The FBI’s iPhone Backdoor Would Compromise Security For Everyone

The FBI wants Apple to produce a special version of its iPhone operating system that will allow them to hack into the phone of Syed Farook, one of the San Bernardino terrorists. They’ve generally been trying to portray this as a limited request that applies to just one case, but in testimony before Congress today they acknowledged explicitly that this isn’t true:

FBI Director James B. Comey appeared first, and while the Justice Department has tried to cast the issue as narrowly focused on one iPhone, he acknowledged early in the hearing that if the government succeeds in this case it could set a precedent for other cases.

….Comey acknowledged in his testimony Tuesday afternoon that this case could potentially set a precedent, pointing out that the same could be true of the ruling a day earlier in New York. “That’s just the way the law works, which I happen to think is a good thing,” he said.

If the federal government prevails here, Comey said they could go back and seek assistance in unlocking other devices in the future. But he also said that the larger questions about balancing encryption and the needs of law enforcement would not be resolved by a decision here.

This is the fundamental problem. When most people think about a “backdoor” for an encrypted device, they picture a master password of some kind. The danger, of course, is that if one person has that password, someone else might be able to get hold of it too.

But backdoors come in lots of flavors. The FBI wants a special version of iOS that allows them to try thousands of passcodes without bricking the phone. But engineers have to write that code. It gets stored in Apple’s version control system. Maintenance engineers update it when new iPhones come out. Librarians keep track of it. Other librarians make sure it’s backed up. That’s a lot of people who know how to access a very valuable piece of code. How safe do you think it would  be?

No telling. And even if you trust Apple’s legendary security, how about Microsoft’s? Or Google’s? Or Samsung’s? Once you build a backdoor, you’ve compromised security for everyone. This is the problem Congress has to deal with.