How I found a secret U.S. government aerial surveillance program
I’m calling this talk “4414” because that’s the most significant number in this story. 4414 is what really led to everything else. And this picture shows the crucial piece of hardware I used to do this: An RTL-SDR dongle and a BeagleBone Black.
Who am I?
Disney R&D Imagineer
Interested in robotics, natural language processing, drones, aviation
The work I do at Disney has no overlap with this project :)
What is this about?
Tracking police helicopters
The first year I lived in LA I had an experience with a police helicopter’s spotlight transfixing me from the heavens, which led to a long obsession. One thing I wanted to do was track them and learn their behaviors, like you might do with birds.
I tried to come up with the easiest way to track helicopters, and spent a lot of time thinking about acoustic tracking, which has a long history.
But I never got it to work very well.
But then this amazing thing happened: Someone figured out the RTL dongle for receiving digital TV transmissions could be used as a wideband SDR and pick up all sorts of stuff, including the aircraft transponder packets on 1090 MHz that sometimes include aircraft position.
Easy to set up for < $100
Nowadays I use a FlightAware dongle, with built-in 1090 MHz amplifier, and a Raspberry Pi 3 with power-over-ethernet.
This is a FlightAware 1090 MHz filter just before the dongle.
And an antenna tuned for 1090 MHz.
You can see on this version of the listening station, I’d tuned to a reference signal and determined that my dongle had a 40 PPM error that I needed to compensate for.
You can go from a fresh Raspberry Pi to having a full browser-based radar-like display in under an hour.
This shows my approximate reception range, though I do sometimes pick up aircraft as far as Vegas, San Diego, and even Arizona.
There’s an easy-to-install package that even includes a nice dashboard showing system stats.
Now we begin our survey of interesting things you see over Los Angeles.
Fire in Eagle Rock
5 LAFD helicopters, a Pasadena PD helicopter, and a news chopper.
Burbank & Glendale PD
This shows just a few days of flight paths from a Burbank/Glendale PD helicopter. It seems like there’s always a helicopter overhead because there’s always a helicopter overhead.
Sterile Insect Technique
One of the first things I noticed was a shadowy military contractor flying planes in weird patterns over LA several times a week. OMG, should I blow the whistle on them?! I waited and did more research, and it turns out they’re dropping thousands of sterile fruit flies as part of a fruit fly eradication program.
Tour of California TV relay
Chalk 2, Inc.
This plane out over the desert is registered to Chalk 2, Inc. (a military reference), and is used as a UAV chase plane.
There’s a U-2 test range to the north. They limit the altitude the transponder reports to 60,000 feet but they’re actually flying higher.
U-2 (and Air Cerberus)
You can see what happens when I lose line-of-sight for a portion of a flight. Air Cerberus… We’ll come back to them.
One day while driving home, I saw a giant C-17 fly over my car at low altitude. When I got home I checked, and it was barely at 1000 feet. It was on its way to a stadium flyover (and is a plane known for doing aggressive, photogenic training in Star Wars canyon, which is the photo on the right).
San Bernardino Sheriff
Why are they flying a square circle? I don’t know.
Keystone Aerial Surveys
Another lawnmower pattern, but much tighter than the Dynamic Aviation sterile insect technique flights. Keystone seems to do some military/intelligence work too.
Aperture Aviation (mapping) (Wells Fargo)
Look at how precise that is. This plane is actually registered to Wells Fargo, which is a commonly used technique to obscure ownership. Often you can dig up enough to track down the real owner.
Keystone Aerial Surveys (and SIT)
Aerial imagery? (Aeroptic Inc.)
What’s the significance of the clover-leaf pattern? I don’t know. Some aerial mapping companies are known to be fronts for doing government surveillance.
I asked on aviation.stackexchange.com but there wasn’t a conclusive answer. I’ve wondered if it was related to doing radio direction finding.
3x military surveillance training
A few weeks ago local news showed special operations soldiers training in the LA area, helicopters dropping soldiers on top of buildings etc. They were supported by multiple military surveillance aircraft.
3x military surveillance training
And here they are downtown.
Air Cerberus is a front company used by the military, with an address shared by a National Guard office. Air Cerberus does surveillance over and around LA frequently. They fly planes over the Super Bowl, too.
Busy day: SIT, 4 different police departments (N420LE)
N420LE is registered to a local drug task force (ha ha).
Busy day: 2x news, 2x LAFD, 2x police, SIT, Air Cerberus
This isn’t a record of 12 hours of flying or something, this is just an instantaneous snapshot of one moment in time in Los Angeles’ sky.
DHS over Pasadena. Check out the equipment pods on that.
DHS, Subject driving 405 north
DHS, Subject driving 10 east
DHS Shift change
The aircraft flying the outer circle is leaving, the one flying the inner circle just arrived.
2x Silver Creek Aviation (DEA)
In the lower right there’s a Cessna registered to a small Texas company, Silver Creek Aviation. Why is it flying circles over LA? Why does it have a camera turret? Because Silver Creek Aviation is actually a front for the DEA. How do I know? We’ll get to that.
OK, this isn’t really about police helicopters
I started out tracking police helicopters, but then something else fell into my lap.
In May 2015, The Washington Post published an article about how some planes were circling over Baltimore neighborhoods after the Freddie Gray riots, and how some guy thought for some unknown reason that they were FBI surveillance planes.
Uncovering aerial surveillance by the FBI
...with Unix (& Clojure & postgres)
This talk is actually about uncovering a massive, secret, FBI aerial surveillance program.
Since tracking aircraft was kind of my thing, and I’m also interested in military and police surveillance, I was curious.
The article included one piece of identifying information for one plane: It was owned by NG Research.
Googling NG Research led to lots of suspicious (or paranoid) people posting about possible surveillance planes. This redditor thought “NG Research” was Northrop Grumman (it’s not).
They mention the tail number, and that the ownership record lists Bristow, VA as the owner’s address. They suspect persistent surveillance, and they mention that the FBI sometimes uses the transponder squawk code 4415 when doing surveillance. It seemed a little hard to believe, but I found several people (mostly on conspiracy and/or gun rights web forums) claiming that the FBI used specific transponder codes, either 4414 or 4415, when doing surveillance.
Using historical sensor data to retroactively identify and track new government targets.
I realized I could use my database of transponder pings to do persistent sousveillance! My definition of sousveillance: They’re flying around looking down on us, but I’m looking up at them.
I have 7 billion raw transponder pings from about the past 3 years in a postgres database.
This is some of the code that ingests messages into the database. It’s clojure, because I like Lisp.
This is a neat little DSL for defining an SQL interface for a clojure program. It parses the metadata in the SQL comments and creates clojure functions to do queries and updates using the parameterized SQL.
When this screenshot was taken, I was receiving and ingesting about 300-350 messages/second.
What info do I have?
Presence, not position.
Speed, altitude, transponder squawk code
But the internet.
I had some information from direct observation using the RTL-SDR dongle to pick up aircraft transponders, and that was enough to leverage a lot of information that was publicly available on the internet, like FAA registration records. When I was doing this, amateur multilateration (“triangulation”) networks didn’t exist, so I didn’t yet have position info.
Starting to get weird: Two companies w/ PO boxes in Bristow VA?Seeing this output was the precise moment I began to think I might have stumbled on to something big.
I downloaded a copy of the FAA records and looked up the 8 aircraft that had squawked 4414. Seeing the output of this shell command is the precise point where I began to think it was possible that the paranoid fringe of the internet might be right about something.
N301A - Worldwide Aircraft Leasing Corp.
Also available on the internet are photos of almost every aircraft. Obsessive planespotters go around taking pictures, then post them and tag them with the tail numbers. I was able to find pictures of 4 of the 8 aircraft of interest.
N404KR - OBR Leasing
N496WW - National Aircraft Leasing Corp.
This one seems to have a camera turret...
N515JW - Aerographics Inc.
So does this one.
I searched the FAA records for every aircraft registered to a PO box in Bristow, VA, and the results were creepy: Most of these names fit the same simple pattern! These are totally front companies! This is like Trevor Paglen tracking down CIA fronts that own the planes involved in rendition flights--Did I discover an FBI program or a CIA program?!
Closer examination shows that whoever set up these front companies was kind of sloppy. Besides the repetitive naming pattern, they used the same PO box for a few companies--and that PO box is also used by the Department of Justice.
I was able to expand the list from the 8 aircraft I had directly observed to 105 (suspected)