by Dr. Yasir Gökce
Cambridge Analytica, a former British political consulting firm, illegally acquired personal data about Facebook users starting from 2013 and exploited them for disinformation campaigns, social media branding and voter targeting, including the ones employed in Trump‘s digital campaign in 2016, which has gone down in history as the Cambridge Analytica Scandal. A current revelation on the involvement of the Turkish authority for information and communication technologies (BTK) in bulk collection of telecommunication data on Turkish citizens indicates a Turkish-style Cambridge Analytica Scandal in the making.
According to a tweet tread by Onursal Adıgüzel, the vice president of the main opposition party (CHP), the BTK has long been retrieving personal data and communications metadata from internet service providers (ISP), including the big three providers, under the pretext of ‘national security’. A ‘confidential’ communique circulated to 313 ISPs by the BTK orders them to send ‘subscription textures’ once every hour.
Among the data encompassed by the subscription texture are name, ID number, date of place and birth, tax number, address, occupation, GSM numbers used for activation, log records, use of VPN, details of network technology used, network ports and protocols used, IP addresses occupied, and websites visited along with the duration of visit.
Documents shared by Mr Adıgüzel
The bulk and indiscriminate collection of personal and communications data points out to the scale of surveillance programs that the Erdogan government has initiated against Turkish citizens. The acquisition of these information literally enables the government to establish an illegitimate sovereignty and control over the digital presence of Turkish citizens. GSM numbers used for activation could be used to capture social media accounts of citizens critical to the government as it has turned out to be the case according to a video post by journalist Cevheri Güven. Likewise, the Erdogan government is very likely to have used the internet traffic (VPN, IP addresses, websites etc.) to profile the Turkish citizens based on their political views. Last but not the least, details on network technology (components, ports, protocols etc.) are convenient info that a hacker would mostly likely target to infiltrate in the information systems of victims.
This bulk collection of data by the BTK and the real perpetrator behind it –the Erdogan government– is featured as the Turkish-style Cambridge Analytica Scandal in the introduction due to similarities between the two incidents in terms of the purpose for which bulk data have been obtained. Owing to the amassed data, Cambridge Analytica Ltd. identified and profiled the personalities of American voters, exploited their social media activities, and influence their political behavior by exposing them targeted contents. Likewise, as the 2023 presidential election is nearing and as Erdogan is increasingly losing ground due to the rising economic crises, he seems to be looking ways, using almost all means at his disposal, to influence Turkish electorate, the considerable majority of whom have switched to social media as an alternative news source in the face of the dominance of Erdogan over traditional media. That said, the draft bill presented by the Erdogan government to “fight disinformation and fake news” aims to generate a chilling effect for those posing critical on social media as the bill paves the way for sanctions regarding social media posts that are decided by courts to have been produced to spread fake news and disinformation.
It is fair here to ask what is problematic with appealing to the voters using social media. Although the digital campaign run by the Erdogan government seems innocent in that sense, the means employed to achieve the end is highly problematic. Apparently, this wide range of information has been acquired in flagrant violation of privacy rights and without any regard to due process. Upon a parliamentary question posed by Mr. Adıgüzel, the practice of the BTK was justified, although poorly, by the Minister of Communications with reference to the ‘national security’ and ‘combatting against crime’. In a court proceeding initiated by an ISP against the communique in question, the BTK defended itself arguing that “the communique might interfere with human rights, but the intervention serves a legitimate constitutional purpose of combatting against crime”.
From a legal point of view, justifying such an intensive interference with human rights associated with personal and communications data is not as easy as advanced by the BTK and the Minister. Some of the data obtained by the BTK are of a private-communication nature, the interception of which is regulated by Article 135 of Code of Criminal Procedure. Accordingly, the foremost of the prerequisites prescribed in the article is the existence of a judge decision, which is apparently missing in the case at hand. Furthermore, for such practice, the BTK must have demonstrated that there are already-launched investigations/prosecutions namely against 85 million Turkish citizens as well as strong grounds of suspicion indicating their commission of crime.
It is worthwhile to note that the BTK practice cannot also be justified as preventive policing which is regulated under the Law no. 2559 on Police Duty and Authority and the Law no. 2937 Founding the National Intelligence Service. Article 7 and article 6(2) of the respective laws allow those institutions to perform interception of private communication and correspondence as preventive measures provided that a judge has so decided for the purpose of the prevention of disorder or crime. Under the probable reasoning of the invocation of these articles for justification, the BTK still fails to underpin its communique with the presence of a judge decision to that end.
As for the personal-data character of the obtained information, both international human rights law governing privacy and the law no. 6698 on the protection of personal data prohibits this intrusive practice by the BTK. Both envisage that the personal data may be collected, transferred, stored, or otherwise processed, either upon consent by the data subjects or when explicitly permitted by law. It is safe here to argue that the BTK has failed to obtain the respective consents of 85 million Turkish citizens, nor did it furnish an excerpt from the law permitting such practice.
The Judgment pronounced by the European Court of Human Right in the case of Ekimdzhiev and Others v. Bulgaria (70078/12) also sheds light on what the international human rights law on privacy envisages on this matter. In its ruling, the Court establishes the following findings:
- Mere storing of data relating to someone’s private life amounts to interference with the right to respect for “private life”,
- All types of communications data –subscriber, traffic and location data– can relate, alone or in combination, to the “private life” of those concerned,
- Retention amounts to interference with the right to respect for correspondence,
- Access by the authorities to the retained communications data constitutes a further interference with right to respect for one’s private life and one’s communications under Article 8 of the Convention,
- The general retention of communications data by communications service providers and its access by the authorities in individual cases must be accompanied, mutatis mutandis, by the same safeguards prescribed for secret surveillance,
- Safeguard system must contain effective guarantees –especially review and oversight mechanisms – which protect against the inherent risk of abuse and which ensures the interference to be restricted to what is “necessary in a democratic society”. Furthermore, effective safeguards must not be only prescribed in laws, but also adhered to in their evidenced actual operation.
Applying the findings above to the Turkish laws regulating data privacy, the laws fail to fulfill the criteria stemming from those findings as they fall far from providing effective safeguards and preventing arbitrary interference.
All in all, all stakeholders in Turkey, be it opposition parties, human rights NGOs, or any Turkish citizen concerned with the decline of fundamental rights in the country, should be well-aware that the bulk and indiscriminate collection of personal and communications data by the Erdogan government is illegal and illegitimate under the domestic and international law. With the conscientiousness distilled by this awareness, they should be vigilant in protecting their basic rights. They should hold responsible any entities involved in this violation, ranging from the BTK, or its accomplices such as ISPs or content analyzers/providers who turn the data into individually targeted contents. To uphold the justice, they should also make use of all domestic and transnational remedies, including data protection authorities, ombudsmanship, courts, and other international judicial/semi-judicial mechanisms. Last but not the least, they should use their social media platforms and digital systems responsibly and with utmost attention to security principles.
Dr. Yasir Gökce is a legal expert and information security consultant with over ten years of experience. He is a Harvard University alumni and former legal counsel to the Turkish Ministry of Foreign Affairs. He has specialized on cyber security, information security risks, privacy and data protection law (GDPR), IT law.