Summary of the Trial Session on June 10, 2013 | US v Pfc. Manning

I will continue to update as time and Internet connectivity is available. This post contains a summary and reflections on U.S. v. Pfc. Manning underway at Fort Meade, MD. It is June 10, 2013.

Courtroom Manner

Defense started out of the gate swinging– even attempting to ask Special Agent David Shaver from Computer Crimes Investigative Unit about CENTAUR Logs– also known as NetFlow logs collected from the Office of the Director of National Intelligence– before the USG had established their existence in the courtroom.

When the USG objected, Captain Tooman for the defense argued that the prosecution had pre-admit the evidence at the pretrial in July 2012– last year.

While the Judge sustained the objection, what became apparent today is– if the USG does not add anything additional to their hackneyed pretrial case, they will lose control of the courtroom.

We started today with a stipulation of expected testimony from an NSA contractor, Mr. Steven Buchanan, the Information Assurance Manager at Intelink.

Intelink, Buchanan’s sworn affidavit said, is a classified version of Google– used by the Intelligence Community to search SIPRnet– the Secret Internet ProtocolRouter Network– for information and documents classified at SECRET or below.

Essentially Buchanan’s stipulated testimony is meant to establish the chain of custody concerning the Intelink logs that Agent Shaver eventually testified to.

A common occurrence in this courtroom is defense standing up and stating it will stipulate to testimony by the USG witness– what it is attempting to do, I believe, is drain the gas out of the circumstantial case the USG is trying to build regarding offenses that Manning has pled not guilty to– essentially daring the USG to “fish or cut bait”.

One of the tactics that the USG uses to destabilize lead civilian defense counsel David Coomb’s cross examinations is to object before Coombs has had a chance to finished his question– interrupting his personable style and back and forth known to turn USG witness to the defense.

Stipulation of Testimony by Steven Buchanan

The most important information gleaned from Buchanan’s stipulation is that the Intelink Logs are dated from November 2009 to May 2010, the time that Manning was deployed in Iraq. The Intelink Logs also establish IP address, date and time, keyword searches, if the search index links were engaged, and if those links resolved to a web page OR a redirect, as wells as other identifying metadata concerning application, i.e. FireFox browser or Wget including version.

At the time that Manning was deployed one did not need a Passport account to conduct Intelink searches, but one did need a Intelink account. On investigating agents’ request, Mr. Buchanan provided them with Intelink Logs and Manning’s account information.

Special Agent David Shaver, CCIU

SA Shaver is the lead CCIU forensic examiner on the Manning case. He filled out 19 classified CCIU reports and was the supervisor of ManTech contractor Mr. Mark Johnson who is projected to testify this week if not today.

Once Shaver testified to his handling of the Intelink log evidence and his conversion of that evidence into an Excel sheet, the USG examination focused on aiding the enemy, wanton publication, espionage and stealing USG property– namely for the SOUTHCOM database and the Detainee Assessment Profiles contained within, as well as espionage charge for the 2008 U.S. Army Counter Intelligence Center Memo on WikiLeaks.

The USG has declassified portions of a 2008 US Army Counterintelligence Center Memo entitled, “(U)–An Online Reference to Foreign Intelligence Services, Insurgents, or Terrorist Groups?” which is charged against Manning under the Espionage Act and is also being employed against him in the USG’s case for aiding the enemy and wanton publication.

The USG is trying to prove Manning had actual knowledge that WikiLeaks was used by the enemies of the USG– by the name and subject matter of the 2008 USACIC memo on WikiLeaks. Via Shaver and Intelink logs, the USG is trying to establish that Manning had accessed the memo.

Manning has already pled guilty to the lesser included offense of Specification 15 of Charge II for the unauthorized possession and willful communication of the 2008 USACIC report.

Defense established on Shaver’s cross examination that while the Intelink log did show that a Manning’s workstation computer had searched for WikiLeaks and been served an index links for the 2008 USACIC and C3 Reports on WikiLeaks, the logs only proved that the memo was accessed successfully once, on 1 December 2009.

Further, Shaver could only say with certainty that the report had been accessed. Intelink logs do not have information about whether Manning actually viewed the USACIC memo at the time it was accessed or in what manner.

The USG would cast Manning’s searches as sinister, “Any other keyword searches of interest to the investigation?” Shaver responded, “Yes…for Iceland and Julian Assange.” In reality, as Shaver admits, the totality of Manning’s searches in the Intelink logs total hundreds of pages. Defense established through Shaver’s testimony that Manning’s searches for CENTCOM would be completely relevant to Manning’s area of operations in Iraq.

Defense also established that Wget– a free software program that automates the download of content from web servers and for which Manning faces four years if convicted of two separate offenses for failure to obey a lawful general regulation by installing said software on his classified machine– is neither a program that is “used for hacking” nor does the program require administrative privileges.

The defense’s and military judge’s questions of Shaver and then later a co-worker in the T-SCIF that Manning shared a computer with, then Sergeant now civilian Chad Madaras, also established that there was no specific prohibition on installing executable programs on the desktop of one’s computer.

The two Wget offenses under Article 92 are part of the USG case for Specification 13 of Charge II, namely for the greater offense of exceeding authorized access under the Computer Fraud and Abuse Act for 75 Department of State cables for which Manning is exposed to an additional 10 years if convicted on the USG’s case.

Manning pled to the lesser included offense of “knowingly accessing” the cables and willfully communicating them. But, in order to prove the greater offense, and per the Court’s own ruling last Summer to take a narrow view to the CFAA, the USG is now trying to prove that Manning “hacked” or “exceeded authorized access” to obtain the cables by means of Wget. Defense’s cross of Shaver and later Madaras eroded the USG’s case today.

Sergeant, now civilian, Chad Madaras

Stipulations of Expected Testimony

19 Stipulations of “expected testimony” were hammered out by trial and defense counsel and agreed to by Pfc. Manning. These stipulations were listed but not read out loud in court.

Stipulations of Expected Testimony Lt. Commander Hoskins

Stipulation of Expected Testimony by Peter [‘Ar-ta-le’ phonetic sp.]

Stipulation of Expected Testimony by Sean Chamberlain

Stipulation of Expected Testimony by SA John Wilbur

Stipulation of Expected Testimony by James Fung (sp.)

Stipulation of Expected Testimony by Alex Withers

Stipulation of Expected Testimony by James McManis

Stipulation of Expected Testimony by SA Troy Bettencourt

Stipulation of Expected Testimony by SA Kirk Ellis

Stipulation of Expected Testimony by SA Mark Mander

Stipulation of Expected Testimony by Doug Chastien (sp.)

Stipulation of Expected Testimony by Jacob Grant

Stipulation of Expected Testimony by Lorinda (sp.) White

Stipulation of Expected Testimony by Lt. Commander Hoskins, US Navy Reserve (Classified and Unclassified)

Stipulation of Expected Testimony by Lt. Col. Martin Naring (sp.)

Stipulation of Expected Testimony by Ms. Deborah Van Alstyne ( Manning’s Aunt)

Stipulation of Expected Testimony by Wyatt Bora (sp.)

Stipulation of Expected Testimony by Patrick Hoffel (sp.)

Stipulation of Expected Testimony by CW5 John LaRue

Stipulation of Expected Testimony by Jacqueline Scott

Special Agent Mark Mander, CCIU

Mander is the lead case agent on the Army CCIU investigation, best known for his statements at the pretrial concerning Jason Katz, the Garani air strike video, and seven civilians being investigated by the FBI including the “founders, owners, or managers of WikiLeaks.”

The USG asked Mander today about his investigation of Manning and WikiLeaks and he described the investigation as one of the largest and most complicated investigations ever conducted by CCIU.

According to Mander, Army CID received an email concerning a possible unauthorized disclosure by a military intelligence analyst. CID led the investigation until the second week of June 2010. It was understood that CCIU would perform computer forensics when the investigation was still being conducted in Iraq.

As the case developed there was an understanding that there was a lot of commercial providers– including Google and Microsoft– which required a federal magistrate.

When Mander was asked by the USG if working with the US Attorneys was normal procedure, defense objected. Mander said federal magistrates required to compel commercial providers for user information. CCIU also had COMUS leads who knew Manning– people he had been in contact with in the Boston area.

Mander could not remember but stated that forensic evidence was transfered from Iraq, and discussed the chain of custody for evidence.

Chat logs were found between Pfc. Manning and Mr. Lamo that corresponded to those found on digital media collected from Mr. Lamo. There was email on Mr. Manning’s personal computer, which created investigative leads.

“Who was the recipient of the information?” Mander answered “WikiLeaks.” “What is WikiLeaks?” “To obtain and display information from government’s and private organizations.” Mander said WikiLeaks became well known after the publication of Collateral Murder, which of course is never referred to as such by the USG in court– prosecutors always referring to it as the “Apache Video.”

“How does WikiLeaks publish information?” Mander explained that WikiLeaks is comprised of a domain and mirrors. During this line of questioning, defense continued to object stating that Mander could not speak to either the video or to the use of mirrors. When asked who is associated with WikiLeaks, Mander said, “Julian Assange.”

Mander explained that the Department of State was already investigating the disclosure of the Reykjavik 13 cable prior to CID involvement. Army military intelligence was also involved in the early investigation. When asked if any federal agencies were involved, Mander said, “Yes…in June…the FBI joined the case.” Mander explained that it was a joint investigation. CCIU’s “lane” said Mander was to investigate military leads; and the FBI’s to investigate civilian leads. Did the investigative organizations share information? “Yes,” said Mander. He added that numerous interviews were conducted together amongst the investigative partners.

Agents, Mander said downloaded “classified” information on the WikiLeaks Web site. Defense continued to object to the line of questioning saying that Mander did not conduct the downloads. USG shot back that Mander was familiar as case agent with the entire investigation. Mander also said content was downloaded from WikiLeaks and compared to other information collected in the course of the investigation.

Mander then testified about the Way Back Machine and Google cache, used by agent to show “how a website may look like in the past.”

Defense objected to the entry of the exhibit of a printed copy of the WikiLeaks Most Wanted Leak 2009 List that was obtained from the Their objection was based on voir dire and overruled. Mander explained the WikiLeaks Most Wanted List of 2009.

USG asked Mander to scroll down to the Intelink Log to “retention + of + interrogation + video” and to compare that search term to the 1009 WikiLeaks Most Wanted List. Prosecutors asked Mander to read “detainee + abuse” search term and Mander said similar information was contained in the 2009 WikiLeaks Most Wanted List.

USG asked Mander to read the Intelink Search logs for 8 December 2009 “Guantanamo + detainee + operations,” he read and “GTMO + SOP” “CJTF + 82+ detainee + SOP.” Mander continued reading from the Intelink logs and on request comparing them to the 2009 WikiLeaks Most Wanted List.

Before the USG was allowed to continue, defense was given the opportunity to object and cross examine the witness on here-say. Captain Tooman for defense, conducted voir dire, asking Mander if he in fact went to or what the web archive demonstrated the web site looked like in 2009.

Tooman continued, “You don’t have any knowledge about how compiles their data?” Mander, admitted that he did not know how often that data is technically gathered. Tooman said, “So you said you did not visit in 2009 so you don’t know if any information is missing from the web page representation of the site?”

Tooman then asked where the servers are located? When they gather their information? Mander says he did not know, but assumed there was no specific pattern to archiving Web site. “Do you have any knowledge if there are back ups? Hack attempts? Were you there when it was cached when was archived?” Mander said he did not know. “Do you know if WikiLeaks had a robots.txt on their web page?” Mander didn’t know. Defense then objected to witness testimony regarding permissibility of testimony by Mander, stating that he does not have direct knowledge of how operates.

Tooman then demanded that the USG call a witness from WikiLeaks to explain the WikiLeaks Most Wanted List in 2009 and the use or lack of use of robots.txt on their Web page. Defense also objected to the Mander’s testimony and the evidentiary submission for its lack of relevance.

Mander’s Implosion.

Defense said that there is no evidence that the document presented by the prosecution was up on the WikiLeaks Web site in 2009, or that Pfc. Manning ever saw the WikiLeaks 2009 Most Wanted List. Ruling on the admissibility of evidence and Mander’s testimony will be forthcoming by Judge Lind next week after defense and prosecution file motions.


USG asked Mander if he is familiar with social media and WikiLeaks’ twitter feed. Agent Mander then described in detail the WikiLeaks logo, “two globes…one side dripping to the other.” Mander then testifies how he found and made a print copy of the tweets:

Defense said it will challenge the admissibility of the witness testimony and evidence of the two tweets on here-say and the witness has no personal knowledge how Google creates a cache. USG also said they are not moving for “the truth of the tweets” but for their “effect on Pfc. Manning.”

Tooman from defense asks Mander if he has a twitter account? “No.” “Do you know how Twitter archives their tweets?” “No.” “Do you know if tweets can be deleted?” “No.” “Do you know how Google creates a cache?” “I believe there are located in many places. “Do you know how often they go out an grab data?” “I do not,” says Mander. Tooman asks, “Do know if anyone has ever tried to hack Twitter? If they have back ups of their servers?” Defense objects to witness testimony and evidence admissibility on authentication, here-say, and relevance. USG says again they are offering for a non-heresay purpose but for the effect on the listener, vis. the “.mil tweet.”

Defense continues voir dir of Mander. Defense establishes that Mader has no evidence of the “effect of the tweets on Pfc. Manning”. Defense (Tooman) then continues with cross examination. Defense establishes that Mander did not find any evidence that Manning was “anti-American” or that Manning was trying to “help the enemy”. Defense establishes that Mander found no evidence that Manning had any contact with foreign adversaries or intelligence service. Defense also establishes that no evidence was found that Manning was paid or compensated in relation to the leaks.

Defense on cross (Tooman) presents Mander with another print out, a defense exhibit of the WikiLeaks website that shows another version of the 2009 WikiLeaks Most Wanted List. This one presents introductory information.

Defense establishes that the introductory content for the defense 2009 WikiLeaks Most Wanted List– via Mander own words is one that the “general public can edit.” It list the content described as “concealed documents most sought after by countries, activists, human right…, lawyers…ethical, historical…” Mander admits that he does not know why WikiLeaks wants documents. Defense then re-reads the introductory statement, and asks Mander if the introductory statement explains why WikiLeaks might want documents.

USG objects on the grounds of authentication. Judge Lind interjects herself, asking Mander to authenticate the two versions– one a defense exhibit of the 2009 Most Wanted List with the introduction and another the USG’s without the introductory paragraph. It turns out– on questioning by the judge that Mander printed both within a short time period of each other. USG comes back and objects on here-say; to which Lind responds essentially, (a paraphrase) “If I don’t admit the defense exhibit, wouldn’t it be on the same grounds as your exhibit.”

Both exhibits are admissible, says the Judge to the USG. Defense (Tooman) continues his cross of Mander. Tooman presents a new exhibit. “You spoke about a number of “Intelink searches” that correspond to the 2009 WikiLeaks Most Wanted List presented by Government.

Prosecution (Tooman) interrupts, the USG will stipulate that only three search items from the Intelink logs correspond to the 2009 WikiLeaks Most Wanted List.

Defense (Tooman) then asks Mander regarding the 2009 WikiLeaks Most Wanted List that was presented as evidence by the USG. “How many items are listed under bulk database?” Mander says three. “How many federal items?” Mander says six. “Under Military intelligence? “Appears to be 21 bullets,” says Mander. Defense continues. “We are stil under military intelligence– essentially how many items are listed?” Mander says 56 items are listed. Tooman goes on under “Banking”, “Media”, “Religion.” Mander lists all the items. USG does not re-direct. Mander is temporarily excuse. This lead case agent witness Mark Mander and the USG case erodes further today.

Sheila Glenn, US Army Counterintelligence Center

Witness testified concerning how intelligence reports are drafted by the US Army Counterintelligence Center. Glenn goes through the entire chain, “after product is reviewed for content, accuracy, and grammar,” she repeats. She explains the prosecution exhibit, a 2008 USACIC Memo. The witness explains that the document is now declassified in portions and entitled, “(U)–An Online Reference to Foreign Intelligence Services, Insurgents, or Terrorist Groups?”

Glenn explains how this “self-initiated” product was created. Glenn stated that Michael Horvath, the author came across the WikiLeaks Web site and thought it was a concern. Defense objected on here-say. USG said it would ask her questions based on her observations, and apparently she helped research the report. She reads from the memo. On USG prompting, she reads that “WikiLeaks is not a news organization. WikiLeaks does not provide source checking…overview…does not confirm accuracy of their information…’ On USG prompting, Glenn briefs that WikiLeaks uses anonymous methods to post information to the site.

Glenn reads page 20, paragraph one about how WikiLeaks encourages illegal behavior. On USG questioning, Glenn proposes the following threat: “force protection, counter intelligence, information security, and operational security threat.” On being asked, “how” WikiLeaks threatens these sectors, Glenn testifies, by providing “foreign terrorist groups and insurgents” with information. Glenn then reads the three examples contained in the report.

Glenn testified that the document was never release and that she received an email notifying her that the document has been published by WikiLeaks. The email arrived on a on an unclassified system.

On cross examination by defense, Glenn admitted that the title of the 2008 USACIC Memo had a question mark– and that it means that “at that time period we could not confirm [that WikiLeaks was being used by enemies and foreign adversaries].” Defense (Tooman) establishes that WikiLeaks’ stated intent was “to uncover illegality.” Defense establishes that one of the stated goals is a “free and unrestrained press.”

Defense establishes that the the report was self-initiated, meaning no unit had requested information; and that the report was not created through requirements, namely by request for an assessment. Defense also establishes that Horvath would have researched on Joint Worldwide Intelligence Communications System (JWICS) a portal for TOP SECRET information and other information in order to draft this report including HUMINT (Human Intelligence) SIGNIT (Signal Intelligence), OSINT (Open Source Intelligence), MASINT (Measurement and signature intelligence), and IMINT (Imagery intelligence). Defense establishes that the author of the document would have had access to all that intelligence and also outside reviewers would have had similar access to a multitude of different types of information.

Defense then reviewed the document, “Intelligence indicates that insurgents in Afghanistan have recovered several Warlock system,” and begins to deconstruct the end notes and basis for the information contained within the document. Defense asks about “information gaps”– “if you know it you would cite it?” Glenn comes back, “If the source cannot confirm it.” “So,” said Tooman, “If you can’t confirm it, you don’t really know it?” Glenn agrees and establishes that if she cannot confirm then she would not put the information in the document.

According to the document in question, item three under “intelligence gaps” refers to, “Will the Web site be used by FISS, foreign military services,
foreign insurgents, or terrorist groups to collect sensitive or classified US Army
information posted to the Web site?” The line of questioning goes right to the actual knowledge element of both “aiding enemy” and “wanton publication.”

Defense establishes through Glenn that there was no intelligence that terrorist or foreign adversaries visited WikiLeaks. Defense then asks Glenn to define “presume”. On “redirect” USG establishes that no intelligence existed in 2008 and 2009, but in 2010 intelligence confirmed that terrorists used WikiLeaks.