How personal data collected with BTK-gate can be used: Profiling, blackmailing, political manipulation, and more

by Doğu Eroğlu & translated by Leo Kendrick

The websites you visit, the people you correspond with on WhatsApp, and your location data and more are sent to the Information Technologies and Communication Authority (BTK) every hour. Following Medyascope’s publishing of the first batch of documents, the BTK issued no denial regarding its data collection practices. Since the story broke, many in the public sphere have become curious about the purpose and collection of this user data. Medyascope asked the experts how the data held by the BTK could be used for profiling and political manipulation.

The documents obtained by Medyascope proved that the mass surveillance claims made last month are true. The documents show that the Information Technologies and Communications Authority (BTK), affiliated with the Ministry of Transport and Infrastructure, delivered mass surveillance instructions to internet service provider companies on December 15, 2020.

In the document titled "ISP Traffic Log Pattern" sent to the companies, BTK requested that the internet traffic of all internet users in Turkey be sent every hour. Moreover, the institution requested that the traffic data be forwarded along with the names of the users.

The documents obtained by Medyascope show that the internet data of 88 million mobile and fixed line internet subscribers are delivered to BTK every hour. The mass surveillance scandal documented by Medyascope raises an important question in everyone’s mind: What will happen to this collected data?

The second part of Medyascope’s BTK-gate research series focuses on what can be done with the user internet traffic data obtained by BTK for about a year and a half from internet service providers.

But before we turn to what can be done with the data, it is necessary to answer two questions that arose in the discussions after the publication of the first part of our BTK-gate research series:

1. Is it technically possible to collect internet traffic data of 88 million users every hour, as predicted by the BTK?

2. Does the BTK have the technical capacity to process such a large amount of data?

Collecting instantaneous data of 88 million people: “The data is gone in 10 minutes!”

After publishing the BTK-gate news, one of the most frequently asked questions by the readers who reached out to Medyascope on social media was whether it is technically possible to transmit the personal internet traffic data of 88 million users to BTK on an hourly basis.

While preparing the BTK-gate file, I had the same doubts and put this question to the internet service provider officials I interviewed.

BTK has unconditional control over the entire telecommunications industry. This ISP (Internet service provider) official, who behaved cautiously just like almost all of the telecommunication sector employees I interviewed, also answered my questions under the condition of anonymity.

“Isn’t it a laborious and technically difficult task to send all subscribers’ internet traffic to BTK?” His response: “It is enough to assign an employee at each ISP to do this job. According to Law No. 5651, we were already hiding the traffic of the subscribers we served. Now BTK wants us to send all subscriber traffic data to Ankara every hour. That data is gone in 10 minutes!”

The technical details in the document sent to the ISPs by the BTK are clear enough to assuage doubts about the feasibility of this work.

In the document titled "ISP Traffic Log Pattern", which was sent to internet service providers on December 15, 2020, it was explained that special servers should be reserved for sending traffic records to BTK. BTK described how the data would be sent to it as follows:

In other words, BTK considers it normal to receive 11 terabytes of data daily from an internet service provider. Considering that BTK requests traffic data from several hundred internet service providers, it is understandable that it expects to receive a few petabytes of data per day, that is, several million gigabytes.

In other words, ICTA’s data storage and processing capacity may be higher than originally thought.

BTK’s capacity to process huge data: “It is enough for them to submit the data to a competent company”

Another discussion is about the institutional capacity of the BTK.

Many who read the BTK-gate news commented, “I don’t think BTK has enough institutional capacity to process data of this size.”

An expert interviewed by Medyascope who works for one of the government’s security agencies disagrees. During our conversation regarding BTK’s capacity to process millions of users’ data, the expert laughed at my question, saying “BTK is omnipotent!”

All of the informatics experts that Medyascope interviewed agreed that the legal and technical infrastructure that needs to be established in order to collect this volume of data is one of the hardest parts of the job. Many also noted that once this data is collected, it is relatively easy to use.

Alper Atmaca, a lawyer from the Free Software Association, says that processing the data of a large number of citizens presents no significant technical difficulty: “Data processing is not a high-level skill. For example, going against the encryption habits of internet users is a tougher challenge, but if you have data at hand, finding 10 people to process it is not a big deal. There are a lot of international companies that do this. It is enough for them to present the data they collect to these companies.”

Echoing Mr Atmaca’s comments, Faruk Çayır, a lawyer at the Alternative Informatics Association also interviewed by Medyascope, estimates that the BTK already has a standing agreement with a company that processes and stores citizens’ data.

Onursal Adıgüzel from the main opposition Republican People’s Party (CHP) is also of the same opinion: “The biggest job is to collect data. But what do they do after collecting the data? They may be receiving support from foreign companies. If they are handing over this big data to other companies, they can do anything.”

Commercial use of ICTA data: The easiest way for financial gain is blackmail

Our personal data is frequently used by social networking platforms such as Facebook or services such as Google. The companies that provide these services make the user data they collect available to advertisers. However, data protection laws created in recent years partially prevent our personal information from being transferred directly to companies. For example, when a company that wants to advertise through Google services notifies Google about whom its brand or product appeals to, Google (without transferring personal data to the company that will advertise) brings the product and the brand to the target audience through its own platforms.

Personal data collected is very important for product advertisements to reach the target consumers. This raises the question: does BTK data have a commercial counterpart in this sense?

When I asked an experienced digital marketer who has worked with many e-commerce brands in Turkey whether the traffic data obtained by BTK would be useful for marketing, he commented that this data will likely have minimal commercial value:

“If it’s legal, brands may want to use this data. But I am not sure how it can be used in marketing other than a geo-fencing technique [To show special location-related advertising content to customers whose devices share location data. For example, sending an advertisement from a nearby shopping mall to a nearby customer] that can be performed with location information. The segmentation that brands need is already done by the channels we work with, namely Facebook, Instagram, or Google. For example, Instagram even knows which colors and tones we like. I can also ensure that the ads marketed towards us are designed in those color schemes. Why would I need the data in BTK when these channels can process all kinds of data and deliver me to my customer base? Brands are not interested in who citizens are; after delivering the product to the right person, the brands do not care about the personal information of the citizens.”

The digital marketer I interviewed stated that even if brands can access the data in BTK legally, it would be very costly and difficult to match the data sets currently used in marketing with the data accumulated in BTK, and that Google and Facebook resources meet almost all needs.

The data BTK collects may not be easily used in marketing, but is there really no way to monetize this data?

I reached out to someone with ties to the groups that managed to access the information stored in e-Devlet [Turkey’s citizen-accessible government portal] illegally, which caused a stir in Turkey in April. I asked how this data can be turned into profit if they have internet traffic records of all internet users in Turkey. After a little thinking, my interlocutor said that the only way to make money with this data is to examine people one by one and look for blackmail material.

In short, it appears that the data obtained by mass surveillance from 88 million users is not easily converted to financial gain in the short term.

The political use of data: The possibility of blackmailing and profiling

The National Security Agency (NSA) went after Edward Snowden, who brought the scandal to the press, when it was revealed in 2013 that the NSA was tracking the personal correspondence of nearly all American citizens, spying on their browser histories, and reading their emails. Although US courts have given different rulings for and against Snowden, Snowden resides outside of the US today.

But after Snowden leaked documents showing the NSA’s mass surveillance and wiretapping activities, the world community has taken the debate between national security and the right to individual privacy more seriously than in the past.

For years, it has been debated how the mass surveillance, wiretapping, and data collection exposed by Snowden could be used by governments.

It is difficult to argue that there is one primary area of use for the data that seems to have accumulated in the hands of the BTK in Turkey. However, the individuals Medyascope spoke to state that this data can be used for mass plagiarism and profiling, and blackmail.

Lawyer Alper Atmaca, from the Free Software Association, says that the collected data resembles a potential criminal record that can be processed retrospectively: “For example, you see the identities of all users who entered with a single query in the database. Nobody collects such data for nothing.”

Atmaca also summarizes how very simple queries on the database will allow filings based on sensitive personal data: “For example, you want to identify homosexuals in Turkey. You have to filter it. Very simple. Find the IP addresses that go to the servers of dating sites or dating applications that are specially prepared for homosexual individuals [author note: Since BTK data contains IP addresses and user IDs together, detecting IP addresses means identifying users’ identities]. This gives you a huge social filter!”

Blackmailing for individuals, profiling for communities

Faruk Çayır, from the Alternative Informatics Association, says that there is a high probability of a profiling system that covers all citizens: “They will transfer it to a third company and then be able to do the filing and profiling whenever they want. They will create the profiles of the citizens, and on top of that, they will simply tag people who visit certain websites, regardless of who the person is or what they are, and declare them guilty.”

Through profiling, the characteristics of communities made up of people who resemble each other can be deduced with the help of algorithms, and the reactions of these groups to certain events can become predictable. When it comes to filing, the information obtained about the citizens is somehow added either to the official records or to the unofficial information cards that certain groups can access. In this way, it may be possible for citizens to be systematically discriminated against when out in public because of the characteristics indicated on their information card. For example, these information cards may come to light, or the personal data of the persons under investigation recorded by the BTK, and the identified relationship networks, may be brought before the prosecutor’s office.

The official security employee interviewed by Medyascope also believes that the best use of the collected data would be blackmail. According to this view, collecting the data of all citizens may even be an excuse to reach the internet traffic of a small number of influential individuals: “They want it for blackmailing, what else would they want it for! Let’s say you have 70 million subscribers; 69,950,000 of them are ordinary people anyway. In fact, there are very few people that the BTK should go after. They may even have dared to say, ‘We receive the data of all subscribers, it is not a private application,’ in order to reach the data of the 50,000 people whom they really find worth following.”

An IT scientist who we spoke to on the condition of anonymity points out that as the database expands and the techniques develop, the capacity for blackmailing will increase:

“When they say ‘Bring what we have about Doğu Eroğlu!’, a file indexed according to various criteria can be extracted. Which newspapers he reads, with whom he talks on WhatsApp. Which protocol-based websites he visits, what his political view is… Firstly, this removes the tagging. Secondly, he can reach unimaginable outputs of data with the help of a little artificial intelligence. When you have a lot of data, you can do an incredible amount of blackmail.”

Lawyer Alper Atmaca from the Free Software Association warns that accusations made through association may come into play at this point:

“Let’s say for example that somebody is out to get you. Finally, at some point, something will come up that will allow them to prove that you are a terrorist. The IPs of users who do not control their information systems can connect to unimaginable places.”

Lawyer Alper Atmaca reminds us that HTS records are also used as an accusation tool through association, and says that BTK data can lead to similar results: “For example, looking at phone calls and HTS records, the prosecutor’s office says, ‘You are selling drugs, you are part of a network. Because you called or searched for one another,’ he says. What if this is my friend, maybe I met him from prison? ‘You talked too often,’ he says. There is no presumption of innocence, as the controls and guarantees on the basic judicial system in Turkey have disappeared. You have no protection when you encounter them.”

Political manipulation of elections is difficult but not impossible

One of the issues that Medyascope asked about the most is the possible impact of BTK surveillance on the upcoming 2023 elections. The possibility of using the data collected by the BTK to influence the voters, before the ballot boxes are set up for both the presidential and parliamentary elections, is a common concern of many.

Lawyer Faruk Çayır from the Alternative Informatics Association is of the opinion that both the data collected by the BTK and the recent legal regulations can be used before the upcoming 2023 elections: “A very serious preparation is being made for the election in terms of digital infrastructures. This is how I see the things that BTK has done, the changes in the Law No. 5651 and the Penal Code. I believe that serious manipulation awaits us during the election period.”

The most concrete example so far of how personal data can be used to achieve political goals has been the Cambridge Analytica scandal.

The company Cambridge Analytica, which is thought to have worked on more than 200 election campaigns, analyzed the likes and personal information of voters and calculated what type of information fed to voters would influence their voting behavior.

A simpler explanation may be useful: Cambridge Analytica algorithms learned what users liked, commented on or shared through Facebook, and then proceeded to access these users’ basic personal information. Based on this personal data, users were shown news that fit their profile in order to influence their voting behaviour in favor of a certain candidate or party.

Let our example person be Mark Zuckerberg, the founder of Facebook.

When Mark wants to use an application called “This Is Your Digital Life” on Facebook, the application allows his personal information to be accessed: what he shares on Facebook, what he likes, and his friend lists.

Mark takes the test that This Is Your Digital Life app shows him and voluntarily sends information about his psychological profile to the app, more precisely to Cambridge Analytica.

Cambridge Analytica reaches the data of hundreds of thousands of people who use the application and calculates where they fall on the political spectrum and how they will vote if they come across the news. Cambridge Analytica shows the news to these users on Facebook in a way that encourages the people it has information on to vote for a specific political party (or, if it suits the relevant political party, not to go to the ballot box). The data collection and influencing process favors whichever party is supported by Cambridge Analytica, and in doing so tries to influence the outcome of the election.

The data collected by BTK brings to mind Cambridge Analytica. But there is something missing here. Cambridge Analytica was based on the principle of revealing the psychological and political profiles of the people whose data it accessed, and showing certain types of news or posts to users. The data collected by the BTK, if analyzed correctly, contains a lot of data that will help to make inferences about the political affiliation and socio-economic status of the citizens.

BTK data is a unique treasure in this sense. However, there is no method of transmission. In other words, in the technique used by Cambridge Analytica, if the analysis made on the data and certain news and posts to be shown to the people were a bullet, the weapon that would send this bullet to the target was Facebook. Even if the data collected by the BTK were to be used for election manipulation, there would be no ready delivery method like Facebook. It is unclear how news or posts that will affect voter behavior can be conveyed to voters.

Information strategist Füsun Nebil thinks that BTK data can still be used for political manipulation, but in a more roundabout way.

According to Nebil, the personal data collected by the BTK may affect the election results, even without the introduction of a transmission method such as Facebook. Nebil said that in-depth investigations on the internet traffic data of influential people can provide blackmail material:

“What need is there to go after the whole population? It might be enough just to hunt down opinion leaders. For example, there is software on Twitter that shows who has the most domains. A person has 100 thousand followers on Twitter, but his domain is limited, his followers do not react very well to what this person writes. But the other has 10 thousand active followers, their posts are retweeted immediately. The people with the highest influence are identified, and if that person is also an opponent, you go against them. ‘Do these people have anything to blackmail? I wonder if it’s a heady thing you can manipulate?’”

Nebil cites gerrymandering as another method: in other words, the redrawing of electoral districts in a way that will provide an advantage to a certain party and increase the number of deputies of the relevant party. If the political tendencies of 88 million users can be read with the right algorithms, it may be possible to make election projections for each district or neighborhood, since location information is also accumulated in the BTK. This, in turn, may lead to the redrawing of electoral districts before the elections in a way that will lead to more positive results for the ruling government.

Lawyer Faruk Çayır also mentioned the closed TİB (Telecommunication Communications Presidency) and added: “Where the BTK will store this data, how it will be secured, which data will be kept for how long… Nothing is clear. They do not know that they will follow the AKP members. AKP administrators are making an attempt to monitor themselves. Don’t they realize that?”

In the remaining three parts of the BTK-gate research series,

  • The fate of the previous surveillance attempts of BTK, the general structure and public dominance of BTK’s broadband market, what kind of group is under the control of the data sent to BTK?
  • What does internet traffic data going to BTK say about users?
  • Is judicial remedy open to mass surveillance? Can users secure their own privacy?
