American and British Spy Agencies Targeted In-Flight Mobile Phone Use

GCHQ and NSA have begun intercepting calls made using on-board cellular technology, according to Snowden documents reviewed by Le Monde in partnership with The Intercept.

An Air France Airbus A380 plane makes it approach to John F. Kennedy International Airport November 20, 2009 in New York for the first A380 Superjumbo flight on the Paris-Charles de Gaulle to New York-JFK route. Daily flights are scheduled to start on November 23, 2009. AFP PHOTO/Stan Honda / AFP / STAN HONDA (Photo credit should read STAN HONDA/AFP/Getty Images) Photo: Stan Honda/AFP/Getty Images

In the trove of documents provided by former National Security Agency contractor Edward Snowden is a treasure. It begins with a riddle: “What do the President of Pakistan, a cigar smuggler, an arms dealer, a counterterrorism target, and a combatting proliferation target have in common? They all used their everyday GSM phone during a flight.”

This riddle appeared in 2010 in SIDtoday, the internal newsletter of the NSA’s Signals Intelligence Directorate, or SID, and it was classified “top secret.” It announced the emergence of a new field of espionage that had not yet been explored: the interception of data from phone calls made on board civil aircraft. In a separate internal document from a year earlier, the NSA reported that 50,000 people had already used their mobile phones in flight as of December 2008, a figure that rose to 100,000 by February 2009. The NSA attributed the increase to “more planes equipped with in-flight GSM capability, less fear that a plane will crash due to making/receiving a call, not as expensive as people thought.” The sky seemed to belong to the agency.

In a 2012 presentation, Government Communications Headquarters, or GCHQ, the British equivalent of the NSA, in turn disclosed a program called “Southwinds,” which was used to gather all the cellular activity, voice communication, data, metadata, and content of calls on board commercial aircraft. The document, designated “top secret strap,” one of the highest British classification levels, said the program was still restricted to the regions covered by satellites from British telecommunications provider Inmarsat: Europe, the Middle East, and Africa.

INM_ConnectDiag_3DVector_AW7_LBand

An image of Inmarsat’s “unparalleled broadband experience in the sky.”

Source: Inmarsat.com
The data was collected “in near real time” and an aircraft could be “tracked” every two minutes, according to the presentation. To spy on a telephone, all that was required was that the aircraft be cruising at an altitude above 10,000 feet. Secret aerial stations on the ground could intercept the signal as it transited through a satellite. The simple fact that the telephone was switched on was enough to give away its position; the interception could then be cross-referenced with the list of known passengers on the flight, the flight number, and the airline code to determine the name of the smartphone user.

GCHQ and the NSA used bird names to refer to programs involving the surveillance of in-flight telephone calls; examples include “Thieving Magpie” and “Homing Pigeon,” as we learn from Glenn Greenwald in his 2014 book “No Place to Hide.” Le Monde examined information about the surveillance of aircraft and their passengers around the world between 2005 and 2013, including unpublished documents from the Snowden archives; the evidence demonstrates that from an early date, Air France drew particular attention from the United States and the United Kingdom.

Air France was targeted as early as 2005, as disclosed in an NSA document setting out the broad outline of a program for “worldwide civilian aircraft tracking.” Dated July 5, the 13-page memo provides a chronological, detailed list of the main stages of the program. The document stated that based on a CIA report, some or all “Air France and Air Mexico flights” had been “possible terrorist targets” since late 2003. The legal department of the NSA found “no problem with targeting Air France and Air Mexico flights overseas,” and “when the flights enter U.S. airspace, they should be more than covered by the U.S. air traffic control system.” In February 2005, these same lawyers outlined legal procedures be adopted for such collection.

The naming of Air France as a risk to the U.S. was not just a simple hypothesis by a few NSA technicians. An impressive circle of security and intelligence officials were informed of the purported danger represented by the French company. The 2005 NSA memo was sent to roughly 20 recipients, including the North American Air Defense Command; the CIA; the Department of Homeland Security; the National Reconnaissance Office, which operates satellites for the U.S. government; the Defense Intelligence Agency; and the Air Force chief of staff. This fixation with Air France continued in the years that followed.

Air France first tested the in-flight use of a smartphone on service from Paris to Warsaw on December 17, 2007. As an Air France spokesperson confirmed to Le Monde, “We began early, but since then, we have carried out tests continuously and today, like other companies, we are getting ready to move directly to Wi-Fi on board.” Questioned by Le Monde about the British and American surveillance activities, the company’s response was measured: “We are visibly not the only ones to have been targeted and we know absolutely nothing about these practices.”

In its 2012 presentation, GCHQ observed that 27 companies had already enabled or were about to enable passenger use of mobile phones, particularly in first and business class on long-haul flights. These included British Airways (which only enabled data and SMS functions), Hong Kong Airways, Aeroflot, Etihad, Emirates, Singapore Airways, Turkish Airlines, Cathay Pacific, and Lufthansa. Air France, however, is synonymous with the surveillance of in-flight calls to the extent that the GCHQ presentation used a full-page sketch of one of its planes to illustrate the working of in-flight interception in the presentation.

As an example of their know-how, GCHQ and the NSA provide numerous examples of calls intercepted on board commercial flights. The examples show that data was intercepted on March 23, 2012, at 1:56 p.m. on the UAE airline Etihad’s flight 8271 between JFK and Denver; on an Aeroflot’s Nice-Moscow flight on May 20, 2011, and subsequently that same year; on Qatar Airways flights from Milan to Doha and from Athens to Doha; and from Jeddah to Cairo (Saudi Airlines) and from Paris to Muscat (Oman Air).

Data collection was also conducted against BlackBerrys, according to the presentation, which identified BlackBerry PIN codes and email addresses on an aircraft on January 2, 2012, at 10:23 a.m., but did not include  destination or the airline company. The spoils of war — observed phone uses — are proudly listed in the GCHQ presentation: voice communication, data, SMS, Webmail, Webchat, social networks (Facebook, Twitter, etc.), travel apps, Google Maps, currency converters, media, VOIP, BitTorrent, and Skype. In the course of its intrusion exercises, GCHQ discovered, somewhat to its surprise, that it is not alone in its interest in these in-flight communications. GCHQ notes that the Russian company Aeroflot has set up a system of specific connections for GSM phones on its aircraft “presumably for legal intercept,” as the agency remarks in a technical memo.

Today, approximately 100 companies permit in-flight use of telephones. “Customers now consider it normal, even necessary, to remain connected in flight,” an Air France spokesperson said. Aviation security authorities have all approved the use of GSM phones on board aircraft and the experts estimate that the years 2016, 2017 and 2018 will go down in history as the years of the in-flight mobile phone, in particular with the long-term installation of in-flight Wi-Fi.

This will further extend the scope of espionage by providing a pool of potential targets comprising several hundreds of thousands of people, a level of popularity anticipated by the NSA seven years ago. This implies a population that goes far beyond terrorist targets. The political or economic surveillance of passengers in business or in first class on long-haul flights could be put to many other uses.

There is no limit to surveillance activities and each novelty is a technical challenge to be met. The intelligence services even seem to be slightly jaded. In the 2010 newsletter article, NSA analysts were already thinking further afield. “What’s next, trains? We’ll have to keep watching …”

This article was published today in Le Monde. It is the result of a collaboration with The Intercept and is based on documents provided by NSA whistleblower Edward Snowden. GCHQ responded to Le Monde with a statement that it does not comment on intelligence matters and that its activities are “authorized, necessary and proportionate” and “entirely compatible with the European Convention on Human Rights.” The NSA said its activities complied with U.S. law and policy and declined to comment further.

Join The Conversation