Case 1:19-mc-00029-CRC Document 29-17 Filed 04/28/20 Page 1 of 33

AO 93 (Rev. 11/13) Search and Seizure Warrant

UNITED STATES DISTRICT COURT
for the District of Columbia

In the Matter of the Search of (Briefly describe the property to be searched or identify the person by name and address)

INFORMATION ASSOCIATED WITH ONE ACCOUNT STORED AT PREMISES CONTROLLED BY 1&1 MAIL & MEDIA, INC.

Case: 1:18-sc-02670
Assigned To: Howell, Beryl A.
Assign. Date: 8/20/2018
Description: Search & Seizure Warrant

SEARCH AND SEIZURE WARRANT

To: Any authorized law enforcement officer

An application by a federal law enforcement officer or an attorney for the government requests the search of the following person or property located in the Eastern District of Pennsylvania (identify the person or describe the property to be searched and give its location): See Attachment A

I find that the affidavit(s), or any recorded testimony, establish probable cause to search and seize the person or property described above, and that such search will reveal (identify the person or describe the property to be seized): See Attachment B

YOU ARE COMMANDED to execute this warrant on or before September 3, 2018 (not to exceed 14 days)
[x] in the daytime 6:00 a.m. to 10:00 p.m.
[ ] at any time in the day or night because good cause has been established.

Unless delayed notice is authorized below, you must give a copy of the warrant and a receipt for the property taken to the person from whom, or from whose premises, the property was taken, or leave the copy and receipt at the place where the property was taken.

The officer executing this warrant, or an officer present during the execution of the warrant, must prepare an inventory as required by law and promptly return this warrant and inventory to Hon. Rudolph Contreras, U.S. District Judge (United States Magistrate Judge)

[ ] Pursuant to 18 U.S.C. § 3103a(b), I find that immediate notification may have an adverse result listed in 18 U.S.C.
§ 2705 (except for delay of trial), and authorize the officer executing this warrant to delay notice to the person who, or whose property, will be searched or seized (check the appropriate box)
[ ] for ___ days (not to exceed 30)
[ ] until, the facts justifying, the later specific date of ___

Date and time issued:
City and state: Washington, DC
Judge's signature
Hon. Rudolph Contreras, U.S. District Judge
Printed name and title

AO 93 (Rev. 11/13) Search and Seizure Warrant (Page 2)

Return

Case No.:
Date and time warrant executed:
Copy of warrant and inventory left with:
Inventory made in the presence of:
Inventory of the property taken and name of any person(s) seized:

Certification

I declare under penalty of perjury that this inventory is correct and was returned along with the original warrant to the designated judge.

Date:
Executing officer's signature
Printed name and title

ATTACHMENT A

Property to be Searched

This warrant applies to information associated with the following 1&1 Mail account, which is stored at premises owned, maintained, controlled, or operated by 1&1 Mail & Media, Inc., a company headquartered in Chesterbrook, Pennsylvania:

ATTACHMENT B

I. Information to be disclosed by 1&1 Mail

To the extent that the information described in Attachment A is within the possession, custody, or control of 1&1 Mail & Media, Inc. (the "Provider"), including any messages, records, files, logs, or information that have been deleted but are still available to the Provider, or have been preserved pursuant to a request made under 18 U.S.C. § 2703(f), the Provider is required to disclose the following information to the government for each account listed in Attachment A:

a.
The contents of all emails associated with the account, including stored or preserved copies of emails sent to and from the account, draft emails, the source and destination addresses associated with each email, the date and time at which each email was sent, and the size and length of each email;

b. All records or other information regarding the identification of the account, to include full name, physical address, telephone numbers and other identifiers, records of session times and durations, the date on which the account was created, the length of service, the IP address used to register the account, log-in IP addresses associated with session times and dates, account status, alternative email addresses provided during registration, methods of connecting, log files, and means and source of payment (including any credit or bank account number);

c. The types of service utilized;

d. All records or other information stored at any time by an individual using the account, including address books, contact and buddy lists, calendar data, pictures, and files;

e. All records pertaining to communications between the Provider and any person regarding the account, including contacts with support services and records of actions taken;

f. All subscriber "change history" associated with the account;

g. All search history and web history associated with the account;

h. All location and maps information associated with the account;

i.
All device information associated with the account, including all instrument or telephone numbers (including MAC addresses, Electronic Serial Numbers ("ESN"), Mobile Electronic Identity Numbers ("MEIN"), Mobile Equipment Identifier ("MEID"), Mobile Identification Numbers ("MIN"), Subscriber Identity Modules ("SIM"), Mobile Subscriber Integrated Services Digital Network Number ("MSISDN"), International Mobile Subscriber Identifiers ("IMSI"), or International Mobile Equipment Identities ("IMEI")); and

j. For any accounts linked to the accounts listed in Attachment A, including accounts linked by cookie, SMS number, or recovery email address, and for accounts for which the accounts described in Attachment A are the recovery email address, provide all records or other information regarding the identification of the account, to include full name, physical address, telephone numbers and other identifiers, records of session times and durations, the date on which the account was created, the length of service, the IP address used to register the account, log-in IP addresses associated with session times and dates, account status, alternative email addresses provided during registration, methods of connecting, log files, and means and source of payment (including any credit or bank account number).

II. Information to be Seized by the Government

Any and all records that relate in any way to the accounts described in Attachment A which consist of evidence, fruits, or instrumentalities of violations of 18 U.S.C. § 2 (aiding and abetting), 18 U.S.C. § 3 (accessory after the fact), 18 U.S.C. § 4 (misprision of a felony), 18 U.S.C. § 371 (conspiracy), 18 U.S.C. § 1030 (unauthorized access of a protected computer); 18 U.S.C. § 1343 (wire fraud), 18 U.S.C. § 1349 (attempt and conspiracy to commit wire fraud); and 52 U.S.C. § 30121 (foreign contribution ban), including:

a.
Evidence of unauthorized access to protected computers;

b. Evidence of the distribution or transfer of data obtained through unauthorized access to protected computers;

c. Evidence indicating how and when the account was accessed or used, to determine the geographic and chronological context of account access, use, and events relating to the crimes under investigation and to the account owner;

d. Evidence indicating the account owner's state of mind as it relates to the crimes under investigation;

e. The identity of the person(s) who created or used the account, including records that help reveal the whereabouts of such person(s);

f. Communications, records, documents, and other files related to any expenditure, independent expenditure, or disbursement for an electioneering communication;

g. Records of any funds or benefits disbursed by or offered on behalf of any foreign government, foreign officials, foreign entities, foreign persons, or foreign principals;

h. Communications, records, documents, and other files that reveal efforts by any person to conduct activities on behalf of, for the benefit of, or at the direction of any foreign government, foreign officials, foreign entities, foreign persons, or foreign principals;

i. The identity of any non-U.S. person(s)-including records that help reveal the whereabouts of the person(s)-who made any expenditure, independent expenditure, or disbursement for an electioneering communication; and

j. The identity of any person(s)-including records that help reveal the whereabouts of the person(s)-who communicated with the account about any matters relating to activities conducted by on behalf of, for the benefit of, or at the direction of any foreign government, foreign officials, foreign entities, foreign persons, or foreign

AO 106 (Rev.
04/10) Application for a Search Warrant

UNITED STATES DISTRICT COURT
for the District of Columbia

In the Matter of the Search of (Briefly describe the property to be searched or identify the person by name and address)

INFORMATION ASSOCIATED WITH ONE ACCOUNT STORED AT PREMISES CONTROLLED BY 1&1 MAIL & MEDIA, INC.

Clerk, U.S. District & Bankruptcy Courts for the District of Columbia

Case: 1:18-sc-02670
Assigned To: Howell, Beryl A.
Assign. Date: 8/20/2018
Description: Search & Seizure Warrant

APPLICATION FOR A SEARCH WARRANT

I, a federal law enforcement officer or an attorney for the government, request a search warrant and state under penalty of perjury that I have reason to believe that on the following person or property (identify the person or describe the property to be searched and give its location): See Attachment A

located in the Eastern District of Pennsylvania, there is now concealed (identify the person or describe the property to be seized): See Attachment B

The basis for the search under Fed. R. Crim. P. 41(c) is (check one or more):
[x] evidence of a crime;
[x] contraband, fruits of crime, or other items illegally possessed;
[x] property designed for use, intended for use, or used in committing a crime;
[ ] a person to be arrested or a person who is unlawfully restrained.

The search is related to a violation of:

Code Section: 52 U.S.C. § 30121
Offense Description: Foreign Contribution Ban

Code Section: 18 U.S.C. §§ 1030, 371
Offense Description: Unauthorized Access of Protected Computer, Conspiracy

See Affidavit for add'l

The application is based on these facts: See attached Affidavit.

[x] Continued on the attached sheet.
[ ] Delayed notice of ___ days (give exact ending date if more than 30 days: ___) is requested under 18 U.S.C. § 3103a, the basis of which is set forth on the attached sheet.

Reviewed by AUSA/SAUSA: Kyle R. Freeny (ASC)

Patrick J.
Myers, Special Agent, FBI
Printed name and title

Sworn to before me and signed in my presence.

Date:
City and state: Washington, D.C.
Hon. Rudolph Contreras, U.S. District Judge
Printed name and title

IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA

IN THE MATTER OF THE SEARCH OF INFORMATION ASSOCIATED WITH ONE ACCOUNT STORED AT PREMISES CONTROLLED BY 1&1 MAIL & MEDIA, INC.

AUG 20 2018
Clerk, U.S. District & Bankruptcy Courts for the District of Columbia

Case: 1:18-sc-02670
Assigned To: Howell, Beryl A.
Assign. Date: 8/20/2018
Description: Search & Seizure Warrant

AFFIDAVIT IN SUPPORT OF AN APPLICATION FOR A SEARCH WARRANT

I, Patrick J. Myers, being first duly sworn, hereby depose and state as follows:

INTRODUCTION AND AGENT BACKGROUND

1. I make this affidavit in support of an application for a search warrant for information associated with the account ("Target Account"), stored at premises owned, maintained, controlled or operated by 1&1 Mail & Media, Inc. ("1&1 Mail"), a company headquartered in Chesterbrook, Pennsylvania. The information to be disclosed by 1&1 Mail and searched by the government is described in the following paragraphs and in Attachments A and B.

2. I am a Special Agent with the Federal Bureau of Investigation ("FBI") assigned to FBI Pittsburgh working directly with the Special Counsel's Office. I have been a Special Agent with the FBI since 2017. I was previously employed as a network and software engineer for approximately fifteen years, including for the FBI. As a Special Agent, I have conducted national security investigations relating to foreign intelligence and cybersecurity.

3. The facts in this affidavit come from my personal observations, my training and experience, and information obtained from other FBI personnel and witnesses.
This affidavit is intended to show merely that there is sufficient probable cause for the requested warrant and does not set forth all of my knowledge about this matter.

4. Based on my training and experience and the facts as set forth in this affidavit, there is probable cause to believe that the Target Account contains evidence, fruits, or instrumentalities of violations of 18 U.S.C. § 371 (conspiracy), 18 U.S.C. § 2 (aiding and abetting), 18 U.S.C. § 3 (accessory after the fact), 18 U.S.C. § 4 (misprision of a felony), 18 U.S.C. § 951 (acting as an unregistered foreign agent), 18 U.S.C. § 1030 (unauthorized access of a protected computer), 18 U.S.C. § 1343 (wire fraud), and 18 U.S.C. § 1349 (attempt and conspiracy to commit wire fraud), and 52 U.S.C. § 30121(a)(1)(C) (foreign expenditure ban). There also is probable cause to search the information described in Attachment A for evidence, contraband, fruits, and/or instrumentalities of the Subject Offenses, further described in Attachment B.

JURISDICTION

5. This Court has jurisdiction to issue the requested warrant because it is "a court of competent jurisdiction" as defined by 18 U.S.C. § 2711. Id. §§ 2703(a), (b)(1)(A), & (c)(1)(A). Specifically, the Court is "a district court of the United States (including a magistrate judge of such a court) ... that has jurisdiction over the offense being investigated." 18 U.S.C. § 2711(3)(A)(i). The offense conduct included activities in Washington, D.C., as detailed below.

PROBABLE CAUSE

A. Russian Government-Backed Hacking Activity during the 2016 Presidential Election

6. On June 14, 2016, the cybersecurity firm CrowdStrike, Inc. and its affiliates ("CrowdStrike") published a blog post entitled, "Bears in the Midst: Intrusion into the Democratic National Committee."
¹ In the blog post, CrowdStrike described how the firm "was called by the Democratic National Committee (DNC), the formal governing body for the US Democratic Party, to respond to a suspected breach." According to CrowdStrike, the cyber actor known as "Fancy Bear" breached the DNC network in 2016. CrowdStrike further assessed: "Extensive targeting of defense ministries and other military victims [by FANCY BEAR] has been observed, the profile of which closely mirrors the strategic interests of the Russian government, and may indicate affiliation with Главное Разведывательное Управление (Main Intelligence Department) or GRU, Russia's premier military intelligence service."

7. Starting in or around mid-2016, published reports also detailed attempts to compromise both the work and personal email accounts of numerous individuals involved in the 2016 U.S. presidential campaign through "spearphishing" efforts. In this context, spear phishing refers to the fraudulent practice of sending an email that purports to be from a known or trusted sender in order to induce the targeted victim to respond in a desired manner, typically by clicking a malicious link or URL. The perpetrators used Bitly, a link-shortening and management service, to disguise the malicious URLs. Victims of these spearphishing efforts included John Podesta, the chairman of the Clinton Campaign, who received a spearphishing email on or about March 19, 2016. The email contained a Bitly link created by the Bitly account john356gh, which the FBI has linked to a known GRU officer.

¹ "Bears in the Midst: Intrusion into the Democratic National Committee," June 14, 2016, available at https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee.

8. On or about September 20, 2016, CrowdStrike also identified a new intrusion into the DNC's virtual private cloud, hosted by Amazon Web Services (AWS). CrowdStrike advised
the FBI that the perpetrators obtained unauthorized access to the DNC's VPC system through the theft of an administrator credential, which gave the perpetrators the ability to modify the network's security rules. After gaining this access, the perpetrators modified the rules that limited the universe of devices that could connect to the victim computers. Based on its forensic analysis, CrowdStrike determined that the perpetrators copied snapshots of the DNC's cloud-based computers onto at least three new AWS accounts created by the perpetrators.

9. Following the inception of the spear phishing and intrusion campaigns, a series of overlapping actors began to release documents stolen from the DNC, DCCC, and the personal email accounts of campaign-affiliated individuals. Release of these stolen documents principally occurred through three forums: (1) a series of accounts operated under the online persona "Guccifer 2.0"; (2) a website and series of accounts operated under the online persona "DCLeaks"; and (3) the websites and public archives operated by the group "Wikileaks." The releases of stolen documents included confidential memoranda written by Democratic employees; strategy documents discussing various components of the 2016 federal elections; and confidential correspondences of the DNC and DCCC, as well as individuals involved in the presidential campaign of Hillary Clinton.

10. On January 6, 2017, the USIC released a declassified version of an intelligence assessment of Russian activities and intentions during the 2016 presidential election entitled, "Assessing Russian Activities and Intentions in Recent US Elections."² In the report, the USIC assessed the following:

[] Russian President Vladimir Putin ordered an influence campaign in 2016 aimed at the US presidential election.
Russia's goals were to undermine public faith in the US democratic process, denigrate [former] Secretary [of State Hillary] Clinton, and harm her electability and potential presidency. We further assess Putin and the Russian Government developed a clear preference for President-elect Trump.

² "Assessing Russian Activities and Intentions in Recent US Elections," Jan. 6, 2017, available at https://www.dni.gov/files/documents/ICA_2017_01.pdf.

11. In its assessment, the USIC also described, at a high level, some of the techniques that the Russian government employed during its interference. The USIC summarized the efforts as a "Russian messaging strategy that blends covert intelligence operations-such as cyber activity-with overt efforts by Russian Government agencies, state-funded media, third-party intermediaries, and paid social media users or 'trolls.'"

12. With respect to hacking activity, the USIC assessed: "Russia's intelligence services conducted cyber operations against targets associated with the 2016 US presidential election, including targets associated with both major US political parties." In addition, "In July 2015, Russian intelligence gained access to Democratic National Committee (DNC) networks and maintained that access until at least June 2016." The USIC further assessed that cyber operations by Russian military intelligence (General Staff Main Intelligence Directorate or GRU) "resulted in the compromise of the personal e-mail accounts of Democratic Party officials and political figures. By May, the GRU had exfiltrated large volumes of data from the DNC."

13. With respect to the release of stolen materials, the USIC assessed "with high confidence that the GRU used the Guccifer 2.0 persona, DCLeaks.com, and WikiLeaks to release US victim data obtained in cyber operations publicly and in exclusives to media outlets."

14.
On July 13, 2018, a grand jury in the District of Columbia returned an indictment against twelve Russian military officers for criminal offenses related to efforts to influence the 2016 presidential election, including conspiracy to commit authorized access to protected computers. (Case No. 1:18-cr-00125).

B. Guccifer 2.0's Use of WikiLeaks to Further the Interference in the 2016 U.S. Presidential Election

15. On June 15, 2016, the day after CrowdStrike publicly attributed the DNC hack to Russian government actors, the persona Guccifer 2.0 published its first post on a WordPress blog, publicly claiming responsibility for the hack. The post, titled "GUCCIFER 2.0 DNC'S SERVERS HACKED BY A LONE HACKER," contained a number of documents that Guccifer 2.0 represented as "docs I downloaded from the Democrats network." Guccifer 2.0 also stated in the same post that, with respect to the documents stolen from the DNC, "[t]he main part of the papers, thousands of files and mails, I gave to Wikileaks. They will publish them soon."

16. According to open source information, WikiLeaks is a self-described anti-secrecy organization, which is responsible for releasing stolen documents from a number of government and non-governmental entities. Julian Assange, an Australian citizen, founded WikiLeaks in or around 2006, and he has stated in public interviews that he is deeply involved in running the organization.

17. On or about June 20, 2016, Guccifer 2.0 registered the Twitter account @GUCCIFER_2. Search warrant returns for that Twitter account show that Guccifer 2.0 communicated via direct message with WikiLeaks' Twitter account, @wikileaks, about the stolen DNC documents, including about ways to maximize the impact of the documents on the 2016 U.S. presidential election.
For example, on or about June 22, 2016, WikiLeaks sent a private message to Guccifer 2.0, via Twitter, telling Guccifer 2.0 to "[s]end any new material [stolen from the DNC] here for us to review and it will have a much higher impact than what you are doing." On or about July 6, 2016, WikiLeaks stated, "if you have anything hillary related we want it in the next tweo [sic] days prefable [sic] because the DNC [Democratic National Convention] is approaching and she will solidify Bernie supporters behind her after." Guccifer 2.0 responded, "ok ... I see." WikiLeaks explained, "we think trump has only a 25% chance of winning against Hillary ... so conflict between Bernie and Hillary is interesting."

18. According to information obtained through a court-authorized search of the Target Account conducted in or around August 2016, I know that on or about July 14, 2016, Guccifer 2.0 sent WikiLeaks an email with an attachment titled "wk dnc link1.txt.gpg." Search warrant returns for the Guccifer 2.0 Twitter account show that Guccifer 2.0 then sent a direct message to WikiLeaks that appears to explain that the encrypted file contained instructions on how to access an online archive of stolen DNC documents. On or about July 18, 2016, WikiLeaks confirmed it had "the 1Gb or so archive" and would make a release of the stolen documents "this week."

19. On or about July 22, 2016, WikiLeaks released over 20,000 emails and other documents stolen from the DNC network. This release occurred approximately three days before the start of the Democratic National Convention. WikiLeaks did not disclose Guccifer 2.0's role in providing them.

20. On or about October 7, 2016, WikiLeaks released the first set of emails that had been stolen from John Podesta, chairman of the Clinton Campaign.
Between on or about October 7, 2016 and November 7, 2016, WikiLeaks released approximately thirty-three tranches of documents that had been stolen from Podesta. Based on an assessment of the WikiLeaks releases, investigators believe that the total amount of stolen election-related data released by WikiLeaks was substantially greater than the 1GB of stolen data apparently contained in the online archive provided by Guccifer 2.0, as described above.

21. In an August 2017 interview, ASSANGE indicated that only a small number of people, including himself, worked on the release of the DNC emails.³ Based on public source information, I know that ASSANGE made false and misleading statements about the origins of the stolen documents, including statements that insinuated that WikiLeaks had received them from a recently-deceased DNC employee.

22. Investigators have learned that WikiLeaks and/or ASSANGE communicated, including via intermediaries, about the stolen documents with Roger J. Stone ("STONE"), who advised the presidential campaign of Donald J. Trump in 2015 and who remained in contact with individuals employed by the campaign through the 2016 election. For example, search warrant returns for STONE's Hotmail account, show that on or about July 25, 2016, STONE directed one of his associates, Jerome CORSI, to "[g]et to Assange [a]t the Ecuadorian Embassy in London and get the pending WikiLeaks emails ...." On or about July 31, 2016, Stone reached out again to CORSI, suggesting that he should "see Assange." A few days later, on or about August 2, 2016, CORSI emailed STONE, "Word is friend in embassy plans 2 more dumps. One shortly after I'm back 2nd in Oct[ober]. Impact planned to be very damaging ...." I believe that CORSI's reference to a "friend in [the] embassy" refers to ASSANGE.

C. The Target Account

23.
According to subscriber information obtained from WordPress in July 2016, the Guccifer 2.0 WordPress account was created on June 15, 2016 using the email address and Target Account was listed as another email address on the account. Subscriber records for the Target Account indicate that it was created on July 23, 2016 in the name of "Guccifer Second."

³ See https://www.newyorker.com/magazine/2017/08/21/julian-assange-a-man-without-a-country

24. The FBI searched the Target Account in approximately August 2016 pursuant to a search warrant authorized by the Northern District of California. In approximately September 2017, the government obtained additional non-content information about the Target Account pursuant to 18 U.S.C. § 2703(d), which included header information for the period of time between approximately August 2016 and September 2017. The header information shows that the Target Account continued to receive emails through at least approximately February 25, 2017, including emails from WordPress and the file sharing services DropBox and MediaFire, which were not captured in the original court-authorized search conducted in August 2016.

25. Subscriber records obtained from 1&1 Mail in August 2018 show that the Target Account is still active (that is, it has not been deleted). The last login is listed as October 18, 2016. Records from the Target Account will, among other things, assist investigators in understanding Guccifer 2.0's use of file sharing services, which may in turn assist investigators in identifying additional means by which Guccifer 2.0 shared stolen documents with WikiLeaks and others.

BACKGROUND CONCERNING 1&1 MAIL

26. In my training and experience, I have learned that 1&1 Mail provides a variety of on-line services, including electronic mail ("email") access, to the public.
1&1 Mail allows subscribers to obtain email accounts at several domain names, including mail.com, like the Target Account. Subscribers obtain an account by registering with 1&1 Mail. During the registration process, 1&1 Mail asks subscribers to provide basic personal information. Therefore, the computers of 1&1 Mail are likely to contain stored electronic communications (including retrieved and unretrieved email for 1&1 Mail subscribers) and information concerning subscribers and their use of 1&1 Mail services, such as account access information, email transaction information, and account application information. In my training and experience, such information may constitute evidence of the crimes under investigation because the information can be used to identify the account's user or users.

27. In my training and experience, email providers generally ask their subscribers to provide certain personal identifying information when registering for an email account. Such information can include the subscriber's full name, physical address, telephone numbers and other identifiers, alternative email addresses, and, for paying subscribers, means and source of payment (including any credit or bank account number). In my training and experience, such information may constitute evidence of the crimes under investigation because the information can be used to identify the account's user or users. Based on my training and my experience, I know that, even if subscribers insert false information to conceal their identity, this information often provides clues to their identity, location, or illicit activities.

28. In my training and experience, email providers typically retain certain transactional information about the creation and use of each account on their systems.
This information can include the date on which the account was created, the length of service, records of log-in (i.e., session) times and durations, the types of service utilized, the status of the account (including whether the account is inactive or closed), the methods used to connect to the account (such as logging into the account via the provider's website), and other log files that reflect usage of the account. In addition, email providers often have records of the Internet Protocol address ("IP address") used to register the account and the IP addresses associated with particular logins to the account. Because every device that connects to the Internet must use an IP address, IP address information can help to identify which computers or other devices were used to access the email account.

29. In my training and experience, in some cases, email account users will communicate directly with an email service provider about issues relating to the account, such as technical problems, billing inquiries, or complaints from other users. Email providers typically retain records about such communications, including records of contacts between the user and the provider's support services, as well as records of any actions taken by the provider or user as a result of the communications. In my training and experience, such information may constitute evidence of the crimes under investigation because the information can be used to identify the account's user or users.

30. This application seeks a warrant to search all responsive records and information under the control of 1&1 Mail, a provider subject to the jurisdiction of this court, regardless of where 1&1 Mail has chosen to store such information.
The government intends to require the disclosure pursuant to the requested warrant of the contents of wire or electronic communications and any records or other information pertaining to the customers or subscribers if such communication, record, or other information is within 1&1 Mail's possession, custody, or control, regardless of whether such communication, record, or other information is stored, held, or maintained outside the United States.

31. As explained herein, information stored in connection with an email account may provide crucial evidence of the "who, what, why, when, where, and how" of the criminal conduct under investigation, thus enabling the United States to establish and prove each element or alternatively, to exclude the innocent from further suspicion. In my training and experience, the information stored in connection with an email account can indicate who has used or controlled the account. This "user attribution" evidence is analogous to the search for "indicia of occupancy" while executing a search warrant at a residence. For example, email communications, contacts lists, and images sent (and the data associated with the foregoing, such as date and time) may indicate who used or controlled the account at a relevant time. Further, information maintained by the email provider can show how and when the account was accessed or used. For example, as described below, email providers typically log the Internet Protocol (IP) addresses from which users access the email account, along with the time and date of that access. By determining the physical location associated with the logged IP addresses, investigators can understand the chronological and geographic context of the email account access and use relating to the crime under investigation. This geographic and timeline information may tend to either inculpate or exculpate the account owner.
Additionally, information stored at the user's account may further indicate the geographic location of the account user at a particular time (e.g., location information integrated into an image or video sent via email). Last, stored electronic data may provide relevant insight into the email account owner's state of mind as it relates to the offense under investigation. For example, information in the email account may indicate the owner's motive and intent to commit a crime (e.g., communications relating to the crime), or consciousness of guilt (e.g., deleting communications in an effort to conceal them from law enforcement).

32. Because there is probable cause to believe that the Target Account is an operational account created to further criminal conduct, this application seeks authorization to seize the information in Attachment B from the time of the creation of the account to the present.

FILTER REVIEW PROCEDURES

33. Review of the items described in Attachment A and Attachment B will be conducted pursuant to established procedures designed to collect evidence in a manner consistent with professional responsibility requirements concerning the maintenance of attorney-client and other operative privileges. The procedures include use, if necessary, of a designated "filter team," separate and apart from the investigative team, in order to address potential privileges. The government, however, does not at this time anticipate that any of the items described in Attachment A will contain materials requiring review by a designated filter team.

CONCLUSION

34. Based on the foregoing, I request that the Court issue the proposed search warrant.

35. Pursuant to 18 U.S.C. § 2703(g), the presence of a law enforcement officer is not required for the service or execution of this warrant.

REQUEST FOR SEALING

36.
I further request that the Court order that all papers in support of this application, including the affidavit and search warrant, be sealed until further order of the Court. These documents discuss an ongoing criminal investigation, the full nature and extent of which is not known to all of the targets of the investigation. Accordingly, there is good cause to seal these documents because their premature disclosure may seriously jeopardize that investigation.

Respectfully submitted,

Special Agent
Federal Bureau of Investigation

Subscribed and sworn to before me on this ____ day of August, 2018.

Honorable Rudolph Contreras
United States District Judge

ATTACHMENT A

Property to be Searched

This warrant applies to information associated with the following 1&1 Mail account, which is stored at premises owned, maintained, controlled, or operated by 1&1 Mail & Media, Inc., a company headquartered in Chesterbrook, Pennsylvania:

ATTACHMENT B

I. Information to be disclosed by 1&1 Mail

To the extent that the information described in Attachment A is within the possession, custody, or control of 1&1 Mail & Media, Inc. (the "Provider"), including any messages, records, files, logs, or information that have been deleted but are still available to the Provider, or have been preserved pursuant to a request made under 18 U.S.C. § 2703(f), the Provider is required to disclose the following information to the government for each account listed in Attachment A:

a. The contents of all emails associated with the account, including stored or preserved copies of emails sent to and from the account, draft emails, the source and destination addresses associated with each email, the date and time at which each email was sent, and the size and length of each email;

b.
All records or other information regarding the identification of the account, to include full name, physical address, telephone numbers and other identifiers, records of session times and durations, the date on which the account was created, the length of service, the IP address used to register the account, log-in IP addresses associated with session times and dates, account status, alternative email addresses provided during registration, methods of connecting, log files, and means and source of payment (including any credit or bank account number);

c. The types of service utilized;

d. All records or other information stored at any time by an individual using the account, including address books, contact and buddy lists, calendar data, pictures, and files;

e. All records pertaining to communications between the Provider and any person regarding the account, including contacts with support services and records of actions taken;

f. All subscriber "change history" associated with the account;

g. All search history and web history associated with the account;

h. All location and maps information associated with the account;

i. All device information associated with the account, including all instrument or telephone numbers (including MAC addresses, Electronic Serial Numbers ("ESN"), Mobile Electronic Identity Numbers ("MEIN"), Mobile Equipment Identifier ("MEID"), Mobile Identification Numbers ("MIN"), Subscriber Identity Modules ("SIM"), Mobile Subscriber Integrated Services Digital Network Number ("MSISDN"), International Mobile Subscriber Identifiers ("IMSI"), or International Mobile Equipment Identities ("IMEI")); and

j.
For any accounts linked to the accounts listed in Attachment A, including accounts linked by cookie, SMS number, or recovery email address, and for accounts for which the accounts described in Attachment A are the recovery email address, provide all records or other information regarding the identification of the account, to include full name, physical address, telephone numbers and other identifiers, records of session times and durations, the date on which the account was created, the length of service, the IP address used to register the account, log-in IP addresses associated with session times and dates, account status, alternative email addresses provided during registration, methods of connecting, log files, and means and source of payment (including any credit or bank account number).

II. Information to be Seized by the Government

Any and all records that relate in any way to the accounts described in Attachment A which consists of evidence, fruits, or instrumentalities of violations of 18 U.S.C. § 2 (aiding and abetting), 18 U.S.C. § 3 (accessory after the fact), 18 U.S.C. § 4 (misprision of a felony), 18 U.S.C. § 371 (conspiracy), 18 U.S.C. § 1030 (unauthorized access of a protected computer); 18 U.S.C. § 1343 (wire fraud), 18 U.S.C. § 1349 (attempt and conspiracy to commit wire fraud); and 52 U.S.C. § 30121 (foreign contribution ban), including:

a. Evidence of unauthorized access to protected computers;

b. Evidence of the distribution or transfer of data obtained through unauthorized access to protected computers;

c. Evidence indicating how and when the account was accessed or used, to determine the geographic and chronological context of account access, use, and events relating to the crimes under investigation and to the account owner;

d. Evidence indicating the account owner's state of mind as it relates to the crimes under investigation;

e.
The identity of the person(s) who created or used the account, including records that help reveal the whereabouts of such person(s);

f. Communications, records, documents, and other files related to any expenditure, independent expenditure, or disbursement for an electioneering communication;

g. Records of any funds or benefits disbursed by or offered on behalf of any foreign government, foreign officials, foreign entities, foreign persons, or foreign principals;

h. Communications, records, documents, and other files that reveal efforts by any person to conduct activities on behalf of, for the benefit of, or at the direction of any foreign government, foreign officials, foreign entities, foreign persons, or foreign principals;

i. The identity of any non-U.S. person(s)-including records that help reveal the whereabouts of the person(s)-who made any expenditure, independent expenditure, or disbursement for an electioneering communication; and

j. The identity of any person(s)-including records that help reveal the whereabouts of the person(s)-who communicated with the account about any matters relating to activities conducted by on behalf of, for the benefit of, or at the direction of any foreign government, foreign officials, foreign entities, foreign persons, or foreign

IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA

IN THE MATTER OF THE SEARCH OF INFORMATION ASSOCIATED WITH ONE ACCOUNT STORED AT PREMISES CONTROLLED BY 1&1 MAIL & MEDIA, INC.

Case: 1:18-sc-02670
Assigned To: Howell, Beryl A.
Assign. Date: 8/20/2018
Description: Search & Seizure Warrant

MOTION TO SEAL WARRANT AND RELATED DOCUMENTS AND TO REQUIRE NON-DISCLOSURE UNDER 18 U.S.C.
§ 2705(b)

The United States of America, moving by and through its undersigned counsel, respectfully moves the Court for an Order placing the above-captioned warrant and the application and affidavit in support thereof (collectively herein the "Warrant") under seal, and precluding the provider from notifying any person of the Warrant pursuant to 18 U.S.C. § 2705(b). In regard to the nondisclosure, the proposed Order would direct 1&1 Mail & Media, Inc. ("1&1 Mail"), an electronic communication and/or remote computing services provider headquartered in Chesterbrook, Pennsylvania, not to notify any other person (except attorneys for 1&1 Mail for the purpose of receiving legal advice) of the existence or content of the Warrant for a period of one year or until further order of the Court.

1. The Court has the inherent power to seal court filings when appropriate, including the Warrant. United States v. Hubbard, 650 F.2d 293, 315-16 (D.C. Cir. 1980) (citing Nixon v. Warner Communications, Inc., 435 U.S. 589, 598 (1978)). The Court may also seal the Warrant to prevent serious jeopardy to an ongoing criminal investigation when, as in the present case, such jeopardy creates a compelling governmental interest in preserving the confidentiality of the Warrant. See Washington Post v. Robinson, 935 F.2d 282, 287-89 (D.C. Cir. 1991).

2. In addition, this Court has jurisdiction to issue the requested order because it is "a court of competent jurisdiction" as defined by 18 U.S.C. § 2711. Specifically, the Court is a "district court of the United States ... that - has jurisdiction over the offense being investigated." 18 U.S.C. § 2711(3)(A)(i). Acts or omissions in furtherance of the offense under investigation occurred within Washington, D.C. See 18 U.S.C. § 3237.

3. Further, the Court has authority to require non-disclosure of the Warrant under 18 U.S.C. § 2705(b).
1&1 Mail provides an "electronic communications service," as defined in 18 U.S.C. § 2510(15), and/or "remote computing service," as defined in 18 U.S.C. § 2711(2). The Stored Communications Act ("SCA"), 18 U.S.C. §§ 2701-2712, governs how 1&1 Mail may be compelled to supply communications and other records using a subpoena, court order, or search warrant. Specifically, Section 2703(c)(2) authorizes the Government to obtain certain basic "subscriber information" using a subpoena, Section 2703(d) allows the Government to obtain other "non-content" information using a court order, and Section 2703(a)-(b)(1)(A) allows the Government to obtain contents of communications using a search warrant. See 18 U.S.C. § 2703.

4. The SCA does not set forth any obligation for providers to notify subscribers about subpoenas, court orders, or search warrants under Section 2703. However, many have voluntarily adopted policies of notifying subscribers about such legal requests. Accordingly, when necessary, Section 2705(b) of the SCA enables the Government to obtain a court order to preclude such notification. In relevant part, Section 2705(b) provides as follows:¹

¹ Section 2705(b) contains additional requirements for legal process obtained pursuant to 18 U.S.C. § 2703(b)(1)(B), but the Government does not seek to use the proposed Order for any legal process under that provision.

(b) Preclusion of notice to subject of governmental access. - A governmental entity acting under section 2703 ... may apply to a court for an order commanding a provider of electronic communications service or remote computing service to whom a warrant, subpoena, or court order is directed, for such period as the court deems appropriate, not to notify any other person of the existence of the warrant, subpoena, or court order.
The court shall enter such an order if it determines that there is reason to believe that notification of the existence of the warrant, subpoena, or court order will result in (1) endangering the life or physical safety of an individual; (2) flight from prosecution; (3) destruction of or tampering with evidence; (4) intimidation of potential witnesses; or (5) otherwise seriously jeopardizing an investigation or unduly delaying a trial. 18 U.S.C. § 2705(b).

The United States District Court for the District of Columbia has made clear that a nondisclosure order under Section 2705(b) must be issued once the Government makes the requisite showing about potential consequences of notification:

The explicit terms of section 2705(b) make clear that if a courts [sic] finds that there is reason to believe that notifying the customer or subscriber of the court order or subpoena may lead to one of the deleterious outcomes listed under § 2705(b), the court must enter an order commanding a service provider to delay notice to a customer for a period of time that the court determines is appropriate. Once the government makes the required showing under § 2705(b), the court is required to issue the non-disclosure order.

In re Application for Order of Nondisclosure Pursuant to 18 U.S.C. § 2705(b) for Grand Jury Subpoena #GJ2014031422765, 41 F. Supp. 3d 1, 5 (D.D.C. 2014).

5. Accordingly, this motion to seal sets forth facts showing reasonable grounds to command 1&1 Mail not to notify any other person (except attorneys for 1&1 Mail for the purpose of receiving legal advice) of the existence of the Subpoena for a period of one year or until further order of the Court.

FA [...] N-DISCLOSURE

6. The Federal Bureau of Investigation ("FBI") is investigating WikiLeaks and others for violations of 18 U.S.C. § 2 (aiding and abetting), 18 U.S.C. § 3 (accessory after the fact), 18 U.S.C. § 4 (misprision of a felony), 18 U.S.C. § 371 (conspiracy), 18 U.S.C.
§ 951 (acting as an unregistered foreign agent), 18 U.S.C. § 1030 (unauthorized access of a protected computer); 18 U.S.C. § 1343 (wire fraud), 18 U.S.C. § 1349 (attempt and conspiracy to commit wire fraud), and 22 U.S.C. § 611 et seq. (Foreign Agents Registration Act), and 52 U.S.C. § 30121 (foreign contribution ban) (the "Subject Offenses"), in connection with efforts to compromise the networks of the Democratic National Convention ("DNC"), the Democratic Congressional Campaign Committee ("DCCC"), and the email accounts of U.S. persons involved in the 2016 presidential election, followed by the public release of stolen materials through various outlets.

7. In this matter, the government requests that the Warrant be sealed until further order of the Court and that 1&1 Mail and its employees be directed not to notify any other person of the existence or content of the Warrant (except attorneys for 1&1 Mail for the purpose of receiving legal advice) for a period of one year or until further order of the Court. Such an order is appropriate because the Warrant relates to an ongoing criminal investigation, the scope and nature of which is neither public nor known to the targets of the investigation, and its disclosure may alert these targets to the nature, scope, and focus of the ongoing investigation. Disclosure of the Warrant and related papers may also alert the targets to the scope of information known to the FBI. Once alerted to this information, potential targets would be immediately prompted to destroy or conceal incriminating evidence, alter their operational tactics to avoid future detection, and otherwise take steps to undermine the investigation and avoid future prosecution.
In particular, given that they are known to use electronic communication and remote computing services, the potential target could quickly and easily destroy or encrypt digital evidence relating to their criminal activity.

8. Given the complex and sensitive nature of the criminal activity under investigation, and also given that the criminal scheme may be ongoing, the Government anticipates that this confidential investigation will continue for the next year or longer. However, should circumstances change such that court-ordered nondisclosure under Section 2705(b) becomes no longer needed, the Government will notify the Court and seek appropriate relief.

9. There is, therefore, reason to believe that notification of the existence of the Warrant will seriously jeopardize the investigation, including by giving the targets an opportunity to flee from prosecution, destroy or tamper with evidence, and intimidate witnesses. See 18 U.S.C. § 2705(b)(2)-(5). Because of such potential jeopardy to the investigation, there also exists a compelling governmental interest in confidentiality to justify the government's sealing request. See Robinson, 935 F.2d at 287-89.

10. Based on prior dealings with 1&1 Mail, the United States is aware that, absent a court order under Section 2705(b) commanding 1&1 Mail not to notify anyone about a legal request, 1&1 Mail may, upon receipt of a warrant seeking the contents of electronically stored wire or electronic communications for a certain account, notify the subscriber or customer of the existence of the warrant prior to producing the material sought.
WHEREFORE, for all the foregoing reasons, the government respectfully requests that the above-captioned warrant, the application and affidavit in support thereof, and all attachments thereto and other related materials be placed under seal, and furthermore, that the Court command 1&1 Mail not to notify any other person of the existence or contents of the above-captioned warrant (except attorneys for 1&1 Mail for the purpose of receiving legal advice) for a period of one year or until further order of the Court.

Respectfully submitted,

ROBERT S. MUELLER, III
Special Counsel

Dated: 8/20/18

By: Kyle
The Special Counsel's Office
(202) 616-3812

AUG 20 2018
Clerk, U.S. District & Bankruptcy Courts for the District of Columbia

IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA

IN THE MATTER OF THE SEARCH OF INFORMATION ASSOCIATED WITH ONE ACCOUNT STORED AT PREMISES CONTROLLED BY 1&1 MAIL & MEDIA, INC.

Case: 1:18-sc-02670
Assigned To: Howell, Beryl A.
Assign. Date: 8/20/2018
Description: Search & Seizure Warrant

ORDER

The United States has filed a motion to seal the above-captioned warrant and related documents, including the application and affidavit in support thereof (collectively the "Warrant"), and to require 1&1 Mail & Media, Inc. ("1&1 Mail"), an electronic communication and/or remote computing services provider headquartered in Chesterbrook, Pennsylvania, not to disclose the existence or contents of the Warrant pursuant to 18 U.S.C. § 2705(b).

The Court finds that the United States has established that a compelling governmental interest exists to justify the requested sealing, and that there is reason to believe that notification of the existence of the Warrant will seriously jeopardize the investigation, including by giving the targets an opportunity to flee from prosecution, destroy or tamper with evidence, and intimidate witnesses. See 18 U.S.C. § 2705(b)(2)-(5).
IT IS THEREFORE ORDERED that the motion is hereby GRANTED, and that the warrant, the application and affidavit in support thereof, all attachments thereto and other related materials, the instant motion to seal, and this Order be SEALED until further order of the Court; and

IT IS FURTHER ORDERED that, pursuant to 18 U.S.C. § 2705(b), 1&1 Mail and its employees shall not disclose the existence or content of the Warrant to any other person (except attorneys for 1&1 Mail for the purpose of receiving legal advice) for a period of one year or until further order of the Court.

HONORABLE RUDOLPH CONTRERAS
UNITED STATES DISTRICT JUDGE