In-flight WiFi providers go above and beyond to help feds spy on us

library
crime | hacking | security

In-flight WiFi provider Gogo keeps passengers on more than 6,000 aircraft connected while they’re flying thousands of feet up in the air.

Connected and easily snooped on, as it turns out.

Documents have come to light in which Gogo brags about how it not only complies with a federal law for compliance with law enforcement; it actually goes above and beyond requirements to give law enforcement extra special surveillance sauce, it says.

The revelation was buried in recent Federal Communications Commission (FCC) filings about the company.

It was first spotted by the American Civil Liberty Union’s (ACLU’s) Christopher Soghoian, who tweeted about his find over the weekend:

GoGo Wireless “worked closely with law enforcement to … serve public safety and national security interests.” http://t.co/2HQ2FU6HTC

— Christopher Soghoian (@csoghoian) April 5, 2014

Specifically, Soghoian points to a letter dated 20 July 2012, sent by Gogo lawyer Karis A. Hastings to FCC Secretary Marlene H. Dortch.

From the letter, emphasis and link added:

In designing its existing network, Gogo worked closely with law enforcement to incorporate functionalities and protections that would serve public safety and national security interests. Gogo’s network is fully compliant with the Communications Assistance for Law Enforcement Act (“CALEA”).The Commission’s ATG rules do not require licensees to implement capabilities to support law enforcement beyond those outlined in CALEA.

Nevertheless, Gogo worked with federal agencies to reach agreement regarding a set of additional capabilities to accommodate law enforcement interests. Gogo then implemented those functionalities into its system design.

As Pando Daily reports, this declaration came after a Gogo subsidiary, Aircell, boasted to an aviation trade magazine that the company “can give [law enforcement] any information they need in real time.”

The law that Gogo referred to in its letter to the FCC, CALEA, was passed by the US Congress in 1994 to make it easier for law enforcement to wiretap digital telephone networks.

CALEA forced telephone companies to redesign their network architectures to make wiretapping easier, but it expressly kept its hands off of data traveling over the internet.

In 2004, law enforcement agencies tried to change that, filing a petition with the FCC requesting that CALEA’s reach be extended to the internet.

The Electronic Frontier Foundation (EFF) has filed several lawsuits to prevent the FCC from expanding domestic surveillance capabilities under the act.

Not surprisingly, the EFF and other civil liberties groups were alarmed at the recent Gogo revelation.

Peter Eckersley, of the EFF, told Wired that companies shouldn’t be working with the government to help federal agencies monitor or track their users:

CALEA itself is a massive infringement on user’s rights. Having ISPs [now] that say that ‘CALEA isn’t enough, we’re going to be even more intrusive in what we collect on people’ is, honestly, scandalous.

When Pando asked Gogo about the company’s partnership with law enforcement agencies and for details about what new surveillance capabilities the company has developed that go beyond CALEA, a Gogo spokesman had this to say:

Gogo does what all airborne connectivity companies have been asked to do from a security perspective, and it has nothing to do with monitoring traffic. Beyond that, we can’t comment beyond what’s in our public comments with the FCC.

When Wired contacted the company, a Gogo spokesman insisted that the company only added one capability – having nothing to do with monitoring traffic – that goes beyond CALEA, in spite of the letter’s reference to multiple capabilities.

That capability was a CAPTCHA feature added to “prevent people from remotely accessing the system”, the Gogo spokesman told Wired. In a followup email sent to Wired, the spokesman suggested that yes, in fact, there was more than one concession, but that the secondary concessions are simply “all the CALEA requirements we adhere to.”

The ACLU’s Soghoian is skeptical about the notion of CAPTCHA being used to keep remote users out of the network, as Gogo claimed:

That doesn’t make any sense. You can only access [the network] from the airplane. The Wi-Fi only works when you’re above a certain number of feet…. If that’s all the government wanted, why not be up front with that in the beginning? Initially they said there were things that were done, but they couldn’t describe them. [The new statement] suggests there’s more there.

In fact, Wired hypothesizes that the extra capabilities might be those alluded to in Aircell’s comments to the aviation trade magazine.

In that interview, Aircell director of business development and strategy Timothy Twohig mentioned a “Super CALEA” arrangement with the FBI whereby it could immediately shut off service to select individuals or an entire airplane, without shutting the service off to US air marshals, if authorities determined there was a security threat to the plane.

At any rate, Gogo isn’t the only company that’s cozy with law enforcement.

Wired points to an FCC notice of proposed rule making published in December regarding negotiations between Panasonic Avionics and law enforcement about lawful data interception in the company’s eXConnect system, which provides broadband connectivity to airlines including American and United.

According to the document, Panasonic Avionics is “engaged in active discussions with US law enforcement officials regarding lawful interception (‘LI’) and network security functionality to be deployed in the eXConnect System” and has “engaged a CALEA-compliant equipment vendor to implement its LI solution, which will be in place before the commencement of commercial operations.”

Panasonic Avionics is also “implementing additional functionality subject to final agreement with US law enforcement,” the document says, while operators “have uniformly engaged in direct consultations with law enforcement to develop appropriate capabilities consistent with their system characteristics and service offerings.”

In fact, the FCC says in the document, it’s already concluded that it’s OK to extend CALEA beyond its initial parameters.

It’s decided that WiFi and Voice over IP (VoIP) service providers can be deemed to be “telecommunications carriers” for purposes of applying CALEA, “regardless of whether such offerings are voice or data services”.