by Doğu Eroğlu & translated by Leo Kendrick
The websites you visit, the people with whom you text or call on WhatsApp, your location data, and more are sent to the Information Technologies and Communications Authority (hereafter BTK) of the Ministry of Transport and Infrastructure every hour. Medyascope has obtained the documents of the mass surveillance activity that recently emerged. According to the documents, internet service providers transmit the traffic of all users connecting to the internet via computer or mobile device to the BTK every hour. This data sent to BTK is not anonymized. In other words, each data packet is sent to the institution with the identity of the user. It is still unclear how the BTK, which requests internet traffic on the grounds of “judicial and preventive measures”, will use the data of all citizens.
Mass surveillance online has been a matter of debate in Turkey since the widespread use of the internet and the legal regulations on the internet. But the biggest debates about the privacy and data privacy of communication in Turkey arose not because of internet surveillance, but due to illegal wiretapping. The Wiretapping Operation in 1999 and the 17-25 December operations in 2013 were recorded as the biggest wiretapping scandals in the country.
However, the documents obtained by Medyascope show that mass surveillance, which is much larger than previous wiretapping scandals, has been carried out by the Information Technologies and Communications Authority (BTK), which is affiliated to the Ministry of Transport and Infrastructure, for about a year and a half.
Republican People’s Party (CHP) Deputy Chairman Onursal Adıgüzel previously stated that BTK regularly requests user traffic data from internet service providers, a claim that the BTK has not disputed.
According to the 15-page documents obtained by Medyascope, dated December 15, 2020, the BTK requested internet service providers to send internet traffic records of all users to it hourly. The BTK explained in detail the format in which the data of millions of users will be recorded and how it will be sent to internet service providers in the technical detail document it sent with the letter of the institution.
The article titled ISP Traffic Log Pattern requests that user data be sent to the institution with the name and surname of the user, not anonymously.
BTK’s surveillance ensures that the institution records which websites they visit and which applications they use, along with their identities. The informatics experts interviewed by Medyascope report that by comparing the data obtained through this surveillance, it will be understood with whom users are texting or making audio-video calls on applications such as WhatsApp, Telegram, or Signal. If both of the users who are texting or calling each other from such applications receive service from internet providers in Turkey, it is quite easy to detect these two people.
The internet service providers we interviewed claim that users’ location information is among the data sent from mobile phone operators to BTK. However, Medyascope could not confirm this claim from Turkcell, Vodafone and Türk Telekom, who also offer mobile phone services.
In the document dated December 2020, there is also a warning that internet service providers who do not send users’ internet traffic data to BTK will be penalized.
The internet traffic of all users was requested by a presidential letter
The letter from BTK requesting the internet traffic of all users in Turkey, titled ISP Traffic Log Pattern and with the term ‘confidential’, was sent to internet service provider companies on 15 December 2020.
In the document, it was stated that “Our institution is obliged to fulfill the duties given within the scope of the procedures for detecting and listening to forensic communication, evaluating and recording the signal information in a timely and complete manner without causing any disruption. . . There is a need to obtain more detailed information regarding the activities taking place on the internet within the scope of forensic and preventive purposes.”
The letter sent from BTK to internet service providers bears the signature of Fethi Azaklı, who has the title of Vice President of the Authority, on behalf of the President of BTK.
Decisions made on behalf of the BTK are made by the board and executed by the executives. However, the article titled ISP Traffic Log Pattern does not refer to any board decision. On the BTK website, no similar decision made by the board is listed in the section where the board decisions are included. In other words, the letter sent to internet service providers to monitor internet traffic is not based on any decision made by the board.
It is estimated that the document labeled confidential and titled ISP Traffic Log Pattern was sent to hundreds of internet service provider companies on different dates in December 2020.
Internet service providers authorities, who spoke with Medyascope on the condition of anonymity due to BTK’s regulatory and supervisory position in the communications sector, claim that user traffic data flow from companies to BTK started as of 2021.
Turkcell, Türk Telekom and Vodafone, the three biggest internet service providers in Turkey in terms of subscriber numbers, did not respond to our questions about the data sent to BTK.
Traffic data is reported not anonymously, but with the name of the users
Mobile applications, social networking platforms such as Facebook, or services such as Google can frequently use the data they collect from their users in the marketing of products and services. However, in accordance with the personal data protection laws in force in Turkey and around the world, these data are masked in a way that prevents the identification of data subjects. In other words, the ties between the collected data and real people are broken.
This is not the case in the hourly data obtained by BTK from internet service. In other words, all incoming traffic information is recorded together with the identities of the users, without anonymizing the data.
Each line starts with the name of the subscriber in the traffic records, transmitted to the BTK by the Internet service providers.
Each line of traffic in packets sent to BTK by ISPs every hour looks like this:
Subscriber’s name-surname@Service provider | Subscriber’s IP number | Private Port | Real IP | real port start | real port ending | Traffic start date [Day-month-year-hour-minute-second] | Traffic duration [How long the connection lasts, in seconds] | Destination IP | Destination port | App protocol [If a connection is established for an application, the name of the application is written here, if a connection to a website is made, the address of the site is written. Example: WhatsApp or medyascope.com] | Network protocol | Amount downloaded [Amount of downloaded data in bytes] | Amount uploaded [Amount in bytes of data sent] | Connection PVC | Session ID | SSG IP | NAT device | DPI device | termination cause | Packet type | direction
In other words, in each line of the traffic records going to BTK;
- Name and surname of the subscriber (if it is a legal entity, the official name),
- The IP number that the subscriber is currently using,
- With which application or website it exchanges data,
- The start date and time of the relevant data exchange, how long the data exchange takes,
- How much data it receives and how much data it sends such as information.
The traffic data requested by BTK from internet service providers does not contain information about the content of e-mails or messages sent from WhatsApp or other applications. However, all of the informatics experts we consulted stated that because data is collected throughout Turkey, the individuals involved in a given correspondence can be understood using this big data.
The first pillar of “intel” data collection was the subscriber pattern
Before BTK started collecting traffic data, it started to obtain detailed information about internet subscribers from internet service providers under the name of subscriber pattern.
BTK, which sent a document called Subscriber Pattern Structure to the operators on 4 December 2018, requested that subscriber files, including the following personal information of internet users, be shared:
- Subscriber name-surname
- T.R. Identity and passport numbers, tax and MERSIS numbers
- Gender and nationality
- Mother’s and father’s name and mother’s maiden name
- Birth place and date
- ID volume, file, page number, ID serial number and the place where the ID was issued
- Subscriber’s address
- Subscriber’s old mobile phone number
The BTK also stipulated that the files containing the updated versions of this personal information should be sent back to it on the first day of each month.
In other words, BTK, which began to collect the personal data of all internet users in Turkey with the Subscriber Pattern Structure article in 2018, added the information it has about the subscribers to the user data it keeps in its archive with the ISP Traffic Log Pattern article in 2020.
The information in the files (file containing identity, profession, address) kept by BTK about subscribers is updated with data from internet service providers on the first day of every month.
Internet traffic of subscribers is sent to BTK by internet service providers every hour.
What will BTK do with the data it collects?
According to the Turkish Electronic Communications Industry Quarterly Market Data Report prepared by BTK for the first quarter of 2022, the number of internet subscribers in Turkey is approximately 89 million (88,847,744). 70 million of internet users are connected to the internet from their mobile devices, while the rest are connected to the internet via fixed services. The document published by Medyascope shows that the BTK collected hourly internet traffic data of each of the 89 million users, along with the identity information of the subscribers.
So, what does BTK do with this data?
In the remaining parts of Medyascope’s five-part research series,
- How can the data collected by BTK be used? Possibilities of intelligence interception, profiling, blackmail, and political manipulation,
- The fate of the surveillance initiatives carried out by the BTK before, the general structure of the broadband market of the BTK, what kind of group is under the control of the data sent to the BTK?
- What does internet traffic data going to BTK say about users?
- Is judicial remedy open to mass surveillance? Users protect their privacy
Research series glossary:
BTK: Information Technologies and Communications Authority. Operates under the Ministry of Transport and Infrastructure. One of the 11 regulatory and supervisory boards in Turkey. Some other publicly recognized supreme boards include the BRSA (Banking Regulation and Supervision Agency), SPK (Capital Markets Board), RTÜK (Radio Television Supreme Council), EMRA (Energy Market Regulatory Authority), Competition Authority and KIK (Public Procurement Authority). .
BTK-gate: Before the presidential elections in the USA in 1972, five people who entered the office of the Democratic Party in the Watergate building were caught trying to insert listening devices into the phones of the Democratic Party. The incident turned into a huge scandal when it was understood that the Republican Party and President Nixon administration had directed the five people who entered the Watergate building. The Watergate building, where the Democratic Party office is located, became the name of the scandal. From this date on, the world press began to add the suffix -gate, with reference to corruption and illegal wiretapping-surveillance scandals or major leaks, the Watergate scandal. For example, the incident in which Wikileaks leaked the US State Department correspondence was called Cablegate, and after the bribes that Nokia gave to ISIS were revealed, it was referred to as Nokiagate. In Turkey, the events that emerged with the shooting of former Emlak Bank General Manager Engin Civan, revealing the bribery network involving politics, the business world and the mafia, were also called Civangate. Based on this tradition, Medyascope labeled this event as BTK-gate, which showed that BTK massively spied on the entire society without any legal regulation.
ISP: Internet service provider. In the simplest definition, organizations that provide internet service to users can be described as ISPs. For example, when a citizen receives a monthly internet subscription service from Türksat to use the internet at his fixed address, Türksat performs an ISP service. Citizens also use the internet on their mobile devices through the telecommunication companies they receive service from. In this case, companies such as Turkcell, Vodafone and Türk Telekom, which offer mobile phone lines and connected services to their customers, also qualify as ISPs because they also provide internet access to their subscribers.
IP: Internet protocol. The unique address of devices on the Internet or local network. It consists of sequences of numbers separated by dots (Example: 192.168.1.1). These strings of numbers are often called IP addresses.
Dynamic IP: The IP address assigned to a device by the ISP when it connects to the internet. Unless a device is assigned a static or fixed IP, the device’s IP address changes every time it connects to the internet.
Static IP: Fixed or private IP address. Generally, servers, i.e. places that internet users frequently access, are assigned a static IP, thus facilitating communication from other devices to these servers. Unless the ISP changes it, devices with a static IP will have the same IP address every time they connect to the internet.
Application or app: Application. Software designed to perform certain functions, especially on mobile devices. Without needing to communicate with any address through an internet browser, applications can communicate with some addresses, either continuously or at the request of the users.
User internet traffic: All data exchanges made by an internet-connected device (computer or mobile device) over its connection. For example, websites that a computer or mobile phone visits via an internet browser (Firefox, Chrome, etc.), data exchanges over applications (Spotify, mobile bank applications, etc.) constitute a user’s internet traffic.
Log: System log. When a user’s internet traffic is recorded at certain periods (hourly, daily or weekly), this document consisting of user internet traffic records is called log. The logs sent to BTK by ISPs contain one hour of user internet traffic. With the amendment made in Law No. 5651 in 2020, ISPs were obliged to keep the internet traffic they provide to their subscribers for up to two years.