Under BTK's eye: investigation reveals Turkey's information and communication authority has been collecting private user data for over a year

Image by Chris Yang. Free to use under Unsplash license.

On July 21, 2022, an online news platform Medyascope.tv published an investigation revealing how Bilgi Teknolojileri ve İletişim Kurumu (Information and Communication Technologies Authority, BTK) has been collecting private user data in a massive breach of user privacy that began in 2021. The story confirmed what Onursal Adiguzel, the vice president of the main opposition Republican People (CH) party, shared in a series of tweets a little over a month ago.

The investigation, by journalist Doğu Eroğlu, says the BTK started collecting information about internet subscribers from ISPs on a monthly basis in December 2018. This collected data included subscribers’ “names, last names; ID, tax and central registry (MERSIS) numbers; gender and nationalities; parents’ names; birth places and dates; occupations; addresses; and old mobile numbers.”

In December 2020, in a confidential letter, signed by VP Fethi Azakli, BTK asked local internet service providers and mobile operators for “internet traffic of all users in Turkey” on an hourly basis. In the event ISPs refused to provide this information, BTK warned they would be penalized.

The letter claimed that BTK, was “tasked with detecting, monitoring, evaluating, and recording data for legal purposes in a timely and non-disruptive manner. There is a need to obtain more detailed information regarding the activities taking place on the Internet within the scope of forensic and preventive purposes.”

In an interview with Medyascope.tv, Doğu Eroğlu said there was no information on where this mass data was being stored, the period the users’ private information was stored for, or which third parties had access to this data. The service providers told him that they first started delivering requested information in 2021.

BTK and its powers

In 2000, the government set up the Telecommunications Authority, “to perform the regulatory and supervision duties in the electronic communication sector.” The agency was restructured in 2008, taking on a new name: the Information and Communication Technologies Authority. It operates under the Ministry of Transport and Infrastructure.

In 2016, following the failed coup attempt, Turkey shut down the Department of Telecommunications and Communications (TİB) — Turkey’s leading internet censor — and handed all of its authority to the BTK.

TİB was set up in 2005 with the main purpose of centralizing, “from a single unit, the surveillance of communications and execution of interception of communications warrants subject to laws No. 2559 (Law on the Duties and Powers of Police), No. 2803 (Law on the Organisation, Duties, and Powers of Gendarmerie), No. 2937 (Law on State Intelligence Services and National Intelligence Organisation), and No. 5271 (Criminal Procedural Act).”

In the aftermath of the coup, the authorities claimed that “TİB was used as a hub for FETÖ [The Fethullah Gulen Terrorist Organisation] for surveillance and wiretapping purposes.”

As such, with the new powers, BTK went from being a regulatory body to an authority with surveillance powers that included, “the authority to take any measure it deems necessary to uphold ‘national security and public order; prevent crime; protect public health and public morals; or protect the rights and freedoms’ and inform operators, access providers, data centers, hosting providers and content providers of the said measure, who then need to take action within two hours.”

The same year authorities shut down TİB, the country adopted Law No. 6698 on the Protection of Personal Data, which prohibited the processing or storage of personal data without consent from the subject. However, according to exceptions to the law, this data could be processed and stored if it was a matter of national security. As such, the law states, in the “processing of personal data within the scope of preventive, protective, and intelligence activities carried out by public institutions and organizations duly authorized and assigned to maintain national defence, national security, public security, public order, or economic security,” the Data Protection Law shall not apply. In addition, three new decree laws – 670, 671, and 680 – allowed interception of any internet data, without a court order or supervision, of individuals allegedly linked to the coup.

Parallels to Snowden revelations and Cambridge Analytica scandal

“Many of you remember the mass surveillance scandal former NSA employee, Edward Snowden made public in 2013,” wrote Onursal Adiguzel from the opposition Republican People (CH) party in a series of tweets on June 8. “BTK has been carrying out something similar for a while. The President of BTK requested the log records and ‘publish-subscribe pattern from 313 internet service providers through a ‘confidential’ letter,” he revealed.

In an opinion piece Adiguzel described the act as “the biggest tapping scandal in the history of the Republic.” The MP accused the BTK of “committing a crime” and violating the country's constitution and laws.

Professor of law and expert on internet freedom issues in Turkey Yaman Akdeniz confirmed these allegations in a tweet. According Akdeniz, despite there being a decision by the constitutional court cancelling the BTK's authority to make these requests, it continued to collect user data. Akdeniz then urged the parliament to pursue an investigation into BTK's activities.

In the meantime, Adiguzel wondered whether BTK was trying to create its own version of Cambridge Analytica by collecting and analyzing the behavioral data of 85 million citizens, data that can be used for mass manipulation. After all, the collected data includes national IDs, addresses, websites visited, and the content consumed. Turkey is scheduled to hold general elections in 2023 and already, as pointed out by some experts, recent legal amendments, combined with manipulation tactics used in the past, can be part of broader measures deployed by the ruling government ahead of the upcoming vote. “A very serious preparation is being made for the election in terms of digital infrastructures. This is how I see the things that BTK has done, the changes in the Law No. 5651 and the Penal Code. I believe that serious manipulation awaits us during the election period,” lawyer Faruk Çayır from the Alternative Informatics Association told Doğu Eroğllu.

Adiguzel also noted that the attempts by the opposition party to request further information into the tapping scandal were denied by the parliament.

Doğu Eroğlu also mentioned parallels to the Cambridge Analytica scandal. While the ends to which the BTK and the authorities plan to use the received information may not be clear yet, the amount of data obtained can be used for mass profiling, have political implications, and be used as blackmail against influential people, he explained.

Speaking to Eroğlu, lawyer Alper Atmaca from the Free Software Association said that the data obtained by BTK through ISPs can also be used as a “social filter.” “For example, you want to identify homosexuals in Turkey. You have to filter it. Very simple. Find the IP addresses that go to the servers of dating sites or dating applications that are specially prepared for homosexual individuals. This gives you a huge social filter.”

Faruk Çayır told Eroğlu the data can be used as “profiling system.” “They will transfer it to a third company and then be able to do the filing and profiling whenever they want. They will create the profiles of the citizens, and on top of that, they will simply tag people who visit certain websites, regardless of who the person is or what they are, and declare them guilty,” he explained.

In 2013, when Edward Snowden revealed the mass surveillance by NSA, he said, “I will be satisfied if the federation of secret law, unequal pardon and irresistible executive powers that rule the world that I love are revealed even for an instant,” in an interview with The Guardian. The recent revelations, in Turkey exposed the extent of surveillance in the hands of Turkish executive powers, but whether BTK will face any consequences for its actions is yet to be seen.


Please visit the project page for more pieces from the Unfreedom Monitor.

 

Start the conversation

Authors, please log in »

Guidelines

  • All comments are reviewed by a moderator. Do not submit your comment more than once or it may be identified as spam.
  • Please treat others with respect. Comments containing hate speech, obscenity, and personal attacks will not be approved.