The headline is misleading. It says that Microsoft will provide the key if asked, but the linked statement to Forbes says Microsoft will provide the key if it receives a valid legal order.
These have different meanings. Microsoft is legally entitled to refuse a request from law enforcement, and subject to criminal penalties if it refuses a valid legal order.
It does illustrate a significant vulnerability in that Microsoft has access to user keys by default. The public cannot be sure that Microsoft employees or criminals are unable to access those keys.
Nah, you’re just not reading carefully. You must parse everything about this stuff carefully as the words are always crafted. It’s usually more productive to read with a goal to understand what isn’t said as opposed to what is said.
They said “legal order”, which includes a variety of things ranging from administrative subpoenas to judicial warrants. Generally they say warrant if that was used.
A “request” is “Hi Microsoft man, would you please bypass your process and give me customer data?” That doesn’t happen unless it’s for performative purposes. (Like when the FBI was crying about the San Bernardino shooter’s iPhone) Casual asks are problematic for police because it’s difficult to use that information in court.
What exactly was requested sounds fishy as the article states that Microsoft only gets 20 a year, and is responsive to 9 or fewer requests. Apple seems to get more and typically is more responsive. (https://www.apple.com/legal/transparency/us.html)
The other weird thing is that the Microsoft spokesman named in the Forbes article is an external crisis communications consultant. Why an use external guy firewalled from the business for what is a normal business process?
> Microsoft is legally entitled to refuse a request from law enforcement, and subject to criminal penalties if it refuses a valid legal order.
This is a problem, because Microsoft operates in a lot of jurisdictions, but one of them always wants to be the exception and claims that it has jurisdiction over all the others. Not that I personally am of the opinion, that it is wise for the other jurisdiction to trust Microsoft, but if MS wants to secure operating in the other jurisdiction it needs to separate itself from that outsider.
Note that they say "legal order" not, specifically, "warrant". Now remember that government agencies have internal memos instructing them that no warrants are needed for them to do things like the 4th amendment, stop citizens, detain citizens, "arrest" citizens, etc.
Exactly. The discussion should center on the fact that Microsoft's shift was a contingency, not a technical necessity. It cannot have escaped them that their design choices create a legal point of entry for data requests that they are then obligated to fulfill, which would not have been the case with proper end-to-end encryption; in that case they would have told authorities that they simply cannot fulfill these requests.
Crucially, the headline says Microsoft will provide the key if asked by the FBI, which implies a state entity with legal power that extends beyond a typical person's assumptions of "rule of law" and "due process," let alone ethics.
The latter is not news, it's the way it has been for quite some time, not just for IT providers, but for businesses in general.
If you are running any kind of service, you should learn how warrants work in the country you are hosting in, come the time, if your service grows, eventually you will have to comply with an order.
If you want anything else you will have to design your system such that you can't even see the data, ala Telegram. And even then, you will get into pretty murky waters.
That's a distinction without a difference. Microsoft should structure Windows such that they're unable to comply with such an order, however legal. There are practical cryptographic ways to do it: Microsoft just doesn't want to. Shame on them.
Microsoft is legally entitled to refuse absent a warrant, but generally all it takes is a phone call from the FBI to get big tech to cough up any authenticating info they actually have.
> The headline is misleading. It says that Microsoft will provide the key if asked, but the linked statement to Forbes says Microsoft will provide the key if it receives a valid legal order.
This is an odd thing to split hairs over IMO. Warrants or subpoenas or just asking nicely, whatever bar you want to set, is a secondary concern. The main issue is they can and will hand the keys to LEO’s at all.
Beyond the crypto architecture debate, I don't really understand how could anyone imagine a world where MS could just refuse such a request. How exactly would we draft laws to this effect, "the authorities can subpoena for any piece of evidence, except when complying to such a request might break the contractual obligations of a third party towards the suspect"?
Do we really, really, fully understand the implications of allowing for private contracts that can trump criminal law?
They could just ask before uploading your encryption key to the cloud.
Instead they force people to use a Microsoft Account to set up their windows and store the key without explicit consent
> How exactly would we draft laws to this effect, "the authorities can subpoena for any piece of evidence, except when complying to such a request might break the contractual obligations of a third party towards the suspect"?
Perhaps in this case they should be required to get a warrant rather than a subpoena?
Encrypt the BL key with the user's password? I mean there are a lot of technical solutions besides "we're gonna keep the BL keys in the clear and readily available for anyone".
This is being reported on because it seems newsworthy and a departure from the norm.
Apple also categorically says they refuse such requests.
It's a private device. With private data. Device and data owned by the owner.
Using sleight of hand and words to coax a password into a shared cloud and beyond just seems to indicate the cloud is someone else's computer, and you are putting the keys to your world and your data insecurely in someone else's computer.
Should windows users assume their computer is now a hostile and hacked device, or one that can be easily hacked and backdoored without their knowledge to their data?
> don't really understand how could anyone imagine a world where MS could just refuse such a request
By simply not having the ability to do so.
Of course Microsoft should comply with the law, expecting anything else is ridiculous. But they themselves made sure that they had the ability to produce the requested information.
Microsoft killed local accounts in Windows 11 and made this the default path by users: Your private encryption keys are sent to Microsoft in a way that requires no other keys. This is a failure and doesn't happen on systems like LUKS. I understand Microsoft wants to be able to look nice and unlock disks when people forget their passwords, but doing so allows anyone to exploit this. Windows systems and data are more vulnerable because of this tradeoff they made.
Sure that's valid, they do need to conply with legal orders. But they don't need to store bitlocker keys in the first place, they only need to turn over data they actually have.
I don't think that many people here are naive enough to believe that any business would fight the government for the sake of its customers. I think most of us are simply appalled by this blatantly malicious behavior. I'm not buying all these "but what if the user is an illiterate, senile 90-year-old with ADHD, huh?" attempts to rationalize it away. it's the equivalent of the guy who installed your door keeping a copy of your keys by unspoken default - "what if your toddler locks himself out, huh?"
I know the police can just break down my door, but that doesn't mean I should be ok with some random asshole having my keys.
> Do we really, really, fully understand the implication of allowing private contracts that trump criminal law?
...it's not that at all. We don't want private contracts to enshrine the same imbalances of power; we want those imbalances rendered irrelevant.
We hope against hope that people who have strength, money, reputation, legal teams, etc., will be as steadfast in asserting basic rights as people who have none of those things.
We don't regard the FBI as a legitimate institution of the rule of law, but a criminal enterprise and decades-long experiment in concentration of power. The constitution does not suppose an FBI, but it does suppose that 'no warrant shall issue but upon probable cause... particularly describing the place to be searched, and the persons or things to be seized' (emphasis mine). Obviously a search of the complete digital footprint and history of a person is not 'particular' in any plain meaning of that word.
...and we just don't regard the state as having an important function in the internet age. So all of its whining and tantrums and pepper spray and prison cells are just childish clinging to a power structure that is no longer desirable.
Actual freedom starts with freedom of thought which requires spaces that you can truly believe are safe. The push for the surveillance world is rapidly eroding the places someone can not only be safe to think but feel safe to think in. The 'feel safe' is deeply important here. The arguments of 'if you have nothing to hide' do not make anyone feel safe, they do the opposite and they chill free thought.
The second, very clear, argument is that the state can't be trusted in the long run. Period. Maybe you love your elected officials today but tomorrow they could be actively out to harm you. Every tool we allow the state to use needs to be viewed with this level of extreme skepticism and even very clear benefits need to be debated vigorously.
Encryption, and technologies like it, may allow hiding criminal activity but they also provide people a sense of security to think freely and stave off political power grabs. We recognize the fundamental right to free speech and give great latitude to it even when it is harmful and hateful, we need to recognize the fundamental right to free thought and recognize that encryption and similar tools are critical to it.
Exactly! I agree about feeling free to think is important. I am a legal immigrant here on the green card, and I was randomly looking at my iCloud photos, and there were two of them where I was wearing a 2024 elections t-shirt of the losing side. The t-shirt was given to me as a gag gift, and I just had taken a picture of it to show it to the sender for giggles.
Now looking at this old image. I had second thoughts. What if on the border crossing some officer sees a t-shirt and doesn't agree with it? Maybe I should delete the image. And it's not the first time I want to go post something online, but I've stopped myself. What if it comes back and bites me? Even though it might be an innocuous tweet, nothing egregious, but I just don't want to engage. And this is how freedom goes. This feels as bad as it was growing up in the Soviet Union.
I don't understand this, it's actually baffling. Why was the question being asked to begin with let along a whole post being made about this? If they have a legal request from a law enforcement agency of any country they operate in, they either comply or see executives in prison.
Is how bitlocker works not well known perhaps? I don't think it's a secret. The whole schtick is that you get to manage windows computers in a corporate fleet remotely, that includes being able to lock-out or unlock volumes. The only other way to do that would be for the person using the device to store the keys somewhere locally, but the whole point is you don't trust the people using the computers, they're employees. If they get fired, or if they lose the laptop, them being the only people who can unlock the bitlocker volume is a very bad situation. Even that aside, the logistics of people switching laptops, help desk getting a laptop and needing to access the volume and similar scenarios have to be addressed. Nothing about this and how bitlocker works is new.
Even in the safer political climates of pre-2025, you're still looking at prosecution if you resist a lawful order. You can fight gag-orders, or the legality of a request, but without a court order to countermand the feds request, you have to comply.
Microsoft would do the same in China, Europe, middle east,etc.. the FBI isn't special.
I’m not trying to defend Microsoft, but I think people are being a bit dramatic. It's a fairly reasonable default setting for average users who simply want their data protected from theft. On the other hand, users should be able to opt out from the outset, and above all, without having to fiddle with the manage-bde CLI or group policy settings.
With Intel Panther Lake (I'm not sure about AMD), Bitlocker will be entirely hardware-accelerated using dedicated SoC engines – which is a huge improvement and addresses many commonly known Full Disk Encryption vulnerabilities. However, in my opinion some changes still need to be made, particularly for machines without hardware acceleration support:
- Let users opt out of storing recovery keys online during setup.
- Let users choose between TPM or password based FDE during setup and let them switch between those options without forcing them to deal with group policies and the CLI.
- Change the KDF to a memory-hard KDF - this is important for both password and PIN protected FDE. It's 2026 - we shouldn't be spamming SHA256 anymore.
- Remove the 20 char limit from PIN protectors and make them alphanumerical by default. Windows 11 requires TPM 2.0 anyway so there's no point in enforcing a 20 char limit.
- Enable TPM parameter encryption for the same reasons outlined above.
If you are not typing in a passphrase or plugging in a device containing a key to unlock your disk then the secret exists somewhere else. Chances are that secret is available to others. The root issue here is that the user is not being made clearly aware of where the secret is stored and what third party(s) have access to it or reasonably might be able to get access to it.
These sorts of things should be very unsurprising to the people who depend on them...
Due to Third Party Doctrine, Microsoft doesn't even NEED a "legal order." It's merely a courtesy which they could change at any time.
Based on the sheer number of third parties we're required to use for our day to day lives, that is ridiculous and Third Party Doctrine should be eliminated.
And before that and before Trucrypt many used Jetico BestCrypt [1] not free... It can pretend the OS disk is invalid until a passphrase is typed. Only useful to fool smash-and-grab trash level thieves but I found it entertaining.
Either way once the Windows OS volume is unlocked it's all moot. There are many other ways to access ones machine remotely such as pushing a targeted update to the specific machine OS agnostic but easiest on Windows as Windows update fires off all the time despite patches being on a specific Tuesday. This method applies to phones as well, beyond the JTAG encryption bypass at power-up. Then a gag order is applied.
Everybody should have access to your hard drive, not just the FBI, so please do not encrypt your hard-drive.
If you encrypt your drive and upload the key to Microsoft, you are engaging in anti-competitive behavior since you give them access to your data, but not also to the local thief.
Just don't encrypt your drive if you cant be bothered to secure your key. Encryption-neutrality.
For a long time, if you used full disk encryption, the encryption key never left your machine. If you forgot your password, the data was gone - tough luck, should have made a backup. That's still how it works on Linux.
Pretty surprising they'd back up the disk encryption secrets to the cloud at all, IMHO, let alone that they'd back it up in plaintext.
If tech companies implemented real, e2e encryption for all user data, there would be a huge outcry, as the most notable effect would be lots of people losing access to their data irrevocably.
I'm all for criticizing tech companies but it's pointless to demand the impossible.
Just say "we are storing your keys on our servers so you won't lose them" and follow that with either "do you trust us" or even "we will share this key with law enforcement if compelled". Would be fine. Let people make these decisions.
Besides, bit ocker keys are really quite hard to lose.
is it just me or would "Microsoft refuses to comply with a legal search warrant" be an actual, surprising news story? like of course MSFT is going to hand over to authorities whatever they ask for if there's a warrant, imagine if they didn't (hint: not good for business. their customers are governments and large institutions, a reputation for "going rogue" would damage their brand quite a bit)
When someone is arrested, the police can get a subpoena to enter your house, right?
There they can collect evidence regarding the case.
Digital protections should exist, but should they exist beyond what is available in the physical world? If so, why?
I think the wording of this is far too lenient and I understand the controversy of "if asked" vs "valid legal order", neither of which strictly say "subpoena", and of course, the controversy of how laws are interpreted/ignored in one country in particularly (yes, I'm looking at you USA).
Should there be a middle ground? Or should we always consider anything that is digital off-limits?
Crazier question: what’s wrong with a well-intentioned surveillance state? Preventing crime is a noble goal, and sometimes I just don’t think some vague notion of privacy is more important than that.
I sometimes feel that the tech community would find the above opinion far more outlandish than the general population would.
If you have advanced data protection enabled, Apple claims:
“No one else can access your end-to-end encrypted data — not even Apple — and this data remains secure even in the case of a data breach in the cloud.”
Last time I onboarded a Mac (a few months ago), it would very explicitly ask if you want to enable support for remote FileVault unlocking.
That said, they could also roll out a small patch to a specific device to extract the keys. When you really want to be safe (and since you can be a called a 'left extremist' for moving your car out of the way, that now includes a lot of people), probably use Linux with LUKS.
iCloud login is still optional on macOS. Can't download stuff from the App Store and I think some continuity things require iCloud, but otherwise pretty solid.
Except you’re not coerced (near enough forced?) to use an account password managed by MS on Apple. Until MS themselves publish, for home users, how to set up without an MS account, I’m considering it forced.
Title should read "Microsoft confirms it will give the FBI your Windows PC data encryption key if court-ordered to do so".
Just because the article is click bait doesn't mean the HN entry needs to be, too.
Sure, the fact that MS has your keys at all is no less problematic for it, but the article clearly explains that MS will do this if legally ordered to do so. Not "when the FBI asks for it".
Which is how things work: when the courts order you to do something, you either do that thing, or you are yourself violating the law.
Not surprising. The whole Win11 feels like a spy-tool for the government. Just that "recall" anti-feature nobody needs - except for those who want to sniff and spy after people.
The origin of this is a Forbes article[0] where the quote is: "Microsoft confirmed to Forbes that it does provide BitLocker recovery keys if it receives a valid legal order."
It's already established that your disk encryption keys are in the Microsoft cloud whether you want them there or not. It's just a small step from there to your local government having the key too. Some governments claim to respect the privacy of their citizens, but there are always exceptions. Most governments likely have direct access to the keys, and don't even need to make the request.
The headline is slightly misleading. Microsoft can only provide the key if you are using a Microsoft Account which automatically escrows the BitLocker recovery key to OneDrive.
If you use a Local Account (which requires bypassing the OOBE internet check during setup) or explicitly disable key backup, the key never leaves the TPM. The issue isn't the encryption algorithm its the convenience selection.
This team was able to execute and investigate the loss of over $85,000.00 Usdt of I and my friend we have started getting our refunds and we are grateful
Apple will do this too. Your laptop encryption key is stored in your keychain (without telliing you!). All is needed is a warrant for your iCloud account and they also have access to your laptop.
You can (and should) watch all of https://www.youtube.com/watch?v=BLGFriOKz6U&t=1993s for the details about how iCloud is protected by HSMs and rate limits to understand why you’re wrong, but especially the time-linked section… instead of spreading FUD about something you know nothing about.
The major OS vendors (apple, google, ms) are complicit in data turnover and have been for over ten years now. It has been reported multiple times so I'm struggling to see the angle being projected here. This feels like click harvesting got the HN "Microsoft bad" crowd.
The segment of the population that is the target of political vindictiveness from the FBI seems to have changed somewhat with this administration so it makes sense to remind people of the vulnerabilities from time to time.
The problem is not that they will give the key (government can force them - this is expected), but that they even have the key in the first place.. I bet this is done without proper consent, or with choice like "yes" vs "maybe later"..
This issue aside, if anyone has the keys what value are they in the end? Has Microsoft ever refused to unlock someone's pc stating that they could not technically do that? Isn't storing keys like this akin to storing passwords in clear text?
My wife is an insurance litigation attorney and regularly requests social media data from Microsoft, Meta, etc. for people. Generally they hand it over without issue; I think Apple is the only one to have pushed back at times.
Why Microsoft stores the encryption keys of the users in their servers? Key recovery is convenient, but in my opinion it should exist the "opt out" option, without MS being involved in the key storage in their datacenters.
This is no different to Apple placing the encryption key for Filevault as plaintext on disk when it is turned off (the default). Both companies make it easy for you to recover data in event of a catastrophe.
No surprises here. There are people out there warning this would happen soon or later, and urging people to stop using Microsoft products, but of course, nobody cared about it as usual.
I do find it quite interesting how people support this idea (because they got a warrant), but are vehemently against the idea of backdooring encryption.
Technically it is possible to configure butlocker using passphrase instead of a TPM. It is not easy though. It is configured via GPO. However it is not a local account password. It is a separate passphrase which you need to provide early in boot process, similar to LUKS on linux systems. It works on windows computers without TPM, i’m not sure is it supported on systems that actually have TPM available.
it is perhaps mildly surprising that they have access to user encryption keys, but anyone surprised, over 20 years post-Patriot Act, that an American corporation is willing to cooperate with American federal law enforcement has maybe not been paying attention.
Which is really galling when you consider how many Windows 11 users have inadvertently been locked out of their own bought-and-paid-for computers thanks to BitLocker.
I have no idea what you mean. If the user keys were protected, that would not put Microsoft beyond the reach of the law. To Microsoft it's just a few bytes they never do anything with.
Zak|1 month ago
These have different meanings. Microsoft is legally entitled to refuse a request from law enforcement, and subject to criminal penalties if it refuses a valid legal order.
It does illustrate a significant vulnerability in that Microsoft has access to user keys by default. The public cannot be sure that Microsoft employees or criminals are unable to access those keys.
Spooky23|1 month ago
They said “legal order”, which includes a variety of things ranging from administrative subpoenas to judicial warrants. Generally they say warrant if that was used.
A “request” is “Hi Microsoft man, would you please bypass your process and give me customer data?” That doesn’t happen unless it’s for performative purposes. (Like when the FBI was crying about the San Bernardino shooter’s iPhone) Casual asks are problematic for police because it’s difficult to use that information in court.
What exactly was requested sounds fishy as the article states that Microsoft only gets 20 a year, and is responsive to 9 or fewer requests. Apple seems to get more and typically is more responsive. (https://www.apple.com/legal/transparency/us.html)
The other weird thing is that the Microsoft spokesman named in the Forbes article is an external crisis communications consultant. Why an use external guy firewalled from the business for what is a normal business process?
1718627440|1 month ago
This is a problem, because Microsoft operates in a lot of jurisdictions, but one of them always wants to be the exception and claims that it has jurisdiction over all the others. Not that I personally am of the opinion, that it is wise for the other jurisdiction to trust Microsoft, but if MS wants to secure operating in the other jurisdiction it needs to separate itself from that outsider.
JohnTHaller|1 month ago
DmitryO|1 month ago
stabbles|1 month ago
mossTechnician|1 month ago
0x262d|1 month ago
TZubiri|1 month ago
If you are running any kind of service, you should learn how warrants work in the country you are hosting in, come the time, if your service grows, eventually you will have to comply with an order.
If you want anything else you will have to design your system such that you can't even see the data, ala Telegram. And even then, you will get into pretty murky waters.
hinkley|1 month ago
quotemstr|1 month ago
bitwize|1 month ago
deadbabe|1 month ago
Forgeties79|1 month ago
This is an odd thing to split hairs over IMO. Warrants or subpoenas or just asking nicely, whatever bar you want to set, is a secondary concern. The main issue is they can and will hand the keys to LEO’s at all.
cornholio|1 month ago
Do we really, really, fully understand the implications of allowing for private contracts that can trump criminal law?
hermanzegerman|1 month ago
AnthonyMouse|1 month ago
Perhaps in this case they should be required to get a warrant rather than a subpoena?
ExoticPearTree|1 month ago
j45|1 month ago
This is being reported on because it seems newsworthy and a departure from the norm.
Apple also categorically says they refuse such requests.
It's a private device. With private data. Device and data owned by the owner.
Using sleight of hand and words to coax a password into a shared cloud and beyond just seems to indicate the cloud is someone else's computer, and you are putting the keys to your world and your data insecurely in someone else's computer.
Should windows users assume their computer is now a hostile and hacked device, or one that can be easily hacked and backdoored without their knowledge to their data?
constantcrying|1 month ago
By simply not having the ability to do so.
Of course Microsoft should comply with the law, expecting anything else is ridiculous. But they themselves made sure that they had the ability to produce the requested information.
ddtaylor|1 month ago
unknown|1 month ago
[deleted]
Saris|1 month ago
b65e8bee43c2ed0|1 month ago
I know the police can just break down my door, but that doesn't mean I should be ok with some random asshole having my keys.
contrarian1234|1 month ago
jMyles|1 month ago
...it's not that at all. We don't want private contracts to enshrine the same imbalances of power; we want those imbalances rendered irrelevant.
We hope against hope that people who have strength, money, reputation, legal teams, etc., will be as steadfast in asserting basic rights as people who have none of those things.
We don't regard the FBI as a legitimate institution of the rule of law, but a criminal enterprise and decades-long experiment in concentration of power. The constitution does not suppose an FBI, but it does suppose that 'no warrant shall issue but upon probable cause... particularly describing the place to be searched, and the persons or things to be seized' (emphasis mine). Obviously a search of the complete digital footprint and history of a person is not 'particular' in any plain meaning of that word.
...and we just don't regard the state as having an important function in the internet age. So all of its whining and tantrums and pepper spray and prison cells are just childish clinging to a power structure that is no longer desirable.
jmward01|1 month ago
The second, very clear, argument is that the state can't be trusted in the long run. Period. Maybe you love your elected officials today but tomorrow they could be actively out to harm you. Every tool we allow the state to use needs to be viewed with this level of extreme skepticism and even very clear benefits need to be debated vigorously.
Encryption, and technologies like it, may allow hiding criminal activity but they also provide people a sense of security to think freely and stave off political power grabs. We recognize the fundamental right to free speech and give great latitude to it even when it is harmful and hateful, we need to recognize the fundamental right to free thought and recognize that encryption and similar tools are critical to it.
vardalab|1 month ago
notepad0x90|1 month ago
Is how bitlocker works not well known perhaps? I don't think it's a secret. The whole schtick is that you get to manage windows computers in a corporate fleet remotely, that includes being able to lock-out or unlock volumes. The only other way to do that would be for the person using the device to store the keys somewhere locally, but the whole point is you don't trust the people using the computers, they're employees. If they get fired, or if they lose the laptop, them being the only people who can unlock the bitlocker volume is a very bad situation. Even that aside, the logistics of people switching laptops, help desk getting a laptop and needing to access the volume and similar scenarios have to be addressed. Nothing about this and how bitlocker works is new.
Even in the safer political climates of pre-2025, you're still looking at prosecution if you resist a lawful order. You can fight gag-orders, or the legality of a request, but without a court order to countermand the feds request, you have to comply.
Microsoft would do the same in China, Europe, middle east,etc.. the FBI isn't special.
maxglute|1 month ago
One would presume US agencies has leverage to access global data.
pregnenolone|1 month ago
With Intel Panther Lake (I'm not sure about AMD), Bitlocker will be entirely hardware-accelerated using dedicated SoC engines – which is a huge improvement and addresses many commonly known Full Disk Encryption vulnerabilities. However, in my opinion some changes still need to be made, particularly for machines without hardware acceleration support:
- Let users opt out of storing recovery keys online during setup.
- Let users choose between TPM or password based FDE during setup and let them switch between those options without forcing them to deal with group policies and the CLI.
- Change the KDF to a memory-hard KDF - this is important for both password and PIN protected FDE. It's 2026 - we shouldn't be spamming SHA256 anymore.
- Remove the 20 char limit from PIN protectors and make them alphanumerical by default. Windows 11 requires TPM 2.0 anyway so there's no point in enforcing a 20 char limit.
- Enable TPM parameter encryption for the same reasons outlined above.
RockRobotRock|1 month ago
Apple asks you when you set up your Mac if you want to do this. You can just ask the user, Microsoft!
hinkley|1 month ago
upofadown|1 month ago
These sorts of things should be very unsurprising to the people who depend on them...
caseysoftware|1 month ago
Based on the sheer number of third parties we're required to use for our day to day lives, that is ridiculous and Third Party Doctrine should be eliminated.
Ref: https://en.wikipedia.org/wiki/Third-party_doctrine
orbital-decay|1 month ago
Is it the case with BitLocker? The voluntary part.
sokoloff|1 month ago
Article and facts are “…if served with a valid legal order compelling it”
∴ Headline is clickbait.
iammjm|1 month ago
guerrilla|1 month ago
a3w|1 month ago
lifetimerubyist|1 month ago
shoknawe|1 month ago
sandworm101|1 month ago
https://ubuntu.com/download/desktop
https://archlinux.org/
https://www.kali.org/get-kali/#kali-platforms
https://fedoraproject.org/
Every bad day for microsoft is yet another glorious day for linux.
Bender|1 month ago
Either way once the Windows OS volume is unlocked it's all moot. There are many other ways to access ones machine remotely such as pushing a targeted update to the specific machine OS agnostic but easiest on Windows as Windows update fires off all the time despite patches being on a specific Tuesday. This method applies to phones as well, beyond the JTAG encryption bypass at power-up. Then a gag order is applied.
[1] - https://jetico.com/data-encryption/encrypt-hard-drives-bestc...
whoopdedo|1 month ago
There were questions about their motivation at the time. There still are questions.
ntoskrnl_exe|1 month ago
bdavbdav|1 month ago
zekica|1 month ago
dist-epoch|1 month ago
If you encrypt your drive and upload the key to Microsoft, you are engaging in anti-competitive behavior since you give them access to your data, but not also to the local thief.
Just don't encrypt your drive if you cant be bothered to secure your key. Encryption-neutrality.
takoid|1 month ago
davidguetta|1 month ago
michaelt|1 month ago
Pretty surprising they'd back up the disk encryption secrets to the cloud at all, IMHO, let alone that they'd back it up in plaintext.
hsuduebc2|1 month ago
jxdxbx|1 month ago
I'm all for criticizing tech companies but it's pointless to demand the impossible.
rocqua|1 month ago
Besides, bit ocker keys are really quite hard to lose.
zzzeek|1 month ago
pedalpete|1 month ago
When someone is arrested, the police can get a subpoena to enter your house, right?
There they can collect evidence regarding the case.
Digital protections should exist, but should they exist beyond what is available in the physical world? If so, why?
I think the wording of this is far too lenient and I understand the controversy of "if asked" vs "valid legal order", neither of which strictly say "subpoena", and of course, the controversy of how laws are interpreted/ignored in one country in particularly (yes, I'm looking at you USA).
Should there be a middle ground? Or should we always consider anything that is digital off-limits?
danans|1 month ago
That's a warrant. A subpoena is an order to appear in court.
_jab|1 month ago
Crazier question: what’s wrong with a well-intentioned surveillance state? Preventing crime is a noble goal, and sometimes I just don’t think some vague notion of privacy is more important than that.
I sometimes feel that the tech community would find the above opinion far more outlandish than the general population would.
cromka|1 month ago
nickmccann|1 month ago
https://support.apple.com/en-us/102651
microtonal|1 month ago
That said, they could also roll out a small patch to a specific device to extract the keys. When you really want to be safe (and since you can be a called a 'left extremist' for moving your car out of the way, that now includes a lot of people), probably use Linux with LUKS.
GeekyBear|1 month ago
Apple provides an optional encryption level (ADP) where they don't have a copy of your encryption key.
When Apple doesn't have the encryption key, they can't decrypt your data, so they can't provide a copy of the decrypted data in response to a warrant.
They explain the trade off during device setup: If Apple doesn't have a copy of the key, they can't help you if you should lose your copy of the key.
Hamuko|1 month ago
bdavbdav|1 month ago
TheRealPomax|1 month ago
Just because the article is click bait doesn't mean the HN entry needs to be, too.
Sure, the fact that MS has your keys at all is no less problematic for it, but the article clearly explains that MS will do this if legally ordered to do so. Not "when the FBI asks for it".
Which is how things work: when the courts order you to do something, you either do that thing, or you are yourself violating the law.
shevy-java|1 month ago
djoldman|1 month ago
This is blurring of fact drives click bait.
The origin of this is a Forbes article[0] where the quote is: "Microsoft confirmed to Forbes that it does provide BitLocker recovery keys if it receives a valid legal order."
[0] https://www.forbes.com/sites/thomasbrewster/2026/01/22/micro...
anonymousiam|1 month ago
nickevante|1 month ago
If you use a Local Account (which requires bypassing the OOBE internet check during setup) or explicitly disable key backup, the key never leaves the TPM. The issue isn't the encryption algorithm its the convenience selection.
daveheinrich|1 month ago
This team was able to execute and investigate the loss of over $85,000.00 Usdt of I and my friend we have started getting our refunds and we are grateful
ChrisArchitect|1 month ago
And earlier: https://news.ycombinator.com/item?id=46735545
daft_pink|1 month ago
Noaidi|1 month ago
sixcolors.com/post/2025/09/filevault-on-macos-tahoe-no-longer-uses-icloud-to-store-its-recovery-key/
betaby|1 month ago
Probably not if one is not using Apple cloud on their laptops.
> stored in your keychain (without telliing you!)
How to verify that? Any commands/tools/guides?
_blk|1 month ago
eddyg|1 month ago
You can (and should) watch all of https://www.youtube.com/watch?v=BLGFriOKz6U&t=1993s for the details about how iCloud is protected by HSMs and rate limits to understand why you’re wrong, but especially the time-linked section… instead of spreading FUD about something you know nothing about.
politelemon|1 month ago
sillyfluke|1 month ago
internet2000|1 month ago
unknown|1 month ago
[deleted]
zb3|1 month ago
uberman|1 month ago
chrisss395|1 month ago
faragon|1 month ago
commandersaki|1 month ago
akagusu|1 month ago
hdgvhicv|1 month ago
Given that the us government is happy to execute us citizens and invade other countries that basically means everyone.
Jigsy|1 month ago
How is this any different?
unixhero|1 month ago
TheRealPomax|1 month ago
wslh|1 month ago
Palmik|1 month ago
winstonwinston|1 month ago
b00ty4breakfast|1 month ago
daveheinrich|1 month ago
lingrush4|1 month ago
> Microsoft confirms it will give the FBI your Windows PC data encryption key if asked
> Microsoft says it will hand those over to the FBI if requested via legal order
Microsoft complying with legal orders is not news. But why hire actual journalists when you can just lie in your headlines and still get clicks?
unknown|1 month ago
[deleted]
bdhcuidbebe|1 month ago
banku_brougham|1 month ago
Timothycquinn|1 month ago
hohithere|1 month ago
0dayman|1 month ago
expedition32|1 month ago
MetroWind|1 month ago
grigio|1 month ago
anonnon|1 month ago
cynicalsecurity|1 month ago
jonplackett|1 month ago
Still crap but the headline is intentionally inaccurate for clickbaiting
rwmj|1 month ago
seanhunter|1 month ago
FabHK|1 month ago
betaby|1 month ago
modzu|1 month ago
dismalaf|1 month ago
Camiladiaz|1 month ago
[deleted]
junglistguy|1 month ago
[deleted]
chmorgan_|1 month ago
[deleted]
throwconsti|1 month ago
SketchySeaBeast|1 month ago
Edit: Nevermind.
cromka|1 month ago
lovebeans|1 month ago
preisschild|1 month ago
stabbles|1 month ago
Dylan16807|1 month ago