Microsoft crosses privacy line few expected

For years, we've been told that encryption is the golden modular for integer privacy. If information is encrypted, it is expected to beryllium locked distant from hackers, companies and governments alike. That presumption conscionable took a hit. 

In a national probe tied to alleged COVID-19 unemployment fraud successful Guam, a U.S. territory wherever national instrumentality applies, Microsoft confirmed it provided instrumentality enforcement with BitLocker betterment keys. Those keys allowed investigators to unlock encrypted information connected aggregate laptops.

This is 1 of the clearest nationalist examples to day of Microsoft providing BitLocker betterment keys to authorities arsenic portion of a transgression investigation. While the warrant itself whitethorn person been lawful, the implications agelong acold beyond 1 investigation. For mundane Americans, this is simply a wide awesome that "encrypted" does not ever mean "inaccessible."

Sign up for my FREE CyberGuy Report
Get my champion tech tips, urgent information alerts and exclusive deals delivered consecutive to your inbox. Plus, you’ll get instant entree to my Ultimate Scam Survival Guide – escaped erstwhile you articulation my CYBERGUY.COM newsletter.

HACKERS ABUSE GOOGLE CLOUD TO SEND TRUSTED PHISHING EMAILS

In the Guam investigation, Microsoft provided BitLocker betterment keys that allowed instrumentality enforcement to unlock encrypted laptops. (David Paul Morris/Bloomberg via Getty Images)

What happened successful the Guam BitLocker case?

Federal investigators believed 3 Windows laptops held grounds tied to an alleged strategy involving pandemic unemployment funds. The devices were protected with BitLocker, Microsoft's built-in disk encryption instrumentality enabled by default connected galore modern Windows PCs. BitLocker works by scrambling each information connected a hard thrust truthful it cannot beryllium work without a betterment key. 

Users tin store that cardinal themselves, but Microsoft besides encourages backing it up to a Microsoft relationship for convenience. In this case, that convenience mattered. When served with a valid hunt warrant, Microsoft provided the betterment keys to investigators. That allowed afloat entree to the information stored connected the devices. Microsoft says it receives astir 20 specified requests per twelvemonth and tin lone comply erstwhile users person chosen to store their keys successful the cloud.

We reached retired to Microsoft for comment, but did not perceive backmost earlier our deadline.

How Microsoft was capable to unlock encrypted data

According to John Ackerly, CEO and co-founder of Virtru and a erstwhile White House exertion advisor, the occupation is not encryption itself. The existent contented is who controls the keys. He begins by explaining however convenience tin softly displacement control. "Microsoft commonly recommends that users backmost up BitLocker betterment keys to a Microsoft relationship for convenience. That prime means Microsoft whitethorn clasp the method quality to unlock a customer's device. When a 3rd enactment holds some encrypted information and the keys required to decrypt it, power is nary longer exclusive."

Once a supplier has the quality to unlock data, that powerfulness seldom stays theoretical. "When systems are built truthful that providers tin beryllium compelled to unlock lawsuit data, lawful entree becomes a lasting feature. It is important to retrieve that encryption does not separate betwixt authorized and unauthorized access. Any strategy designed to beryllium unlocked connected request volition yet beryllium unlocked by unintended parties."

Ackerly past points retired that this result is not inevitable. Other companies person made antithetic architectural choices. "Other ample exertion companies person demonstrated that a antithetic attack is possible. Apple has designed systems that bounds its ain quality to entree lawsuit data, adjacent erstwhile doing truthful would easiness compliance with authorities demands. Google offers client-side encryption models that let users to clasp exclusive power of encryption keys. These companies inactive comply with the law, but erstwhile they bash not clasp the keys, they cannot unlock the data. That is not obstruction. It is simply a plan choice."

Finally, helium argues that Microsoft inactive has country to alteration course. "Microsoft has an accidental to code this by making customer-controlled keys the default and by designing betterment mechanisms that bash not spot decryption authorization successful Microsoft's hands. True idiosyncratic information sovereignty requires systems that marque compelled entree technically impossible, not simply contractually discouraged."

In short, Microsoft could comply due to the fact that it had the method quality to bash so. That azygous plan determination is what turned encrypted information into accessible data.

"With BitLocker, customers tin take to store their encryption keys locally, successful a determination inaccessible to Microsoft, oregon successful Microsoft's user unreality services," a Microsoft spokesperson told CyberGuy successful a statement. "We admit that immoderate customers similar Microsoft's unreality storage, truthful we tin assistance retrieve their encryption cardinal if needed. While cardinal betterment offers convenience, it besides carries a hazard of unwanted access, truthful Microsoft believes customers are successful the champion presumption to determine whether to usage cardinal escrow and however to negociate their keys."

WHY CLICKING THE WRONG COPILOT LINK COULD PUT YOUR DATA AT RISK

When companies clasp encryption keys, lawful requests tin unlock acold much information than astir radical expect. (Kurt "CyberGuy" Knutsson)

Why this matters for information privacy

This lawsuit has reignited a long-running statement implicit lawful entree versus systemic risk. Ackerly warns that centralized power has a agelong and troubling history. "We person seen the consequences of this plan signifier for much than 2 decades. From the Equifax breach, which exposed the fiscal identities of astir fractional the U.S. population, to repeated leaks of delicate communications and wellness information during the COVID era, the signifier is consistent: centralized systems that clasp power implicit lawsuit information go systemic points of failure. These incidents are not anomalies. They bespeak a persistent architectural flaw."

When companies clasp the keys, they go targets. That includes hackers, overseas governments and ineligible demands from agencies similar the FBI. Once a capableness exists, it seldom goes unused.

How different tech giants grip encryption differently

Apple has designed systems, specified arsenic Advanced Data Protection, wherever it cannot entree definite encrypted idiosyncratic information adjacent erstwhile served with authorities requests. Google offers client-side encryption for immoderate services, chiefly successful endeavor environments, wherever encryption keys stay nether the customer's control. These companies inactive comply with the law, but successful those cases, they bash not person the method means to unlock the data. That favoritism matters. As encryption experts often note, you cannot manus implicit what you bash not have.

What we tin bash to support our privacy

The bully quality is that idiosyncratic privateness is not gone. The atrocious quality is that it present requires intention. Small choices substance much than astir radical realize. Ackerly says the starting constituent is knowing control. "The main takeaway for mundane users is simple: if you don't power your encryption keys, you don't afloat power your data."

That power begins with knowing wherever your keys are stored. "The archetypal measurement is knowing wherever your encryption keys live. If they're stored successful the unreality with your provider, your information tin beryllium accessed without your knowledge."

Once keys unrecorded extracurricular your control, entree becomes imaginable without your consent. That is wherefore the mode information is encrypted matters conscionable arsenic overmuch arsenic whether it is encrypted. "Consumers should look for tools and services that encrypt information earlier it reaches the unreality — that way, it is intolerable for your supplier to manus implicit your data. They don't person the keys." Defaults are different hidden risk. Many radical ne'er alteration them. "Users should besides look to debar default settings designed for convenience. Default settings matter, and erstwhile convenience is the default, astir individuals volition unknowingly commercialized power for easiness of use."

When encryption is designed truthful that adjacent the supplier cannot entree the data, the equilibrium shifts backmost to the individual. "When information is encrypted successful a mode that adjacent the supplier can't access, it stays backstage — adjacent if a 3rd enactment comes asking. By holding your ain encryption keys, you're eliminating the anticipation of the supplier sharing your data." Ackerly says the acquisition is elemental but often ignored. "The acquisition is straightforward: you cannot outsource work for your delicate information and presume that 3rd parties volition ever enactment successful your champion interest. Encryption lone fulfills its intent erstwhile the information proprietor is the sole enactment susceptible of unlocking it." Privacy inactive exists. It conscionable nary longer comes by default.

700CREDIT DATA BREACH EXPOSES SSNS OF 5.8M CONSUMERS

Reviewing default information and backup settings tin assistance you support power of your backstage data. (Kurt "CyberGuy" Knutsson)

Practical steps you tin instrumentality today

You bash not request to beryllium a information adept to support your data. A fewer applicable checks tin spell a agelong way.

1) Start by checking wherever your encryption keys live

Many radical bash not recognize that their devices softly backmost up betterment keys to the cloud. On a Windows PC, motion successful to your Microsoft relationship and look nether instrumentality information oregon betterment cardinal settings. Seeing a BitLocker betterment cardinal listed online means it is stored with Microsoft. 

For different encrypted services, specified arsenic Apple iCloud backups oregon Google Drive, unfastened your relationship information dashboard and reappraisal encryption oregon betterment options. Focus connected settings tied to betterment keys, backup encryption, oregon account-based access. When those keys are linked to an online account, your supplier whitethorn beryllium capable to entree them. The extremity is simple. Know whether your keys unrecorded with you oregon with a company.

2) Avoid cloud-based cardinal backups unless you genuinely request them

Cloud backups are designed for convenience, not privacy. If possible, store betterment keys offline. That tin mean redeeming them to a USB drive, printing them and storing them successful a harmless place, oregon utilizing encrypted hardware you control. The nonstop method matters little than who has access. If a institution does not person your keys, it cannot beryllium forced to crook them over.

3) Choose services that encrypt information earlier it reaches the cloud

Not each encryption works the aforesaid way, adjacent if companies usage akin language. Look for services that advertise end-to-end oregon client-side encryption, specified arsenic Signal for messages, oregon Apple's Advanced Data Protection enactment for iCloud backups. These services encrypt your information connected your instrumentality earlier it is uploaded, which means the supplier cannot work it oregon unlock it later. Here is simply a elemental regularisation of thumb. If a work tin reset your password and reconstruct each your information without your involvement, it apt holds the encryption keys. That besides means it could beryllium forced to manus implicit access. When encryption happens connected your instrumentality first, providers cannot unlock your information due to the fact that they ne'er had the keys to statesman with. That plan prime blocks third-party entree by default.

4) Review default information settings connected each caller device

Default settings usually favour convenience. That tin mean easier recovery, faster syncing and weaker privacy. Take 5 minutes aft setup and fastener down the basics.

iPhone: tighten iCloud and relationship recovery

Turn connected Advanced Data Protection for iCloud (strongest iCloud protection)

• Open Settings
• Tap your name
• Tap iCloud
• Scroll down and pat Advanced Data Protection
• Tap Turn On Advanced Data Protection
• Follow the prompts to acceptable up Account Recovery options, similar a Recovery Contact oregon Recovery Key

Review iCloud Backup

• Open Settings
• Tap your name
• Tap iCloud
• Tap iCloud Backup
• Decide if you privation it connected oregon off, based connected your privateness comfortableness level

Strengthen your Apple ID security

• Open Settings
• Tap your name
• Tap Sign-In & Security
• Make definite Two-Factor Authentication (2FA) is turned connected and reappraisal trusted telephone numbers and devices
• Review trusted telephone numbers and devices

Android: fastener your Google account and backups

Review and power instrumentality backup

Settings whitethorn alteration depending connected your Android phone’s manufacturer.

• Open Settings
• Tap Google
• Tap Backup (or All services past Backup)
• Tap Manage backup
• Choose what backs up and corroborate which Google relationship stores it

NEW ANDROID MALWARE CAN EMPTY YOUR BANK ACCOUNT IN SECONDS

Strengthen your surface lock, since it protects the instrumentality itself

Settings whitethorn alteration depending connected your Android phone’s manufacturer.

• Open Settings
• Tap Security oregon Security & privacy
• Set a beardown PIN oregon password
• Turn connected biometrics if you want, but support the PIN beardown either way

Secure your Google account

Settings whitethorn alteration depending connected your Android phone’s manufacturer.

• Open Settings
• Tap Google
• Tap Manage your Google Account
• Go to Security
• Turn connected 2-Step Verification and reappraisal caller information activity

Mac: alteration FileVault and reappraisal iCloud settings

Turn connected FileVault disk encryption

• Click the Apple menu
• Select System Settings
• Click Privacy & Security
• Scroll down and click FileVault
• Click Turn On
• Save your betterment method securely

Review iCloud syncing

• Open System Settings
• Click your name
• Click iCloud
• Review what apps and information types sync
• Turn disconnected thing you bash not privation stored successful the cloud

Windows PC: cheque BitLocker and wherever the betterment cardinal is stored

Confirm BitLocker presumption and settings

• Open Settings
• Go to Privacy & security
• Tap Device encryption oregon BitLocker (wording varies by device)

Check whether your BitLocker betterment cardinal is stored successful your Microsoft account

• Go to your Microsoft relationship page
• Open Devices
• Select your PC
• Look for Manage betterment keys oregon a BitLocker betterment cardinal entry
• If you spot a cardinal listed online, it means the cardinal is stored with Microsoft. That is wherefore Microsoft was capable to supply keys successful the Guam case.

If your relationship tin retrieve everything with a fewer clicks, a 3rd enactment mightiness beryllium capable to retrieve it too. Convenience tin beryllium helpful, but it tin besides widen access.

5) Treat convenience features arsenic privateness tradeoffs

Every shortcut comes with a cost. Before enabling a diagnostic that promises casual betterment oregon speedy access, intermission and inquire 1 question. If I suffer power of this account, who other gains access? If the reply includes a institution oregon 3rd party, determine whether the convenience is worthy it. 

These steps are not utmost oregon technical. They are mundane habits. In a satellite wherever lawful entree tin softly go regular access, tiny choices present tin support your privateness later.

Strengthen extortion beyond encryption

Encryption controls who tin entree your data, but it does not halt each real-world threat. Once information is exposed, antithetic protections matter.

Strong antivirus bundle adds device-level protection

Strong antivirus bundle helps artifact malware, spyware and credential-stealing attacks that tin bypass privateness settings altogether. Even encrypted devices are susceptible if malicious bundle gains power earlier encryption comes into play.

The champion mode to safeguard yourself from malicious links that instal malware, perchance accessing your backstage information, is to person beardown antivirus bundle installed connected each your devices. This extortion tin besides alert you to phishing emails and ransomware scams, keeping your idiosyncratic accusation and integer assets safe.

Get my picks for the champion 2026 antivirus extortion winners for your Windows, Mac, Android and iOS devices astatine Cyberguy.com

An individuality theft extortion work helps erstwhile vulnerability turns into fraud

If idiosyncratic information is accessed, sold, oregon misused, individuality extortion services tin show for suspicious activity, alert you aboriginal and assistance fastener down accounts earlier harm spreads. Identity Theft companies tin show idiosyncratic accusation similar your Social Security Number (SSN), telephone fig and email address, and alert you if it is being sold connected the acheronian web oregon being utilized to unfastened an account. They tin besides assistance you successful freezing your slope and recognition paper accounts to forestall further unauthorized usage by criminals.

See my tips and champion picks connected however to support yourself from individuality theft astatine Cyberguy.com.

Kurt's cardinal takeaways

Microsoft's determination to comply with the BitLocker warrant whitethorn person been legal. That doesn't marque it harmless. This lawsuit exposes a hard information astir modern encryption. Privacy depends little connected the mathematics and much connected however systems are built. When companies clasp the keys, the hazard falls connected the remainder of us.

Do you spot tech companies to support your encrypted data, oregon bash you deliberation that work should autumn wholly connected you? Let america cognize by penning to america astatine Cyberguy.com.

CLICK HERE TO DOWNLOAD THE FOX NEWS APP

Sign up for my FREE CyberGuy Report
Get my champion tech tips, urgent information alerts and exclusive deals delivered consecutive to your inbox. Plus, you’ll get instant entree to my Ultimate Scam Survival Guide – escaped erstwhile you articulation my CYBERGUY.COM newsletter.

Copyright 2026 CyberGuy.com.  All rights reserved.