Under BTK’s eye: Turkey’s information authority collecting private data for months
Turkey’s Information and Communication Technologies Authority (BTK) has been confirmed to have spied on the country’s citizens since December 2018, according to an investigation by journalist Doğu Eroğlu.
Data surveillance in the country has shifted from processing court orders and warrants to “processing of personal data within the scope of preventive, protective and intelligence activities”, as Turkey’s Data Protection Act went into force in 2016.
Legal expert in cyber security Yasir Gökçe wrote in July that the indiscriminate collection of personal and communications data by the government was “illegal and illegitimate”.
Main opposition Republican People’s Party (CHP) deputy chairman Onursal Adıgüzel has been monitoring the issue and believes authorities are engaged in severe criminal activity.
“The recent revelations, in Turkey exposed the extent of surveillance in the hands of Turkish executive powers, but whether BTK will face any consequences for its actions is yet to be seen,” writes Global Voices columnist Arzu Geybullayeva in an article published on Friday.
A full reproduction of the article follows below.
On July 21, 2022, an online news platform Medyascope.tv published an investigation revealing how Turkey’s Information and Communication Technologies Authority (BTK) has been collecting private user data in a massive breach of privacy that began in 2021. The story confirmed what Onursal Adıgüzel, the deputy chairman of the main opposition Republican People’s Party (CHP), shared in a series of tweets a little over a month ago.
Journalist @DoguEroglu has obtained the documents confirming that the Information and Communication Technologies Authority (BTK) collects hourly activity logs of internet users. https://t.co/yhU2ZIkDFg pic.twitter.com/l52J1qLSkb— Free Web Turkey (@FreeWebTurkey) July 21, 2022
The investigation, by journalist Doğu Eroğlu, says the BTK started collecting information about Internet subscribers from Internet service providers (ISPs) on a monthly basis in December 2018. This collected data included subscribers’ “names, last names; ID, tax and central registry (MERSIS) numbers; gender and nationalities; parents’ names; birth places and dates; occupations; addresses; and old mobile numbers”.
In December 2020, in a confidential letter, signed by VP Fethi Azaklı, BTK asked local ISPs and mobile operators for “internet traffic of all users in Turkey” on an hourly basis. In the event ISPs refused to provide this information, BTK warned they would be penalised.
The letter claimed that BTK was “tasked with detecting, monitoring, evaluating, and recording data for legal purposes in a timely and non-disruptive manner. There is a need to obtain more detailed information regarding the activities taking place on the Internet within the scope of forensic and preventive purposes”.
In an interview with Medyascope.tv, Doğu Eroğlu said there was no information on where this mass data was being stored, the period the users’ private information was stored for, or which third parties had access to this data. The service providers told him that they first started delivering requested information in 2021.
In 2000, the government set up the Telecommunications Authority, “to perform the regulatory and supervision duties in the electronic communication sector.” The agency was restructured in 2008, taking on a new name: the Information and Communication Technologies Authority. It operates under the Ministry of Transport and Infrastructure.
In 2016, following the failed coup attempt of July 15, Turkey shut down the Department of Telecommunications and Communications (TİB) — Turkey’s leading internet censor — and handed all of its authority to the BTK.
TİB was set up in 2005 with the main purpose of centralising, “from a single unit, the surveillance of communications and execution of interception of communications warrants subject to laws No. 2559 (Law on the Duties and Powers of Police), No. 2803 (Law on the Organisation, Duties, and Powers of Gendarmerie), No. 2937 (Law on State Intelligence Services and National Intelligence Organisation), and No. 5271 (Criminal Procedural Act).”
In the aftermath of the coup, the authorities claimed that “TİB was used as a hub for FETÖ for surveillance and wiretapping purposes”, using an acronym for the followers of Islamic preacher Fethullah Gülen who Turkey holds responsible for July 15.
As such, with the new powers, BTK went from being a regulatory body to an authority with surveillance powers that included, “the authority to take any measure it deems necessary to uphold ‘national security and public order; prevent crime; protect public health and public morals; or protect the rights and freedoms’ and inform operators, access providers, data centres, hosting providers and content providers of the said measure, who then need to take action within two hours”.
The same year authorities shut down TİB, the country adopted Law No. 6698 on the Protection of Personal Data, which prohibited the processing or storage of personal data without consent from the subject. However, according to exceptions to the law, this data could be processed and stored if it was a matter of national security. As such, the law states, in the “processing of personal data within the scope of preventive, protective, and intelligence activities carried out by public institutions and organizations duly authorised and assigned to maintain national defence, national security, public security, public order, or economic security”, the Data Protection Law shall not apply. In addition, three new decree laws – 670, 671, and 680 – allowed interception of any internet data, without a court order or supervision, of individuals allegedly linked to the coup.
“Many of you remember the mass surveillance scandal former NSA employee, Edward Snowden made public in 2013,” Adıgüzel wrote in a series of tweets on June 8. “BTK has been carrying out something similar for a while. The President of BTK requested the log records and ‘publish-subscribe pattern from 313 internet service providers through a ‘confidential’ letter,” he revealed.
In an opinion piece Adıgüzel described the act as “the biggest tapping scandal in the history of the Republic.” The MP accused the BTK of “committing a crime” and violating the country's constitution and laws.
Professor of law and expert on internet freedom issues in Turkey Yaman Akdeniz confirmed these allegations in a tweet. According Akdeniz, despite there being a decision by the constitutional court cancelling the BTK's authority to make these requests, it continued to collect user data. Akdeniz then urged parliament to pursue an investigation into BTK's activities.
In the meantime, Adıgüzel wondered whether BTK was trying to create its own version of Cambridge Analytica by collecting and analysing the behavioural data of 85 million citizens, data that can be used for mass manipulation. After all, the collected data includes national IDs, addresses, websites visited, and the content consumed. Turkey is scheduled to hold general elections in 2023 and already, as pointed out by some experts, recent legal amendments, combined with manipulation tactics used in the past, can be part of broader measures deployed by the ruling government ahead of the upcoming vote. “A very serious preparation is being made for the election in terms of digital infrastructures. This is how I see the things that BTK has done, the changes in the Law No. 5651 and the Penal Code. I believe that serious manipulation awaits us during the election period,” lawyer Faruk Çayır from the Alternative Informatics Association told Doğu Eroğlu.
Adıgüzel also noted that the attempts by the opposition party to request further information into the tapping scandal were denied by the parliament.
Doğu Eroğlu also mentioned parallels to the Cambridge Analytica scandal. While the ends to which the BTK and the authorities plan to use the received information may not be clear yet, the amount of data obtained can be used for mass profiling, have political implications, and be used as blackmail against influential people, he explained.
Speaking to Eroğlu, lawyer Alper Atmaca from the Free Software Association said that the data obtained by BTK through ISPs can also be used as a “social filter”.
“For example, you want to identify homosexuals in Turkey. You have to filter it. Very simple. Find the IP addresses that go to the servers of dating sites or dating applications that are specially prepared for homosexual individuals. This gives you a huge social filter.”
Faruk Çayır told Eroğlu the data can be used as “profiling system”.
“They will transfer it to a third company and then be able to do the filing and profiling whenever they want. They will create the profiles of the citizens, and on top of that, they will simply tag people who visit certain websites, regardless of who the person is or what they are, and declare them guilty,” he explained.
In 2013, when Edward Snowden revealed the mass surveillance by NSA, he said, “I will be satisfied if the federation of secret law, unequal pardon and irresistible executive powers that rule the world that I love are revealed even for an instant,” in an interview with The Guardian. The recent revelations, in Turkey exposed the extent of surveillance in the hands of Turkish executive powers, but whether BTK will face any consequences for its actions is yet to be seen.
(The original version of the article can be found here.)