
The headline is misleading. It says that Microsoft will provide the key if asked, but the linked statement to Forbes says Microsoft will provide the key if it receives a valid legal order.

These have different meanings. Microsoft is legally entitled to refuse a request from law enforcement, and subject to criminal penalties if it refuses a valid legal order.

It does illustrate a significant vulnerability in that Microsoft has access to user keys by default. The public cannot be sure that Microsoft employees or criminals are unable to access those keys.





Nah, you’re just not reading carefully. You must parse everything about this stuff carefully as the words are always crafted. It’s usually more productive to read with a goal to understand what isn’t said as opposed to what is said.

They said “legal order”, which includes a variety of things ranging from administrative subpoenas to judicial warrants. Generally they say warrant if that was used.

A “request” is “Hi Microsoft man, would you please bypass your process and give me customer data?” That doesn’t happen unless it’s for performative purposes. (Like when the FBI was crying about the San Bernardino shooter’s iPhone) Casual asks are problematic for police because it’s difficult to use that information in court.

What exactly was requested sounds fishy as the article states that Microsoft only gets 20 a year, and is responsive to 9 or fewer requests. Apple seems to get more and typically is more responsive. (https://www.apple.com/legal/transparency/us.html)

The other weird thing is that the Microsoft spokesman named in the Forbes article is an external crisis communications consultant. Why use an external guy firewalled from the business for what is a normal business process?


>the article states that Microsoft only gets 20 a year, and is responsive to 9 or fewer requests. Apple seems to get more and typically is more responsive.

That just makes me think that Windows is generally less secure and there are likely a larger number of instances where the AHJ doesn't have to request help from Microsoft to access the data.


Apple has a long history of automatically uploading (and/or "backing up") all documents and media of its customers to iCloud. Microsoft started doing that with OneDrive and OneDrive backups only recently. That + the work Apple put in locking down its phone from users and attackers alike, basically breaks down like this:

                 | Apple         | Microsoft  |
  ---------------+---------------+------------|
  Users with     | approximately | small but  |
  data in cloud  | everyone      | growing    |
  ---------------+---------------+------------|
  Access to      | denied via    | easily     |
  data on device | cryptography  | available  |
                 | by default    | by default |

Definitely possible.

It just seems like a very low number considering the hundreds of millions or billions of Windows devices.


Hans-Georg Gadamer over here with the advanced hermeneutic

> Microsoft is legally entitled to refuse a request from law enforcement, and subject to criminal penalties if it refuses a valid legal order.

This is a problem, because Microsoft operates in a lot of jurisdictions, but one of them always wants to be the exception and claims that it has jurisdiction over all the others. Not that I personally am of the opinion that it is wise for the other jurisdiction to trust Microsoft, but if MS wants to secure operating in the other jurisdiction it needs to separate itself from that outsider.


Or maybe not stash everybody's keys?

You're arguing for corporate sovereignty.

I think you need to rethink your position.


Actually I think that corporate sovereignty is inevitable, hence countries should have never allowed companies to get that large. But for this discussion, yes Microsoft just needs to split and/or go to the Cayman Islands.

I don't think corporate sovereignty is needed for that; just blowing up Microsoft into a bunch of independently-operating entities, one per relevant jurisdiction.

Note that they say "legal order" not, specifically, "warrant". Now remember that government agencies have internal memos instructing them that no warrants are needed for them to do things like the 4th amendment, stop citizens, detain citizens, "arrest" citizens, etc.

The same way you cannot be sure that FBI is not criminals

It's a catchy meme for sure, but when people actually start to believe - like for real, not just the usual talking shit that passes for "conversation" with normal people - that law enforcement officers are worse thugs than regular thugs -- that's a fast way to turn into a failed state, where that actually is true.

Causality here actually works both ways, because in free(ish) societies, law enforcement derives its authority more from people's intersubjective belief in that authority, and less from actual use of force.


> when people actually start to believe... that law enforcement officers are worse thugs than regular thugs -- that's a fast way to turn into a failed state, where that actually is true.

It's quite clear that if law enforcement officers are indeed worse or just like regular thugs the failed state will soon materialize regardless of what people think about the issue.

Moreover, isn't the fastest way to a failed state to have people believe that their security agencies are good and proper when in reality they aren't? That kind of naivete is surely a lot worse than a bit of paranoia.


> isn't the fastest way to a failed state to have people believe that their security agencies are good and proper when in reality they aren't?

No, but it used to be.

The fastest way right now is propaganda.

I'm not sure when the transition happened exactly, given we've had smartphones and social media lies going around the world before fact checkers wake up (even a while back there were questions about if some violence or other was the same country or year), but right now any group with convenient access to a suitable AI can do something that passes well enough to fool a sufficient number of people to break everything.

This means that even if all the current stuff dies down in the USA, you can't go back to the old status quo. Free speech is really important (and not just for the public to take down the powerful, even the powerful themselves benefit from it to not become emperors who wear no clothes), but it's also extremely easy to exploit, and you can't even just rely on people learning to distrust certain sources as you have already started fighting over which sources to trust and fighting over the ability of anyone to say "${foo} is an untrustworthy source".


You are quite right about the dangers of propaganda in the time of AI and social media which is not only easily accessible but also addictive. I've observed people around me being misled despite their best intentions and above average abilities.

I also agree that we can't go back to the old status quo but we don't have to - it probably wasn't the right thing to do if it led to the current state of affairs.

I think there's still a chance for positive change, not going back but forward. I'm not saying it's going to be easy, but the implications of giving up warrant the pursuit of that chance no matter how small.


Two weeks ago this would have been completely uncontroversial, but given the repeated executions by shooting people of probable opposite political conviction in the face, things just got a lot more complicated.

Yes, agreed. And while I respect the FBI employees who stepped down because they refused to comply with such a shitty system, it's getting to where thugs are the only ones left in the FBI.

It's a complicated system indeed.


Exactly. The discussion should center on the fact that Microsoft's shift was a contingency, not a technical necessity. It cannot have escaped them that their design choices create a legal point of entry for data requests that they are then obligated to fulfill, which would not have been the case with proper end-to-end encryption; in that case they would have told authorities that they simply cannot fulfill these requests.

Crucially, the headline says Microsoft will provide the key if asked by the FBI, which implies a state entity with legal power that extends beyond a typical person's assumptions of "rule of law" and "due process," let alone ethics.

This is all paraphrasing. The closest paraphrase of the original statement to Forbes, from Forbes' article, is:

> Microsoft confirmed to Forbes that it does provide BitLocker recovery keys if it receives a valid legal order.

I suspect the FBI part was added editorially since this specific legal order came from the FBI.


Typical person assumes that FBI is chasing aliens (from outer space) and hardened criminals so bad the local police can't handle them. At least that's what American TV teaches us.

Now CIA, on the other hand, ... well, they won't need to ask for the crypto keys anyway.


Is it meaningfully misleading? How often is this an obstacle for the FBI?

Yes, "asked" versus "ordered" is meaningfully misleading, especially in this context.

There is reasonable suspicion, some might argue evidence, that Microsoft voluntarily cooperated with U.S. Intelligence Community without being compelled by a court order, the most famous instances being leaked in the Snowden disclosures.

To be fair to Microsoft, here's their updated statement (emphasis mine):

"Microsoft confirmed to Forbes that it does provide BitLocker recovery keys if it receives a valid legal order. “While key recovery offers convenience, it also carries a risk of unwanted access, so Microsoft believes customers are in the best position to decide... how to manage their keys,” said Microsoft spokesperson Charles Chamberlayne."


You’ve overly simplified the degree to which a company must accept a court order without pushback.

First they are capable of fulfilling the request in the first place which means their approach or encryption is inherently flawed. Second companies can very much push back on such requests with many examples of such working, but they need to make the attempt.


I don't think it's reasonable to expect businesses to spend money fighting court orders for customer data, especially if the orders are more or less reasonable.

They do seem to be reasonable in the case that brought about this reporting, with substantial evidence that the suspects committed fraud and that evidence is on the devices in question.


Never means the specifics are irrelevant, you’re making the sad argument on the worst possible case and the best one.

So why should customers entrust their data to the company? It’s a transactional relationship and the less you do the less reason someone has to pay you.

Further, our legal system is adversarial; it assumes someone is going to defend you. Without that there's effectively zero protection for individuals.


People shouldn't entrust highly sensitive data to third parties who aren't highly motivated to protect it. That means different things in different situations, but if you're likely to be investigated by the FBI, don't give Microsoft the encryption keys to your laptop.

As many, many people have pointed out -- many people don't know that their drives are encrypted or know that these protections exist. You're also assuming that the FBI doesn't investigate just random people. "I'm not doing anything bad, why should I worry?"

You're making a lot of assumptions about how people use their computers, their understanding of their own devices, and the banality of building argumentation around what someone should have done or should not have done in the face of how reality works.


I am not assuming the FBI doesn't investigate random people. I am, however assuming that the FBI does not randomly seize computers and obtain court orders demanding encryption keys for them from Microsoft. Unless Microsoft is lying, that happens about 20 times a year.

One of the privacy protections is simply that it's a lot of work to go through that process. The FBI wouldn't have the resources to do it to everyone it's merely curious about even if it had the authority, which it doesn't because warrants require probable cause.

I believe that it's generally acceptable that when law enforcement has probable cause for a search warrant, third parties grant them what access they reasonably can. I also believe people who actually want to protect their privacy and security should learn fundamentals like whoever has the key can unlock it and if nobody has the key, it's gone forever. If I was building a consumer product, I'd have to care quite a bit about the fact that many people won't do that, but I'm not so I don't.
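The "whoever has the key can unlock it" point above is checkable on your own machine. This is an added example, not code from the thread: it lists the key protectors on a BitLocker volume and rotates the 48-digit recovery password (the value Windows offers to back up to a Microsoft account) so any previously escrowed copy no longer unlocks the drive. It assumes an elevated PowerShell session on Windows with the BitLocker module, and assumes the OS volume is mounted at C:.

```powershell
# Added example (not from the thread). Assumes: elevated PowerShell, BitLocker module present,
# OS volume at C:. Lists protectors, then rotates the recovery password so an escrowed copy is stale.
$MountPoint = 'C:'
$vol = Get-BitLockerVolume -MountPoint $MountPoint

"Volume $($vol.MountPoint): ProtectionStatus=$($vol.ProtectionStatus), VolumeStatus=$($vol.VolumeStatus)"
foreach ($kp in $vol.KeyProtector) {
    # Typical types: Tpm (silent unlock at boot), RecoveryPassword (the 48-digit key), ExternalKey (USB)
    "  $($kp.KeyProtectorType)  Id=$($kp.KeyProtectorId)"
}

# The RecoveryPassword protector is the one that gets escrowed to a cloud account.
$old = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($old.Count -eq 0) {
    "No RecoveryPassword protector on $MountPoint; nothing to rotate."
    return
}

# Add a fresh recovery password FIRST so the volume is never left without one.
$after = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$oldIds = $old | ForEach-Object KeyProtectorId
$new = $after.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and $oldIds -notcontains $_.KeyProtectorId }

"New recovery password (record it offline; do not back it up to a cloud account):"
"  $($new.RecoveryPassword)"

# Now remove the previous recovery password protector(s); an escrowed copy of them no longer works.
foreach ($kp in $old) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
    "Removed old RecoveryPassword protector $($kp.KeyProtectorId)"
}
```

Print the new password to paper before removing the old protectors if you are unsure; a lost recovery password plus a failed TPM measurement means the data is gone.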


Heh, I subpoenaed Microsoft once in part of some FOIA litigation I did against the White House OMB back in 2017. They, in no unclear terms, denied it. We were seeking documentation.

I realize it's not a court order, but just want to add to the stack that there are examples of them being requested to provide something within the public's interest in a legal context (a FOIA lawsuit) where their counsel pushed back by saying no.


How did you subpoena Microsoft without a court order? Are you saying the court denied your application for an order to produce after Microsoft objected?

I might actually have the details wrong. We requested informally at first whether Microsoft could provide information and they declined. Doesn't look like we ended up going down the subpoena route in the end, so it didn't really matter.

I think you missed my point. Microsoft isn’t that company you describe.

I would guess that the FBI never asks Microsoft for encryption keys without a valid legal order because it knows Microsoft will demand one, and because the FBI rarely has possession of suspect devices without a warrant to search for them and obtain their contents.

It could be a bigger obstacle for other agencies. CBP can hold a device carried by someone crossing the border without judicial oversight. ICE is in the midst of a hiring surge and from what I've read lately, has an abbreviated screening and training process likely not matching the rigor of the FBI. Local law enforcement agencies vary greatly.


>I would guess that the FBI never asks Microsoft for encryption keys without a valid legal order

I keep seeing mentions in the news of FBI agents resigning suddenly.


Great comment.

It’s immensely misleading. At least with a valid legal order we are still living by rule of law. With the recent actions I can’t say ICE is acting by rule of law.

Having said that I won’t go back to Windows.


Broader context is Windows defaults to making their access to your data legally accessible. Their entire Windows platform and OneDrive default to this insecurity.

In light of fascism coming to Democratic cities and anyone documenting it being a registered domestic terrorist... well, that's pretty f'n insecure by default.


The latter is not news, it's the way it has been for quite some time, not just for IT providers, but for businesses in general.

If you are running any kind of service, you should learn how warrants work in the country you are hosting in, come the time, if your service grows, eventually you will have to comply with an order.

If you want anything else you will have to design your system such that you can't even see the data, ala Telegram. And even then, you will get into pretty murky waters.


CALEA and courts have compelled companies to install systems that allow them to track/record targets' communications and data, even if their own systems weren't designed with such abilities in mind.

From [1]:

> USA telecommunications providers must install new hardware or software, as well as modify old equipment, so that it doesn't interfere with the ability of a law enforcement agency (LEA) to perform real-time surveillance of any telephone or Internet traffic.

[1] https://en.wikipedia.org/wiki/Communications_Assistance_for_...


I’m sure there was a time in my life I would have taken those two sentences to mean the same thing but that time is long past.

That's a distinction without a difference. Microsoft should structure Windows such that they're unable to comply with such an order, however legal. There are practical cryptographic ways to do it: Microsoft just doesn't want to. Shame on them.

It is pretty uncontroversial that the owner, in the sense of having responsibility and ultimate control, should control the cryptographic keys. I think the disagreement here is who owns the computer.

Exactly

Microsoft is legally entitled to refuse absent a warrant, but generally all it takes is a phone call from the FBI to get big tech to cough up any authenticating info they actually have.

In a society where laws don’t mean anything “valid legal orders” can quickly be drafted up even if not legal.

> The headline is misleading. It says that Microsoft will provide the key if asked, but the linked statement to Forbes says Microsoft will provide the key if it receives a valid legal order.

This is an odd thing to split hairs over IMO. Warrants or subpoenas or just asking nicely, whatever bar you want to set, is a secondary concern. The main issue is they can and will hand the keys to LEOs at all.


If you don’t like the behavior of a company voluntarily doing something, your problem is with that company. If you don’t like a company complying with the law, your problem is with the law. It is unreasonable to expect anyone or any company to break the law or violate a court order to protect you.

If you don’t trust the institutions issuing those court orders, that is an entirely reasonable stance but it should be addressed at its root cause using our democratic process, however rapidly eroding that process may seem to be.

The fourth amendment protects against warrantless search and seizure, it is not carte blanche to fill up your hard drive with child porn and expect Microsoft to fall on their swords to protect you.


> The fourth amendment protects against warrantless search and seizure, it is not carte blanche to fill up your hard drive with child porn and expect Microsoft to fall on their swords to protect you.

I was understanding and felt your points had validity until you threw out this gross, emotionally manipulative, horrible misrepresentation of my stance.


Only if you see it as that. More charitable is to see it as an example and clear case to illustrate of what might be beyond coverage of the amendment.

I see it as that because of the way it is.

These are common tactics abusers of authority use to continue abusing authority.

The ideal is that they have no ability to comply or not comply: they shouldn't have the keys to begin with.

The ideal is that Microsoft's customers are not idiots who will lose their keys. But that's just not reality, and those customers matter more than using what is arguably the objectively correct design in a certain light.

It is wild to me this has to be explained on HN

The even-more-main-issue is that there is > 0 number of people who thought they wouldn’t

I appreciate the sentiment and do think most people should know not to trust Microsoft by this point, but I do think we have to be a little careful not to steer too hard into caveat emptor and forget who the perpetrators are in the first place.

I hate MS as much as anyone else, but I don't have a problem with them doing this. Legally they have to comply if they have evidence in a legal action. Maybe they are at fault for not solely relying on the TPM, or not giving users informed consent about using the cloud, but I cannot fault them for not going to battle for civil liberties when they can't even implement notepad without screwing it up.

You absolutely can and should fault them. This is a choice they made.
