Radiofrequency and direction finding (RFDF) has been around since the early days of aviation. Today, communication intercept (COMINT), metadata collection, targeting, and identification/location play a major role in special operations and in the War on Terror. Bulk collection is essential for developing the “big picture,” as satellites, national agencies, and tactical forces complete it.

Bulk cell phone collection was in the news following the San Bernardino massacre. The media focus was on our inability to trace records past a certain timeframe. More to the point, a recovered cell phone was involved in French tactical units’ timely response following the Paris attacks, which led to a massive number of arrests and a successful final assault on the terrorists’ building in Saint-Denis. Much of the intelligence was likely derived from COMINT. Let’s examine how this works. For this discussion, we’ll focus on cell phones versus traditional field-radio communications.

Metadata collection does not involve listening in on a phone conversation, although the listening capability, while challenging, certainly exists from both a national and tactical standpoint. Every commercial cell phone has an international mobile equipment identity (IMEI), equipment serial number (ESN), or mobile equipment identifier (MEID). Whichever term is used, it represents your cell’s fingerprint. The purpose is to make the equipment uniquely identifiable.

When a call is made, a temporary mobile subscriber identifier (TMSI) is assigned electronically by the visitor location register (VLR). The TMSI is designated by location and helps to narrow the search area for those of us in “tracking mode.” If the cell moves to a new area, a new TMSI is assigned, yet this original information may still be valuable. Once a cell travels outside of a few TMSIs, an international mobile subscriber identity (IMSI) is assigned and this is keyed into the GSM chip, which used to be easily transferred/removed. In some cases, by tracking the chip, we could identify multiple members of a planning organization. Those acronyms, along with the actual phone number of the caller and receiver, make up the metadata. These provide information in two ways, firstly from the tactical to the theater/national level, and secondly from theater/national to the tactical level.

Tactical to Theater

U.S. and Polish Soldiers lay out all evidence found during a site exploration exercise at a training facility in Ferizaj, Kosovo October 15, 2019. (Photo by Sgt. Patrick Kirby/U.S. Army)

My team hits a target (say outside of Mosul) based on any combination of intel sources. During the Direct Action, we quickly gather all cell phones, pull the GSM chip (in the old days — today it can be a quick hardwire transfer), and upload all info onto a laptop via a SIM card reader. Now we have three options:

First, take the information back to base, upload it to national agency assets that then scrub the data, reply back with correlating metadata associated with enemy combatants, and we develop new targets where we use tracking and Direction Finding (DF) gear to locate and hit these tangos. Repeat cycle.

Second, quickly upload the intel to portable COMINT equipment (I had gear small enough to mount on my M4). Listen to see who calls, and develop a new target(s) on-site of the original operation. When complete, repeat if possible, then fall back to option one with the remaining data.

Third, do not hit subsequent targets. Use the metadata to monitor and track movements, collecting intelligence on potential higher-echelon persons.

Strategic to Tactical. The F3 Method

Prior to deployment or in a time-sensitive target (TST) scenario, the metadata is provided to the operatives. Insert near the objective based on probable location(s) provided by originating collectors.

Find: Tactical assets close the circle and narrow the location of the target to a building, room, or even a spot as small as 10×10 feet depending upon the GPS accuracy.

Fix: The assault team conducts kill/capture mission.

Finish: This is the final part of the F3 method. From this point (with consideration for threat response time, etc.) we can consider options that range from the tactical application back to the theater review and on-site target development for immediate action. Most often, though, it is time to head out and head back to base, where we can evaluate and analyze (EA) all information and intelligence gathered at the objective. F3EA.

In the Paris attacks of 2015, the above scenario was very possible, if not probable. The metadata from the cell phone that was recovered following the terrorist attacks contributed significantly to the Direct Action on the housing building in Saint-Denis. Collection plans were developed from the IMEI, phone numbers, and other metadata in order to locate everyone from potential facilitators and other participants to the terrorists in-country and abroad. That same intelligence will certainly be useful in preventing a future attack if it has not already done so. The potential gap in metadata information from the San Bernardino terrorists does not provide a service to our citizens.

Necessary Protections

The scenarios that were discussed are operations against a foreign enemy and as such, do not involve the same civil liberties that our constitution provides our citizens. Those protections are necessary, and strict measures are in place to protect privacy — the traitor Eric Snowden’s worthless opinions notwithstanding. Senator Rand Paul has been a vocal critic of bulk metadata collection. His opinion and words are an important voice, as there is potential for abuse from a public viewpoint, yet such abuse would not be as practical or as simple as it may appear.

I find it interesting when I hear individuals screaming about the violation of their privacy as they use a cell phone made in Japan, China, or Korea, then transfer data or voice comms over airwaves in open space that no one owns, to a cell tower — which was built by one of a number of publicly-traded companies — then transmitted to a satellite or series of satellites controlled by any number of nations.

Find, fix, and finish (F3) is a method that is both proactive and defensive. Considering the mounting threats against the U.S. and other Western countries, the metadata and the intelligence potential that it provides are a necessary resource. We know how it works; let’s allow it to work for our benefit.


Editor’s note: This article was written by Peter Morlock Jr, a retired Senior Chief Cryptologist in the Navy with service in intelligence and Special Operations agencies and units. It was originally published in 2016 and has been edited for republication.