For almost two years, the Telecommunications and Information Technology Authority, a Turkish ministerial body, has been requesting from Internet service providers the metadata of all their customers' traffic. This mass surveillance operation was revealed by an investigation by journalist Dogu Eroglu.
An investigation by journalist Dogu Eroglu for the Turkish portal Medyascope reveals the documents whereby, as of December 2020, the Telecommunications and Information Technology Authority (BTK), which is dependent on the Ministry of Transport and Infrastructure, requested from 313 Internet service providers (ISPs) logs of all their customer traffic. Hourly.
The metadata collected do not concern the content of communications, as long as they are protected by encryption, but rather the how, when, and where a certain exchange takes place. They involve all the traffic carried out via computers and mobile devices by about 88 million users for the last 18 months: the websites they consulted, the messaging applications they used, the IP addresses involved, which can be matched to a geolocation and a physical address, the date and time of the start and end of each exchange, the amount of data exchanged, but also the possible use of VPNs – software solutions widely used in Turkey to circumvent censorship and partially protect one's anonymity online. Each log is accompanied by name and surname, thus making it possible to trace, almost in real time, the digital habits and social contacts of each citizen. 11 terabytes of data collected daily by BTK, according to the documents analysed. A huge amount.
Metadata are often an even more valuable source than the content itself. They help to profile each citizen, especially if aggregated with other data. Back in 2018, BTK had asked suppliers to forward personal data relating to each user to the authority: not only name and surname, date of birth, tax code, but also profession, registration in chambers of commerce for legal persons, passport number, name of parents, current and previous telephone numbers. The ISPs, over 200 gathered under a common association, opposed this request in court, with a judgment that has not yet been pronounced. They fear that consenting to BTK's requests will result in a violation of the duty of confidentiality, established by the law on the protection of personal data.
"But in the case of data traffic logs, ISPs fear even more that disobeying means economic retaliation by the authority they depend on for market access", Eroglu explains.
A mass surveillance, preventive and indiscriminate, which produces an enormous mass of data that is set aside because it could be useful in the future. But for what? “We know nothing of the specific purposes of this data collection”, continues Eroglu. Much less information exists on how information is stored, with whom it is shared, who has access to it, who is responsible for its supervision. "This is the next step in this investigation".
According to Republican MP Onursal Adiguzel, who had already begun to shed light on the BTK scandal in a series of Tweets last June, one of the confidential letters that the authority sent to suppliers speaks of "obtaining more detailed information regarding the activities that take place on the Internet in the context of forensic and preventive purposes".
The construction of one or more datasets linked to this data collection can meet various needs, ranging from statistical analysis to intelligence collection. But some also argue that "the revelation that a government agency is collecting data from all Turkish Internet users brings the Cambridge Analytica scandal to mind", said Yasir Gokce, cyber security legal expert and information security consultant, to the newspaper Ahval. According to Gokce, these data can be used for profiling and political marketing campaigns in view of the next elections in 2023.
"There have been suspicions about mass surveillance activity for years", continues Eroglu. Today we know at least in part how this happens, for what has already been baptised the BTK-gate.
"A completely illegal activity", says Eroglu, which would simultaneously violate the data protection law No. 6698, the articles of the criminal code such as 135, which provide for cases of acquisition of personal data by the public authority, and article 20 of the constitution which protects the right to privacy.
In the background there is law 5651, the so-called "Internet Law", which in articles 6 and 10 defines the duties of ISPs regarding the retention of user data (between a minimum of six months and a maximum of two years), their transmission to the authorities, the collaboration between ISPs and authorities in the field of national cybersecurity, and sanctions for non-compliance. ISPs are also obliged to protect the confidentiality of information, and this is where one of the profiles of illegality with respect to the non-anonymised information that BTK has requested may reside.
“Also because such data requests must be supported by a request from a judge”, concludes Eroglu, thus highlighting one of the most critical aspects of the BTK-gate scandal: the total absence of judicial supervision. In fact, "all citizens are treated as potential culprits", continues Adiguzel, so much for the presumption of innocence.
A scandal born of a rampant political culture, which unfortunately does not belong only to Turkey, and which since 11 September 2001 has promoted an approach to the issue of security that is inextricably linked to pervasive control, in real time, preventive, and sometimes even predictive, of all citizens.
This publication has been produced within the DJAS project, supported in part by a grant from the Foundation Open Society Institute in cooperation with the OSIFE of the Open Society Foundations. The contents of this publication are the sole responsibility of Osservatorio Balcani Caucaso Transeuropa.
This project has received funding from the European Union’s Horizon 2020 research and innovation programme under the Marie Skłodowska-Curie grant agreement No 765140.