'Simply irresponsible': Microsoft confirms it will give your BitLocker encryption keys to the FBI if asked - but there is a way to keep your data private

News
By published

Some call Microsoft move "simply irresponsible"

Privacy
Image credit: Shutterstock (Image credit: Shutterstock)
  • Microsoft confirms FBI can access BitLocker keys via valid legal orders
  • Cloud accounts store unencrypted keys, enabling law enforcement access; local accounts avoid this risk
  • Senator Wyden criticizes practice; FBI requests about 20 keys yearly, mostly unsuccessful

Microsoft has confirmed (via Forbes) it will hand over user BitLocker encryption keys to the FBI if the agency requests them via a valid legal order.

When a person installs Windows 11, they are asked to create a Microsoft account. That account can either be tied to the person’s cloud account, or can be stored locally. In both cases, the account holds all of the user’s data, and is protected by a BitLocker encryption key, a cryptographic key Windows uses to lock and unlock data on a drive protected by BitLocker Drive Encryption.

The cloud account is the default setting. While users can opt for a local one, Microsoft put in extra effort to hide that fact, essentially prodding users towards the cloud-based one.

Convenience and risk

For users with cloud accounts, Microsoft also retains the encryption keys in an unencrypted form, which means the company can technically access user data or provide it to law enforcement when legally required. Obviously, Microsoft frames it as “key recovery”, instead of “backdoor access to people’s data”:

"While key recovery offers convenience, it also carries a risk of unwanted access, so Microsoft believes customers are in the best position to decide... how to manage their keys,” Microsoft spokesperson Charles Chamberlayne told Forbes.

Obviously, the confirmation raised quite a few eyebrows. US Senator Ron Wyden, for example, told Forbes Microsoft's the behavior was “simply irresponsible”:

“Allowing ICE or other Trump goons to secretly obtain a user’s encryption keys is giving them access to the entirety of that person’s digital life, and risks the personal safety and security of users and their families,” he said.

Microsoft says that the FBI makes roughly 20 such requests every year. Most of them can’t be met because people create on-device accounts, instead of cloud ones.

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.