Secret U.K. spy order imperils press freedom

New revelations by The Washington Post about a secret spying order in the U.K. should ring alarm bells for journalists everywhere.

On Friday, the Post reported that the U.K. government obtained a secret order requiring Apple to create a “back door” that allows security officials to retrieve all content uploaded to the cloud by any Apple user worldwide. The order doesn’t just require Apple to turn over data from a specific account for a specific criminal case; rather, it “requires blanket capability to view fully encrypted material.”

The target of the order is reportedly Apple’s Advanced Data Protection setting, which uses end-to-end encryption to protect certain data stored in a user’s iCloud account, including notes, photos, and iMessage backups.

If you’re a journalist who follows digital security tips from Freedom of the Press Foundation (FPF), Advanced Data Protection should sound familiar. FPF and other experts frequently recommend that journalists enable it to protect against data breaches, hacking, and government orders demanding journalists’ data. Because Advanced Data Protection end-to-end encrypts more data stored in iCloud, Apple simply doesn’t have access to it and cannot turn it over when governments come knocking or criminals break down the doors.

Why would journalists in the U.K. need to worry about legal orders for their iCloud data? Perhaps because of the U.K.’s excessively harsh secrecy laws that have been used to target the press. Politicians are constantly trying to expand those laws in ways that would criminalize whistleblowing and journalism. Not to mention the fact that the U.K. has illegally spied on journalists to try to uncover their confidential sources in the recent past.

And it’s not just U.K. journalists who need to be concerned. As others have pointed out, once the U.K. claims this power, it will be a hop, skip, and a jump to other countries — including authoritarian ones or ones on their way there — demanding similar powers. It’s not hard to imagine what Russia, China, or the Trump administration would do with a built-in back door that allows them to spy on the encrypted iCloud backups of journalists, dissidents, and government critics.

The U.K. could also use these powers to target journalists in other countries. According to news reports, the U.K. government could issue demands for the data of any iCloud user, not just U.K. citizens, and Apple would be legally prohibited from telling the targeted user about the order.

In theory, then, the U.K. could compel Apple to turn over the iCloud data of journalists living and working in other countries with stronger protections for freedom of the press. The journalists may not know their data has been demanded, so they wouldn’t be able to fight back in court.

That will leave journalists in the U.K. and around the world much less able to protect their confidential data, including the identities of confidential sources. That’s a huge problem for the public’s right to know. Sources who need anonymity won’t be as likely to come forward if they know that governments can glean their identities by spying on journalists.

Case in point: This very news story. We only know about the secret U.K. surveillance order because unnamed sources spoke to journalist Joseph Menn at The Washington Post. U.K. law makes it a crime to reveal it.

If the U.K. government could go digging through Menn’s encrypted iCloud data (or other encrypted services, should the U.K. expand its back door demands) to try to find out his sources’ identities so it can criminally prosecute them, those people will be much less likely to blow the whistle.

Legal demands for data aren’t the only concern for journalists as a result of the U.K.’s order. Bad actors may also try to take advantage of any back door built for the U.K. government by targeting it for hacking. That’s exactly what China did to the legal back door built into the U.S. telecommunications system, which inspired the FBI to encourage Americans to (surprise!) use encryption. The result is a loss of security for journalists and everyone else who relies on Advanced Data Protection.

But foreign governments and hackers may not even need to come in the back door as a result of the U.K. order. Apple is reportedly likely to stop offering Advanced Data Protection in the U.K. rather than comply with the order and break its promise to users that their iCloud data is secure. That’s the right move, and it’s admirable that Apple is refusing to lie to its U.K. users. But it also means that the U.K. government may just have ensured that its own citizens don’t have access to the most secure way to store their iCloud data.

All of this to say, the U.K. is in cloud cuckoo land if it really believes this order will make its citizens safer. The U.K.’s demand that Apple break iCloud encryption by adding a back door is a gift to hackers and dictators around the world, at the expense of U.K. citizens and journalists everywhere.