David Sirota/Pando/Kim Zetter/WIRED:
We already know that there’s almost nowhere on earth you can go to escape the warrantless snooping and panoptic surveillance of the US government. Now it turns out you’re not even safe 30,000 feet up in the sky.
Gogo, the in-flight WiFi provider, is used by millions of airline passengers each year to stay connected while flying the friendly skies. But if you think the long arm of government surveillance doesn’t have a vertical reach, think again.
Gogo and others that provide WiFi aboard aircraft must follow the same wiretap provisions that require telecoms and terrestrial ISPs to assist U.S. law enforcement and the NSA in tracking users when so ordered. But they may be doing more than the law requires.
According to a letter Gogo submitted to the Federal Communications Commission, the company voluntarily exceeded the requirements of the Communications Assistance for Law Enforcement Act, or CALEA, by adding capabilities to its service at the request of law enforcement. The revelation alarms civil liberties groups, which say companies should not be cutting deals with the government that may enhance the ability to monitor or track users.
“CALEA itself is a massive infringement on users’ rights,” says Peter Eckersley of the Electronic Frontier Foundation. “Having ISPs [now] that say that CALEA isn’t enough, we’re going to be even more intrusive in what we collect on people is, honestly, scandalous.”
Gogo provides in-flight WiFi and digital entertainment to Delta, American Airlines, Alaska Airlines, Virgin America, US Airways and others using a dedicated air-to-ground network that Gogo says it designed in consultation with law enforcement.
The disclosure that Gogo voluntarily exceeded the requirements of CALEA appears in a letter to the FCC the company wrote in 2012. “In designing its existing network, Gogo worked closely with law enforcement to incorporate functionalities and protections that would serve public safety and national security interests,” Gogo attorney Karis Hastings wrote.
Although FCC rules “do not require licensees to implement capabilities to support law enforcement beyond those outlined in CALEA…,” Hastings noted, “[n]evertheless, Gogo worked with federal agencies to reach agreement regarding a set of additional capabilities to accommodate law enforcement interests. Gogo then implemented those functionalities into its system design.”
When CALEA became law in 1994, it applied only to telecoms and required them to provide wiretap capabilities for phone calls. But in 2007 the FCC ordered CALEA compliance from broadband and VoIP providers as well, amid pressure from the Justice Department and the FBI. Under CALEA, these communications providers must be able to isolate all wire and electronic communications to and from any account targeted by law enforcement and identify the numbers or accounts with which the target has communicated.
CALEA already gives expansive powers to law enforcement agencies. According to the Center for Democracy and Technology, “the FBI has used CALEA to expand its capabilities, turning wireless phones into tracking devices, requiring phone companies to collect specific signaling information for the convenience of the government, and allowing interception of packet communications without privacy protections.” The watchdog group notes that in 2005, “the Federal Communications Commission granted an FBI petition and expanded CALEA to broadband Internet access and VOIP services.”
The FCC has considered applying special rules to in-flight WiFi providers. Gogo’s 2012 letter to the FCC was an effort to convince the commission that special mandated rules were unnecessary for in-flight WiFi providers because the companies were willing to work with law enforcement agencies to give them what they want.
“Gogo believes that its experience demonstrates that a flexible approach based on direct negotiation can best ensure that … operators deploy capabilities designed to protect public safety and national security, and that adoption of a specific list of capabilities … is unwarranted,” Hastings wrote.
A Gogo spokesman insists that, despite the letter’s reference to multiple capabilities added by Gogo, the company only added a single capability beyond CALEA, and it has nothing to do with monitoring traffic.
But it apparently is not the only company cutting deals with law enforcement. An FCC notice of proposed rule making published in December notes that Panasonic Avionics negotiated with law enforcement “regarding lawful interception … and network security functionality to be deployed” in the company’s eXConnect system, which provides WiFi to American Airlines and United.
According to the document, Panasonic engaged a CALEA-compliant equipment vendor to implement its intercept capability but was also “implementing additional functionality subject to final agreement with U.S. law enforcement.” The document notes operators “have uniformly engaged in direct consultations with law enforcement to develop appropriate capabilities consistent with their system characteristics and service offerings.”
Chris Soghoian of the American Civil Liberties Union, who first spotted the reference to expanded capabilities in the FCC documents, says law enforcement often leverages FCC threats of added rules to pressure companies into making concessions.
“I don’t think people understand the extent to which the FCC acts as the enforcer for the surveillance community,” he says. “The Gogo document and Panasonic documents really reflect this process of these companies sitting down with the government and making deals so the FCC wouldn’t get on their back. These are not agreements that are taking place in the sunlight. These are secret deals that are definitely not being made in the best interest of the public.”
Panasonic Avionics did not respond to a call for comment. A Gogo spokesman, when initially asked about the FCC documents by Pando Daily, declined to identify what additional capabilities Gogo implemented.
“What we are prepared to say is: Gogo does what all airborne connectivity companies have been asked to do from a security perspective, and it has nothing to do with monitoring traffic. Beyond that, we can’t comment beyond what’s in our public comments with the FCC,” spokesman Steve Nolan told Pando Daily.
But in a phone call with WIRED, Nolan said the company made just one concession to law enforcement beyond its CALEA requirements: adding a CAPTCHA feature to “prevent people from remotely accessing the system.” That would seem to contradict the FCC letter that specifically says that Gogo made “a set of additional capabilities” beyond CALEA. In a follow-up email, Nolan suggested there was more than one concession.
“Beyond adhering to CALEA, our primary concession to law enforcement is the use of CAPTCHA to access the system,” he wrote. Asked to clarify the disparity in his statements, he wrote that the “secondary concessions are all the CALEA requirements we adhere to.”
CAPTCHA displays a string of numbers or a word that users must enter to use the service. It generally is used to prevent automated bots from using online services, but Nolan said Gogo added it as a security feature to keep remote users out of the network. Soghoian doesn’t buy that.
“That doesn’t make any sense,” he says. “You can only access [the network] from the airplane. The WiFi only works when you’re above a certain number of feet…. If that’s all the government wanted, why not be up front with that in the beginning? Initially they said there were things that were done, but they couldn’t describe them. [The new statement] suggests there’s more there.”
The answers may lie in a 2009 statement made by the director of business development and strategy for Aircell, a Gogo subsidiary that provides WiFi for the business aviation sector.
The Aircell executive told Flight Global that the company had a “Super CALEA” arrangement with the FBI whereby it could immediately shut off service to select individuals or an entire airplane – without shutting the service off to U.S. air marshals – if authorities determined there was a security threat to the plane.
But the executive also described surveillance capabilities that go beyond what CALEA generally provides. “CALEA,” he said, “allows the feds to collect information about who is using the system, on which devices, and what the traffic looks like. Aircell can give [law enforcement] any information they need in real time.”
Nolan, asked about those statements, said, “Despite what the person said in 2009, what I can tell you today and what the truth is today is that we adhere to CALEA and we do everything in conjunction with what law enforcement has asked us to do.” He added that, “There is no ‘super CALEA’ capability. Our capabilities and what we adhere to are exactly what any communications provider, including on the ground networks, adhere to when they abide by CALEA. Nothing more and nothing less.”
Gogo notes in its terms of service that it may be required by law “to record some or all of your communications” and that it may “disclose your Personal Information (including your Account Information) and your communications through the Services, if required by law … or if we believe in good faith that such disclosure is necessary to: (a) comply with relevant laws or to respond to subpoenas or warrants served on us; or (b) protect or defend the rights, property, or safety of Gogo, you, other users, or third parties (especially in emergency situations).”
If Gogo is making additional concessions to law enforcement aside from the CALEA requirements and the CAPTCHA feature, Soghoian and others say it’s not hard to imagine what those might include.
“There are a number of things that are still in the surveillance arena that don’t involve monitoring traffic,” he says, such as watching “the MAC addresses of known bad guys.”
A recent CBC News story, based on documents obtained from Edward Snowden, described how Canada’s electronic spy agency, the Communications Security Establishment Canada, collected “metadata” from devices used to access WiFi at a major Canadian airport. Authorities then used the metadata to track the movement of these devices for days as the devices connected to WiFi hotspots across Canada and in U.S. airports.
The Canadian article doesn’t specify the device metadata the spy agency collected, but it most likely refers to the Media Access Control (MAC) address, a unique identifier for computers.
“If you’re watching [MAC addresses] in the airport, why not watch them in the air?” says Soghoian.
Authorities may also want the ability to trace online activity to a specific passenger. “That is surveillance. It’s just not about [monitoring traffic]. It’s about making sure they can finger you down the line.”
Late last year, Gogo announced plans to launch in-flight texting and calling services, potentially opening up a whole load of other data to the company’s law enforcement partners.
The prospect of in-air surveillance has been a periodic controversy during the last few decades. Back in the early 1990s, for example, NBC News reported that French intelligence agencies were using Air France as a base for in-flight surveillance of U.S. businesspeople and government officials. More recently, the UK Telegraph reported that the European Union has been funding and testing surveillance systems on planes involving “a combination of cameras, microphones, explosive sniffers and a sophisticated computer system” to monitor passengers. Meanwhile, Gogo’s major competitor for in-flight WiFi service is ViaSat, a defense contractor that specializes, in part, in surveillance.
During Glenn Greenwald’s keynote speech to the Chaos Communication Congress last December, he said he was working on a new story indicating that the NSA was “obsessed” by the idea that people could still use some Internet devices and mobile phones on airplanes without being recorded. “The very idea that human beings can communicate for even a few moments without their ability to monitor is intolerable.”