Media reports revealed that last year, Microsoft provided law enforcement with encryption keys to unlock the laptops of Windows users accused of fraud. This is the first publicly known case of the company handing over BitLocker keys to authorities.
According to Forbes, the story began with a case in Guam, where defendants allegedly fraudulently received unemployment benefits during the coronavirus pandemic. The devices seized from the suspects were found to be protected with BitLocker, and Microsoft ultimately provided the encryption keys to investigators.
BitLocker, the drive encryption built into Windows, comes in two forms: the simplified, automatic Device Encryption found on consumer devices, and full BitLocker Drive Encryption. In both, Windows backs the recovery key up to Microsoft's servers by default when the user is signed in with a Microsoft account.
"If you use a Microsoft account, your BitLocker recovery key is typically linked to your account and can be retrieved online," the company's documentation explains.
There are alternatives: the key can be saved to a flash drive, saved to a file, or printed. However, the company steers users towards letting it hold the key because that is more convenient. The cost of that convenience is that the user no longer solely controls who can decrypt the disk.
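The practical consequence of the escrow described above is that a recovery password created when the volume was first encrypted may already sit in a Microsoft account. The following is an added example, not code from the article or from Microsoft: an elevated PowerShell script that creates a new 48-digit recovery password, stores it on removable media, verifies the offline copy, and only then deletes the old recovery-password protectors, so that any escrowed copy of the old password can no longer unlock the volume. The system volume `C:` and the removable drive `E:` are assumptions; adjust them before running.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or Microsoft): rotate a BitLocker
# recovery password and keep the only copy of the new one offline.
# Assumptions: the protected volume is C: and a removable drive is mounted at E:.

$MountPoint  = "C:"
$OfflineCopy = "E:\bitlocker-recovery-$($env:COMPUTERNAME).txt"   # assumed removable drive

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -eq "FullyDecrypted") {
    throw "$MountPoint is not BitLocker-protected; nothing to rotate."
}

# A TPM, PIN, password or startup-key protector must remain; otherwise deleting
# the recovery password would leave the volume with no way to unlock it.
$unlockProtectors = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -ne "RecoveryPassword" })
if ($unlockProtectors.Count -eq 0) {
    throw "Only recovery-password protectors present; add a TPM or password protector first."
}

# Record the recovery-password protectors that exist now. Any of them could have
# been uploaded to a Microsoft account when the volume was first encrypted.
$oldRecovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" })
$oldIds      = @($oldRecovery | ForEach-Object { $_.KeyProtectorId })
Write-Host ("Existing recovery-password protectors: {0}" -f $oldRecovery.Count)

# 1. Create a fresh recovery password. BitLocker wraps the volume master key with
#    it; the old password(s) remain valid until step 3 removes them.
$vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$new = $vol.KeyProtector | Where-Object {
    $_.KeyProtectorType -eq "RecoveryPassword" -and $_.KeyProtectorId -notin $oldIds
}
if (-not $new) { throw "New recovery-password protector not found." }

# 2. Write it to the removable drive, then read it back and check both the
#    format (eight groups of six digits) and the value before trusting the copy.
if (-not (Test-Path (Split-Path $OfflineCopy))) { throw "Offline drive for $OfflineCopy is not mounted." }
"BitLocker recovery key for $env:COMPUTERNAME volume $MountPoint",
"Protector ID: $($new.KeyProtectorId)",
"Recovery password: $($new.RecoveryPassword)" | Set-Content -Path $OfflineCopy -Encoding ASCII

$text  = Get-Content -Path $OfflineCopy -Raw
$saved = if ($text -match 'Recovery password: (\S+)') { $Matches[1] } else { $null }
if ($saved -notmatch '^(\d{6}-){7}\d{6}$' -or $saved -ne $new.RecoveryPassword) {
    throw "Offline copy does not match the new protector; aborting before old protectors are removed."
}

# 3. Remove the old recovery-password protectors. Whatever copy of them exists
#    elsewhere, including in a Microsoft account, can no longer unlock the volume.
foreach ($p in $oldRecovery) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
}

# 4. Show what is left: the unlock protector(s) plus exactly one recovery password.
(Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId
```

Rotation makes the escrowed copy useless but does not remove it from the account; delete the stale entry on the recovery-key page of the Microsoft account afterwards, and check the same page to confirm that Windows did not upload the new password as well. Keep the removable drive somewhere the laptop is not, since a recovery key stored next to the device defeats the purpose of rotating it.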
Apple offers a similar escrow: a Mac's FileVault recovery key can be stored in the user's iCloud account. iCloud itself has two modes, Standard Data Protection and Advanced Data Protection. Under the standard mode, Apple holds the keys to most iCloud data (notable exceptions include passwords and the keychain); under Advanced Data Protection, it holds keys only for Mail, Contacts and Calendar.
Microsoft and Apple are obligated to comply with lawful government requests for data. A company can decline to produce keys only when it does not hold them. Apple explicitly states in its guidance to law enforcement: "All iCloud data is further encrypted on our servers. For data that Apple can decrypt, encryption keys are stored in data centers in the United States. Apple does not receive or store keys for customer data protected by end-to-end encryption."
With BitLocker, things are different. Microsoft holds a copy of the recovery key whenever the user backed it up to a Microsoft account during setup, which is what the default flow encourages. In its guidance for law enforcement, the company states:
"We don't provide government agencies with our encryption keys or the ability to break encryption. In most cases, Microsoft securely stores customers' encryption keys by default. Even the largest enterprise customers typically prefer that we store their keys to prevent accidental loss or theft. However, in many cases, we also offer consumers or organizations the option to store their own keys themselves, in which case Microsoft does not store copies."
According to its most recent government requests report (covering July to December 2024), Microsoft received 128 requests from law enforcement, 77 of which came from the US government. Only four requests during this period resulted in data disclosures: three in Brazil and one in Canada.
"With BitLocker, our customers can choose to store their encryption keys locally, in a location Microsoft can't access, or in the Microsoft cloud. We understand that some customers prefer Microsoft cloud storage so we can help them recover their encryption key if needed. While key recovery is convenient, it also carries the risk of unwanted access, so Microsoft believes customers should be able to decide for themselves whether to store their keys or manage them themselves," Microsoft representatives commented.
Source: xakep.ru