Case Document 20 Filed 11/07/11 Page 1 of 1 A0 I06 (Rev. 04110) Application for a Search Wamnt UNITED STATES DISTRICT COURT for the District of Columbia In the Matter of the Search of I: had i Email Account gmaitcom on i Computer Servers Operated by Googie. lnc..160O Amphitheatre Parkway. Mountain View. Caiifomia APPLICATION FOR A SEARCH WARRANT i, a federal law enforcement officer or an attorney for the govemment, request a search warrant and state under penalty of perjury that I have reason to believe that on the following person or property fldeniijfiv the person or describe the Prgeriigi bem'f maintained on computer sewers operated by Google. lnc.. headquartered accoun at 1600 Amphitheatre Parkway. Mountain View. Caiifomia, located in the Northem District of Caiifomia per.n:m or describe the property to be seized): certain property, the disclosure of which is governed by 'Title 42. U.S.C. Section 2000aa. and Title 18. U.S.C. Sections 2701 through 2711. namely contents of electronic e-mails and other electronic data and more fully described in ATTACHMENT A to this application. The basis for the search under Fed. R. Crim. P. 4i(c) is (check one or more): Rf evidence of a crime; contraband, fruits of crime, or other items illegally possessed; Ef property designed for use. intended for use, or used in committing a crime; a person to be arrested or a person who is uniawfiriiy restrained. there is now concealed (identofir the The search is related to a violation of: Code Section Oflense Description 18 U.S.C. 793 Gathering. transmitting or losing defense information The giication is based on these facts: See a ed etfidavlt herein incorporated by reference as if fully restated herein. Continued on the attached sheet. EJ Delayed notice of days (give exact ending date if more than 30 days: is requested under is U.S.C. 31033, the basis of which is set forth on ached sheet. i3e_ginaid B. Reyes. Special Agent. FBI Printed name and title Swom to before me and signed in my presence. Date: City and state: Washingon, D.C. Case Document 20-1 Filed 11/07/11 Page 1 of 36 THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA APPLICATION FOR SEARCH WARRANT MISC. 0.: GMAIL.COM MAINTAINED ON COMPUTER OPERATED BY GOOGLE, UNDER SEAL HEADQUARTERED AT 1600 AMPHITHEATRE PARKWAY, MOUNTAIN VIEW, CA AFFIDAVIT IN SUPPORT on APPLICATION FOR SEARCH WARRANT I, Reginald B. Reyes, being first duly sworn, hereby depose and state as follows: I. INTRODUCTION 1. I am a Special Agent of the Federal Bureau of Investigation assigned to the Washington Field Office, and have been employed by the FBI for over five years. I am assigned to a squad responsible for counterespionage matters and matters involving the unauthorized disclosure of classified information, and have worked in this field since October 2005. As a result of my involvement in espionage investigations and investigations involving the unauthorized disclosure of classified information, I am familiar with the tactics, methods, and techniques of particular United States persons who possess, or have possessed a United States government security clearance and may choose to harm the United States by misusing their access to classified information. Before working for the FBI, I was a Special Agent with the Drug Enforcement Administration for two years. 2. As a federal agent, I am authorized to investigate violations of laws of the United States and to execute warrants issued under the authority of the United States. Case 1:10-mj-00291-AK Document 20-1 Filed 11/07/11 Page 2 of 36 The statements in this affidavit are based in part on information provided by the investigation to date and on my experience and background as a Special Agent of the FBI. The information set forth in this afiidavit concerning the investigation at issue is known to me as a result of my own involvement in that investigation or has beenprovided to me by other law enforcement professionals. Eince this affidavit is being submitted for the limited purpose of securing a search warrant, I have not included each and every fact known to me concerning this investigation. 3. This afiidavit is made in support of an application for a warrant pursuant to 18 U.S.C. 2703 and 42 U.S.C. 2000aa to compel Google, Incorporated, which functions as an electronic communication service and remote computing service, and is a provider of electronic communication and remote computing services (hereinafter "Google" or the located at 1600 Amphitheatre Parkway, Mountain View, California, to provide subscriber information, records, and the contents of limited wire and electronic communications pertaining to the account identified asgmail.com, herein referred to as the SUBJECT ACCOUNT. I have been informed by the United States Attomey's Office that because this Court hasjurisdiction over the offense under investigation, it may issue the warrant to compel the PROVIDER pursuant to 13 U.S.C. 4. The SUBJECT ACCOUNT is an e-mail account. As discussed below, investigation into the SUBJECT ACCOUNT indicates it is an e-mail account used by a national news reporter (hereinafter "the Reporter"). S55 18 U.S.C. 2703(a) governmental entity may require the disclosure by a provider . . . pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the ofi'ense under investigation . . . . . 2 Case Document 20-1 Filed 11/07/11 Page 3 of 36 5. For the reasons set forth below, I believe there is probable cause to conclude that the contents of the wire and electronic communications pertaining to the SUBJECT ACCOUNT, are evidence, fiuits and instrurnentalities of criminal violations of 18 U.S.C. 793 (Unauthorized Disclosure of National Defense Information), and that there is probable cause to believe that the Reporter has committed or is committing a violation of section 793(d), as an aider and abettor and/or co--conspirator, to which the materials relate. 6. Based on my training and experience, and discussions with the United States Attorney's Ofiice, I have learned that Title 18, United States Code, Section 793(d) makes punishable, by up to ten years imprisonment, the willfirl communication, delivery or transmission of documents and information related to the national defense to someone not entitled to receive them by one with lawful access or possession of the same. Specifically, section 793(d) states: Whoever, lawfully having possession of, access to, control over, or being entrusted with any document, writing, code book, signal book, sketch, photograph, photographic negative, blueprint, plan, map, model, instrument, appliance, or note relating to the national defense, or information relating to the national defense which information the possessor has reason to believe could be used to the injury of the United States or to the advantage of any foreign nation, willfully communicates, delivers, transmits or causes to be communicated, delivered, or transmitted or attempts to communicate, deliver, transmit or cause to be communicated, delivered or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it on demand to the oficer or employee of the United States entitled to receive it . . . shall be fined under this title or imprisoned not more than ten years or both. 18 U.S.C. 793(d). Further, section 793(g) makes a conspiracy to violate section 793(d) a violation of 793 and punishable by up to ten years imprisomnent. 18 U.S.C. 793(g). 7. Based on my training and experience, and discussion with the United States Case Document 20-1 Filed 11/07/11 Page 4 of 36 Attomey's Ofifice, I have learned that "classiIied" information is defined by Executive Order 1295 8, as amended by Executive Order 13292, and their predecessor orders, Executive Orders 12356 and 12065, as information in any form that: (1) is owned by, produced by or for, or under control of the United States government; (2) falls within one or more of the categories set forth in the Order; and (3) is classified by an original classification authority who determines that its unauthorized disclosure reasonably could be expected to result in damage to the national security. Where such damage could reasonably result in "exceptionally grave" damage to the national security, the information may be classified as Access to classified information at any level may be further restricted through compartrnentalization (SCI) categories, which further restricts the dissemination and handling of the information. 8. Based on my training and experience, and discussions with the United States Attorney's Omce, I have learned that the Privacy Protection Act (the codified at 42 U.S.C. 2000aa _e1_sgq., defines when a search warrant impacting media-related work product and documentary materials may be executed. Section 2000aa(a) of the PPA states, in pertinent part: Work product materials Notwithstanding any other law, it shall be unlawful for a government officer or employee, in connection with the investigation or prosecution of a criminal offense, to search for or seize any work product materials'? possessed by a person reasonably Section 2000aa-7(b) defines the terms "documentary materials" as follows: "Work product materials" as used in this chapter, means materials, other than contraband or the fi'uits of a crime or things otherwise criminally possessed, or property designed or intended for use, or which is or has been used, as a means of committing a criminal offense, and - 4 Case Document 20-1 Filed 11/07/11 Page 5 of 36 believed to have a purpose to disseminate to the public a newspaper, book, broadcast, or other similar form of public communication, in or affecting interstate or foreign commerce; but this provision shall not impair or afl'ect the ability of any government officer or employee, pursuant to otherwise applicable law, to search for or seize such materials, (1) there is probable cause to believe that the person" possessing such materials has committed or is committing the criminal ofiense to which the materials relate: Provided, however, That a government officer or employee may not search for or seize such materials under the provisions of this paragraph if the offense to which the materials relate consists of the receipt, possession, communication, or withholding of such materials or the infonnation contained therein (but such a search or seizure may be conducted under the provisions of this paragraph if the ofiense consists of the receipt, possession, or communication of information relating to the national defense, classified information, or restricted data under the provisions of section 793, 794, 797, or 798 of title 18, or [other enumerated statutes]) Other documents Notwithstanding any other law, it shall be unlawful for a government oflicer or employee, in connection with the investigation or prosecution of a criminal offense, to search for or seize documentary materials, other than work product materials,' possessed (1) in anticipation of communicating such materials to the public, are prepared, produced, authored, or created, whether by the person in possession of the materials or by any other person; (2) are possessed for the purposes of communicating such materials to the public; and (3) include mental impressions, conclusions, opinions, or theories of the person who prepared, produced, authored or created such material. 42 U.S.C. Section 2000aa-7(a) defines the terms "documentary materials" as follows: "Documentary materials" as used in this chapter, means materials upon which information is recorded, and includes, but is not limited to, written or printed materials, photographs, motion picture films, negatives, video tapes, audio tapes, and other mechanically, magnetically or electronically recorded cards, tapes, or discs, but does not include contraband or fiuits of a crime or things otherwise criminally possessed, or property designed or intended for use, or 5 Case Document 20-1 Filed 11/07/11 Page 6 of 36 by a person in connection with a purpose to disseminate to the public a newspaper, book, broadcast, or other similar form of public communication, in or afiecting interstate or foreign commerce; but this provision shall not impair or affect the ability of any government oficer or employee, pursuant to otherwise applicable law, to search for or seize such materials, (1) there is probable cause to believe that the person possessing such materials has committed or is committing the criminal offense to which the materials relate: Provided, however, That a government officer or employee may not search for or seize such materials under the provisions of this paragraph if the offense to which the materials relate consists of the receipt, possession, communication, or withholding of such materials or the information contained therein (but such a search or seizure may be conducted under the provisions of this paragraph if the offense consists of the receipt, possession, or communication of information relating to the national defense, classified information, or restricted data under the provisions of section 793, 794, 797, or 798 of title 18, or [other enumerated statutes]) 42 U.S.C. 2000aa(a) (emphasis added). Thus, section 2000aa(a) specifically exempts from its prohibitions cases in which there is probable cause to believe that the possessor of media related work product or documentary materials has committed a violation of section 793. I have been further informed that the legislative history of the statute indicates: The purpose of the statute is to limit searches for materials held by persons involved in First Amendment activities who are themselves not suspected of participation in the criminal activity for which the materials are sought, and not to limit the ability of law enforcement officers to Search for and seize materials held by those suspected of committing the crime under investigation. 3. Rep. No. 96-874 at 11 (1980), reprinted in 1980 U.S.C.C.A.N. 3950. I also have been informed that violations of the PPA do not result in suppression of the evidence, _Sfl3_ 42 U.S.C. 15 which is or has been used as, the means of committing a criminal offense. 42 U.S.C. Case Document 20-1 Filed 11/07/11 Page 7 of 36 but can result in civil damages against the sovereign whose officers or employees executed the search in violation of section 2000aa(a). 42 U.S.C. II. FACTS SUPPORTING PROBABLE CAUSE 9. In or about June 2009, classified United States national defense information was published in an article on a national news organization's website (hereinafter the "June 2009 article"). The June 2009 article was written by the Reporter who frequently physically worked out of a booth located at the main Department of State building located at 2201 Street, N.W., Washington, 10. The Intelligence Community owner of the classified information at issue (the "Owner") has informed the FBI that the June 2009 article disclosed national defense information that was classified TOP COMPARTMENTBD INFORMATION (TSISCI). It has also informed the FBI that the information was not declassified prior to its disclosure in the June 2009 article, that the information's public disclosure has never been lawfiilly authorized, and that the information remains classified at the level to this day. 11. Following the disclosure of the classified national defense information in the June 2009 article, an FBI investigation was initiated to determine the source(s) of the unauthorized disclosure. That investigation has revealed that the Owner's information disclosed in the June 2009 aificle was first made available to a limited number of Intelligence Community members in an intelligence report (the "Intelligence Report") that was electronically disseminated to the Intelligence Community outside of the Owner on the morning of the date of Case Document 20-1 Filed 11/07/11 Page 8 of 36 publication of the June 2009 article. The Intelligence Report was accessible on a classified information database that warned all Intelligence Community users seeking access to information in the database, through a "click through" banner, of the following: Due to recent unauthorized disclosures of sensitive intelligence, you are reminded of your responsibility to protect the extremely sensitive, compartmented intelligence contained in this system. Use of this computer system constitutes consent to monitoring of your actions. None of the intelligence contained in this system may be discussed or shared with individuals who are not authorized to receive it. Unauthorized use . . . is prohibited and violations may result in disciplinary action or criminal prosecution. 12. The Intelligence Report was clearly marked The security markings further instructed the reader that every portion of the information contained in the Intelligence Report was classified and was not authorized for disclosure without permission of the Owner. 13. The investigation has revealed that one individual who accessed the Intelligence Report through the classified database on the date of the June 2009 article (prior to the publication of the article) was Stephen Jin-Woo Kim.' Review of government records has revealed that Mr. Kim was born on--and was naturalized as a United States So far, the FBI's investigation has revealed in excess of 95 individuals, in addition to Mr. Kim, who accessed the Intelligence Report on the date of the June 2009 article and prior to its publication. To date, however, the FBI's investigation has not revealed any other individual, other than Mr. Kim, who Ml; accessed the Intelligence Report _a_mJ_ who also had contact with the Reporter on the date of publication of the June 2009 article. Thus far, the FBI's investigation has revealed four other individuals who have admitted to limited contacts with either the Reporter's news organization or the Reporter anywhere from six weeks, to six months, or to nine years prior to publication of the June 2009 article. The FBI's investigation of these contacts is on-going. All these individuals have denied being the source of the June 2009 article and the FBI has not discovered any information to date that would tend to discredit their statements. Case 1:10-mj-00291-AK Document 20-1 Filed 11/07/11 Page 9 of 36 citizen in 1988.5 Mr. Kim is a Lawrence Livermore National Laboratory employee who was on detail to the DoS's Bureau of Verification, Compliance, and Implementation (V Cl) at the time of the publication of the June 2009' article. VCI is responsible for ensuring that appropriate verification requirements are fully considered and properly integrated into arms control, nonproliferation, and disarmament agreements and to monitor other countries' compliance with such agreements. On his detail to VCI, Mr. Kim worked as a Senior Advisor for Intelligence to the Assistant Secretary of State for VCI. 14. Like the Reporter's booth at on the date of publication of the June 2009 article, Mr. Kim's VCI office was located at the headquarters building at 2201 Street, N.W., Washington, D.C. 15. Based on my training and experience, I have learned that classified information, of any designation, may be shared only with persons determined by an appropriate United States government oflicial to be eligible for access to classified information, that is, the individual has received a security clearance, has signed an approved non-disclosure agreement and possesses a "need to know" the information in question. If a person is not eligible to receive classified information, classified infonnation may not be disclosed to that person. 16. Govemment records demonstrate that, at all times relevant to this investigation, Mr. Kim possessed a security clearance. As a govemment employee with a security clearance, and prior to the disclosures at issue, Mr. Kim executed multiple SF 312 Classified Information Non-Disclosure Agreements (NDAs) with the Government. NDAs are legally 5 In prior affidavits in this matter seeking search warrants of Mr. Kim's e-mail accounts, the date of Mr. Kim's naturalization was erroneously reported as 1999 rather than 1988. 9 Case 1:10-mj-00291-AK Document 20-1 Filed 11/07/11 Page 10 of 36 binding agreements between an individual being granted, or already in possession of, a security clearance, and the United States Govemment wherein the parties agree that the individual never disclose classified information without the authorization of the Government. The NDAS further notified Mr. Kim that the unauthorized disclosure of classified information can lead to criminal prosecution, including for violations of 18 U.S.C. 793. 17. The Reporter did not possess a security clearance and was not entitled to receive the information published in the June 2009 article. Nor was Mr. Kim authorized, directly or indirectly, by the United States Govemrnent to deliver, communicate, or transmit the information in the article to the Reporter or any other member of the press. 18. Government electronic records revealed that between the hours the Intelligence Report was made available to the Intelligence Community on the morning of the publication of the June 2009 article, and the publication of the June 2009 article, the unique electronic user profile and password associated with Mr. Kim accessed at least three times the Intelligence Report that contained the information which later that day was disclosed in the June 2009 article.' Specifically, the Intelligence Report was accessed by Mr. Kim's user profile at or 5 Mr. Kim accessed the classified database in question through his work computer provided to him to process and access TOP information. The "click through" banner on Mr. Kim's classified computer permits the government's review of the data contained therein. It read: NOTICE AND CONSENT LOG-ON BANNER IS A DEPARTMENT OF STATE COMPUTER SYSTEM. THIS COMPUTER SYSTEM, INCLUDING ALL RELATED EQUIPMENT, NETWORKS, AND NETWORK DEVICES (SPECIFICALLY INCLUDING INTERNET ACCESS), ARE PROVIDED ONLY FOR AUTHORIZED U.S. GOVERNMENT USE. DOS COMPUTER SYSTEMS MAY BE MONITORED FOR ALL LAWFUL PURPOSES, INCLUDING TO ENSURE THAT THEIR USE IS AUTHORIZED, FOR MANAGEMENT OF THE SYSTEM, TO FACILIT ATE PROTECTION AGAINST UNAUTHORIZED l0 Case 1:10-mj-00291-AK Document 20-1 Filed 11/07/11 Page 11 of 36 around 11:27 11:37 and 11:48 am. on the date the article was published. security badge access records suggest that, at those times, Mr. Kim was in his VCI oflice suite where his DOS computer was located on which he would have accessed the Intelligence Report. 19. Telephone call records demonstrate that earlier on that same day, multiple telephone communications occurred between phone numbers associated with Mr. Kim and with the Reporter. Specifically: . - at or aroundl0:15 an approximate 34-second call was made from the Reporter's desk telephone to Mr. Kim's DOS desk telephone; - two minutes later, at or around 10:17 an approximate 11 minute 35 second call was made from Mr. Kim's desk telephone to the Reporter's desk telephone; ACCESS, AND TO VERIFY SECURITY PROCEDURES, SURVIVABILITY, AND OPERATIONAL SECURITY. MONITORING INCLUDES ACTIVE ATTACKS BY AUTHORIZED DOS ENTITIES T0 TEST OR VERIFY THE SECURITY OF THIS SYSTEM. DURING MONITORING, INFOR.MATION MAY BE EXAMINED, RECORDED, COPIED, AND USED FOR AUTHORIZED PURPOSES. ALL INFORMATION, INCLUDING PERSONAL INFORMATION, PLACED ON OR SENT OVER THIS SYSTEM MAY BE MONITOR.ED. USE OF THIS DOS COMPUTER SYSTEM, AUTHORIZED OR UNAUTHORIZED CONSTITUTES CONSENT TO MONITORING OF THIS SYSTEM. UNAUTHORIZED USE MAY SUBJECT YOU TO CRIMINAL PROSECUTION. EVHDENCE OF UNAUTHORIZED USE COLLECTED DURING MONITORING MAY BE USED FOR ADMINISTRATIVE, CRIMINAL OR OTHER ADVERSE ACTION. USE OF THIS SYSTEM CONSENT TO MONITORING FOR THESE PURPOSES. Further, Mr. Kim had to "click through" an additionai banner on the classified database where he accessed the Intelligence Report, as detailed in Paragraph 11 above, which stated that "use of this computer system constitutes consent to monitoring of your actions." Moreover, nos policy specifically prescribes that "personal use [of classified computers] is strictly prohibited; therefore, users do not have a reasonable expectation of privacy." 12 FAM 632.15; 5 FAM 723(2). In addition, the DoS's Foreign Affairs Manual states that ofiice spaces are subject to security inspections to insure that classified information is properly protected. Indeed, Mr. Kim's oflice was located in a secured facility within the main DOS building that was subject to daily inspections by rotating duty officers (sometimes including Mr. Kim himself) who were responsible for making sure that classified information in each of the offices within the facility was properly secured. II Case 1:10-mj-00291-AK Document 20-1 Filed 11/07/11 Page 12 of 36 - one hour later, at or around 11:18 an approximate 3 minute 58 second call was made from Mr. Kim's desk telephone to the Reporter's desk telephone; and - at or around 11:24 an approximate 18 second call was made from Mr. Kim's desk telephone to the Repo11er's DOS desk telephone. 20. Thereafter, telephone call records for Mr. K.i.m's oflice phone reveal that at or around the some time that Mr. Kim 's user profle was viewing the Intelligence Report two telephone calls were placed from his desk phone to the Reporter. Specifically, a call was made at or around 1 1:37 am (at or around the same time that Mr. Kim's user profile was viewing the Intelligence Report) from Mr. Kim's desk phone to the Reporter's desk phone located within the That call lasted approximately 20 seconds. Immediately thereafter, a call was placed by Mr. Kim's desk phone to the Reporter's cell phone. This second call lasted approximately 1 minute and 8 seconds. 21. In the hour following those calls, the FBI's investigation has revealed evidence suggesting that Mr. Kim met face-to-face with the Reporter outside of the Specifically, security badge access records demonstrate that Mr. Kim and the Reporter departed the DOS building at 2201 Street, N.W., at nearly the same time, they were absent fiom the building for nearly 25 minutes, and then they returned to the building at nearly the same time. Specifically, the security badge access records indicate: Mr. Kim departed at or around 12:02 p.m. followed shortly thereafter by The Reporter at or around 12:03 and - Mr. Kim returned to at or around 12:26 p.m. followed shortly thereafier by The Reporter at or around 12:30 p.m. 22. Within a few hours after those nearly simultaneous exits and entries at Dos, the 12 Case 1:10-mj-00291-AK Document 20-1 Filed 11/07/11 Page 13 of 36 June 2009 article was published on the Internet. Following the publication of the article, yet another call was placed from Mr. Kim's desk telephone to the Reporter's desk telephone number. This call lasted approximately 22 seconds. 23. In the evening of August 3 l, 2009, D08 Diplomatic Security entered Mr. Kim's office space, without his knowledge, pursuant to intemal regulations, procedures, and computer banner authority for purposes of imaging his computer hard drives. Lying in plain view on Mr. Kim's desk next to his computer was a photocopy of the June 2009 article as well as two other articles published in June 2009. All three articles were stapled together. These three articles were also observed on Mr. Kim's desk during entries made in his oflice space on September 21 and 22, 2009. 24. On September 24, 2009, the FBI conducted a non-custodial interview of Mr. Kim conceming the leak of classified infonnation in the June 2009 article, among other leaks of classified information. During that interview, Mr. Kim denied being a source of the classified information in the June 2009 article. Mr. Kim also claimed to have no recollection of one of the other two articles which were seen in plain view on his desk on August 31, 2009. Mr. Kim admitted to meeting the Reporter in approximately March 2009 but denied having any contact with the Reporter since that time. Mr. Kim acknowledged that protocol required that he would have to go through the press office before he could speak with the press. Mr. Kim stated, wouldn't pick-up a phone and call [the Reporter] or [the news organization that the Reporter works for]." 25. An analysis of call records for Mr. Kim's desk phone reveals that between May 26, 2009 and July 14, 2009, 36 calls were placed to or received from telephone numbers 13 Case 1:10-mj-00291-AK Document 20-1 Filed 11/07/11 Page 14 of 36 associated with the Reporter, including the 7 aforementioned calls on the date of the publication of the June 2009 article. Further, there were 3 calls during this tirneframe between his desk phone and a number associated with the Reporter's news organization. 26. During the September 24, 2009 non-custodial interview, when asked by the FBI for a cell phone number to reach him in the future, Mr. Kim stated that his cell phone was "no longer active" as of the day of the interview. Mr. Kim indicated to the FBI that he would be purchasing a new cell phone with a different number. 27. An analysis of call records for Mr. Kim's cellular phone reveals that between May 26, 2009 and June 30,2009, 16 calls were placed to or received from telephone numbers associated with the Reporter and 0 calls? were placed to or received from telephone numbers associated with the Reporter's news organization. 28. It is apparent from the foregoing both that Mr. Kim was in contact with the Reporter on multiple occasions prior to and afler the publication of the June 2009 article, and that Mr. Kim did not want the FBI, who he knew was investigating the leak of classified information in that article, to know about those contacts. The FBI has also learned that, following its interview with Mr. Kim, he provided the Department of Energy - for which Mr. Kim's permanent employer, LLNL, is a sub-contractor - with "pre-paid" cell phone number 7 In prior affidavits in this matter seeking search wanants of Mr. Kim's e~rnail accounts, it was reported that there were 1 calls between Mr. Kim's cellular phone and telephone numbers associated with the Reporter's news organization. Mr. Kim's toll records for his cellular phone do, in fact, list 11 such cells. Further review of those records suggested, however, that one of the calls may have been double counted by Mr. Kim's cellular telephone service provider. Discovering this discrepancy, the service provider was contacted and indicated that what appears to be two calls on the toll records was, in fact, only a single cell. Accordingly, in this affidavit, I have corrected the total of the calls between Mr. Kim's cellular telephone and telephone numbers associated with the Reporter's news organization to reflect that there were only 10 such calls. 14 Case Document 20-1 Filed 11/07/11 Page 15 of 36 (sometimes referred to as a "throw away" phone) that he instructed representatives to use in the future to contact him about future employment opportunities. 29. Similarly, during the same September 24, 2009 non-custodial interview, M.r. Kim told the FBI that the best e-mail address through which to contact him was myahoocom. One day later, Mr. Kim e-mailed the FBI and stated that yahoo account that I gave you is full and am [sic] going reached at mgrnailcom." It is apparent from the foregoing that, like his cell phone number, Mr. Kim was concerned about the FBI focusing on his e-mail account. 30. Following the FBI's interview of Mr. Kim on September 24, 2009, FBI and DoS/Diplomatic Security entered Mr. Kim's office on the evening of September 26, 2009. The stapled photocopies of the three articles containing classified information (including the June 2009 article) seen next to Mr. Kim's computer on August 31, 2009, September 21 and 22, 2009, were no longer present in Mr. Kim's oflice on September 26"' -- two days after his interview with the FBI wherein he was questioned about the unauthorized disclosures of classified information in the June 2009 article. 31. A forensic analysis of the hard drive imaged from Mr. Kim's unclassified DOS computer,' has revealed an e-mail communication, dated July 11, 2009, from the Reporter's 8 The "click through" banner on Mr. Kim's unclassified computer permits the govemment's review of the data contained therein. It reads as follows: You are accessing a U.S. Government information system, which includes (1) this computer, (2) this computer network, (3) all computers connected to the network, and (4) all devices and storage media attached to this network or to a computer on this network. This information system is provided for U.S. Government-authorized use only. 15 Case 1:10-mj-00291-AK Document 20-1 Filed 11/07/11 Page 16 of 36 Unauthorized or improper use of this system may result in disciplinary actions, as well as civil and criminal penalties. By using this infonnation system, you -understand and consent to the following: You have no reasonable expectation of privacy regarding any communications or data transiting or stored on this information system. At any time, and for any lawful government purpose, the government may monitor, intercept, and search and seize any communication or data transiting or stored on this information system. Any communications or data transiting or stored on this information system may be disclosed or used for any lawful government purpose. Nothing herein consents to the search and seizure of a privately-owned computer or other privately owned communications device, or the contents thereof, that is in the system user's home. Further, when he first started at the in June 2008, Mr. Kim signed an "Intemet Briefing Acknowledgement" and "Security Briefing for OpenNet+ Account" forms, both of which stated that he understood that his use of Govemment provided Internetand of his OpenNet+ account "may be monitored at any time." He also signed a "Waiver Statement Form," wherein he acknowledged that he understood that 0 he did "not have a reasonable expectation of privacy concerning the data on [his] computer;" 0 "All data contained on [his] computer may be monitored, intercepted, recorded, read, copied, or captured in any manner by authorized personnel. For example supervisors, system personnel or security personnel may give law enforcement officials any potential evidence of crime, fiaud, or employee misconduct found on [his] computer." 0 "Law enforcement may be authorized to access and collect evidence from [his] computer." 0 "Authorized personnel will be routinely monitoring [his] computer for authorized purposes." 0 "Consequently, any use of [his] computer by any user, authorized or unauthorized, constitutes DIRECT CONSENT to monitoring of [his] computer." Similarly, while DOS policy permits limited personal use of the Intemet and personal e-mail through an Internet connection, that policy also states: Employees have no expectation of privacy while using any U.S. Govemment-provided access to 16 Case Document 20-1 Filed 11/07/11 Page 17 of 36 e--mail account to an e-mail account entitled - yahoocorn. The e-mail from the Reporter forwarded another e-mail from other news reporters which included in its body a news article (not written by the Reporter) that would appear in the Washington Times (not the Reporter's news organization) the following day, July 12, 2009. This e-mail was found in the unallocated space located on Mr. Kim's unclassified hard drive. I have been informed that when a computer file is deleted, the deleted file is flagged by the operating system as no longer needed, but remains on the hard disk drive in unallocated space unless the date is later overwritten. 32. Electronic evidence retrieved from Mr. Kim's unclassified workstation also revealed that on September 24, 2009, following his interview with the FBI, Mr. Kim's user profile logged into theS@yahoo.com account through an DOS Internet connection accessed through his unclassified workstation. security badge access records suggest that Mr. Kim was in his VCI office suite where his Des unclassified workstation was located when account was accessed on September 24, 2009. While accessing that account on his DOS computer, Mr. Kim's user profile observed e-mails in that account from an e-mail account entitled gmail.com (which is the subject matter of the Government's request for a warrant here). Mr. Kim's profile also observed e-mails between the Reporter's work e-mail and Scyyahoocorn, the e--mail account the Internet. The Department considers electronic mail messages on U.S. Government computers, using the Internet or other networlrs, to be government materials and it may have access to those messages whenever it has a legitimate purpose for doing so. Such messages are subject to regulations and laws covering government records, and may be subject to Freedom of Information Act (FOIA) request or legal discovery orders." 5 FAM 723 (4). 17 Case 1:10-mj-00291-AK Document 20-1 Filed 11/07/11 Page 18 of 36 identified by Mr. Kim as his own during his September 24, 2009 interview with the FBI, but which, one day later, he told the FBI was "full" and that he was "going to get rid of it." 33. During the Internet session described above on September 24, 2009, Mr. Kim attempted to clear his "Temporary interact Files." I have been informed that deletion of Temporary Internet Files created by a web browser software application moves the cached content of internet sites visited to unallocated space, which, again, is space on the hard drive flagged by the operating system as being available for overwriting. 34. On November 9, 2009, Search warrants were executed on both the _@yahoo.corn and _@yahoo.corn e--1:nail accounts. Those searches revealed multiple e-mails between Mr. Kim and the Reporter dating between May 1 1, 2009 and August 15, 2009. Review of these emails demonstrates that E133/ahoo.com and are e-mail accounts used by Mr. Kim and E@gmail.com is an account used by the Reporterg to receive from Mr. Kim and perhaps other sources. Further, in their e-mail communication, Mr. Kim and the Reporter appear to have employed aliases Mr. Kim is "Leo" and the Reporter is "Alex"). The content of the e-mail communications also demonstrate that Mr. Kim was a source for the Reporter concerning the foreign country that was the subject matter of the June 2009 article (the "Foreign Country") and that the Reporter solicited the disclosure of intelligence information from Mr. Kim concerning that country. A chronological listing and description of the most is not the name of the Reporter. Rather, this e--mail account was apparently named after a former Deputy Assistant to President Richard Nixon who is best known as the individual responsible for the secret taping system installed in the Nixon White House, and who exposed the existence of that taping system when he testified before Congress during the Watergate hearings. 18 Case 1:10-mj-00291-AK Document 20-1 Filed 11/07/11 Page 19 of 36 pertinent e--mails is as follows: gmaihcom reads: A Mai 11' 2009 e--mail from E@yahoo.com to I am back from my trip. Here is my personal information. Please send me your personal cell number. I believe you have mine. It was great meeting you. Thanks, Stephen (Mr. Kim attached to this e-mail his resume and a biographical description, both of which noted his access to classified information and his expertise concerning the Foreign Country). A May 20, 2009 e-mail from gmailcorn to yahoocom responding to the above May 2009 e-mail outlines a clandestine comrnunications plan between Mr. Kim and the Reporter. In the e- mail, the Reporter solicits Mr. Kim as a source of sensitive andlor internal government doemnents (italicized below). It reads: Your credentials have never been doubted -- but I am nonetheless grateful to have the benefit of a chronological listing of your postings and accomplishments. I only have one cell phone number, on my Blackberry, which I gave you 202-[phone number for the Reporter]. Unfortunately, when I am seated in my booth at the State Department, which is much of every day, it does not get reception. thus [sic] I instruct individuals who wish to Contact me simply to send me an c-mail to this address gmail.com]. One asterisk means to Contact them, or that previously suggested plans for communication are to proceed as agreed; two asterisks means the opposite. With all this established, and presuming you have read/seen enough about me to know that I am trustworthy . . . let's get about our Work! What do you want to accomplish together? As I told you when we met, I can always go on television and say: "Sources tell [name of the Reporter '5 national news organization] But I am in a. much better position to advance the interests of all concerned If] can say: "[Nome of the Reporter 's national news organization] has obtained . . . Warmest regards, [first name of Reporter]. 19 Case 1:10-mj--00291-AK Document 20-1 Filed 11/07/11 Page 20 of 36 [Emphasis added] Another May 20, 2009 e-mail from 5 . yahoocoro, the body of which states: Please forgive my delay in replying to you. I was on vacation out of town Yours faithfully, [first name of Reporter] A Ma 22, 2009 e--mail from gmailcom to yahoocom in which the Reporter explicitly seeks from Mr. Kim the disclosure of intelligence information about the Foreign Country. It reads: Thanks Leo. What I am interested in, as you might expect, is breaking news ahead of my competitors. I want to report authoritatively, and ahead of my competitors, on new initiatives or shifts in US. policy, events on the ground in [the Foreign Country], what intelligence is picking up, etc. As possible examples: Pd love to report that the ICM sees activity inside [the Foreign Country] suggesting [description of national defense information that is the subject of the intelligence disclosed in the June 2009 article]. I'd love to report on what the hell [a named U.S. diplomat with responsibilities for the Foreign Country] is doing, maybe on the basis of internal memos detailing how the US. plans to [take a certain action related to the Foreign Country] (if that is really our goal). I'd love to see some internal State Department analyses about the state of [a particular progam within the Foreign Country that was the subject matter of the June 2009 article], about [the leader of the Foreign Country]. . . . In short: Let's break some news, and expose muddle-headed policy when we see it -- or force the administration's hand to go in the right direction, if possible. The only way to do this is to EXPOSE the policy, or what the [Foreign Country] is up to, and the only way to do that authoritatively is with EVIDENCE. Yours faithfully, Alex. [Emphasis added] Mr. Kim forwarded an email containing the above Ma 22, 2009 gmail.corn email to his @yahoo.com at 10:57 is a common acronym denoting "Intelligence Community." 20 Case 1:10-mj-00291-AK Document 20-1 Filed 11/07/11 Page 21 of 36 am. on the date of the June 2009 article. At the time of this e~mail, badge records indicate that Mr. Kim and the Reporter were outside the building, having left the building at approximately the same time. The content of the forwarded e-mail is blank, but the subject line is "Fw: Re: here." (1). In an e-mail dated in June 2009, following the publication of the June 2009 article, the Reporter forwarded from the Re orter's work e-mail account (which spells out the Reporter's name) to thehyahoosom account the following e-mail from another reporter associated with the Reporter's national news organization. It reads: Hi [first name of Reporter] - wondering if you would like to check with your sources on something we are hearing but can't get totally nailed down over here. It seems that the Government is concerned about something related to the Foreign Country] and is watching it very closely . . . We can't get many more details than that right now - but our source said if we could find [a specific detail] elsewhere he would give us more. Though you might be able to squeeze out a few details and we could double team this one . . . . Many thanks, dear friend . . . ., [Name of second reporter associated with Reporter's national news organization] The Reporter then forwarded the above e-mail asking for the Reporter to "squeeze out a few details" about the Foreign Country fi'om the Reporter's "sources" to Mr. Kim at his _@yahoo.com account and included the following introductory note: Leo: From the [Reporter's national news organization] Pentagon correspondent. I am at office number at the Reporter's news organization] today. Hugs and kisses, Alex" One day after this e-mail was sent, toll records indicate that Mr. Kim placed a six-and-a-half minute phone call to the Reporter's office number at the Reporter's news organization (as requested in the above- referenced e-mail). Case 1:10-mj--00291-AK Document 20-1 Filed 11/07/11 Page 22 of 36 35. - in June 2009 from the Reporter's work e-mail to yahoocom containing a subject referencing the Foreign Country. The content of the email included only the Reportcr's phone number next to an asterisk which, according to the May 20, 2009 e-mail described above, was the Repotter's signal that Mr. Kim should call him." A Jul 11 2009 e~tnail from the Reporter's work e-mail to fi@yahoo.con1 attaching, without comment, a news article dated the following day from another national news organization concerning the intelligence community. A Jul 12, 2009 e-mail from the Reporters work e--mail to &4;yahoo.com attaching, without comment, a news article dated the following day from another national news organization concerning the Foreign Country. An August l5, 2009 e-mail from account to the Reporter's work email account, which states: Hope you are alright but I sense that they are not. An August 15, 2009 e-mail from the Reporter's work e-mail responding to the above e-mail, and stating: Leo, You are most perceptive and I appreciate your inquiry. Call me at work on Monday {at the Reporter's work phone number] and I will tell you about my reassignment. In the meantime, enjoy your weekend! Alex (The electronic signature to this e-mail following the word "Alex" identifies the Reporter by the Reporter's full name, phone number, e--mail address, and media organization). The FBI conducted a second non-custodial interview of Mr. Kim on March 29, '2 On the date of this e-mail, Mr. Kim was traveling outside of the United States. Mr. Kim's toll records do not indicate that Mr. Kim called the Reporter after this e-mail was sent. They do indicate, however, that three minutes after this e-mail was sent, a 53 second call was placed from a number associated with the Rcporter's news organization to Mr. Kim's cell phone. 22 Case Document 20-1 Filed 11/07/11 Page 23 of 36 2010. During the interview Mr. Kim made a number of admissions, including: confirming that the Owner's information disclosed in the June 2009 article was national defense information and most of it, in Mr. Ki.m's mind, was properly classified at the TOP SECRET level; confirming that the same disclosures in the June 2009 article were, in Mr. Kim's mind, "egregious," "bad" and harmful to the national security in a number of respects which he described in detail; acknowledging that, while he could not recall the specifics of the Intelligence Report, be was "fairly certain" he had reviewed it and agreed that if electronic records indicated that he had accessed the Report then he did so; agreeing that the Owner's information disclosed in the June 2009 article appeared to be derived from the Intelligence Report with only one difference that he described as a "subtle nuance;" acknowledging that he had received extensive training on the handling of classified information, and had executed multiple classified information non- disclosure agreements with the Govemment; confirming that he understood the classification markings that were prominently displayed on the Intelligence Report; admitting that the Owner's information disclosed in the June 2009 article, to his lcnowledge, did not "match" information in the public domain, but advising that "bits and pieces" of the article were possibly derived from open source information; acknowledging that he understood the security banner on the classified computer database and that his actions were subject to monitoring; re--stating his false statement from his interview with the FBI on September 24, 2009, that he had no contact with the Reporter alter they first met in March 2009; after being confronted with the evidence of his extensive contacts with the Reporter in the months after they first met, first stating that his calls with the Reporter had been facilitated by an unidentified "friend" and that he did not inform the FBI of his telephone contacts with the Reporter because he did not consider then "direct contacts;" but then later (ii) openly admitting during the interview that he had "lied" to the FBI about the extent of his relationship with the Reporter because he was "scared" that the FBI might investigate him for the leak; 23 Case 1:10-mj-00291-AK Document 20-1 Filed 11/07/11 Page 24 of 36 0 while denying that he had met face-to-face with the Reporter on the date of the June 2009 article, admitting that he had met with the Reporter outside of the building at other times including once following the FBI's September 24, 2009 interview; 0 admitting that the emails seized during the FBI's investigation were, in fact, emails between himself and the Reporter; 0 admitting, after being asked the question a number of times, that "Leo Grace" was an alias used in the e-mails for himself and that "Alex" was an alias used by the Reporter, and 0 while asserting that th . 15-: I yahoo.com account pre-dated his relationship with the Reporter, stating that it was the Reporter's idea to use covert e-mail communications as a means of compartmentalizing the information and a way for Mr. Kim to "feel comfortable talking with [the Reporter]." 36. According to the FBI agents who conducted the interview, during the interview, Mr. Kim never provided a coherent explanation for the evidence of his extensive contacts with the Reporter including on the date of the leak in question. At one point, he indicated that he was communicating with the Report hoping that the Reporter "could help put him in a think tank." Mr. Kinfs reaction to the evidence was mostly stunned silence, although at one point he admitted that some of the evidence was "very disturbing." Nevertheless, Mr. Kim denied that he was a source for the Reporter or had knowingly provided the Reporter with classified documents or information. Mr. Kim claimed to have Specifically informed the Reporter that the Reporter "won't get stuff out of me," to which the Reporter allegedly replied, don't want anything." Mr. Kim did admit, however, that he may have "inadvertently" confirmed information that he believed the Reporter had already received from other individuals. Mr. Kim made further 24 Case 1:10-mj-00291-AK Document 20-1 Filed 11/07/11 Page 25 of 36 statements which could fairly be characterized as either a confession or a near confession 37. I3. did not purposely discuss the [Intelligence Report], but might have discussed [some of the topics discussed in the Report "Maybe I inadvertently confirmed something . . . too stubborn to not . . . . just don't know . . . someone values my views, listens up,. . . maybe I felt flattered. [The Reporter] is a very affable, very convincing, persistent person. [The Reporter] would tell me I was brilliant and it is possible I succumbed to flattery without knowing it. Maybe it was my vanity. [The Reporter] considers me an expert and would tell me . . . could use my insightbig macho game but I would never say I'm read in to this and you are not. I would never pass [the Reporter] classified." "[The Reporter] exploited my vanity." personal and professional training told me not to meet people like [the Reporter]. I felt like while on the phone I was only confinning what he already knew. I was exploited like a rag doll. [The Reporter] asked me a lot of questions and got me to talk to him and have phone conversations with him. [The Reporter] asked me a lot, not just specific countries. [The Reporter] asked me how nuclear weapons worked." "It's apparent I did it. I didn't say 'did you see this?' I think I did it. I can't deny it. I didn't give [the Reporter] the [specific intelligence infonnation in the article]. I didn't provide him with the stuff." don't think I confirmed . . . maybe I inadvertently confirmed in the context of other conversations [with the Reporter]. It wasn't far-fetched that the information was out there. I would not talk over an open line about intelligence. I did not leak classified." Finally, Mr. Kim opined that "someone either gave [the Reporter] the [the Intelligence Report] or it was read to [the Reporter] over the telephone." During his interview, Mr. Kim also consented to a physical search of his condominium in McLean, Virginia. No hard-copy classified documents or other hard-copy materials directly related to the leak at issue were found during the search of Mr. Kim's The FBI interview was not audio or video taped. What follows are excerpts from an FBI report memorializing the interview. 25 Case 1:10-mj-00291-AK Document 20-1 Filed 11/07/11 Page 26 of 36 condominium. During the search the FBI recovered three computers that are presently being analyzed. Thus far, no information relevant to this investigation has been identified on those computers. 38. The text of the June 2009 article reflects the Reporter's lcnowledge and understanding that the information the Reporter had received was intelligence information the disclosure of which could be harmful to the United States. 39. or. (0. (3) I conclude from the foregoing that there is probable cause to believe that: From the beginning of their relationship, the Reporter asked, solicited and encouraged Mr. Kim to disclose sensitive United States internal documents and intelligence information about the Foreign County. Indeed, in the May 20, 2009 e-mail, the Reporter solicits from Mr. Kim some of the national defense intelligence information that was later the subject matter of the June 2009 article; The Reporter did so by employing flattery and playing to Mr. Kim's vanity and 3305 Much like an intelligence oficer would run an clandestine intelligence source, the Reporter instructed Mr. Kim on a covert communications plan that involved the e- mail of either one or two asterisks to what appears to be a e-mail account set up by the Reporter, gmail.com, to facilitate communication with Mr. Kim and perhaps other sotmces of information; To conceal further their communications, the Reporter and Mr. Kim employed aliases in their e-mail communication to each other Mr. Kim is "Leo" and the Reporter is "Alex"); The Reporter was in repeated telephone contact with Mr. Kim prior to, and on the day of, the leak of the classified infonnation in question; On the day of the leak, Mr. Kim was on the telephone with the Reporter at or around the same time that Mr. Kim was viewing the Intelligence Report containing TOP national defense information about the Foreign Country; The text of the June 2009 article reflects the Reporter's knowledge and understanding that the information the Reporter had received was intelligence 26 Case 1:10-mj-00291-AK Document 20-1 Filed 11/07/11 Page 27 of 36 information the disclosure of which could be harmful to the United States; Ch). Nevertheless, the Reporter published an article on the Internet containing the TOP national defense information about the Foreign Count:ry that was in the Intelligence Report; Thereafter, it appears the Reporter retumed the favor by providing Mr. Kim with news articles in advance of their publication concerning intelligence matters and the Foreign Country and (ii) continued to contact Mr. Kim as a source when the Reporter's colleagues needed sensitive government information about the Foreign Country. 40. Based on the foregoing, there is probable cause to believe that the Reporter has committed a violation of 18 U.S.C. 793 (Unauthorized Disclosure of National Defense Information), at the very least, either as an aider, abettor andlor co-conspirator of Mr. Kim. ITEMS TO BE SEIZED 41. Further, based on the foregoing, there is probable cause to believe that evidence material to this investigation will be found in the gmail.com account While the searches of Mr. Kim's e-mail accounts have revealed a number of e-mails between Mr. Kim and the Reporter, certain of those e--mails indicate that there are additional e-mail communications that have not been recovered by the FBI and that, if they still exist, would likely be found in the _4}gmail.com account. Specifically, the searches of Mr. K.im's _@yahoo.com e--mail account did not reveal his responses to the May 20, 2009 or May 22, 2009 e-mails from the Reporter soliciting sensitive, intemal and/or intelligence information about the Foreign Country. The May 22, 2009 e-mail from the Reporter, for example, begins "Thanks Leo. Whatl am interested in, as you might expect, is breaking news ahead of my competitors." Thus, the May 22nd e-mail is a response from the Reporter to an earlier e-mail fi'om Mr. Kim apparently inquiring as to what kind of information the Reporter 27 Case 1:10-mj--00291-AK Document 20-1 Filed 11/07/11 Page 28 of 36 was interested in receiving. Further, the subject line of the e-mail is "Re: here," indicating that there was a prior e-mail from Mr. Kim to the Reporter with the subject line "here." That e-mail - sent from Mr. Kim to the Reporter just following the Reporter's May 20, 2009 solicitation of information from Mr. Kim - was not found in the searches of Mr. Kim's e-mail accounts. It is reasonable to believe that this and other e-mails sentfiom M'r. Kim to the Reporter would exist in the "in-box" of the gmaihcom account. Mr. Kim's missing responses to the Reporter's e-mails would materially assist the FBI's investigation as they could be expected to establish further the fact of the disclosures, their content, and Mr. Kim's and the Reporter's intent in making them, and could be expected to constitute direct evidence of their guilt or innocence. 42. The June 2009 article was published on June 11, 2009. The Owner's information published in that article was first disseminated to representatives of the United States on June 10, 2009. 43. Further, it would materially assist the FBI's investigation to review all e-mails in the Reporter's gmailcom account on these two days to potentially establish by direct evidence the fact of the disclosures. Further, because we know that Mr. Kim was in contact with the Reporter through this account, it is reasonable to believe that any other sources the Reporter may have had with regard to the Foreign Country, if any, would similarly use the _@gmail.com account to communicate with the Reporter, particularly given the statement in the May 20, 2009 e--mail that the Reporter "instructs individuals who want to reach" the Reporter to send an e-mail to that account. 44. Accordingly, the FBI submits that Google should be ordered to produce in 28 Case 1:10-mj-00291-AK Document 20-1 Filed 11/07/11 Page 29 of 36 response to this warrant: all communications, on whatever date, between gmailcom and Mr. Kim's known e-mail accounts, ahoo.corn,ahoo.com, and gmail.com; and (ii) all communications "to" or "from" the gmail.com on June 10"' and 2009. 45. While it is not required for a warrant to issue under section 2000aa, the FBI has exhausted all reasonable non--media alternatives for collecting the evidence it seeks. We seek e- mails between the Reporter and Mr. Kim that we have probable cause to believe existed. To gather that evidence, we have the option of searching either the Reporter's or Mr. Kim's e-mail accounts. Our searched of Mr. Kim's e-mail accounts have not yielded all the e-mails between him and the Reporter that our evidence to date demonstrates exist. Other than asking the Reporter for a voluntary production of the e-mails firom thegmaihcom account, there is no other way to get the evidence we rightfully seek. Because of the Reporter's own potential criminal liability in this matter, we believe that requesting the voluntary production of the materials from Reporter would be futile and would pose a substantial threat to the integrity of the investigation and of the evidence we seek to obtain by the warrant. 46. Based on the above, there is probable cause to believe that the Reporter (along with Mr. Kim) has committed a violation of 18 U.S.C. 793(d) either as Mr. Kim's co- conspirator andlor aider and abettor, and that evidence of that crime is likely contained within the gmaihcom account. Accordingly, the FBI's request to search the contents of A Google representative has indicated that, if ordered by a court as part of a search wanant, Google can produce e-mail communications between certain e-mail accounts. 29 Case Document 20-1 Filed 11/07/11 Page 30 of 36 that account falls squarely within section exception permitting searches of media- related work product materials, even when possessed by a national news reporter because there is "probable cause to believe that the person possessing such materials has committed or is committing the criminal offense to which the materials relate." 42 U.S.C. 2000aa(a). 47. On October 2, 2009, the FBE submitted a preservation letter to Google, pursuant to 18 U.S.C. 2703(1), requesting that the contents orggmastcom be preserved. On January 15, 2010, a second preservation letter for the account was sent to Google. This second preservation letter was 15 days over the 90-day limit for preservation prescribed by 18 U.S.C. 27036). Thus, there remains the possibility that relevant content in the account has been deleted." Nevertheless, we consider that possibility remote because, to the FBI's knowledge, in January 2010, neither Mr. Kim nor the Reporter knew that Mr. Kim was a target of this investigation nor that the existence of the - gmailcom account was known to the FBI. On April 9, 201 0,,another 90~day extension of the preservation order was permitted by Google, Inc. for the account. IV. COMPUTERS, THE INTERNET, AND 48. I have received training from the FBI related to computer systems and the use of computers during criminal investigations. Based on my education, training and experience, and information provided to me by other law enforcement agents, I know the following: The Internet is a worldwide computer network that connects computers and allows communications and the transfer of data and information across state and national boundaries. The term "computer", as used herein, is defined in 13 U.S.C. l030(e)(I) and includes an electronic, magnetic, optical, electrochemical, or '5 On January 21, 2010, Google refused to confirm to an FBI agent whether there is any content in the account without service of formal process. 30 Case 1:10-mj-00291-AK Document 20-1 Filed 11/07/11 Page 31 of 36 49. other high speed data processing device performing logical, arithmetic, or storage and includes any data storage facility or communications facility directly related to or operating in conjunction with such device. A computer user accesses the Internet through a computer network or an Internet Service Provider (ISP). E-mail, or electronic mail, is a popular method of sending messages and files between computer users. When a computer user sends an e-mail, it is created on the sender's computer, transmitted to the mail server of the sender's e-mail service providers, then transmitted to the mail server of the recipient's e-mail service provider, and eventually transmitted to the recipient's computer. A server is a computer attached to a dedicated network that serves many users. Copies of e-mails are usually maintained on the recipient's e-mail server, and in some cases are maintained on the sender's e-mail server. Based on my training and experience, and information provided to me by other law enforcement agents, I know the following: First, searches of c-mail accounts usually provide information that helps identify the user(s) of the e-mail accounts. Second, individuals who use e- mail in connection with criminal activity, or activity of questionable legality, ofien set up an e- mail account to be used solely for that purpose. This is ofien part of an efihrt to maintain anonymity and to separate personal communication from communication and information that is related to the criminal activity. Third, when the criminal violation involves a conspiracy, a search of an e-mail account often allows the identification of any co-conspirators. V. BACKGROUND REGARDING GOOGLE 50. Based on my training and experience, I have learned the following about Google: Google is an internet services company that, among other things, provides e-mail services (known as grnail). Subscribers obtain an account by registering on the Internet with Google. Google requests subscribers to provide basic information, such as name, gender, zip code and other personal/biographical information. However, Google does not verify the information provided. Google is located at 1600 Amphitheatre Parkway, Motmtain View, California. Google maintains electronic records pertaining to the subscribers of its e-mail 31 Case 1:10--mj-00291--AK Document 20-1 Filed 11/07/11 Page 32 of 36 (C services. These records include account access information, e--mail transaction information, and account application information. Subscribers to Google may access their Goo gle accounts using the Internet. 'B-mail messages and files sent to a gmail account are stored in the account's "inbox" as long as they are not identified as the account has not exceeded the maximum storage limit, and the account has not been set to forward messages or download to an e-mail client with the option "delete gmail's copy." Ifthe message/file is not deleted by the subscriber, the account is below the maximum storage limit, and the account has not been inactivated, then the message/file will remain on the server indefinitely. Email messages and filed sent from at gmail account will remain on the server indefinitely unless they are deleted by the subscriber. Google provides POP3 access for gmail accounts. POP3 is a protocol by which e- mail client sofiware such as Microsoft Outlook or Netscape Mail can access the servers of an e-mail service provider and download the received messages to a local computer. If POP3 access is enabled, the account user can select to keep a copy of the downloaded messages on the server or to have the messages deleted from the server. The default setting for gmail accounts is to keep a copy of the messages on the server when POP3 access is enabled. Gmail subscribers can also access their accounts through an e-mail client such as Microsofi Outlook by using the IMAP protocol. When gmail subscribers access their accounts through IMAP, a copy of the received messages remains on the server unless explicitly deleted. A Google subscriber can store files, including e-mails, text files, and image files, in the subscriber's account on the servers maintained and/or owned by Google. E-mails and other files stored by a Google subscriber in a Google account are not necessarily also located on the computer used by the subscriber to access the Google account. The subscriber may store e-mails and other files in their Google account server exclusively. A search of the files in the subscriber's computer will not necessarily uncover the files that the subscriber has stored on the Google server. In addition, communications sent to the Google subscriber by another, but not yet retrieved by the subscriber, will be located on the Google server in the subscriber's account, but not on the computer used by the subscriber. Computers located at Google contain information and other stored electronic communications belonging to unrelated third parties. As a federal agent, I am trained and experienced in identifying communications relevant to the crimes under investigation. The personnel of Google are not. I also know that the manner in which the data is preserved and analyzed may be critical to the 32 Case Document 20-1 Filed 11/07/11 Page 33 of 36 successful prosecution of any case based upon this evidence. Computer Forensic Examiners are trained to handle digital evidence. Google employees are not. It would be inappropriate and impractical, however, for federal agents to search the vast computer network of Google for the relevant accounts and then to analyze the contents of those accounts on the premises of Google. The impact on Google's business would be severe. vr. wnu: AND COMMUNICATIONS 51. 18 U.S.C. 2701-2711 is called the "Electronic Communications Privacy Act." 18 U.S.C. 2703(a) provides, in part: A governmental entity may require the disclosure by a provider of electronic communication service of the contents of an electronic communication that is in electronic storage in an electronic communications system for one hundred and eighty days or less, only pursuant to a warrant issued under the Federal Rules of Criminal Procedure or equivalent State warrant. A govemmental entity may require the disclosure by a provider of electronic communication that has been in electronic storage in an electronic communications system for more than one hundred and eighty days by the means available under subsection of this section. 18 U.S.C. 2703(b) provides, in part: (1) A governmental entity may require a provider of remote computing service to disclose the contents of any wire or electronic communication to which this paragraph is made applicable by paragraph (2) of this subsection -- (A) Without required notice to the subscriber or customer, if the governmental entity obtains a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation or equivalent State warrant; or . . . . (2) Paragraph (1) is applicable with respect to any wire or electronic communication that is held or maintained on that service -- (A) On behalf of, and received by means of electronic transmission fi'om (or created by means of computer processing of communications received by means of electronic transmission 33 Case 1:10-mj-00291-AK Document 20-1 Filed 11/07/11 Page 34 of 36 (c (D- fiom), a subscriber or customer of such remote computing service; and (B) Solely for the purpose of providing storage or computer processing services to such subscriber or customer, if the provider is not authorized to access the contents of any such communications for purposes of providing any services other than storage or computer processing. The Government may also obtain records and other information pertaining to a subscriber or customer of an electronic communication service or remote computing service by way of a search warrant. 18 U.S.C. 2703(c)(1)(A). No notice to the subscriber or customer is required. 18 U.S.C. 2703(c)(2). 18 U.S.C. 2711 provides, in part: As used in this chapter (1) the terms defined in section 2510 of this title have, respectively, the definitions given such terms in that section; and (2) the term "remote computing service" means the provision to the public of computer storage or processing services by means of an electronic communications system. 18 U.S.C. 2510 provides, in part: (8) "contents," when used with respect to any wire, oral, or electronic communication, includes any information concerning the substance, purport, or meaning of that "electronic communications system" means any wire, radio, electromagnetic, photooptical or photoelectronic facilities for the transmission of electronic communications, and any computer facilities or related electronic equipment for the electronic storage of such communications; (15) service" means any service which provides to users thereof the ability to send or receive wire or electronic (17) "electronic storage" means - (A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and (B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication. 18 U.S.C. 2703(3) provides, in part: 34 Case 1:10-mj-00291-AK Document 20-1 Filed 11/07/11 Page 35 of 36 Notwithstanding section 3105 of this title, the presence of an officer shall not be required for service or execution of a search warrant issued in accordance with this chapter requiring disclosure by a provider of electronic communications service or remote computing service of the contents of communications or records or other information pertaining to a subscriber to or customer of such service. VII. REQUEST FOR NON-DISCLOSUREQY 52. Pursuant to 18 U.S.C. 2705(b), this Court can enter an order commanding the PROVIDER not to notify any other person, including the subscriber of the SUBJECT ACCOUNT, of the existence of the warrant because there is reason to believe that notification of the existence of the warrant will result in: (1) endangering the life or physical safety of an individual; (2) flight from prosecution; (3) destruction of or tampering of evidence; (4) intimidation of potential witnesses; or (5) otherwise seriously jeopardize the investigation. The involvement of the SUBJECT ACCOUNT as set forth above is not public and I know, based on my training and experience, that subjects of criminal investigations will often destroy digital evidence if the subject leams of an investigation. Additionally, if the PROVIDER or other persons notify anyone that a warrant has been issued on the SUBJECT ACCOUNT, the targets of this investigation and other persons may further mask their identity and activity, flee, or otherwise obstruct this investigation. Accordingly, I request that this Court enter an order commanding the PROVIDER not to notify any other person, including the subscriber of the SUBJECT ACCOUNT, of the existence of the warrant. REQUEST FOR SEALING 53. Because this investigation is continuing and disclosure of some of the details of this affidavit may compromise subsequent investigative measures to be taken in this case, may 35 Case 1:10-mj-00291-AK Document 20-1 Filed 11/07/11 Page 36 of 36 cause subjects to flee, may cause individuals to destroy evidence and/or may otherwise jeopardize this investigation, I respectfully request that this afiidavit, and associated materials seeking this search warrant, be sealed until further order of this Court. Finally, I specifically request that the sealing order not prohibit information obtained from this warrant from being shared with other law enforcement and intelligence agencies. IX. CONCLUSION 54. Based on the foregoing, there is probable cause to believe that the Reporter has committed or is committing a violation of 18 U.S.C. 793 (Unauthorized Disclosure of National Defense Information), as an aider, abettor and/or co-conspirator, and that on the computer systems owned, maintained, and/or operated by Google, Inc., there exists in, and related to, the SUBJECT ACCOUNT, evidence, fruits, and instrumentalities of that violation of section 793. By this affidavit and application, I request that the Court issue a search warrant directed to Google, Inc., allowing agents to seize the content of the ACCOUNT and other related information stored on the Google servers as further described and delimited in Attachment A hereto. Regi . Re Special Agent Federal Bureau of Investigation 36 Case 1:10-mj-00291-AK Document 20-2 Filed 11/07/11 Page 1 of 6 TTAC NT A: TO BE SEIZED Pursuant to 18 U.S.C. 2703 and 42 U.S.C. 2000aa(a), it is hereby ordered as follows: I. SERVICE QF Aim SEARCH PROCEDURE a. Google, Incorporated, a provider of electronic communication and remote computing services, located at 1600 Amphitheatre Parkway, Mountain View, California, (the will isolate those accounts and files described in Section II below. Pursuant to 18 U.S.C. 2703(g) the presence of an agent is not required for service or execution of this warrant. b. The PROVIDER shall not notify any other person, including the subscriber(s) of mgmailmom of the existence of the warrant. c. In order to minimize any disruption of computer service to innocent third parties, the employees and/or law enforcement personnel trained in the operation of computers will create an exact duplicate of the computer accounts and files described in Section II below, including an exact duplicate of all information stored in the computer accounts and files described therein. d. As soon as practicable after service of this warrant, the PROVIDER shall provide the exact duplicate in electronic form of the account and files described in Section 11 below and all information stored in that account and files to the following FBI special agent: Reginald B. Reyes FBI-WFO 601 Street, NW Washington, D.C. 20535 Fax: 202-278-2864 Desk: 202-278-4868 The PROVIDER shall send the information to the agent via facsimile and overnight mail, and where maintained in electronic form, on CD-ROM or an equivalent electronic medium. Case 1:10-mj-00291-AK Document 20-2 Filed 11/07/11 Page 2 of 6 e. The FBI will make an exact duplicate of the original production from the PROVIDER. The orignal production from the PROVIDER will be sealed by the FBI and preserved for authenticity and chain of custody purposesLOYE a. Any and all communications, on whatever date, between mgmaiheom and any of the following accounts: (1) yahoo.com, (2) myahoocom, and (3) "Any and all communications" includes, without limitation, received messages (whether or "bcc'd" to the SUBJECT ACCOUNT), forwarded messages, sent messages (whether or "bcc'd" to the three above-listed accounts), deleted messages, and messages maintained in trash or other folders, and any attachments thereto, including videos, documents, photos, internet addresses, and computer files sent to and received fi'om other websites. "Any and all communications" further includes all prior email messages in an email "chain" between the SUBJECT ACCOUNT and any of the three above--listed accounts, whether or not these prior emails were in fact sent between the SUBJECT ACCOUNT and the above-listed accounts; b. Any and all communications "to" or "from" the SUBJECT ACCOUNT on lune I0 and/or June 1 1, 2009. "Any and all communications" includes, without limitation, received messages (whether or "bcc'd" to the SUBJECT ACCOUNT), forwarded messages, sent messages, deleted messages, messages maintained in trash or other folders, and any attachments thereto, including videos, documents, photos, intemet addresses, and computer files Case Document 20-2 Filed 11/07/11 Page 3 of 6 sent to and received from other websites. "Any and all communications" further includes all prior email messages in an email "chain" sent "to" or "from" tl1e SUBJECT ACCOUNT on June 10 or June 1 1, 2009, whether or not those prior emails in the "chain" were in fact sent or received on June 10 or June I 1, 2009; c. All existing printouts from original storage of all of the electronic mail described above in Section II and d. All transactional information of all activity of the SUBJECT ACCOUNT described above in Section and including log files, dates, times, methods of connecting, ports, dial-ups, registrati'on Internet Protocol (IP) address andlor locations; c. All business records and subscriber information, in any form kept, pertaining to the SUBJECT ACCOUNT described above in Section l1(a) and including applications, subscribers' fiill names, all screen names associated with the subscribers and/or accounts, all account names associated with the subscribers, account numbers, screen names, status of accounts, dates of service, methods of payment, telephone numbers, addresses, detailed billing records, and histories and profiles; f. All records indicating the account preferences and services available to subscribers of the SUBJECT ACCOUNT described above in Section H(a) and TO BE SEIZED BY LAfl ENFORCEMENT PERSONNEL Items to be seized, which are believed to be evidence of violations of 18 U.S.C. 793 (Unauthorized Disclosure of National Defense Information) as follows: a. The contents of electronic communications, including attachments and stored files, for the SUBJECT ACCOUNT as described and limited by Section H(a) and above, Case Document 20-2 Filed 11/07/11 Page 4 of 6 including videos, computer files sent to and received from other websites, received messages, sent messages, deleted messages, messages maintained in trash or other folders, any attachments thereto, and all existing printouts from original storage of all of the electronic mail described above in Section and that pertain to: 1. 2. records or information related to violations of 18 U.S.C. 793; any and all communications between Stephen Kim and theauthor of the article (the "Author") that is the subject matter of the FBI investigation that is the basis for this warrant (the "Article") and any record or information that reflects such communications; records or information relating to Stephen Kim's communications and/or activities on the date of publication of the Article; records or information relating to the Author's communication with any other source or potential source of the information disclosed in the Article; records or information related to Stephen Kim's or the Author's knowledge of laws, regulations, mles and/or procedures prohibiting the unauthorized disclosure of national defense or classified information; records or information related to Stephen Kim's or the Author's knowledge of government rules and/or procedures regarding communications with members of the media; records or information related to any disclosure or prospective disclosure of classified and/or intelligence information; any classified document, image, record or information, and any Case 1:10-mj-00291-AK Document 20-2 Filed 11/07/11 Page 5 of 6 communications concerning such documents, images, records, or information; 9. any document, image, record or information concerning the national defense, including but not limited to documents, maps, plans, diagrams. guides, manuals, and other Department of Defense, U.S. military, and/or weapons material, as well as sources and methods of intelligence gathering, and any communications concerning such documents, images, records, or information; l0. records or information related to the state of mind of any individuals seeking the disclosure or receipt of classified, intelligence and/or national defense information; I 1. records or information related to the subject matter of the Article; and l2. records or information related to the user(s) of the SUBJECT ACCOUNT. b. All of the records and information described above in Sections and including: 1. Account information for the SUBJECT ACCOUNT including: Names and associated email addresses; Physical address and location information; Records of session times and durations; Length of service (including start date) and types of service utilized; Telephone or instrument number or other subscriber number or identity, including any temporarily assigned network address; Case Document 20-2 Filed 11/07/11 Page 6 of 6 The means and source of payment for such service (including any credit card or bank account number); and Intemet Protocol addresses used by the subscriber to register the account or otherwise initiate service. 2. User connection logs for the SUBJECT ACCOUNT for any connections to or from the SUBJECT ACCOUNT. User connection logs should include the following: Connection time and date; Disconnect time and date; Method of connection to system SLIP, Shell); Data transfer volume bytes); The IP address that was used when the user connected to the service, Connection information for other systems to which user connected via the SUBJECT ACCOUNT, including: (1) Connection destination; (2) Connection time and date; (3) Disconnect time and date; (4) Method of connection to system telnet, fip, http); (5) Data transfer volume bytes); (6) Any other relevant routing information. Case Document 20-3 Filed 11/07/11 Page 1 of 1 AD 93 (Rev. l2I09) Search and Seizure Warrant UNITED STATES DISTRICT COURT for the District of Columbia in the Matter of the Search of (Bri fly describe the property to be searched or ifientiifv the person by name and address) C353 No_ 1 0 2 9 1 E-mall Account mgmaitcom on Computer Servers Operated by Google. |nc..1600 Amphitheatre Parkway. Mountain View. California SEARCH AND SEIZURE WARRANT To: Any authorized law enforcement officer An application by a federal law enforcement officer or an attorney for the govemm ent requests the search of the following person or property located in the District of (Ideally) the person re any to be searched and give its location): E-mil account grnail.com. maintained on computer sewers operated by Google, Inc.. headquartered at 1600 Amphitheatre Parkway. Mountain View. Califomla. The person or property to be searched. described above, is believed to conceal (tdenafia lheperson the property to be seized): Certain properly. the disclosure of which is governed by Title 42. U.S.C. Section 2000aa, and Title 18, U.S.C. Sections 2701 through 2711. namely contents of electronic e-mails and other electronic data. more fully described in ATTACHMENT A to this application. I find that the affidavit(s), or any recorded testimony, establish probable cause to search and seize the person or property. YOU ARE COMMANDED to execute this warrant on or before I 1 6/ (nor to exceed 14 days) in the daytime 6:00 a.m. to 10 p.m. Ci at any time in the day or night as I find reasonable cause has been established. Unless delayed notice is authorized below. you must give a copy of the warrant and a receipt for the property taken to the person from whom. or from whose premises, the property was taken, or leave the copy and receipt at the place where the property was taken. The officer executing this warrant, or an officer present during the execution of the warrant. must prepare an inventory as required by law and return this wanant and inventory to United States Magistrate Judge (name) find that immediate notification may have an adverse result listed in 18 U.S.C. 2705 (except for delay of trial), and authorize the ofiicer executing is warrant to delay notice to the person who, or whose property, will be searched or seized (check the appropriate box) for 3 [1 days (not to exceed 3.0). Eluntil, the facts justiyin Date and time issued: 2 8 City and state: Disl:ricl:_of_Co1umbta_ Printed name and It'll: