Turkey Abused Western Dual-Use Technology to Inject Spyware

Turkey’s leading internet service provider, Turk Telekom, in which the Turkish government owns a minority golden share, has been reportedly using web-filtering technology to install spyware on customers’ computers – an allegation the company denies. The Citizen Lab, an award-winning digital freedom watchdog at the University of Toronto, announced on March 9 that Turkish internet users who sought to download popular programs, including Skype and Avast Antivirus, were being redirected surreptitiously to versions of those applications bundled with spyware. To manipulate Turk Telekom customers this way, spyware operators appears to have used British, Canadian, German, and U.S. hardware and technology currently not subject to export-control laws.

According to the Citizen Lab, the spyware operators targeted IP addresses in five cities, including the country’s capital Ankara and the city of Adana, home to the Incirlik Air Base and the U.S. 39th Air Base Wing. To embed the spyware, the Turkish operators used “deep packet inspection” middleboxes –networking equipment that examines and manipulates web data – built by a Canadian-American company and intercept technology developed by an Anglo-German firm that sells its products “exclusively to government law enforcement and intelligence agencies.” Although these technologies have legitimate uses to improve network security and performance, authoritarian regimes exploit them for censorship and eavesdropping.

Turkey’s strongman Recep Tayyip Erdogan has long received criticism for his ongoing crackdown on digital freedoms. Freedom House, in its latest “Freedom on the Net” study, ranked Turkey as “not free” and reported that “internet freedom sharply declined in 2017.” Ankara’s mass censorship of the internet continues to deter conscientious technology experts from offering their services to the Turkish government. In April 2017, a senior technical engineer resigned from a U.S. technology firm, complaining that the company was selling a deep packet inspection product to Turkey “for extracting usernames and passwords from unencrypted traffic.” Following threats of resignation from other engineers, the company outsourced the implementation of Turkey’s controversial mass surveillance system to a Canadian software development company.

The Turkish government’s latest attempt at wide-scale spyware injection illustrates a worrying trend that necessitates improved regulation of military-civilian dual-use technologies in the West. Comprehensive export-control reform appears to be out of reach as an immediate solution. However, introducing compulsory self-identification and reporting requirements for intercept, filtering, and deep packet inspection service providers could ensure greater transparency. Furthermore, providing victims of authoritarian regimes access to remedy through civil and criminal litigation against dual-use technology companies can encourage industry self-regulation and corporate social responsibility through the adaption of terms of service (TOS) agreements.

TOS agreements are voluntary rules delineated by manufacturers that clients need to abide by before using a service. By altering the existing TOS agreements to state that any attempts to use their product for malicious purposes would be in violation of the agreement, manufacturers would attain the ability to revoke software licenses for products while also protecting their brands and reputation.

In the absence of comprehensive export-control reform, compulsory reporting requirements, and effective industry self-regulation, authoritarian regimes such as Turkey will continue their abuse of Western dual-use technology for mass censorship and wide-scale surveillance. For the time being, the awareness raising and global shaming efforts of the Citizen Lab and other digital rights watchdogs will be one of the few deterrents against such malfeasance.

Aykan Erdemir is a former member of the Turkish parliament and a senior fellow at the Foundation for Defense of Democracies, where Trevor Logan is a research associate focused on cyber issues. Follow them on Twitter @aykan_erdemir and @TrevorLoganFDD.

Follow FDD on Twitter @FDD. FDD is a Washington-based, nonpartisan research institute focusing on national security and foreign policy.