Microsoft hands over BitLocker keys to FBI, exposing users to major privacy flaw

Microsoft handed over BitLocker recovery keys to the FBI after it was served with a valid warrant, exposing Windows users’ privacy. The disclosure comes after an FBI investigation in Guam, where Microsoft supplied encryption keys to unlock three suspects’ laptops in a Guam fraud case.

Federal investigators in Guam believed the laptops included information that would prove individuals in charge of the island’s COVID-19 unemployment aid program were involved in a scheme to embezzle money.

Microsoft BitLocker key disclosure sparks global privacy concerns 

Microsoft provided the recovery keys to FBI investigators because the data was protected with BitLocker. This software protects all of the data on the computer’s hard disk and is automatically activated on many contemporary Windows PCs. Data is jumbled by BitLocker so that only those with the key can decipher it.

Although users can keep their keys on a personal device, Microsoft advises BitLocker customers to store their keys on its servers for easier management. This puts people at risk of lawsuits and law enforcement warrants, even though it also means they can access their data if they forget their password or lock the device after multiple unsuccessful login attempts.

The Redmond, Washington corporation has never before given law enforcement an encryption key, as far as is known, until the Guam case, where it handed over the encryption keys to investigators. However, Microsoft confirmed that it does offer BitLocker recovery keys in the event of a legitimate court order. 

Chamberlayne added that Microsoft receives about 20 requests for BitLocker keys annually. In many of these cases, customers have not saved their keys in the cloud, leaving the company unable to assist.

However, handing over the keys to law enforcement sparked privacy concerns. In a statement made by Senator Ron Wyden to Forbes, it is “simply irresponsible for tech companies to ship products in a way that allows them to turn over users’ encryption keys secretly. He went on to say that allowing ICE or other Trump thugs to steal a user’s encryption keys puts users’ and their families’ personal safety and security at risk and gives them access to the user’s entire digital existence.

This problem is not limited to the United States. The ACLU’s surveillance and cybersecurity counsel, Jennifer Granick, noted that countries with questionable human rights records also request data from tech giants like Microsoft. She added that storing decryption keys remotely can be very risky.

One participant on Hacker News claimed that the problem was that Microsoft already had those keys. If the key is accessible and free to use, what good is encryption? iCloud Email is the same, the user added.

The user also argued that human-made laws and regulations cannot provide privacy because they are abused and subject to change. The source of privacy is mathematics, which disregards rules and regulations.

Global governments push tech companies for encryption backdoors

Law enforcement frequently requests encryption keys, backdoor access, or other security flaws from computer corporations. Apple has been repeatedly asked for access to encrypted data in its cloud or on its devices. In October of last year, the UK government renewed its confrontation with Apple over access to customer data. The government demanded a backdoor into the tech company’s cloud storage servers, targeting only British users.

In a widely reported confrontation with the government in 2016, Apple resisted an FBI order to assist in opening the phones of terrorists who shot and killed 14 people in San Bernardino, California. In the end, the FBI managed to get a contractor to breach the iPhones.

In a separate report in April of last year, Florida lawmakers unanimously approved a draft bill that would mandate that social media companies provide law enforcement officers with access to user accounts through encryption backdoors.

Don’t just read crypto news. Understand it. Subscribe to our newsletter. It's free.