Investigation Reveals Turkish Information and Communication Authority has been Collecting Private User Data for Over a Year Global Voices Français
On July 21, 2022, an online news platform Medyascope.tv published an investigation revealing how Bilgi Teknolojileri ve İletişim Kurumu (Information and Communication Technologies Authority, BTK) collected private user data in a massive violation of life privacy of users which began in 2021. The story confirmed what Onursal Adiguzel, the vice-president of the main opposition party, the Republican People (CH), shared in a series of tweets a little over a month ago.
Journalist @DoguEroglu obtained the documents confirming that the Information and Communication Technology Authority (BTK) collects hourly activity logs from Internet users. https://t.co/yhU2ZIkDFg pic.twitter.com/l52J1qLSkb
– Free Web Turkey (@FreeWebTurkey) July 21, 2022
The investigation, by journalist Doğu Eroğlu, says that the BTK started collecting monthly information on Internet subscribers from ISPs in December 2018. This data collected included the “names, surnames” of subscribers; Identification, tax and central register numbers (MERSIS); gender and nationalities; parents’ names; places and dates of birth; occupations; addresses; and old mobile numbers.
In December 2020, in a confidential letter, signed by Vice President Fethi Azakli, BTK asked local internet service providers and mobile operators for “internet traffic of all users in Turkey” on an hourly basis. If ISPs refuse to provide this information, BTK warned that they would be penalized.
The letter claimed that BTK was “responsible for detecting, monitoring, evaluating and recording data for lawful purposes in a timely and non-disruptive manner.” It is necessary to obtain more detailed information regarding the activities taking place on the Internet for forensic and preventive purposes.
In an interview with Medyascope.tv, Doğu Eroğlu said that there is no information on where this mass data is stored, for how long users’ private information is stored or which third parties have access to it. those data. Service providers told him they started providing the requested information in 2021.
In 2000, the government set up the Telecommunications Authority, “to carry out regulatory and supervisory functions in the electronic communications sector”. The agency was restructured in 2008, taking on a new name: the Information and Communication Technology Authority. It falls under the Department of Transportation and Infrastructure.
In 2016, following the failed coup attempt, Turkey shut down the Department of Telecommunications and Communications (TİB) – Turkey’s main internet censor – and handed over all its authority to the BTK.
The TİB was established in 2005 with the main purpose of centralizing, “from a single unit, the monitoring of communications and the execution of communications interception warrants subject to Laws No. 2559 (Law on Duties and powers of the police), No. 2803 (Law on the organization, duties and powers of the gendarmerie), No. 2937 (Law on the State intelligence services and the national intelligence organization) and No. ° 5271 (Criminal Procedure Law).
In the aftermath of the coup, authorities claimed that “TİB was used as a hub for FETÖ [The Fethullah Gulen Terrorist Organisation] for surveillance and wiretap purposes.
As such, with the new powers, BTK transitioned from a regulatory body to an authority with supervisory powers that included “the power to take any action it deems necessary to maintain” national security and the public order ; preventing crime; protect public health and public morals; or protect rights and freedoms and inform operators, access providers, data centers, hosts and content providers of said measure, who must then act within two hours.
In the same year authorities shut down TİB, the country passed Personal Data Protection Law No. 6698, which prohibited the processing or storage of personal data without the consent of the subject. However, according to the exceptions to the law, this data could be processed and stored if it were a matter of national security. As such, the law specifies, in the “processing of personal data in the context of prevention, protection and intelligence activities carried out by public institutions and bodies duly authorized and assigned to the maintenance of national defence, national security, public security, public order, or economic security”, the data protection law does not apply. In addition, three new Executive Orders – 670, 671 and 680 – allowed the interception of all Internet data, without court order or supervision, of individuals allegedly linked to the coup.
“Many of you remember the mass surveillance scandal that former NSA employee Edward Snowden made public in 2013,” wrote Onursal Adiguzel of the opposition Republican People’s Party (CH) in a series of tweets. June 8. “BTK has been doing something similar for a while. BTK’s president requested the log records and “publish-subscribe pattern from 313 ISPs through a ‘confidential’ letter,” he revealed.
In an opinion piece, Adiguzel described the act as “the biggest eavesdropping scandal in the history of the Republic”. The MP accused the BTK of “committing a crime” and violating the country’s constitution and laws.
Professor of law and specialist in internet freedom issues in Turkey Yaman Akdeniz confirmed these allegations in a tweet. According to Akdeniz, despite a Constitutional Court ruling overriding BTK’s power to make such requests, it continued to collect user data. Akdeniz then urged parliament to pursue an investigation into BTK’s activities.
Meanwhile, Adiguzel wondered if BTK was trying to create its own version of Cambridge Analytica by collecting and analyzing behavioral data from 85 million citizens, data that can be used for mass manipulation. After all, the data collected includes national identifiers, addresses, websites visited and content consumed. Turkey is due to hold general elections in 2023 and already, as some experts have pointed out, recent legal amendments, combined with manipulation tactics used in the past, may be part of wider measures deployed by the government in power before the next vote. “A very serious preparation is underway for the election in terms of digital infrastructure. This is how I see the things that BTK has done, the changes to Law No. 5651 and the Penal Code. I believe that serious manipulations await us during the election period,” lawyer Faruk Çayır of the Alternative Computing Association told Doğu Eroğllu.
Adiguzel also noted that attempts by the opposition party to request additional information on the wiretapping scandal were rejected by parliament.
Doğu Eroğlu also mentioned parallels with the Cambridge Analytica scandal. Although the purposes for which the BTK and the authorities plan to use the information received are not yet clear, the amount of data obtained can be used for mass profiling, have political implications and be used as blackmail against influential people. , he explained.
Speaking to Eroğlu, lawyer Alper Atmaca from the Free Software Association said data obtained by BTK through ISPs can also be used as a “social filter”. “For example, you want to identify homosexuals in Turkey. You have to filter it. Very simple. Find the IP addresses that go to the servers of dating sites or dating apps specifically designed for gay people. It gives you a huge social filter.
Faruk Çayır told Eroğlu that the data could be used as a “profiling system”. “They’re going to transfer it to a third party company and then they can do the ranking and profiling when they want. They’ll create the profiles of the citizens, and on top of that they’ll just tag people who visit certain websites, no matter who is the person or what they are, and convict them,” he explained.
In 2013, when Edward Snowden exposed the mass surveillance by the NSA, he said: “I will be satisfied if the federation of secret law, unequal forgiveness and irresistible executive powers which govern the world I love are revealed. if only for a moment,” in an interview with The Guardian. Recent revelations in Turkey have exposed the extent of surveillance in the hands of Turkish executive powers, but it remains to be seen whether BTK will face any consequences for their actions.