Case 1:17-cr-00548-PAC Document 98-11 Filed 06/18/19

Exhibit

18MAG9130

UNITED STATES DISTRICT COURT
SOUTHERN DISTRICT OF NEW YORK

IN THE MATTER OF THE APPLICATION OF THE UNITED STATES OF AMERICA FOR SEARCH WARRANTS FOR INFORMATION AND DATA ASSOCIATED WITH THE TWITTER ACCOUNT @FREEJASONBOURNE; THE BUFFER ACCOUNT WITH THE USER ID 5b8c7b5804c2e71709f92901 AND ASSOCIATED WITH THE EMAIL ADDRESS FREEJASONBOURNE@PROTONMAIL.COM; THE GRAVATAR PROFILE URL HTTPS://EN.GRAVATAR.COM/JOSHSCHULTEl (INCLUDING THE WORDPRESS SITES JOSHSCHULTE.WORDPRESS.COM AND PRESUMPTIONOFSLAVERY.WORDPRESS.COM); AND THE EMAIL ACCOUNTS JOSHSCHULTEl@GMAIL.COM, FREEJASONBOURNE@GMAIL.COM, JOHN12GALT21@GMAIL.COM, AND JOHNSMITH742965@OUTLOOK.COM; THE FACEBOOK ACCOUNT WITH THE USER IDENTIFICATION NUMBER 225303401359184; STORED AT PREMISES CONTROLLED BY TWITTER, INC., BUFFER, INC., AUTOMATTIC INC., GOOGLE, INC., MICROSOFT CORPORATION, AND FACEBOOK, INC.

SEALED AGENT AFFIDAVIT

Sl 17 Cr. 548 (PAC)

STATE OF NEW YORK )
) ss.
COUNTY OF NEW YORK )

JEFF D. DONALDSON, being duly sworn, deposes and states:

I. Introduction

A. Affiant

1. I am a Special Agent of the Federal Bureau of Investigation (the "FBI" or the "Investigating Agency") assigned to the New York Field Office, and have been employed by the FBI since 2010. I am currently assigned to a squad responsible for counterespionage matters and have worked in the field of counterintelligence from 2010 to present.
In the course of my duties as a Special Agent, I am responsible for investigating offenses involving espionage and related violations of law, including the unauthorized retention, gathering, transmitting or losing classified documents or materials; the unauthorized removal and retention of classified documents or materials; illegally acting in the United States as a foreign agent; other national security offenses; and the making of false statements. As a result of my involvement in espionage investigations and investigations involving the unauthorized disclosure or retention of classified information, as well as my training in counterintelligence operations, I am familiar with the tactics, methods, and techniques of United States persons who possess, or have possessed a United States Government security clearance and may choose to harm the United States by misusing their access to classified information. I am also familiar, through my training and experience, with the use of computers in criminal activity and the forensic analysis of electronically stored information, including email.

2. This Affidavit is based upon, among other things, my participation in the investigation, my examination of reports and records, and my conversations with other law enforcement agents and other individuals, as well as my training and experience. Because this Affidavit is being submitted for the limited purpose of obtaining the requested warrants, it does not include all the facts that I have learned during the course of this investigation. Where the contents of documents and the actions, statements, and conversations of others are reported herein, they are reported in substance and in part, except where otherwise indicated.
In addition, unless otherwise indicated, statements by others referenced in this Affidavit were not necessarily made to me, but may have been provided to me by someone else to whom I have spoken or whose report I have read (and who in turn may have had either direct or indirect knowledge of the statement).

2018-10-24

B. The Providers, the Target Accounts, and the Subject Offenses

3. I make this Affidavit in support of an application for search warrants pursuant to 18 U.S.C. § 2703 for all content and other information associated with the following electronic accounts:

a. The Twitter identification user @freejasonbourne, account number 1035952759252701184 (the "Schulte Twitter Account"), which is stored at premises controlled by Twitter Inc. ("Twitter"), headquartered at 1355 Market Street, Suite 900, San Francisco, California 94103;

b. The Buffer account with the user identification number 5b8c7b5804c2e71709f92901 and associated with the email address freejasonbourne@protonmail.com (the "Schulte Buffer Account"), which is stored at premises controlled by Buffer, Inc. ("Buffer"), headquartered at 44 Tehama Street, San Francisco, California 94105;

c. The Gravatar profile URL https://en.gravatar.com/joshschultel (the "Schulte WordPress Account"), which includes the sites joshschulte.wordpress.com (the "Schulte WordPress Site-1"), presumptionofslavery.wordpress.com (the "Schulte WordPress Site-2"), and presumptionofinnocence.net (the "Schulte WordPress Site-3," and together with the Schulte WordPress Site-1 and the Schulte WordPress Site-2, the "Schulte WordPress Sites"),¹ which are stored at premises controlled by Automattic Inc. ("Automattic"), headquartered at 60 29th Street #343, San Francisco, California 94110;

¹ Based on my review of the Schulte WordPress Sites, it appears that when a user tries to access the Schulte WordPress Site-2, the user is redirected to the Schulte WordPress Site-3.

d. The email accounts joshschultel@gmail.com (the "Schulte Gmail Account-1"), john12galt21@gmail.com (the "Schulte Gmail Account-2"), and freejasonbourne@gmail.com (the "Schulte Gmail Account-3," and together with the Schulte Gmail Account-1 and the Schulte Gmail Account-2, the "Schulte Gmail Accounts"), which are maintained at premises controlled by Google, Inc. ("Google"), headquartered at 1600 Amphitheatre Parkway, Mountain View, California 94043. The Government executed two search warrants on the Schulte Gmail Account-1 (the "Original Gmail Search Warrants") on or about March 14, 2017 and on or about May 17, 2017. In this application, the Government seeks a search warrant for the contents of the Schulte Gmail Account-1 from May 18, 2017 through the present;

e. The email account Johnsmith742965@outlook.com (the "Schulte Outlook Account"), which is maintained at premises controlled by Microsoft Corporation ("Microsoft"), headquartered at 1 Microsoft Way, Redmond, Washington 98052; and

f. The Facebook page with the user identification number 225303401359184 and which is entitled "who is JOHN GALT?" (the "Schulte Facebook Page"), which is maintained at premises controlled by Facebook, Inc. ("Facebook," and together with Twitter, Buffer, Automattic, Microsoft, and Google, the "Providers"), headquartered at 1 Hacker Way, Menlo Park, California 94025.

g.
The Schulte Twitter Account, the Schulte Buffer Account, the Schulte WordPress Account (including the Schulte WordPress Sites), the Schulte Facebook Page, the Schulte Outlook Account, and the Schulte Gmail Accounts are collectively referred to herein as the "Target Accounts."

4. The information to be searched is described in the following paragraphs and in Attachment A attached separately to each of the four proposed warrants, one to be directed to each of the Providers.

5. As detailed below, there is probable cause to believe that the Target Accounts contain evidence, fruits, and instrumentalities of violations of 18 U.S.C. §§ 401 (contempt of court), 793 (unlawful disclosure of classified information), 1030 (unauthorized computer access), 1503 and 1512 (obstruction of justice), 1791 (smuggling contraband into a federal detention facility), and 2252A (illegal acts related to child pornography), as well as conspiracies and attempts to violate these provisions and aiding and abetting these offenses, among other statutes (the "Subject Offenses").

C. Services and Records of the Providers

6. Based on my training and experience, my participation in this investigation and others, my review of reports prepared by others, and my conversations with other law enforcement agents and others, I have learned the following about the Providers:

Information About Twitter

a. Twitter offers electronic messaging and online social media services. Twitter allows its users to create their own profile pages, which can include a short biography, a photo of themselves, and location information. Twitter also permits users to post and read 280-character messages called "tweets," and to restrict their "tweets" to individuals whom they approve. In addition, Twitter's subscribers can send "direct messages," or "DMs" to other subscribers, which are typically only viewable by the sender or recipient of the direct message. These features are described in more detail below. A subscriber using Twitter's services can access his or her account from any computer connected to the Internet.

b. Twitter maintains the following records and information with respect to every subscriber account:

i. Biographical Information: Twitter allows its users to create personal profile pages. These pages include a short biography, photographs of the users, and location information for the user.

ii. Tweets: As discussed above, Twitter's users can use their accounts to post "tweets" of 280 characters or fewer. Each tweet includes a timestamp that displays when the tweet was posted. Twitter's users can also "favorite," "retweet," or reply to tweets of other users. In addition, when a tweet includes a username, often preceded by "@," Twitter designates that tweet a "mention" of the identified user. In the "Connect" tab for each account, Twitter provides the user with a list of other users who have favorited or retweeted the user's own tweets, as well as a list of all tweets that include the user's username (i.e., a list of all mentions and replies for that username). By enabling the "Tweet With Location" feature, Twitter's users can also choose to include location data in their tweets.

iii. Photographs/Images: Twitter users can also include photographs or images in their tweets. Each account is provided a user gallery, which stores photographs or images that the user has shared on Twitter's network, including photographs or images that were uploaded from another service.

iv. Link Information: Twitter's users can also include links to a website in their tweets.
By using Twitter's linking service, a longer website link can be converted into a shortened link, which allows it to fit into the 140-character limit. The linking service measures how many times a link has been clicked.

v. Associated Users: A user can also "follow" other users, which means that the user subscribes to the other users' tweets and site updates. Each user profile page includes a list of the people who are following that user (i.e., the user's "followers" list) and a list of people whom that user follows (i.e., the user's "following" list). Twitter's users can "unfollow" users whom they previously followed, and they can also adjust the privacy settings for their profile so that their tweets are visible only to the people whom they approve, rather than to the public (which is the default setting). A user can also group other users into "lists" that display on the right side of the user's home page. Twitter also provides users with a list of "Who to Follow," which includes recommendations of accounts that the user may find interesting, based on the types of accounts that the user is already following and who those people follow.

vi. Direct Messages: A user can also send direct messages, or DMs, to one of his or her followers. These messages are typically visible only to the sender and the recipient, and both the sender and the recipient have the power to delete the message from the inboxes of both users.

vii. Subscriber and Billing Information: Twitter collects and maintains (typically unverified) identifying information about each subscriber, including, for example, name, username, address, telephone number, and alternate email addresses.
Twitter also maintains records concerning the date on which the account was created, the Internet protocol ("IP") address of the user at the time of account creation, the current status of the account (e.g., active or closed), the length of service, and the types of services used by the subscriber. Additionally, for paying subscribers, Twitter maintains records of the subscriber's means and source of payment, including any credit card or bank account number.

viii. Search Information: Twitter includes a search function that enables its users to search all public tweets for keywords, usernames, or subject, among other things. A user may save up to 25 past searches.

ix. Third-Party Information: Users can connect their accounts to third-party websites and applications, which may grant these websites and applications access to the users' public profiles with Twitter.

x. Transactional Information: Twitter also typically retains certain transactional information about the use of each account on its system. This information can include records of login (i.e., session) times and durations and the methods used to connect to the account (such as logging into the account through Twitter's website).

xi. Customer Correspondence: Twitter also typically maintains records of any customer service contacts with or about the subscriber, including any inquiries or complaints concerning the subscriber's account.

xii. Preserved Records: Twitter also maintains preserved copies of the foregoing categories of records with respect to an account, for at least 90 days, upon receiving a preservation request from the Government pursuant to 18 U.S.C. § 2703(f).

Information About Buffer

c. Buffer provides a software application that can be used through an Internet browser on a computer or a mobile device.

d.
Buffer's application allows users of various social media applications to schedule their posts at various times. Buffer works with several different social media applications, including Twitter, Facebook, WordPress (an online blogging platform offered by Automattic, see infra ¶ 6(g)-(k)), and Google+ (a social media application offered by Google, see infra ¶ 6(cc)). For example, using Buffer, a user could draft a Tweet one day, but arrange for it not to publicly post on the user's Twitter page until a later date.

e. The number of posts that can be scheduled at any given time depends on the type of plan the user has purchased from Buffer. In the case of Buffer's free plan, a user can schedule up to 10 posts at once, while Buffer's "Pro" plan allows for scheduling up to 100 posts at once.

f. I believe that the information available from Buffer may include, among other things:

i. Scheduled Social Media Posts: Messages that were scheduled to be posted on various social media applications through Buffer's scheduling feature should be stored on Buffer's servers.

ii. Subscriber and Billing Information: Buffer usually collects and maintains (typically unverified) identifying information about each subscriber, including, for example, name, username, address, telephone number, and alternate email addresses. Buffer also maintains records concerning the date on which the account was created, the IP address of the user at the time of account creation, the current status of the account (e.g., active or closed), the length of service, and the types of services used by the subscriber. Additionally, for paying subscribers, Buffer maintains records of the subscriber's means and source of payment, including any credit card or bank account number.

iii.
Transactional Information: Buffer also typically retains certain transactional information about the use of each account on its system. This information can include records of login (i.e., session) times and durations and the methods used to connect to the account (such as logging into the account through Buffer's websites).

iv. Cookie Data: Buffer also typically maintains records of "cookies" used by Buffer to track information about the user of an account, including, for example, websites visited.

v. Customer Correspondence: Buffer also typically maintains records of any customer service contacts with or about the subscriber, including any inquiries or complaints concerning the subscriber's account.

Information About Automattic

g. Automattic is a web development corporation that owns and operates WordPress.com, a free-access open source online publishing and social networking website called WordPress.com, which can be accessed at https://www.wordpress.com ("WordPress"). WordPress allows its users to start a blog or build a website. A user can select the free basic service or pay for upgrades with advanced features such as domain hosting and extra storage. WordPress users can post content to their site, including messages, photographs, videos, and links to other websites. Some content may be geotagged. In addition, other users can comment on a blog entry that is posted on a WordPress site.

h. WordPress can be accessed through an Internet browser operating on a computer or a mobile device.

i. Automattic typically retains the following records with respect to a particular WordPress account:

i. Subscriber Information: Automattic retains records showing, among other things, the username, email address, name, and telephone number associated with the account.

ii.
Billing Information: Automattic also maintains routine records related to billing.

iii. Transactional Information: Automattic usually retains log data, which may include the user's IP address, browser type, and operating system.

iv. Site Creation, Posting, and Revision History Information: Automattic maintains activity information related to the creation of a site and posting or revising information on a site. This information can include the date and time at which the site was created, the IP address used to create the site or post information to the site, and posts, including deleted posts.

v. Comment Information: Automattic can also retain information about comments posted about an entry on a WordPress site until those comments are deleted by the site owner.

vi. Contact Information Associated with Domain Registration: If a user has registered a custom domain on WordPress (meaning that the domain name for the user's site would not reflect that it is a WordPress site), Automattic may have records of the contact information for the user. For example, the Schulte WordPress Site-3 appears as "presumptionofinnocence.net," and thus does not reflect the WordPress domain, "wordpress.com."

j. WordPress also can provide the content of information associated with a given website or blog. In addition to the documents described above, that may include additional functionality added to the website or blog by its owner in the form of software known as widgets or plugins. It may also include a website or blog avatar or gravatar. An avatar is a picture associated with the owner of the website or blog; a gravatar is a Globally Recognized Avatar, from the website Gravatar.com or a plugin on WordPress, which differs from an avatar in that it follows a user from website to website. When a user leaves a comment on a website or posts to a blog that supports Gravatar, the user's gravatar is pulled from Gravatar servers and appears next to the user's comment. The Gravatar.com website attempts to appear in the user's language by detecting the language settings that are configured in the user's browser. From the Gravatar.com website, a user can manage all the images and email addresses assigned to a Gravatar.com profile. Gravatar.com images can be associated with email addresses. When creating a gravatar, the Gravatar.com service asks to which registered email the image should be applied, if any.

k. Gravatar.com is another website owned and operated by Automattic and provides free gravatar profiles. Automattic includes a gravatar profile in every WordPress account.

Information About Facebook

l. Facebook owns and operates a free-access, social-networking website of the same name that can be accessed at http://www.facebook.com. Facebook allows Internet users to establish accounts with Facebook, which they can use to share written news, photographs, videos, and other information with other Facebook users, and sometimes with the general public.

m. Facebook asks users to provide basic contact information to Facebook, either during the registration process or thereafter. This information may include the user's full name, birth date, contact email addresses, physical address (including city, state, and zip code), telephone numbers, screen names, websites, and other personal identifiers. Facebook also assigns a user identification number to each account.

n. Facebook users can select different levels of privacy for the communications and information associated with their Facebook accounts. By adjusting these privacy settings, a Facebook user can make information available only to himself or herself, to particular Facebook users, to all Facebook users, or to anyone with access to the Internet, including people who are not Facebook users. Facebook accounts also include other account settings that users can adjust to control, for example, the types of notifications they receive from Facebook.

o. Facebook users may join one or more groups or networks to connect and interact with other users who are members of the same group or network. A Facebook user can also connect directly with individual Facebook users by sending each user a "Friend Request." If the recipient of a "Friend Request" accepts the request, then the two users will become "Friends" for purposes of Facebook and can exchange communications or view information about each other. Each Facebook user's account includes a list of that user's "Friends" and a "Mini-Feed," which highlights information about the user's "Friends," such as profile changes, upcoming events, and birthdays.

p. Facebook users can create profiles that include photographs, lists of personal interests, and other information. Facebook users can also post "status" updates about their whereabouts and actions, as well as links to videos, photographs, articles, and other items available elsewhere on the Internet. Facebook users can also post information about upcoming "events," such as social occasions, by listing the event's time, location, host, and guest list. A particular user's profile page also includes a "Wall," which is a space where the user and his or her "Friends" can post messages, attachments, and links that will typically be visible to anyone who can view the user's profile.

q. Facebook has a Photos application, where users can upload an unlimited number of albums and photos. Another feature of the Photos application is the ability to "tag" (i.e., label) other Facebook users in a photo or video. When a user is tagged in a photo or video, he or she receives a notification of the tag and a link to see the photo or video. For Facebook's purposes, a user's "Photoprint" includes all photos uploaded by that user that have not been deleted, as well as all photos uploaded by anyone else that have that user tagged in them.

r. Facebook users can exchange private messages on Facebook with other users. These messages, which are similar to email messages, are sent to the recipient's "Inbox" on Facebook, which also stores copies of messages sent by the recipient, as well as other information. Facebook users can also post comments on the Facebook profiles of other users or on their own profiles; such comments are typically associated with a specific posting or item on the profile.

s. Facebook Notes is a blogging feature available to Facebook users, and it enables users to write and post notes or personal web logs ("blogs"), or to import their blogs from other services, such as Xanga, LiveJournal, and Blogger.

t. The Facebook Gifts feature allows users to send virtual "gifts" to their friends that appear as icons on the recipient's profile page. Gifts cost money to purchase, and a personalized message can be attached to each gift. Facebook users can also send each other "pokes," which are free and simply result in a notification to the recipient that he or she has been "poked" by the sender.

u. Facebook also has a Marketplace feature, which allows users to post free classified ads. Users can post items for sale, housing, jobs, and other items on the Marketplace.

v. In addition to the applications described above, Facebook also provides its users with access to thousands of other applications on the Facebook platform. When a Facebook user accesses or uses one of these applications, an update about that user's access or use of that application may appear on the user's profile page.

w. Facebook uses the term "Neoprint" to describe an expanded view of a given user profile. The "Neoprint" for a given user can include the following information from the user's profile: profile contact information; Mini-Feed information; status updates; links to videos, photographs, articles, and other items; Notes; Wall postings; friend lists, including the friends' Facebook user identification numbers; groups and networks of which the user is a member, including the groups' Facebook group identification numbers; future and past event postings; rejected "Friend" requests; comments; gifts; pokes; tags; and information about the user's access and use of Facebook applications.

x. Facebook also retains IP logs for a given user ID or IP address. These logs may contain information about the actions taken by the user ID or IP address on Facebook, including information about the type of action, the date and time of the action, and the user ID and IP address associated with the action. For example, if a user views a Facebook profile, that user's IP log would reflect the fact that the user viewed the profile, and would show when and from what IP address the user did so.

y. Social networking providers like Facebook typically retain additional information about their users' accounts, such as information about the length of service (including start date), the types of service used, and the means and source of any payments associated with the service (including any credit card or bank account number). In some cases, Facebook users may communicate directly with Facebook about issues relating to their account, such as technical problems, billing inquiries, or complaints from other users. Social networking providers like Facebook typically retain records about such communications, including records of contacts between the user and the provider's support services, as well as records of any actions taken by the provider or user as a result of the communications.

z. Facebook typically maintains preserved copies of the foregoing categories of records with respect to an account, for at least 90 days, upon receiving a preservation request from the Government pursuant to Section 2703(f).

Information About Microsoft and Google

aa. Microsoft and Google (together the "Email Providers") offer email services to the public. In particular, Microsoft allows subscribers to maintain email accounts under, among others, the domain name "outlook.com" while Google allows subscribers to maintain email accounts under the domain name "gmail.com." A subscriber using the Email Providers' services can access his or her email account from any computer connected to the Internet.

bb. In addition, Google offers an online social media service. Specifically, Google allows subscribers to maintain "Google+" accounts. Through his or her Google+ account, a user can create a profile page, which contains (generally unverified) background information about the user. Among other services, a Google+ user can upload content to his or her account through posting. In addition, Google+ allows subscribers to create "circles," which are groups of contacts that the subscriber creates and organizes. The subscriber can disseminate private content to particular circles.

cc.
The information available from the Email Providers may include the following:

i. Email Contents: In general, any email (which can include attachments such as documents, images, and videos) sent to or from a subscriber's account, or stored in draft form in the account, is maintained on the Email Providers' servers unless and until the subscriber deletes the email. If the subscriber does not delete the email, it can remain on the Email Providers' computers indefinitely. Even if the subscriber deletes the email, it may continue to be available on the Email Providers' servers for a certain period of time.

ii. Address Book: The Email Providers also allow subscribers to maintain the equivalent of an address book, comprising email addresses and other contact information of other email users.

iii. Subscriber and Billing Information: The Email Providers collect and maintain (typically unverified) identifying information about each subscriber, including, for example, name, username, address, telephone number, and alternate email addresses. The Email Providers also maintain records concerning the date on which the account was created, the IP address of the user at the time of account creation, the current status of the account (e.g., active or closed), the length of service, and the types of services used by the subscriber. Additionally, for paying subscribers, the Email Providers maintain records of the subscriber's means and source of payment, including any credit card or bank account number.

iv. Transactional Information: The Email Providers also typically retain certain transactional information about the use of each account on its system. This information can include records of login (i.e., session) times and durations and the methods used to connect to the account (such as logging into the account through the Email Providers' websites).

v.
Search History: The Email Providers also typically record searches done by a user of an account through their search engines. vi. Cookie Data: The Email Providers also typically maintaiu records of g, for example, "cookies" that they use to track information about the user of an account, includin websites visited. vii. Customer Correspondence: The Email Providers also typically maintain g any inquiries or records of any customer service contacts with or about the subscriber, includiu complaints concerning the subscriber's account. 17 2018-10-24 JAS_021361 Case 1:17-cr-00548-PAC Document 98-11 Filed 06/18/19 Page 19 of 46 viii. Google Drive Content: Google provides users with a certain amount of Drive" (users can free "cloud" storage, currently 15 gigabytes, through a service called "Google purchase enhanced purchase a storage plan through Google to store additional content). Users can to store email, storage capacity fur an additional monthly fee. Users can use their Google Drive attachments, videos, photographs, documents, and other content "in the cloud," i e., online. A user through any can access content stored on Google Drive by logging into his or her Google account files stored on computer or other electronic device connected to the Internet. Users can also sharn Google Drive with others, allowing them to view, comment, and/or edit the files. ix. Google Docs: Google provides users with the ability to write, edit, and collaborate on various documents with other Google users through a service called "Google Docs." saved to the user's Users can use Google Docs to create online documents that can be stored on or Google Drive. x. Google Photos: Google provides users with a certain amount of free storage for photographs, through a service called Google Photos, which allows users to manually videos taken by store photographs and videos, and which automatically uploads photographs and s information registered mobile devices. 
Google also retains the metadata--or data that provides information about the data in question, such as the time and date of creation, the author or creator, the means of its creation, the purpose of the data, among other data--for photos and videos uploaded to Google, including to Google Photos. This metadata includes what is known as exchangeable image file format (or "Exif") data, and can include GPS location information for where a photo or video was taken.

xi. Google Calendar: Google provides users with an online calendar, in which they can add appointments, events, and reminders, that is synchronized across registered computers and mobile devices. Users can share their calendars with other users, allowing the maintenance of joint calendars.

xii. Google Chats and Google Hangouts Content: Google allows subscribers to engage in "chat" sessions in an instant-messaging format with other Google users, the transcripts of which are generally stored in a user's email content. Similarly, Google allows users to engage in enhanced chat sessions, called Hangouts, which permit the sharing of additional content such as videos, sounds, and images. In general, Hangouts content is stored separately from a user's email and chat content.

xiii. Location History Data: Google maintains recent location data, collected periodically, from mobile devices that are logged into or have used applications (or "apps") or services provided by Google. For example, Google collects information collected from GPS, WiFi networks, cell site locations, and mobile networks to estimate a user's location. Google apps and services also allow for location reporting, which allows Google to periodically store and use a device's most recent location data in connection with a Google account.

xiv.
Google Payments: Google allows for the storage of payment information associated with a Google account, including credit cards and bank accounts, and contains information about all transactions made with a Google account, allowing for the payment for goods (such as those purchased through Google Shopping) and bills, among other features.

xv. Google+: Google hosts an Internet-based social network. Among other things, users can post photos and status updates and group different types of relationships (rather than simply "friends") into Circles. In addition, Google has a service called PlusOne, in which Google recommends links and posts that may be of interest to the account, based in part on accounts in the user's Circle having previously clicked "+1" next to the post. PlusOne information therefore provides information about the user of a given account, based on activity by other individuals the user has entered in the user's Circle.

xvi. Google Voice: Google provides a telephone service that provides call forwarding and voicemail services, voice and text messaging.

xvii. Preserved Records: The Email Providers also maintain preserved copies of the foregoing categories of records with respect to an account, for at least 90 days, upon receiving a preservation request from the Government pursuant to Section 2703(f).

D. Jurisdiction and Authority to Issue the Warrant

7. Pursuant to Section 2703(a), (b)(1)(A) & (c)(1)(A), the Government may require a provider of an electronic communications service or a remote computing service, such as Google, to disclose all stored content and all non-content records or other information pertaining to a subscriber, by obtaining a warrant issued using the procedures described in the Federal Rules of Criminal Procedure.

8.
A search warrant under Section 2703 may be issued by "any district court of the United States (including a magistrate judge of such a court)" that "has jurisdiction over the offense being investigated." 18 U.S.C. § 2711(3)(A)(i).

9. When the Government obtains records under Section 2703 pursuant to a search warrant, the Government is not required to notify the subscriber of the existence of the warrant. Id. § 2703(a), (b)(1)(A), (c)(2) & (3). Additionally, the Government may obtain an order precluding the Provider from notifying the subscriber or any other person of the warrant, for such period as the Court deems appropriate, where there is reason to believe that such notification will seriously jeopardize an investigation. Id. § 2705(b).

II. Facts Establishing Probable Cause

A. Overview

10. As described in further detail below, through this application, the Government seeks a warrant related to the Target Accounts because they appear to be the facilities through which Joshua Adam Schulte--a former employee of the Central Intelligence Agency ("CIA") charged with, among other things, dissemination of classified information and possession of child pornography--has conducted or intends to conduct an "information war" against the United States from the Metropolitan Correctional Center ("MCC") by disclosing classified information and other sensitive information protected by a protective order, and by publishing false exculpatory information in an effort to defend against the crimes of which Schulte has been charged.

11. On October 3, 2018, law enforcement officers searched the MCC pursuant to a search warrant signed by the Court on October 2, 2018 (the "MCC Search Warrant").
The MCC Search Warrant and underlying affidavit are attached to this application as Exhibit A and are incorporated by reference, including the defined terms identified therein. During that search, the officers reviewed documents from Schulte's cell (the "Schulte Cell Documents"), which showed that Schulte intended to engage in a systematic disclosure of protected information to, among others, the media.[2] The Target Accounts--which were identified through the review of the Schulte Cell Documents, as well as emails Schulte sent and received through three encrypted email accounts ("Encrypted Account-1," "Encrypted Account-2," "Encrypted Account-3," and together the "Encrypted Accounts")--are social media and email accounts that Schulte appears to intend to use (or has used) to facilitate his disclosure efforts.

[2] The Schulte Cell Documents were first reviewed by a wall team pursuant to a procedure set forth in another search warrant executed on October 3, 2018.

12. Thus, as described in more detail below, there is probable cause to believe that the Target Accounts contain evidence of the Subject Offenses, including, among other things, evidence of Schulte's unlawful dissemination to third parties (including the press) of classified information and material subject to a protective order, and evidence of Schulte's public disclosure of such protected information on publicly available Internet pages, where it could be accessed by anyone.

B. Schulte's "Information War"

13. On October 3, 2018, I and other law enforcement officers executed the MCC Search Warrant. Prior to the search, MCC officials had removed the Schulte Cell Documents, among other things, from Schulte's former cell and stored them in an official office at the MCC.

14.
Based on my training and experience, my participation in this investigation and others, my conversations with other law enforcement agents and others, and my review of records provided in response to grand jury subpoenas and the Schulte Cell Documents, I have learned, among other things, the following:

a. The Schulte Cell Documents contain, among other things, documents that Schulte appeared to be preparing for public dissemination, including:

i. Various versions of "articles" or "chapters," in which Schulte wrote about his experience in prison and his views with respect to the prosecution against him. The FBI found versions of 10 of these articles (the "Schulte Articles") through other sources as well, including from members of Schulte's family to whom Schulte gave the Articles for purposes of dissemination. Some of the versions of the Schulte Articles that have been recovered (including versions Schulte sent to his cousin for public dissemination) contain classified information.

ii. Drafts of a "press release" in which Schulte accused the FBI of engaging in terrorism and declared his candidacy for Congress (the "Press Release").

iii. A document that appears to be an article for release by WikiLeaks.org ("WikiLeaks"), in which a purported FBI "whistleblower" claimed to have provided the discovery in this case to WikiLeaks and that the FBI had planted evidence of child pornography on Schulte's computer to frame him (the "Fake FBI Document").

iv.
Drafts of a tweet (the "Fake CIA Tweet") that appear to have been drafted around August 30, 2018,[3] in which Schulte--pretending to be a former CIA colleague--claimed that two other former CIA colleagues, both of whom Schulte referred to by full name and one of whom he described as the "Peter Strzok of the CIA," had "set up" Schulte and used him as a "scapegoat" for "Vault 7," which is the name of WikiLeaks serial disclosures of CIA material that began on or about March 7, 2017 and which forms the basis of some of the current charges against Schulte. On the following page of the Schulte Cell Documents appears the text "Just to authenticate me fast" followed by other apparent draft tweets that discussed the CIA's alleged activities and methods, some of which appear to be classified (the "Fake Authentication Tweets").[4] I believe that Schulte planned to potentially publish the Fake Authentication Tweet before the Fake CIA Tweet in an effort to purportedly verify the author's employment with the CIA and knowledge of the information in the Fake CIA Tweet.

v. Drafts of Facebook posts (the "Facebook Posts") in which Schulte--posing as one or more of his friends--claimed that the FBI had "openly banned and burned" his writings, and that, as a result of this alleged harassment, Schulte's Facebook page would be managed by his friends going forward, rather than his family, in order to relieve "pressure" on his family.

[3] Not all of the entries in the Schulte Cell Documents have readily apparent dates.

[4] It is unclear from the Schulte Cell Documents whether the Fake Authentication Tweets were meant to be a single tweet with the Fake CIA Tweet or separate tweets that were to be published along with the Fake CIA Tweet.

b.
The Schulte Cell Documents also show that Schulte was planning to send discovery in this case and potentially classified information to third parties, including by using encrypted email accounts and some of the Target Accounts. For example, Schulte wrote:

i. "If govt doesn't pay me $50 billion in restitution & prosecute the criminals who lied to the judge and presented this BS case then I will visit every country in the world and bear witness to the treachery ... that is the USG [United States Government]. I will look to breakup diplomatic relationships, close embassies, and U.S. occupation around the world & finally reverse U.S. jingoism. If this one the way the U.S. govt treats one of their own, how do you think they treat allies?"

ii. "I NEED my discovery to be released to the public. I NEED my articles to be updated."

iii. "Maybe get discovery leaked and articles updated then give all my stuff to [defense counsel] and leave for VA."

iv. "Unable to copy over discovery to DVD. Went to law library, used laptop of Cheeno + Sardy; Laptop unable to write to DVD, drive, etc. MY laptop unable to read DVD. So, laptop that can read the DVD can't write to it & laptop that could write to it, can't read from it. Connect to wifi hotspot? VM?" I believe that here, Schulte is discussing his inability to use an MCC laptop to copy his discovery to a DVD, and the possibility of transferring that discovery instead by connecting one of the laptops to the Internet through a wireless network.

v. A notation that appears to indicate that Schulte intended to post the Fake CIA Tweet on the Schulte Twitter Account.

vi. What appears to be a "to-do" list dated September 12, 2018, in which Schulte wrote that on September 17 and 18, he would "DL Disc. UL WL," and that on September 19, 20, and 21, he would "schedule tweets[.]" I believe that here, "DL Disc.
UL WL" means that Schulte planned to download his discovery ("DL Disc.") from the Schulte Laptop and upload that discovery to WikiLeaks ("UL WL"). As noted above, in another place in the Schulte Cell Documents, Schulte drafted the Fake FBI Document, a purported statement by a supposed FBI "whistleblower" who provided Schulte's discovery to WikiLeaks and claimed that the FBI had planted evidence of child pornography on Schulte's computer. See supra ¶ 14(a)(iii). I further believe that "schedule tweets" means that Schulte intended to schedule tweets, including the Fake CIA Tweet, using the Schulte Buffer Account, which, as described above, would allow him to time the disclosure of the tweets through the Schulte Twitter Account, see supra ¶ 6(c)-(f).

vii. "I thought I convinced him [Schulte's father] to setup a protonmail email acct for me to upload the articles," which is potentially a reference to the Schulte Articles.

viii. "Create new protonmail: presumedguilty@protonmail.com ... migrate wordpress to protonmail."

ix. "The way is clear. I will set up a wordpress of [the Schulte WordPress Site-1] and presumptionofinnocense.wordpress.com[5] From here, I will stage my information war: ... The presumption of innocence blog will contain my 10 articles ...."

x. "Yesterday I started cleansing the phone & in the process setup a new protonmail which I transferred the wordpress too [sic]." I believe that when Schulte wrote that he had "started cleansing the phone," he was referring to his efforts to delete data and/or encrypt one of the Contraband Cellphones that he used at the MCC, discussed in more detail below.

[5] "Presumptionofinnocence.wordpress.com" and the "presumption of innocence blog" appear to be references to Schulte WordPress Site-3, which at the website "presumptionofinnocence.net."

xi. "Facebook I will rename, simply 'Who is John Galt?' or 'Who is Josh Schulte?'
From FB, I will post links to the articles and the blogs as I write them. The presumption of innocence blog will only contain my 10 articles 1-10, ending on the presumption of innocence. I will post each of them on the FB & delete the previous articles. From my blog, I will write about my time, etc." Here, I believe that Schulte was referencing his plans to publish his articles, including the Schulte Articles, on the Schulte Facebook Page.

xii. In an entry that appears to be dated September 11, 2018, Schulte appeared to indicate that he planned to "update Facebook" (which I believe is a reference to the Schulte Facebook Page) by "chang[ing] password," "delet[ing] articles," and "chang[ing] name[.]" The entry also seemed to indicate that--as part of his updating of the Schulte Facebook Page--Schulte also intended to upload to the account the Facebook Posts, in which he falsely claimed that the FBI was "burn[ing]" his writings, see supra ¶ 14(a)(v).

xiii. An entry, which appears to be dated September 17, 2018, in which Schulte wrote, "I posted the FB thing ... on the John Galt page & changed the pw. We'll see what happens! Maybe a little interest? In a week I'm going to dump all my stuff." I believe that here, Schulte is confirming that he had updated the Schulte Facebook Page in the manner described in Paragraph [] of this affidavit. Schulte also wrote in this entry, "My articles I'm working through with Joel. He edited articles 1&2; Hopefully I can perfect them soon. Ideally for release on the 25th but maybe not?" Here, I believe that Schulte is indicating that he hopes to publicly disseminate his articles (potentially on the Schulte Facebook Page) on September 25, 2018, Schulte's birthday this year.

C. Schulte's Transfer of Data Out of the MCC

15.
As described in more detail in the MCC Search Warrant, a confidential source (the "CS")[6] has described to the FBI, in substance and in part, how, among other things, Schulte and another inmate, Omar Amanat, used cellphones smuggled into the MCC (the "Contraband Cellphones") to, among other things, communicate with people outside of the MCC and to help prepare a "report" for Amanat to submit in connection with his sentencing proceeding.[7] See Ex. A at pp. 9-18. The CS further reported, in substance and in part, that the CS had been able to take screenshots of the Contraband Cellphones.

[6] The CS is facing immigration and narcotics trafficking charges, and is cooperating in the hope of receiving a cooperation agreement with the Government, a more lenient sentence, and potential immigration benefits. As described in this affidavit and in the MCC Search Warrant, information provided by the CS has been at least partly corroborated by, among other things, seizure of at least one contraband cellphone and documentary evidence, including emails.

16. Based on my training, experience, and participation in this investigation, I know that inmate phone calls and emails at federal detention facilities, like the MCC, are recorded. Thus, inmates at times attempt to smuggle contraband electronic devices into the MCC, such as the Contraband Cellphones, in order to covertly communicate with others while in prison. In addition, many cellphones can also be used as a WiFi hotspot, which means that other devices can connect to the Internet through a network created by the cellphone. I also know that inmates will use such electronic devices to access email and social media accounts, like the Target Accounts, that will allow them to communicate discreetly, including about criminal conduct. As a result, the fact that an email account is located on a Contraband Cellphone and used to send or receive
communications, on its own, demonstrates that the account likely contains communications evidencing crimes, including the Subject Offenses.

[7] As described in more detail in the MCC Search Warrant, the "report" appears to deal with emails that Amanat fabricated and sought to introduce into evidence during his trial before the Honorable Paul G. Gardephe.

17. Based on my training and experience, my participation in this investigation, my conversations with other law enforcement agents and others, and my review of, among other things, the Schulte Cell Documents, the screenshots taken of the Contraband Cellphones by the CS, responses to grand jury subpoenas, and emails in the Schulte Gmail Account-1 that were produced to the FBI pursuant to the Original Gmail Search Warrants and emails in the Encrypted Accounts that were reviewed pursuant to a search warrant, I have learned, among other things, that:

a. The CS took several screenshots of one of the Contraband Cellphones (the "Amanat Contraband Cellphone") engaging in electronic communications with a contact identified as "J." As discussed below, I believe the contact "J"--which is linked to a telephone number (the "806 Number") with an 806 area code (which covers Schulte's hometown of Lubbock, Texas, among other places)--is Schulte's Contraband Cellphone.

b. These screenshots appear to capture a conversation concerning work by "J," whom I believe to be Schulte, on a "report," including:

[Screenshot of a text-message conversation. Legible text: "Btw I can't access the report. Did you freeze it?" SUN 8:04 PM; +1806777 4841; "No"]

c. In these screenshots, I believe that Schulte ("J," texting in the gray bubbles) is instructing Amanat (texting in the blue bubbles) on how a third party could edit the "report" that
was shared with them through Google Docs, a document-sharing service provided by Google.

d. One of the screenshots taken by the CS depicts what appears to be the first page of a purported "expert" report in Schulte's name (the "Schulte Report"), which was apparently prepared in connection with Amanat's case:

[Screenshot of the report's first page; the title line is partly illegible. Legible text:] ... (PGG) for Omar Amanat. 1/29/2018. By: Joshua Schulte. I: Introduction. I am the founder and CEO of my own consulting firm. I was contacted and hired directly by Omar Amanat to provide an expert report in the matter of United States v. Kaleil Isaza Tuzman, et al. 15 Cr. 15 (PGG). I was retained post-verdict on 1/19/18 due to concerns of unusual and suspicious behavior on behalf of the FBI. Particularly; the expert testimony of Joel DeCapua.

e. Both the Schulte Cell Documents and one of the Encrypted Accounts contain a handwritten document that appears to be a draft of the Schulte Report. In this draft, Schulte claimed to be an expert in a number of topics on the basis of his CIA employment. Schulte opined that an FBI expert witness called at Amanat's trial had testified falsely about emails that Amanat had sought to introduce into evidence. As described in more detail in the MCC Search Warrant, during that trial, the Government introduced evidence that Amanat had fabricated those emails. See Ex. A at p. 9.

f. The 806 Number is a Google Voice number, which means, as described above, that it is linked to a specific Gmail account. Subscriber information for the 806 Number indicates that it is associated with the Schulte Gmail Account-1.

g. Based on my review of the contents of the Schulte Gmail Account-1 pursuant to the Original Gmail Search Warrants, I know that Google often captures communications with a
Google Voice number in the Gmail account, and produces them in response to a search warrant. For example, on or about March 7, 2017, the day that WikiLeaks first made public the CIA information, the Schulte Gmail Account-1 contained several texts between Schulte and others concerning the leak.

h. The Schulte Cell Documents also include handwritten documents (the "Location Documents") describing potential hidden locations on hard drives or other electronic storage devices in which a user can secretly store data ("Covert Partitions"). One of the ways to identify Covert Partitions is to identify slack space on a hard drive or storage device. Slack space is the unused space between partitions on the drive. The Location Documents appear to identify the sectors where slack space is available, i.e., the Covert Partitions, on a hard drive or storage device using the Windows operating system.[8]

i. Schulte also used Encrypted Account-1 to communicate with another email account (the "iCloud Account"). During one such communication in or about September 2018, Schulte requested that the individual using the iCloud Account purchase a specific electronic storage device (the "Device"). The Device is capable of transferring data from an electronic data location, such as a computer hard drive, to a cellphone, or vice versa. Based on my review of records obtained concerning the suspected user of the iCloud Account, I have learned, among other things, that the user of the iCloud Account arranged for the purchase of a piece of equipment with capabilities similar to those of the Device.

[8] On or about October 16, 2018, the Government obtained a search warrant to search two laptops used by Schulte since his detention to determine if, among other things, he had created or used any Covert Partitions to store data. That review is ongoing.

j.
On or about October 5, 2018, MCC officials recovered at least one of the Contraband Cellphones. The recovered Contraband Cellphone contained an "SD card," which is a device that is capable of storing data for transfer from one device to another. For example, an SD card can be used to transfer data from a laptop (like the discovery laptops housed at the MCC) to a cellphone (like the Contraband Cellphones).

k. Using Encrypted Account-1, Schulte also, among other things, sent a reporter ("Reporter-1") search warrant affidavits (the "Protected Affidavits") designated pursuant to the protective order in this case (see 17 Cr. 548 (PAC), Dkt. No. 11 (the "Protective Order")),[9] and at least one document containing classified information.

[9] On May 21, 2018, the Court held a conference at which it reminded Schulte of the terms of the Protective Order, including that Schulte could not share documents covered by the Protective Order with third parties, like reporters, who are not involved in his defense. Schulte acknowledged that he understood the terms of the Protective Order.

D. Schulte Creates the Target Accounts and Tries to Hide His Use of Them

18. Based on my training and experience, my participation in this investigation and others, my conversations with other law enforcement agents and others, and my review of, among other things, subscriber information for most of the Target Accounts,[10] I have learned, among other things, the following:

a. The Schulte Gmail Account-1 was created on or about April 5, 2006, and is subscribed in the name "Josh Schulte."

b. The Schulte Gmail Account-2 was created on or about April 15, 2018, and is subscribed in the name "John Galt."

[10] Grand jury subpoenas that call for production of the subscriber information for the Schulte Gmail Account-3 and the Schulte Outlook Account are pending.

c.
The Schulte Facebook Page was created on or about April 17, 2018, and is registered to Schulte Gmail Account-2.

d. The Schulte WordPress Accounts were created on or about August 14, 2018. The "username" of the account is "joshschulte1"; the "display name" is "Joshua Schulte"; and the email associated with the account is Encrypted Account-3.

e. The Schulte Twitter Account was created on or about September 1, 2018, and the email associated with the account is Encrypted Account-2. The last recorded activity in the Schulte Twitter Account occurred on or about October 2, 2018.

f. The Schulte Buffer Account was created on or about September 3, 2018, and was created by the user of Encrypted Account-2. The Schulte Buffer Account is also linked to the Schulte Twitter Account. The last recorded activity on the Schulte Buffer Account occurred on or about September 7, 2018.

19. Based on my training and experience, my participation in this investigation and others, my conversations with other law enforcement agents and others, and my review of, among other things, the Schulte Cell Documents, I have learned the following:

a. The Schulte Cell Documents include a page that appears to be dated August 21, 2018, and which seems to reflect a "to do" list for Schulte. That list includes the following items:

i. "Delete all Google Docs from johnsmith." There is a checkmark next to this entry.

ii. "Delete all emails from johnsmith." There is a checkmark next to this entry.

iii. "Delete suspicious emails from my gmail." The number next to this entry is circled, and is followed by what appears to be the following four sub-items:

1. "New logins from phones[;]"

2. "Paypal[;]"

3. "WordPress[;]" and

4. "PW changes[.]"

iv. "Create new protonmail: presumedguilty@protonmail.com." This entry has a checkmark next to it.

v. "Migrate wordpress to protonmail."
There is no checkmark next to this entry.

b. The following page contains what appears to be a list of, among other things, passwords for several email, social media, and encrypted messaging applications together with those accounts, including:

i. Two of the three Encrypted Accounts;

ii. The Schulte Twitter Account;

iii. The Schulte Gmail Account-2;

iv. The Schulte Gmail Account-3; and

v. The Schulte Outlook Account.

c. Based on my examination of these two pages, and my review of, among other things, the Schulte Cell Documents and the contents of the Encrypted Accounts, I believe that Schulte was planning how to evade detection, including by destroying incriminating evidence in accounts he used (e.g., "Delete suspicious emails from my gmail") and by transferring his work to a more secure, encrypted platform ("Migrate wordpress to protonmail"). Furthermore, I believe that--given the location of the page and the fact that, as described in further detail below, Schulte has used these accounts to transfer protected information, see infra ¶¶ 21-23--the list of accounts and passwords on the following page includes the accounts through which he potentially planned to disseminate his writings, including classified and otherwise protected information.

20. Based on my training and experience, my participation in this investigation, my conversations with other law enforcement agents and others, and my review of, among other things, the Schulte Cell Documents and the contents of the Encrypted Accounts, I have learned that emails in Encrypted Account-2 and Encrypted Account-3 appear to corroborate that Schulte was planning to use the Target Accounts to disseminate classified and sensitive information, including:

a. Encrypted Account-2 contained the following emails, among others:

i.
On or about September 1, 2018, Twitter sent an email to Encrypted Account-2 stating that the user needed to "confirm your email account to complete your Twitter account [the Schulte Twitter Account]." This appears to be a standard, automatic email from Twitter as part of the process of creating a Twitter account.

ii. Later that day, an email account associated with Twitter sent an email to Encrypted Account-2 indicating that the Schulte Twitter Account had been accessed from an IP address associated with a server in Moldova. This appears to be an automatic email from Twitter intended to alert a user that an unauthorized user might be trying to gain access to the user's Twitter account. A few hours later, Schulte, using Encrypted Account-2, sent an email back to Twitter claiming that he was not able to access the Schulte Twitter Account.

iii. On that same day--a day after the Schulte Twitter Account had purportedly been accessed from Moldova--an email account associated with Twitter sent two emails to Encrypted Account-2 indicating that the Schulte Twitter Account had been accessed from IP addresses associated with servers in France and Romania. The pattern of logins from different countries in a short time period described in this subparagraph and subparagraph 15(c)(ii) is consistent with a user masking his or her true location and identity when accessing the Internet.[11]

iv. Furthermore, on or about September 2, 2018, an email account associated with Buffer sent Encrypted Account-2 an email asking the user of the account to verify Encrypted Account-2. This was a standard, automatic email from Buffer indicating that a Buffer account linked to Encrypted Account-2 was either created or accessed that day. Records produced by Buffer in response to a grand jury subpoena show that the Schulte Buffer Account was created on or about September 3, 2018.

b.
Encrypted Account-3 contained the following emails, among others:

i. On or about August 22, 2018, an email account associated with Automattic sent an email to Encrypted Account-3 stating that the email account associated with the Schulte WordPress Site-1 had been changed from Schulte Gmail Account-1 to Encrypted Account-3. As noted above, in the Schulte Cell Documents, Schulte wrote that he intended to "migrate" one or more of the Schulte WordPress Accounts to ProtonMail, the service provider for the Encrypted Accounts. See supra ¶ 14(b)(viii).

ii. On or about September 25, 2018, an email account associated with Automattic sent an email to Encrypted Account-3 congratulating the user of Encrypted Account-3 on his or her first post on the Schulte WordPress Site-1. As noted above, in the Schulte Cell Documents, Schulte wrote that he wished to begin publicly disclosing his "articles" on September 25, 2018, which is his birthday. See supra ¶ 14(b)(iii).

[11] While Schulte was released on bail, he, or someone acting on his behalf, used The Onion Router ("TOR") to, according to Schulte's attorney, hide Schulte's Internet activity from the Government.

E. Schulte Begins to Disclose and Arrange to Disclose Protected Information

21. Based on my training, experience, and participation in this investigation, as well as my conversations with others, I know, among other things, in or about September 2018, Encrypted Account-1 contained, among other things, communications in or about September 2018 between Schulte--who was pretending to be a third party acting on Schulte's behalf--and Reporter-1. In those communications, Schulte told Reporter-1 that he would give Reporter-1 "information" on several topics if Reporter-1 published stories pursuant to a timeframe dictated by Schulte. For example, Schulte stated:

a. "If you can consent to an embargo on disclosure of the information for a limited time we would give you an exclusive to the information spanning several topics." Reporter-1 agreed to the embargo.

b. "We have decided to share with you an initial expose (depending on how the first one goes with you we will share up to 9 more) involving Russian Oligarchs business ties and wire transfers involving hundreds of millions of dollars to [a U.S. Official and the U.S. Official's associates]."

c. As discussed above, Schulte also sent Reporter-1 the Protected Affidavits and at least one document containing classified information. See supra ¶ 17(k).

22. Based on my training and experience, my participation in this investigation, my conversations with other law enforcement agents and others, and my review of the Schulte Cell Documents and information publicly available about the Target Accounts, I have learned, among other things, that Schulte has posted versions of parts of the Schulte Cell Documents on some of the Target Accounts already, including:[12]

a. On or about September 18, 2018, Schulte posted a version of the Facebook Posts, see supra ¶ 14(a)(v), on the Schulte Facebook Account. In this post, Schulte falsely claimed that the FBI had "burned" Schulte's writings.

b. On or about September 25, 2018, Schulte posted a version of the Press Release on the Schulte WordPress Site-1. In the post, Schulte claimed, among other things, that the FBI is a terrorist organization, and declared his intention to run for Congress.

c. On or about September 25, 2018, Schulte posted another post on the Schulte Facebook Account. In this post, Schulte (pretending to be someone else) wrote, among other things, that:

i. It was Schulte's 30th birthday.

ii. The purported writers of the post had "issued a press release on his [Schulte's] behalf." The purported writers then included a link to the Schulte WordPress Site-1.

iii. "Josh is finally able to speak out despite the government's attempt to silence him. He is coordinating with friends who are posting his writings in blog format."

iv. "What's next? Setup of Twitter and tweets via snailmail to Twitter." This message was followed by an image of a cartoon face crying from laughter.

d. On or about October 1, 2018, Schulte posted an "article" that appears in the Schulte Cell Documents on the Schulte WordPress Site-1. On the site, the "article" is entitled "Master of Whisperers," and in it, Schulte wrote, among other things:

[12] The posts described in this paragraph are undergoing a classification review by the CIA. It appears, however, that the versions of the posted documents described herein omit some of the classified information that was contained in other versions of these same documents.

i. "I now believe the government planted the CP after their search warrants turned up empty -- not only to save their jobs and investigation, but also to target and decimate my reputation considering my involvement in significant information operations and covert action." As noted above, in the Fake FBI Document in the Schulte Cell Documents, a purported FBI "whistleblower" claimed that the FBI had placed child pornography on Schulte's computer after its initial searches of the device were unsuccessful in recovering evidence. See supra ¶ 14(a)(iii).

ii. "So who's responsible for Vault 7?
The CIA's own version of the FBI's Peter Strzok and Lisa Page," As noted above, in the September Tweet in the Schulte Cell Documents, a purported former CIA colleague of Schulte (but who was in fact simply Schulte himself) claimed that two other CIA former colleagues, one of whom Schulte described as the "Peter Strzok of the CIA," had conspired to blame Schulte for Vault 7, WikiLeaks' disclosure of the CIA material. See supra ¶ 14(a)(iv).

e. On or about October 8, 2018, Schulte posted versions of nine of the Schulte Articles on the Schulte WordPress Site-2 and the Schulte WordPress Site-3[13] (the "October 8 WordPress Posts"). In one of the posted "articles," Schulte--while stating that his statements were not intended as a "threat"--wrote:

The United States government has a vital interest in safeguarding national security and especially the names of those who nsk [sic] their lives to spy on their own countries for the US. Does it seem like a good idea, then, to directly compromise and jeopardize these people? I don't think in the history of intelligence something so idiotic has even been done, but leave it to the US to be the first to do it. Let's take our own people worth billions of dollars of intelligence and let's illegally throw them in prison and start fucking with them until they are bankrupt and completely compromised and vulnerable. The United States government has done the job of a foreign adversary to exploit its own intelligence officers. Essentially, it's the same as taking a soldier in the military, handing him a rifle, and then begin beating him senseless to test his loyalty and see if you end up getting shot in the foot or not. It just isn't smart.

[13] As noted above, when a user accesses the Schulte WordPress Site-2, the user is redirected to the Schulte WordPress Site-3. Thus it appears that content posted on one of the sites may also be posted on the other site. See supra ¶ 3(c) n.1.

23. Based on my training and experience, my participation in this investigation, my conversations with other law enforcement agents and others, and my review of, among other things, the Schulte Cell Documents and publicly available information about the Providers and the Target Accounts, I believe that the foregoing facts show that Schulte appears to be scheduling the posting of excerpts of the Schulte Cell Documents and/or the Schulte Articles on the Target Accounts, such as the Fake FBI Document and the Fake CIA Tweet, including:

a. On or about October 2, 2018, MCC officials placed Schulte into a secure housing unit (the "SHU") within the MCC, which should have restricted his access to the Contraband Cellphones.

b. Nevertheless, the October 8 Postings still appeared on the Schulte WordPress Site-2 and the Schulte WordPress Site-3. As a result, it appears that Schulte arranged for the October 8 Postings either by asking another person to post them after or by using the WordPress feature that allows a user to schedule content to post at a later date himself to have the October 8 Postings posted. Either way, the timing of the October 8 Postings suggests that Schulte is scheduling the public disclosure of his writings through the Target Accounts.

c. The Fake CIA Tweet was drafted around August 30, 2018, days before the Schulte Twitter Account and the Schulte Buffer Account were created.

d. As described above, the Schulte Cell Documents contain a notation to "schedule Tweets" at a later date apparently on or about September 18 and September 20. See supra ¶ 14(b)(vi).

e. To date, Schulte does not appear to have publicly released any information through the Schulte Twitter Account. However, as discussed above, the Schulte Buffer Account allows Schulte to schedule the Schulte Twitter Account's future tweets.

f. Despite the fact that the Schulte Twitter Account does not appear to have publicly tweeted any messages between the date of its creation and October 2, 2018, the account was accessed more than 20 times, with the final login occurring on or about October 2.

g. I believe that the foregoing indicates that Schulte may have scheduled additional posts for public disclosure on the Schulte WordPress Sites, the Schulte Twitter Account, and the Schulte Facebook Page.

III. Evidence, Fruits and Instrumentalities in Target Accounts

24. Based on the foregoing, I respectfully submit that there is probable cause to believe that Schulte, through the use of the Contraband Cellphones and other prison contraband, has publicly disclosed material protected by the Schulte Protective Order (such as the Protected Affidavits) and classified information, and that he intends to disclose more such material. I also submit that there is probable cause to believe that Schulte was using this prison contraband to help Amanat submit a fraudulent "report" in Amanat's pending criminal proceeding. Furthermore, I submit that there is probable cause to believe that the Target Accounts appear to be at least some of the facilities through which Schulte has and intends to make his disclosures of protected information. Moreover, I submit that there is probable cause to believe that the Target Accounts will also contain evidence of potential child pornography offenses and obstruction of justice. In particular, Schulte has made certain allegations in the Schulte Cell Documents and on some of the Target Accounts with respect to the child pornography crimes with which he is charged, which constitute evidence of the charged offenses.
25. Based on the foregoing, I believe the Target Accounts are likely to contain, among other things, the following information:

a. Evidence of the identity(ies) of the user(s) of the Target Accounts, the Contraband Cellphones, and the Encrypted Accounts, as well as other coconspirators in contact with the Target Accounts, the Contraband Cellphones, and the Encrypted Accounts;

b. Evidence relating to the geolocation of the users of the Target Accounts, the Contraband Cellphones, and the Encrypted Accounts, at times relevant to the Subject Offenses;

c. Evidence relating to the participation in the Subject Offenses by the CS, Schulte, Amanat, and others using or in communication with the Target Accounts, the Contraband Cellphones, and the Encrypted Accounts;

d. Evidence concerning financial institutions and transactions used by the users of the Target Accounts, the Contraband Cellphones, and the Encrypted Accounts, in furtherance of the Subject Offenses;

e. Communications evidencing crimes, including the Subject Offenses;

f. Evidence of and relating to computers or other online accounts and facilities (such as additional email addresses) controlled or maintained by the user(s) of the Contraband Cellphones, the Encrypted Accounts, or the Target Accounts; and

g. Passwords or other information needed to access any such computers, accounts, or facilities.

26. Pursuant to 18 U.S.C. § 2703(g), the presence of a law enforcement officer is not required for service of a search warrant issued under Section 2703, or for the collection or production of responsive records. Accordingly, the warrants requested herein will be transmitted to the Providers, which will be directed to produce a digital copy of any responsive records to law enforcement personnel within three days from the date of service. Law enforcement personnel (including, in addition to law enforcement officers and agents, and depending on the nature of the electronically stored information and the status of the investigation and related proceedings, attorneys for the government, attorney support staff, agency personnel assisting the government in this investigation, and outside technical experts under government control) will retain the records and review them for evidence, fruits, and instrumentalities of the Subject Offenses as specified in Section III of Attachments A-1 and A-2 to the requested warrants, which shall not be transmitted to the Providers.

27. In conducting this review, law enforcement personnel may use various methods to locate evidence, fruits, and instrumentalities of the Subject Offenses, including but not limited to undertaking a cursory inspection of all content associated with the Target Accounts. This method is analogous to cursorily inspecting all the files in a file cabinet in an office to determine which paper evidence is subject to seizure. Although law enforcement personnel may use other methods as well, to the extent applicable, including keyword searches, I know that keyword searches and similar methods are typically inadequate to detect all information subject to seizure. As an initial matter, keyword searches work only for text data, yet many types of files commonly associated with emails, including attachments such as scanned documents, pictures, and videos, do not store data as searchable text. Moreover, even as to text data, keyword searches cannot be relied upon to capture all relevant communications in an account, as it is impossible to know in advance all of the unique words or phrases that investigative subjects will use in their communications, and consequently there are often many communications in an account that are relevant to an investigation but that do not contain any keywords that an agent is likely to search for.

IV. Request for Non-Disclosure and Sealing Order

28. The existence and scope of this ongoing criminal investigation are not publicly known. As a result, premature public disclosure of this Affidavit or the requested warrant could alert potential criminal targets that they are under investigation, causing them to destroy evidence, flee from prosecution, or otherwise seriously jeopardize the investigation. In particular, given that targets of the investigation are known to use computers and electronic communications in furtherance of their activity, the targets could easily delete, encrypt, or otherwise conceal such digital evidence from law enforcement were they to learn of the Government's investigation. Accordingly, there is reason to believe that, were the Provider to notify the subscriber(s) or others of the existence of the requested warrant, the investigation would be seriously jeopardized. Pursuant to 18 U.S.C. § 2705(b), I therefore respectfully request that the Court direct the Provider not to notify any person of the existence of the warrant for a period of 30 days from issuance, subject to extension upon application to the Court, if necessary.

29. For similar reasons, I respectfully request that this Affidavit and all papers submitted herewith be maintained under seal until the Court orders otherwise, except that the Government be permitted without further order of this Court to provide copies of the warrant and Affidavit as need be to personnel assisting it in the investigation and prosecution of this matter, and to disclose those materials as necessary to comply with discovery and disclosure obligations in any prosecutions related to this matter.

Special Agent Jeff D. Donaldson
Federal Bureau of Investigation

Sworn to before me this [illegible] day of October 2018

THE HONORABLE PAUL A. CROTTY
United States District Judge
Southern District of New York