Why Trump is once again claiming that he was spied upon in 2016
By Philip Bump
National correspondent
Today at 3:40 p.m. EST
It started with a tweet from President Donald Trump in early March 2017.
“Terrible! Just found out that Obama had my ‘wires tapped’ in Trump Tower just before the victory,” he wrote. “Nothing found. This is McCarthyism!”
It was a wild claim — and one that was soon debunked. The primary rationale for Trump’s tweet, it seems, was a story published by Breitbart News that attempted to summarize a broadcast by right-wing radio host Mark Levin. As a way of conveying the credibility that assertion deserves, the Breitbart story included two references to claims about surveillance warrants made by columnist Louise Mensch, whose claims about various things have repeatedly been shown to be meritless. Trump’s allies quickly tried to backstop his tweet by elevating activity that, if you squinted and plugged your ears, could seem like maybe it constituted wiretapping.
“I was proven right about the spying,” he said in one of his Twitteresque “statements” from his office, “and I will be proven right about 2020.”
It’s a useful parallel, in fact, comparing his claims about having been spied on with his claims about fraud in the 2020 election. In neither case has any such thing been proved despite, as always, the robust effort by his allies to provide some foundation to Trump’s unfounded claims.
The prompt for Trump’s claim is a court filing submitted on Friday. It combines several interesting threads from the Trump era to make one relatively vague allegation, an allegation then misrepresented by some of Trump’s most fervent allies as dispositive. Bear with me as I explain those threads briefly.
You’ll recall that Trump’s core complaint as president was that the investigation into Russian interference and possible overlap with his campaign was unfounded. It wasn’t, involving probes into a number of individuals with obvious links to Russian actors. But Trump and his allies crafted a countervailing narrative centered on malfeasance by government officials — again, a claim downstream from Trump’s initial response to reports about the probe in which he asserted that government officials might be out to get him.
Eventually, Trump’s loyal-until-almost-the-end attorney general William P. Barr appointed U.S. Attorney John Durham to serve as special counsel to investigate the Russia investigation. The Friday filing came from Durham, centered on his examination of a rumor that emerged shortly before the 2016 election in which it was alleged that there was a secret back-channel communication between a Russian bank, Alfa Bank, and a Trump Organization email server.
When that allegation was first reported in October 2016, it was pretty obviously unfounded. I wrote about the various ways in which the idea didn’t pass the smell test, from the theoretical — why leave any trail at all if you’re trying to secretly communicate with Russia? — to the technical, given that the Trump Organization server wasn’t controlled by Trump at all. Others, like technologist Rob Graham, reached a similar conclusion: that this was probably just a glitchy side effect of marketing emails.
Last year, Durham unveiled an indictment against an attorney named Michael Sussman centered on the Alfa Bank rumor. Durham claimed that Sussman had lied to an FBI official in September 2016 when trying to get the FBI to investigate the connection, saying he was not working for a specific client as he offered the tip. The allegation is that this was a false statement of the sort that tripped up various Trump allies during the Russia probe: that Sussman was, in fact, working for the campaign of Hillary Clinton. As journalist Marcy Wheeler has written, the criminal case is not terribly strong.
The theory behind the Alfa Bank rumor is complicated. Sussman’s law firm, Perkins Coie, had been retained by Clinton’s campaign (leading it, separately, to engage the investigative firm Fusion GPS that later generated the infamous dossier of reports alleging a more robust connection between Russia and Trump’s team). An unidentified individual first noticed traffic between the Trump server and the Russian bank and brought it to an executive at a technology firm who had retained Perkins Coie and was working with Sussman. (Wheeler has an excellent timeline of all of this.) That triggered an effort to examine the scope of those connections, one that at least some of those involved in the research apparently understood to be an effort to create a jumping-off point for further research that could bolster a Trump-Russia narrative. (The tech executive, I’ll note, wasn’t sold on the Alfa-Trump link even back in August 2016.) Durham’s filing ties the campaign to Sussman and Sussman to the executive, but it’s not explicitly argued that the probe flowed down from Clinton’s team — or up to it.
Remember that in July 2016, there was already attention focused on possible links between Trump and Russia. The prior month, Russian actors had been implicated in stealing material from the Democratic National Committee, material that was released by WikiLeaks at the end of July. Trump’s allies have in the past tried to point to the Clinton campaign’s focus on amplifying that connection as the trigger for the Russia probe when, in reality, that focus came only after the political conversation emerged. There’s no indication that the Alfa Bank probe preceded the Clinton campaign’s public discussion of possible Trump-Russia ties — and there was certainly reason to pay attention to a possible digital connection between the two.
Now the technical stuff. At issue here are what are called domain name server (DNS) lookups. Traffic on the Internet is pushed around between points identified with Internet protocol (IP) addresses, strings of numbers that might be thought of like latitude and longitude in real-world positioning. In the real world, we don’t generally point people to latitude and longitude coordinates but to street addresses. On the Internet, we don’t generally go to IP addresses but domains. A DNS lookup converts a domain like washingtonpost.com to this newspaper’s actual Web server IP address.
The traffic between Alfa Bank and the Trump email server — actually run by a company called Cendyn that does a lot of hospitality-industry marketing work — consisted of DNS lookups. The Alfa Bank server was trying to find domain information for trump-email.com (the domain at issue) and the lookups were being logged.
It’s important here to know why those records might have been collected. An expert on the technology with whom I spoke on Monday explained that Internet service providers often allow third parties to collect domain name lookups because the information is useful for tracking bad actors on the Internet. If, for example, there are suddenly a number of lookups to we11sfargo.com, with ones replacing the Ls in the domain name, that might suggest some effort to redirect traffic away from the bank to some spoof site. Or organizations might similarly have a passive DNS collection process in place so that they might know if there’s a sudden spike in lookups for unusual servers in, say, Russia — an early indication that maybe someone is trying to run a scam targeting employees.
This brings us to the court filing that was submitted on Friday. In it, Durham extends his articulation of what allegedly happened as the Alfa Bank rumor was being developed behind closed doors. The key element of the document centers on the DNS data that was being looked at:
The Government’s evidence at trial will also establish that among the Internet data Tech Executive-1 and his associates exploited was domain name system (“DNS”) Internet traffic pertaining to (i) a particular healthcare provider, (ii) Trump Tower, (iii) Donald Trump’s Central Park West apartment building, and (iv) the Executive Office of the President of the United States (“EOP”). (Tech Executive-1’s employer, Internet Company-1, had come to access and maintain dedicated servers for the EOP as part of a sensitive arrangement whereby it provided DNS resolution services to the EOP. Tech Executive-1 and his associates exploited this arrangement by mining the EOP’s DNS traffic and other data for the purpose of gathering derogatory information about Donald Trump.)
The “particular healthcare provider” is apparently Spectrum Health, which — when the story first emerged in 2016 — was identified as similarly linked to the Trump email server but also provided reporters with the marketing spam emails that explained that connection.
It’s useful to note that Durham’s claim about data being “exploited” emerged early. Both Wheeler and Graham elevated questions about the ethics of digging through collected DNS records to investigate something that was probably outside of any agreement governing what the data was being collected for.
But that doesn’t mean 1) that any laws were violated or 2) that this constitutes “hacking.” If I give you a key to my house and you use it to come in and read my diary, I will certainly be angry with you, but it’s not like you committed burglary.
Yet that’s how the paragraph above has at times been conveyed. On Fox News, for example, a story about the Durham filing ran with the headline “Clinton campaign paid to ‘infiltrate’ Trump Tower, White House servers to link Trump to Russia: Durham.” There are a few problems with this, including that the connection between Clinton’s team and the Perkins Coie Alfa Bank investigation is not direct, nor did Durham use the word “infiltrate,” a word that suggests illicit access to data.
Instead, both of those claims come not from Durham but, as the article makes clear, from former Trump staffer Kash Patel. It’s a statement from Patel that makes the Clinton claim and uses the word infiltrate. It’s Patel — whose recent career has often centered on backstopping Trump’s claims of being unfairly investigated — who drew the line that Fox is attributing to the special counsel.
Durham describes an effort to impugn Trump by claiming that during a meeting with a government agency in February 2017, Sussman alleged that DNS lookups “demonstrated that Trump and/or his associates were using supposedly rare, Russian-made wireless phones in the vicinity of the White House and other locations.” This doesn’t support a throughline back to Clinton, of course, since Trump wasn’t spending much time at the White House while Clinton was still a presidential candidate. Durham’s filing asserts that the lookups centered on those phones went back to 2014, when Trump wasn’t even yet a candidate."
