by Yasir Gökce*
Almost every smartphone user would have likely downloaded a sort of messaging app onto their phone and/or corresponded by means of it. Imagine that one day the government asserts that the messaging app you have been enjoying has long been used by a group that the government declares “terrorist” and that on that ground you have become a member of this terrorist organisation. This is what tens of thousands of alleged ByLock app users in Turkey have experienced after the app has been qualified as such and the waves of investigations, prosecutions and detentions that followed it. Ever since, they have desperately been trying to “prove their innocence” by advancing that they have never downloaded the app, or they downloaded it but have never used it for criminal/terrorist purposes.
Following the assertion of the Erdogan government, almost all first instance courts in Turkey consider the use of ByLock app sufficiently proves the affiliation of the accused with the Gülen Group, which the Erdogan government has branded as ‘Fetullahist Terrorist Organization’ (hereinafter FETÖ). Having endorsed the judgment by the first instance and turned it into its settled jurisprudence, the Turkish Court of Cassation establishes that any involvement in the ByLock network, if substantiated beyond any doubt, suffices to demonstrate terrorist membership and that the content of the messages might be relevant for convicting someone of belonging to the leadership of the group. Here, it is worthy to note the UN Working Group on Arbitrary Detention’s opinion that the actual use of ByLock app would merely constitute an exercise of freedom of expression.
An individual, Mr. Yalcinkaya, who was convicted of “FETÖ” membership for inter alia ByLock use, has exhausted the domestic remedies in Turkey and managed to bring his case before the European Court of Human Rights. Within the framework of communications with the Turkish government, the European Court posed critical questions, which the defendants have been asking since day one of the accusations and to which Turkish courts have so far been oblivious. These questions boil down to the legality, reliability, accuracy and integrity of the evidence which the allegations of the ByLock use are predicated on. This piece aims to address these questions from a legal and technical point of view, in light of the assertions and assumptions of the Erdogan government as well as current developments concerning the ByLock investigations.
What were the reasons which led the domestic judicial authorities to conclude that ByLock messaging application was exclusively used by the members of ‘FETÖ?
The claim that ByLock had been exclusively used by members of “FETÖ” is based on one of the conclusions of the ByLock Technical Report, which was issued by the Turkish intelligence service (hereinafter MIT) in the aftermath of the controversial July 15 coup attempt. In its report, the MIT asserts that an account opened in the ByLock network can only be activated, and thereby become usable, with an activation code sent by a system administrator exclusively appointed by ‘FETÖ’. However, the MIT has failed to substantiate this claim. One may think that the MIT might have come to this conclusion on the ground that ByLock was developed in the first place by ‘FETÖ’ merely for its secret communication needs. But the latter claim has also not been corroborated through the means of digital forensic analysis and runs against the statement by the ByLock developer.
Besides, a number of independent digital forensic experts (here, here, here and here) have conducted extensive analyses on the ByLock app and disputed the findings of the MIT. Highlighting the fact that ByLock could be downloaded via Google Play Store, Apple Store, apk-dl.com, apkpure.com and downloadatoz.com, they all found that the MIT’s conclusions are unsound and invalid.
Did the domestic authorities comply with the statutory provisions under Turkish law regulating the collection, examination and use of evidence, including electronic and digital evidence, in so far as the ByLock evidence is concerned?
In order for an interception of private communication to not violate the right to private life and to be presented before a court as an evidence, the following criteria envisaged in Article 135 of Code of Criminal Procedure must be fulfilled:
- There must be an already-launched investigation or prosecution.
- There must be strong grounds of suspicion indicating that the crime has been committed.
- There must be no other possibility to obtain evidence.
- On the condition that above-mentioned three criteria are met, a judge may decide to intercept or wiretap private communication of suspects.
According to the official figures in the MIT’s ByLock Technical Report, number of people whose metadata were obtained by the MIT is 215,000. However, one cannot document the investigations launched against those 215,000 individuals by the time the ByLock data were obtained. The ByLock Technical Report or the subsequently-produced reports have not cited any tangible evidence underpinning a strong suspicion of crime. They have also failed to evaluate whether there is another possibility to obtain evidence. Finally and importantly, there is no judicial decision ordering the interception of ByLock communication allegedly belonging to those 215,000 suspects.
Having been mindful of this legal truism, the ByLock reports of police forces listing the names of suspects as ByLock users placed the following legal warning on the very bottom: “The data about suspects’ phone records was retrieved through the intelligence work under the Law 2559 on Police Duty and Authority, which prevents these findings from being used as part of a judicial or an administrative investigation”.
On the other hand, if one assumes the accuracy of the official narrative that the MIT purchased the ByLock servers from the Lithuania-based company ‘Baltic/Cherry Servers’, the MIT can then be claimed to have relied on Article 134 of Code of Criminal Procedure, which necessitates a judge decision for seizure of electronic devices. In that regard, the warrant issued by the Ankara 4th Peace Judge to seize and search the hard drives containing the ByLock data has frequently been cited in an attempt to allude to the legality of the procedure of data acquisition under Article 134 of TCPC. Although this gives the impression of involvement of a judge prior to the acquisition of ByLock, it fails to capture the fact that, by the time the Ankara 4th Peace Judge decided a seizure order, the MIT had already acquired, processed and analysed the ByLock data, and prepared the ByLock user lists based on it.
Was the evidence concerning the applicant’s use of ByLock obtained lawfully, having regard to the allegation that the internet traffic information provided by the Information and Communication Technologies Authority (Bilgi Teknolojileri ve İletişim Kurumu, ‘BTK’) was not retained and disclosed lawfully, as it included information that predated the maximum time-limit set out in the law for the retention of such data?
The way the ByLock metadata was gathered also has legal implications in terms of the Turkish law on data retention. In its ByLock Technical Report, the MIT asserts that entries in the log tables of the ByLock database have been used to identify individuals. These entries involve the IP addresses of ByLock users during login and registration. An IP address is linked to an individual by matching it with the log data retained by internet service providers. The period within which internet service providers are allowed to retain metadata sheds light on the problematic aspect of the attribution of IP addresses to individuals by the MIT.
Under the Turkish Personal Data Protection Law, personal data shall not be processed without obtaining the explicit consent of the data subject unless it is expressly permitted by any law. The Regulation on Processing, Storage and Preservation of Personal Data ascertains the exact retention period of communication data as one year. Put differently, internet service providers cannot retain log data more than one year, otherwise the criminal offence of failure to destroy the data despite expiry of legally prescribed period would apply.
It is observed that a great majority of the ByLock metadata are dated late 2014. Applying the one-year data retention period, the internet service providers had to destroy the internet traffic data as of the end of 2015. Nevertheless, the ByLock investigations first took place in 2016. This demonstrates two possibilities: Either the internet service providers committed the aforementioned crime laid down in the Turkish Penal Code by retaining the data more than the legally prescribed period, or the MIT did not have any internet traffic data whereby it could compare and match the IP addresses it detected in the ByLock database.
Was the evidence concerning the applicant’s use of ByLock sufficiently reliable? In particular;
(i) To what extent was the digital evidence obtained regarding the applicant a reliable indicator of his use of ByLock, from a technical point of view? Did the domestic courts sufficiently assess the reliability of the digital evidence presented to it by the prosecution and did they respond to the applicant’s concerns regarding the reliability of that data?
(ii) What safeguards were available in domestic law to protect the integrity and authenticity of the ByLock data obtained by the MİT during the period preceding its submission to the prosecution authorities, given that the relevant procedural safeguards envisaged under the Criminal Code of Procedure were not found by the domestic courts to have any application during that initial period?
A number of independent digital forensic experts have conducted extensive analyses on the ByLock app and disputed the findings of the ByLock Technical Report by the MIT. Digital Forensic Expert Thomas Moore concludes that the argumentation of the MIT report is seriously flawed, incorrect and questionable, arguing that the report sets forth several inconsistencies which point out to manipulation of the data collected and was written in such a biased manner as to vindicate some pre-determined outcomes. Contrary to the assertion in the MIT report, digital forensic analyst Jason Frankovitz states that anyone who downloaded the ByLock app could create their own ByLock account and start sending messages to other users (before the system stopped operating in 2016). Information security legal experts Clegg and Baker found that the ByLock Technical Report by the MIT was insufficiently evidenced, not well-structured and lacking in essential details. Last but not the least, cyber security firm FOX IT notes that it “finds the quality of the MIT report very low, especially when weighed against the consequences of the conclusions.”
Moreover, disregard to very basic principles of digital forensics throughout the handling of ByLock data, from its acquisition to analysis and preservation, has been so intense that the data could not be claimed anymore to maintain its authenticity, consistency and integrity, a phenomenon that is also reiterated by the analysts cited above. As a result, the ByLock data has forfeited its legal character of being an admissible evidence. The foremost of such disregard is the lack of documentation during analysis. The MIT has failed to record, and thereby provide transparency for, the sequence of steps it took for its analysis, a deficiency which notably impair the chain of custody of the digital evidence. Besides, the MIT has apparently neglected to apply cryptographic hash functions to the clusters of ByLock data which would be subjected to digital forensics. Without such cryptographic procedure, data’s integrity cannot be guaranteed by the analysts, because they would lack the hashed values acting as anchors which enable them to prove that data has not been corrupted neither by them nor by third parties. Moreover, the results of the ByLock Technical Report are not repeatable nor independently verifiable, as suspects have never been provided with an exact bit-for-bit copy or a forensic image of the digital evidence against them. Lastly, neither in the Technical Report nor afterwards has the MIT specified how the security of the original or processed ByLock data is ensured or what measures are carried out to preserve its integrity, e.g. access controls, encryption, logging etc.
Finally, the mere fact that the MIT have reduced the number of people who downloaded ByLock from over 1 million to 215,000, then to 102,000, and then to 91,000depicts a gloomy picture about the accuracy and reliability of the ByLock data as an admissible evidence. Besides, the current revelations of a Turkish gang leader are eye-opening as they pointed out how the integrity of the ByLock user lists were corrupted through the inclusion of businessmen who are critical, competitive, or otherwise detrimental to the Erdogan government.
These questions of the European Court, which the Erdogan government has so far deliberately avoided, are pertinent and serious as they tackle with the issues around the legality, legitimacy, reliability, and integrity of the “ByLock evidence” which has been predominantly determinant on the detention and conviction of thousands of individuals somehow linked to the Gülen Group.
* Yasir Gökce is an Information and Cyber Security Officer at DB Netz AG. He is also a PhD researcher on Active Cyber Defense and International Law at Bucerius Law School and Member of instituDE.