85 comments

[ 2.9 ms ] story [ 65.6 ms ] thread
> The case involved several people suspected of fraud related to the Pandemic Unemployment Assistance program

If it were preventing a mass murder I might feel differently...

But this is protecting the money supply (and indirectly the governments control).

Not a reason to violate privacy IMO, especially when at the time this was done these people were only suspected of fraud, not convicted.

> Microsoft told Forbes that the company sometimes provides BitLocker recovery keys to authorities, having received an average of 20 such requests per year.

At least they are honest about it, but a good reason to switch over to linux. Particularly if you travel.

If microsoft is giving these keys out to the US government, they are almost certainly giving them to all other governments that request them.

FYI BitLocker is on by default in Windows 11. The defaults will also upload the BitLocker key to a Microsoft Account if available.

This is why the FBI can compel Microsoft to provide the keys. It's possible, perhaps even likely, that the suspect didn't even know they had an encrypted laptop. Journalists love the "Microsoft gave" framing because it makes Microsoft sound like they're handing these out because they like the cops, but that's not how it works. If your company has data that the police want and they can get a warrant, you have no choice but to give it to them.

This makes the privacy purists angry, but in my opinion it's the reasonable default for the average computer user. It protects their data in the event that someone steals the laptop, but still allows them to recover their own data later from the hard drive.

Any power users who prefer their own key management should follow the steps to enable Bitlocker without uploading keys to a connected Microsoft account.

Unfortunately Microsoft are working hard to get rid of local accounts, meaning the alternative here isn't much of an alternative.
Microsoft did give them. Just because they have a warrant doesn't mean keys should be handed over in any usable form. As indicated in the Forbes [0] article - both Meta and Apple have the exact same convenience in place (cloud backup) with none of the direct risk.

So, yes. That is how it works: 1) Microsoft forces users to online accounts 2) Bitlocker keys are stored in an insecure manner allowing any US agency to ask for them. I intentionally say "ask for them" because the US government is a joke with respect to respecting its own citizens privacy [1] at this point.

This type of apologetic half-truth on behalf of a multi-billion dollar corporation is getting old fast.

[0] https://www.forbes.com/sites/thomasbrewster/2026/01/22/micro... [1] https://www.npr.org/2026/01/23/nx-s1-5684185/doge-data-socia...

"They have no choice" because they're "just doing their job" and "following the law."

Which are both choices. Microsoft can for sure choose to block the government and so can individual workers. Let's not continue the fascism-enabling narratives of "no choice."

As someone who has benefiter ones from this, I have to say: good.

In my humble opinion: the current state is better than no encryption at all. For example: Laptop theft, scavengers trying to find pictures, etc. And if you think you are target of either Microsoft or the law enforcement manage your keys yourself or go straight to Linux.

All that is true and the spin I focus on is can Microsoft have implemented it such that they have zero (ish) knowledge by default.

We know iCloud has configurations that can’t disclosed, and I wonder if there is a middle ground between if you loose the recovery key you are stuffed and maybe have a recovery key unblocked by a password similar to ssh keys

it's easy to design a system where the center doesn't have the key and thus can't be compelled.

but they didn't do so.

and it's surely just a coincidence, because m$ has always been such an ethical company.

and it's surely not by design to centralize power by locking out competing criminals from the user's data, but not themselves.

</s>

(comment deleted)
You’re ignoring the international element. If I’m a Danish organisation then sure, the Danish government can compel me to do things.

However a hostile foreign government has less control over me.

As such using a tool of a hostile foreign government (Microsoft) needs to be understood and avoided.

The "Microsoft gave" framing is the exact right wording!, because Microsoft should never have had these keys in the first place. This is a compromise on security that sidesteps back doors on the low level and essentially transforms all Windows installations into Clipper-chip products.
> "Microsoft gave"

While it is true that NSLs or other coercion tactics will force them to give out the keys, it is also true that this is only possible because Microsoft implemented a fatally flawed system where they have access to the keys.

Any system where a third party has access to cleartext or the keys to decrypt to cleartext is completely broken and must not be used.

Water is wet. More news at 11
This is almost certainly users who elect to store their BitLocker keys in OneDrive.

Don't think Apple wouldn't do the same.

If you don't want other people to have access to your keys, don't give your keys to other people.

This is by far one of the best advertisements for LUKS/VeraCrypt I've ever seen.
Is LUKS still secure if I'm not using secureboot?
> This is by far one of the best advertisements for LUKS/VeraCrypt I've ever seen.

LUKS isn't all rainbows and butterflies either [https://news.ycombinator.com/item?id=46708174]. This vulnerability has been known for years, and despite this, nothing has been done to address it.

Furthermore, if you believe that Microsoft products are inherently compromised and backdoored, running VeraCrypt instead of BitLocker on Windows likely won’t significantly improve your security. Implementing a VeraCrypt backdoor would be trivial for Microsoft.

This is why local account setup is so important on windows, and why microsoft makes it harder and harder each update.
This is disappointing but I wonder if this is quid pro quo. Microsoft and Nadella want to appear to be cooperating with the government, so they are given more government contracts and so they don’t get regulatory problems (like on antitrust or whatever).
(comment deleted)
It's interesting how many comments these days are like, "well of course".

Back in the day hackernews had some fire and resistance.

Too many tech workers decided to rollover for the government and that's why we are in this mess now.

This isn't an argument about law, it's about designing secure systems. And lazy engineers build lazy key escrow the government can exploit.

The engineers who developed this developed it to a spec so that microsoft demanded that allows them to get into the system at any time. There was nothing lazy about it. This would be easily found by anyone who has the impetus to encrypt their drive. Don't put things on your work laptop that you don't want Dom down in IT reading all of it or Phil the police forensics dick
> Back in the day hackernews had some fire and resistance

Hackernews is a public forum, and the people here change constantly. "Back in the day" there were mostly posts about LISP and startup equity. It's obviously not the same people here now.

> Too many tech workers decided to rollover for the government

Again, not the same group of people. In the 2000s "tech workers" might have mostly been Californians. Now they're mostly in India. Differing perspectives on government, to be sure.

> lazy engineers build lazy key escrow

Hey you should know this one, because it's something that HAS stayed constant since "back in the day": The engineers have absolutely no say in this whatsoever.

You are talking about Microslop. They have never been against government and in fact have always been anti consumer and in war with any hacker ethos.

There was no “back in the day” where big tech was on our side. Stop being a poser

Not your keys not your {thing}
Hear that? It's the sound of the year of the Linux desktop.

It's time - it's never been easier, and there's nothing you'll miss about Windows.

So, forcing user to connect to Internet and log in to Microsoft account has more to do than tracking you and selling ads -- Microsoft may be intentionally helping law enforcement unlocking your computer -- and that's not a conspiracy.
Here's a story about what the FBI may do when they don't unlock the laptop:

https://cointelegraph.com/news/fbi-cant-be-blamed-for-wiping...

Perhaps next time, an agent will copy the data, wipe the drive, and say they couldn't decrypt it. 10 years ago agents were charged for diverting a suspect's Bitcoin, I feel like the current leadership will demand a cut.

This is my biggest fear wrt gov't search-and-seizure. I know the police won't be able to get at my juicy encypted bits, but I also know they're vindictive basterds who'll be held to no accountability. Of course they'll wipe my drives just to get revenge for me "winning" by having blocked their access.
I don't know how many bad things Microsoft has to do before consumers realize they are a terrible company and you should stop buying their stuff.
(comment deleted)
The problems of centralization. Some economic sectors are centralized by nature, IT is not.
Based on the comments in the thread, I sense I will be in the minority, but for most consumers this is a reasonable default. Broadly speaking, the threat model most users are concerned with doesn't account for their government. The previous default is no encryption at rest, which doesn't protect from the most common threats, like theft or tampering. With BitLocker on, a new risk for users is created: loss of access to their data because they don't have their recovery key. You are never forced to keep your recovery keys in Microsoft's servers and it's not a default for corporate users.
I think it’s a reasonable default if Microsoft weren’t able to access your encryption keys.

Apple has that figured out. Your keys can be stored in your cloud synced keychain but only you can decrypt that keychain.

That’s why they couldn’t help the FBI to decrypt devices even when compelled.

Microsoft should have done the same. They should never find themselves in a place where they can be compromised like this.

If you use a local windows account does it still upload your bitlocker key to M$?
This isn't even about Microsoft or BitLocker. This is about the U.S.A.: anyone who thrusts the rule of law in the U.S. is a fool.

Yes, the American government retrieves these keys "legally". But so what? The American courts won't protect foreigners, even if they are heads of state or dictators. The American government routinely frees criminals (the ones that donate to Republicans) and persecutes lawful citizens (the ones that cause trouble to Republicans). The "rule of law" in the U.S. is a farce.

And this is not just about the U.S. Under the "five eyes" agreement, the governments of Canada, UK, Autralia and New Zealand could also grab your secrets.

Never trust the United States. We live in dangerous times. Ignore it at your own risk.

it's like microsoft has nothing better to do other than keep digging the hole to burry windows as mainstay operating system deeper and deeper with every new day.
I have opted out of all cloud services in my windows installation; I use a passphrase, too (it is even before booting the computer). I feel like this is pretty safe