Comment by Zak
1 month ago
The headline is misleading. It says that Microsoft will provide the key if asked, but the linked statement to Forbes says Microsoft will provide the key if it receives a valid legal order.
These have different meanings. Microsoft is legally entitled to refuse a request from law enforcement, and subject to criminal penalties if it refuses a valid legal order.
It does illustrate a significant vulnerability in that Microsoft has access to user keys by default. The public cannot be sure that Microsoft employees or criminals are unable to access those keys.
Nah, you’re just not reading carefully. You must parse everything about this stuff carefully as the words are always crafted. It’s usually more productive to read with a goal to understand what isn’t said as opposed to what is said.
They said “legal order”, which includes a variety of things ranging from administrative subpoenas to judicial warrants. Generally they say warrant if that was used.
A “request” is “Hi Microsoft man, would you please bypass your process and give me customer data?” That doesn’t happen unless it’s for performative purposes. (Like when the FBI was crying about the San Bernardino shooter’s iPhone) Casual asks are problematic for police because it’s difficult to use that information in court.
What exactly was requested sounds fishy as the article states that Microsoft only gets 20 a year, and is responsive to 9 or fewer requests. Apple seems to get more and typically is more responsive. (https://www.apple.com/legal/transparency/us.html)
The other weird thing is that the Microsoft spokesman named in the Forbes article is an external crisis communications consultant. Why use an external guy firewalled from the business for what is a normal business process?
> the article states that Microsoft only gets 20 a year, and is responsive to 9 or fewer requests. Apple seems to get more and typically is more responsive.
That just makes me think that Windows is generally less secure and there are likely a larger number of instances where the AHJ doesn't have to request help from Microsoft to access the data.
Apple has a long history of automatically uploading (and/or "backing up") all documents and media of its customers to iCloud. Microsoft started doing that with OneDrive and OneDrive backups only recently. That + the work Apple put in locking down its phone from users and attackers alike, basically breaks down like this:
Definitely possible.
It just seems like a very low number considering the hundreds of millions or billions of Windows devices.
Hans-Georg Gadamer over here with the advanced hermeneutic
> Microsoft is legally entitled to refuse a request from law enforcement, and subject to criminal penalties if it refuses a valid legal order.
This is a problem, because Microsoft operates in a lot of jurisdictions, but one of them always wants to be the exception and claims that it has jurisdiction over all the others. Not that I personally am of the opinion, that it is wise for the other jurisdiction to trust Microsoft, but if MS wants to secure operating in the other jurisdiction it needs to separate itself from that outsider.
Or maybe not stash everybody's keys?
You're arguing for corporate sovereignty.
I think you need to rethink your position.
Actually I think that corporate sovereignty is inevitable, hence countries should have never allowed companies to get that large. But for this discussion, yes Microsoft just needs to split and/or go to the Cayman Islands.
I don't think corporate sovereignty is needed for that; just blowing up Microsoft into a bunch of independently-operating entities, one per relevant jurisdiction.
Note that they say "legal order" not, specifically, "warrant". Now remember that government agencies have internal memos instructing them that no warrants are needed for them to do things like the 4th amendment, stop citizens, detain citizens, "arrest" citizens, etc.
The same way you cannot be sure that FBI is not criminals
It's a catchy meme for sure, but when people actually start to believe - like for real, not just the usual talking shit that passes for "conversation" with normal people - that law enforcement officers are worse thugs than regular thugs -- that's a fast way to turn into a failed state, where that actually is true.
Causality here actually works both ways, because in free(ish) societies, law enforcement derives its authority more from people's intersubjective belief in that authority, and less from actual use of force.
> when people actually start to believe... that law enforcement officers are worse thugs than regular thugs -- that's a fast way to turn into a failed state, where that actually is true.
It's quite clear that if law enforcement officers are indeed worse or just like regular thugs the failed state will soon materialize regardless of what people think about the issue.
Moreover, isn't the fastest way to a failed state to have people believe that their security agencies are good and proper when in reality they aren't? That kind of naivete is surely a lot worse than a bit of paranoia.
Two weeks ago this would have been completely uncontroversial, but given the repeated executions by shooting people of probable opposite political conviction in the face, things just got a lot more complicated.
Exactly. The discussion should center on the fact that Microsoft's shift was a contingency, not a technical necessity. It cannot have escaped them that their design choices create a legal point of entry for data requests that they are then obligated to fulfill, which would not have been the case with proper end-to-end encryption; in that case they would have told authorities that they simply cannot fulfill these requests.
Crucially, the headline says Microsoft will provide the key if asked by the FBI, which implies a state entity with legal power that extends beyond a typical person's assumptions of "rule of law" and "due process," let alone ethics.
This is all paraphrasing. The closest paraphrase of the original statement to Forbes, from Forbes' article, is:
> Microsoft confirmed to Forbes that it does provide BitLocker recovery keys if it receives a valid legal order.
I suspect the FBI part was added editorially since this specific legal order came from the FBI.
Typical person assumes that FBI is chasing aliens (from outer space) and hardened criminals so bad the local police can't handle them. At least that's what American TV teaches us.
Now CIA, on the other hand, ... well, they won't need to ask for the crypto keys anyway.
Is it meaningfully misleading? How often is this an obstacle for the FBI?
Yes, "asked" versus "ordered" is meaningfully misleading, especially in this context.
There is reasonable suspicion, some might argue evidence, that Microsoft voluntarily cooperated with U.S. Intelligence Community without being compelled by a court order, the most famous instances being leaked in the Snowden disclosures.
To be fair to Microsoft, here's their updated statement (emphasis mine):
"Microsoft confirmed to Forbes that it does provide BitLocker recovery keys if it receives a valid legal order. “While key recovery offers convenience, it also carries a risk of unwanted access, so Microsoft believes customers are in the best position to decide... how to manage their keys,” said Microsoft spokesperson Charles Chamberlayne."
You’ve overly simplified the degree to which a company must accept a court order without pushback.
First they are capable of fulfilling the request in the first place which means their approach or encryption is inherently flawed. Second companies can very much push back on such requests with many examples of such working, but they need to make the attempt.
I would guess that the FBI never asks Microsoft for encryption keys without a valid legal order because it knows Microsoft will demand one, and because the FBI rarely has possession of suspect devices without a warrant to search for them and obtain their contents.
It could be a bigger obstacle for other agencies. CBP can hold a device carried by someone crossing the border without judicial oversight. ICE is in the midst of a hiring surge and from what I've read lately, has an abbreviated screening and training process likely not matching the rigor of the FBI. Local law enforcement agencies vary greatly.
> I would guess that the FBI never asks Microsoft for encryption keys without a valid legal order
I keep seeing mentions in the news of FBI agents resigning suddenly.
Great comment.
It’s immensely misleading. At least with a valid legal order we are still living by rule of law. With the recent actions I can’t say ICE is acting by rule of law.
Having said that I won’t go back to Windows.
Broader context is Windows defaults to making their access to your data legally accessible. Their entire Windows platform and OneDrive defaults to this insecurity.
In light of fascism coming to Democratic cities and anyone documenting it being a registered domestic terrorist... well, that's pretty f'n insecure by default.
The latter is not news, it's the way it has been for quite some time, not just for IT providers, but for businesses in general.
If you are running any kind of service, you should learn how warrants work in the country you are hosting in, come the time, if your service grows, eventually you will have to comply with an order.
If you want anything else you will have to design your system such that you can't even see the data, à la Telegram. And even then, you will get into pretty murky waters.
CALEA and courts have compelled companies to install systems that allow them to track/record targets' communications and data, even if their own systems weren't designed with such abilities in mind.
From [1]:
> USA telecommunications providers must install new hardware or software, as well as modify old equipment, so that it doesn't interfere with the ability of a law enforcement agency (LEA) to perform real-time surveillance of any telephone or Internet traffic.
[1] https://en.wikipedia.org/wiki/Communications_Assistance_for_...
I’m sure there was a time in my life I would have taken those two sentences to mean the same thing but that time is long past.
That's a distinction without a difference. Microsoft should structure Windows such that they're unable to comply with such an order, however legal. There are practical cryptographic ways to do it: Microsoft just doesn't want to. Shame on them.
It is pretty uncontroversial that the owner, in the sense of having responsibility and ultimate control, should control the cryptographic keys. I think the disagreement here is who owns the computer.
Exactly
Microsoft is legally entitled to refuse absent a warrant, but generally all it takes is a phone call from the FBI to get big tech to cough up any authenticating info they actually have.
In a society where laws don’t mean anything “valid legal orders” can quickly be drafted up even if not legal.
> The headline is misleading. It says that Microsoft will provide the key if asked, but the linked statement to Forbes says Microsoft will provide the key if it receives a valid legal order.
This is an odd thing to split hairs over IMO. Warrants or subpoenas or just asking nicely, whatever bar you want to set, is a secondary concern. The main issue is they can and will hand the keys to LEOs at all.
If you don’t like the behavior of a company voluntarily doing something, your problem is with that company. If you don’t like a company complying with the law, your problem is with the law. It is unreasonable to expect anyone or any company to break the law or violate a court order to protect you.
If you don’t trust the institutions issuing those court orders, that is an entirely reasonable stance but it should be addressed at its root cause using our democratic process, however rapidly eroding that process may seem to be.
The fourth amendment protects against warrantless search and seizure, it is not carte blanche to fill up your hard drive with child porn and expect Microsoft to fall on their swords to protect you.
> The fourth amendment protects against warrantless search and seizure, it is not carte blanche to fill up your hard drive with child porn and expect Microsoft to fall on their swords to protect you.
I was understanding and felt your points had validity until you threw out this gross, emotionally manipulative, horrible misrepresentation of my stance.
The ideal is that they have no ability to comply or not comply: they shouldn't have the keys to begin with.
The even-more-main-issue is that there is > 0 number of people who thought they wouldn’t
I appreciate the sentiment and do think most people should know not to trust Microsoft by this point, but I do think we have to be a little careful not to steer too hard into caveat emptor and forget who the perpetrators are in the first place.
I hate MS as much as anyone else, but I don't have a problem with them doing this. Legally they have to comply if they have evidence in a legal action. Maybe they are at fault for not solely relying on the TPM, or not giving users informed consent about using the cloud, but I cannot fault them for not going to battle for civil liberties when they can't even implement notepad without screwing it up.
You absolutely can and should fault them. This is a choice they made.