If you believe that your Windows computer is completely secure from surveillance, you might want to reconsider. Recent findings have indicated that Microsoft possesses the hard drive encryption keys, potentially sharing them with law enforcement entities like the FBI. Here’s an overview of the situation and some steps you can take to bolster your protection.
Story
This past January, Microsoft revealed a disconcerting lapse in user privacy. They acknowledged providing the FBI with BitLocker recovery keys for three Windows PCs connected to alleged fraud regarding unemployment benefits in Guam. With these keys, the FBI accessed files on those computers during their investigation.
There is a silver lining, however: users can take measures to prevent Microsoft and the government from gaining access to their sensitive information.
While it’s encouraging to see the government pursue criminal activity and fraud, this incident raises alarming questions about Microsoft’s capacity to access users’ encrypted files and disclose that information to authorities without a user’s awareness or approval.
The tech giant initially received inquiries from government officials back in 2013, during the Obama era. Reports suggest that their engineers resisted creating a back door into Windows that would allow unchecked access to user files. Nonetheless, Microsoft has confirmed that they provided BitLocker recovery keys to law enforcement, with around 20 requests from the FBI each year.
What is BitLocker?
BitLocker is an encryption program found on most current Windows computers. It secures files by locking them on your hard drive using Advanced Encryption Standard algorithms. The only means to access a BitLocker-protected machine would be through the user’s login password or bypassing security through a recovery key. These recovery keys are linked to your Microsoft account, making them accessible to both users and Microsoft.
Is your Windows computer at risk?
Your computer’s vulnerability to government oversight hinges on how BitLocker is configured on your device.
It could be risky if…
- You’re operating a Windows PC without a Microsoft account (i.e., not logged in with an Outlook email).
- You have a Microsoft account but chose to back up your recovery key locally during setup.
- You disabled BitLocker encryption when setting up your PC.
Conversely, it might be a danger if…
- You have a Windows PC tied to a Microsoft Outlook account and opted to back up your BitLocker recovery key there.
- Your PC is a work device managed by your employer.
For users deemed at risk, Microsoft maintains that it provides encryption keys solely in response to lawful governmental requests. But if Microsoft has access to your encryption keys, there’s little standing in the way of hackers attempting to obtain them. The issue with relying on cloud storage for your security keys is that anyone could potentially extract them using the right credentials or exploits.
How to stop the FBI from snooping on your PC
The good news? You can prevent both Microsoft and governmental agencies from accessing your crucial data. Removing your BitLocker recovery key from your Microsoft account is possible in just a few steps.
Caution: Deleting the recovery key means you cannot retrieve it later. Therefore, ensure you record your key ID and recovery key, keeping them safe in either a physical document or a reliable digital password manager. After you remove the key from Microsoft’s servers, it will still be active when needed. Here’s how to go about it:
- Visit the BitLocker recovery key section with your Microsoft account.
- Locate your device on the list, which may require some scrolling depending on your number of Windows devices.
- Record your key ID and recovery key securely.
- Click “Delete.”
Once this process is completed, the recovery key will be removed from your account. However, it may take up to 30 days for Microsoft to completely erase it from their servers.
Don’t trust your Windows PC
While it’s straightforward to avoid governmental surveillance by removing your BitLocker keys, privacy-conscious individuals may want to explore different operating systems. Companies like Apple and Google don’t retain copies of customers’ encryption keys, nor do they claim that user data will be disclosed to authorities. Linux machines, too, are particularly challenging to compromise from a security standpoint. Currently, Microsoft remains the only major tech company that holds encryption keys, rendering Windows less ideal for those prioritizing privacy.
