Apple announced today via an open letter to their customers that they would not be complying with a court order to “assist in the enabling of the search of a cellular telephone”. This particular phone was owned by one of the San Bernardino shooters.

Part of Apple’s letter states:

Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation. In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone’s physical possession.

It would be reasonable at this point to ask the question, “What’s the big deal, Apple?” Especially when Apple says in the previous paragraph, “We have great respect for the professionals at the FBI, and we believe their intentions are good.”

Here’s why this is a Big Deal, and why Apple giving in and creating such a piece of software truly is a Nightmare Scenario:

1. Apple can’t Just Decrypt This Phone

The FBI has already asked Apple to do this, and they said it’s not possible. Since iOS 8 was released, all iOS devices encrypt their contents with a combination of data that’s only on the device. Apple doesn’t have this data, and they can’t retrieve it, even if they wanted to. The only way to decrypt the phone is by entering the passcode.

2. The FBI can’t Guess the Passcode

The phone only allows 10 wrong guesses before it will erase its contents, and entering the code requires physically tapping on the screen, a process which takes several seconds per attempt. Even if there was not a 10 try limit, it would take years for the FBI to try every combination.

3. What the FBI Wants from Apple

The court order demands apple do 3 things:

  1. Turn off the Auto-Erase function.
  2. Allow passcodes to be entered electronically.
  3. Ensure that passcodes can be entered as quickly as possible by the software (no added delay).

4. How Apple Could Comply

Because the security features are a built-in part of iOS, the only way they could be bypassed would be for Apple to build a custom version of iOS that removed these security measures. Then, this custom version would have to be installed on the phone in question, where it would then allow the FBI to run their own software to attempt to guess the passcode. It is not clear if the FBI would be successful in this endeavor even given the opportunity.

5. Why Compliance Would be a Nightmare Scenario

If Apple were to create a version of iOS that could remove these security features when installed, then you can rest assured that it would only be a matter of months before:

  1. Other law enforcement agencies would demand access to this software to attempt to unlock phones for all sorts of petty crimes.
  2. Those same law enforcement agencies would immediately lose possession of the software to malicious parties.
  3. Exploits would appear online, tricking users into “upgrading” their phones to use this insecure software, making it instantly accessible to malicious hackers the world over.

The bottom line is that this is pandora’s box. If Apple creates a piece of software to turn off all these features, then the features might as well not exist for anyone, and that software will absolutely be used for evil in short time.

None of this addresses what is arguably a bigger issue: Whether or not government should be able to force companies to create new products with the purpose of rendering old products insecure and/or for the explicit purpose of acquiring their customers’ private data.