
Microsoft provided the FBI with BitLocker recovery keys to access encrypted data on user devices, revealing a significant privacy gap that undermines trust in the company’s security architecture.
The incident reportedly occurred early in 2025, when federal investigators served Microsoft with a search warrant during a fraud probe related to Guam’s Covid-era unemployment assistance program. Believing that three laptops seized in the case contained incriminating data, the FBI requested BitLocker recovery keys to unlock the devices. Microsoft complied, handing over the keys, which enabled law enforcement to decrypt the contents.
BitLocker, Microsoft’s full-disk encryption solution, is automatically enabled on many consumer-grade Windows PCs. While it protects user data with strong encryption, Microsoft encourages users to store recovery keys in the cloud via their Microsoft account, a convenience that also grants the company access. According to Microsoft spokesperson Charles Chamberlayne, the company receives approximately 20 such requests per year and complies when legally compelled, but often cannot assist if the user hasn’t uploaded the key.
The case involving the Guam investigation is the first publicly known example of Microsoft handing over BitLocker keys to law enforcement. The defendant, Charissa Tenorio, has pleaded not guilty. Court documents reviewed by Forbes confirm that the government received BitLocker keys from Microsoft, which were then used to extract data from Tenorio’s laptop.
In contrast, Apple’s FileVault and Meta’s WhatsApp offer cloud backup options that maintain end-to-end encryption. Even when data is stored in the cloud, users can retain sole possession of the decryption key, preventing companies from accessing the data even under government pressure.
Although Microsoft allows users to manually store BitLocker keys on a hardware device such as a USB drive, this option is not enabled by default. That default prioritizes convenience over security, creating an exploitable path for state actors. Without Microsoft’s cooperation, BitLocker-encrypted drives remain largely impenetrable, as admitted in a 2025 court filing by an ICE forensic expert who confirmed the agency lacks tools to bypass BitLocker or similar encryption systems.
Users worried about their data safety should avoid storing BitLocker recovery keys in their Microsoft accounts and instead save them offline on a secure USB drive or encrypted external medium. For sensitive data, use third-party encryption tools where only the user holds the key.
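One way to act on that advice, as an added example that is not from Microsoft or the original article: the PowerShell script below rotates the recovery password so that any copy already uploaded stops working, and writes the new one only to a removable drive. It assumes an elevated session on a Windows edition that ships the BitLocker cmdlets, and the drive letter `E:\` and the output file name are hypothetical.

```powershell
#Requires -RunAsAdministrator
param(
    [string]$MountPoint = $env:SystemDrive,   # volume whose recovery password is rotated
    [string]$OfflineDir = 'E:\'               # hypothetical removable drive (assumption)
)

# Refuse to store the key on the encrypted volume itself or on a fixed disk.
$letter = (Split-Path -Path $OfflineDir -Qualifier).TrimEnd(':')
if ("${letter}:" -eq $MountPoint.TrimEnd('\')) { throw "Target is the encrypted volume." }
if ((Get-Volume -DriveLetter $letter).DriveType -ne 'Removable') {
    throw "$OfflineDir is not a removable drive."
}

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.ProtectionStatus -ne 'On') { throw "BitLocker protection is off on $MountPoint." }

# Recovery passwords present now; copies may already sit in the Microsoft account.
$old = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

# Add the new recovery password before removing anything, so one always exists.
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector `
    -WarningAction SilentlyContinue | Out-Null
$new = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector | Where-Object {
    $_.KeyProtectorType -eq 'RecoveryPassword' -and $_.KeyProtectorId -notin $old.KeyProtectorId
}

# Write the offline copy and confirm it is readable before touching the old protectors.
$name = 'BitLocker-{0}-{1}.txt' -f $env:COMPUTERNAME, ($new.KeyProtectorId -replace '[{}]')
$file = Join-Path $OfflineDir $name
"Volume: $MountPoint`r`nProtector ID: $($new.KeyProtectorId)`r`nRecovery password: $($new.RecoveryPassword)" |
    Set-Content -Path $file -Encoding ASCII
if (-not (Select-String -Path $file -SimpleMatch $new.RecoveryPassword -Quiet)) {
    throw "Offline copy could not be verified; old protectors were left in place."
}

# Remove the old recovery passwords; copies of them stored elsewhere no longer unlock the volume.
foreach ($p in $old) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
}

# Show what protects the volume now.
(Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId
```

Afterwards, open the recovery key page of the Microsoft account, delete the stale entries, and confirm that the new protector ID does not appear there.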






