Simon Cocks/Flickr

Microsoft is storing users' sensitive encryption keys in the cloud

The action could make it possible for malicious hackers to gain access to a person’s Windows 10 device.

MICROSOFT BACKS UP users’ encryption keys to its servers, The Intercept’s Micah Lee reports — arguably undermining security protections.

Like other tech companies, Microsoft now automatically encrypts devices with Windows 10 installed. This makes it (in theory) impossible for someone to access your data if they don’t have your password.

But if you want to use encryption on Windows 10 Home Edition, the cheapest version of the operating system, it uploads your key to Microsoft’s servers.

Now, this probably isn’t going to bother ordinary users. In fact, having a backup of their encryption key in the cloud in case they get locked out is likely a benefit for many people.

But users who work in more sensitive roles (journalists, activists, researchers, and so on) could be concerned by the fact that a key that grants access to their devices is on another company’s servers, where it could – theoretically – be accessed by law enforcement or malicious hackers.

More expensive versions of Windows 10 – Pro and Enterprise – include software called BitLocker, which allows the user to encrypt their device without sending the key to Microsoft (they have the option to print it or save it to an external drive instead). But this isn’t available to Windows Home users.

It’s also possible for a user to delete their key from Microsoft’s servers once it has been uploaded. But there’s no way to avoid uploading it in the first place, which may put off the most security-conscious users.

Business Insider has reached out to Microsoft for comment. A company spokesperson told The Intercept that “when a device goes into recovery mode, and the user doesn’t have access to the recovery key, the data on the drive will become permanently inaccessible”.

“Based on the possibility of this outcome and a broad survey of customer feedback we chose to automatically backup the user recovery key … The recovery key requires physical access to the user device and is not useful without it.”

Of course, even if your keys aren’t backed up elsewhere, that doesn’t mean your data is completely safe from adversaries.

Multiple countries – including Britain, France, and Australia – have “key disclosure” laws that force users to surrender passwords to authorities in certain circumstances under threat of criminal punishments, including fines and jail time.

And as freelance journalist Joseph Cox pointed out in September 2015, there’s another risk: “Thuggish threats. When a police officer discovers a journalist has an encrypted phone, they may just beat up the reporter until the password is revealed.”

Published with permission from