The FBI approached Microsoft last year with a warrant, asking for keys to unlock encrypted data on three laptops as part of an investigation into potential fraud related to the COVID unemployment assistance program in Guam—and Microsoft complied. Typically, companies push back against giving up encryption keys to authorities. A notable example is Apple, which refused to unlock a phone linked to the San Bernardino shooters in 2016. The FBI eventually found a third-party to hack into the phone but eventually dropped its case. Major tech players like Google and Facebook supported Apple in that confrontation, and even Microsoft backed Tim Cook’s stance, though perhaps not as vigorously as others.
In this situation, however, Microsoft appears to have yielded to government demands. The company confirmed to Forbes that it “does provide BitLocker recovery keys if it receives a valid legal order.” A spokesperson for Microsoft, Charles Chamberlayne, told The Verge that the company is legally obligated to produce the keys stored on its servers.
Chamberlayne elaborated, stating, “Customers can choose to store their encryption keys locally, in a location inaccessible to Microsoft, or in Microsoft’s cloud. We recognize that some customers prefer Microsoft’s cloud storage, so we can help recover their encryption key if needed. While key recovery offers convenience, it also carries a risk of unwanted access.”
Senator Ron Wyden of Oregon responded, calling it “irresponsible” for companies to “secretly turn over users’ encryption keys.” This move has raised alarms among privacy advocates, such as the ACLU, who worry about the precedent it sets and the potential for misuse. The current administration and ICE have shown a lack of regard for data security and the rule of law. Furthermore, Jennifer Granick, the ACLU’s surveillance and cybersecurity counsel, warned Forbes that “foreign governments with questionable human rights records” could also expect Microsoft to surrender keys to customer data.
