A cybersecurity reporter from Forbes, Thomas Fox-Brewster, made headlines in Turkey this week by revealing that Procera Networks engineers quit over the company’s products being used by the Turkish government to spy on its citizens.
According to the leaked documents from the company, senior technical engineer Kriss Andsten blew the whistle in an email to all colleagues after seeing that Turkey’s largest ISP, Turk Telekom, whose 30 percent share is owned by the Turkish government, used Procera’s deep packet inspection (DPI) tools to monitor user and and extract “usernames and passwords from unencrypted traffic.” After many other engineers raised concerns over surveillance, Procera executives outsourced Turk Telekom’s password extraction feature to another company, according to the documents obtained by Forbes.
Given Turkey’s alarming internet freedom record, it is concerning that a U.S. company’s technology is helping an authoritarian government to spy on its own people. But censorship and surveillance is the reality of life in Turkey, and it’s also the reason why virtual private network (VPN) services and the Tor anonymity network are so popular among ordinary internet users in the country.
Besides, the news of Turkish ISPs using DPI is hardly new for many Turkish people.
Back in 2012, Turk Telekom started a partnership with a (now defunct) advertisement company named Phorm, which used DPI for behavioral targeting. Despite the partnership being fined 1.57 million Turkish lira (US $870,000) in 2013 for breaching user privacy with a default opt-in system, the company kept its operations by changing names and signing with eight more Turkish ISPs, until it pulled out of Turkey in 2015.
The government’s own interest in DPI technology started in 2014. When the Gezi protests of June 2013 showed the potential of Twitter in organizing mass demonstrations and YouTube proved an effective medium to leak the audiovisual evidence of a December 2013 corruption scandal, the Erdoğan government responded by quickly passing a series of amendments to the Internet Law (PDF). These changes obliged ISPs to keep traffic logs of all users for two years, and allowed the government to censor URL addresses prior to judicial review.
Both of these measures necessitated DPI technology as noted by Human Rights Watch: While blocking a website completely was previously done by removing its domain name from ISPs’ domain name servers (DNS), blocking specific URLs of news articles required monitoring digital communications more closely. Over the years, DPI was proven to be a more stealthy blanket censoring of corruption news without ISPs facing a backlash for banning news websites.
Regardless of the amendments on paper, not all of the ISPs were able to implement DPI technologies immediately on a mass scale. In April 2014, right after Erdoğan blocked both Twitter and YouTube nationwide during local elections, the Turkish government reportedly sent a directive to all ISPs detailing requirements for the DPI equipment. Then in June 2014, a tender notice from Turk Telekom was obtained by daily Taraf’s reporter Tunca Öğreten—the deal that is confirmed by Forbes this week, more than two years later.
After the Procera deal was finally confirmed, Öğreten wrote in more detail how the government pressured ISP executives to breach ‘HTTPS’ (encrypted connections between users and websites) despite technical and ethical concerns, wanted to analyze emails and instant messaging apps, and even to monitor VPN and Tor traffic, according a report by Turkey’s Alternative Informatics Association.
With the details of Procera and Turk Telekom deal finally revealed, a Turkish software engineer with years of experience on DPI technologies contacted the Daily Dot, in condition of anonymity, to clarify known unknowns of DPI use in Turkey.
Although there are only two documented cases, Phorm and Procera—both on Turk Telekom infrastructure—the engineer revealed that other ISPs had been using DPI tools as well; “at least since 2012.” However, government surveillance was not the initial aim, they said, but the growing market was, allowing ISPs to classify their user base and develop business strategies on customer profiles. With the 2014 amendment, all Turkish ISPs were obliged to use DPI to meet regulations on URL-based censorship and detailed traffic logs, the engineer noted, otherwise companies would risk losing their license to operate.
In response to our questions on the legality of the Procera deal, Turkey’s well-known internet rights activists and jurists, Yaman Akdeniz and Kerem Altıparmak, said collecting detailed traffic logs that include IP address and customer IDs violate users’ privacy, and extracting passwords without a court order is clearly illegal. Digital rights lawyer Serhat Koç suggested that users can apply to courts for damages but also noted the decline of the Turkish legal system, reminding how the criminal complaint by rights associations was disregarded and nothing has improved since 2014.
The software engineer was perhaps the most pessimistic: “We are too late to worry now. All ISPs are doing this in accordance with the law. This is, I think, what we should worry about most.”