Close Menu
    Subscribe
    Thursday, February 5
    Tech

    Microsoft provides BitLocker keys to feds in alleged Guam fraud case

    Justin M. LarsonBy No Comments14 Mins Read


    NEWYou can now listen to Fox News articles!

    For years, we’ve been told that encryption is the gold standard for digital privacy. If data is encrypted, it is supposed to be locked away from hackers, companies and governments alike. That assumption just took a hit. 

    In a federal investigation tied to alleged COVID-19 unemployment fraud in Guam, a U.S. territory where federal law applies, Microsoft confirmed it provided law enforcement with BitLocker recovery keys. Those keys allowed investigators to unlock encrypted data on multiple laptops.

    This is one of the clearest public examples to date of Microsoft providing BitLocker recovery keys to authorities as part of a criminal investigation. While the warrant itself may have been lawful, the implications stretch far beyond one investigation. For everyday Americans, this is a clear signal that “encrypted” does not always mean “inaccessible.”

    Sign up for my FREE CyberGuy Report
    Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join my CYBERGUY.COM newsletter.

    HACKERS ABUSE GOOGLE CLOUD TO SEND TRUSTED PHISHING EMAILS

    A view of the Microsoft headquarters

    In the Guam investigation, Microsoft provided BitLocker recovery keys that allowed law enforcement to unlock encrypted laptops. (David Paul Morris/Bloomberg via Getty Images)

    What happened in the Guam BitLocker case?

    Federal investigators believed three Windows laptops held evidence tied to an alleged scheme involving pandemic unemployment funds. The devices were protected with BitLocker, Microsoft’s built-in disk encryption tool enabled by default on many modern Windows PCs. BitLocker works by scrambling all data on a hard drive so it cannot be read without a recovery key. 

    Users can store that key themselves, but Microsoft also encourages backing it up to a Microsoft account for convenience. In this case, that convenience mattered. When served with a valid search warrant, Microsoft provided the recovery keys to investigators. That allowed full access to the data stored on the devices. Microsoft says it receives roughly 20 such requests per year and can only comply when users have chosen to store their keys in the cloud.

    We reached out to Microsoft for comment, but did not hear back before our deadline.

    How Microsoft was able to unlock encrypted data

    According to John Ackerly, CEO and co-founder of Virtru and a former White House technology advisor, the problem is not encryption itself. The real issue is who controls the keys. He begins by explaining how convenience can quietly shift control. “Microsoft commonly recommends that users back up BitLocker recovery keys to a Microsoft account for convenience. That choice means Microsoft may retain the technical ability to unlock a customer’s device. When a third party holds both encrypted data and the keys required to decrypt it, control is no longer exclusive.”

    Once a provider has the ability to unlock data, that power rarely stays theoretical. “When systems are built so that providers can be compelled to unlock customer data, lawful access becomes a standing feature. It is important to remember that encryption does not distinguish between authorized and unauthorized access. Any system designed to be unlocked on demand will eventually be unlocked by unintended parties.”

    Ackerly then points out that this outcome is not inevitable. Other companies have made different architectural choices. “Other large technology companies have demonstrated that a different approach is possible. Apple has designed systems that limit its own ability to access customer data, even when doing so would ease compliance with government demands. Google offers client-side encryption models that allow users to retain exclusive control of encryption keys. These companies still comply with the law, but when they do not hold the keys, they cannot unlock the data. That is not obstruction. It is a design choice.”

    Finally, he argues that Microsoft still has room to change course. “Microsoft has an opportunity to address this by making customer-controlled keys the default and by designing recovery mechanisms that do not place decryption authority in Microsoft’s hands. True personal data sovereignty requires systems that make compelled access technically impossible, not merely contractually discouraged.”

    In short, Microsoft could comply because it had the technical ability to do so. That single design decision is what turned encrypted data into accessible data.

    “With BitLocker, customers can choose to store their encryption keys locally, in a location inaccessible to Microsoft, or in Microsoft’s consumer cloud services,” a Microsoft spokesperson told CyberGuy in a statement. “We recognize that some customers prefer Microsoft’s cloud storage, so we can help recover their encryption key if needed. While key recovery offers convenience, it also carries a risk of unwanted access, so Microsoft believes customers are in the best position to decide whether to use key escrow and how to manage their keys.”

    WHY CLICKING THE WRONG COPILOT LINK COULD PUT YOUR DATA AT RISK

    New CISA warning: Thanksgiving clickjacking threat in popular browsers

    When companies hold encryption keys, lawful requests can unlock far more data than most people expect. (Kurt “CyberGuy” Knutsson)

    Why this matters for data privacy

    This case has reignited a long-running debate over lawful access versus systemic risk. Ackerly warns that centralized control has a long and troubling history. “We have seen the consequences of this design pattern for more than two decades. From the Equifax breach, which exposed the financial identities of nearly half the U.S. population, to repeated leaks of sensitive communications and health data during the COVID era, the pattern is consistent: centralized systems that retain control over customer data become systemic points of failure. These incidents are not anomalies. They reflect a persistent architectural flaw.”

    When companies hold the keys, they become targets. That includes hackers, foreign governments and legal demands from agencies like the FBI. Once a capability exists, it rarely goes unused.

    How other tech giants handle encryption differently

    Apple has designed systems, such as Advanced Data Protection, where it cannot access certain encrypted user data even when served with government requests. Google offers client-side encryption for some services, primarily in enterprise environments, where encryption keys remain under the customer’s control. These companies still comply with the law, but in those cases, they do not possess the technical means to unlock the data. That distinction matters. As encryption experts often note, you cannot hand over what you do not have.

    What we can do to protect our privacy

    The good news is that personal privacy is not gone. The bad news is that it now requires intention. Small choices matter more than most people realize. Ackerly says the starting point is understanding control. “The main takeaway for everyday users is simple: if you don’t control your encryption keys, you don’t fully control your data.”

    That control begins with knowing where your keys are stored. “The first step is understanding where your encryption keys live. If they’re stored in the cloud with your provider, your data can be accessed without your knowledge.”

    Once keys live outside your control, access becomes possible without your consent. That is why the way data is encrypted matters just as much as whether it is encrypted. “Consumers should look for tools and services that encrypt data before it reaches the cloud — that way, it is impossible for your provider to hand over your data. They don’t have the keys.” Defaults are another hidden risk. Many people never change them. “Users should also look to avoid default settings designed for convenience. Default settings matter, and when convenience is the default, most individuals will unknowingly trade control for ease of use.”

    When encryption is designed so that even the provider cannot access the data, the balance shifts back to the individual. “When data is encrypted in a way that even the provider can’t access, it stays private — even if a third party comes asking. By holding your own encryption keys, you’re eliminating the possibility of the provider sharing your data.” Ackerly says the lesson is simple but often ignored. “The lesson is straightforward: you cannot outsource responsibility for your sensitive data and assume that third parties will always act in your best interest. Encryption only fulfills its purpose when the data owner is the sole party capable of unlocking it.” Privacy still exists. It just no longer comes by default.

    700CREDIT DATA BREACH EXPOSES SSNS OF 5.8M CONSUMERS

    Person holds a phone

    Reviewing default security and backup settings can help you keep control of your private data. (Kurt “CyberGuy” Knutsson)

    Practical steps you can take today

    You do not need to be a security expert to protect your data. A few practical checks can go a long way.

    1) Start by checking where your encryption keys live

    Many people do not realize that their devices quietly back up recovery keys to the cloud. On a Windows PC, sign in to your Microsoft account and look under device security or recovery key settings. Seeing a BitLocker recovery key listed online means it is stored with Microsoft. 

    For other encrypted services, such as Apple iCloud backups or Google Drive, open your account security dashboard and review encryption or recovery options. Focus on settings tied to recovery keys, backup encryption, or account-based access. When those keys are linked to an online account, your provider may be able to access them. The goal is simple. Know whether your keys live with you or with a company.

    2) Avoid cloud-based key backups unless you truly need them

    Cloud backups are designed for convenience, not privacy. If possible, store recovery keys offline. That can mean saving them to a USB drive, printing them and storing them in a safe place, or using encrypted hardware you control. The exact method matters less than who has access. If a company does not have your keys, it cannot be forced to turn them over.

    3) Choose services that encrypt data before it reaches the cloud

    Not all encryption works the same way, even if companies use similar language. Look for services that advertise end-to-end or client-side encryption, such as Signal for messages, or Apple’s Advanced Data Protection option for iCloud backups. These services encrypt your data on your device before it is uploaded, which means the provider cannot read it or unlock it later. Here is a simple rule of thumb. If a service can reset your password and restore all your data without your involvement, it likely holds the encryption keys. That also means it could be forced to hand over access. When encryption happens on your device first, providers cannot unlock your data because they never had the keys to begin with. That design choice blocks third-party access by default.

    4) Review default security settings on every new device

    Default settings usually favor convenience. That can mean easier recovery, faster syncing and weaker privacy. Take five minutes after setup and lock down the basics.

    iPhone: tighten iCloud and account recovery

    Turn on Advanced Data Protection for iCloud (strongest iCloud protection)

    • Open Settings
    • Tap your name
    • Tap iCloud
    • Scroll down and tap Advanced Data Protection
    • Tap Turn On Advanced Data Protection
    • Follow the prompts to set up Account Recovery options, like a Recovery Contact or Recovery Key

    Review iCloud Backup

    • Open Settings
    • Tap your name
    • Tap iCloud
    • Tap iCloud Backup
    • Decide if you want it on or off, based on your privacy comfort level

    Strengthen your Apple ID security

    • Open Settings
    • Tap your name
    • Tap Sign-In & Security
    • Make sure Two-Factor Authentication (2FA) is turned on and review trusted phone numbers and devices
    • Review trusted phone numbers and devices

    Android: lock your Google account and backups

    Review and control device backup

    Settings may vary depending on your Android phone’s manufacturer.

    • Open Settings
    • Tap Google
    • Tap Backup (or All services then Backup)
    • Tap Manage backup
    • Choose what backs up and confirm which Google account stores it

    NEW ANDROID MALWARE CAN EMPTY YOUR BANK ACCOUNT IN SECONDS

    Strengthen your screen lock, since it protects the device itself

    Settings may vary depending on your Android phone’s manufacturer.

    • Open Settings
    • Tap Security or Security & privacy
    • Set a strong PIN or password
    • Turn on biometrics if you want, but keep the PIN strong either way

    Secure your Google account

    Settings may vary depending on your Android phone’s manufacturer.

    • Open Settings
    • Tap Google
    • Tap Manage your Google Account
    • Go to Security
    • Turn on 2-Step Verification and review recent security activity

    Mac: enable FileVault and review iCloud settings

    Turn on FileVault disk encryption

    • Click the Apple menu
    • Select System Settings
    • Click Privacy & Security
    • Scroll down and click FileVault
    • Click Turn On
    • Save your recovery method securely

    Review iCloud syncing

    • Open System Settings
    • Click your name
    • Click iCloud
    • Review what apps and data types sync
    • Turn off anything you do not want stored in the cloud

    Windows PC: check BitLocker and where the recovery key is stored

    Confirm BitLocker status and settings

    • Open Settings
    • Go to Privacy & security
    • Tap Device encryption or BitLocker (wording varies by device)

    Check whether your BitLocker recovery key is stored in your Microsoft account

    • Go to your Microsoft account page
    • Open Devices
    • Select your PC
    • Look for Manage recovery keys or a BitLocker recovery key entry
    • If you see a key listed online, it means the key is stored with Microsoft. That is why Microsoft was able to provide keys in the Guam case.

    If your account can recover everything with a few clicks, a third party might be able to recover it too. Convenience can be helpful, but it can also widen access.

    5) Treat convenience features as privacy tradeoffs

    Every shortcut comes with a cost. Before enabling a feature that promises easy recovery or quick access, pause and ask one question. If I lose control of this account, who else gains access? If the answer includes a company or third party, decide whether the convenience is worth it. 

    These steps are not extreme or technical. They are everyday habits. In a world where lawful access can quietly become routine access, small choices now can protect your privacy later.

    Strengthen protection beyond encryption

    Encryption controls who can access your data, but it does not stop every real-world threat. Once data is exposed, different protections matter.

    Strong antivirus software adds device-level protection

    Strong antivirus software helps block malware, spyware and credential-stealing attacks that can bypass privacy settings altogether. Even encrypted devices are vulnerable if malicious software gains control before encryption comes into play.

    The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have strong antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.

    Get my picks for the best 2026 antivirus protection winners for your Windows, Mac, Android and iOS devices at Cyberguy.com

    An identity theft protection service helps when exposure turns into fraud

    If personal data is accessed, sold, or misused, identity protection services can monitor for suspicious activity, alert you early and help lock down accounts before damage spreads. Identity Theft companies can monitor personal information like your Social Security Number (SSN), phone number and email address, and alert you if it is being sold on the dark web or being used to open an account. They can also assist you in freezing your bank and credit card accounts to prevent further unauthorized use by criminals.

    See my tips and best picks on how to protect yourself from identity theft at Cyberguy.com.

    Kurt’s key takeaways

    Microsoft’s decision to comply with the BitLocker warrant may have been legal. That doesn’t make it harmless. This case exposes a hard truth about modern encryption. Privacy depends less on the math and more on how systems are built. When companies hold the keys, the risk falls on the rest of us.

    Do you trust tech companies to protect your encrypted data, or do you think that responsibility should fall entirely on you? Let us know by writing to us at Cyberguy.com.

    CLICK HERE TO DOWNLOAD THE FOX NEWS APP

    Sign up for my FREE CyberGuy Report
    Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join my CYBERGUY.COM newsletter.

    Copyright 2026 CyberGuy.com.  All rights reserved.

    Kurt “CyberGuy” Knutsson is an award-winning tech journalist who has a deep love of technology, gear and gadgets that make life better with his contributions for Fox News & FOX Business beginning mornings on “FOX & Friends.” Got a tech question? Get Kurt’s free CyberGuy Newsletter, share your voice, a story idea or comment at CyberGuy.com.



    Source link

    Share.

    Related Posts

    Add A Comment
    Leave A Reply

    News

    Company

    Services

    © 2026 The Politics Designed by The Politics.