama’s presidency, and Durham’s reference to the White House “and other locations” clearly relates to the other Trump locations discussed in the motion (Trump Tower in Manhattan, Trump’s Central Park West apartment, and a health-care provider that news coverage indicates is Spectrum Health). That is, this reference to the White House is to the Trump White House, not the Obama White House.
Durham further relates that Sussmann connected his claims about the use of Russian-made wireless phones at the Trump White House and other Trump locations to “purportedly suspicious DNS lookups by these entities of Internet protocol (‘IP’) addresses affiliated with a Russian mobile-phone provider (‘Russian Phone Provider-1’).” That is, DNS data connected these Trump “entities” — including the Trump White House — to the Russian mobile-phone provider.
The Russian phones are known as YotaPhones. I know that because I read the New York Times, particularly reporting by Charlie Savage, the Times’ best reporter on things cyber. That is why I’m surprised by Savage’s intimation that the “data” to which Durham referred — which Savage suggests means all of the DNS logs addressed in the prosecutor’s motion — “came from Barack Obama’s presidency.” The Times report quotes a pair of lawyers who represent a data scientist “who helped develop the Yota analysis.” They maintain that the data being analyzed was “nonprivate DNS data from before Trump took office.” But a caveat: The lawyers take pains to qualify that assertion, saying that “to our knowledge” the data are pre-Trump — but we don’t know how complete their knowledge is, or why they felt the need to add that qualification.
In any event, the suggestion that none of the data relate to Trump’s presidency is not consistent with what Durham’s motion states. It is also inconsistent with the implications of the Times’ own prior reporting. Here is what Savage and his colleague Adam Goldman explained in a news article published on September 30, 2021 (i.e., before there was any Durham motion to push back against):
[T]he Alfa Bank suspicions were only half of what the researchers sought to bring to the government’s attention, according to several people familiar with the matter. Their other set of concerns centered on data suggesting that a YotaPhone — a Russian-made smartphone rarely seen in the United States — had been used from networks serving the White House, Trump Tower and Spectrum Health, a Michigan hospital company whose server had also interacted with the Trump server.
Mr. Sussmann relayed their YotaPhone findings to counterintelligence officials at the C.I.A. in February 2017, the people said. It is not clear whether the government ever investigated them.
Now, the Times does not say flat out in this passage that the data suggesting YotaPhone usage “from networks serving the White House” were from the Trump White House, but that certainly is the implication. There is no reason to think Sussmann was trying to warn the CIA that Obama might be using a YotaPhone. In his more recent reporting, Savage dismissively says that it is problematic for conservative news outlets suddenly to highlight this information because it is “old news,” which he and Goldman previously reported. I don’t see how the vintage of the reporting makes any difference when the question now being raised is whether some of the relevant data traces to Trump’s administration rather than Obama’s.
A final point. Durham was completely clear that the vast majority of the EOP data was from the Obama era. And that’s not just because he saw a need to elucidate the obvious. It is because this fact helps Durham’s case. As Durham’s motion stressed, the complete data going back to 2014 — i.e., the data that Sussmann allegedly did not include in his presentation to the CIA — shows that the Trump traffic that Sussmann couched as suspicious was not suspicious at all. It’s worth repeating what Durham wrote on this score (my italics):
For example, the more complete data that Tech Executive-1 and his associates gathered — but did not provide to Agency-2 — reflected that between approximately 2014 and 2017, there were a total of more than 3 million lookups of Russian Phone-Provider-1 IP addresses that originated with U.S.-based IP addresses. Fewer than 1,000 of these lookups originated with IP addresses affiliated with Trump Tower. In addition, the more complete data assembled by Tech Executive-1 and his associates reflected that DNS lookups involving the EOP and Russian Phone Provider-1 began at least as early 2014 (i.e., during the Obama administration and years before Trump took office) — another fact which the allegations omitted.
To summarize, Durham was not trying to spark a “spying on the Trump White House” controversy. There is abundant basis to believe a small amount of the EOP data at issue — relating to YotaPhone usage in the vicinity of the White House — is from the early days of the Trump administration. And far from hiding the fact that the vast majority of relevant EOP data was from the Obama years, Durham expressly emphasized this fact because it helps him: It tends to show that Sussmann and his collaborators were deceptively cherry-picking data to create the illusion of a corrupt Trump–Russia connection, when the broader context they withheld would have revealed their data to be unremarkable.
Durham is not the one who’s spinning here.