UPDATED: May 2017 | SOURCE: Vodafone Group with support from Hogan Lovells
Provision of Real-time Lawful Interception Assistance
THE TURKISH CONSTITUTION
Article 22 of the Turkish Constitution states that interception of communication will be granted if there is a decision duly given by a judge on one or several of the grounds of national security, public order, prevention of crime, protection of public health and public morals, protection of the rights and freedoms of others; or in non-delayable cases if there exists a written order of an agency authorised by law, again on the above-mentioned grounds.
‘Agencies authorised by law’ means any governmental body that is established pursuant to its establishment rules. Examples of agencies authorised by law or intelligence bodies are: the director general of public security, the commander of the Turkish gendarmerie forces (at their duty stations) and the director of the intelligence agency.
The ‘law’ here can either be a Law, a Decree-Law or a Regulation which is below the Decree-Law in the hierarchy of laws, according to the Turkish legal system. The agency authorised by law includes the Information and Communication Technologies Authority (the BTK), establishment of which is required by the Law of Electronic Communications No. 5809 (5809 Sayılı Elektronik Haberleşme Kanunu). Unfortunately, ‘non-delayable cases’ are defined not within the Constitution but only in a variety of Regulations (eg the Regulation on Forensic Prevention (of Crimes) and Search and the Regulation on Seizure, Arrest and Interrogation). In general, as mentioned in the Regulation on Forensic Prevention (of Crimes) and Search, non-delayable cases include:
a. judicial reasons such as the risk of disappearing of tracks, traces, marks and evidence of a crime, escaping of a suspect or disability of identification in case of not taking necessary action immediately; and the fact of not being able to obtain a verdict of the judge by reason of inadequate time to prevent the said risks; and
b. prevention of crime when a condition is jeopardising the protection of or causing the breach of national security and public safety, general health and public moral or the rights and liberties of others, disability of locating any illegally carried or possessed weapons or materials because of not being able to obtain a verdict from the judge in adequate time to prevent those risks. However, the Court of Appeal may widen the scope of this definition depending on each case, so it remains open to potentially wide interpretation.
THE REGULATION ON THE PROCEDURES ORGANISING THE PUBLICATIONS ON THE INTERNET, PUBLISHED IN THE OFFICIAL GAZETTE NO. 27241 AND ENFORCEABLE SINCE 27 MAY 2009 (ELEKTRONIK HABERLESME SEKTORUNE ILISKIN YETKILENDIRME YONETMELIGI) (THE REGULATION)
Article 21 of the Regulation empowers the BTK to intercept (or suspend, interrupt or stop) electronic communications operators from providing a communications service (entirely or partially), if the ‘legal conditions of protecting the public safety, public health, public morals and other public interests as such’ are met. If these conditions are met, the BTK will obtain the opinion of the Transportation and Communication Ministry in order to decide on the interception of communications provided by the relevant operator(s).
For the purposes of the Regulation, ‘interception’ may also mean suspension, interruption, stopping and/or blocking. Note that according to the hierarchy of the governmental bodies, the BTK is bound to the Ministry of Transportation and Communication; hence the Ministry’s opinion will be taken where necessary. ‘Where necessary’ is an ambiguous expression because there are no absolute grounds or occasions that are objectively necessary for the Ministry’s opinion.
THE REGULATION ON THE PROCEDURES ORGANISING THE PUBLICATIONS ON THE INTERNET, PUBLISHED IN THE OFFICIAL GAZETTE NO. 26716 AND ENFORCEABLE SINCE 30 NOVEMBER 2007 (INTERNET ORTAMINDA YAPILAN YAYINLARIN DUZENLENMESINE DAIR USUL VE ESASLAR HAKKINDA YONETMELIK) (THE INTERNET REGULATION)
As for communications made via the internet, Article 12 of the Internet Regulation states that, as a general rule, if there is ‘adequate doubt’ that publishing constitutes ‘promoting suicide’, ‘sexual harassment of children’, ‘expediting usage of drugs’, ‘providing material harmful for health’, ‘obscenity’, ‘prostitution’, ‘providing venues and opportunities for gambling’ and ‘crimes against Ataturk’ (the founder and the first president of the Republic of Turkey), access to that publishing will be intercepted and/or blocked. This decision can be given as a protection measure by the judge or, in non-delayable cases, by the prosecutor to submit for the judge’s decision within 24 hours and then the judge will approve or abolish it within 24 hours. This article is in line with Article 8/1 of Law No. 5651 on the Regulation of Internet Publications and Prevention of Crime.
The same Regulation (Article 14) includes an ‘administrative measure’ and states that the Presidency of Telecom Communications (the TIB) may decide to intercept or block access to the relevant content on the grounds of ‘promoting suicide’, ‘sexual harassment of children’, ‘expediting usage of drugs’, ‘providing material harmful for health’, ‘obscenity’, ‘prostitution’, ‘providing venues and opportunities for gambling’ and ‘crimes against Ataturk’ (the founder and the first president of the Republic of Turkey) ex officio, if the content provider or the hosting service provider is located or residing abroad.
The orders of the TIB are sent directly to the internet access providers, including operators who provide access to the internet. The TIB may also decide to intercept or block access whether or not the content or the hosting provider is located or residing abroad, if the internet publishing constitutes ‘sexual harassment of children’ or ‘obscenity’, provided that its decision is submitted before the judge and the verdict on it is given within 24 hours. Article 16 of the Regulation states that access providers will set up the necessary hardware and software, and make the required arrangements in order to enable the immediate application of the access-blocking decisions via a connection between the TIB and the access provider.
While the BTK has its own administrative and financial autonomy, as mentioned in Article 4 of the Regulation for the Organisation of the BTK, the TIB is bound directly to the president of the BTK and serves within the BTK, according to Article 16 of the Regulation for Detecting, Recording and Wire-Tapping the Communications, and Evaluating the Signal Data, published in the Official Gazette No. 25989 on 10 November 2005 (Telekomünikasyon Yoluyla Yapılan İletişimin Tespiti, Dinlenmesi, Sinyal Bilgilerinin Değerlendirilmesi Ve Kayda Alınmasına Dair Usul Ve Esaslar İle Telekomünikasyon İletişim Başkanlığının Kuruluş, Görev Ve Yetkileri Hakkinda Yönetmelik).
According to Article 16 of the Internet Regulation, the order of the TIB is sent to the internet access providers, including operators, via electronic means and will be applied by the access providers within 24 hours of the delivery of the order. However, this order will be subject to legal examination.
THE REGULATION FOR THE ORGANISATION OF THE BTK, PUBLISHED ON A DECREE OF COUNCIL OF MINISTERS NUMBERED 2011/1688 AND DATED 4 APRIL 2011, PUBLISHED IN THE OFFICIAL GAZETTE NO. 27858 AND ENFORCEABLE SINCE 8.11.2011 (BILGI TEKNOLOJILERI VE ILETISIM KURUMU TESKILAT YONETMELIGI – THE ORGANISATION REGULATION)
Article 5/(u) of the Organisation Regulation states that any and all types of information can be obtained by the BTK from operator enterprises, state institutions, real persons and legal entities and, if requested by the Ministry, the BTK will deliver the information deemed necessary for determining sector-specific strategies and policies to the Ministry. Therefore, operators are obliged to provide the necessary information on the BTK’s request. Here ‘any and all types of information’ is a rather broad term and may include the documents and/or information relating to technical requirements for interception. In Article 5/(ü) of the Organisation Regulation, the BTK is entitled to take all precautionary actions stated by law so that the activities within the sector are carried out according to the requirements of national security, public order or public services.
Further to this, Article 5/1 of The Regulation on Authorisation within the Electronic Communication Sector, published in the Official Gazette No. 27241 and enforceable since 27 May 2009 (Elektronik Haberleşme Sektörüne İlişkin Yetkilendirme Yönetmeliği) states that the Transportation Ministry’s strategy and policies will be taken into account while the operators establish the technical infrastructure when authorised by the BTK. ‘Strategy and policies of the Ministry’ is another broad term which may conceivably be used by the Ministry to increase the flexibility of its actions within the communications sector.
Intelligence authorities and legal enforcement authorities (agencies authorised by law) have the technical and technological capabilities to access an operator’s systems. Therefore, a written order of the agencies authorised by law, including the BTK or a decision of a judge, is adequate for them to implement interception capabilities.
THE REGULATION FOR DETECTING, RECORDING AND WIRE-TAPPING THE COMMUNICATIONS AND EVALUATING THE SIGNAL DATA, PUBLISHED IN THE OFFICIAL GAZETTE NO. 25989 ON 10 NOVEMBER 2005 (TELEKOMUNIKASYON YOLUYLA YAPILAN ILETISIMIN TESPITI, DINLENMESI, SINYAL BILGILERININ DEGERLENDIRILMESI VE KAYDA ALINMASINA DAIR USUL VE ESASLAR ILE TELEKOMUNIKASYON ILETISIM BASKANLIGININ KURULUS, GOREV VE YETKILERI HAKKINDA YONETMELIK) (THE WIRE-TAPPING REGULATION)
The Wire-Tapping Regulation is important because activities such as ‘wire-tapping’ mean accessing the content of telecommunications and require a high threshold. The Wire-Tapping Regulation gives wire-tapping powers to the intelligence bodies, such as the Security General Directorate or Intelligence Head or Gendarmerie General Command, by delivering their written order to the relevant offices for appropriate execution. These orders can be given in urgent cases for prosecution of specific sorts of crimes such as organised drug trafficking, organised economic crimes, sedition, crimes against the constitutional unity, national security and governmental confidentiality and espionage.
In a case where there is ‘serious danger’ against the essential interests of the country and the democratic constitutional state, and if the case is deemed to be ‘urgent’, written orders may be given to grant the security of the government, reveal espionage (spying activities), ascertain disclosure of state secrets and prevent terrorist activities. These orders would be given by the secretary and/or deputy secretary of the National Intelligence Organisation, and delivered to the relevant offices for appropriate execution (Article 7).
The ‘relevant offices’, where the written orders will be sent, appear to be those of the TIB. According to Article 10 of the Wire-Tapping Regulation, written orders and decisions will be sent to the TIB via the electronic means determined by the TIB. The orders and decisions are then applied under the TIB’s supervision. The date and time of the activity and the identity of the person who conducted the activity will be determined and recorded by a written report. Orders which do not comply with the rules set by the Wire-Tapping Regulation will not be applied or enforced in any case.
Disclosure of Communications Data
LAW NO. 5651 ON THE REGULATION OF INTERNET PUBLICATIONS AND PREVENTION OF CRIME
Before the Constitutional Court’s decision of 2 October 2014, numbered 2014/149 E 2014/151 K, which was given only eight months after the publication of Article 3/4 of Law No. 5651 on the Regulation of Internet Publications and Prevention of Crime, internet access providers were obliged to provide communications data requested by the TIB, including:
- a subscriber’s name;
- identity information;
- the address;
- the phone number;
- the date and time of logging into a system;
- the date and time of logging off a system;
- the IP address given for the relevant access and access points, and/or resource IP address and port number;
- the targeted IP address and port number;
- the protocol type;
- the URL address;
- the date and time of connection; and
- the date and time of ending of the connection.
This data could only be obtained by the TIB where a court order was given in relation to the prosecution of a crime. However, this sentence in Article 3 (namely, Article 3/4) was cancelled and retroactively abolished by the decision of the Constitutional Court due to a breach of the Constitutional ‘principle of clarity and definiteness’ stated in Article 2 of the Turkish Constitution and due to a breach of Article 20 of the Constitution which determines the core of personal data protection in Turkey. Following the cancellation, internet access providers are now obliged to provide this data if requested by the courts.
The TIB’s and BTK’s actions may be brought before the administrative courts for cancellation.
As for the content of the communications, such data falls within the scope of personal data definition in the new Personal Data Protection Law No. 6698 (‘the new DP Law’). Although some Articles of this new DP Law will enter into force on 7 October 2016 (ie six months after the publication date), most protection clauses are already in force. According to the new DP Law, the ‘data controller’ will determine the purposes/objectives and instruments/manners of data processing and will establish and administer a data recording system. However, the obligation for data controllers to register with the ‘data controller’s registry’ will enter into force on 7 October 2016.
Considering that Vodafone deals not only with communications data, but also with other personal data, such as the customer’s ID number and other ID details such as location, phone number, etc, this Law may prevail on most cases. After the relevant Articles enter into force, transferring of personal data to third parties, either within or outside the Turkish Republic, will be subject to the explicit consent of the data owner (Article 8 of the DP Law), as a general rule. The most striking exceptions to this rule include the conditions when transferring of data is:
- mandatory in order to be able to use/grant/protect a right;
- necessary, provided that transferring of that data is directly related to reaching or performing an agreement; and
- mandatory for the data controller to fulfill a legal obligation.
The content of communications cannot be accessed by the BTK or the TIB according to the Electronic Communication Sector legislation. However, if in a particular case pending before the prosecutor, the prosecution or the criminal procedure requires it, then the content may be disclosed to those administrations. This rule is also in line with the above-mentioned Articles of the new DP Law.
On 27 March 2015, the Electronic Communications Law Article 51/10-C introduced a change to the mandatory data retention period for communication data, according to which, the data retention period is reformulated to a maximum of two years and a minimum of one year.
National Security and Emergency Powers
THE TURKISH CONSTITUTION
Intelligence authorities and agencies authorised by law (including the BTK) have the power to intercept communications for national security, public order, prevention of crime, protection of public health and public morals, and protection of the rights and freedoms of others. Therefore, they are entitled to take all necessary actions relating to these reasons, as detailed in Article 22 of the Constitution.
According to Article 15 of the Constitution and Law No. 2935 enacted on 25 October 1983 on State of Emergency, communications may be intercepted permanently, or the tools to provide communications to customers may temporarily be seized for reasons of public emergency, national security, mobilisation or war.
In applying Law No. 2935, a declaration of extraordinary administration procedures may be the result of a natural disaster or a serious economic crisis, widespread acts of violence or serious deterioration of the public order. The right to communicate and the privacy of communications and personal life may be restricted entirely or partially, which could hand the control of all authorisations mentioned above to the entities indicated in the decree laws.
The Council of Ministers, under the chairpersonship of the President of the Republic and after consultation with the National Security Council, may declare martial law in one or more regions throughout the country for a period of no more than six months in the event of:
- widespread acts of violence which are aimed at the destruction of the free democratic order or the fundamental rights and freedoms embodied in the Constitution and more dangerous than the cases requiring a state of emergency;
- the emergence of a situation requiring war;
- an uprising;
- the spread of strong and violent and rebellious actions against the motherland and the Republic; or
- widespread acts of violence of internal or external origin threatening the indivisibility of the country and the nation.
Oversight of the Use of Powers
Under Article 22 of the Turkish Constitution, an authorised agency’s order (apart from that of the BTK) will be submitted for a judge’s approval within 24 hours. The judge’s decision will be declared in the 48 hours following the submission; otherwise the order of the authorised agency will be abolished per se.
The Turkish legal system is based on the continental European legal system. In this respect, the actions, orders and decisions of a governmental body can be subject to cancellation or nullity claims before the administrative courts and not the civil courts.
Administrative courts cannot act on behalf of the administrative bodies, but merely implement precautionary suspensions of administrative actions and then decide on either the cancellation or nullity, or approval, of such actions. In that sense, the BTK’s decision and/or Transportation and Communication Ministry’s opinion are not subject to judicial oversight, unless they are brought before administrative courts for cancellation.
Although other authorised agencies’ orders, eg a prosecutor’s order in an urgent case, must be approved by a judge, it appears the BTK’s actions of interception of communication services are not subject to a judge’s prior approval. However, they can still be subject to litigation before administrative courts for their validity and enforceability.
According to Article 17 of the Internet Regulation, if the prosecutor decides there is no adequate evidence to create suspicion (an ‘adequate suspicion’ threshold) then the order will be abolished per se. In urgent cases during the prosecution process, however, the prosecutors themselves may decide to intercept or block the content. This decision must be brought before the judge within 24 hours and the judge will decide on the matter within 24 hours. Unfortunately, what amounts to an urgent case is not defined within the Internet Regulation, so it remains quite open to interpretation.
Article 8 of the Wire-Tapping Regulation states that an authorised agency’s order, such as an order of the Security General Directorate or Intelligence head, the Gendarmerie General Command or the Secretary of the National Intelligence Organisation, will be submitted to a judge’s approval within 24 hours. The judge’s decision will be declared in the 48 hours following the submission; otherwise the order of the authorised agency is abolished per se.
The decision for conducting wire-tapping or other interception measures can be given for a period of three months at most. This period can be extended up to three times making a maximum period of nine months (ie 3 x 3 = 9). The decision of the intelligence bodies (Security General Directorate, Gendarmerie General Command or National Security Organization) or the prosecutor must be approved by the judge in the 24 hours following their submission, or the order will be abolished.
SHUT-DOWN OF NETWORK AND SERVICES
A network operator, such as Vodafone, must obtain authorisation of the Communication Technologies Authority (the BTK) to legally operate its network.
The Regulation on Information and Communication Technologies Authority Administrative Penalties Published in the Official Gazette No. 28914 and Enforceable Since 15 February 2014 (Bilgi Teknolojileri ve Iletisim Kurumu Idari Yaptirimlar Yonetmeligi)
In cases of war, mobilisation and/or public emergency the BTK may order the shut-down of all or some of a network operator’s (such as Vodafone) services for a limited or indefinite period of time if requested to do so by government agencies responsible for public security and national defence. This is pursuant to Article 34 of the Regulation on Information and Communication Technologies Authority Administrative Penalties. Given the broad nature of such powers it is feasible that they might extend to ordering the shutdown of Vodafone’s entire network. If a network operator did not comply with such an order, such non-compliance would constitute gross negligence and its authorisation to provide network services would be terminated.
The BTK can also terminate authorisation entirely where a network operator (such as Vodafone) breaches national security or public order rules under Articles 31 and 32 of the Regulation on Information and Communication Technologies Authority Administrative Penalties.
ELECTRONIC COMMUNICATIONS LAW
Network operators must comply with the procedures and proceedings in the Electronic Communications Law; this includes obtaining the BTK’s authorisation in order to legally operate as a network operator. The procedure for obtaining authorisation is set out in detail in Article 9. The BTK has the power to suspend or revoke authorisation to operate a network if the operator in question contravenes its obligations under the Electronic Communications Law or if the BTK considers the operator to have been grossly negligent in operating its network or services.
BLOCKING OF URLS & IP ADDRESSES
Law No. 5651 on Regulation of Publications on the Internet and Suppression of Crimes Committed by Means of Such Publications
Article 9 of Law No. 5651 obliges network operators (such as Vodafone) to take all technological measures to prevent access to IP addresses or URLs which are marked as providing access to illegal content by a court decision or by the Presidency of Telecom Communications Head Office (the TIB). The Union of Access Providers (established 19 May 2014) is responsible for notifying operators of a court or TIB decision; network operators are then obliged to carry out the necessary blocking within four hours of receiving such notice. A new omnibus law published recently provides the Chairman of the TIB with the power to request the blocking of websites and content in order to protect national security and public order, as well as to prevent crime. Upon receiving such a request, the service provider is required to shut down the website or remove the content specified within four hours.
In the past year, the Constitutional Court has annulled Article 4/3, Article 5/5 and Article 6/1/(d) of Law No. 5651, which obliged content providers, hosting service providers and access providers to share all the data kept by them with the TIB, in the manner requested by the TIB. These articles were found to be in breach of the Constitutional ‘principle of clarity and definiteness’ stated in Article 2 of the Constitution and of Article 20 on the protection of private life and personal data. The Constitutional Court also annulled an expression in Article 9/9 which stated that ‘a decision of a judge regarding a publication that breached a personal right’ will also apply to ‘identically similar publications’. In this article, the expression of ‘identically similar publications’ was annulled by the Constitutional Court on the grounds that it breached ‘freedom of thought’ in Article 26 of the Constitution and the rule of ‘limiting the fundamental rights only by Laws’ (and not hierarchically lower regulations) in Article 13 of the Constitution.
According to these changes, access providers can no longer be forced to block IP addresses which are similar to the IP addresses blocked previously. The Constitutional Court’s decision is enforced one year after publication in the Official Gazette. As the Court’s decision was published on 28 January 2016, the changes are expected to be enforced one year after that publication.
POWER TO TAKE CONTROL OF VODAFONE’S NETWORK
The Regulation on Information and Communication Technologies Authority Administrative Penalties
See Section 1 ‘Shut-down of network and services’ above. In cases of war, mobilisation and/or public emergency, the BTK may take control of Vodafone’s network according to Article 34 of the Regulation on Information and Communication Technologies Authority Administrative Penalties. The BTK must have a written order from the government agencies responsible for public security and national defence to do so.
Oversight of the Use of Powers (Censorship-related)
The BTK’s decisions are administrative acts and subject to legal procedures. Therefore, a relevant party (eg in the circumstances described above, a network operator such as Vodafone) could commence a lawsuit to cancel a decision taken by the BTK before the relevant legal authorities.
Where the Chairman of the TIB requests the blocking of a website or removal of certain content, that request is submitted to the Criminal Court of Peace for approval by a judge within 24 hours. The judge must then decide whether to approve the request within 48 hours.
Encryption and Law Enforcement Assistance
1. Does the government have the legal authority to require a telecommunications operator to decrypt communications data where the encryption in question has been applied by that operator and the operator holds the key?
Yes. Turkish legislation does not directly mention any obligation for communications service providers (CSPs) to decrypt communications. However, the tools, infrastructure and any requirement for decrypting the data must be provided to the agencies authorised by law or intelligence bodies (eg the BTK or the TIB) when they require them in order to detect, wire-tap and record the communications under the legal conditions set out earlier in this chapter (see ‘Provision of real-time lawful interception assistance’).
In particular, the TIB is entitled to make CSPs establish and provide the necessary infrastructures, tools and means that enable wire-tapping, detecting and recording of communication (Regulation for Detecting, Recording and Wire-Tapping the Communications Article 17/1/(e)).
Also, the TIB’s Department for Information System is entitled to integrate some mechanisms to decrypt the communications or order the integration of them, if and when an encrypted communication is detected during a wire-tapping mission. In the case of a CSP not complying with the obligation to provide necessary infrastructure to the TIB, administrative fines (eg up to 3% of the net sales profit of the previous calendar year) will apply.
Also, the BTK is entitled to inspect and control the CSPs to see whether they apply the technical requirements provided by laws and regulations, as stated in the Electronic Communications Law No. 5809 (Article 59). In order for the BTK to duly perform this ‘inspection’, it may request from the operators ‘any and all kinds of information’ which is a broad definition and may well include encrypted data. However, in theory, the content of the communication cannot be examined by the BTK but only by the agencies authorised by law or intelligence bodies.
2. Does the government have the legal authority to require a telecommunications operator to decrypt data carried across its networks (as part of a telecommunications service or otherwise) where the encryption has been applied by a third party?
Even in cases where the communication data is encrypted by third parties, the above-mentioned rules will apply.
The legislation does not directly mention any obligation for CSPs to decrypt communication. However, the TIB’s Department of Information Systems can integrate or order to integrate necessary mechanisms in the system in order to decrypt the communication, according to Article 21/A of the Regulation for Detecting, Recording and Wire-Tapping of Communications. The same rule applies when a CSP does not produce the encryption system itself, but merely provides the infrastructure for third parties’ use of its network, as in an OTT service provider’s services. In such cases, decryption would be performed by the TIB not the CSP itself.
Hence, a judge’s verdict or, in non-delayable cases, an order of prosecutors (if the investigation has already started) or agencies authorised by law or intelligence bodies (if the aim is prevention of crime), will be enforced by the TIB’s Head of Information Systems Department. To do this, the Head can request that a telecommunications operator integrates the necessary systems accordingly, in order to let the Department decrypt the communication. Without that specific request, the telecommunications operator is not obliged to interfere with the communication to decrypt it. The decryption will be handled by the Department. All communications data will be held by the Department for 10 days at most, and destroyed after 10 days (Article 11 of Regulation for Detecting, Recording and Wire-Tapping of Communications).
3. Can a telecommunications operator lawfully offer end-to-end encryption on its communications services when it cannot break that encryption and therefore could not supply a law enforcement agency with access to cleartext metadata and the content of the communication on receipt of a lawful demand?
Turkish legislation and applications only cover, at least at the present time, the conditions when traditional encrypted communications systems are produced and applied by the CSPs themselves.
However, legislation does include a permission rule if the entity can be accepted as a ‘producer of encrypted communication device/systems’ according to the ‘Regulation on Principle and Procedures for Coded or Encrypted Communications of Public Entities and Real or Legal Persons’. Therefore, depending on the technical details of the encrypted communications services that a telecommunications operator conducts, the operator may have to apply to the BTK for a permit to produce the end-to-end encryption system.
This subject is relatively new for the BTK, because the laws were drafted when encrypted communications were only possible via devices that provided encryption; eg encrypted mobiles and transmitters. Accordingly, no practical approach of the BTK may be foreseen or indicated at the time of writing. However, the BTK may have to examine and decide whether or not such an encryption system needs official permission. In order to avoid any possible illegal conduct, the operator may use its ‘right to obtain information’ by explaining some technical details of the system, if not all, and obtain an official writ thereon, which may also be an example for future applications.
If the BTK requires official permission to start end-to-end encryption activities, the telecommunications operator must apply with:
• documents of the encryption technique/device and technical specifications of the electronic communication to be used;
• the encryption algorithm;
• modules for producing, distributing and uploading the encryption key, and the software or hardware which decrypts the code/encrypted data if necessary;
• optional software/hardware, tools and other apparatus which will be used during a test if necessary;
• a signed circular of authorised real/legal persons; and
• the content of the technical document as stated in Annex 2 of the 1999/5/EC Regulation for Transmitters and Telecommunications Terminal Equipment (applicable since 24 March 2007).
Permission of the BTK must also be secured for any kind of alterations or updates to be made to the encryption system (Articles 5 and 7 of the Regulation on Principles and Procedures for Coded or Encrypted Communications of Public Entities and Real or Legal Persons).
Whoever makes or provides encrypted communication without complying with these rules will face a judicial monetary sentence of 500 to 1,000 days (ie from 10,000 to 100,000 TL), as well as administrative fines up to 3% of net sales profit of the previous calendar year, according to Article 10 of the Regulation and to Articles 60 and 63 of the Electronic Communications Law No. 5809.
This Regulation also shows that the CSPs must only provide the BTK with some technical information, instead of decrypting the encrypted communications data themselves.
4. Please provide examples in this jurisdiction where legislation which predated the advent of commercial encryption (which Vodafone estimates to be circa 1990) has been applied to contemporary cases involving encryption.
The legislation applied prior to the above-mentioned Regulation on Principle and Procedures for Coded or Encrypted Communications of Public Entities and Real or Legal Persons was called the ‘Regulation on Encrypted Transmitter Systems’, the latest version of which was dated 6 March 2004 and was published in the Official Gazette No. 25394. However, this Regulation was entirely abolished by the new Regulation. The other relevant previous legislation was the ‘Transmitter Law’ No. 2813 which was entirely abolished after the articles of the Electronic Communications Law No. 5809 entered into force.
In Turkey, unless a concrete case occurred on a date that the previous (abolished) legislation was in force, the abolished law cannot be applied whatsoever and it cannot override the current legislation. As with criminal legislation, if a case occurred on a date when the abolished legislation was applicable, the legislation which is more beneficial for the suspect or the accused will apply.
Note that this ‘beneficial code’ principle only applies to criminal matters and not civil ones. For instance, in a decision given by the Court of Appeal’s General Assembly of Civil Chambers dated 2 April 2014 and numbered 2013/13-661 E 2014/440 K, the abolition of the Transmitter Law was determined and the Articles of the new Electronic Communications Law were found applicable. Another example is the criminal case, which was decided by the 7th Circle of Criminal Chamber of the Court of Appeal, dated 1 January 2014 and numbered 2012/25235 E 2014/341 K. In this case, the Court of Appeal stated that the Transmitter Law was entirely abolished by the new Electronic Communications Law after the date of the alleged crime, but it also ordered the Criminal Court to examine the ‘beneficial law’ principle for the alleged criminal.
Although these cases do not include encrypted communication matters, they indicate that previous laws cannot override new laws, but that in some cases beneficial law may apply.