October 18, 2016

Former election foe stands by hacking allegations against Senate candidate

More than a year before announcing his candidacy in a high-profile race for a state senate seat, Diego Espinoza filed a defamation lawsuit against a 2014 Republican candidate for U.S. Senate.

The lawsuit alleged that Espinoza experienced “public and personal humiliation,” among other damages, after candidate David Clements accused him of hacking his campaign email account.

Now, nine months after a judge dismissed the case with prejudice, Clements can still publicly make the allegation against Espinoza.

“If there’s any benefit or silver lining to deal with Espinoza’s frivolous lawsuit, it’s that to the day I die I can tell anyone who asks me, ‘Yeah, he hacked me,’” Clements, who ran for the GOP nomination for U.S. Senate in 2014 on a libertarian-minded platform, said.

Espinoza was campaign manager for Clements’ Republican primary opponent Allen Weh.

Weh, a retired U.S. Marine Corps colonel, former state Republican Party chairman and unsuccessful 2010 gubernatorial candidate, received backing from much of the party’s  establishment during the primary.

He eventually beat Clements by 26 points in June 2014 election (Weh then lost the general election to Sen. Tom Udall by 11 points). But three months before the primary election, Clements received roughly 47 percent of state delegate support to Weh’s 53 percent at the state Republican Party preprimary convention.

For an upstart attorney with very little name recognition campaigning against a candidate with more than four times the amount of campaign money spent, it was a good showing.

But days before the preprimary convention, Clements accused the Weh campaign of playing dirty by cheating delegates and hacking his campaign email account to influence the eventual delegate vote.

Alleged mass-forwarding of an email

Clements alleged the Bernalillo County Republican Party elected delegates from a list of 30 names submitted by Espinoza, many of whom Clements said were not present at the county convention. Espinoza denied the charge.

Then, Clements accused Espinoza of masking his email address and mass-forwarding an open letter Clements wrote detailing accusations of the delegate cheating. The email appeared to come from Clements, making recipients believe Clements was bombarding delegates with the same email message himself, Clements alleged. The tactic would presumably turn delegates away from supporting him.

Courtesy Diego Espinoza

Diego Espinoza

Courtesy Diego Espinoza

The process of masking an email sender’s address is known as “spoofing,” a practice that Santa Fe attorney and IT expert Thomas Blog described as common and easy.

“It’s usually done to get around orders of protection,” Blog said, citing restraining orders from ex-girlfriends as an example.

To this day, Espinoza denies the allegations.

Reached by phone, Espinoza would not comment on the case beyond repeatedly stating he and Clements had since settled the case. He also added that both he and Clements made “an agreement not to talk about the case.”

“This has nothing to do with the race I’m running,” Espinoza said in an interview. “I guess he can go out and say what he pleases, but the agreement he signed settled the case.”

Clements, who now works for the district attorney’s office in Otero and Lincoln counties, represented himself throughout the whole process. He estimated if he hired an attorney to represent him, it would have cost between $40,000-$50,000.

He added that what he and Espinoza actually aren’t allowed to talk about publicly is the terms of the lawsuit settlement, which were agreed to in January.

“After what I’ve been through, I can tell you there is no way in hell I’d agree to a non-disclosure agreement concerning discussion of the events leading up to, and including the lawsuit,” Clements said. “Any overtures from Espinoza’s attorneys to that effect were flatly rejected.”

Later, Espinoza followed up with a text message, calling the hacking allegations “ridiculous.”

“I have never hacked or hijacked anyone’s email or been investigated for voter fraud,” he wrote.

Tracking the emails

Shortly before the March 2014 pre-primary convention, Republican delegates alerted Clements that they were getting the same email from him as many as eight times.

Clements had his campaign email service provider, Streamsend, track the sent emails. Streamsend and other service providers can do this because they put an invisible pixel of an image on each email message which they then track. It’s a common practice among not just campaigns, but also companies that send out newsletters and other emails to track opens.

“Each time the open letter email was viewed with images enabled, Streamsend can see that the image is loaded and can identify the subscriber,” Clements said.

Streamsend then found that an email address called diego@allenweh.com had an open rate “in excess of 500 times as of Feb. 21, 2014,” according to Clements, and then 660 times by Feb. 26, “though it would have appeared that the email was coming from me.”

Strucken, Clements quickly launched a website called “The Bernalillo Coverup” detailing both the delegate cheating and hacking allegations against Espinoza (the website is no longer active but a copy is still available on the Internet Archive).

Espinoza filed the defamation lawsuit the following month. Part of Espinoza’s argument revolved around the legal definition of the term “hacking,” which he alleged Clements used against him “with malice.”

On this distinction, Blog said hacking is usually defined as “unauthorized access” while spoofing can be defined more as identity theft or fraud.

Clements, for his part, said he consulted with experts who agreed with his definition of the term “hacking.”

Either way, Clements argued the true reason of the lawsuit was to hamper the rest of his campaigning time between the March pre-primary convention and the primary election held three months later.


Throughout the nearly two years of litigation, Clements asked multiple times for Espinoza to prove his hacking allegations wrong.

Last fall, Clements filed two separate discovery motions asking for records of email activity from Espinoza own campaign account during the week that Clements alleges the hacking took place.

David Clements

David Clements

David Clements

One asked for an “internet service report” of Espinoza’s email address, looking specifically for his “forwards,” “opens,” “clicks” and “views” of the email in question. Clements’ other discovery request asked for “any and all email service reports, analytics reports or email tracking reports” of Espinoza’s email account regarding the same email in question.

“Such a report would have provided analytics of his email activity from his end,” Clements said.

In both cases, Espinoza denied that he ever had access to or possessed any such reports. In one case, he responded by writing that “if such a report existed at some point, it no longer does.”

Reports like these indeed exist, Blog said, and are usually kept between a year and 18 months on average. Clements’ discovery requests came roughly a year and a half after the alleged hacking incident. Websites anticipating subpoenas, Blog said, typically keep their email reports on hand longer.

Online records show that Weh owns the domain Espinoza used, which is still active today.

“Mr. Weh had access to some level of email reports,” Blog said. “Whether they existed at this timeframe, I don’t know, but they existed at one time.”

Blog added: “It’s unusual that they couldn’t produce something.”

Colin Hunter, the attorney who represented Espinoza during the case, said that Weh’s email tracking service that wasn’t as sophisticated as the program Clements used. In other words, Hunter argued that Espinoza and Weh didn’t track as many analytics as Clements did.

“We gave David everything that we had,” Hunter said, referring to roughly a half-dozen emails they submitted to court. “But nothing we had that broke down analytics like the service David was using.”

Clements called the explanation “laughable” and noted that Weh’s campaign email list had more than 14,000 people on it.

“In order to send email blasts to a population group that size, even a basic service would have had the information we sought,” Clements said.

“I seriously doubt my shoe-string campaign was using anything more expensive than what Weh was using,” he added.

Blog, for his part, said that the question depends on the email server Weh was using. But he added that the information Clements sought from Espinoza “was rather fundamental” and “basic.”

“I find it hard to imagine any commercial or hosting plug email in that does not provide similar functionality,” Blog said.

Clements and Espinoza settled last January, the same month the case was set to go to trial. Clements said he had two IT experts lined up and ready to take the stand.

“[They] would have been comfortable testifying that the information I was seeking would have been accessible during the timeframe of the lawsuit,” Clements said. “Depending on the service provider, it’s entirely possible that the information is still accessible.”

The emails Espinoza did submit amounted to 30 pages of material that show him forwarding the email in question to Weh and a Bernalillo County Republican official. Another email shows Espinoza replying to Clements and criticizing the delegate cheating allegation as ”a stunt.”