Turkey: Protect end-to-end encrypted services

As Turkey faces threats to its security and economy, the reliance of the country’s residents, businesses, and government services on strong encryption to keep themselves safe and protected has never been greater. It is vital that Turkish authorities both encourage and protect the use of strong, end-to-end encryption.

On 13 October 2022, the Grand National Assembly of Turkey passed legislation (the ‘Law’) amending several existing laws, including the Electronic Communication Law¹ Article 51/2 of the Electronic Communications Law states that electronic communications are private and cannot be listened to, recorded, stored, intercepted or tracked unless it is required by legislation or a court order. The new amendments have made OTTs subject to the Electronic Communications Law; however, how this provision will be applied to OTTs is to be clarified by secondary legislation by the BTK. , the Internet Law, the Press Law and the Turkish Penal Code. The Information and Communication Technologies Authority (BTK, in Turkish, Bilgi Teknolojileri ve İletişim Kurumu) is now tasked with drafting secondary legislation that would implement the amendments introduced in the Law. If BTK attempts to implement the surveillance and content disclosure requirements under the Electronic Communications Law for over-the-top services (OTTs), this could have the unintended consequence of undermining the use of key cybersecurity tools, including strong end-to-end encryption and the protection it brings.

The undersigned civil society organisations and companies, including members of the Global Encryption Coalition,² With over 300 members distributed across every region of the world, the Global Encryption Coalition promotes and defends encryption in key countries and multilateral fora where it is under threat. It also supports efforts by companies to offer encrypted services to their users. https://www.globalencryption.org/ urge the BTK to ensure that the right to secure and private communications, including end-to-end encrypted communications, are protected.

The Law expands the scope of existing laws, newly requiring that all OTTs fulfil new and existing requirements. OTT services encompass a broad range of internet-based services previously not covered by the Law, including email providers, social media companies, and providers of messaging services. Among the most concerning of these possible new requirements for OTTs, is a requirement to disclose user content and traffic data. Cybersecurity experts agree, there is no way for OTTs to access the contents of their users’ end-to-end encrypted communications without drastically undermining the security and privacy of all their users.³ https://academic.oup.com/cybersecurity/article/1/1/69/2367066?login=false In effect, platforms offering end-to-end encryption may become inaccessible in Turkey as a result of sanctions for failing to comply with requirements that are technically impossible.  

End-to-end encryption provides the strongest level of security and trust, as only the intended recipients hold the key to decrypt the message. In end-to-end encryption, no third party – including the service provider or the government – can read users’ encrypted content. If secondary legislation were to require providers of end-to-end encrypted services to disclose users’ messages in decrypted form, it would force these providers to make the impossible choice between undermining the security of their users by building vulnerabilities into their systems or leaving the Turkish market.

Creating secondary legislation that will undermine secure and private communications will not only undermine the free flow of information accessed through these encrypted platforms but will impact the security and privacy of Turkish citizens and businesses, weakening Turkish industry. In 2018, when Australia passed a similar law undermining end-to-end encryption, the Australian tech industry lost an estimated $AUS 1 billion in current and forecast sales, as well as further losses in foreign investment because of decreased trust in their products.⁴https://www.internetsociety.org/news/press-releases/2021/new-study-finds-australias-tola-law-poses-long-term-risks-to-australian-economy/ For Turkish businesses, weakened security and privacy will make them more susceptible to corporate espionage by foreign actors. In his speech at The National Cyber ​​Incidents Response Center, President Erdogan emphasised the importance of cybersecurity and the cybersecurity threats facing the country.⁵https://www.btk.gov.tr/haberler/cumhurbaskani-erdogan-yerli-5g-teknolojisi-altyapisini-kurmadan-5g-ye-gecemeyiz This is particularly a concern for the growing Turkish defence industry,⁶https://www.defensenews.com/top-100/2022/08/08/turkeys-defense-industry-eyes-export-expansion-as-government-navigates-geopolitical-stage/ whose confidential corporate information can have not only economic but national defence ramifications.

Strong end-to-end encryption is vital to Turkey’s economic and security success. Any secondary legislation must be drafted in consultation with all stakeholders, including civil society, and must ensure that secure and private communications are not undermined, including end-to-end encryption.

Signed

Access Now

Africa Media and Information Technology Initiative (AfriMITI)

ARTICLE 19

Associação Portuguesa para a Segurança da Informação (AP2SI)

Betapersei SC

Cartoonists Rights Network International

Coalition For Women In Journalism (CFWIJ)

Center for Law and Society – University of San Andres, Buenos Aires, Argentina

Centre for Democracy and Technology

Collaboration on International ICT Policy for East and Southern Africa (CIPESA)

Committee to Protect Journalists (CPJ)

European Centre for Press and Media Freedom (ECPMF)

Ikigai Innovation Initiative

Internet Society

Internet Society Ghana Chapter

Mailfence.com

Nameshop

Osservatorio Balcani Caucaso Transeuropa

OpenMedia

OPTF Ltd

PEN America

PEN Norway

Riana Pfefferkorn, Research Scholar, Stanford Internet Observatory

SecureCrypt

Superbloom

South East Europe Media Organisation (SEEMO)

Tutanota

Platform for Independent Journalism (P24)

• 1
  Article 51/2 of the Electronic Communications Law states that electronic communications are private and cannot be listened to, recorded, stored, intercepted or tracked unless it is required by legislation or a court order. The new amendments have made OTTs subject to the Electronic Communications Law; however, how this provision will be applied to OTTs is to be clarified by secondary legislation by the BTK.
• 2
  With over 300 members distributed across every region of the world, the Global Encryption Coalition promotes and defends encryption in key countries and multilateral fora where it is under threat. It also supports efforts by companies to offer encrypted services to their users. https://www.globalencryption.org/
• 3
  https://academic.oup.com/cybersecurity/article/1/1/69/2367066?login=false
• 4
  https://www.internetsociety.org/news/press-releases/2021/new-study-finds-australias-tola-law-poses-long-term-risks-to-australian-economy/
• 5
  https://www.btk.gov.tr/haberler/cumhurbaskani-erdogan-yerli-5g-teknolojisi-altyapisini-kurmadan-5g-ye-gecemeyiz
• 6
  https://www.defensenews.com/top-100/2022/08/08/turkeys-defense-industry-eyes-export-expansion-as-government-navigates-geopolitical-stage/