15 votes

Microsoft Gave FBI Keys To Unlock Encrypted Data

6 comments

  1. post_below

    Microsoft confirmed to Forbes that it does provide BitLocker recovery keys if it receives a valid legal order. “While key recovery offers convenience, it also carries a risk of unwanted access, so Microsoft believes customers are in the best position to decide... how to manage their keys,” said Microsoft spokesperson Charles Chamberlayne.

    He said the company receives around 20 requests for BitLocker keys per year and in many cases, the user has not stored their key in the cloud making it impossible for Microsoft to assist.

    Just a heads up. For the moment it's still possible to use Windows without being logged in to a MS account and, even if you are logged in, you can choose not to store your BitLocker keys in the account.

    12 votes
  2. stu2b50

    Title feels a bit weird (and by weird I mean inflammatory). I feel like it would be better worded "Microsoft states that they would hand over BitLocker recovery keys upon subpoena by US law enforcement".

    Which is also.. like, yeah, they're legally obligated to do so.

    8 votes
    1. DeaconBlue

      An inflammatory title might be the best way to get people to read instructions on how to disable this function.

      3 votes
  3. donn
    (edited)

    Apple is also vulnerable to [EDIT: subpoenas similar to] this unless you turn on "Advanced Data Protection" btw, so Mac folks on here may want to make sure that's turned on: https://support.apple.com/en-us/108756

    It is unavailable only in the United Kingdom because it is illegal under the Investigatory Powers Act.

    6 votes
  4. DrTacoMD
    (edited)

    If I'm reading this right, this largely lines up with the position that Apple has taken as well, along with other big tech companies. When a company has possession of a decryption key, they are legally required to turn it over when presented with a warrant.

    The big fight from a few years back was the government demanding that Apple unlock a device they didn't have the key to, specifically by creating a bespoke version of the OS that would allow the FBI a backdoor of sorts.

    EDIT: To clarify, I'm not suggesting that this is good or okay, or that I support this kind of seizure. I'm glad that the news is highlighting the risk of allowing any third party to have access to your device's decryption keys.

    3 votes
    1. donn
      (edited)

      The demand from the FBI back then was updating the software to remove the timeout between password attempts. Phone PINs can be cracked within seconds without this limitation because they're on average 4-6 digit numbers.

      EDIT: Forgot a detail, usually 10 failed attempts would also trigger the Secure Enclave to delete encryption keys, essentially wiping the device. They requested that be removed too iirc.

      7 votes