37
votes
Microsoft gave FBI keys to unlock encrypted data
Link information
This data is scraped automatically and may be incorrect.
- Title
- Microsoft Gave FBI BitLocker Encryption Keys, Exposing Privacy Flaw
- Authors
- Thomas Brewster
- Word count
- 1092 words
Just a heads up. For the moment it's still possible to use Windows without being logged in to a MS account and, even if you are logged in, you can choose not to store your bitlocker keys in the account.
Apple is also vulnerable to [EDIT: subpoenas similar to] this unless you turn on "Advanced Data Protection" btw, so Mac folks on here may want to make sure that's turned on: https://support.apple.com/en-us/108756
It is unavailable only in the United Kingdom because it is illegal under the Investigatory Powers Act.
Title feels a bit weird (and by weird I mean inflammatory). I feel like it would be better worded "Microsoft states that they would handover BitLocker recovery keys upon subpoena by US law enforcement".
Which is also.. like, yeah, they're legally obligated to do so.
An inflammatory title might be the best way to get people to read instructions on how to disable this function.
I just used (part of) the title from the article. I'm not attached to it if someone wants to change it.
However it's technically accurate, the article talks about specific examples.
If I'm reading this right, this largely lines up with the position that Apple has taken as well, along with other big tech companies. When a company has possession of a decryption key, they are legally require to turn it over turn it over when presented with a warrant.
The big fight from a few years back was the government demanding that Apple unlock a device they didn't have the key to, specifically by creating a bespoke version of the OS that would allow the FBI a backdoor of sorts.
EDIT: To clarify, I'm not suggesting that this is good or okay, or that I support this kind of seizure. I'm glad that the news is highlighting the risk of allowing any third-party to have access to your device's decryption keys.
The demand from the FBI back then was updating the software to remove the timeout between password attempts. Phone pins can be cracked within seconds without this limitation because they're on average 4-6 digit numbers.
EDIT: Forgot a detail, usually 10 failed attempts would also trigger the secure enclave to delete encryption keys, essentially wiping the device. They requested that be removed too iirc
Honestly, this isn't shocking or surprising and doesn't trigger any righteous outrage in me at all, despite being very pro privacy.
Companies are required to hand over info on their users if they receive a court order to do so. I don't think I have any issue with that. If someone is being investigated for murder or child exploitation or mass terrorism, I think the government should be allowed, with a formal process requiring a warrant from a judge, to be able to seize that data, just like I think they should be allowed to enter someone's house and search the premise.
I don't think that compaines should be compelled to build features that would compromise the security of their products to allow the government to do that though.
I don't see any way that Microsoft could simultaneously back up people's recovery keys so that they're able to hand them over to users on request while also not allowing themselves access to that key. You could end to end encrypt them... But then you just have a new key the user needs to remember. Not very helpful.