Features – Like Backdoors – Are Forever

The news this week has been full of stories about Apple's resistance to a court order demanding they build a custom backdoor to a phone used by one of the San Bernardino suspects.

While I will leave deep analysis of the legal situation to experts of that domain, I believe that this instance holds valuable lessons for all software teams. One lesson in particular helps us understand why the creation of such a backdoor would inevitably become dangerous for innocent users.

Image of colorful doors Colorful doors in the UK, by Paul McIlroy under CC BY-SA 2.0.

People love useful software

Put simply: once a piece of useful software is created, its users won't want to give it up.

This is a phenomenon that is well-understood by many experienced software teams. It's part of why long-lived programs like Microsoft Word have so many features. There are strong incentives to add new functionality: niche users request them, salespeople see them as a competitive advantage, and developers get to work on building fun new things instead of just maintaining someone else's code. The incentives to remove functionality – making code simpler and faster, making the commonly-used tasks easier to find and use – are far outweighed by the pain that users experience when a beloved feature is taken away.

This is one reason that a human-centered design process is helpful. Working first to understand users' needs allows a team to start by developing a simple, well-targeted piece of software, rather than throwing a hodgepodge of features against the wall to see what sticks. Once a feature has hit the wall, chances are there are some users somewhere who see it as the product's core advantage – and would be sorely disappointed if it was ever taken away.

The moral is thus: always assume that people will use software more than you expect, and become attached to it in ways that you can't foresee. Don't ship software that you don't want to see used in new, creative, expansive ways.

Backdoors: popular to a fault

We can view a backdoor that circumvents the iPhone's security measures to be a software feature just like any other. If an entity like the FBI was able to get privileged access an iPhone for the San Bernardino case, it is safe to assume that they and other law enforcement entities would want to do so again for future cases – they wouldn't want to give such a useful feature up.

As the demand increased it would be hard to continue treating the backdoor software with tremendous care. More people at Apple would have to be given access to it to satisfy demand, or perhaps Apple would share the software with the law-enforcement agencies so they could take on the burden of fulfilling access requests directly.

As more people gained access to the software, the probability of malicious actors also gaining access would go up. It's hard to keep something that lots of people use every day secret. Given how much juicy data the backdoor could ultimately give access to, we have to assume that it would only be a matter of time before the backdoor was stolen and released into the wild.

Backdoors, like any software feature, will always become popular. If you don't want lots of people using them in new and unexpected ways, it's better to just not create them in the first place.


Some Of Our 2015 Favorites

2015 was our first full year in operation, and we’ve come a long way! Looking back at the past twelve months, here are some resources that we’ve found to be particularly useful (or entertaining). Let us know your favorites on Twitter! Ame’s picks Thinking back on 2015, I’m really glad to be part of Simply Secure and for the opportunity to be an evangelist for design. I’m thankful for resources that make design easier.

Your Software Can Help At-risk People, Too

Web browsers are utility software; they are designed to work for all people. Not only must their features meet the needs of average members of a population, they must also work for people with special needs. As Firefox says on its mobile accessibility features page, the browser has been "designed to meet the needs of the broadest population possible," but "sometimes that is not enough." In particular, software that is built for everyone can too often leave people with specific security or privacy needs at risk.

Notes on the O'Reilly Design Conference

Last week I went to the O'Reilly Design Conference and enjoyed learning about emerging UX trends. The conference was full of high-quality presentations on UX practice. Here are three of my favorite talks. The Many Minds of the Maker Knight-Mozilla Fellow Livia Labate shared examples of how designers can overcome barriers to learning code. Her experiences from the pragmatic (no you don't need to learn Rails) to the philosophical (to be good at something, be bad at it first) are relevant to people beyond designers.