(By UMAR FAROOQ) In May 2017, Mustafa Yaman, a fifty-one-year-old lawyer in Istanbul, received a troubling phone call from a friend in the Turkish Ministry of Justice in Ankara. Prosecutors were preparing to bring terrorism charges against him, alleging he was part of a religious movement blamed for a bloody attempted coup the year before. The case, Yaman’s source said, was based on evidence that he had used a smartphone app called ByLock, a secure messaging program also allegedly used by the coup plotters. “Beware,” the source told Yaman. “Your phone number is on a list of ByLock users, and it’s going to be a problem.”
Nearly a year before that phone call, on July 15, 2016, Turkey had narrowly avoided what would have been its fourth military coup. Hundreds of thousands took to the streets and confronted soldiers with machine guns, tanks firing into crowds, and fighter jets dropping munitions on government installations. More than 250 civilians were killed. Recep Tayyip Erdoğan, Turkey’s president, quickly blamed Fethullah Gülen, an exiled cleric living in the United States who has a large following among the country’s most educated and conservative, including military officers and civil servants. After the failed coup, Turkey’s fractured political landscape was united in its demand that Gülen and his followers, whom the government alleged were more of a secret cult than a religious movement, be punished. They were declared terrorists, and the country was put under a state of emergency.
Over the next year, Erdoğan’s government, claiming it needed to excise Gülen’s followers to prevent a future takeover, embarked on the largest crackdown in Turkey’s modern history. More than 50,000 people were imprisoned, and another 150,000 purged from the public sector. Most were accused of being Gülenists, but many were not religious at all. The journalists, lawmakers, judges, and prosecutors ousted by the purge included many staunch secularists, leftists, and Kurdish political leaders. In Yaman’s case, he was a leader in the Saadet Party, an Islamist party that often aligned itself with Erdoğan, but which had been vocal in its criticism of Gülen even when he and the president were political allies.
The crackdown was sweeping and cast a huge net, counting as suspected Gülenists anyone who, for example, held an account at Bank Asya, one of Turkey’s largest banks, and allegedly the clearinghouse for Gülen’s multi-billion-dollar business network; or attended one of more than 4,000 educational institutions run by Gülen’s movement; or subscribed to one of Gülen’s newspapers. Prosecutors also sought the arrest of more than 102,000 people who had allegedly used ByLock. They claimed that ByLock, along with a handful of other secure messaging apps, was developed in 2014 by Gülen’s followers—some of whom worked in the Turkish equivalent of the National Security Agency—to communicate among themselves and plot the coup.
A month after receiving the tip from his friend, Yaman was attending a Saadet meeting in Istanbul. After leaving the building, police detained him. A week later, he was moved to a prison. “One hour a day I was let out into a garden, a small open area, with some windows above me. I could talk to other prisoners through those windows,” Yaman said. “Otherwise I was alone.”
Four months into his detention, Yaman finally faced a judge to be charged. There, a prosecutor presented the evidence against him: a report showing that his phone had allegedly accessed the ByLock server. “This was the last crime I ever thought I would be accused of,” Yaman said. “I had never heard of ByLock, and for the last 30 years I had spoken against Gülen. The only evidence [the government had] was that my phone accessed this server 178 times. There were no messages, no information about who I spoke to, or what I said if I had used ByLock.” Based solely on the ByLock allegations, prosecutors sought a 15-year sentence against Yaman for “being a member of an armed terrorist organization.”
Danny O’Brien, international director at the Electronic Frontier Foundation, has spent the past decade tracking how governments use secure communication apps to target political opponents and activists. “Turkey’s use of ByLock in these prosecutions quickly turned from being a way of (allegedly) finding Gülenists, to being used as an exclusive proof of conspiracy,” O’Brien wrote in an email. He said that this is an increasingly common tactic, used by authorities in Iran, Syria, China, and Ethiopia.
“We’ve seen the slow rise in governments not really trying too hard to break the security of an app, but instead switching to just identifying who has the app, and intimidating or arresting them,” O’Brien said. But no government has done it as widely, or as publicly, as Turkey. “Turkey,” he said, “seems to have jumped two steps ahead of everyone else.”
Through means that remain unclear, Turkish intelligence managed to access the ByLock server and its database, which included 215,000 usernames. Around 40,000 of those users could be easily identified because they had used their real names, or identified themselves in the messages they sent, which Turkish investigators were able to partially decrypt. Whoever administered the ByLock server regularly wiped the logs, so Turkish investigators could not simply obtain a list of IP addresses from there. To identify who had accessed the server, investigators analyzed Internet traffic, which, as Turkish law requires, is logged by the country’s Communication Technologies Authority, and made a list of around 102,000 phone numbers that had connected to the ByLock server at some point. This became, in effect, the government’s hit list of suspected Gülenists.
One night last October, Tuncay Beşikçi, a leading digital forensics experts in Turkey, stumbled onto evidence that would undo the case against Yaman, and tens of thousands of others accused of being Gülen’s followers based on alleged usage of ByLock.
Educated in Britain and Sweden, Beşikçi has been a digital forensics consultant for Turkish police, military, and prosecutors. He has also served as a technical expert in some of the most important criminal cases in Turkey over the last decade, both for the defense and prosecution. Before the coup attempt, when prosecutors sought to charge alleged Gülenists for crimes such as wiretapping the phone of the head of national intelligence, or manufacturing evidence against rival military officers, they called on Beşikçi’s expertise.
So Beşikçi was not surprised last fall when he got a call from a defense lawyer representing Emre İper, an accountant at Cumhuriyet, one of Turkey’s leading newspapers. İper’s trial was receiving widespread media coverage because he had been charged with being a follower of Gülen. Yet he worked at a newspaper known for its staunchly secular leanings, equally skeptical of Erdoğan and Gülen. The lawyer told Beşikçi that prosecutors had presented Internet traffic reports, like the one used against Yaman, that proved İper’s phone was connecting to a server in Lithuania hosting ByLock.
Like most people in Turkey, Beşikçi had never heard of ByLock until its name started popping up in cases after the coup attempt. The app first appeared in March 2014 in Google Play, and had few downloads until the end of that year, when it suddenly shot up to more than 100,000 downloads, coinciding with Erdoğan’s victory in the presidential elections and a crackdown against Gülen’s movement. It was a simple app: users created a username, and only needed to know one other user name to activate it. Once two users were connected, any messages they exchanged would be encrypted. Only the two users could read the messages, because only their phones had the proper keys to decipher them.
In November 2014, an obscure blog that claimed to be run by the app developer announced it would no longer support the software, citing unspecified “attacks” from “Middle East countries.” But the app continued to be used, and Turkish intelligence authorities, tipped off by a former Gülenist in custody, worked to hack the app. When the app was finally removed from Google Play and the Apple App Store, it had been downloaded more than half a million times.
Beşikçi and a handful of leading digital forensics experts in Turkey looked through İper’s phone, which his defense attorneys had provided. They found no trace of ByLock. How, then, as the prosecutor’s report showed, had it accessed the ByLock server?
The answer turned out to be buried deep in the source code of another app İper had on his phone—a music-streaming app called Freezy Music, which also had more than half a million downloads. This app was developed by a little-known development group called Mor Beyin (or “Purple Brain”). Mor Beyin had also created a dozen other apps for Android and iOS phones, including one for finding used cars, a few for translating Turkish, and another for calculating daily prayer times. While ByLock was not installed on İper’s phone, Beşikçi figured there might be other apps linked to it, and Freezy Music seemed like a good place to start.
Freezy Music, Beşikçi found, included a line of code that connected to the server hosting ByLock. There was no discernible reason for this connection between Freezy Music and ByLock, Beşikçi said, except that whoever created Freezy Music wanted its users to leave a trace on the ByLock server. As a result, prosecutors would later lump together Freezy Music users with ByLock users, even if they had never downloaded ByLock.
The other apps made by Mor Beyin, Beşikçi later discovered, also contained the same line of code that pinged the ByLock server, but did not send or receive any information. Those discoveries have led Beşikçi to believe that Gülenists are behind the Mor Beyin developer group—that they deliberately create apps to link unsuspecting users to ByLock so that prosecutors would have a much harder time finding the real ByLock users who are in their organization.
The more he looked into the similarities between ByLock and apps such as Freezy Music, the more Beşikçi became convinced they were all made by the same developers. And although the ByLock website was registered to someone in the United States with the American-sounding name of David Keynes, the source code, Beşikçi found, showed the app had been produced in Turkey for Turkish users. While the code relied primarily on widely available software libraries, error messages appeared in Turkish. The style of the code—such as how the programmer decided to tackle common algorithmic problems—Beşikçi said, also resembled the style used in other Mor Beyin apps, including the ones that help the user find the direction to Mecca and remember prayer times. “I think the same people who developed these Mor Beyin apps, also developed ByLock,” Beşikçi said. “I am a programmer myself, so I can see the similarities in the code.”
The night he discovered the evidence showing the Freezy Music app was the reason İper’s phone had connected to the ByLock database, Beşikçi was too frightened to sleep. But in the morning, knowing he had something important, he called up a prosecutor in Ankara and asked to meet. “I was terrified. At that moment I thought they are not going to let me reveal these things,” Beşikçi said. “Bylock is the only evidence [in many cases] and if I say half of these are not correct, it’s going to be chaos in the judicial system.” At the time, journalists in Turkey were being jailed simply for questioning the evidence used to prosecute alleged Gülenists. However, Beşikçi’s track record with the prosecutors gave him credibility.
Over the next few months, he would learn just how careless the Turkish investigators had been in their campaign to use ByLock to root out suspected Gülenists. “It’s been clear from the beginning that [prosecutors] were sloppy in terms of due process, how data was acquired, analyzed, stored,” Nate Schenkkan, the director of Freedom House’s Nations in Transit survey, told me. “In a proper functioning rule of law system, all of these things would be questioned by experts, by an independent court, and challenged by the defense.”
In his conversations with prosecutors, Beşikçi found that a prosecutor in Ankara had already intuited the connection between ByLock and the Freezy Music app more than a year prior. A suspect’s phone did not have ByLock, but their name did appear on the list of those who had accessed the ByLock server. This led the investigator to deduce that the Freezy app must be connecting to the same server, which Beşikçi’s forensic work had confirmed beyond a doubt. In other words, the prosecutor knew they were ensnaring innocent people in their investigations. “But they were so scared of it, because ByLock was the only evidence, and this was just after the coup, so it was a very difficult time to say, look ByLock is being manipulated, so they never told anyone,” Beşikçi said.
Beşikçi presented his findings to the court in the İper trial, but it would take another two months before prosecutors agreed to drop charges against him, and at least 11,480 others who were falsely accused. While Beşikçi faults Turkish investigators for their overzealous crackdown, he believes ultimate blame lies with Gülenists. The developers behind the Mor Beyin app, he says, deliberately set a plan in motion that would put thousands of innocent people in prison as a cover for the Gülen movement.
Turkish prosecutors have named two men, both former employees at Turkey’s top science and technology research agency, as the developers of ByLock, the Mor Beyin apps, and a handful of other communication apps allegedly used by Gülenists. Both are fugitives and believed to have fled Turkey.
After he appeared in the Cumhuriyet trial, Beşikçi received thousands of phone calls and emails from desperate relatives of suspects across the country seeking his help. One woman, he says, took a twelve-hour bus ride across the country, carrying her infant son and her husband’s old phone. “It was the last hope she had, the only evidence that could clear her, and she didn’t want to risk losing it to a delivery company . . . her husband was in prison and she was fired from work because of ByLock,” Beşikçi said.
Beşikçi and the handful of defense lawyers that worked on ByLock have now become overnight celebrities in Turkey. Around a thousand people, including Yaman and İper, have been released from prison so far, but most of the 11,480 others have not. Taner Kılıç, the chair of Amnesty International Turkey, remains in custody facing charges of belonging to Gülen’s organization, despite similar findings by another forensics expert, Koray Peksayar, showing he had never used ByLock. Beşikçi is now working to prove around 20,000 other alleged ByLock users were also falsely accused. Meanwhile, detentions of suspects based on ByLock continue: on April 12, police detained 45 people in Istanbul.
On December 28, 2017, nearly six months after he was detained, Yaman was released and all charges against him dropped. He missed the wedding of his son and the birth of his first grandchild. He believes his phone was listed as having accessed the ByLock server because he used the Mor Beyin app for calculating prayer times.
“They called me a terrorist. I am not a terrorist,” Yaman said. “There are soldiers out there who shot and killed people [the night of the coup attempt], maybe they should be called terrorists, but I am not one, and many other people who are being accused are not either.”