I’ve taken up a “weekend” project to perform an independent analysis of the data file that allegedly contains a record of activity—during the months leading up to the election—between a server at Alfa Bank in Russia, the Trump Organization, and a server at the Spectrum Health company in Grand Rapids, Michigan. (See links for Part I and Part II, Part III, Part IV and the original Slate article on this story. The end of this diary lists related links, including to other dkos diaries on this same story.)
Building on this analysis, this diary entry addresses several simple questions one might ask:
1. Does the server activity change at the same time as other key events in the 2016 election season?
I would say yes. There is an overall increase in server activity during the May 4 to Sept 23 time period, plausibly mirroring the increase in campaign activity. More apparent are the sharp increases in activity on the day after the Brexit vote (June 24)—also a time when the Trump campaign was ramping up—and at the start of the Democratic convention (July 25-26).
2. Do features in the file appear to be correlated with any of the major news events surrounding people connected with the Trump-Russia and Russia hacking stories?
Here, a qualified yes. Last diary reported key “spikes” in activity on July 8-9 and July 31, and what we’ll call “quiet periods” in non-periodic activity on Aug 13-17 and Sept 14-20. The Trump email server was shut down on Sept 23.
Let’s break this down by matching all of these events to a timeline of activities of several key actors:
Let’s be clear, I’m only matching server events to news events specifically related to the Trump-Russia story. Possibly I’d be able to find a good match with other completely different story lines. Perhaps there’s an even more mundane explanation for the patterns in the data.
And yet, there does seem to be a plausible pattern that emerges with respect to the “quiet periods.” Let’s stop here for now and move on to a final set of questions.
3. Did campaign related WikiLeaks releases correspond to changes in the server activity? How about Guccifer 2.0 and DCleaks releases?
Hard to say, but possibly. There were only two larger WikiLeaks releases during the period of server activity (May-Sept 2016). These occurred on July 4th (HRC Iraq e-mails) and July 22nd (DNC e-mails).
Notably, server activity was significantly reduced just before and around those dates. Prior to both WikiLeaks releases, there was no activity between Trump and Spectrum Health for at least 36 hours. Also, around the time of these releases the data suggest that the Trump server could have been off, or not sending messages, for an extended duration. These outages were unusual in the July-September period.
Of course, it would not be surprising to have periods of inactivity on July 4th weekend. Similarly there could be many reasons for outages on July 21 (the last day of the RNC, when Trump was speaking), or the days between the RNC and DNC conventions (July 24-25).
Guccifer 2.0 and DCleaks produced more frequent, smaller releases that are harder to correlate with server events. One unusual DCleaks release included hacked e-mails from Republican targets, first widely reported on Aug 12-13, though there’s some uncertainty as to when these were initially placed on-line. Nothing more to describe here.
Adding it all up… for now.
We can summarize the above analysis with three key observations:
- A significant spike in server activity coincided with Carter Page’s July visit to Moscow.
- Twice during this five-month interval do we identify distinct “quiet periods.” At the end of each of these “quiet periods,” a Russia-connected member of the campaign staff stepped down, Paul Manafort in August, and Carter Page in September.
- Server activity decreased on or around the timing of the two largest election-releated Wikileaks releases during this period.
Some have argued that the most likely explanation for these data is that the Trump-mail1.com server was sending spam or mass-marketing e-mails. As reported in the New York Times, just hours after the server story broke:
“F.B.I. officials spent weeks examining computer data showing an odd stream of activity to a Trump Organization server and Alfa Bank. Computer logs obtained by The New York Times show that two servers at Alfa Bank sent more than 2,700 “look-up” messages — a first step for one system’s computers to talk to another — to a Trump-connected server beginning in the spring. But the F.B.I. ultimately concluded that there could be an innocuous explanation, like a marketing email or spam, for the computer contacts.” (NYT, 11/1/16, Investigating Donald Trump, F.B.I. Sees No Clear Link to Russia, Lichtblau and Myers)
Given my independent analysis of the data set, described here and in previous diaries, I’m skeptical about the spam or mass-marketing e-mail explanation, but I welcome serious efforts to prove me wrong! If this server was generating spam, it shouldn’t be hard to find an e-mail that it sent during the May-Sept 2016 time period. I’ll leave it to my next diary to address such alternate explanations and other such critiques.
The original F. Foer Slate story: Was a Trump Server Communicating With Russia? (dkos diary) and follow-up Slate posting. Rebuttal stories (incomplete list): Vox, Intercept, Verge, ErrataSec (follow-up), Medium (N. Jeewa), Logs (J. Camp). Earlier dkos analysis with a different emphasis. Recent dkos diary on the Spectrum Health connection.