In a noteworthy development last year, the FBI approached Microsoft with a legal warrant, seeking access to encryption keys that could unlock data on three laptops. This move was part of an investigation into suspected fraud linked to the COVID-19 unemployment assistance program in Guam. Microsoft complied with the request, handing over the keys to the authorities.

Traditionally, tech companies have resisted such demands for encryption keys from authorities. A prominent example is Apple’s refusal in 2016 to grant the FBI access to the phone of the San Bernardino shooters. Despite the FBI’s efforts, they had to rely on a third-party to unlock the device, eventually dropping the case. At that time, major tech giants like Google and Facebook rallied behind Apple, advocating for user privacy. Microsoft also supported Apple’s stance, albeit with less fervor than some of its counterparts.

However, in this particular situation, Microsoft chose a different path. The company confirmed to Forbes that it does provide BitLocker recovery keys when presented with a valid legal order. Microsoft spokesperson Charles Chamberlayne explained to The Verge that the company is obligated by law to produce keys stored on its servers.

Chamberlayne further clarified that customers have the option to store their encryption keys either locally, where Microsoft cannot access them, or in Microsoft’s cloud. He acknowledged, “While storing keys in the cloud offers convenience for recovery purposes, it also introduces the risk of unauthorized access.”

In response, Oregon Senator Ron Wyden criticized the practice, labeling it “irresponsible” for companies to “secretly turn over users’ encryption keys,” as he stated to Forbes.

This situation has raised concerns among privacy advocates, including the ACLU. They worry about the precedent this sets and the potential for misuse. Under the current administration, and particularly with agencies like ICE, there have been instances of disregard for data security and legal protocols. Jennifer Granick, counsel for surveillance and cybersecurity at the ACLU, pointed out to Forbes that this compliance might embolden foreign governments with dubious human rights records to demand similar access to Microsoft’s customer data.