Leaf&Core

Microsoft May Store Your PC Encryption Keys and Share them with Law Enforcement


A sketch of a paperclip with eyes, saying, "It looks like you're trying to secure your PC. Would you like me to break that?"

Every couple of years, some law enforcement agency bemoans the fact that they can’t just break into your devices. Pesky constitution getting in the way! Meanwhile, corporations won’t make backdoors for just anyone to wander through. It makes those power-hungry agencies sick. But Microsoft has another solution for them. Instead of building a backdoor, they can just let cops in the front door! Why build a backdoor security vulnerability when you can just hand out the keys to the front door?

According to Microsoft’s own reporting, they have access to the encryption keys of many of their Windows users. If you’re using BitLocker, the standard whole-disk encryption tool used to secure PCs, you may have handed over the encryption keys to your computer to Microsoft inadvertently. Microsoft shouldn’t be collecting these encryption keys. After all, Apple has had full disk encryption for years with FileVault, and has no access to your encryption keys. The same is true of their mobile and tablet operating systems. Even Google, notoriously spying on everything you do online, has left that sacred. If you try to protect your devices with encryption, Apple and Google will let you.

Microsoft won’t give you such privacy or security.

If you’re not careful while setting up your Windows machine, those encryption keys you use to secure your device will be sent to Microsoft. This is a tool that should make your PC secure. Instead, it’s more like security theater, because the keys you make with your password don’t just live in your mind, but also on Microsoft’s servers, and they’re not keeping them a secret. According to Microsoft, they share about 20 passwords with law enforcement a year. With ICE and the Trump administration being exceptionally invasive when it comes to your privacy, that number could skyrocket.

Here’s how to know if Microsoft has your passwords, how to change them, and how to encrypt your PC in a way that won’t let Microsoft—or anyone else—barge in.

How Microsoft’s Storing Encryption Keys

BitLocker is supposed to make your PC more secure, but if Microsoft is storing the keys and willing to give them to any law enforcement agency that asks for them, you’re not much safer with it. If you’re a part of one of the many marginalized groups the Trump administration is currently targeting, you’re even less safe, as these keys could end up in the hands of ICE. A false sense of security is perhaps more dangerous than being too cautious.

“[It is] simply irresponsible for tech companies to ship products in a way that allows them to secretly turn over users’ encryption keys. Allowing ICE or other Trump goons to secretly obtain a user’s encryption keys is giving them access to the entirety of that person’s digital life, and risks the personal safety and security of users and their families.”

– Senator Ron Wyden

Your encryption keys are generated with your password. If you log into your Windows computer with a Microsoft account instead of a username and password unique to your computer, you likely have given Microsoft your encryption keys. You can double-check this, though, on Microsoft’s own website. If you don’t see any BitLocker recovery keys uploaded to your account, you should be fine, for now. You’ll still want to learn how and when Microsoft uploads these keys to prevent it from happening on your own PC. If they are there, turn off the backup of your keys, change your password and update your BitLocker encryption keys, and delete them from the website.

Avoiding Uploading and Deleting Your Keys

“The keys give the government access to information well beyond the time frame of most crimes, everything on the hard drive … Then we have to trust that the agents only look for information relevant to the authorized investigation, and do not take advantage of the windfall to rummage around.”

– Jennifer Granick, surveillance and cybersecurity counsel at the ACLU

Microsoft says they get about 20 requests for BitLocker keys every year. This isn’t many, but under the Trump administration, surveillance is increasing, as is scrutiny of average people living in America. Despite the increasing danger, in Windows Home edition, the uploading of BitLocker keys is on by default. Encryption, real security, is a “feature” only given to the more expensive version of the operating system. Neither Apple nor Google does anything like this. In fact, Apple even allows you to encrypt all data you upload to their iCloud service with a key they will never store. Meanwhile, Microsoft won’t even let you make your own hard drive secure.

During setup, a PC user could turn off the feature if they’re paying attention. Your best bet to avoid uploading your BitLocker keys, if you insist on using Microsoft’s encryption, is to either use the Windows 11 Pro edition from the start, or “upgrade” your Home Edition to the Pro version for $99 on Microsoft’s website. Once you have the Pro version, ensure you’re only creating a local account. You don’t want to link your account on your Windows machine to your Microsoft account. A local account is not associated with a Microsoft account. If you’ve already set everything up, your best bet would be to change your account to a local account, delete your keys from Microsoft’s site, and change your passwords.

You’ll want to set this up in Security > Privacy & Security > Device Encryption. You can find more details on how to sidestep issues with this setup process in this great Ars Technica write-up.
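To check a drive locally and replace its recovery key after deleting the uploaded one, here is an added example (not from the original article) using Windows' built-in BitLocker PowerShell cmdlets. It assumes an elevated session and that you have already switched to a local account; the script's parameter names are its own.

```powershell
# Added example, not from the article. Save as a .ps1 and run elevated.
# Assumes the built-in BitLocker module (Get-BitLockerVolume etc.) is available.
param(
    [string]$MountPoint = 'C:',   # volume to inspect (script parameter, hypothetical name)
    [switch]$Rotate               # only replace recovery passwords when explicitly asked
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint

# 1. Report the encryption state and which key protectors exist.
[pscustomobject]@{
    MountPoint       = $vol.MountPoint
    VolumeStatus     = $vol.VolumeStatus
    ProtectionStatus = $vol.ProtectionStatus
    Protectors       = ($vol.KeyProtector.KeyProtectorType -join ', ')
} | Format-List

if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    "$MountPoint is not encrypted; there is no recovery key to rotate."
    return
}

# Recovery passwords are the protectors that can be backed up to an account.
# Compare these IDs with the key IDs listed on Microsoft's recovery key page.
$old = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
$old | ForEach-Object { "Existing recovery password key ID: $($_.KeyProtectorId)" }

if (-not $Rotate) { return }

# 2. Add the new recovery password BEFORE removing the old ones, so the
#    volume is never left without a recovery option.
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null

$new = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and
                   $_.KeyProtectorId -notin $old.KeyProtectorId }
if (-not $new) { throw "No new recovery password was created; old ones left in place." }

# 3. Remove the old recovery passwords. Any copy of them stored elsewhere
#    no longer unlocks the drive in its current state.
foreach ($kp in $old) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
    "Removed old recovery password $($kp.KeyProtectorId)"
}

# 4. Show the replacement once so it can be written down and kept offline.
"New key ID: $($new.KeyProtectorId)"
"New recovery password (store offline): $($new.RecoveryPassword)"
```

Run it without `-Rotate` first to see what is on the drive. Rotating while still signed in with a Microsoft account may simply lead to the new key being backed up again.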

Ditch Microsoft Encryption with VeraCrypt

People in security have known Microsoft has been doing this for years. However, with the increased threat of a fascist dictatorship in the United States, more people are worried about their privacy. Why trust a company that made uploading your keys the default? You’ll have to carefully watch every update forever.

Instead, encrypt your device with a third party tool. Obviously this isn’t something you have to do on macOS, where FileVault is still a secure option. But on Windows, BitLocker is just too close to becoming a security threat. Unless you’re not using Windows for anything important, such as using it solely for gaming, you may want to consider changing your encryption.

I’m not personally a Windows user. Oh, I’ve played around with dual booting on my Mac before, just for games, but I avoid the OS if I can help it. However, I did a bit of searching. The most frequently suggested full-disk encryption tool I saw was VeraCrypt. VeraCrypt is free and open source, based in the EU where privacy laws mean they have to disclose what they’d be doing with your data, and works on multiple platforms. Do your own research, but the best option for privacy is a third party tool that has been thoroughly vetted, and VeraCrypt seems to fit those criteria.

Not Enough Options

I hate what Windows has become. I’m not a Windows user, but I’ve seen what going up against Microsoft has done to macOS. Stagnant operating systems with a polish of glass or some sloppy AI will fix it. Microslop’s reputation is shot between Copilot’s failures, Windows 11’s adware, TPM chip issues, and even Recall, taking screenshots of everything you do with your computer. The problem when we allow corporations to become so big they only have one or two competitors is that, when those competitors falter, the entire industry freezes. Somehow, the operating systems we use to control all of our devices became the victim of this failed duopoly. Our hardware is getting faster and we’re not taking advantage of it except to generate awful things with “AI.” There’s no “Mac vs PC” argument anymore except amongst the most ardent of fanboys, no one can defend this. Perhaps, just due to a lack of jank and ease of turning off lousy features, Apple “won,” but, as a result, we all lost.

Ditch Microslop. Use macOS or even find a Linux distro you like. Ubuntu is notoriously beginner-friendly, but I may be a little out of date on that suggestion. Fedora, Elementary, Mint, Debian, Arch, Gecko, there are so many options, I don’t even remember them all. Whatever you use, make a strong password, encrypt your drive, and don’t hand your keys over to anyone. Maybe avoid any companies trying to collect as much data as they can to make AI, because they don’t have any qualms stealing data and art from across the net, what makes you think they’ll consider your data off-limits?

