Microsoft handed over BitLocker encryption keys to FBI: Report
What's the story
Microsoft has reportedly provided the Federal Bureau of Investigation (FBI) with recovery keys for its BitLocker hard drive encryption software. The move came in response to a search warrant linked to a fraud investigation in Guam, according to Forbes. This case is one of several instances where Microsoft has provided BitLocker recovery keys to law enforcement, as the company receives around 20 such requests per year.
Encryption risks
BitLocker encryption: A double-edged sword
BitLocker, which comes pre-installed on many Windows PCs, is designed to encrypt a computer's data in case it gets lost or stolen. The encryption can be unlocked with a recovery key stored on the user's device. While this makes data recovery easier if passwords are forgotten, it also means that law enforcement can access user data through legal processes, and hackers could potentially access the data if they compromise Microsoft's cloud infrastructure.
Case details
Federal investigation linked to Pandemic Unemployment Assistance program
The request for BitLocker recovery keys came from a federal investigation into a fraud ring linked to the Pandemic Unemployment Assistance program in Guam. Several people were charged in the case, including family members of the island's Lieutenant Governor, Josh Tenorio. Local news outlets reported last summer that unsealed search warrants showed investigators were seeking BitLocker recovery keys for three computers seized during an FBI raid on a business owned by Charissa Tenorio, the lieutenant governor's sister.
Company stance
Microsoft responds to concerns over key recovery
In response to the concerns raised by cybersecurity experts, a Microsoft spokesperson told Forbes that "While key recovery offers convenience, it also carries a risk of unwanted access." The spokesperson added that "Microsoft believes customers are in the best position to decide... how to manage their keys." They also revealed that Microsoft gets around 20 requests for BitLocker recovery keys each year but can't fulfill those where the keys aren't stored in the cloud.
Security concerns
Cybersecurity experts raise alarms over Microsoft's key recovery process
The news of Microsoft handing over BitLocker recovery keys has raised alarms in the cybersecurity community. Matthew Green, a cryptography expert at Johns Hopkins University, expressed his concerns on Bluesky about how easily authorities were able to obtain the keys. He warned that "anyone who compromises their cloud infrastructure (and customer service infrastructure, or can forge a plausible LE request) can potentially access that data."