Available in Turkish here.
As Turkey faces threats to its security and economy, the reliance of Turkey’s residents, businesses, and government services on strong encryption to keep themselves safe and protected has never been greater. It is vital that Turkish authorities both encourage and protect the use of strong, end-to-end encryption.
On October 13th 2022, the Grand National Assembly of Turkey passed legislation (the “Law”) amending several existing laws, including the Electronic Communication Law, Internet Law, the Press Law and the Turkish Penal Code. The Information and Communication Technologies Authority (BTK, in Turkish: Bilgi Teknolojileri ve İletişim Kurumu) is now tasked with drafting secondary legislation that would implement the amendments introduced in the Law. If BTK attempts to implement the surveillance and content disclosure requirements under the Electronic Communications Law for over-the-top services (OTTs) , this could have the unintended consequence of undermining the use of key cybersecurity tools including strong end-to-end encryption and the protection it brings.
The undersigned civil society organisations and companies, including members of the Global Encryption Coalition, urge the BTK to ensure that the right to secure and private communications, including end-to-end encrypted communications are protected.
The Law expands the scope of existing laws, newly requiring that all OTTs fulfill new and existing requirements. OTT services encompass a broad range of Internet-based services previously not covered by the law, including email providers, social media companies, and providers of messaging services. Among the most concerning of these possible new requirements for OTTs, is a requirement to disclose user content and traffic data. Cybersecurity experts agree, there is no way for OTTs to access the contents of their user’s end-to-end encrypted communications without drastically undermining the security and privacy of all their users. In effect, platforms offering end-to-end encryption may become inaccessible in Turkey as a result of sanctions for failing to comply with requirements that are technically impossible.
End-to-end encryption provides the strongest level of security and trust, as only the intended recipients hold the key to decrypt the message. In end-to-end encryption, no third party — including the service provider or the government — can read users’ encrypted content. If secondary legislation were to require providers of end-to-end encrypted services to disclose users’ messages in decrypted form, it would force these providers to make the impossible choice between undermining the security of their users by building vulnerabilities into their systems or leaving the Turkish market.
Creating secondary legislation that will undermine secure and private communications will not only undermine the free flow of information accessed through these encrypted platforms, but will impact the security and privacy of Turkish citizens and businesses, weakening Turkish industry. In 2018, when Australia passed a similar law undermining end-to-end encryption, the Australian tech industry lost an estimated $AUS 1 billion in current and forecast sales as well as further losses in foreign investment because of decreased trust in their products. For Turkish businesses, weakened security and privacy will make them more susceptible to corporate espionage by foreign actors. In his speech at The National Cyber Incidents Response Center, President Erdogan emphasized the importance of cybersecurity and the cybersecurity threats facing the country. This is particularly a concern for the growing Turkish defence industry, whose confidential corporate information can have not only economic but national defence ramifications.
Strong end-to-end encryption is vital to Turkey’s economic and security success. Any secondary legislation must be drafted in consultation with all stakeholders, including civil society, and must ensure that secure and private communications are not undermined, including end-to-end encryption.