
Microsoft is under scrutiny after it emerged that the company shared encryption keys with US law enforcement, an unusual move that has alarmed privacy experts and reignited the debate over who really controls encrypted data.
According to Forbes staffer Thomas Brewster, Microsoft provided the FBI with BitLocker recovery keys that allowed investigators to unlock data on three encrypted laptops. The request came through a valid search warrant issued in a federal investigation in Guam into alleged fraud in the island’s COVID-19 unemployment assistance program.
The laptops were protected by BitLocker, Microsoft’s full-disk encryption software that is enabled by default on many modern Windows PCs. While BitLocker is designed to keep data safe from unauthorized access, the case shows that security depends heavily on where the recovery key is stored.
Why Microsoft could access the keys
BitLocker users can store recovery keys locally on a USB drive or another device, but Microsoft also encourages users to back them up to its cloud for convenience. That option makes it easier to regain access if a password is forgotten, but it also means Microsoft can access the keys if served with a legal order.
In the Guam case, the recovery keys were stored in Microsoft’s cloud, making it possible for the company to comply with the warrant.
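An added example, not from the article or from Microsoft: a PowerShell script that rotates the recovery password on an already-encrypted volume and keeps the new one only on removable media, so a copy backed up to a Microsoft account during setup no longer unlocks the drive. It assumes the OS volume is C:, an offline USB drive is mounted at E:, and uses the BitLocker cmdlets that ship with Windows; run it from an elevated session.

```powershell
# Added example, not from the article: rotate the BitLocker recovery password on an
# encrypted volume and keep the new one on removable media only, so a copy previously
# backed up to a Microsoft account during setup no longer unlocks the drive.
# Run from an elevated PowerShell session. Assumptions: OS volume C:, offline USB drive E:.
$MountPoint = 'C:'
$BackupPath = 'E:\BitLocker-Recovery-C.txt'   # assumed path on the removable drive

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -ne 'FullyEncrypted') {
    throw "$MountPoint is not fully encrypted (status: $($vol.VolumeStatus)); stopping."
}
if (-not (Test-Path (Split-Path $BackupPath))) {
    throw "Removable drive for the offline copy is not present; stopping."
}

# Record the IDs of the recovery-password protectors that exist today (the ones that
# may already have been escrowed), so the new one can be told apart afterwards.
$oldIds = @($vol.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    ForEach-Object KeyProtectorId)

# Add a fresh 48-digit recovery password before touching the old ones, so the volume is
# never left without a recovery protector.
$after = (Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector).KeyProtector
$new   = $after | Where-Object {
    $_.KeyProtectorType -eq 'RecoveryPassword' -and $_.KeyProtectorId -notin $oldIds
}

# Write the new recovery password to the removable drive only; nothing is sent to the cloud.
@"
BitLocker recovery information for $env:COMPUTERNAME, volume $MountPoint
Key protector ID : $($new.KeyProtectorId)
Recovery password: $($new.RecoveryPassword)
"@ | Set-Content -Path $BackupPath -Encoding ASCII

# Only after the offline copy exists, remove every old recovery-password protector.
# Any escrowed copy of those old passwords can no longer unlock this volume.
foreach ($id in $oldIds) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $id | Out-Null
}

# Verify: exactly one recovery-password protector remains, and it is the one on the USB drive.
$remaining = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($remaining.Count -ne 1 -or $remaining[0].KeyProtectorId -ne $new.KeyProtectorId) {
    throw "Unexpected recovery protector set; inspect with: manage-bde -protectors -get $MountPoint"
}
"Recovery password rotated; offline copy written to $BackupPath"
```

The script cannot reach a copy already stored in the Microsoft account, so that entry should also be deleted from the account’s device page, although after rotation it no longer unlocks the volume in any case.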
Microsoft confirmed the practice to Forbes. “While key recovery provides convenience, it also carries a risk of unwanted access, so Microsoft believes customers are in the best position to decide… how to manage their keys,” Microsoft spokesperson Charles Chamberlayne said.
Chamberlayne added that Microsoft receives around 20 requests for BitLocker keys each year, though many cannot be fulfilled because users did not upload their keys to the cloud.
A rare and notable disclosure
Forbes reports this is the first publicly known case in which Microsoft has handed over BitLocker encryption keys to law enforcement. That detail alone has raised concern among security researchers, who say the decision highlights a design choice that could give Microsoft access to user data.
“This is private data on a private computer and they made the architectural choice to hold access to that data. They absolutely should be treating it like something that belongs to the user,” said Matt Green, associate professor at the Johns Hopkins University Information Security Institute, in comments to Forbes.
Critics call out ‘irresponsible’ design
The news has drawn criticism from privacy advocates and lawmakers who argue that Microsoft is lagging behind its peers in protecting user data. Senator Ron Wyden expressed his disapproval to Forbes, calling the situation a major security lapse.
“It is simply irresponsible for tech companies to ship products in a way that allows them to secretly turn over users’ encryption keys,” Wyden said.
Experts note that while companies like Apple and Meta offer cloud backups, they often rely on “zero-knowledge” architectures. This means the keys themselves are encrypted before they reach the cloud, making it impossible for the company to hand them over to the FBI even if they wanted to.
“If Apple can do it, if Google can do it, then Microsoft can do it. Microsoft is the only company that’s not doing this,” Green said.
He warned that if Microsoft has access to the keys, “eventually law enforcement is going to come.”
The BitLocker Illusion
For many Windows users, especially those on Windows 11, this cloud backup happens by default during setup. Without these keys, the FBI would likely be stuck; a 2025 court document from an ICE forensic expert admitted that the agency did “not possess the forensic tools to break into devices encrypted with Microsoft BitLocker.”
The concern now is that this case sets a precedent. Jennifer Granick, surveillance and cybersecurity counsel at the ACLU, told Forbes that “remote storage of decryption keys could be quite dangerous,” especially when foreign governments with poor human rights records begin making similar demands.
As the case in Guam continues, the tech world is left to wonder whether Microsoft will change its “architectural choice” or whether users will have to take their privacy into their own hands by moving their keys off the cloud and onto physical thumb drives.