U.S. and U.K. spy agencies have been monitoring in-flight mobile phone users for years, according to new revelations from the trove of documents leaked by former NSA contractor Edward Snowden.
As early as 2012 the U.K. Government Communications Headquarters (GCHQ) was intercepting voice and data communications from commercial aircraft using the OnAir service to carry 2G mobile services over the Inmarsat satellite communications network. At the time, GCHQ did not have access to a rival in-flight mobile service provider, Aeromobile, French newspaper Le Monde reported Wednesday.
The Thieving Magpie interception program relied on another GCHQ project called Southwinds to capture the calls as they were transmitted to and from Inmarsat satellites over Europe, the Middle East, and Africa, according to a 2012 GCHQ presentation published by Le Monde. The spy agency expected to extend Southwinds globally the following year, the presentation said.
In addition to intercepting calls, Thieving Magpie allowed GCHQ to track persons of interest around the world as long as their phones remained switched on. The phones would log on to in-flight cellular base stations and signal to their home networks which aircraft they were roaming on, even if not used to make calls or send data.
Thieving Magpie also allowed GCHQ staff to identify the PIN and email addresses associated with BlackBerry phones thus tracked.
"We can confirm that target selectors are on board specific flights in near real time, enabling surveillance or arrest teams to be put in place in advance. If they use data, we can also recover email address's, Facebook Ids, Skype addresses etc," the presentation said.
Another of the Snowden documents published by Le Monde, this time from GCHQ's opposite numbers at the U.S. National Security Agency, posed a riddle:
"What do the President of Pakistan, a cigar smuggler, an arms dealer, a counterterrorism target, and a combating-proliferation target have in common? They all used their everyday GSM phone during a flight, and were tracked by the SIGINT System, because the phone number was tasked in OCTAVE."
The NSA tracked an average of 17 target mobile phones in flight each day in 2010, the document said, implying that deliberate tracking had begun at the same time as commercial in-flight mobile phone use in 2008.
NSA analysts could use the phone-tracking service to identify other devices on the same flight, perhaps also used by their surveillance targets, or at least by persons travelling with them, the document said.
The May 2010 document went on to identify a number of airlines offering in-flight mobile services and serving "target-rich areas," including Emirates Air and Royal Jordanian, with Libyan Air, Saudi Arabian Air and Air France expected to join their ranks shortly.
But another document titled "In-flight GSM" shows that the NSA had unknowingly been intercepting in-flight mobile communications as early as 2006, thanks to its policy of storing everything and figuring out whether it needed to later. (The document is dated January 2007, but that date is apparently incorrect as the document contains commercial information from March 2009 and NSA database search results dated January 2009.)
The author of the document described how he had intercepted a message to a mobile phone mid-flight saying "Welcome onboard Emirates. Phone & SMS services are now available," and decided to search the NSA's intercept archives for earlier evidence of in-flight activity. He identified a mobile phone registering to one of Aeromobile's in-flight base stations as early as Oct. 2, 2006, and one to an OnAir base station as early as Nov. 23, 2006. It was another six months before an NSA target registered for in-flight mobile use, with OnAir on May 29, 2007.
The NSA could even track targets on certain cruise lines that also used OnAir to provide on-board cellular coverage, according to the 2010 document, and was looking at other possibilities too. "What's next, trains?!? We'll have to keep watching," its author concluded.