Microsoft backs up users’ encryption keys to its servers, The Intercept’s Micah Lee reports — arguably undermining security protections.
Like other tech companies, Microsoft now automatically encrypts devices with Windows 10 installed. This makes it (in theory) impossible for someone to access your data if they don’t have your password.
But if you want to use encryption on Windows 10 Home Edition, the cheapest version of the operating system, it uploads your key to Microsoft’s servers.
Now, this probably isn’t going to bother ordinary users. In fact, having a backup of their encryption key in the cloud in case they get locked out is likely a benefit for many people.
But users who work in more sensitive roles (journalists, activists, researchers, and so on) could be concerned by the fact that a key that grants access to their devices is on another company’s servers, where it could — theoretically — be accessed by law enforcement or malicious hackers.
More expensive versions of Windows 10, Pro and Enterprise, include software called BitLocker, which allows the user to encrypt their device without sending the key to Microsoft. (They have the option to print it or save it to an external drive instead.) But this isn’t available to Windows Home users.
It’s also possible for a user to delete their key from Microsoft’s servers once it has been uploaded. But there’s no way to avoid uploading it in the first place, which may put off the most security-conscious users.
Business Insider has reached out to Microsoft for comment. A company spokesperson told The Intercept that “when a device goes into recovery mode, and the user doesn’t have access to the recovery key, the data on the drive will become permanently inaccessible. Based on the possibility of this outcome and a broad survey of customer feedback we chose to automatically backup the user recovery key … The recovery key requires physical access to the user device and is not useful without it.”
Of course, even if your keys aren’t backed up elsewhere, that doesn’t mean your data is completely safe from adversaries.
Multiple countries, including Britain, France, and Australia, have “key disclosure” laws that force users to surrender passwords to authorities in certain circumstances under threat of criminal punishments, including fines and jail time.
And as freelance journalist Joseph Cox pointed out in September 2015, there’s another risk: “Thuggish threats. When a police officer discovers a journalist has an encrypted phone, they may just beat up the reporter until the password is revealed.”