The Washington Post

Why Trump is once again claiming that he was spied upon in 2016

Trump Tower in New York in January. (Justin Lane/EPA-EFE/Shutterstock)

It started with a tweet from President Donald Trump in early March 2017.

“Terrible! Just found out that Obama had my ‘wires tapped’ in Trump Tower just before the victory,” he wrote. “Nothing found. This is McCarthyism!”

It was a wild claim — and one that was soon debunked. The primary rationale for Trump’s tweet, it seems, was a story published by Breitbart News that attempted to summarize a broadcast by right-wing radio host Mark Levin. As a way of conveying the credibility that assertion deserves, the Breitbart story included two references to claims about surveillance warrants made by columnist Louise Mensch, whose claims about various things have repeatedly been shown to be meritless. Trump’s allies quickly tried to backstop his tweet by elevating activity that, if you squinted and plugged your ears, could seem like maybe it constituted wiretapping.

On Monday morning, Trump claimed that he had at last been vindicated.

“I was proven right about the spying,” he said in one of his Twitteresque “statements” from his office, “and I will be proven right about 2020.”

It’s a useful parallel, in fact, comparing his claims about having been spied on with his claims about fraud in the 2020 election. In neither case has any such thing been proved despite, as always, the robust effort by his allies to provide some foundation to Trump’s unfounded claims.


The prompt for Trump’s claim is a court filing submitted on Friday. It combines several interesting threads from the Trump era to make one relatively vague allegation, an allegation then misrepresented by some of Trump’s most fervent allies as dispositive. Bear with me as I explain those threads briefly.

You’ll recall that Trump’s core complaint as president was that the investigation into Russian interference and possible overlap with his campaign was unfounded. It wasn’t, involving probes into a number of individuals with obvious links to Russian actors. But Trump and his allies crafted a countervailing narrative centered on malfeasance by government officials — again, a claim downstream from Trump’s initial response to reports about the probe in which he asserted that government officials might be out to get him.

Eventually, Trump’s loyal-until-almost-the-end attorney general William P. Barr appointed U.S. Attorney John Durham to serve as special counsel to investigate the Russia investigation. The Friday filing came from Durham, centered on his examination of a rumor that emerged shortly before the 2016 election in which it was alleged that there was a secret back-channel communication between a Russian bank, Alfa Bank, and a Trump Organization email server.

When that allegation was first reported in October 2016, it was pretty obviously unfounded. I wrote about the various ways in which the idea didn’t pass the smell test, from the theoretical — why leave any trail at all if you’re trying to secretly communicate with Russia? — to the technical, given that the Trump Organization server wasn’t controlled by Trump at all. Others, like technologist Rob Graham, reached a similar conclusion: that this was probably just a glitchy side effect of marketing emails.

Last year, Durham unveiled an indictment against an attorney named Michael Sussman centered on the Alfa Bank rumor. Durham claimed that Sussman had lied to an FBI official in September 2016 when trying to get the FBI to investigate the connection, saying he was not working for a specific client as he offered the tip. The allegation is that this was a false statement of the sort that tripped up various Trump allies during the Russia probe: that Sussman was, in fact, working for the campaign of Hillary Clinton. As journalist Marcy Wheeler has written, the criminal case is not terribly strong.

The theory behind the Alfa Bank rumor is complicated. Sussman’s law firm, Perkins Coie, had been retained by Clinton’s campaign (leading it, separately, to engage the investigative firm Fusion GPS that later generated the infamous dossier of reports alleging a more robust connection between Russia and Trump’s team). An unidentified individual first noticed traffic between the Trump server and the Russian bank and brought it to an executive at a technology firm who had retained Perkins Coie and was working with Sussman. (Wheeler has an excellent timeline of all of this.) That triggered an effort to examine the scope of those connections, one that at least some of those involved in the research apparently understood to be an effort to create a jumping-off point for further research that could bolster a Trump-Russia narrative. (The tech executive, I’ll note, wasn’t sold on the Alfa-Trump link even back in August 2016.) Durham’s filing ties the campaign to Sussman and Sussman to the executive, but it’s not explicitly argued that the probe flowed down from Clinton’s team — or up to it.

Remember that in July 2016, there was already attention focused on possible links between Trump and Russia. The prior month, Russian actors had been implicated in stealing material from the Democratic National Committee, material that was released by WikiLeaks at the end of July. Trump’s allies have in the past tried to point to the Clinton campaign’s focus on amplifying that connection as the trigger for the Russia probe when, in reality, that focus came only after the political conversation emerged. There’s no indication that the Alfa Bank probe preceded the Clinton campaign’s public discussion of possible Trump-Russia ties — and there was certainly reason to pay attention to a possible digital connection between the two.

Now the technical stuff. At issue here are what are called domain name system (DNS) lookups. Traffic on the Internet is pushed around between points identified with Internet protocol (IP) addresses, strings of numbers that might be thought of like latitude and longitude in real-world positioning. In the real world, we don’t generally point people to latitude and longitude coordinates but to street addresses. On the Internet, we don’t generally go to IP addresses but domains. A DNS lookup converts a domain like to this newspaper’s actual Web server IP address.

The traffic between Alfa Bank and the Trump email server — actually run by a company called Cendyn that does a lot of hospitality-industry marketing work — consisted of DNS lookups. The Alfa Bank server was trying to find domain information for (the domain at issue) and the lookups were being logged.

It’s important here to know why those records might have been collected. An expert on the technology with whom I spoke on Monday explained that Internet service providers often allow third parties to collect domain name lookups because the information is useful for tracking bad actors on the Internet. If, for example, there are suddenly a number of lookups to, with ones replacing the Ls in the domain name, that might suggest some effort to redirect traffic away from the bank to some spoof site. Or organizations might similarly have a passive DNS collection process in place so that they might know if there’s a sudden spike in lookups for unusual servers in, say, Russia — an early indication that maybe someone is trying to run a scam targeting employees.
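As an added illustration, not part of the original article: a minimal sketch of the lookalike-domain check described above, run over constructed passive-DNS records. The domain `globalbank.example`, the log format and the function names are assumptions made for the example.

```python
from collections import Counter

# Digit-for-letter swaps commonly seen in lookalike domains (assumed, not exhaustive).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})

# Constructed passive-DNS records: "timestamp client_ip qname"
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 192.0.2.10 www.globalbank.example.
2024-01-01T10:00:05Z 192.0.2.11 g1oba1bank.example.
2024-01-01T10:00:09Z 192.0.2.12 G1OBA1BANK.example.
2024-01-01T10:01:13Z 192.0.2.10 mail.g1oba1bank.example.
2024-01-01T10:02:20Z 192.0.2.13 news.example.
malformed line
"""

def registered_domain(qname):
    """Last two labels of a query name, lower-cased, trailing dot removed.
    (Simplification: production code should consult the Public Suffix List.)"""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def find_lookalikes(log_text, protected):
    """Count lookups for domains that differ from a protected domain
    only by digit-for-letter substitution."""
    protected = {d.lower() for d in protected}
    hits = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed records
        domain = registered_domain(fields[2])
        if domain in protected:
            continue  # the genuine domain, not a lookalike
        if domain.translate(CONFUSABLES) in protected:
            hits[domain] += 1
    return hits

if __name__ == "__main__":
    for domain, count in find_lookalikes(SAMPLE_LOG, {"globalbank.example"}).items():
        print(f"{domain}: {count} lookups")
```

A sudden rise in the count for a flagged name is the kind of signal the paragraph describes; the check sees only which names were looked up, not the content of any traffic.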

This brings us to the court filing that was submitted on Friday. In it, Durham extends his articulation of what allegedly happened as the Alfa Bank rumor was being developed behind closed doors. The key element of the document centers on the DNS data that was being looked at:

The Government’s evidence at trial will also establish that among the Internet data Tech Executive-1 and his associates exploited was domain name system (“DNS”) Internet traffic pertaining to (i) a particular healthcare provider, (ii) Trump Tower, (iii) Donald Trump’s Central Park West apartment building, and (iv) the Executive Office of the President of the United States (“EOP”). (Tech Executive-1’s employer, Internet Company-1, had come to access and maintain dedicated servers for the EOP as part of a sensitive arrangement whereby it provided DNS resolution services to the EOP. Tech Executive-1 and his associates exploited this arrangement by mining the EOP’s DNS traffic and other data for the purpose of gathering derogatory information about Donald Trump.)

The “particular healthcare provider” is apparently Spectrum Health, which — when the story first emerged in 2016 — was identified as similarly linked to the Trump email server but also provided reporters with the marketing spam emails that explained that connection.

It’s useful to note that Durham’s claim about data being “exploited” emerged early. Both Wheeler and Graham elevated questions about the ethics of digging through collected DNS records to investigate something that was probably outside of any agreement governing what the data was being collected for. But that doesn’t mean 1) that any laws were violated or 2) that this constitutes “hacking.” If I give you a key to my house and you use it to come in and read my diary, I will certainly be angry with you, but it’s not like you committed burglary.

Yet that’s how the paragraph above has at times been conveyed. On Fox News, for example, a story about the Durham filing ran with the headline “Clinton campaign paid to ‘infiltrate’ Trump Tower, White House servers to link Trump to Russia: Durham.” There are a few problems with this, including that the connection between Clinton’s team and the Perkins Coie Alfa Bank investigation is not direct, nor did Durham use the word “infiltrate,” a word that suggests illicit access to data.

Instead, both of those claims come not from Durham but, as the article makes clear, from former Trump staffer Kash Patel. It’s a statement from Patel that makes the Clinton claim and uses the word infiltrate. It’s Patel — whose recent career has often centered on backstopping Trump’s claims of being unfairly investigated — who drew the line that Fox is attributing to the special counsel. (Fox News later updated its headline.)

Durham describes an effort to impugn Trump by claiming that during a meeting with a government agency in February 2017, Sussman alleged that DNS lookups “demonstrated that Trump and/or his associates were using supposedly rare, Russian-made wireless phones in the vicinity of the White House and other locations.” This doesn’t support a throughline back to Clinton, of course, since Trump wasn’t spending much time at the White House while Clinton was still a presidential candidate. Durham’s filing asserts that the lookups centered on those phones went back to 2014, when Trump wasn’t even yet a candidate.

Update: In a responding filing, Sussman’s attorneys write that the data from the White House complex that was part of the examination only covered a period during which Obama was president. In other words, no “spying” on the Trump administration at all.

There are legitimate questions about the effort to link Trump back to Russia using this data that was not only sketchy at the outset, but had also been debunked by the time the election was over. But there is no question that this is not proof that Trump Tower was “wiretapped.” It is not proof that Mark Levin’s claims in early 2017 were accurate, since they weren’t. (He’s tried to take credit for his foresight in recent days.) If it’s evidence of Trump being “spied on,” as the former president has also claimed in recent days, it’s a very broad sort of spying — collecting all of the domain-name lookups from a physical location or a network — being conducted not by the Obama administration or by Hillary Clinton, but by an anti-Trump lawyer.

“In a stronger period of time in our country, this crime would have been punishable by death,” Trump said over the weekend, the sort of escalation of rhetoric that is not lessened by our being so accustomed to him doing it. It is also not, as he said at another point, a bigger scandal than Watergate.

This is precisely the same claim he made back in March 2017 — “How low has President Obama gone to tapp my phones during the very sacred election process. This is Nixon/Watergate. Bad (or sick) guy!” — well before this particular justification of his claims had been generated in the first place.

This article has been updated.