Internet Fragmentation > Turkey’s ‘Censorship Law’

A Backdoor for Law Enforcement Can Let the Bad Guys in Too

Region: Europe
Threat type: Blocking Security Technologies
Last updated: 1 December 2023

Turkey threatens its own security by requiring user data on encrypted platforms.

In October 2022, the Turkish legislature passed new legislation that amends several existing laws–including the Internet Law, the Press Law and the Turkish Penal Code. This new law–dubbed the ‘censorship law’–expands the scope of the Internet Law, the Press Law and the Turkish Penal Code to cover Internet-based services, that include email, streaming, and messaging services. In common parlance, they are referred to as ‘OTT services’.

One of the most troubling new requirements introduced through this law is a requirement for Internet-based services to remove online content and disclose user data to the government. There is also secondary legislation, which is used as a way to interpret and implement this law. If providers are required to disclose users’ messages on end-to-end encrypted services, such services will need to build vulnerabilities into their systems, in order to decrypt what should be private traffic and messages. This law could force them to undermine the security of their users in order to comply.

This means that service providers would have to make an impossible choice: should they undermine their users’ security and privacy, or leave the Turkish market? Some services would choose to leave, rather than break end-to-end encryption on their platforms. They might even geo-block Turkish users from accessing their services.

The result would be that only less-secure services would be available to users in Turkey, and the privacy and security of those users would be undermined. They would not have a secure and encrypted option to choose. This would put marginalized users and communities at even greater risk, since they have an added reliance on secure and private communications. This could lead to self-censorship or even put people at risk of physical violence.

Status

The law was passed in October 2022 in the Grand National Assembly of Turkey. The Information and Communication Technologies Authority (BTK, in Turkish: Bilgi Teknolojileri ve İletişim Kurumu) is now tasked with drafting this secondary legislation that would actually implement the new amendments that are part of this law. If they try to implement the surveillance and content disclosure requirements for Internet-based services, this could undermine the use of key cybersecurity tools. Without strong end-to-end encryption, users of these services would be less protected, if the services don’t leave Turkey entirely.

Our Position

Strong end-to-end encryption is vital to Turkey’s economic and security success. Any secondary legislation must be drafted in consultation with all stakeholders, including civil society, and must ensure that secure and private communications are not undermined, including end-to-end encryption.

Green background with patterns

Talking Points

  • End-to-end encryption is the strongest form of encryption available, and ensures our safety, security, and privacy.
  • Turkey’s recent amendment package compels Internet-based service providers including email and messaging that provide end-to-end encryption to undermine security for their users and disclose user data to the Turkish government.
  • There is no way for only the government to have access to encrypted data–this vulnerability in the technology gives bad actors a chance to gain access too.
  • It may be the case that end-to-end encrypted services leave the Turkish market, leaving only less-secure services available to users in the country. They would not have a secure and encrypted option to choose. This would put marginalized users and communities at even greater risk.