Case 1:19-mc-00029-CRC Document 29-6 Filed 04/28/20 Page 1 of 38 AO 93 (Rev. 11/13) Search and Seizure Warrant UNITED STATES DISTRICT COURT for the District of Columbia In the Matter of the Search of ) (Briefly describe the property to be searched or identify the person by name and address) ) ) INFORMATION ASSOCIATED WITH VARIOUS APPLE ACCOUNTS ) ) ) Case: 1:18-sc-00662 Assigned To : Howell, Beryl A. Assign. Date : 3/14/2018 Description: Search & Seizure Warrant SEARCH AND SEIZURE WARRANT To: Any authorized law enforcement officer An application by a federal law enforcement officer or an attorney for the government requests the search of the following person or property located in the Northern District of California (identify the person or describe the property to be searched and give its location): See Attachment A. I find that the affidavit(s), or any recorded testimony, establish probable cause to search and seize the person or property described above, and that such search wi 11 reveal (identify the person or describe the property to be seized): See Attachment B. YOU ARE COMMANDED to execute this warrant on or before March 28, 2018 (not to exceed 14 days) ~ in the daytime 6:00 a.m. to 10:00 p.m. 0 at any time in the day or night because good cause has been established. Unless delayed notice is authorized below, you must give a copy of the warrant and a receipt for the property taken to the person from whom, or from whose premises, the property was taken, or leave the copy and receipt at the place where the property was taken. The officer executing this warrant, or an officer present during the execution of the warrant, must prepare an inventory as required by law and promptly return this warrant and inventory to Hon. Be I A. Howell (United States Magistrate Judge) 0 Pursuant to 18 U .S.C. § 3103a(b), I find that immediate notification may have an adverse result Iisted in 18 U .S.C. § 2705 (except for delay of trial), and authorize the officer executing this warrant to delay notice to the person who, or whose property, will be searched or seized (check the appropriate box) 0 for _ _ days (not to exceed 30) until, the facts justifying, the later specific date of • Date and time issued: ;:;/J f/ Z£J ;g a,;f ~ 'f_zf;n_ __~-----~t'/_•~-¼ -~---- Judge 's signature City and state: Washington, DC - -- - - - - - -- - - - Hon. Beryl A. Howell, Chief U.S. District Judge Printed name and title Case 1:19-mc-00029-CRC Document 29-6 Filed 04/28/20 Page 2 of 38 AO 93 (Rev. l J/13) Search and Seizure Warrant (Page 2) Return Case No.: Date and time warrant executed: Copy of warrant and inventory left with: Inventory made in the presence of: Inventory of the property taken and name of any person(s) seized: Certification I declare under penalty of perjury that this inventory is correct and was returned along with the original warrant to the designated judge. Date: Executing officer's signature Printed name and title Case 1:19-mc-00029-CRC Document 29-6 Filed 04/28/20 Page 3 of 38 ATTACHMENT A Property to be Searched This warrant applies to information associated with the following Apple Accounts: that is stored at premises owned, maintained, controlled, or operated by Apple, Inc., a business with offices located at 1 Infinite Loop, Cupertino, California 95014. 26 Case 1:19-mc-00029-CRC Document 29-6 Filed 04/28/20 Page 4 of 38 ATTACHMENT B Particular Things to be Seized I. Information to be disclosed by Apple To the extent that the information described in Attachment A is within the possession, custody, or control of Apple, including any messages, records, files, logs, or information that have been deleted but are still available to Apple, or have been preserved pursuant to a request made under 18 U.S.C. § 2703(f), Apple is required to disclose the following infonnation to the government, in unencrypted form whenever available, for each account or identifier listed in Attachment A: a. All records or other information regarding the identification of the account, to include full name, physical address, telephone numbers, email addresses (including primary, alternate, rescue, and notification email addresses, and verification information for each email address), the date on which the account was created, the length of service, the IP address used to register the account, account status, methods of connecting, and means and source of payment (including any credit or bank account numbers); b. All records or other information regarding the devices associated with, or used in connection with, the account (including all current and past trusted or authorized iOS devices and computers, and any devices used to access Apple services), including serial numbers, Unique Device Identifiers ("UDID"), Advertising Identifiers ("IDF A"), Global Unique Identifiers ("GUID"), Media Access Control ("MAC") addresses, Integrated Circuit Card ID numbers ("ICCID"), Electronic Serial Numbers ("ESN"), Mobile Electronic Identity Numbers ("MEIN"), 27 Case 1:19-mc-00029-CRC Document 29-6 Filed 04/28/20 Page 5 of 38 Mobile Equipment Identifiers ("MEID"), Mobile Identification Numbers ("MIN"), Subscriber Identity Modules ("SIM"), Mobile Subscriber Integrated Services Digital Network Numbers ("MSISDN"), International Mobile Subscriber Identities ("IMSI"), and International Mobile Station Equipment Identities ("IMEI"); c. The contents of all emails associated with the account, including stored or preserved copies of emails sent to and from the account (including all draft emails and deleted emails), the source and destination addresses associated with each email, the date and time at which each email was sent, the size and length of each email, and the true and accurate header information including the actual IP addresses of the sender and the recipient of the emails, and all attachments; d. The contents of all instant messages associated with the account, including stored or preserved copies of instant messages (including iMessages, SMS messages, and MMS messages) sent to and from the account (including all draft and deleted messages), the source and destination account or phone number associated with each instant message, the date and time at which each instant message was sent, the size and length of each instant message, the actual IP addresses of the sender and the recipient of each instant message, and the media, if any, attached to each instant message; ,. e. The contents of all files and other records stored on iCloud, including all iOS device backups, all Apple and third-party app data, all files and other records related to iCloud Mail, iCloud Photo Sharing, My Photo Stream, iCloud Photo Library, iCloud Drive, iWorks (including Pages, Numbers, and Keynote), iCloud Tabs, and iCloud Keychain, and all address 28 Case 1:19-mc-00029-CRC Document 29-6 Filed 04/28/20 Page 6 of 38 books, contact and buddy lists, notes, reminders, calendar entries, images, videos, voicemails, device settings, and bookmarks; f. All activity, connection, and transactional logs for the account (with associated IP addresses including source port numbers), including FaceTime call invitation logs, mail logs, iCloud logs, iTunes Store and App Store logs (including purchases, downloads, and updates of Apple and third-party apps), messaging and query logs (including iMessage, SMS, and MMS messages), My Apple ID and iForgot logs, sign-on logs for all Apple services, Game Center logs, Find my iPhone logs, logs associated with iOS device activation and upgrades, and logs associated with web-based access of Apple services (including all associated identifiers); g. All records and information regarding locations where the account was accessed, including all data stored in connection with Location Services; h. All records pertaining to the types of service used; 1. All records pertaining to communications between Apple and any person regarding the account, including contacts with support services and records of actions taken; and J. All files, keys, or other information necessary to decrypt any data produced in an encrypted form, when available to Apple (including, but not limited to, the keybag.txt and fileinfolist.txt files). 29 Case 1:19-mc-00029-CRC Document 29-6 Filed 04/28/20 Page 7 of 38 II. Information to be Seized by Law Enforcement Personnel a. Any and all records that relate in any way to the accounts described in Attachment A which consists of evidence, fruits, or instrumentalities of violations of 18 U.S.C.§ 1030 (fraud and related activities in connection with computers), 18 U.S.C. § 2 (aiding and abetting), and 18 U.S.C. § 371 (conspiracy to commit an offense against the United States), for the period January 2015 to the present, including: All records, information, documents or tangible materials that relate in any way to communications regarding hacking, release of hacked material, communications with persons or entities associated with WikiLeaks, including but not limited to Julian Assange; b. All images, messages, communications, calendar entries, search terms, and contacts, including any and all preparatory steps taken in furtherance of the abovelisted offenses; c. Communication, information, documentation and records relating to who created, used, or communicated with the account or identifier, including records about their identities and whereabouts; d. Evidence of the times the account was used; e. All images, messages and communications regarding w1pmg software, encryption or other methods to avoid detection by law enforcement; f. Passwords and encryption keys, and other access information that may be necessary to access the account and other associated accounts; g. Credit card and other financial information, including but not limited to, bills and payment records evidencing ownership of the subject account; h. All existing printouts from original storage which concern the categories identified in subsection II.A; and 1. All "address books" or other lists of contacts. 30 Case 1:19-mc-00029-CRC Document 29-6 Filed 04/28/20 Page 8 of 38 AO I 06 (Rev 04/10) App lication for a Search Warran t UNITED STATES DISTRICT COURT for the District of Columbia In the Matter of the Search of (Briefly de.rcrih the proper/JI rob.~ .1·eardred or idem ify 1h person by na111e ar,d address) INFORMATION ASSOCIATED WITH VARIOUS APPLE ACCOUNTS ) ) ) ) ) ) MAR f 4 2018 _Glerk, U.S. District & Bankruptcy Courts for the District of Columbia Case: 1: 18-sc-00662 Assigned To : Howell, Beryl A Assign. Date : 3/14/2018 Description: Search & Seizure Warrant APPLICATION FOR A SEARCH WARRANT I, a federal law enforcement officer or an attorney for the government, request a search warrant and state under penalty of perjury that I have reason to believe that on the following person or property (identify the person or describe the property to be searched and give its location): See Attachment A. located in the District of Northern - -- - - -- - person or describe the property to be seized): -- - --California - - ----- , there is now concealed (identify the See Attachment B. This warrant is sought pursuant to 18 U.S.C. §§ 2703(a), 2703(b)(1 )(A), and 2703(c)(1 )(A). The basis for the search under Fed. R. Crim. P. 4 l(c) is (check one or more): ref evidence of a crime; ref contraband, fruits of crime, or other items illegally possessed; rJ property designed for use, intended for use, or used in committing a crime; 0 a person to be arrested or a person who is unlawfully restrained. The search is related to a violation of: ode Section 18 U.S.C. §§ 2, 3, 4, 371, 1343 and 1349; and 52 U.S.C. § 30121(a)(1)(C) Offense Description Aiding & Abetting (§2); Accessory after the Fact (§3); Misprison of a Felony (§4); Conspiracy (§371 ); Computer Fraud (§1030); Wire Fraud (§1343); Attempt and Conspiracy to Commit Wire Fraud (§1349); and Foreign Expenditure Ban (§30121) The application is based on these facts: See attached Affidavit. ~ Continued on the attached sheet. 0 Delayed notice of days (give exact ending date if more than 30 days: under 18U.S.C.§3103a, the basis of which is set forth on the attached sheet. &-4 /44~ Reviewed by AUSA/SAUSA: !Aaron Zelinsky (ASC) ) is requested = Curtis Heide, Special Agent, FBI Printed name and title Sworn to before me and signed in my presence. Date: 3/14/2018 Judge 's signature City and state: Washington, D.C. Hon. Beryl A. Howell, Chief U.S. District Judge Printed name and title Case 1:19-mc-00029-CRC Document 29-6 Filed 04/28/20 Page 9 of 38 IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA IN THE MATTER OF THE SEARCH OF INFORMATION AS SOCIA TED WITH VARIO US APPLE ACCOUNTS MAR 14 2018 Clerk , -·-· ,, c: ..,,oo 1~+•/~• • a . v, a anM. t Court11 tor th ·District at·Col~~ik----- Case: 1: 18-sc-00662 Assigned To : Howell, Beryl A, Assign . Date : 3/14/2018 Description: Search & Seizure Warrant AFFIDAVIT IN SUPPORT OF AN APPLICATION FOR A SEARCH WARRANT I, Curtis Heide, being first duly sworn, hereby depose and state as follows: INTRODU TION AND AGENT BACKGROUND 1. I make this affidavit in support of an application for a search warrant for information associated with the following Apple Accounts: that is stored at premises owned, maintained, controlled, or operated by Apple, Inc., a business with offices located at llnfinite Loop, Cupertino, California 95014. The information to be disclosed by Apple and searched by the government is described in the following paragraphs and in Attachments A and B. This affidavit is made in support of an application for a search warrant. 2. I, Curtis A. Heide, have been a Special Agent with the Federal Bureau of investigation for 11 years. In the course of my duties, I have been responsible for investigating federal crimes and national security matters involving both counterintelligence and issues related to cybersecurity. 3. The facts in this affidavit come from my personal observations, my training and experience, and information obtained from other agents and witnesses. This affidavit is intended to show merely that there is sufficient probable cause for the requested warrant and does not set forth all of my knowledge about this matter. Case 1:19-mc-00029-CRC Document 29-6 Filed 04/28/20 Page 10 of 38 4. Based on my training and experience and the facts as set forth in this affidavit, ---- - - - -----there is-probable-Gause-t0-believe-that-the-T'-arget--Accounts--00ntain--eommunications relevant-to -- - --- - ---- violations of 18 U.S.C. § 2 (aiding and abetting), 18 U.S.C. § 3 (accessory after the fact), 18 U.S.C. § 4 (misprision of a felony), 18 U.S.C. § 371 (conspiracy),, 18 U.S.C. § 1030 (unauthorized access of a protected computer); 18 U.S.C. § 1343 (wire fraud), 18 U.S.C. § 1349 (attempt and conspiracy to commit wire fraud),, and 52 U.S.C. § 30121 (foreign contribution ban) (the "Subject Offenses"). 1 5. As set forth below, Roger STONE communicated directly via Twitter with WikiLeaks, Julian Assange, and Guccifer 2.0, a Twitter account used to disseminate hacked information. STONE, using his Account, also emailed instructions to Jerome CORSI to "Get to Assange" in person at the Ecuadorian Embassy and "get pending WikiLeaks emails[.]" CORSI emailed STONE back that it was "Time to let more than Podesta to be exposed" (before any of Podesta's emails were leaked). After Podesta's emails were leaked, CORSI emailed STONE "talking points" about Podesta. CORSI also emailed Stone to convey information "from a very trusted source" regarding Julian ASSANGE, WikiLeaks, and potential future disclosures. BANNON also sent text messages to STONE discussing potential upcoming leaks by ASSANGE. The Target Accounts are STONE's iCloud accounts, which are registered to the email accounts STONE used to communicate with CORSI. JURISDICTION 1 Federal law prohibits a foreign national from making, directly or indirectly, an expenditure or independent expenditure in connection with federal elections. 52 U.S.C. § 3012l(a)(l)(C); see also id. § 30101(9) & (17) (defining the terms "expenditure" and "independent expenditure"). 2 Case 1:19-mc-00029-CRC Document 29-6 Filed 04/28/20 Page 11 of 38 6. This Court has jurisdiction to issue the requested warrant because it is "a court of ------- ----c-0mpetent-jur-isdieti0n?2-as-de-fined--by-l--8--{:1.,.S"G,--§--2'.7-l--l--,-/da-§~-2-70J(aj,fbj(--1-)E-A0,&-(-G-)E-I-)(Aj. Specifically, the Court is "a district court of the United States (including a magistrate judge of such a court) ... that has jurisdiction over the offense being investigated." 18 U.S.C. § 271 l(J)(A)(i). The offense conduct included activities in Washington, D.C., as detailed below, including in paragraph 7. PROBABLE CAUSE A. U.S. Intelligence Community (USIC) Assessment of Russian Government-Backed Hacking Activity during the 2016 Presidential Election 7. On October 7, 2016, the U.S. Department of Homeland Security and Office of the Director of National Intelligence released a joint statement of an intelligence assessment of Russian activities and intentions during the 2016 presidential election. 2 In the report, the USIC assessed the following: 8. The U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations. The recent disclosures of alleged hacked e-mails on sites like DCLeaks.com and WikiLeaks and by the Guccifer 2.0 online persona are consistent with the methods and motivations of Russian-directed efforts. These thefts and disclosures are intended to interfere with the US election process. Such activity is not new to Moscow-the Russians have used similar tactics and techniques across Europe and Eurasia, for example, to 2 "Joint Statement from the Department Of Homeland Security and Office of the Director of National Intelligence on Election Security," Oct. 7, 20 I 6, available at ttps://www.dhs.gov/news/2016/10/07 /joint-statement-departmenthomeland-security-and-office-director-national. 3 Case 1:19-mc-00029-CRC Document 29-6 Filed 04/28/20 Page 12 of 38 influence public opinion there. We believe, based on the scope and sensitivity of these efforts, - -that-only Russia's senior-most officials could have authorized these activities 9. On January 6, 2017, the USIC released a declassified version of an intelligence assessment of Russian activities and intentions during the 2016 presidential election entitled, "Assessing Russian Activities and Intentions in Recent US Elections." 3 In the report, the USIC assessed the following: 10. [] Russian President Vladimir Putin ordered an influence campaign in 2016 aimed at the US presidential election. Russia's goals were to undermine public faith in the US democratic process, denigrate [former] Secretary [of State Hillary] Clinton, and harm her electability and potential presidency. We further assess Putin and the Russian Government developed a clear preference for President-elect Trump." 11. In its assessment, the USIC also described, at a high level, some of the techniques that the Russian government employed during its interference. The USIC summarized the efforts as a "Russian messaging strategy that blends covert intelligence operations-such as cyber activity-with overt efforts by Russian Government agencies, state-funded media, third-party intermediaries, and paid social media users or 'trolls."' 12. With respect to hacking activity, the USIC assessed: "Russia's intelligence services conducted cyber operations against targets associated with the 2016 US presidential election, including targets associated with both major US political parties." In addition, "In July 2015, Russian intelligence gained access to Democratic National Committee (DNC) networks and maintained that access until at least June 2016." The USIC further assessed that cyber 3 "Assessing Russian Activities and Intentions in Recent US Elections," Jan. 6, 2017, available at https://www.dni.gov/files/documents/ICA_2017 _ 0 l .pdf. 4 Case 1:19-mc-00029-CRC Document 29-6 Filed 04/28/20 Page 13 of 38 operations by Russian military intelligence (General Staff Main Intelligence Directorate or GRU) "resulted in the compromise of the personal e-mail accounts of Democratic Paiiy officials and political figures. By May, the GRU had exfiltrated large volumes of data from the DNC." 13. With respect to the release of stolen materials, the USIC assessed "with high confidence that the GRU used the Guccifer 2.0 persona, DCLeaks.com, and WikiLeaks to release US victim data obtained in cyber operations publicly and in exclusives to media outlets." 1. Guccifer 2.0, who claimed to be an independent Romanian hacker, made multiple contradictory statements and false claims about his likely Russian identity throughout the election. Press reporting suggests more than one person claiming to be Guccifer 2.0 interacted with j oumalists. A. Roger Stone's Disclosed Interactions with Guccifer 2.0 and WikiLeaks. 2. Roger Stone is a self-employed political strategist/consultant and has been actively involved in U.S. politics since 1975. Stone worked on the presidential campaign of Donald J. Trump (the "Campaign") until he was fired in August 2015. Although Stone had no official relationship with the Campaign thereafter, Stone maintained his support for Trump and continued to make media appearances in support of Trump's presidential campaign. 3. As discussed further below, Stone made a number of public references to WikiLeaks and its release of DNC-related emails. Stone has also stated that he was in contact via Twitter with Guccifer 2.0. 4. On June 14, 2016, news reports indicated that the computer systems of the DNC had been hacked. On June 15, 2016, Guccifer 2.0 publicly claimed responsibility for the DNC · hack. Shortly thereafter, Guccifer 2.0 began releasing the hacked documents, including a June, 21, 2016 release of hacked documents. 5 Case 1:19-mc-00029-CRC Document 29-6 Filed 04/28/20 Page 14 of 38 5. On July 22, 2016, WikiLeaks published approximately 20,000 emails stolen from the DNC. 6. On August 5, 2016, Roger Stone published an article on Breitbart.com entitled, "Dear Hillary: DNC Hack Solved, So Now Stop Blaming Russia." Stone wrote: "It doesn't seem to be the Russians that hacked the DNC, but instead a hacker who goes by the name of Guccifer 2.0." Stone embedded publicly available Tweets from Guccifer 2.0 in the article and wrote: "Here's Guccifer 2.0's website. Have a look and you'll see he explains who he is and why he did the hack of the DNC." Stone also stated: "Guccifer 2.0 made a fateful and wise decision. He went to WikiLeaks with the DNC files and the rest is history. Now the world would see for themselves how the Democrats had rigged the game." 7. On August 8, 2016, Stone addressed the Southwest Broward Republican Organization. During his speech, he was asked about a statement by WikiLeaks founder Julian Assange to Russia Today (RT) several days earlier about an upcoming "October Surprise" aimed at the Hillary Clinton presidential campaign. Specifically, Stone was asked: "With regard to the October surprise, what would be your forecast on that given what Julian Assange has intimated he's going to do?" Stone responded: "Well, it could be a number of things. I actually have communicated with Assange. I believe the next tranche of his documents pertain to the Clinton Foundation but there's no telling what the October surprise may be." A few days later, Stone clarified that while he was not personally in touch with Assange, he had a close friend who served as an intermediary. 8. On August 12, 2016, Guccifer 2.0 publicly tweeted: "@RogerJStoneJr thanks that u believe in the real #Guccifer2." That same day, Guccifer 2.0 released the personal cellphone 6 Case 1:19-mc-00029-CRC Document 29-6 Filed 04/28/20 Page 15 of 38 numbers and email addresses from the files of the Democratic Congressional Campaign Committee (DCCC). 9. On August 13, 2016, Stone posted a tweet using @RogerJStoneJr calling Guccifer 2.0 a "HERO" after Guccifer 2.0 had been banned from Twitter. The next day, Guccifer 2.0's Twitter account was reinstated. 10. On August 17, 2016, Guccifer 2.0 publicly tweeted, "@RogerJStoneJr paying you back." Guccifer also sent a private message to @RogerJStoneJr stating "i'm pleased to say u r great man. please tell me ifl can help u anyhow. it would be a great pleasure to me." 11. On August 18, 2016, Paul Manafort, Stone's longtime friend and associate, resigned as Chairman of the Campaign. Contemporary press reports at the time indicated that Manafort had working with a Washington D.C.-based lobbying firms to influence U.S. policy toward Ukraine. 12. On August 21, 2016, using @RogerJStoneJR, Stone directed a tweet at John Podesta, Hillary Clinton's presidential campaign manager, stating: "Trust me, it will soon the [sic] Podesta's time in the barrel. #CrookedHillary." In a C-SPAN interview that same day, Stone reiterated that because of the work of a "'mutual acquaintance' of both his and [Assange], the public [could] expect to see much more from the exiled whistleblower in the form of strategically-dumped Clinton email batches." He added: "Well, first of all, I think Julian Assange is a hero ... I think he's taking on the deep state, both Republican and Democrat. I believe that he is in possession of all of those emails that Huma Abedin and Cheryl Mills, the Clinton aides, believe they deleted. That and a lot more. These are like the Watergate tapes." 7 Case 1:19-mc-00029-CRC Document 29-6 Filed 04/28/20 Page 16 of 38 13. On September 16, 2016 Stone said in a radio interview with Boston Herald Radio that he expected WikiLeaks to "drop a payload of new documents on a weekly basis fairly soon. And that of course will answer the question of exactly what was erased on that email server." 14. On Saturday, October 1, 2016, using@RogerJStoneJr, Stone Tweeted, "Wednesday@ HillaryClinton is done. #WikiLeaks." 15. On Sunday, October 2, 2016, MSNBC Morning Joe producer Jesse Rodriquez tweeted regarding an announcement Julian Assange had scheduled for the next day from the balcony of the Ecuadoran Embassy in London. On the day of the Assange announcement which was part of WikiLeaks' 10-year anniversary celebration - Stone told Info wars that his inten,nediary described this release as the "mother load." On Tuesday, October 4, 2016, Stone used @RogerJStoneJr to tweet: "Payload coming. #Lockthemup." 16. On Friday, October 7, 2016, at approximately 4:03 P.M., the Washington Post published an article containing a recorded conversation from a 2005 Access Hollywood shoot in which Mr. Trump had made a series of lewd remarks. 17. Approximately a half hour later, at 4:32 P.M., WikiLeaks send a Tweet reading "RELEASE: The Podesta Emails #HillaryClinton #Podesta #imWithHer" and containing a link to approximately 2,050 emails that had been hacked from John Podesta's personal email account. 18. WikiLeaks continued to release John Podesta's hacked emails throughout October 10-21, 2016. On October 12, 2016, John Podesta- referring back to Stone's August 21, 2016 CSP AN and Twitter references - argued publicly that "[it is] a reasonable assumption to - or at least a reasonable conclusion - that [Stone] had advanced warning [of the release of his emails] and the Trump campaign had advanced warning about what Assange was going to do. I think there's at least a reasonable belief that [Assange] may have passed this information on to 8 Case 1:19-mc-00029-CRC Document 29-6 Filed 04/28/20 Page 17 of 38 [Stone]." Commenting to the Miami Herald, Stone responded: "I have never met or spoken with Assange, we have a mutual friend who ' s traveled to London several times, and everything I know is through that channel of communications. I'm not implying I have any influence with him or that I have advanced knowledge of the specifics of what he is going to do. I do believe he has all of the e-mails that Huma Abedin and Cheryl Mills, the Clinton aides, thought were deleted. I hear that through my emissary." 19. On March 27, 2017, CNN reported that a representative of WikiLeaks, writing from an email address associated with WikiLeaks, denied that there was any backchannel communication during the Campaign between Stone and WikiLeaks. The same article quoted Stone as stating: "Since I never communicated with WikiLeaks, I guess I must be innocent of charges I knew about the hacking of Podesta's email (speculation and conjecture) and the timing or scope of their subsequent disclosures. So I am clairvoyant or just a good guesser·because the limited things I did predict (Oct disclosures) all came true." B. Roger Stone's Private Twitter Direct Messages with WikiLeaks and Julian Assange. 20. On August 7, 2017, Chief Judge Beryl A. Howell issued a search warrant for the Twitter account @RogerJStoneJr. 21. On October 13, 2016, while WikiLeaks was in the midst ofreleasing the hacked Podesta emails, @RogerJStoneJr sent a private direct message to the Twitter account @wikileaks. This account is the official Twitter account of WikiLeaks and has been described as such by numerous news reports. The message read: "Since I was all over national TV, cable and print defending WikiLeaks and assange against the claim that you are Russian agents and debunking the false charges of sexual assault as trumped up bs you may want to rexamine the strategy of attacking me- cordially R." 9 Case 1:19-mc-00029-CRC Document 29-6 Filed 04/28/20 Page 18 of 38 22. Less than an hour later, @wikileaks responded by direct message: "We appreciate that. However, the false claims of association are being used by the democrats to undermine the impact of our publications. Don't go there if you don't want us to correct you." 23. On October 16, 2016, @RogerJStoneJr sent a direct message to @wikileaks: "Ha! The more you \"correct\" me the more people think you're lying. Your operation leaks like a sieve. You need to figure out who your friends are." 24. On November 9, 2016, one day after the presidential election, @wikileaks sent a direct message to @RogerJStoneJr containing a single word: "Happy?" @wikileaks immediately followed up with another message less than a minute later: "We are now more free to communicate." 25. In addition, @RogerJStoneJr also exchanged direct messages with Julian Assange, the founder of WikiLeaks. For example, on June 4, 2017, @RogerJStoneJr directly messaged @JulianAssange, an address associated with Julian Assange in numerous public reports, stating: "Still nonsense. As a journalist it doesn't matter where you get information only that it is accurate and authentic. The New York Times printed the Pentagon Papers which were indisputably stolen from the government and the courts ruled it was legal to do so and refused to issu~ an order restraining the paper from publishing additional articles. If the US government moves on you I will bring down the entire house of cards. With the trumped-up sexual assault charges dropped I don't know of any crime you need to be pardoned for - best regards. R." That same day, @JulianAssange responded: "Between CIA and DoJ they're doing quite a lot. On the DoJ side that's coming most strongly from those obsessed with taking down Trump trying to squeeze us into a deal." 10 Case 1:19-mc-00029-CRC Document 29-6 Filed 04/28/20 Page 19 of 38 26. On Saturday, June 10, 2017, @RogerJStoneJr sent a direct message to @wikileaks, reading: "I am doing everything possible to address the issues at the highest level of Government. Fed treatment of you and WikiLeaks is an outrage. Must be circumspect in this forum as experience demonstrates it is monitored. Best regards R." C. Roger Stone's Private Email and Text Messages Regarding WikiLeaks, Julian Assange, Russia, and John Podesta 27. On September 11, 2017, Chief Judge Beryl A. Howell of the District of Columbia issued a search warrant for STONE's address, . On October 17, 2017, Chief Judge Beryl A. Howell issued a search warrant for STONE's address, . Information recovered pursuant to those search warrant indicated the following: 28. On July 25, 2016, STONE sent an email from his Account to Jerome CORSI, an author and political commentator, with the subject line, "Get to Assange." The body of the message read: "Get to Assange [a]t Ecuadorian Embassy in London and get pending WikiLeaks emails ... they deal with Foundation, allegedly." 29. On or about August 2, 2016 (approximately 19 days before STONE publicly tweeted about "Podesta's time in the barrel"), CORSI emailed the Account, "Word is friend in embassy plans 2 more dumps. One shortly after I'm back. 2nd in Oct. Impact planned to be very damaging ... Time to let more than Podesta to be exposed as in bed w enemy if they are not ready to drop HRC. That appears to be the game hackers are now about. Would not hurt to start suggesting HRC old, memory bad, has stroke -- neither he nor she well. I expect that much of next dump focus, setting stage for Foundation debacle." Based on my training, experience, and review of materials in this case, it appears that CORSI's reference to a "friend in embassy 11 Case 1:19-mc-00029-CRC Document 29-6 Filed 04/28/20 Page 20 of 38 [who] plans 2 more dumps" refers to Julian AS SAN GE, the founder of WikiLeaks, who resided in Ecuador's London Embassy in 2016. 30. On or about August 5, 2016, , an associate of STONE's emailed him a link to a poll indicated that Clinton lea Trump by 15 points. STONE responded "enjoy it while u can[.] I dined with my new pal Julian Assange last night." subsequently stated to investigators that, around the same time, STONE told him he had gone to London to meet ASSANGE. also stated that in 2018, told STONE he would be interviewed by the FBI and would have to divulge the conversation about meeting AS SAN GE. STONE told 31. he was joking and had not actually met Assange. On or about August 16, 2016, CORSI emailed STONE a link to a piece CORSI had written about STONE titled, "Trump Adviser: WikiLeaks Plotting Email Dump to Derail Hillary." 32. On August 19, 2016, Bannon sent Stone a text message asking ifhe could talk that morning. On August 20, 2016, Stone replied, "when can u talk???" 33. On or about August 31, 2016, CORSI emailed STONE: "Did you get the Podesta writeup." STONE replied "yes." 34. On September 4, 2016, Stone texted Bannon that he was in New York City for a few more days, and asked if Bannon was able to talk. 35. On or about September 6, 2016, CORSI emailed STONE: "Roger[,] Is NY Post going to use the Pedesta [sic] stuff?" 36. On September 7, 2016, Stone and Bannon texted to arrange a meeting on September 8, 2016 at the Warner Center in New York. 12 Case 1:19-mc-00029-CRC Document 29-6 Filed 04/28/20 Page 21 of 38 37. On September 7, 2016, Bannon texted Stone asking him ifhe could "come by trump tower now???" 38. On September 8, 2016, Stone and Bannon texted about arranging a me~ting in New York. 39. On October 3, 2016, an associate of Stone emailed Stone and asked: "Assange - what's he got? Hope it's good." Stone wrote back, "It is. I'd tell Bannon but he doesn't call me back. My book on the TRUMP campaign will be out in Jan. Many scores will be settled." The associate forwarded the email to Bannon and wrote: "You should call Roger. See below. You didn't get from me." Bannon wrote back, "I've got important stuff to worry about." The associate responded, "Well clearly he knows what Assange has. I'd say that's important." 40. On or about October 4, 2016, ASSANGE gave a press conference at the Ecuadorian Embassy. There had been speculation in the press leading up to that event that ASSANGE would release information damaging to then-candidate Clinton, but WikiLeaks did not make any new releases. Instead, ASSANGE promised more documents, including information "affecting three powerful organizations in three different states, as well as, of course, information previously referred to about the lJ.S. election process." AS SAN GE also stated that WikiLeaks would publish documents on various subjects every week for the next 10 weeks, and vowed that the U.S. election-related documents would all come out before Election Day. 41. Later that day, BANNON emailed STONE, "What was that this morning???" STONE replied, "Fear. Serious security concern. He thinks they are going to kill him and the London police are standing done [sic]." BANNON wrote back, "He didn't cut deal w/ clintons???" Stone replied, "Don't think so BUT his lawyer 13 is a big democrat." Case 1:19-mc-00029-CRC Document 29-6 Filed 04/28/20 Page 22 of 38 42. When BANNON spoke with investigators during a voluntary proffer on February 14, 2018, he initially denied knowing whether the October 4, 2017 email to STONE was about WikiLeaks. Upon further questioning, BANNON acknowledged that he was asking STONE about WikiLeaks, because he had heard that STONE had a channel to ASSANGE, and BANNON had been hoping for releases of damaging information that morning. 43. On or about October 7, 2016, WikiLeaks began releasing the Podesta emails. 44. On or about October 12, 2016, the same day on which Podesta accused STONE of having advance knowledge of the publication of his emails, CORSI emailed STONE on both the email accounts, with a subject line "Podesta talking points." Attached to the email was a file labeled, "ROGER STONE podesta talking points Oct 12 2016.docx." The "talking points" included the statement that "Podesta is at the heart of a Russian-government money laundering operation that benefits financially Podesta personally and the Clintons through the Clinton Foundation." CORSI followed up several minutes later with another email titled, "Podesta talking points," with the text "sent a second time just to be sure you go it." STONE emailed CORSI back via the 45. Account, "Got them and used them." On or about October 17, 2016, CORSI emailed the STONE with the subject, "Fwd: AS SANGE ... URGENT ... " CORSI wrote, "From a very trusted source," and forwarded an email with the header information stripped out, showing only the body text. The email read, "Yes[.] I figured this. Assange is threatening Kerry, Ecuador and U.K. He will drop the goods on them if they move to extradite him. My guess is that he has a set of dead man files that include Hillary. It's what they used to call a 'Mexican stand off[.]' Only hope is that if Trump speaks out to save him[.] Otherwise he's dead anyway, once he's dropped what he has. If HRC wins, 14 Case 1:19-mc-00029-CRC Document 29-6 Filed 04/28/20 Page 23 of 38 Assange can kiss his life away. Interesting gambit Assange has to play out. He's called Podesta's bluff and raised him the election." 46. On or about January 7, 2017, emailed STONE, CORSI, and with the subject line, "in case you need his mail. ........ " Attached to the message was a scan of a business card for John Podesta. Several hours later, replied to all recipients: "Ha ... maybe he wants to go phishing with us?" 47. I know from my training and experience that the term "phishing" is used to refer to the practice of sending emails purporting to be from a reputable party in order to induce individuals to reveal personal information, including passwords. Public reports indicate that Podesta's emails were obtaining through a "phishing" scheme. D. STONE's Recent Public Statements Regarding Contact with Assange 48. As described above, STONE stated that on October 12, 2016 that he was in contact with ASSANGE via a "a mutual friend who's traveled to London several times," and that "everything I know is through that channel of communications." 49. On March 13, 2018, the Washington Post published an article about STONE's previous claims of contact with Assange. 4 The cited an anonymous source who claimed to have a conversation with STONE in the "spring of 2016" where STONE indicated that he had learned from "Julian Assange that his organization had obtained emails that would torment senior Democrats such as John Podesta," and that the conversation occurred before it became publicly known that hackers had obtained the "emails of Podesta and of the Democratic National 4 https://www.washingtonpost.com/politics/roger-stone-claimed-contact-with-wikileaks-founder-julian-assange-in20 l 6-according-to-two-associates/20 l 8/03/l 3/a263 f842-2604- l l e8-b79d-t3d93 I db7f68_ story.html?hpid=hp_rhptop-table-main_ stone-656am%3Ahomepage%2Fstory 15 Case 1:19-mc-00029-CRC Document 29-6 Filed 04/28/20 Page 24 of 38 Committee." The article also cited statements that STONE stated he had spoken to ASSANGE. The article cited STONE denying any advance notice about the hacked emails or any "contact with Assange." The Article stated that STONE "said he only recalled having one conversation with anyone in which he alluded to meeting the WikiLeaks founder - a comment he said he made as a joke to Nunberg." STONE was quoted as stating, "The allegation I met with Assange, or asked for a meeting or communicated with Assange, is provably false." 50. The article also stated that STONE told the House Intelligence Committee in September 2017 that his August 21 tweet was meant as a prediction that Podesta's business opportunities would come under scrutiny after Paul MANAFORT was forced to resign amid allegations about his work for a pro-Russian party in Ukraine. MANAFORT resigned from the Campaign on or about August 19, 2016. CORSI's email to STONE about WikiLeaks and "Time to let more than Podesta to be exposed as in bed w_enemy if they are not ready to drop HRC," occurred on August 2, 2016, over two weeks before MANAFORT's resignation. E. STONE's use of the Target Accounts 51. On November 21, 2017, Chief Judge Beryl A. Howell signed an order pursuant to 18 U.S.C. §2703(d) for header information related to the Target Accounts. Pursuant to that order, Apple prov_ided the following information: 52. Target Account 1 has the Apple ID , an email address associated with STONE discussed above. The associated email address is . The company registered as the account user is Citroen Associates, a company linked to STONE by investigators. Additionally, the "rescue email" is , which is STONE's account. IP login information shows that the account was in use as of the time of the service of the Order According to Apple, the system has 16 Case 1:19-mc-00029-CRC Document 29-6 Filed 04/28/20 Page 25 of 38 been set to a "Full iCloud" backup. I know from my training and experience that a full iCloud backup can include other databases and messaging features, including third party messaging programs. Often individuals are unaware that the information is being stored in their iCloud, and therefore the iCloud may contain additional communications not contained in the standard mail accounts. STONE's email account ( ) also contains messages regarding his iCloud account, including an indication that iCloud storage was "full." STONE also used Target Account 1's associated iCloud email account, , to send an email in March, 201 7. 53. Target Account 2 has the Apple ID , an email address associated with STONE. Target Account 2 is registered to "Roger Stone," and according to information provided by Apple pursuant to the§ 2703(d) order, contains a full iCloud backup as well. The account is currently locked. INFORMATION REGARDING APPLE ID AND iCLOUD 5 54. Apple is a United States company that produces the iPhone, iPad, and iPod Touch, all of which use the iOS operating system, and desktop and laptop computers based on the Mac OS operating system. The information in this section is based on information published by Apple on its website, including, but not limited to, the following document and webpages: "U.S. Law Enforcement Legal Process Guidelines," available at htlp://images.applc.com/ privacy/docs/legal-process-guidelines-us.pdf; "Create and start using an Apple ID," available at https://suppo11.apple.co111/en-us/HT203993; "iCloud," available at http://www.apple.com/icloud/; "iCloud: iCloud storage and backup overview," available at https://suppo1i.apple.com/kb/PT-l l 25 L9; and "iOS Security," available at lmp://images.app le.com/privacy/docs/iO, Security Guide.pdf. 17 Case 1:19-mc-00029-CRC Document 29-6 Filed 04/28/20 Page 26 of 38 55. Apple provides a variety of services that can be accessed from Apple devices or, in some cases, other devices via web browsers or mobile and desktop applications ("apps"). As described in further detail below, the serv,ices include email, instant messaging, and file storage: a. Apple provides email service to its users through email addresses at the domain names mac.com, me.com, and icloud.com. b. iMessage and FaceTime allow users of Apple devices to communicate in real-time. iMessage enables users of Apple devices to exchange instant messages ("iMessages") containing text, photos, videos, locations, and contacts, while FaceTime enables those users to conduct video calls. c. iCloud is a file hosting, storage, and sharing service provided by Apple. iCloud can be utilized through numerous iCloud-connected services, and can also be used to store iOS device backups and data associated with third-party apps. d. iCloud-connected services allow users to create, store, access, share, and synchronize data on Apple devices or via icloud.com on any Internet-connected device. For example, iCloud Mail enables a user to access Apple-provided email accounts on multiple Apple devices and on icloud.com. iCloud Photo Library and My Photo Stream can be used to store and manage images and videos taken from Apple devices, and iCloud Photo Sharing allows the user to share those images and videos with other Apple subscribers. iCloud Drive can be used to store presentations, spreadsheets, and other documents. iCloud Tabs enables iCloud to be used to synchronize webpages opened in the Safari web browsers on all of the user's Apple devices. iWorks Apps, a suite of productivity apps (Pages, Numbers, and Keynote), enables iCloud to be used to create, store, and share documents, spreadsheets, and presentations. iCloud Keychain 18 Case 1:19-mc-00029-CRC Document 29-6 Filed 04/28/20 Page 27 of 38 enables a user to keep website usemame and passwords, credit card information, and Wi-Fi network information synchronized across multiple Apple devices. e. Game Center, Apple's social gaming network, allows users of Apple devices to play and share games with each other. f. Find My iPhone allows owners of Apple devices to remotely identify and track the location of, display a message on, and wipe the contents of those devices. g. Location Services allows apps and websites to use information from cellular, Wi-Fi, Global Positioning System ("GPS") networks, and Bluetooth, to determine a user's approximate location. h. App Store and iTunes Store are used to purchase and download digital content. iOS apps can be purchased and dow11loaded through App Store on iOS devices, or through iTunes Store on desktop and laptop computers running either Microsoft Windows or Mac OS. Additional digital content, including music, movies, and television shows, can be purchased .through iTunes Store on iOS devices and on desktop and laptop computers running either Microsoft Windows or Mac OS. 56. Apple services are accessed through the use of an "Apple ID," an account created during the setup of an Apple device or through the iTunes or iCloud services. A single Apple ID can be linked to multiple Apple services and devices, serving as a central authentication and syncing mechanism. 57. An Apple ID takes the form of the full email address submitted by the user to create the account; it can later be changed. Users can submit an Apple-provided email address (often ending in @icloud.com, @me.com, or @mac.com) or an email address associated with a 19 Case 1:19-mc-00029-CRC Document 29-6 Filed 04/28/20 Page 28 of 38 third-party email provider (such as Gmail, Yahoo, or Hotmail). The Apple ID can be used to access most Apple services (including iCloud, iMessage, and FaceTime) only after the user accesses and responds to a "verification email" sent by Apple to that "primary" email address. Additional email addresses ("alternate," "rescue," and "notification" email addresses) can also be associated with an Apple ID by the user. 58. Apple captures information associated with the creation and use of an Apple ID. During the creation of an Apple ID, the user must provide basic personal information including the user's full name, physical address, and telephone numbers. The user may also provide means of payment for products offered by Apple. The subscriber information and password associated with an Apple ID can be changed by the user through the "My Apple ID" and "iForgot" pages on Apple's website. In addition, Apple captures the date on which the account was created, the length of service, records of log-in times and durations, the types of service utilized, the status of the account (including whether the account is inactive or closed), the methods used to connect to and utilize the account, the Internet Protocol address ("IP address") used to register and access the account, and other log files that reflect usage of the account. 59. Additional information is captured by Apple in connection with the use of an Apple ID to access certain services. For example, Apple maintains connection logs with IP addresses that reflect a user's sign-on activity for Apple services such as iTunes Store and App Store, iCloud, Game Center, and the My Apple ID and iForgot pages on Apple's website. Apple also maintains records reflecting a user's app purchases from App Store and iTunes Store, "call invitation logs" for FaceTime calls, and "mail logs" for activity over an Apple-provided email 20 Case 1:19-mc-00029-CRC Document 29-6 Filed 04/28/20 Page 29 of 38 account. Records relating to the use of the Find My iPhone service, including connection logs and requests to remotely lock or erase a device, are also maintained by Apple. 60. Apple also maintains information about the devices associated with an Apple ID. When a user activates or upgrades an iOS device, Apple captures and retains the user's IP address and identifiers such as the Integrated Circuit Card ID number ("ICCID"), which is the serial number of the device's SIM card. Similarly, the telephone number of a user's iPhone is linked to an Apple ID when the user signs in to FaceTime or iMessage. Apple also may maintain records of other device identifiers, including the Media Access Control address ("MAC address"), the unique device identifier ("UDID"), and the serial number. In addition, information about a user's computer is captured when iTunes is used on that computer to play content associated with an Apple ID, arid information about a user's web browser may be captured when used to access services through icloud.com and apple.com. Apple also retains records related to communications between users and Apple customer service, including communications regarding a particular Apple device or service, and the repair history for a device. 61. Apple provides users with five gigabytes of free electronic space on iCloud, and users can purchase additional storage space. That storage space, located on servers controlled by Apple, may contain data associated with the use of iCloud-connected services, including: email (iCloud Mail); images and videos (iCloud Photo Library, My Photo Stream, and iCloud Photo Sharing); documents, spreadsheets, presentations, and other files (iWorks and iCloud Drive); and web browser settings and Wi-Fi network information (iCloud Tabs and iCloud Keychain). iCloud can also be used to store iOS device backups, which can contain a user's photos and 21 Case 1:19-mc-00029-CRC Document 29-6 Filed 04/28/20 Page 30 of 38 videos, iMessages, Short Message Service ("SMS") and Multimedia Messaging Service ("MMS") messages, voicemail messages, call history, contacts, calendar events, reminders, notes, app data and settings, and other data. Records and data associated with third-party apps may also be stored on iCioud; for example, the iOS app for WhatsApp, an instant messaging service, can be configured to regularly back up a user' s instant messages on iCloud. Some of this data is stored on Apple's servers in an encrypted form but can nonetheless be decrypted by Apple. 62. In my training and experience, evidence of who was using an Apple ID and from where, and evidence related to criminal activity of the kind described above, may be found in the files and records described above. This evidence may establish the "who, what, why, when, where, and how" of the criminal conduct under investigation, thus enabling the United States to establish and prove each element or, alternatively, to exclude the innocent from further suspicion. 63. The stored communications and files connected to an Apple ID may provide direct evidence of the offenses under investigation. For example, stored iMessage communications, voicemails, and emails may contain conversations with foreign government officials similar to those described above in PAPADOPOULOS 's Linkedin and Gmail accounts. Based on my training and experience, instant messages, emails, voicemails, photos, videos, and documents are often created and used in furtherance of criminal activity, including to communicate and facilitate the offenses under investigation. 64. In addition, the user's account activity, logs, stored electronic communications, and other data retained by Apple can indicate who has used or controlled the account. This "user 22 Case 1:19-mc-00029-CRC Document 29-6 Filed 04/28/20 Page 31 of 38 attribution" evidence is analogous to the search for "indicia of occupancy" while executing a search warrant at a residence. For example, subscriber information, email and messaging logs, documents, and photos and videos (and the data associated with the foregoing, such as geolocation, date and time) may be evidence of who used or controlled the account at a relevant time. As an example, because every device has unique hardware and software identifiers, and because every device that connects to the Internet must use an IP address, IP address and device identifier information can help to identify which computers or other devices were used to access the account. Such information also allows investigators to understand the geographic and chronological context of access, use, and events relating to the crime under investigation. 65. Account activity may also provide relevant insight into the account owner's state of mind as it relates to the offenses under investigation. For example, information on the account may indicate the owner's motive and intent to commit a crime (e.g., information indicating a plan to commit a crime), or consciousness of guilt (e.g., deleting account information in an effort to conceal evidence from law enforcement). 66. Other information connected to an Apple ID may lead to the discovery of additional evidence. For example, the identification of apps downloaded from App Store and iTunes Store may reveal services used in furtherance of the crimes under investigation or services used to communicate with co-conspirators. For instance, ifthere are secured and encrypted communication applications downloaded from the App Store, that can show an attempt to hide information from investigators. In addition, emails, instant messages, Internet activity, documents, and contact and calendar information can lead to the identification of coconspirators and instrumentalities of the crimes under investigation. 23 Case 1:19-mc-00029-CRC Document 29-6 Filed 04/28/20 Page 32 of 38 67. Therefore, Apple's servers are likely to contain stored electronic communications and information concerning subscribers and their use of Apple's services. In my training and experience, such information may constitute evidence of the crimes under investigation including information that can be used to identify the account's user or users. CONCLUSION 68. STONE instructed CORSI to "Get to Assange" at the Ecuadorian Embassy regarding upcoming leaks, and CORSI emailed Stone on the Account that it was "Time to let more than Podesta to be exposed as in bed w enemy if they are not ready to drop HRC." STONE also texted and emailed BANNON about potential forthcoming leaks from ASSANGE and WikiLeaks. There is therefore probable cause to believe that evidence of the DNC hack and the hacking of other emails associated with the 2016 election will be found in the information associated with the Target Accounts. 69. Based on the forgoing, I request that the Court issue the proposed search warrant. 70. Pursuant to 18 U.S.C. § 2703(g), the presence of a law enforcement officer is not required for the service or execution of this warrant. 24 Case 1:19-mc-00029-CRC Document 29-6 Filed 04/28/20 Page 33 of 38 REQUEST FOR SEALING 71. I further request that the Court order that all papers in support of this application, including the affidavit and search warrant, be sealed until further order of the Court. These documents discuss an ongoing criminal investigation, the full nature and extent of which is not known to all of the targets of the investigation. Accordingly, there is good cause to seal these documents because their premature disclosure may seriously jeopardize that investigation. Respectfully submitted, , ·t. 4 - d/{,,. . . • ---- li-s-Heide Special Agent Federal Bureau oflnvestigation Subscribed and sworn to before me on this d .faf of March, 2018. ~;/~ The Honorabl Beryl A. Howell Chief United States District Judge 25 Case 1:19-mc-00029-CRC Document 29-6 Filed 04/28/20 Page 34 of 38 ATTACHMENT A Property to be Searched This warrant applies to information associated with the following Apple Accounts: that is stored at premises owned, maintained, controlled, or operated by Apple, Inc., a business with offices located at 1 Infinite Loop, Cupertino, California 95014. 26 Case 1:19-mc-00029-CRC Document 29-6 Filed 04/28/20 Page 35 of 38 ATTACHMENT B Particular Things to be Seized I. Information to be disclosed by Apple To the extent that the information described in Attachment A is within the possession, custody, or control of Apple, including any messages, records, files, logs, or information that have been deleted but are still available to Apple, or have been preserved pursuant to a request made under 18 U.S.C. § 2703(f), Apple is required to disclose the following infonnation to the government, in unencrypted form whenever available, for each account or identifier listed in Attachment A: a. All records or other information regarding the identification of the account, to include full name, physical address, telephone numbers, email addresses (including primary, alternate, rescue, and notification email addresses, and verification information for each email address), the date on which the account was created, the length of service, the IP address used to register the account, account status, methods of connecting, and means and source of payment (including any credit or bank account numbers); b. All records or other information regarding the devices associated with, or used in connection with, the account (including all current and past trusted or authorized iOS devices and computers, and any devices used to access Apple services), including serial numbers, Unique Device Identifiers ("UDID"), Advertising Identifiers ("IDF A"), Global Unique Identifiers ("GUID"), Media Access Control ("MAC") addresses, Integrated Circuit Card ID numbers ("ICCID"), Electronic Serial Numbers ("ESN"), Mobile Electronic Identity Numbers ("MEIN"), 27 Case 1:19-mc-00029-CRC Document 29-6 Filed 04/28/20 Page 36 of 38 Mobile Equipment Identifiers ("MEID"), Mobile Identification Numbers ("MIN"), Subscriber Identity Modules ("SIM"), Mobile Subscriber Integrated Services Digital Network Numbers ("MSISDN"), International Mobile Subscriber Identities ("IMSI"), and International Mobile Station Equipment Identities ("IMEI"); c. The contents of all emails associated with the account, including stored or preserved copies of emails sent to and from the account (including all draft emails and deleted emails), the source and destination addresses associated with each email, the date and time at which each email was sent, the size and length of each email, and the true and accurate header information including the actual IP addresses of the sender and the recipient of the emails, and all attachments; d. The contents of all instant messages associated with the account, including stored or preserved copies of instant messages (including iMessages, SMS messages, and MMS messages) sent to and from the account (including all draft and deleted messages), the source and destination account or phone number associated with each instant message, the date and time at which each instant message was sent, the size and length of each instant message, the actual IP addresses of the sender and the recipient of each instant message, and the media, if any, attached to each instant message; ,. e. The contents of all files and other records stored on iCloud, including all iOS device backups, all Apple and third-party app data, all files and other records related to iCloud Mail, iCloud Photo Sharing, My Photo Stream, iCloud Photo Library, iCloud Drive, iWorks (including Pages, Numbers, and Keynote), iCloud Tabs, and iCloud Keychain, and all address 28 Case 1:19-mc-00029-CRC Document 29-6 Filed 04/28/20 Page 37 of 38 books, contact and buddy lists, notes, reminders, calendar entries, images, videos, voicemails, device settings, and bookmarks; f. All activity, connection, and transactional logs for the account (with associated IP addresses including source port numbers), including FaceTime call invitation logs, mail logs, iCloud logs, iTunes Store and App Store logs (including purchases, downloads, and updates of Apple and third-party apps), messaging and query logs (including iMessage, SMS, and MMS messages), My Apple ID and iForgot logs, sign-on logs for all Apple services, Game Center logs, Find my iPhone logs, logs associated with iOS device activation and upgrades, and logs associated with web-based access of Apple services (including all associated identifiers); g. All records and information regarding locations where the account was accessed, including all data stored in connection with Location Services; h. All records pertaining to the types of service used; 1. All records pertaining to communications between Apple and any person regarding the account, including contacts with support services and records of actions taken; and J. All files, keys, or other information necessary to decrypt any data produced in an encrypted form, when available to Apple (including, but not limited to, the keybag.txt and fileinfolist.txt files). 29 Case 1:19-mc-00029-CRC Document 29-6 Filed 04/28/20 Page 38 of 38 II. Information to be Seized by Law Enforcement Personnel a. Any and all records that relate in any way to the accounts described in Attachment A which consists of evidence, fruits, or instrumentalities of violations of 18 U.S.C.§ 1030 (fraud and related activities in connection with computers), 18 U.S.C. § 2 (aiding and abetting), and 18 U.S.C. § 371 (conspiracy to commit an offense against the United States), for the period January 2015 to the present, including: All records, information, documents or tangible materials that relate in any way to communications regarding hacking, release of hacked material, communications with persons or entities associated with WikiLeaks, including but not limited to Julian Assange; b. All images, messages, communications, calendar entries, search terms, and contacts, including any and all preparatory steps taken in furtherance of the abovelisted offenses; c. Communication, information, documentation and records relating to who created, used, or communicated with the account or identifier, including records about their identities and whereabouts; d. Evidence of the times the account was used; e. All images, messages and communications regarding w1pmg software, encryption or other methods to avoid detection by law enforcement; f. Passwords and encryption keys, and other access information that may be necessary to access the account and other associated accounts; g. Credit card and other financial information, including but not limited to, bills and payment records evidencing ownership of the subject account; h. All existing printouts from original storage which concern the categories identified in subsection II.A; and 1. All "address books" or other lists of contacts. 30