Signals intelligence (SIGINT) is a major segment of the intelligence discipline, and communications intelligence (COMINT) is a subset of SIGINT. In turn, “traffic analysis” (T/A) is a significant part of COMINT while also useful in other aspects of SIGINT.

This post defines and explains traffic analysis when used in this context, as part of the broader discipline of signals intelligence.(1) The post describes the elements of T/A and explains how T/A has been used for several purposes including to produce intelligence information, to aid cryptanalysis, and to support the collection of additional data. It then presents examples of intelligence contributions made by T/A during World War I, World War II, and the Cold War, including the Korean War and the Vietnam War.

Definition

The word traffic to a communicator or cryptologist referred to communications passed between a sender and an intended recipient. Thus, the study of traffic by unintended recipients was called traffic analysis.

T/A has been the study of “external” features of target communications. It also can be used against noncommunications electronic emissions and telemetry signals. It examined all aspects of communications transmissions excluding code or cipher message content, which was the purview of cryptanalysis (C/A). Traffic analysts studied signals’ characteristics, including radio frequency usage, callsigns (a series of letters and/or numbers assigned to a specific radio station), transmission schedules, locations of transmitters, the routings and volumes of message traffic, informal “chatter” between the targets’ radio operators, and the unique characteristics exhibited by manual Morse operators, referred to as their “fists.”

T/A and C/A historically have been the major technical approaches to COMINT, and information derived from traffic analysis and cryptanalysis can be combined to gain knowledge about the senders and receivers. This knowledge was provided to customers in “end-product” reports.(2)

The Elements of Traffic Analysis

Historically, the elements of communications subject to traffic analysis were among the following:

Callsigns – Usually a brief series of letters and/or numbers assigned to a specific radio station by a government authority. The radio operator transmitted a callsign to identify the station when making contact with other radio stations. Some callsigns were permanent, while others changed periodically according to a pre-arranged plan to confuse monitoring by unintended listeners. If the unintended listeners (COMINT units) solved the system by which the callsigns were generated and/or assigned, they could then predict the new callsigns used by individual radio stations following the periodic changes.

Frequencies – Organizations using radio communications were allotted various blocks of the radio frequency spectrum. Within these blocks, organizations selected frequencies which worked best for them. For example, in the high frequency (HF) range (3-30 MHz, which provided the bulk of the long-distance communications capability), frequency usage typically was divided between daytime and nighttime ranges, with the higher range used in the daytime for clearer reception. Radio signal propagation at nighttime usually required less power and could be heard well at the lower frequencies because of changes in atmospherics.

Military organizations, if given the capability/option, might rotate their use of individual frequencies among the stations of a network in an effort to foil COMINT units’ interception and identification of individual stations. Frequency rotations were designed in advance, with stations in a network each being assigned an individual starting frequency, from which they proceeded through periodic rotations in a prearranged manner. To be most effective in countering the COMINT unit’s attempt to listen to them, military organizations would simultaneously change callsigns and frequencies. When that was not done, it usually was an easier task for the traffic analyst to equate the new callsigns to old frequencies and vice versa.

Schedules – Military radio station networks usually operated according to prearranged schedules for making contacts and sending messages. The recovery of these schedules allowed the COMINT unit to allocate its monitoring resources most efficiently, without wasting time listening for an inactive station or network. It maximized the COMINT unit’s collection of messages from the network, messages that might be readable and of possible intelligence interest.

Additionally, if a station or network changed its callsigns and frequencies, but not its contact schedules, it might be possible to use communications schedules to identify stations and gain insight into the new callsign and frequency allocations, which could lead quickly to full recovery of the network and permit continued exploitation.
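The continuity recovery described above, as an added example that is not part of the original brochure: stations are re-identified after a callsign and frequency change purely from unchanged contact times, and the match fails once the schedule is changed as well. All callsigns, frequencies, times, function names, and the matching tolerance are constructed for illustration.

```python
from collections import defaultdict

# Constructed intercept logs: (callsign, frequency_kHz, contact time "HH:MM").
BEFORE = [
    ("KDA4", 7420, "06:00"), ("KDA4", 7420, "12:30"), ("KDA4", 4150, "21:15"),
    ("RVT9", 7455, "06:20"), ("RVT9", 7455, "14:00"), ("RVT9", 4180, "22:40"),
    ("MJQ2", 7490, "08:05"), ("MJQ2", 7490, "16:45"),
]
AFTER = [  # new callsigns and frequencies, same contact schedules
    ("ZXP7", 8110, "06:21"), ("ZXP7", 8110, "13:59"), ("ZXP7", 5230, "22:41"),
    ("QLW3", 8140, "08:04"), ("QLW3", 8140, "16:46"),
    ("HBN5", 8170, "06:01"), ("HBN5", 8170, "12:29"), ("HBN5", 5260, "21:16"),
    ("TUC8", 8200, "03:10"), ("TUC8", 8200, "10:50"),  # station with no history
]

def schedules(log):
    """Map callsign -> contact times in minutes of day; frequency is ignored."""
    out = defaultdict(list)
    for callsign, _freq, hhmm in log:
        h, m = map(int, hhmm.split(":"))
        out[callsign].append(h * 60 + m)
    return out

def similarity(old, new, tol=3):
    """Share of old contact times repeated within tol minutes (wraps at midnight)."""
    def gap(a, b):
        d = abs(a - b)
        return min(d, 1440 - d)
    hits = sum(any(gap(o, n) <= tol for n in new) for o in old)
    return hits / max(len(old), len(new))

def carry_continuity(before, after, threshold=0.6):
    """Map each new callsign to the old callsign sharing its schedule, else None."""
    old, new = schedules(before), schedules(after)
    result = {}
    for callsign, times in new.items():
        best = max(old, key=lambda c: similarity(old[c], times))
        score = similarity(old[best], times)
        result[callsign] = best if score >= threshold else None
    return result

def shifted(log, offset):
    """Same log with every contact time moved by offset minutes (schedule change)."""
    return [(c, f, "%02d:%02d" % divmod((int(t[:2]) * 60 + int(t[3:]) + offset) % 1440, 60))
            for c, f, t in log]

if __name__ == "__main__":
    print(carry_continuity(BEFORE, AFTER))               # schedules unchanged
    print(carry_continuity(BEFORE, shifted(AFTER, 97)))  # schedules changed too
```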

Address Systems – In addition to callsigns, radio stations often used message address systems to route messages to particular addressees or military units, several of which might be served by a single radio station. An example would be a radio station at an army post that housed infantry units, armored units, and a helicopter unit. Messages intended for any of these units typically would be accompanied by a message serial number, an indication of its urgency (message precedence), an expression of the size of the message in some numerical form (so the recipient would know whether a complete message had been received), and usually encrypted designators that specified the originator of the message as well as the specific addressees. If the address system could be solved by the traffic analysts at the COMINT unit, often with help from other information sources, unit identifications could be revealed. That “order of battle” information (usually describing a military unit’s identification, organization, strength, and location) could then be compiled and maintained.

Operator Chatter – Idle chatter between radio operators generally was unencrypted and in the native language of the country where the stations were located. If, for example, the radio signal was transmitted in international Morse code, three-letter brevity codes (called “Q” and/or “Z” signals) might be used simply to shorten the transmissions in much the same way that cell phone users send text messages today. (For example, “CUL” stands for “see you later.”) Chatter collected from careless radio operators often contained useful information that might not otherwise be known to the COMINT unit. Callsign, frequency, or contact schedule information might be disclosed, thus making the intercept operator’s job a bit easier. Security lapses in operator chatter could contain plaintext military unit designators and/or their locations–a “gold mine”: for example, “I don’t have time to send you those requisitions. The 509th is about to deploy.”

Some operators had distinctive transmission patterns that could be recognized even after a communications change that resulted in new callsigns, operating frequencies, and contact schedules. Further, often the type of chatter was service unique. For instance, ground forces would sign off one way and air forces another. With slim leads like those, the traffic analyst could begin to recover the new signal procedures, then identify the individual stations, and finally reconstruct the entire network. In the words of one former traffic analyst: “The traffic analyst used all of the tools described and was a miner of the repetitive idiosyncratic. Find that little piece that stands out and is different and sustains continuity through repetition.”(3) Although sometimes T/A information can be deduced from a few messages, generally the larger the volume of communications, the more that can be inferred.(4)

Location and Characteristics of the Transmitter – Radio direction finding (RDF) attempts to determine the azimuth (line of bearing between the source of the signal and the receiving station) of a propagated radio signal. If the azimuth of some signal can be determined from multiple locations, then perhaps the location of the transmitter can be derived, that is, a “fix” on the transmitter’s location can be obtained. At times even a single azimuth can be helpful. RDF was particularly useful in locating and following the movements of military units. Further, individual transmitters have unique technical characteristics which, if detected, can be useful to the traffic analyst.

The Role of Traffic Analysis

Production of Intelligence

The first step in intelligence production was to determine what the customers’ requirements for information were and how they could be satisfied by SIGINT, including T/A. Then collection managers identified the targets to be collected and assigned the specific tasks to be accomplished to stations, often based upon the station’s technical capabilities and its geographic access to the target signals.

Diplomatic, army, navy, air force, terrorist, commercial, and other foreign communications have been subject to traffic analysis. The structure of the military communications networks reflected the underlying structure of the military organizations they served. For example, a “net control” station and its “outstations” may portray a division and its regiments. T/A involves the study of the target’s radio communications features, thereby helping to identify and locate the communication units and keep track of their signal activity and location over a period of time. All of these actions helped produce information known as “order of battle,” which is critical to understanding enemy capabilities.

The value of any intelligence product, however, depended in part upon how effectively the recipient used the data. Throughout history, many of the so-called “intelligence failures” were incorrectly labeled. In all too many instances good intelligence had been forwarded to the user/customer only to have it ignored or rejected. This is as true of T/A as of any element of intelligence production.

Support to Cryptanalysis

T/A supported C/A by providing current information on the identity, location, and relationships of the originators and recipients of the messages, all of which offered help to the cryptanalysts in solving codes and ciphers.

One British author observed during World War II that “Only if the cryptanalyst were in close contact with those responsible for enemy interception and for Traffic Analysis could the cryptanalytical obstacles be surmounted with minimum delay.”(5)

Guiding the Interception of Communications

T/A was used to assist intercept operators by providing current data on radio frequencies, callsigns, and transmission schedules used by the targets. In return, the intercept operators assisted the traffic analyst by their recognition of unique identifying characteristics of the target radio operators and their equipment, somewhat similar to recognizing the voice of a telephone caller.

A significant challenge was maintaining a current database on all prospective targets. Having current technical data available allowed the intercept operator to access the desired communications without first spending weeks or months building background information on the target communications. Given the changing nature of communications, the building and maintaining of technical data were an important and never-ending process.

Countering Deception

The target forces took many measures to make it difficult to intercept and exploit their communications. Measures they used included constantly changing their radio frequencies, callsigns, and communications transmission schedules and reducing the length of time they were on the air. They also encrypted addresses and operator chatter or sent false (or “dummy”) traffic; they even rapidly switched from one mode of communications to another.

A challenge to traffic analysts was to determine when the target communications were being fabricated in an effort to mislead. Callsigns, frequencies, and other elements of radio transmissions might be altered to indicate that military units were neither the units they seemed to be nor located where they appeared to be. A good example of this type of deception was used by the Allies in WWII to create the illusion of an Allied army that did not exist. The ruse was supported by establishing a communications network across from the Pas de Calais just before the Normandy invasion.

Summary

A hypothetical analogy using postal mail may clarify the concept of T/A in more familiar terms. In the case of postal mail, the content of the envelope would be the purview of cryptanalysis, whereas the study of the address, the return address, and the date stamp would be akin to traffic analysis. Study of these external features could reveal identification of banks, stockbrokers, credit unions, employers, doctors, dentists, friends, relatives, etc., and how often and when mail contact is maintained with these recipients. For example, T/A in this context might reveal that an individual had been diagnosed as seriously ill based on communications with doctors and insurance companies, or that the person is under financial stress based on the volume of letters from collection agencies and banks.

Notes 1-5

1. The term SIGINT (signals intelligence) includes three subordinate sources of information: COMINT (communications intelligence), ELINT (electronic intelligence), and FIS (foreign instrumentation signals). The function of radio direction finding (RDF) normally is included within the discipline of COMINT but is applicable in the other areas as well. While ELINT was collected and analyzed during WWII, the term SIGINT did not come into the lexicon until after the end of the war, and COMINT was known as “radio intelligence” until the middle of the 20th century. Traffic analysis (T/A) and cryptanalysis (C/A) were the two major components of COMINT, although exploitation of plaintext intercept, POW interrogations, captured documentation, open source publications (maps, transportation schedules) and the like were often helpful to both traffic analysts and cryptanalysts.

2. The authors of this brochure were engaged in traffic analysis during some portions of their careers in signals intelligence involving the various war periods listed subsequent to World War I. To facilitate the production of intelligence, NSA in 1965 formalized the technical career specialties such as T/A and C/A by establishing career panels to oversee training of personnel and their attainment of “professional” status. These panels developed specific training criteria, intern programs, rotating assignments, and formal examinations. Upon completion of the courses of study, an individual was certified as a professional in a specific field.

3. William Fromm, December 2012.

4. Raymond Schmidt, informal notes, January 2013.

5. F. H. Hinsley, British Intelligence in the Second World War, Vol. I (London: Stationery Office Books, 1988), 21.

Source: Center for Cryptologic History National Security Agency