Microsoft: We Store Disk Encryption Keys, But We’ve Never Given Them to Cops
Microsoft says they never helped government decrypt customers’ data.
Microsoft says it has never helped police investigators unlock its customers' encrypted computers—despite the fact that the company often holds the key to get their data.
If you store important stuff on your computer, it's great to have the option to lock it up and encrypt your data so that no one can access it if you ever lose your laptop or it gets stolen. But what happens if, one day, you forget your own password to decrypt it? To give customers a way to get their data back in this situation, Microsoft has been automatically uploading a recovery key to the cloud for Windows computers since 2013.
In light of the ongoing battle between Apple and the FBI over encryption, surveillance experts and technologists have criticized Microsoft for this feature because it doesn't give users a choice (other than deleting the key afterwards), and it gives the government the option to request that key from Microsoft if it ever needs it to get into a suspect's Windows computer.
It's unclear if the US government, or any government, ever asked Microsoft for that, but a company spokesperson told Motherboard that Microsoft has never turned over customers' keys.
"We haven't provided a customer encryption key to law enforcement," a Microsoft spokesperson told me in an email.
A Microsoft spokesperson clarified that this includes all US government agencies, including those that are part of the intelligence community, such as the NSA.
Christopher Soghoian, a surveillance expert and the principal technologist at the American Civil Liberties Union (ACLU), believes this is bound to change one day, as more consumer laptops get encrypted by default. And this is a situation that poses interesting questions no one knows the answers to: Would the government need a search warrant to get a recovery or encryption key from Microsoft's cloud service OneDrive, or Apple's iCloud? Usually, tech companies insist on search warrants when it comes to customers' data that can be considered content. Is an encryption key content?
"This is uncharted territory," Soghoian told me over the phone.
In any case, this question highlights a fundamental challenge and a choice tech companies need to make: either give users a chance to recover their data when they forget their encryption password, or get ready to have the government knock at the door to get the key to unlock a computer when investigators need to.
"No one knows how to make online backups that are resistant to government surveillance that also provide users with the ability to get the data after they forgot their passwords," Soghoian said.
Just like Microsoft, Apple has turned on disk encryption by default on Mac computers and laptops. But unlike Microsoft, users' recovery keys don't get uploaded to iCloud automatically. An Apple spokesperson declined to comment, saying Apple doesn't "disclose the specifics of requests."
If you're worried one day your laptop could fall into the hands of cops or feds, you might want to avoid uploading your recovery keys to the cloud. (Here's a guide on how to delete your Microsoft key.) Otherwise, you'll have to choose convenience over total security.
This piece has been updated to add Microsoft's clarification that they haven't turned encryption keys over to any government agency, not just law enforcement.