How a secretive, unknown smartphone app became the center of Turkey’s post-coup crackdown

52

Hamdullah faithfully served his country in the Turkish Armed Forces for more than two decades before retiring as a specialist sergeant. Needless to say, Hamdullah, who requested we only use his first name, was shocked when he suddenly found himself jailed upon suspicion of being a member of a terrorist organization in April of last year.

The charges were based on an unusual piece of evidence: the apparent presence of the messaging app ByLock on Hamdullah’s phone. In September 2017, Turkish courts ruled that having the app was sufficient proof to link one to a network made up of followers of the controversial Islamic cleric Fethullah Gülen, a Turkish national that has lived in Pennsylvania for nearly two decades. The government insists that the Gülen organization was behind a July 2016 coup attempt.

The aborted coup was a disturbing, nearly unbelievable affair. Tanks rumbled over Istanbul’s main bridge spanning the Bosphorus, while jets bombed the parliament in the capital of Ankara. F-16’s zoomed low, creating sonic booms that were initially thought to be explosions. More than 260 were killed before the coup was squelched. The government was quick to blame the followers of Gülen. Once allies of President Recep Tayyip Erdoğan, by early 2014 Gülenists were full-blown enemies of the state, and the government started branding Gülen’s followers as the Fethullah Terror Organization, or FETÖ.

In response to the coup attempt, Erdoğans government instituted a brutal crackdown, in which more 50,000 people were arrested and more than twice that many removed from their jobs in state institutions.

Many of those arrests and dismissals hinged on a previously unheard-of app called ByLock, which Turkish courts have since determined to be adequate evidence for membership in FETÖ. ByLock was released in March 2014 and registered under the name of David Keynes, a naturalized US citizen of Turkish origin who had changed his name. Keynes has said the app was developed by his old roommate, a Gülenist known as “The Fox.” The app was available on a variety of platforms until it was shuttered in early 2016. A standard messaging application along the lines of WhatsApp, ByLock lacks the end-to-end encryption of that popular program.

The app was actually used as a means of communication between Gülenists. “Think about a software that has more than 100,000 users but no one knows about it. The Gülenists use Twitter actively and we only found three tweets about it. So it was definitely covertly distributed among the group for a purpose,” digital forensics engineer and expert witness Tuncay Beşikçi told The Verge.

But even if possession of the ByLock app was reasonable evidence that the phone’s owner was a Gülenist, the ByLock witch hunt ensnared thousands of innocent individuals who had never interacted with the app at all. That included Hamdullah, who had never used ByLock; he didn’t even have the app on his phone. “From the moment I was arrested, I was astonished at what was happening to me,” he told The Verge.

Hamdullah was put behind bars in April 2017 and subsequently stripped of his status as a retired military personnel.

The long list of innocent victims also included people like the self-described anarchist and atheist Ishak Tayak, who was arrested in October 2017 on suspicion of using the app. Tayak swore that he had no connection to any religious organization and rejected the charges against him. Journalist Fatma Karaağaç was fired from her job as a sports presenter on the mainstream Habertürk channel in March 2017 following allegations that she’d used ByLock. She was subjected to harassment from trolls on social media who called her a terrorist and a spy. Semih Babacan, a public school teacher in the southeastern province of Urfa and member of the leftist teachers union Eğitim Sen, was booted from his job in February 2017, though he wasn’t told why. He eventually found out it was due to the suspicion that he was a ByLock user. To make ends meet, Babacan found work as an assistant at an auto repair shop run by a relative.

Emre İper was another innocent victim of the purge. İper is an accountant for the secular, opposition Cumhuriyet daily newspaper, known for its long critical stance against both Erdoğan’s AKP and the Gülenists. İper was arrested in April of last year on suspicion of being a ByLock user, charges which he vigorously denied. Prior to İper’s hearing in last October, Cumhuriyet approached digital forensics expert Beşikçi, who was among a small number of experts who began to recognize a pattern in the ByLock arrests. Beşikçi, a Certified Cyber Forensics Professional (CCFP), has worked with both prosecutors and defense lawyers on high-profile trials. For months, he has found himself embroiled in analyzing the app, becoming an authority on the subject.

Beşikçi analyzed İper’s phone, and though he found no trace of the ByLock app, he did find a music app called Freezy. An app similar to Spotify, Freezy was one of a number of apps that a digital expert in Ankara eventually determined were actually redirecting users to the ByLock server, making it seem like they had used the program even if it wasn’t on their phones. The group of apps is known as “Purple Brain” and included Freezy, a German-Turkish dictionary app, and a used car sales app, among others.

This diversion, according to Beşikçi, was a calculated trap set by the software engineer behind the Purple Brain apps — a Gülenist who once worked for the Scientific and Technological Research Council of Turkey (TÜBITAK) — in order to water down the pool of ByLock users and disguise actual Gülenists.

Other victims began to send Beşikçi their IP records and phones. Beşikçi, a lawyer, and another digital forensics expert were also was able to get the attention of prosecutors, who set up a technical team in Ankara. A budget was reserved for Beşikçi and his colleagues, and they started investigating all the IP records of the victims.

Through his research, Beşikçi also determined that another set of apps, one which pointed toward Mecca and another displaying the five daily Islamic prayer times, had redirected users to the ByLock servers.

On December 27th, Ankara prosecutors revealed that 11,480 people had been wrongfully accused of using ByLock because of redirect measures. İper and Hamdullah were among thousands released from jail or returned to their jobs after their names were cleared. Hamdullah’s retired military personnel status was returned on January 12th, and he was officially acquitted of the charges against him on January 30th.

When journalist Fatma Karaağaç found out her name was on the list of the falsely accused, she fired off a defiant tweet at her former employer: “@Haberturk Want to report on this?” she wrote. Anarchist Ishak Tayak was released from prison after two and a half months of incarceration, and public school teacher Babacan had his job officially reinstated in January.

Though thousands of people have been vindicated, released from jail, reunited with their families, returned to their jobs, and have had their reputations restored, the trauma is evident. The Verge contacted numerous innocent victims for this story, and all but Hamdullah declined to speak about their experiences.

And while it was the Turkish judiciary, under the thumb of Erdoğan and his AK Party, that ultimately accused thousands of using an application they had never heard of, falsely imprisoning them, and, at least temporarily, ruining their lives, their anger seems to be primarily directed at the Gülenists, who they believe set them up.

“The victims, if you ask them who is responsible, why were they in prison, they will blame FETÖ. But the government also made some mistakes while analyzing this group,” Beşikçi said.

Meanwhile, Beşikçi still has his hands full and is in contact with people who may have been falsely determined to have used ByLock but did not appear on the initial list of more than 11,000. He vows to continue working around the clock until all the names of the innocent are cleared.