Microsoft Gave FBI Keys To Unlock Encrypted Data Exposing Major Privacy Flaw

Channel: Forbes Published: 2026-01-27 749 words Source: auto_caption
Intelligence Operations & Secrecy

Transcript

Here's your Forbes daily briefing for Tuesday, January 27th. Today on Forbes, Microsoft gave FBI keys to unlock encrypted data, exposing major privacy flaw. Early last year, the FBI served Microsoft with a search warrant, asking it to provide recovery keys to unlock encrypted data stored on three laptops. Federal investigators in Guam believed the devices held evidence that would help prove individuals handling the island's COVID unemployment assistance program were part of a plot to steal funds. The data was protected with BitLocker, software that's automatically enabled on many modern Windows PCs to safeguard all the data on the computer's hard drive.

BitLocker scrambles the data so that only those with a key can decode it. It's possible for users to store those keys on a device they own, but Microsoft also recommends BitLocker users store their keys on its servers for convenience. While that means someone can access their data if they forget their password or if repeated failed attempts to log in lock the device, it also makes them vulnerable to law enforcement subpoenas and warrants. In the Guam case, Microsoft handed over the encryption keys to investigators. Microsoft confirmed to Forbes that it does provide BitLocker recovery keys if it receives a valid legal order.

Spokesperson Charles Chamberlayne said, quote, "While key recovery offers convenience, it also carries a risk of unwanted access. So, Microsoft believes customers are in the best position to decide how to manage their keys." He said the company receives around 20 requests for BitLocker keys per year, and in many cases the user has not stored their key in the cloud, making it impossible for Microsoft to assist. The Guam case is the first known instance where the Redmond, Washington, company has provided any encryption key to law enforcement. Back in 2013, a Microsoft engineer claimed he'd been approached by government officials to install backdoors in BitLocker, but had turned the requests down. Senator Ron Wyden said in a statement to Forbes that it is, quote, "simply irresponsible for tech companies to ship products in a way that allows them to secretly turn over users' encryption keys."

He added, quote, "Allowing ICE or other Trump goons to secretly obtain a user's encryption keys is giving them access to the entirety of that person's digital life and risks the personal safety and security of users and their families." This isn't just an issue in the US. Jennifer Granick, surveillance and cybersecurity counsel at the ACLU, noted that foreign governments with questionable human rights records also demand data from tech giants like Microsoft. She said, quote, "Remote storage of decryption keys can be quite dangerous." Law enforcement regularly asks tech giants to provide encryption keys, implement backdoor access, or weaken their security in other ways. But other companies have refused.

Apple, in particular, has repeatedly been asked for access to encrypted data in its cloud or on its devices. In a highly publicized showdown with the government in 2016, Apple fought an FBI order to help open phones belonging to terrorists who shot and killed 14 in San Bernardino, California. Ultimately, the FBI found a contractor to hack into the iPhones. Privacy and encryption experts told Forbes the onus should be on Microsoft to provide stronger protection for consumers' personal devices and data. Apple, with its comparable FileVault and password systems, and Meta's WhatsApp messaging app also allow users to back up data on their apps and store a key in the cloud.

However, both also allow the user to put the key in an encrypted file on the cloud, making law enforcement requests for it useless. Neither is reported to have turned over encryption keys of any kind in the past. Matt Green, a cryptography expert and associate professor at the Johns Hopkins University Information Security Institute, said, quote, "This is private data on a private computer, and they made the architectural choice to hold access to that data. They absolutely should be treating it like something that belongs to the user." Professor Green added, quote, "If Apple can do it, if Google can do it, then Microsoft can do it. Microsoft is the only company that's not doing this. It's a little weird. The lesson here is that if you have access to keys, eventually law enforcement is going to come."

For full coverage, check out Thomas Brewster's piece on Forbes.com. This is Kieran Meadows from Forbes. Thanks for tuning in.