Be careful what you say about data leaks in Turkey, new law could mean prison for reporting hacks

The Turkish government is proposing a controversial new cybersecurity law that could make it a criminal act to report on data breaches. 

The new legislation proposes penalties for various cybersecurity-related offences. But they key one which has people concerned is this:

“Those who carry out activities aimed at targeting institutions or individuals by creating the perception that there has been a data breach in cyberspace, even though there has been no data breach, shall be sentenced to imprisonment for a term of two to five years.”

The problem is, of course, that such a law may discourage the reporting of any potential data leaks. 

Opposition leaders in Turkey have criticised the legislation as a way to stifle journalism and free speech, arguing that it could be used to target journalists or individuals who report on suspected data breaches or cybersecurity vulnerabilities, even if their reporting is accurate. 

It’s easy to see how journalists – concerned that they could face a jail term if their reporting is flawed, or if the authorities simply deny a breach has occurred – could choose not to report on the topic at all. 

The new legislation has been proposed in Turkey amid a background of journalists being intimidated in the country. 

Turkish journalist İbrahim Haskoloğlu announced he was leaving the country last month following what he described as mounting death threats. In April 2022, Haskoloğlu reported on how hackers had stolen sensitive personal information from government websites, including the ID cards of President Erdoğan and the head of Turkey’s national intelligence agency, Hakan Fidan. 

In the wake of his report, Haskoloğlu was arrested, and prosecutors sought a 12 year prison sentence, alleging he had illegally obtained and spread personal information. 

Some suspect that the new legislation is being introduced as a response to Haskoloğlu’s findings. 

One thing is clear. It is not going to improve the state of cybersecurity if those who attempt to raise concerns are silenced by accusations that they are creating unnecessary panic or damaging the reputations of institutions. 

There has been a long history around the world of whistleblowers and cybersecurity researchers raising concerns about data security, and defences improving as a direct result. The people of Turkey will be poorly-served if their government discourages reporting of vulnerabilities and security failures just to save its face. 

It is a sorry state of affairs if more attention is given to punishing those who report on poor security, hacks, and breaches rather than the cybercriminals who commit the crimes themselves.

Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor and do not necessarily reflect those of Tripwire.