The FBI went to Microsoft last year with a warrant, asking them to hand over keys to unlock encrypted data stored on three laptops as part of an investigation into potential fraud involving the COVID unemployment assistance program in Guam — and Microsoft complied.
Typically, companies resist handing over encryption keys to authorities. Most famously, Apple refused to grant the FBI access to a phone used by the San Bernardino shooters in 2016. The FBI eventually found a third-party to hack their way into the phone, but ultimately withdrew its case. Most of the major tech companies, including Google and Facebook backed Apple in its battle with the FBI. Even Microsoft supported Tim Cook’s position, if a bit less forcefully than some others.
In this instance, however, it seems that Microsoft has decided to bow to government demands and confirmed to Forbes that it “does provide BitLocker recovery keys if it receives a valid legal order.” Microsoft spokesperson Charles Chamberlayne told The Verge that Microsoft is legally required to produce the keys stored on its servers.
Chamberlayne ellaborated saying, “customers can choose to store their encryption keys locally, in a location inaccessible to Microsoft, or in Microsoft’s cloud. We recognize that some customers prefer Microsoft’s cloud storage so we can help recover their encryption key if needed. While key recovery offers convenience, it also carries a risk of unwanted access.”
Senator Ron Wyden of Oregon countered, telling Forbes that it was “irresponsible” for companies to “secretly turn over users’ encryption keys.”
What alarms privacy advocates like the ACLU is the precedent this sets and the potential for abuse. The current administration and ICE have shown little respect for data security or the rule of law. And beyond American borders, Jennifer Granick, surveillance and cybersecurity counsel at the ACLU, told Forbes that “foreign governments with questionable human rights records” may also expect Microsoft to hand over keys to customer data.
