Did rogue techies spy on the president?
Maybe. The one-sided Durham filing can't be trusted, right-wing misinterpretations of that filing even less so.
The bombshell this week is this court filing by the Durham investigation, claiming techies working for the Democrats spied on President Trump’s White House. I thought I’d write up some notes.
Here are some verdicts:
Yes, techies (Georgia Tech and Rodney Joffe) used their legitimate access to DNS data in order to track (“spy on”?) something they associated with candidate Donald Trump. Data they were given to secure the Internet was instead used for politics.
No, they didn’t hack anything, they weren’t paid by the Democrats or Hillary campaign, they didn’t violate any law, or access any data other than what they legitimately had access to.
All this was before Trump was elected in 2016 — they didn’t spy on the Trump White House.
There’s nothing outrageous here — if you are hearing outrage from your favorite news site or Twitter pundit, then they are misrepresenting the facts.
The background for this story is described in this New York Times article written by Charlie Savage, “Trump Server Mystery Produces Fresh Conflict” (from last September). The article identifies those involved. I assume you know this much background.
The major background points are:
Trump’s DoJ appointed John Durham as special counsel to investigate the Mueller investigation — a counter-investigation if you will. Durham is trying to debunk things like the infamous Steele Dossier.
Durham indicted Michael Sussmann, a lawyer working on the fringe of the Hillary campaign, for lying to the FBI.
Sussmann was bringing a report from DNS researchers (Rodney Joffe, Dave Dagon, and others) that claimed to find in Internet logs evidence of a secret communications channel between Trump Organization and Alfa Bank — a big Russian bank tied to Putin.
The new thing is a recent court filing from Durham claiming that one of Sussmann’s lawyers has a conflict of interest. Along the way, he revealed something new: these techies had produced a second report about suspicious Russian-made phones following the Trump campaign. A Russian company, YotaPhone, made an innovative phone with an e-ink display, but it was only sold in Europe, and didn’t work with US carriers.
Yet, according to DNS data, one or more of these rare phones were associated with Trump’s activities on the campaign trail, showing up at what they claim are suspiciously coincidental times at Spectrum Health (run by the Trump allies in the DeVos family), his apartment building, and his office building. Neustar can track the phone’s activity only when it is attached to a WiFi network that runs DNS queries through Neustar, and only when it is making contact with Yota servers, such as when trying to download software updates.
Charlie Savage at the New York Times has a nice article debunking the right-wing narrative on this, “Court Filing Started a Furor in Right-Wing Outlets, but Their Narrative Is Off Track”. Despite being biased, he’s got the best access to the people involved.
The Durham court filing at the heart of this is twisted and misleading. The narratives on right-wing sites are even worse. For example, John Yoo claims in this Fox News segment “a tech company executive broke into the White House Internet system — the White House connection to the Internet, and emails, was collecting data…it seems to me this is a federal crime of hacking”. This is something Yoo just made up completely, it wasn’t in the court filing, there’s no fact to substantiate this.
On the other hand, Charlie Savage bends things the other way, trying to defend the researchers. This isn’t appropriate, either.
Joffe and Dagon monitor part of the DNS system looking for signs of hacker activity, malware, and phishing campaigns. They only get DNS logs from customers who voluntarily give them that information. The White House (through intermediaries) redirected their DNS queries through Neustar (Joffe’s company) servers. Neustar blocks cybersecurity threats — a useful service to customers like the White House.
To provide this service, techies at Neustar are constantly sifting through logs of DNS queries sent to them (again, voluntarily by customers). Neustar can’t see the contents of any other Internet traffic, like web pages, emails, or Zoom calls. They can only see the DNS lookups: requests for names and where they came from. Imagine your company is a Neustar client, and you attempted to visit ExpertSexChange.com. They’ll see this fact.
It’s a privacy and security concern, but not necessarily a big one. What these companies can see into your activities is minor compared to the big cybersecurity protections they provide.
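An added example, not from the original post and not Neustar's code: what a resolver query log supports, as described above for both ordinary DNS lookups and the YotaPhone sightings. The log format, the RFC 5737 addresses and the `vendor.example` zone (a stand-in for a phone vendor's servers) are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed resolver query log: time, source IP seen by the resolver, qtype, qname.
# The format, addresses and names are invented for this example.
SAMPLE_LOG = """\
2016-07-01T09:14:02Z 192.0.2.10 A updates.vendor.example.
2016-07-01T09:14:05Z 192.0.2.10 A www.news.example.
2016-07-01T13:40:11Z 192.0.2.10 AAAA api.vendor.example.
2016-07-02T08:02:47Z 198.51.100.7 A updates.vendor.example.
2016-07-02T08:03:00Z 198.51.100.7 A notvendor.example.
2016-07-03T22:10:31Z 203.0.113.5 A mail.corp.example.
"""

def in_zone(qname, zone):
    """True if qname equals zone or is a subdomain of it (label-boundary match)."""
    q = qname.rstrip(".").lower()
    z = zone.rstrip(".").lower()
    return q == z or q.endswith("." + z)

def parse(log_text):
    """Yield (timestamp, source_ip, qtype, qname) for each well-formed line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records rather than guess at them
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, parts[1], parts[2], parts[3]

def sightings(log_text, zone):
    """Group lookups for `zone` by source IP: (count, first seen, last seen)."""
    seen = defaultdict(list)
    for ts, src, _qtype, qname in parse(log_text):
        if in_zone(qname, zone):
            seen[src].append(ts)
    return {src: (len(t), min(t), max(t)) for src, t in seen.items()}

if __name__ == "__main__":
    found = sightings(SAMPLE_LOG, "vendor.example")
    for src, (n, first, last) in sorted(found.items()):
        # src is a network egress or forwarder address, not a device or a person;
        # nothing here shows page contents, email, or traffic from other networks.
        print(f"{src}: {n} lookups, {first} .. {last}")
```

A "sighting" is only a source address plus a looked-up name at a point in time, and it exists only when a lookup for that zone actually reaches this resolver.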
Dave Dagon is a researcher at Georgia Tech, working with other DNS researchers. They got a grant from DARPA to analyze DNS logs to track down hackers. They worked with Neustar and Joffe on the project.
It’s unclear where the logs came from for their first report on Alfa Bank, maybe Neustar, maybe some other source. However, for the second report on YotaPhones, mentioned in the recent court filing, the data definitely came from Neustar.
Thus, they all had lawful access to the data to mine it for security threats. This includes data from the White House, who voluntarily gave that data to Neustar. Likewise, many other organizations gave their DNS data voluntarily to Neustar, including those associated with Trump. No hacking, like what John Yoo claims, was involved.
But while Neustar gave researchers permission to use the data for hunting cyberthreats, tracking down hackers, they likely didn’t give permission to look for collusion between Trump and the Russians.
The situation is the same as Trump’s first impeachment, the phone call where he tried to coerce the Ukraine leader to pursue a criminal investigation into his political rival’s son. Trump claimed that this was part of his legitimate activities as President to fight international crime. But it was clearly an abuse of power pursuing his political goals — “fighting crime” was just an excuse.
Here, DNS researchers claim that the scope for their research includes “serious and legitimate national security concerns about Russian attempts to infiltrate the 2016 election” [*]. That has never been part of the typical “DNS research” scope. It sounds like a flimsy excuse. This is especially true when they contacted a lawyer in the Hillary campaign whose job it was to find dirt on Trump, who took it to the mainstream press right before the election.
There is a well-known technique for resolving such ethical dilemmas: when you do the questionable thing, do you try to hide, or do you proudly proclaim “it was me who did this thing!”. If Joffe and Dagon had come forward after the Alfa Bank story was reported on Slate, especially adding details that had been redacted from the original data, there would be good reason to believe their concern was about what the data said. Instead, they manipulated the data then hid, letting misconceptions about the data fester. It was a political hit, not an investigation into a national security threat.
As for the YotaPhone data they gave the CIA (discussed in Durham’s recent filing), they have a better argument. They didn’t go public with the data. Also, they could have legitimately been tracking “YotaPhones” independently, and that in the course of their investigation, happened to find them at the White House and following Trump on the campaign trail.
I’m not sure I trust this since it’s bogus to believe the YotaPhone is tied to Russia. Yes, it’s built by a Russian company, but it was sold mostly in Europe. It’s only suspicious if you don’t think too hard about it. Given that this came after a clear smear campaign with the Alfa Bank information, I’m not sure I believe the innocent excuses.
Charlie Savage’s New York Times article accepts their explanation, that it was part of their legitimate DNS research. I disagree, but I think reasonable people will disagree on this.
However, the narrative spinning out of control on right-wing sites stoking outrage isn’t reasonable. The researchers had legitimate access to mine billions of DNS log entries to hunt down hackers and secure the Internet. There is no hacking, no “spying on the White House”, and they weren’t really in contact with the DNC, much less paid by them. There is no justification, zero, zilch, nada, for saying things like “a tech executive broke into the White House”, as John Yoo does in the Fox News example above. The most they did was overstep their bounds a little. Yes, I personally disagree with that — but it’s not outrageous.
I'm mostly on-board with your interpretation. You say "[a]ll this was before Trump was elected in 2016 — they didn’t spy on the Trump White House." Item 6 in the document seems to say that it continued after 1/20/2017.
I'd also point out that earlier Durham filings indicated that Tech Executive-1 was hoping for a position in the Clinton administration, so even if he was uncompensated, he was hoping for compensation.
One more thing: IANAL, but it seems to me that TE-1 may have opened up Neustar to civil liability. I'd like to hear a real lawyer's opinion on that.
I think it is outrageous because of "special trust" given to entities that receive (say) netflow and dns logs for threat intel, from internet infra (public resolvers for example). It's not just about rjoffe or neustar's reputation, it is a stark reminder of potential conflicts of interest and insider threats, and I'd think twice about cymru feeds now.