One hundred Turkish lira for your data: How Turkish citizens lost all expectations of data security and privacy
Leaks have offered almost unlimited access to Turkish citizens’ data
Originally published on Global Voices
Image made by Giovana Fleck, used with permission.
Since 2018, Turkey has been experiencing a severe economic crisis, with rising inflation, a significantly devalued currency, and an increased cost of living. A few years ago, TRY 100 (around USD 17, pre-crisis) could last a few days in Turkey, but these days it doesn’t buy much anymore, especially in big cities.
In the megacity İstanbul, a single “balık ekmek,” a grilled fish and lettuce sandwich that used to be a cheap working-class staple, costs TRY 120 to 150 (around USD 3,50 to USD 4,50) nowadays. Even getting to Eminönü, a district on the coast where the Golden Horn and İstanbul’s historic old town meet, which is famous for its balık ekmek, costs TRY 105 using the city's public transportation network, assuming you have to change vehicles once. If you decide to stay home and order a Big Mac from the nearby McDonald’s, even that would cost TRY 170 today.
Sitting at home in your İstanbul apartment, eager to spend your TRY 100 and trying to forget that you had to skip lunch, what can you buy to keep yourself entertained? Those familiar with Turkey will not be surprised to hear that one option is all identity-related data of any citizen or resident of Turkey, including insurance numbers, phone numbers, addresses, employment information, healthcare information, property deeds, and all family relations. For the meager price of TRY 100, people can buy all this information and more about anyone who resided in Turkey in the recent past. (Current prices might differ slightly. Prices change fast in Turkey; inflation affects cybercriminals too. It is, however, still dirt cheap.)
How could such sensitive information be that cheap, you might ask? Well, when competition is high in a sector with low marginal costs, prices tend to decrease. In other words, it is cheap because everyone has it. So the real question then becomes, “Why does everyone have it?”
The answer to this is data leaks. Turkey has a long history of data leaks, and the scope of this article wouldn’t be enough to detail every single one of them. The latest significant public data breach happened less than a year ago, around June 2023, when 85 million citizens had their e-devlet (a web-based system that provides online access to government services for Turkish citizens and residents) data stolen. Apparently, the government’s measures to protect citizens’ data were so weak that even the hackers who leaked the data were complaining about it, as well as accusing the state of selling personal data to private companies.
The government itself, on the other hand, refuses responsibility. Ali Taha Koç, the ex-president of the Office of Digital Transformations (DDO), a department responsible for the digitalization of services and cybersecurity that is directly tied to Turkish president Recep Tayyip Erdoğan, claimed that the source of the leaks was the private sector and that the government has protected all data entrusted to it. While Koç did not give any names, he most likely implied the successive Yemeksepeti data leaks. The food delivery app that had a near-monopoly status in Turkey for years leaked information about its over 30 million users not once but twice in the span of a few months.
Regardless of who the real culprit is (the hackers themselves, as mentioned above, point toward the government), the result is an almost complete loss of any expectation of privacy. Turkish citizens do not expect any privacy online anymore. Whenever there is a data leak — and yes, they are frequent enough to talk about data leaks as such without specifying which one — social media users take a mocking tone, making fun of anyone who overreacts to it.
The fatalistic acceptance that is created in this environment can be summarized with this Twitter user’s discussion of the threat of doxxing: “You have my ID? So does everyone who can pay 2$ to get e-devlet leaks. You are not special.” When the expectation of a right does not exist, that right itself also tends not to exist practically, even if it exists legally. Law #6698 on protecting personal data is supposed to secure the constitutional right to privacy. Still, in practice, anyone who knows the right Telegram groups to search for can break this law for the equivalent of a couple of US dollars.
This loss of expectations means that many citizens have given up on other basic citizen entitlements as well. It is subtle but clearly visible in the public psyche. In May 2023, former Minister of Interior Süleyman Soylu, as a demonstration to the interviewer from a tech news site called ShiftDelete, showcased an application called KİM on his phone, which, after taking a photograph of the interviewer, accessed all information, including name, surname, ID number, and several other pictures concerning him. Naturally, this showcase, which Soylu claimed, in the video, “showed the power of the state,” caused quite a controversy.
Opposition politicians and public figures harshly criticized the use of such an app. Merve Kara-Kaşka of BBC Turkey interviewed many of these experts, who criticized the use of the app by the minister of interior, questioning who exactly has access to this program and who is allowed to use it — all very relevant criticisms. There was one line of questioning that was missing here, though, with the notable exception of Veysel Ok, the co-director of the Media and Law Studies Association Turkey (MLSA Turkey). Why does the state collect and keep all this data on its citizens in the first place? The expectation of data privacy has been so eroded that a lot of experts and the overwhelming majority of citizens did not even think to ask that fundamental question in the first place. So many public and private, legal, and illegal organizations have easy access to the personal data of Turkish citizens that the Ministry of Interior keeping that data seems like the most natural thing in the world.
After the 2023 elections, where the former Istanbul governor Ali Yerlikaya was elected to the office of the minister of interior, the new minister denied that the ministry had ever used the KİM app, implying that it was a personal, not institutional, problem that the former minister had access to the said app. With that, institutional responsibility was waived and any responsibility, legal or otherwise, of using the app was transferred to the person of the former minister Soylu. The question of the use of data was seemingly “resolved.” There is no reason to believe that the ministry still does not store the same data, but nobody talks about it.
It would be easy to blame Turkish citizens, accusing them of not being conscious enough of their rights and entitlements and giving up on online privacy too easily. However, one has to realize that the public reaction of indifference is perfectly reasonable. I am writing here about data privacy, but if someone had a problem with my article and decided to leak my personal information online, I would hardly be shocked, either. It is too normalized, and basic data regarding citizens, like everything valuable that was ever uploaded to the internet, will remain on the internet, easily accessible forever. How to approach this reality is a complex question for the politics of data privacy. On a theoretical level, policies are made with the assumption that private data can be kept private. The reality is far messier.