Microsoft shared a suspect’s BitLocker keys in a fraud investigation. An exception, or a dangerous precedent?
Last year, the FBI approached Microsoft in connection with a fraud investigation on the island of Guam in the Pacific Ocean. For the investigation, the investigators wanted access to data protected with BitLocker. Microsoft complied with the request and shared the suspects’ keys with the FBI.
According to Forbes, this is the first known case of Microsoft complying with such a request. The company confirms that it will only hand over a BitLocker recovery key with a valid legal warrant and that it receives about twenty such requests annually. Nevertheless, the incident raises quite a few eyebrows over privacy.
Key to the vault
BitLocker is an encryption service that is built into the business versions of Windows. It offers an extra layer of encryption to protect data on your device. The BitLocker recovery key consists of 48 characters, and in rare cases you need to enter it when starting your PC, for example when you tamper with the BIOS settings, or when a Windows update doesn’t quite go as planned.
Microsoft gives you two options for storing the BitLocker key. By default, it is stored in your Microsoft account on the company’s servers. Normally, Microsoft will stay away from it, but in this rare case, the BitLocker keys of the suspects in question were transferred to the police services.
If you want to completely protect yourself against this, you can also indicate that you want to keep your key yourself. This can be locally on your PC, or on an external USB stick or hard drive. Then, of course, you are also fully responsible for the key.
Dangerous precedent?
Although it is, as far as we know, a rare case, the news that Microsoft is willing to share BitLocker keys of business customers with the FBI is causing a stir. Senator Ron Wyden (Democrat) calls it ‘irresponsible for technology companies to supply products in a way that allows them to secretly hand over users’ encryption keys’.
Forbes refers to an earlier case from 2025 in which the notorious ICE unsuccessfully tried to crack BitLocker encryption. Experts fear that this case could serve as a precedent. “Once the US government gets used to a certain capability, it is very difficult to abolish it again,” an American cryptography expert is quoted as saying in Forbes. In the European Union, too, the policymakers behind the contested ‘Chat Control’ law were only too happy to put an end to encryption, but the bill has been (provisionally) withdrawn.
Those same experts note that other tech giants such as Apple and Meta protect their users much better against such requests. For example, iCloud and WhatsApp users have the option to store their keys in an encrypted file in the cloud.
