Case 1:19-mc-00029-CRC Document 29-9 Filed 04/28/20 Page 1 of 58

AO 93 (Rev. 11/13) Search and Seizure Warrant

UNITED STATES DISTRICT COURT
for the District of Columbia

In the Matter of the Search of (Briefly describe the property to be searched or identify the person by name and address)
INFORMATION ASSOCIATED WITH

Case: 1:18-sc-02401
Assigned To: Howell, Beryl A.
Assign. Date: 7/12/2018
Description: Search & Seizure Warrant

SEARCH AND SEIZURE WARRANT

To: Any authorized law enforcement officer

An application by a federal law enforcement officer or an attorney for the government requests the search of the following person or property located in the Northern District of California (identify the person or describe the property to be searched and give its location): See Attachment C.

I find that the affidavit(s), or any recorded testimony, establish probable cause to search and seize the person or property described above, and that such search will reveal (identify the person or describe the property to be seized): See Attachment D.

YOU ARE COMMANDED to execute this warrant on or before July 26, 2018 (not to exceed 14 days)
[x] in the daytime 6:00 a.m. to 10:00 p.m.
[ ] at any time in the day or night because good cause has been established.

Unless delayed notice is authorized below, you must give a copy of the warrant and a receipt for the property taken to the person from whom, or from whose premises, the property was taken, or leave the copy and receipt at the place where the property was taken.

The officer executing this warrant, or an officer present during the execution of the warrant, must prepare an inventory as required by law and promptly return this warrant and inventory to Hon. Beryl A. Howell (United States Magistrate Judge).

[ ] Pursuant to 18 U.S.C. § 3103a(b), I find that immediate notification may have an adverse result listed in 18 U.S.C.
§ 2705 (except for delay of trial), and authorize the officer executing this warrant to delay notice to the person who, or whose property, will be searched or seized (check the appropriate box)
[ ] for days (not to exceed 30)
[ ] until, the facts justifying, the later specific date of

Date and time issued:
City and state: Washington, DC
Judge's signature
Hon. Beryl A. Howell, Chief U.S. District Judge
Printed name and title

AO 93 (Rev. 11/13) Search and Seizure Warrant (Page 2)

Return

Case No.:
Date and time warrant executed:
Copy of warrant and inventory left with:
Inventory made in the presence of:
Inventory of the property taken and name of any person(s) seized:

Certification

I declare under penalty of perjury that this inventory is correct and was returned along with the original warrant to the designated judge.

Date:
Executing officer's signature
Printed name and title

ATTACHMENT C

Property to be Searched

This warrant applies to information associated with the following Apple account:

1. that is stored at premises owned, maintained, controlled, or operated by Apple, Inc., located at One Apple Park Way, Cupertino, California 95014.

ATTACHMENT D

Particular Things to be Seized

I. Files and Accounts to be produced by the Provider:

To the extent that the information described in Attachment A is within the possession, custody, or control of Apple, regardless of whether such information is located within or outside of the United States, including any messages, records, files, logs, or information that have been deleted but are still available to Apple, or have been preserved pursuant to a request made under 18 U.S.C.
§ 2703(f), Apple is required to disclose the following information to the government, in unencrypted form whenever available, for each account or identifier listed in Attachment A:

a. All records or other information regarding the identification of the account, to include full name, physical address, telephone numbers, email addresses (including primary, alternate, rescue, and notification email addresses, and verification information for each email address), the date on which the account was created, the length of service, the IP address used to register the account, account status, associated devices, methods of connecting, and means and source of payment (including any credit or bank account numbers);

b. All records or other information regarding the devices associated with, or used in connection with, the account (including all current and past trusted or authorized iOS devices and computers, and any devices used to access Apple services), including serial numbers, Unique Device Identifiers ("UDID"), Advertising Identifiers ("IDFA"), Global Unique Identifiers ("GUID"), Media Access Control ("MAC") addresses, Integrated Circuit Card ID numbers ("ICCID"), Electronic Serial Numbers ("ESN"), Mobile Electronic Identity Numbers ("MEIN"), Mobile Equipment Identifiers ("MEID"), Mobile Identification Numbers ("MIN"), Subscriber Identity Modules ("SIM"), Mobile Subscriber Integrated Services Digital Network Numbers ("MSISDN"), International Mobile Subscriber Identities ("IMSI"), and International Mobile Station Equipment Identities ("IMEI");

c.
The contents of all emails associated with the account, including stored or preserved copies of emails sent to and from the account (including all draft emails and deleted emails), the source and destination addresses associated with each email, the date and time at which each email was sent, the size and length of each email, and the true and accurate header information including the actual IP addresses of the sender and the recipient of the emails, and all attachments;

d. The contents of all instant messages associated with the account, including stored or preserved copies of instant messages (including iMessages, SMS messages, and MMS messages) sent to and from the account (including all draft and deleted messages), the source and destination account or phone number associated with each instant message, the date and time at which each instant message was sent, the size and length of each instant message, the actual IP addresses of the sender and the recipient of each instant message, and the media, if any, attached to each instant message;

e. The contents of all files and other records stored on iCloud, including all iOS device backups, all Apple and third-party app data, all files and other records related to iCloud Mail, iCloud Photo Sharing, My Photo Stream, iCloud Photo Library, iCloud Drive, iWork (including Pages, Numbers, Keynote, and Notes), iCloud Tabs and bookmarks, and iCloud Keychain, and all address books, contact and buddy lists, notes, reminders, calendar entries, images, videos, voicemails, device settings, and bookmarks;

f.
All activity, connection, and transactional logs for the account (with associated IP addresses including source port numbers), including FaceTime call invitation logs, messaging and query logs (including iMessage, SMS, and MMS messages), mail logs, iCloud logs, iTunes Store and App Store logs (including purchases, downloads, and updates of Apple and third-party apps), My Apple ID and iForgot logs, sign-on logs for all Apple services, Game Center logs, Find My iPhone and Find My Friends logs, logs associated with web-based access of Apple services (including all associated identifiers), and logs associated with iOS device purchase, activation, and upgrades;

g. All records and information regarding locations where the account or devices associated with the account were accessed, including all data stored in connection with Location Services, Find My iPhone, Find My Friends, and Apple Maps;

h. All records pertaining to the types of service used;

i. All records pertaining to communications between Apple and any person regarding the account, including contacts with support services and records of actions taken; and

j. All files, keys, or other information necessary to decrypt any data produced in an encrypted form, when available to Apple (including, but not limited to, the keybag.txt and fileinfolist.txt files).

II. Information to be Seized by Law Enforcement Personnel

Any and all records that relate in any way to the accounts described in Attachment A which consists of evidence, fruits, or instrumentalities of violations of 18 U.S.C. § 1030 (fraud and related activities in connection with computers) and 18 U.S.C. § 371 (conspiracy to commit an offense against the United States) for the period from June 15, 2016 to November 10, 2016, including:

a.
All records, information, documents or tangible materials that relate in any way to communications regarding hacking, release of hacked material, communications with persons or entities associated with WikiLeaks, including but not limited to Julian Assange, or communications regarding disinformation, denial, dissembling or other obfuscation about knowledge of, or access to hacked material;

b. All records, information, documents or tangible materials that relate in any way to communications or meetings involving Roger Stone, Julian Assange, or any individual associated with the Trump Campaign;

c. All images, messages, communications, calendar entries, search terms, and contacts, including any and all preparatory steps taken in furtherance of the above-listed offenses;

d. Communication, information, documentation and records relating to who created, used, or communicated with the account or identifier, including records about their identities and whereabouts;

e. Evidence of the times the account was used;

f. All images, messages and communications regarding wiping software, encryption or other methods to avoid detection by law enforcement;

g. Passwords and encryption keys, and other access information that may be necessary to access the account and other associated accounts;

h. Credit card and other financial information, including but not limited to, bills and payment records evidencing ownership of the subject account;

i. All existing printouts from original storage which concern the categories identified in subsection II.A; and

j. All "address books" or other lists of contacts.

FILED JUL 12 2018
Clerk, U.S. District & Bankruptcy Courts for the District of Columbia

IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA

Case: 1:18-sc-02401
Assigned To: Howell, Beryl A.
Assign.
Date: 7/12/2018
Description: Search & Seizure Warrant

IN THE MATTER OF THE SEARCH OF INFORMATION ASSOCIATED WITH

ORDER

The United States has filed a motion to seal the above-captioned warrant and related documents, including the application and affidavit in support thereof (collectively the "Warrant"), and to require Apple, Inc. ("Apple") an electronic communication and/or remote computing service headquartered at a company headquartered at 1 Infinite Loop, Cupertino, CA not to disclose the existence or contents of the Warrant pursuant to 18 U.S.C. § 2705(b).

The Court finds that the United States has established that a compelling governmental interest exists to justify the requested sealing, and that there is reason to believe that notification of the existence of the Warrant will seriously jeopardize the investigation, including by giving the targets an opportunity to flee from prosecution, destroy or tamper with evidence, and intimidate witnesses. See 18 U.S.C. § 2705(b)(2)-(5).

IT IS THEREFORE ORDERED that the motion is hereby GRANTED, and that the warrant, the application and affidavit in support thereof, all attachments thereto and other related materials, the instant motion to seal, and this Order be SEALED until further order of the Court; and

IT IS FURTHER ORDERED that, pursuant to 18 U.S.C. § 2705(b), Apple and its employees shall not disclose the existence or content of the Warrant to any other person (except attorneys for Apple for the purpose of receiving legal advice) for a period of one year or until further order of the Court.

THE HONORABLE BERYL A. HOWELL
CHIEF UNITED STATES DISTRICT JUDGE

AO 106 (Rev.
04/10) Application for a Search Warrant

FILED JUL 12 2018
Clerk, U.S. District & Bankruptcy Courts for the District of Columbia

UNITED STATES DISTRICT COURT
for the District of Columbia

In the Matter of the Search of (Briefly describe the property to be searched or identify the person by name and address)
INFORMATION ASSOCIATED WITH

Case: 1:18-sc-02401
Assigned To: Howell, Beryl A.
Assign. Date: 7/12/2018
Description: Search & Seizure Warrant

APPLICATION FOR A SEARCH WARRANT

I, a federal law enforcement officer or an attorney for the government, request a search warrant and state under penalty of perjury that I have reason to believe that on the following person or property (identify the person or describe the property to be searched and give its location): See Attachment C.

located in the Northern District of California, there is now concealed (identify the person or describe the property to be seized): See Attachment D.

This warrant is sought pursuant to 18 U.S.C. §§ 2703(a), 2703(b)(1)(A), and 2703(c)(1)(A).

The basis for the search under Fed. R. Crim. P. 41(c) is (check one or more):
[x] evidence of a crime;
[x] contraband, fruits of crime, or other items illegally possessed;
[x] property designed for use, intended for use, or used in committing a crime;
[ ] a person to be arrested or a person who is unlawfully restrained.

The search is related to a violation of:

Code Section          Offense Description
18 U.S.C. § 371       Conspiracy
18 U.S.C. § 1030      Unauthorized Access of a Protected Computer

The application is based on these facts: See attached Affidavit.

[x] Continued on the attached sheet.
[ ] Delayed notice of days (give exact ending date if more than 30 days: ) is requested under 18 U.S.C. § 3103a, the basis of which is set forth on

Reviewed by AUSA/SAUSA: Aaron Zelinsky (ASC)

Applicant's signature
Andrew Mitchell, Special Agent, FBI
Printed name and title

Sworn to before me and signed in my presence.
Date: 7/12/2018
Judge's signature
City and state: Washington, D.C.
Hon. Beryl A. Howell, Chief U.S. District Judge
Printed name and title

FILED JUL 12 2018
Clerk, U.S. District & Bankruptcy Courts for the District of Columbia

IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA

IN THE MATTER OF THE SEARCH OF INFORMATION ASSOCIATED WITH

Case No.
Filed Under Seal

AMENDED AFFIDAVIT IN SUPPORT OF AN APPLICATION FOR A SEARCH WARRANT

I, Andrew Mitchell, being first duly sworn, hereby depose and state as follows:

INTRODUCTION AND AGENT BACKGROUND

1. I make this affidavit in support of an application for a search warrant for information associated with the following:

a. The email account maintained by CSC Holdings ("Target Account 1"), described further in Attachment A.

b. The Apple Account (including email) associated with , maintained by Apple, Inc. (Target Account 2), described further in Attachment C.

c. The email account maintained by Windstream Communications ("Target Account 3"), described further in Attachment E.

The information to be disclosed by CSC Holdings, Apple, Inc., and Windstream Communications ("the Providers") and searched by the government is described in the following paragraphs and in Attachments A-F. This affidavit is made in support of an application for a search warrant under 18 U.S.C. §§ 2703(a), 2703(b)(1)(A), and 2703(c)(1)(A).

2. I, Andrew Mitchell, am a Special Agent with the Federal Bureau of Investigation (FBI), and have been since 2011. As a Special Agent of the FBI, I have received training and experience in investigating criminal and national security matters.

3. The facts in this affidavit come from my personal observations, my training and experience, and information obtained from other agents and witnesses.
This affidavit is intended to show merely that there is sufficient probable cause for the requested warrant and does not set forth all of my knowledge about this matter.

4. Before the submission of this warrant application, the Special Counsel's Office complied with all relevant Department of Justice policies, including the requirement for Departmental approval under the Department's policy regarding obtaining information from members of the news media, 28 C.F.R. 50.10.

5. Based on my training and experience and the facts as set forth in this affidavit, there is probable cause to believe that the Target Accounts contain communications relevant to violations of 18 U.S.C. § 371 (conspiracy) and 18 U.S.C. § 1030 (unauthorized access of a protected computer).

JURISDICTION

6. This Court has jurisdiction to issue the requested warrant because it is "a court of competent jurisdiction" as defined by 18 U.S.C. § 2711. Id. §§ 2703(a), (b)(1)(A), & (c)(1)(A). Specifically, the Court is "a district court of the United States (including a magistrate judge of such a court) ... that has jurisdiction over the offense being investigated." 18 U.S.C. § 2711(3)(A)(i). The offense conduct included activities in Washington, D.C., as detailed below, including in paragraph 19.

SUMMARY

7. On or about July 25, 2016, Roger STONE emailed Jerome CORSI to "Get to Assange" at the Ecuadorian Embassy and "get pending WikiLeaks emails[.]" On or about July 31, 2016, STONE also instructed CORSI to have contact Julian ASSANGE. On or about August 2, 2016, CORSI responded to STONE that the "word is friend in embassy [ASSANGE] plans 2 more dumps. One shortly after I'm back. 2nd in October. Impact planned to be very damaging .... Time to let more than Podesta to be exposed as in bed w enemy if they are not ready to drop HRC."
After receipt of that message, on or about August 21, 2016, using @RogerJStoneJR, Stone tweeted: "Trust me, it will soon the [sic] Podesta's time in the barrel. #CrookedHillary."

8. Information disclosures subsequently occurred on or about the times CORSI predicted: On or about August 12, 2016, the day CORSI was scheduled to return to the United States ("shortly after I'm back"), Guccifer 2.0 released hacked information related to the Democratic Congressional Campaign Committee (DCCC). On or about October 7, 2016, the day the Washington Post published a breaking story about an Access Hollywood videotape of then-candidate Trump making disparaging remarks about women, WikiLeaks released emails hacked from the account of John Podesta.

9. Furthermore, on the day of the Access Hollywood video disclosure, there were phone calls between STONE and CORSI after the Washington Post contacted STONE prior to publication. At approximately 11:00AM, the Washington Post received a tip regarding the Access Hollywood video. Approximately one hour later, shortly before noon, STONE received a call from the Washington Post. Approximately ninety minutes later, before 2:00 PM, STONE called CORSI and they spoke. Approximately forty minutes later, CORSI called STONE and the two spoke again at length. At approximately 4:00PM, the Washington Post published its story regarding the Access Hollywood tape. By approximately 4:30PM, WikiLeaks tweeted out its first release of emails hacked from John Podesta.

PROBABLE CAUSE

A. Background on Relevant Individuals

i. Roger STONE

11. Roger STONE is a self-employed political strategist/consultant and has been actively involved in U.S. politics for decades. STONE worked on the presidential campaign of Donald J. Trump (the "Campaign") until August 2015.
Although Stone had no official relationship with the Campaign thereafter, STONE maintained his support for Trump and continued to make media appearances in support of Trump's presidential campaign. As described further below, STONE also maintained contact with individuals employed by the Campaign, including then-campaign chairman Paul MANAFORT and deputy chairman Rick GATES.

ii. Jerome CORSI

12. Jerome CORSI is a political commentator who, according to publicly available information, currently serves as the "Washington Bureau Chief for Inforwars.com." According to publicly-available sources, from 2014 until January 2017, CORSI was a "senior staff reporter" for the website "World Net Daily" a/k/a "WND.com." CORSI has also written a number of books regarding Democratic presidential candidates. As described further below, CORSI was in contact with STONE during the summer and fall of 2016 regarding forthcoming disclosures of hacked information by WikiLeaks, and appears to have obtained information regarding upcoming disclosures which he relayed to STONE.

B. U.S. Intelligence Community (USIC) Assessment of Russian Government-Backed Hacking Activity during the 2016 Presidential Election

14. On October 7, 2016, the U.S. Department of Homeland Security and the Office of the Director of National Intelligence released a joint statement of an intelligence assessment of Russian activities and intentions during the 2016 presidential election. In the report, the USIC assessed the following, with emphasis added:

15. The U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of emails from US persons and institutions, including from US political organizations.
The recent disclosures of alleged hacked emails on sites like DCLeaks.com and WikiLeaks and by the Guccifer 2.0 online persona are consistent with the methods and motivations of Russian-directed efforts. These thefts and disclosures are intended to interfere with the US election process. Such activity is not new to Moscow - the Russians have used similar tactics and techniques across Europe and Eurasia, for example, to influence public opinion there. We believe, based on the scope and sensitivity of these efforts, that only Russia's senior-most officials could have authorized these activities.

16. On January 6, 2017, the USIC released a declassified version of an intelligence assessment of Russian activities and intentions during the 2016 presidential election entitled, "Assessing Russian Activities and Intentions in Recent US Elections." In the report, the USIC assessed the following:

17. "Russian President Vladimir Putin ordered an influence campaign in 2016 aimed at the US presidential election. Russia's goals were to undermine public faith in the US democratic process, denigrate [former] Secretary [of State Hillary] Clinton, and harm her electability and potential presidency. We further assess Putin and the Russian Government developed a clear preference for President-elect Trump."

18. The USIC also described, at a high level, some of the techniques that the Russian government employed during its interference. The USIC summarized the efforts as a "Russian messaging strategy that blends covert intelligence operations - such as cyber activity - with overt efforts by Russian Government agencies, state-funded media, third-party intermediaries, and paid social media users or 'trolls.'"

19.
With respect to "cyber activity," the USIC assessed that "Russia's intelligence services conducted cyber operations against targets associated with the 2016 US presidential election, including targets associated with both major US political parties." Further, "[i]n July 2015, Russian intelligence gained access to Democratic National Committee (DNC) networks and maintained that access until at least June 2016." The USIC attributed these cyber activities to the Russian GRU, also known as the Main Intelligence Directorate: "GRU operations resulted in the compromise of the personal e-mail accounts of Democratic Party officials and political figures. By May, the GRU had exfiltrated large volumes of data from the DNC." The GRU is the foreign military intelligence agency of the Russian Ministry of Defense, and is Russia's largest foreign intelligence agency.

20. With respect to the release of stolen materials, the USIC assessed "with high confidence that the GRU used the Guccifer 2.0 persona, DCLeaks.com, and WikiLeaks to release US victim data obtained in cyber operations publicly and in exclusives to media outlets."

21. Guccifer 2.0, who claimed to be an independent Romanian hacker, made multiple contradictory statements and false claims about his identity throughout the election.

C. Additional Hacking Activity by Individuals Associated with the GRU

22. The Special Counsel's Office has determined that individuals associated with the GRU continued to engage in hacking activity related to the 2016 campaign through at least November 1, 2016.

23. For example, in or around September 2016, these individuals successfully gained access to DNC computers housed on a third-party cloud-computing service. In or around late September, these individuals stole data from these cloud-based computers by creating backups of the DNC's cloud-based systems using the cloud provider's own technology.
The individuals used three new accounts with the same cloud computing service to move the "snapshots" to those accounts.

24. On or about September 4, 2016, individuals associated with the GRU stole the emails from a former White House advisor who was then advising the Clinton Campaign. These emails were later posted on DCLeaks.

25. On or about November 1, 2016, individuals associated with the GRU spearphished over 100 accounts used by organizations and personnel involved in administering elections in numerous Florida counties.

D. Roger Stone's Public Interactions with Guccifer 2.0 and WikiLeaks

26. On June 14, 2016, Crowdstrike, the forensic firm that sought to remediate an unauthorized intrusion into the computer systems of the DNC, publicly attributed the hack to Russian government actors and the media reported on the announcement. On June 15, 2016, the persona Guccifer 2.0 appeared and publicly claimed responsibility for the DNC hack. It stated on its WordPress blog that, with respect to the documents stolen from the DNC, "[t]he main part of the papers, thousands of files and mails, I gave to Wikileaks. They will publish them soon." In that post, Guccifer 2.0 also began releasing hacked DNC documents.

27. On July 22, 2016, WikiLeaks published approximately 20,000 emails stolen from the DNC.

28. On August 5, 2016, Roger Stone published an article on Breitbart.com entitled, "Dear Hillary: DNC Hack Solved, So Now Stop Blaming Russia." The article stated: "It doesn't seem to be the Russians that hacked the DNC, but instead a hacker who goes by the name of Guccifer 2.0." The article contained embedded publicly available Tweets from Guccifer 2.0 in the article and stated: "Here's Guccifer 2.0's website. Have a look and you'll see he explains who he is and why he did the hack of the DNC." The article also stated: "Guccifer 2.0 made a fateful and wise decision.
He went to WikiLeaks with the DNC files and the rest is history. Now the world would see for themselves how the Democrats had rigged the game."

29. On August 8, 2016, Stone addressed the Southwest Broward Republican Organization. During his speech, he was asked about a statement by WikiLeaks founder Julian Assange to Russia Today (RT) several days earlier about an upcoming "October Surprise" aimed at the Hillary Clinton presidential campaign. Specifically, Stone was asked: "With regard to the October surprise, what would be your forecast on that given what Julian Assange has intimated he's going to do?" Stone responded: "Well, it could be any number of things. I actually have communicated with Assange. I believe the next tranche of his documents pertain to the Clinton Foundation but there's no telling what the October surprise may be." A few days later, Stone clarified that while he was not personally in touch with Assange, he had a close friend who served as an intermediary.

30. On August 12, 2016, Guccifer 2.0 publicly tweeted: "@RogerJStoneJr thanks that u believe in the real #Guccifer2." That same day, Guccifer 2.0 released the personal cellphone numbers and email addresses from the files of the Democratic Congressional Campaign Committee (DCCC).

31. On August 13, 2016, Stone posted a tweet using @RogerJStoneJr calling Guccifer 2.0 a "HERO" after Guccifer 2.0 had been banned from Twitter. The next day, Guccifer 2.0's Twitter account was reinstated.

32. On August 17, 2016, Guccifer 2.0 publicly tweeted, "@RogerJStoneJr paying you back." Guccifer also sent a private message to @RogerJStoneJr stating "i'm pleased to say u r great man. please tell me if I can help u anyhow. it would be a great pleasure to me."

33. On August 18, 2016, Paul Manafort, Stone's longtime friend and associate, resigned as Chairman of the Trump Campaign.
Contemporary press reports at the time indicated that Manafort had worked with a Washington D.C.-based lobbying firms to influence U.S. policy toward Ukraine.

34. On August 21, 2016, using @RogerJStoneJR, Stone tweeted stating: "Trust me, it will soon the [sic] Podesta's time in the barrel. #CrookedHillary." In a C-SPAN interview that same day, Stone reiterated that because of the work of a '"mutual acquaintance' of both his and [Assange], the public [could] expect to see much more from the exiled whistleblower in the form of strategically-dumped Clinton email batches." He added: "Well, first of all, I think Julian Assange is a hero ... I think he's taking on the deep state, both Republican and Democrat. I believe that he is in possession of all of those emails that Huma Abedin and Cheryl Mills, the Clinton aides, believe they deleted. That and a lot more. These are like the Watergate tapes."

35. On September 16, 2016 Stone said in a radio interview with Boston Herald Radio that he expected WikiLeaks to "drop a payload of new documents on Hillary on a weekly basis fairly soon. And that of course will answer the question as to what exactly what was erased on that email server."

36. On Saturday, October 1, 2016, using @RogerJStoneJr, Stone Tweeted, "Wednesday @HillaryClinton is done. #WikiLeaks."

37. On Sunday, October 2, 2016, MSNBC Morning Joe producer Jesse Rodriquez tweeted regarding an announcement Julian Assange had scheduled for the next day from the balcony of the Ecuadoran Embassy in London. On the day of the Assange announcement which was part of WikiLeaks' 10-year anniversary celebration - Stone told Infowars that his intermediary described this release as the "mother load." On October 5, 2016, Stone used @RogerJStoneJr to tweet: "Payload coming. #Lockthemup."

38.
On Friday, October 7, 2016, at approximately 4:03 P.M., the Washington Post published an article containing a recorded conversation from a 2005 Access Hollywood shoot in which Mr. Trump had made a series of lewd remarks.

39. Approximately a half hour later, at 4:32 P.M., WikiLeaks sent a Tweet reading "RELEASE: The Podesta Emails #HillaryClinton #Podesta #imWithHer" and containing a link to approximately 2,050 emails that had been hacked from John Podesta's personal email account.

40. WikiLeaks continued to release John Podesta's hacked emails through Election Day, November 8, 2016. On October 12, 2016, John Podesta - referring back to Stone's August 21, 2016 C-SPAN and Twitter references - argued publicly that "[it is] a reasonable assumption to - or at least a reasonable conclusion - that [Stone] had advanced warning [of the release of his emails] and the Trump campaign had advanced warning about what Assange was going to do. I think there's at least a reasonable belief that [Assange] may have passed this information on to [Stone]." Commenting to the NBC News, Stone responded: "I have never met or spoken with Assange, we have a mutual friend who's traveled to London several times, and everything I know is through that channel of communications. I'm not implying I have any influence with him or that I have advanced knowledge of the specifics of what he is going to do. I do believe he has all of the e-mails that Huma Abedin and Cheryl Mills, the Clinton aides, thought were deleted. I hear that through my emissary."

41. On March 27, 2017, CNN reported that a representative of WikiLeaks, writing from an email address associated with WikiLeaks, denied that there was any backchannel communication during the Campaign between Stone and WikiLeaks.
The same article quoted Stone as stating: "Since I never communicated with WikiLeaks, I guess I must be innocent of charges I knew about the hacking of Podesta's email (speculation and conjecture) and the timing or scope of their subsequent disclosures. So I am clairvoyant or just a good guesser because the limited things I did predict (Oct disclosures) all came true."

E. Roger Stone's Private Twitter Direct Messages with WikiLeaks and Julian Assange.

42. On August 7, 2017, Chief Judge Beryl A. Howell issued a search warrant for the Twitter account @RogerJStoneJr.

43. On October 13, 2016, while WikiLeaks was in the midst of releasing the hacked Podesta emails, @RogerJStoneJr sent a private direct message to the Twitter account @wikileaks. This account is the official Twitter account of WikiLeaks and has been described as such by numerous news reports. The message read: "Since I was all over national TV, cable and print defending WikiLeaks and assange against the claim that you are Russian agents and debunking the false charges of sexual assault as trumped up bs you may want to rexamine the strategy of attacking me- cordially R."

44. Less than an hour later, @wikileaks responded by direct message: "We appreciate that. However, the false claims of association are being used by the democrats to undermine the impact of our publications. Don't go there if you don't want us to correct you."

45. On or about October 15, 2016, @RogerJStoneJr sent a direct message to @wikileaks: "Ha! The more you "correct" me the more people think you're lying. Your operation leaks like a sieve. You need to figure out who your friends are."

46. On or about November 9, 2016, one day after the presidential election, @wikileaks sent a direct message to @RogerJStoneJr containing a single word: "Happy?" @wikileaks immediately followed up with another message less than a minute later: "We are now more free to communicate."

47.
In addition, @RogerJStoneJr also exchanged direct messages with Julian Assange, the founder of WikiLeaks. For example, on June 4, 2017, @RogerJStoneJr directly messaged @JulianAssange, an address associated with Julian Assange in numerous public reports, stating: "Still nonsense. As a journalist it doesn't matter where you get information only that it is accurate and authentic. The New York Times printed the Pentagon Papers which were indisputably stolen from the government and the courts ruled it was legal to do so and refused to issue an order restraining the paper from publishing additional articles. If the US government moves on you I will bring down the entire house of cards. With the trumped-up sexual assault charges dropped I don't know of any crime you need to be pardoned for - best regards. R." That same day, @JulianAssange responded: "Between CIA and DoJ they're doing quite a lot. On the DoJ side that's coming most strongly from those obsessed with taking down Trump trying to squeeze us into a deal."

48. On Saturday, June 10, 2017, @RogerJStoneJr sent a direct message to @wikileaks, reading: "I am doing everything possible to address the issues at the highest level of Government. Fed treatment of you and WikiLeaks is an outrage. Must be circumspect in this forum as experience demonstrates it is monitored. Best regards R."

F. CORSI's Communications with STONE, and Others Regarding Forthcoming Leaks.

49. On September 11, 2017, Chief Judge Beryl A. Howell of the District of Columbia issued a search warrant for STONE's address, On October 17, 2017, Chief Judge Beryl A. Howell issued a search warrant for STONE's address, On or about December 19, 2017 Chief Judge Beryl A. Howell issued a search warrant for mail account. On or about March 14, 2018, Chief Judge Beryl A. Howell issued a search warrant for STONE's iCloud account.
Information recovered pursuant to those search warrants indicated the following:

50. On or about May 15, 2016, emailed CORSI at Target Account 3: "Here is my flight schedule. Need to get something confirmed now .... " CORSI responded, "I copied Roger Stone so he knows your availability to meet Manafort and DT this coming week." CORSI appears to have forwarded the message to STONE, who replied to CORSI that, "May meet Manafort - guarantee nothing."

51. On or about May 16, 2016, emailed CORSI on Target Account 3: "Outside of Wednesday 2-4 ... I am open. Do you have times for meeting on other things? Flexible re DJT. How about the head of finance for them?" CORSI responded, "I will work on other meetings today." replied, "Do you [want] me to bring you anything from the Old Country? I have a meeting now from 2-6 on Wednesday. Open all other times!!!"

52. On or about May 18, 2016, CORSI, using Target Account 3, emailed STONE with the Title, "Roger -- why don't you look this over before I send it I believe that CORSI wrote, and I did manage to see Mr. Trump for a few minutes today as we were waiting in Trump Tower to say hello to Mike Cohen. Mr. Trump recognized us immediately and was very cordial. He would look for this memo from you this afternoon."

53. On July 25, 2016, STONE sent an email to CORSI at Target Account 1 with the subject line, "Get to Assange." The body of the message read: "Get to Assange [a]t Ecuadorian Embassy in London and get the pending WikiLeaks emails ... they deal with Foundation, allegedly."

54. On or about July 31, 2016, STONE emailed CORSI at Target Account 1 with the subject line, "Call me MON." The body of the email read: " should see Assange[.] should find Bernie [S]anders brother who called Bill a Rapist - turn him for Trump[.] should find or more proof of Bill getting kicked out."

55.
On or about August 2, 2016 (approximately 19 days before STONE publicly tweeted about "Podesta's time in the barrel"), CORSI emailed STONE using Target Account 1, "Word is friend in embassy plans 2 more dumps. One shortly after I'm back. 2nd in Oct. Impact planned to be very damaging. Signs are Fox will have me on mid-Aug. more post Ailes shakeup underway. Expect Shine to surface victor, for now. Post-DNC bump for HRC an artifact of rigged polling. Won't last. I expect presidential campaign to get serious starting Sept. Still in preseason games. Time to let more than Podesta to be exposed as in bed w enemy if they are not ready to drop HRC. That appears to be the game hackers are now about. Would not hurt to start suggesting HRC old, memory bad, has stroke -- neither he nor she well. I expect that much of next dump focus, setting stage for Foundation debacle." Investigators believe that CORSI's reference to a "friend in embassy [who] plans 2 more dumps" refers to Julian ASSANGE, the founder of WikiLeaks, who resided in Ecuador's London Embassy in 2016.

56. On or about August 5, 2016, an associate of STONE's, emailed him a link to a poll indicating that Clinton led Trump by 15 points. STONE responded "enjoy it while u can[.] I dined with my new pal Julian Assange last night." subsequently stated to investigators that, around the same time, STONE told him he had gone to London to meet ASSANGE. also stated that in 2018, told STONE he would be interviewed by the FBI and would have to divulge the conversation about meeting ASSANGE. STONE told he was joking and had not actually met Assange.

57. On or about August 15, 2016, CORSI messaged STONE using Target Account 3: "Give me a call today if you can. Despite MSM drumroll that HRC is already elected, it's not over yet. More to come than anyone realizes. Won't really get started until after Labor Day. I'm in NYC this week. Jerry."

58.
On or about August 31, 2016, CORSI using Target Account 1 emailed STONE: "Did you get the PODESTA writeup." STONE replied "yes."

59. On or about August 31, 2016, CORSI, using Target Account 2, messaged STONE, "Podesta paid $180k to invest in Uranium One - was hired by Rosatom in Giustra scandal. Podesta now under FBI investigation - tied to Ukraine Yanukovych - Panama papers reveals Podesta hired by S[b]erbank, Russia's largest financial institution - Podesta $$$ ties to Russia undermine Clinton false narrative attempting to tie Trump to Putin."

60. On or about September 6, 2016, CORSI emailed STONE using Target Account 3: "Roger[,] Is NY Post going to use the Pedesta [sic] stuff?"

61. On or about September 24, 2016, emailed CORSI, "I will have much more on Turkey. Need a back channel highly sensitive stuff." CORSI responded using Target Account 3, "We have secure back channel through Roger. I saw him again in NYC last Friday and spoke to him about it again today." wrote back, "Awaiting secret file. Explosive ... Hope you are well. Can't wait for the debate. Channeling Reagan, I hope!" CORSI responded, "Keep me posted about file[.]" In a subsequent meeting with investigators, indicated this conversation concerned possible derogatory information he was trying to obtain from Turkey.

62. On or about October 3, 2016, an associate of STONE emailed STONE and asked: "Assange-what's he got? Hope it's good." Stone wrote back, "It is. I'd tell Bannon but he doesn't call me back. My book on the TRUMP campaign will be out in Jan. Many scores will be settled." The associate forwarded the email to Steve BANNON and wrote: "You should call Roger. See below. You didn't get from me." BANNON wrote back, "I've got important stuff to worry about." The associate responded, "Well clearly he knows what Assange has. I'd say that's important."

63.
On or about October 4, 2016, ASSANGE gave a press conference at the Ecuadorian Embassy. There had been speculation in the press leading up to that event that ASSANGE would release information damaging to then-candidate Clinton, but WikiLeaks did not make any new releases. Instead, ASSANGE promised more documents, including information "affecting three powerful organizations in three different states, as well as, of course, information previously referred to about the U.S. election process." ASSANGE also stated that WikiLeaks would publish documents on various subjects every week for the next ten weeks, and vowed that the U.S. election-related documents would all come out before Election Day.

64. On or about October 4, 2016, CORSI messaged STONE using Target Account 2, "Assange made a fool of himself. Has nothing or he would have released it. Total BS hype."

65. That same day, BANNON emailed STONE, "What was that this morning???" STONE replied, "Fear. Serious security concern. He thinks they are going to kill him and the London police are standing done [sic]." BANNON wrote back, "He didn't cut deal w/ clintons???" Stone replied, "Don't think so BUT his lawyer is a big democrat."

66. When BANNON spoke with investigators during a voluntary proffer on February 14, 2018, he initially denied knowing whether the October 4, 2016 email to STONE was about WikiLeaks. Upon further questioning, BANNON acknowledged that he was asking STONE about WikiLeaks, because he had heard that STONE had a channel to ASSANGE, and BANNON had been hoping for releases of damaging information that morning.

G. STONE and CORSI Communications on October 7, 2016, when the Podesta Emails Are Released.

67.
According to a publicly available news article,1 at approximately 11AM on Friday, October 7, 2016, Washington Post reporter David Fahrenthold received a phone call from a source regarding a previously unaired video of candidate Trump. According to the same article, "Fahrenthold didn't hesitate. Within a few moments of watching an outtake of footage from a 2005 segment on 'Access Hollywood,' the Washington Post reporter was on the phone, calling Trump's campaign, 'Access Hollywood' and NBC for reaction."

68. According to phone records, at approximately 11:27AM, CORSI placed a call to STONE which STONE did not answer.

69. At approximately 11:53AM, STONE received a phone call from the Washington Post. The call lasted approximately twenty minutes.

70. At approximately 1:42PM, STONE called CORSI and the two spoke for approximately seventeen minutes.

71. At approximately 2:18PM, CORSI called STONE and the two spoke for approximately twenty minutes.

1 https://www.washingtonpost.com/lifestyle/style/the-caller-had-a-lewd-tape-of-donald-trump-then-the-race-was-on/2016/10/07/31d74714-8ce5-11e6-875e-2c1bfe943b66_story.html

72. At approximately 4:00PM, the Washington Post published a story regarding the Access Hollywood tape.

73. At approximately 4:30PM, WikiLeaks tweeted out its first release of emails hacked from John Podesta that focused primarily on materials related to the Clinton Foundation. On or about August 2, 2016, when CORSI emailed STONE on Target Account 1, he wrote "I expect that much of next dump focus, setting stage for Foundation debacle."

74. At approximately 6:27PM, sent STONE an email titled, "WikiLeaks - The Podesta Emails" with a link to the newly-released Podesta emails. Approximately ten minutes later, STONE forwarded message to CORSI at Target Account 1 without comment. STONE does not appear to have forwarded the email to any other individual.

H.
STONE Requests to CORSI for "SOMETHING" to Post About Podesta After STONE Is Accused of Advance Knowledge of the Leak

75. On or about October 8, 2016, STONE messaged CORSI at Target Account 2, "Lunch postponed- have to go see T." CORSI responded to STONE, "Ok. I understand." Approximately twenty minutes later, CORSI texted, "Clintons know they will lose a week of Paula Jones media with T attacking Foundation, using Wikileaks Goldman Sachs speech comments, attacking bad job numbers."

76. On or about Wednesday, October 12, 2016, at approximately 8:17 EDT, STONE emailed CORSI at Target Account 1, asking him to "send me your best podesta links." STONE emailed CORSI at approximately 8:$$ EDT, "need your BEST podesta pieces." CORSI wrote back at approximately 8:54AM EDT, "Ok. Monday. The remaining stuff on Podesta is complicated. Two articles in length. I can give you in raw form the stuff I got in Russian translated but to write it up so it's easy to understand will take weekend. Your choice?"

77. On or about that same day October 12, 2016, Podesta accused STONE of having advance knowledge of the publication of his emails. At approximately 3:25PM EDT, CORSI, using Target Account 1, emailed STONE with a subject line "Podesta talking points." Attached to the email was a file labeled, "ROGER STONE podesta talking points Oct 12 2016.docx." The "talking points" included the statement that "Podesta is at the heart of a Russian-government money laundering operation that benefits financially Podesta personally and the Clintons through the Clinton Foundation."

78. CORSI followed up several minutes later with another email titled, "Podesta talking points," with the text "sent a second time just to be sure you got it." STONE emailed CORSI back via the Hotmail Account, "Got them and used them."

79.
On or about Thursday, October 13, 2016, CORSI, using Target Account 3, emailed STONE: "PODESTA -- Joule & ties to RUSSIA MONEY LAUNDERING to CLINTON FOUNDATION." STONE responded, "Nice but I was hoping for a piece I could post under my by-line since I am the one under attack by Podesta and now Mook." CORSI wrote back to STONE, "I'll give you one more -NOBODY YET HAS THIS[:] It looks to me like skimmed maybe billions off Skolkovo - Skolkovo kept their money with Metcombank[.] The Russians launched a criminal investigation[.] [web link] Once had the channel open from Metcombank to Deutsche Bank America to Ban[k] of America's Clinton Fund account, there's no telling how much money he laundered, or where it ended up. Nothing in Clinton Foundation audited financials or IRS Form 990s about $$$ received via Russia & Metcombank[.] I'm working on that angle now." STONE replied, "Ok Give me SOMETHING to post on Podesta since I have now promised it to a dozen MSM reporters[.]"

80. On or about Thursday, October 13, 2016 at approximately 6:30PM EDT, CORSI sent STONE an email with the Subject, "ROGER STONE article RUSSIAN MAFIA STYLE MONEY-LAUNDERING, the CLINTON FOUNDATION, and JOHN PODESTA." The text stated: "Roger[,] You are free to publish this under your own name." That same day, STONE posted a blog post with the title, "Russian Mafia money laundering, the Clinton Foundation and John Podesta." In that post, STONE wrote, "although I have had some back-channel communications with Wikileaks I had no advance notice about the hacking of Mr. Podesta nor I have I ever received documents or data from Wikileaks."
The post then asked, "Just how much money did , a controversial Russian billionaire investor with ties to the Vladimir Putin and the Russian government, launder through Metcombank, a Russian regional bank owned 99.978 percent by with the money transferred via Deutsche Bank and Trust Company Americas in New York City, with the money ending up in a private bank account in the Bank of America that is operated by the Clinton Foundation?"

81. On or about October 14, 2016, CORSI sent a message using Target Account 2 to STONE, "i'm in NYC. Thinking about writing piece attacking Leer and other women. It's basically a rewrite of what's out there. Going through new Wikileaks drop on Podesta."

82. On or about October 17, 2016, CORSI messaged STONE using Target Account 2, "On Assange, can you call me now - before 2pm[.]" STONE responded, "Missed u - just landed JFK- on Infowars now." CORSI wrote back, "Call afterwards. Have some important intel to share."

83. On or about October 17, 2016, CORSI, using Target Account 1, emailed STONE with the subject, "Fwd: ASSANGE ... URGENT ... " CORSI wrote, "From a very trusted source," and forwarded an email with the header information stripped out, showing only the body text. The email read, "Yes[.] I figured this. Assange is threatening Kerry, Ecuador and U.K. He will drop the goods on them if they move to extradite him. My guess is that he has a set of dead man files that include Hillary. It's what they used to call a 'Mexican stand off[.]' Only hope is that if Trump speaks out to save him[.] Otherwise he's dead anyway, once he's dropped what he has. If HRC wins, Assange can kiss his life away. Interesting gambit Assange has to play out. He's called Podesta's bluff and raised him the election."

84. On or about October 18, 2016, CORSI messaged STONE using Target Account 2, "Pls call. Important."

85.
On or about October 19, 2016, STONE published an article on Breitbart.com in which he claimed he had, "no advance notice of Wikileaks' hacking of Podesta's e-mails." STONE stated that, "I predicted that Podesta's business dealings would be exposed. I didn't hear it from Wikileaks, although Julian Assange and I share a common friend. I reported the story on my website." STONE linked to the story he had asked CORSI to write for him on October 13, 2016 discussed above.

86. On or about November 8, 2016, the United States presidential election took place.

87. On or about November 9, 2016, CORSI, using Target Account 2, messaged STONE, "Congratulations, Roger. He could not have done it without you."

88. On or about November 10, 2016, CORSI messaged STONE using Target Account 2, "Are you available to talk on phone?" Several minutes later, CORSI messaged, "I'm in London. Have some interesting news for you."

BACKGROUND CONCERNING EMAIL

96. In my training and experience, I have learned the Providers provide a variety of on-line services, including electronic mail ("email") to the public. The Providers allow subscribers to obtain email accounts at the domain names identified in the email address contained in Attachment A and C. Subscribers obtain an account by registering with the Providers. During the registration process, the Providers ask subscribers to provide basic personal information. Therefore, the computers of the Providers are likely to contain stored electronic communications (including retrieved and unretrieved email) for their subscribers and information concerning subscribers and their use of services, such as account access information, email transaction information, and account application information.
In my training and experience, such information may constitute evidence of the crimes under investigation because the information can be used to identify the account's user or users.

97. In my training and experience, email Providers generally ask their subscribers to provide certain personal identifying information when registering for an email account. Such information can include the subscriber's full name, physical address, telephone numbers and other identifiers, alternative email addresses, and, for paying subscribers, means and source of payment (including any credit or bank account number). In my training and experience, such information may constitute evidence of the crimes under investigation because the information can be used to identify the account's user or users. Based on my training and my experience, I know that, even if subscribers insert false information to conceal their identity, this information often provides clues to their identity, location, or illicit activities.

98. In my training and experience, email Providers typically retain certain transactional information about the creation and use of each account on their systems. This information can include the date on which the account was created, the length of service, records of log-in (i.e., session) times and durations, the types of service utilized, the status of the account (including whether the account is inactive or closed), the methods used to connect to the account (such as logging into the account via the Providers' website), and other log files that reflect usage of the account. In addition, email Providers often have records of the Internet Protocol address ("IP address") used to register the account and the IP addresses associated with particular logins to the account.
Because every device that connects to the Internet must use an IP address, IP address information can help to identify which computers or other devices were used to access the email account.

99. In my training and experience, in some cases, email account users will communicate directly with an email service Providers about issues relating to the account, such as technical problems, billing inquiries, or complaints from other users. Email Providers typically retain records about such communications, including records of contacts between the user and the Providers' support services, as well as records of any actions taken by the Providers or user as a result of the communications. In my training and experience, such information may constitute evidence of the crimes under investigation because the information can be used to identify the account's user or users.

100. As explained herein, information stored in connection with an email account may provide crucial evidence of the "who, what, why, when, where, and how" of the criminal conduct under investigation, thus enabling the United States to establish and prove each element or alternatively, to exclude the innocent from further suspicion. In my training and experience, the information stored in connection with an email account can indicate who has used or controlled the account. This "user attribution" evidence is analogous to the search for "indicia of occupancy" while executing a search warrant at a residence. For example, email communications, contacts lists, and images sent (and the data associated with the foregoing, such as date and time) may indicate who used or controlled the account at a relevant time. Further, information maintained by the email Providers can show how and when the account was accessed or used.
For example, as described below, email Providers typically log the Internet Protocol (IP) addresses from which users access the email account, along with the time and date of that access. By determining the physical location associated with the logged IP addresses, investigators can understand the chronological and geographic context of the email account access and use relating to the crime under investigation. This geographic and timeline information may tend to either inculpate or exculpate the account owner. Additionally, information stored at the user's account may further indicate the geographic location of the account user at a particular time (e.g., location information integrated into an image or video sent via email). Last, stored electronic data may provide relevant insight into the email account owner's state of mind as it relates to the offense under investigation. For example, information in the email account may indicate the owner's motive and intent to commit a crime (e.g., communications relating to the crime), or consciousness of guilt (e.g., deleting communications in an effort to conceal them from law enforcement).

101. In my training and experience, information such as search history can help to show the state of mind of an individual at the time the search was made, as well as the individual's potential advance knowledge of events, as they search to see if the anticipated event has occurred.

INFORMATION REGARDING APPLE ID AND iCLOUD2

102. Apple is a United States company that produces the iPhone, iPad, and iPod Touch, all of which use the iOS operating system, and desktop and laptop computers based on the Mac OS operating system.

103. Apple provides a variety of services that can be accessed from Apple devices or, in some cases, other devices via web browsers or mobile and desktop applications ("apps").
As described in further detail below, the services include email, instant messaging, and file storage:

• Apple provides email service to its users through email addresses at the domain names mac.com, me.com, and icloud.com.

• iMessage and FaceTime allow users of Apple devices to communicate in real-time. iMessage enables users of Apple devices to exchange instant messages ("iMessages") containing text, photos, videos, locations, and contacts, while FaceTime enables those users to conduct video calls.

• iCloud is a file hosting, storage, and sharing service provided by Apple. iCloud can be utilized through numerous iCloud-connected services, and can also be used to store iOS device backups and data associated with third-party apps.

2 The information in this section is based on information published by Apple on its website, including, but not limited to, the following document and webpages: "U.S. Law Enforcement Legal Process Guidelines," available at http://images.apple.com/privacy/docs/legal-process-guidelines-us.pdf; "Create and start using an Apple ID," available at https://support.apple.com/en-us/HT203993; "iCloud," available at http://www.apple.com/icloud/; "What does iCloud back up?," available at https://support.apple.com/kb/PH12519; "iOS Security," available at https://www.apple.com/business/docs/iOS_Security_Guide.pdf, and "iCloud: How Can I Use iCloud?," available at https://support.apple.com/kb/PH26502.

• iCloud-connected services allow users to create, store, access, share, and synchronize data on Apple devices or via icloud.com on any Internet-connected device. For example, iCloud Mail enables a user to access Apple-provided email accounts on multiple Apple devices and on icloud.com.
iCloud Photo Library and My Photo Stream can be used to store and manage images and videos taken from Apple devices, and iCloud Photo Sharing allows the user to share those images and videos with other Apple subscribers. iCloud Drive can be used to store presentations, spreadsheets, and other documents. iCloud Tabs and bookmarks enable iCloud to be used to synchronize bookmarks and webpages opened in the Safari web browsers on all of the user's Apple devices. iWork Apps, a suite of productivity apps (Pages, Numbers, Keynote, and Notes), enables iCloud to be used to create, store, and share documents, spreadsheets, and presentations. iCloud Keychain enables a user to keep website username and passwords, credit card information, and Wi-Fi network information synchronized across multiple Apple devices.

• Game Center, Apple's social gaming network, allows users of Apple devices to play and share games with each other.

• Find My iPhone allows owners of Apple devices to remotely identify and track the location of, display a message on, and wipe the contents of those devices. Find My Friends allows owners of Apple devices to share locations.

• Location Services allows apps and websites to use information from cellular, Wi-Fi, Global Positioning System ("GPS") networks, and Bluetooth, to determine a user's approximate location.

• App Store and iTunes Store are used to purchase and download digital content. iOS apps can be purchased and downloaded through App Store on iOS devices, or through iTunes Store on desktop and laptop computers running either Microsoft Windows or Mac OS. Additional digital content, including music, movies, and television shows, can be purchased through iTunes Store on iOS devices and on desktop and laptop computers running either Microsoft Windows or Mac OS.

104.
Apple services are accessed through the use of an "Apple ID," an account created during the setup of an Apple device or through the iTunes or iCloud services. A single Apple ID can be linked to multiple Apple services and devices, serving as a central authentication and syncing mechanism.

105. An Apple ID takes the form of the full email address submitted by the user to create the account; it can later be changed. Users can submit an Apple-provided email address (often ending in @icloud.com, @me.com, or @mac.com) or an email address associated with a third-party email provider (such as Gmail, Yahoo, or Hotmail). The Apple ID can be used to access most Apple services (including iCloud, iMessage, and FaceTime) only after the user accesses and responds to a "verification email" sent by Apple to that "primary" email address. Additional email addresses ("alternate," "rescue," and "notification" email addresses) can also be associated with an Apple ID by the user.

106. Apple captures information associated with the creation and use of an Apple ID. During the creation of an Apple ID, the user must provide basic personal information including the user's full name, physical address, and telephone numbers. The user may also provide means of payment for products offered by Apple. The subscriber information and password associated with an Apple ID can be changed by the user through the "My Apple ID" and "iForgot" pages on Apple's website. In addition, Apple captures the date on which the account was created, the length of service, records of log-in times and durations, the types of service utilized, the status of the account (including whether the account is inactive or closed), the methods used to connect to and utilize the account, the Internet Protocol address ("IP address") used to register and access the account, and other log files that reflect usage of the account.

107.
Additional information is captured by Apple in connection with the use of an Apple ID to access certain services. For example, Apple maintains connection logs with IP addresses that reflect a user's sign-on activity for Apple services such as iTunes Store and App Store, iCloud, Game Center, and the My Apple ID and iForgot pages on Apple's website. Apple also maintains records reflecting a user's app purchases from App Store and iTunes Store, "call invitation logs" for FaceTime calls, "query logs" for iMessage, and "mail logs" for activity over an Apple-provided email account. Records relating to the use of the Find My iPhone service, including connection logs and requests to remotely lock or erase a device, are also maintained by Apple.

108. Apple also maintains information about the devices associated with an Apple ID. When a user activates or upgrades an iOS device, Apple captures and retains the user's IP address and identifiers such as the Integrated Circuit Card ID number ("ICCID"), which is the serial number of the device's SIM card. Similarly, the telephone number of a user's iPhone is linked to an Apple ID when the user signs in to FaceTime or iMessage. Apple also may maintain records of other device identifiers, including the Media Access Control address ("MAC address"), the unique device identifier ("UDID"), and the serial number. In addition, information about a user's computer is captured when iTunes is used on that computer to play content associated with an Apple ID, and information about a user's web browser may be captured when used to access services through icloud.com and apple.com. Apple also retains records related to communications between users and Apple customer service, including communications regarding a particular Apple device or service, and the repair history for a device.

109.
Apple provides users with five gigabytes of free electronic space on iCloud, and users can purchase additional storage space. That storage space, located on servers controlled by Apple, may contain data associated with the use of iCloud-connected services, including: email (iCloud Mail); images and videos (iCloud Photo Library, My Photo Stream, and iCloud Photo Sharing); documents, spreadsheets, presentations, and other files (iWork and iCloud Drive); and web browser settings and Wi-Fi network information (iCloud Tabs and iCloud Keychain). iCloud can also be used to store iOS device backups, which can contain a user's photos and videos, iMessages, Short Message Service ("SMS") and Multimedia Messaging Service ("MMS") messages, voicemail messages, call history, contacts, calendar events, reminders, notes, app data and settings, Apple Watch backups, and other data. Records and data associated with third-party apps may also be stored on iCloud; for example, the iOS app for WhatsApp, an instant messaging service, can be configured to regularly back up a user's instant messages on iCloud Drive. Some of this data is stored on Apple's servers in an encrypted form but can nonetheless be decrypted by Apple.

110. In my training and experience, evidence of who was using an Apple ID and from where, and evidence related to criminal activity of the kind described above, may be found in the files and records described above. This evidence may establish the "who, what, why, when, where, and how" of the criminal conduct under investigation, thus enabling the United States to establish and prove each element or, alternatively, to exclude the innocent from further suspicion.

INFORMATION TO BE SEARCHED AND THINGS TO BE SEIZED

111. I anticipate executing this warrant under the Electronic Communications Privacy Act, in particular 18 U.S.C.
§§ 2703(a), 2703(b)(1)(A) and 2703(c)(1)(A), by using the warrant to require Google to disclose to the government copies of the records and other information (including the content of communications) associated with the accounts in Attachment A, C, and E and particularly described in Section I of Attachment B, D, and E. Upon receipt of the information described in Section I of Attachments B, D, and F, government-authorized persons will review that information to locate the items described in Section II of Attachment B, D, and F. The items identified in Attachments A-F will also be screened by reviewers not on the prosecution team to identify and filter out privileged material.

CONCLUSION

112. Based on the foregoing, I request that the Court issue the proposed search warrant.

113. Pursuant to 18 U.S.C. § 2703(g), the presence of a law enforcement officer is not required for the service or execution of this warrant.

REQUEST FOR SEALING

114. I further request that the Court order that all papers in support of this application, including the affidavit and search warrant, be sealed until further order of the Court. These documents discuss an ongoing criminal investigation, the full nature and extent of which is not known to all of the targets of the investigation. Accordingly, there is good cause to seal these documents because their premature disclosure may seriously jeopardize that investigation.

Andrew Mitchell
Special Agent
Federal Bureau of Investigation

Subscribed and sworn to before me on this [illegible] day of July, 2018.

The Honorable Beryl A. Howell
Chief United States District Judge

ATTACHMENT A

Property to be Searched

This warrant applies to information associated with the following email account:

1.
that is stored at premises owned, maintained, controlled, or operated by CSC Holdings, LLC, 1111 Stewart Avenue, Bethpage, NY 11714.

ATTACHMENT B

Particular Things to be Seized

I. Files and Accounts to be produced by the Provider:

To the extent that the information described in Attachment A is within the possession, custody, or control of the Provider including any messages, records, files, logs, images, videos, or information that have been deleted but are still available to the Provider or have been preserved pursuant to a preservation request under 18 U.S.C. § 2703(f), the Provider is required to disclose the following information to the government for each account or identifier listed in Attachment A:

a. The contents of all e-mails, attachments and chat messages stored in the account, including copies of e-mails sent to and from the account, draft e-mails, the source and destination e-mails sent addresses associated with each e-mail, the date and time at which each e-mail was sent, and the size and length of each e-mail;

b. All existing printouts from original storage of all of the electronic mail described above in Section I.A. above;

c. All internet search data including all queries and location data;

d. All transactional information of all activity of the account described above in Section I.A, including log files, dates, times, methods of connecting, ports, dial ups, and/or locations;

e. All records or other information stored by an individual using the account, including address books, contact and buddy lists, calendar data, pictures, and files;

f.
Records or other information regarding the identification of the account described above in Section I.A, to include application, full name, physical address, telephone numbers and other identifiers, records of session times and durations, log-in IP addresses associated with session times and dates, account status, alternative e-mail addresses provided during registration, all screen names associated with subscribers and/or accounts, all account names associated with the subscriber,

g. All records indicating the services available to subscribers of the electronic mail address described above in Section I.A.;

II. Information to be Seized by Law Enforcement Personnel

Any and all records that relate in any way to the accounts described in Attachment A which consists of evidence, fruits, or instrumentalities of violations of 18 U.S.C. § 1030 (fraud and related activities in connection with computers) and 18 U.S.C. § 371 (conspiracy to commit an offense against the United States) for the period from June 15, 2016 to November 10, 2016, including:

a. All records, information, documents or tangible materials that relate in any way to communications regarding hacking, release of hacked material, communications with persons or entities associated with WikiLeaks, including but not limited to Julian Assange, or communications regarding disinformation, denial, dissembling or other obfuscation about knowledge of, or access to hacked material;

b. All records, information, documents or tangible materials that relate in any way to communications or meetings involving Roger Stone, Julian Assange, or any individual associated with the Trump Campaign; All images, messages, communications, calendar entries, search terms, "address book" entries and contacts, including any and all preparatory steps taken in furtherance of the above-listed offenses;

c.
Communication, information, documentation and records relating to who created, used, or communicated with the account or identifier concerning the messages identified above, including records about their identities and whereabouts;

d. Evidence of the times the account was used;

e. All images, messages and communications regarding wiping software, encryption or other methods to avoid detection by law enforcement;

f. Passwords and encryption keys, and other access information that may be necessary to access the account and other associated accounts;

g. Credit card and other financial information, including but not limited to, bills and payment records evidencing ownership of the subject account;

h. All existing printouts from original storage which concern the categories identified in subsection II.A;

ATTACHMENT C

Property to be Searched

This warrant applies to information associated with the following Apple account:

1. that is stored at premises owned, maintained, controlled, or operated by Apple, Inc., located at One Apple Park Way, Cupertino, California 95014.

ATTACHMENT D

Particular Things to be Seized

I. Files and Accounts to be produced by the Provider:

To the extent that the information described in Attachment A is within the possession, custody, or control of Apple, regardless of whether such information is located within or outside of the United States, including any messages, records, files, logs, or information that have been deleted but are still available to Apple, or have been preserved pursuant to a request made under 18 U.S.C. § 2703(f), Apple is required to disclose the following information to the government, in unencrypted form whenever available, for each account or identifier listed in Attachment A:

a.
All records or other information regarding the identification of the account, to include full name, physical address, telephone numbers, email addresses (including primary, alternate, rescue, and notification email addresses, and verification information for each email address), the date on which the account was created, the length of service, the IP address used to register the account, account status, associated devices, methods of connecting, and means and source of payment (including any credit or bank account numbers);

b. All records or other information regarding the devices associated with, or used in connection with, the account (including all current and past trusted or authorized iOS devices and computers, and any devices used to access Apple services), including serial numbers, Unique Device Identifiers ("UDID"), Advertising Identifiers ("IDFA"), Global Unique Identifiers ("GUID"), Media Access Control ("MAC") addresses, Integrated Circuit Card ID numbers ("ICCID"), Electronic Serial Numbers ("ESN"), Mobile Electronic Identity Numbers ("MEIN"), Mobile Equipment Identifiers ("MEID"), Mobile Identification Numbers ("MIN"), Subscriber Identity Modules ("SIM"), Mobile Subscriber Integrated Services Digital Network Numbers ("MSISDN"), International Mobile Subscriber Identities ("IMSI"), and International Mobile Station Equipment Identities ("IMEI");

c. The contents of all emails associated with the account, including stored or preserved copies of emails sent to and from the account (including all draft emails and deleted emails), the source and destination addresses associated with each email, the date and time at which each email was sent, the size and length of each email, and the true and accurate header information including the actual IP addresses of the sender and the recipient of the emails, and all attachments;

d.
The contents of all instant messages associated with the account, including stored or preserved copies of instant messages (including iMessages, SMS messages, and MMS messages) sent to and from the account (including all draft and deleted messages), the source and destination account or phone number associated with each instant message, the date and time at which each instant message was sent, the size and length of each instant message, the actual IP addresses of the sender and the recipient of each instant message, and the media, if any, attached to each instant message;

e. The contents of all files and other records stored on iCloud, including all iOS device backups, all Apple and third-party app data, all files and other records related to iCloud Mail, iCloud Photo Sharing, My Photo Stream, iCloud Photo Library, iCloud Drive, iWork (including Pages, Numbers, Keynote, and Notes), iCloud Tabs and bookmarks, and iCloud Keychain, and all address books, contact and buddy lists, notes, reminders, calendar entries, images, videos, voicemails, device settings, and bookmarks;

f. All activity, connection, and transactional logs for the account (with associated IP addresses including source port numbers), including FaceTime call invitation logs, messaging and query logs (including iMessage, SMS, and MMS messages), mail logs, iCloud logs, iTunes Store and App Store logs (including purchases, downloads, and updates of Apple and third-party apps), My Apple ID and iForgot logs, sign-on logs for all Apple services, Game Center logs, Find My iPhone and Find My Friends logs, logs associated with web-based access of Apple services (including all associated identifiers), and logs associated with iOS device purchase, activation, and upgrades;

g.
All records and information regarding locations where the account or devices associated with the account were accessed, including all data stored in connection with Location Services, Find My iPhone, Find My Friends, and Apple Maps;

h. All records pertaining to the types of service used;

i. All records pertaining to communications between Apple and any person regarding the account, including contacts with support services and records of actions taken; and

j. All files, keys, or other information necessary to decrypt any data produced in an encrypted form, when available to Apple (including, but not limited to, the keybag.txt and fileinfolist.txt files).

II. Information to be Seized by Law Enforcement Personnel

Any and all records that relate in any way to the accounts described in Attachment A which consists of evidence, fruits, or instrumentalities of violations of 18 U.S.C. § 1030 (fraud and related activities in connection with computers) and 18 U.S.C. § 371 (conspiracy to commit an offense against the United States) for the period from June 15, 2016 to November 10, 2016, including:

a. All records, information, documents or tangible materials that relate in any way to communications regarding hacking, release of hacked material, communications with persons or entities associated with WikiLeaks, including but not limited to Julian Assange, or communications regarding disinformation, denial, dissembling or other obfuscation about knowledge of, or access to hacked material;

b. All records, information, documents or tangible materials that relate in any way to communications or meetings involving Roger Stone, , Julian Assange, or any individual associated with the Trump Campaign;

c. All images, messages, communications, calendar entries, search terms, and contacts, including any and all preparatory steps taken in furtherance of the above-listed offenses;

d.
Communication, information, documentation and records relating to who created, used, or communicated with the account or identifier, including records about their identities and whereabouts;

e. Evidence of the times the account was used;

f. All images, messages and communications regarding wiping software, encryption or other methods to avoid detection by law enforcement;

g. Passwords and encryption keys, and other access information that may be necessary to access the account and other associated accounts;

h. Credit card and other financial information, including but not limited to, bills and payment records evidencing ownership of the subject account;

i. All existing printouts from original storage which concern the categories identified in subsection II.A; and

j. All "address books" or other lists of contacts.

ATTACHMENT E

Property to be Searched

This warrant applies to information associated with the following email account:

that is stored at premises owned, maintained, controlled, or operated by Windstream Communications, Inc, with offices located at 11001 Executive Center Drive, Little Rock, Arkansas, 72211.

ATTACHMENT F

Particular Things to be Seized

I. Files and Accounts to be produced by the Provider:

To the extent that the information described in Attachment A is within the possession, custody, or control of the Provider including any messages, records, files, logs, images, videos, or information that have been deleted but are still available to the Provider or have been preserved pursuant to a preservation request under 18 U.S.C. § 2703(f), the Provider is required to disclose the following information to the government for each account or identifier listed in Attachment E:

a.
The contents of all e-mails, attachments and chat messages stored in the account, including copies of e-mails sent to and from the account, draft e-mails, the source and destination e-mails sent addresses associated with each e-mail, the date and time at which each e-mail was sent, and the size and length of each e-mail;

b. All existing printouts from original storage of all of the electronic mail described above in Section I.A. above;

c. All internet search data including all queries and location data;

d. All transactional information of all activity of the account described above in Section I.A, including log files, dates, times, methods of connecting, ports, dial ups, and/or locations;

e. All records or other information stored by an individual using the account, including address books, contact and buddy lists, calendar data, pictures, and files;

f. Records or other information regarding the identification of the account described above in Section I.A, to include application, full name, physical address, telephone numbers and other identifiers, records of session times and durations, log-in IP addresses associated with session times and dates, account status, alternative e-mail addresses provided during registration, all screen names associated with subscribers and/or accounts, all account names associated with the subscriber,

g. All records indicating the services available to subscribers of the electronic mail address described above in Attachment E;

II. Information to be Seized by Law Enforcement Personnel

Any and all records that relate in any way to the accounts described in Attachment A which consists of evidence, fruits, or instrumentalities of violations of 18 U.S.C. § 1030 (fraud and related activities in connection with computers) and 18 U.S.C. § 371 (conspiracy to commit an offense against the United States) for the period from June 15, 2016 to November 10, 2016, including:

a.
All records, information, documents or tangible materials that relate in any way to communications regarding hacking, release of hacked material, communications with persons or entities associated with WikiLeaks, including but not limited to Julian Assange, or communications regarding disinformation, denial, dissembling or other obfuscation about knowledge of, or access to hacked material;

b. All records, information, documents or tangible materials that relate in any way to communications or meetings involving Roger Stone, Julian Assange, or any individual associated with the Trump Campaign;

c. All images, messages, communications, calendar entries, search terms, "address book" entries and contacts, including any and all preparatory steps taken in furtherance of the above-listed offenses;

d. Communication, information, documentation and records relating to who created, used, or communicated with the account or identifier concerning the messages identified above, including records about their identities and whereabouts;

e. Evidence of the times the account was used;

f. All images, messages and communications regarding wiping software, encryption or other methods to avoid detection by law enforcement;

g. Passwords and encryption keys, and other access information that may be necessary to access the account and other associated accounts;

h. Credit card and other financial information, including but not limited to, bills and payment records evidencing ownership of the subject account;

i. All existing printouts from original storage which concern the categories identified above;

IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA

IN THE MATTER OF THE SEARCH OF INFORMATION ASSOCIATED WITH

Case: 1:18-sc-02401 Assigned To : Howell, Beryl A. Assign.
Date: 7/12/2018 Description: Search & Seizure Warrant

MOTION TO SEAL WARRANT AND RELATED DOCUMENTS AND TO REQUIRE NON-DISCLOSURE UNDER 18 U.S.C. § 2705(b)

The United States of America, moving by and through its undersigned counsel, respectfully moves the Court for an Order placing the above-captioned warrant and the application and affidavit in support thereof (collectively herein the "Warrant") under seal, and precluding the provider from notifying any person of the Warrant pursuant to 18 U.S.C. § 2705(b). In regard to the nondisclosure, the proposed Order would direct Apple Inc. ("Apple") an electronic communication and/or remote computing services provider headquartered in Cupertino, California not to notify any other person (except attorneys for Apple for the purpose of receiving legal advice) of the existence or content of the Warrant for a period of one year or until further order of the Court.

JURISDICTION AND LEGAL BACKGROUND

1. The Court has the inherent power to seal court filings when appropriate, including the Warrant. United States v. Hubbard, 650 F.2d 293, 315-16 (D.C. Cir. 1980) (citing Nixon v. Warner Communications, Inc., 435 U.S. 589, 598 (1978)). The Court may also seal the Warrant to prevent serious jeopardy to an ongoing criminal investigation when, as in the present case, such jeopardy creates a compelling governmental interest in preserving the confidentiality of the Warrant. See Washington Post v. Robinson, 935 F.2d 282, 287-89 (D.C. Cir. 1991).

2. In addition, this Court has jurisdiction to issue the requested order because it is "a court of competent jurisdiction" as defined by 18 U.S.C. § 2711. Specifically, the Court is a "district court of the United States ... that - has jurisdiction over the offense being investigated." 18 U.S.C. § 2711(3)(A)(i). As discussed fully below, acts or omissions in furtherance of the offense under investigation occurred within Washington, D.C.
See 18 U.S.C. § 3237.

3. Further, the Court has authority to require non-disclosure of the Warrant under 18 U.S.C. § 2705(b). Apple provides an "electronic communications service," as defined in 18 U.S.C. § 2510(15), and/or "remote computing service," as defined in 18 U.S.C. § 2711(2). The Stored Communications Act ("SCA"), 18 U.S.C. §§ 2701-2712, governs how Apple may be compelled to supply communications and other records using a subpoena, court order, or search warrant. Specifically, Section 2703(c)(2) authorizes the Government to obtain certain basic "subscriber information" using a subpoena, Section 2703(d) allows the Government to obtain other "non-content" information using a court order, and Section 2703(a)-(b)(1)(A) allows the Government to obtain contents of communications using a search warrant. See 18 U.S.C. § 2703.

4. The SCA does not set forth any obligation for providers to notify subscribers about subpoenas, court orders, or search warrants under Section 2703. However, many have voluntarily adopted policies of notifying subscribers about such legal requests. Accordingly, when necessary, Section 2705(b) of the SCA enables the Government to obtain a court order to preclude such notification. In relevant part, Section 2705(b) provides as follows:¹

(b) Preclusion of notice to subject of governmental access. - A governmental entity acting under section 2703 ... may apply to a court for an order commanding a provider of electronic communications service or remote computing service to whom a warrant, subpoena, or court order is directed, for such period as the court deems appropriate, not to notify any other person of the existence of the warrant, subpoena, or court order. The court shall enter such an order if it determines that there is reason to believe that notification of the existence of the warrant, subpoena, or court order will result in (1)
endangering the life or physical safety of an individual; (2) flight from prosecution; (3) destruction of or tampering with evidence; (4) intimidation of potential witnesses; or (5) otherwise seriously jeopardizing an investigation or unduly delaying a trial.

18 U.S.C. § 2705(b). The United States District Court for the District of Columbia has made clear that a nondisclosure order under Section 2705(b) must be issued once the Government makes the requisite showing about potential consequences of notification:

The explicit terms of section 2705(b) make clear that if a courts [sic] finds that there is reason to believe that notifying the customer or subscriber of the court order or subpoena may lead to one of the deleterious outcomes listed under § 2705(b), the court must enter an order commanding a service provider to delay notice to a customer for a period of time that the court determines is appropriate. Once the government makes the required showing under § 2705(b), the court is required to issue the non-disclosure order.

In re Application for Order of Nondisclosure Pursuant to 18 U.S.C. § 2705(b) for Grand Jury Subpoena #GJ2014031422765, 41 F. Supp. 3d 1, 5 (D.D.C. 2014).

¹ Section 2705(b) contains additional requirements for legal process obtained pursuant to 18 U.S.C. § 2703(b)(1)(B), but the Government does not seek to use the proposed Order for any legal process under that provision.

5. Accordingly, this motion to seal sets forth facts showing reasonable grounds to command Apple not to notify any other person (except attorneys for Apple for the purpose of receiving legal advice) of the existence of the Subpoena for a period of one year or until further order of the Court.

FACTS SUPPORTING SEALING AND NON-DISCLOSURE

6. At the present time, law enforcement officers of the FBI are conducting an investigation into violations related to 18 U.S.C.
§ 1030 (unauthorized access of a protected computer) and 18 U.S.C. § 371 (conspiracy) arising out of the conduct of Roger Stone, Jerome Corsi, and others. It does not appear that Stone and Corsi are currently aware of the full nature and scope of the ongoing FBI investigation. Disclosure of this warrant to Corsi could lead him to destroy evidence or notify others who may delete information relevant to the investigation.

REQUEST FOR SEALING AND NON-DISCLOSURE

7. In this matter, the government requests that the Warrant be sealed until further order of the Court and that Apple and its employees be directed not to notify any other person of the existence or content of the Warrant (except attorneys for Apple for the purpose of receiving legal advice) for a period of one year or until further order of the Court. Such an order is appropriate because the Warrant relates to an ongoing criminal investigation, the full scope of which is neither public nor known to the targets of the investigation, and its disclosure may alert these targets to the ongoing investigation and its scope. Once alerted to this investigation, potential targets would be immediately prompted to destroy or conceal incriminating evidence, alter their operational tactics to avoid future detection, and otherwise take steps to undermine the investigation and avoid future prosecution. In particular, given that they are known to use electronic communication and remote computing services, the potential target could quickly and easily destroy or encrypt digital evidence relating to their criminal activity.

8. Given the complex and sensitive nature of the criminal activity under investigation, and also given that the criminal scheme may be ongoing, the Government anticipates that this confidential investigation will continue for the next year or longer.
However, should circumstances change such that court-ordered nondisclosure under Section 2705(b) becomes no longer needed, the Government will notify the Court and seek appropriate relief.

9. There is, therefore, reason to believe that notification of the existence of the Warrant will seriously jeopardize the investigation, including by giving the targets an opportunity to flee from prosecution, destroy or tamper with evidence, and intimidate witnesses. See 18 U.S.C. § 2705(b)(2)-(5). Because of such potential jeopardy to the investigation, there also exists a compelling governmental interest in confidentiality to justify the government's sealing request. See Robinson, 935 F.2d at 287-89.

10. Based on prior dealings with Apple the United States is aware that, absent a court order under Section 2705(b) commanding Apple not to notify anyone about a legal request, it is Apple's policy and practice, upon receipt of a warrant seeking the contents of electronically stored wire or electronic communications for a certain account, to notify the subscriber or customer of the existence of the warrant prior to producing the material sought.

WHEREFORE, for all the foregoing reasons, the government respectfully requests that the above-captioned warrant, the application and affidavit in support thereof, and all attachments thereto and other related materials be placed under seal, and furthermore, that the Court command Apple not to notify any other person of the existence or contents of the above-captioned warrant (except attorneys for Apple for the purpose of receiving legal advice) for a period of one year or until further order of the Court.

Respectfully submitted,

ROBERT S. MUELLER, III
Special Counsel

Dated: [illegible]
By: [illegible]
The Special Counsel's Office
(202)-514-0637