Allegations that the ‘Erdoğan leaks’ revealed sensitive and private information about women in Turkey have raised questions over data security in the country at a time when the government has stepped up the state’s powers to collect and store personal data.
Following Turkey’s attempted coup last week, WikiLeaks moved forward the publication date of controversial leaked government files it said it had acquired a week prior to the coup. It said the data was released early in response to the government’s post-coup purges.
‘We have verified the material and the source, who is not connected, in any way, to the elements behind the attempted coup, or to a rival political party or state,’ Wikileaks said in its release.
However, Zeynep Tüfekçi, a techno-sociologist at the University of North Carolina, claimed that the leak released sensitive and private information about ordinary people in Turkey rather than exposing anything relevant about those in positions of power.
In reference to how a leak of this magnitude occurred, Tüfekçi told Independent Turkey that: “Clearly, there should be better data protection. This is so clear. These files should have never been sitting there unencrypted.”
She wrote that the leak contained “spreadsheets of private, sensitive information of what happens to be every female voter” in nearly all of Turkey’s provinces. According to Tüfekçi, the databases included women’s home addresses and party affiliation. Given the current political climate, such a leak could pose a serious security threat to women. The controversial databases have since been removed from the leaks following Tüfekçi’s criticisms.
Michael Best, who claims he uploaded the data released by Phineas Fischer, another hacker, to the Internet Archive’s server, disabled the AKP hack after Tüfekçi’s article went viral.
“After the discovery of vast amounts of personal information in the release, the AKP hack on Internet Archive has been disabled,” he announced on Twitter.
“The personal data was of private citizens, and didn’t serve the public interest,” Best added.
Best also said that the files were obtained by Phineas Fisher. Fischer gave access to a part of the files to WikiLeaks, which published them earlier than Fisher intended. Thereafter, Fisher released the remaining files.
The release of the personal details of millions of citizens has reinforced concerns about data security in the country. Despite the magnitude of the recent leak, this is nothing new for Turkey. In April, Associated Press reported that the details of almost 50 million Turkish citizens were leaked online by Hacktivist group Anonymous, including those of President Erdoğan, Prime Minister Ahmet Davutoğlu and former President Abdullah Gül.
A controversial data protection law was passed shortly after the leaks in April. Although the expressed purpose of the law is to protect the rights of Turkish citizens with respect to data storage, it grants sweeping powers to the state as to when those rights may be overridden.
The law, which regards information pertaining to race, ethnicity, political, religious, sectarian and organizational affiliations, dress, sexuality and criminal records as personal data (article 6), states that such data cannot be collected without the consent of citizens.
However, the law also permits collection and storage of such data without the consent of those it concerns in cases where the law deems appropriate. Article 28 stipulates sweeping exceptions to data protection when it comes to the “protection and intelligence activities related to national defence, national security, public security, public order or economic security”. Critics have argued that this series of exceptions leaves citizens extremely vulnerable to privacy violations.
The collection of data regarding health and sexuality is also permitted without consent for purposes such as the protection of public health, the conduct of medical care and treatment services, as well as the planning and financing of health services. Thus, the state has huge leeway in collecting data without citizens’ consent.
Moreover, the law stipulates that data collection will be overseen by a personal data protection council. Of the nine members of the council, five will be appointed by parliament, two by the cabinet, and two by the President, raising serious questions about the extent to which the council will function and make decisions independent of political influence.
Leaving aside the limitations placed on citizens’ right to control the collection of their personal data, it remains extremely unclear what share of the Turkish population would actually have the knowledge and interest to pursue its personal data and hold to account the authorities in the first place.
According to the Turkish Statistical Institute, only 55.9% of the Turkish population has access to the internet; even fewer in rural areas where the number stands slightly above 30% according to 2013 data, demonstrating that knowledge and interest in data security is unlikely to be high in the country.
The increased powers of the state to collect and store data, coupled with a low level of access to the internet is cause for even greater concern regarding to the country’s poor track record in data protection.
“Data protection is clearly a major weakness of the government which is also collecting a lot of data about people,” Tüfekçi told Independent Turkey.
The data protection act provides the state with a wide range of exceptions by which restrictions on access to personal data can be overridden. Given the wave of hacking scandals hitting Turkey over the last few months, it remains unclear whether the necessary mechanisms are in place to protect the sensitive personal data and privacy of citizens.