Zak 3 hours ago

The headline is misleading. It says that Microsoft will provide the key if asked, but the linked statement to Forbes says Microsoft will provide the key if it receives a valid legal order.

These have different meanings. Microsoft is legally entitled to refuse a request from law enforcement, and subject to criminal penalties if it refuses a valid legal order.

It does illustrate a significant vulnerability in that Microsoft has access to user keys by default. The public cannot be sure that Microsoft employees or criminals are unable to access those keys.

Spooky23 3 hours ago | parent | next [-]

Nah, you’re just not reading carefully. You must parse everything about this stuff carefully as the words are always crafted. It’s usually more productive to read with a goal to understand what isn’t said as opposed to what is said.

They said “legal order”, which includes a variety of things ranging from administrative subpoenas to judicial warrants. Generally they say warrant if that was used.

A “request” is “Hi Microsoft man, would you please bypass your process and give me customer data?” That doesn’t happen unless it’s for performative purposes. (Like when the FBI was crying about the San Bernardino shooter’s iPhone) Casual asks are problematic for police because it’s difficult to use that information in court.

What exactly was requested sounds fishy as the article states that Microsoft only gets 20 a year, and is responsive to 9 or fewer requests. Apple seems to get more and typically is more responsive. (https://www.apple.com/legal/transparency/us.html)

The other weird thing is that the Microsoft spokesman named in the Forbes article is an external crisis communications consultant. Why use an external guy firewalled from the business for what is a normal business process?

b00ty4breakfast 2 hours ago | parent [-]

Hans-Georg Gadamer over here with the advanced hermeneutic

stabbles 3 hours ago | parent | prev | next [-]

Exactly. The discussion should center on the fact that Microsoft's shift was a contingency, not a technical necessity. It cannot have escaped them that their design choices create a legal point of entry for data requests that they are then obligated to fulfill, which would not have been the case with proper end-to-end encryption; in that case they would have told authorities that they simply cannot fulfill these requests.

DmitryO 3 hours ago | parent | prev | next [-]

The same way you cannot be sure that the FBI is not criminals

hinkley an hour ago | parent | prev | next [-]

I’m sure there was a time in my life I would have taken those two sentences to mean the same thing but that time is long past.

mossTechnician 3 hours ago | parent | prev | next [-]

Crucially, the headline says Microsoft will provide the key if asked by the FBI, which implies a state entity with legal power that extends beyond a typical person's assumptions of "rule of law" and "due process," let alone ethics.

JohnTHaller 2 hours ago | parent | prev | next [-]

Note that they say "legal order" not, specifically, "warrant". Now remember that government agencies have internal memos instructing them that no warrants are needed for them to do things like the 4th amendment, stop citizens, detain citizens, "arrest" citizens, etc.

0x262d 3 hours ago | parent | prev | next [-]

Is it meaningfully misleading? How often is this an obstacle for the FBI?

runjake 3 hours ago | parent | next [-]

Yes, "asked" versus "ordered" is meaningfully misleading, especially in this context.

There is reasonable suspicion, some might argue evidence, that Microsoft voluntarily cooperated with the U.S. Intelligence Community without being compelled by a court order, the most famous instances being leaked in the Snowden disclosures.

To be fair to Microsoft, here's their updated statement (emphasis mine):

"Microsoft confirmed to Forbes that it does provide BitLocker recovery keys if it receives a valid legal order. “While key recovery offers convenience, it also carries a risk of unwanted access, so Microsoft believes customers are in the best position to decide... how to manage their keys,” said Microsoft spokesperson Charles Chamberlayne."

Retric 2 hours ago | parent [-]

You’ve overly simplified the degree to which a company must accept a court order without pushback.

First, they are capable of fulfilling the request in the first place, which means their approach or encryption is inherently flawed. Second, companies can very much push back on such requests, with many examples of such working, but they need to make the attempt.

Zak an hour ago | parent [-]

I don't think it's reasonable to expect businesses to spend money fighting court orders for customer data, especially if the orders are more or less reasonable.

They do seem to be reasonable in the case that brought about this reporting, with substantial evidence that the suspects committed fraud and that evidence is on the devices in question.

Retric 19 minutes ago | parent [-]

Never means the specifics are irrelevant, you’re making the sad argument on the worst possible case and the best one.

So why should customers entrust their data to the company? It’s a transactional relationship and the less you do the less reason someone has to pay you.

Further, our legal system is adversarial; it assumes someone is going to defend you. Without that there’s effectively zero protection for individuals.

Zak 2 hours ago | parent | prev | next [-]

I would guess that the FBI never asks Microsoft for encryption keys without a valid legal order because it knows Microsoft will demand one, and because the FBI rarely has possession of suspect devices without a warrant to search for them and obtain their contents.

It could be a bigger obstacle for other agencies. CBP can hold a device carried by someone crossing the border without judicial oversight. ICE is in the midst of a hiring surge and from what I've read lately, has an abbreviated screening and training process likely not matching the rigor of the FBI. Local law enforcement agencies vary greatly.

bnjms 3 hours ago | parent | prev | next [-]

It’s immensely misleading. At least with a valid legal order we are still living by rule of law. With the recent actions I can’t say ICE is acting by rule of law.

Having said that I won’t go back to Windows.

cyanydeez 3 hours ago | parent | prev [-]

Broader context is Windows defaults to making their access to your data legally accessible. Their entire Windows platform and OneDrive defaults to this insecurity.

In light of fascism coming to Democratic cities and anyone documenting it being a registered domestic terrorist...well that's pretty f'n insecure by default.

deadbabe 2 hours ago | parent | prev | next [-]

In a society where laws don’t mean anything “valid legal orders” can quickly be drafted up even if not legal.

TZubiri 34 minutes ago | parent | prev | next [-]

The latter is not news, it's the way it has been for quite some time, not just for IT providers, but for businesses in general.

If you are running any kind of service, you should learn how warrants work in the country you are hosting in, come the time, if your service grows, eventually you will have to comply with an order.

If you want anything else you will have to design your system such that you can't even see the data, à la Telegram. And even then, you will get into pretty murky waters.

Forgeties79 2 hours ago | parent | prev | next [-]

> The headline is misleading. It says that Microsoft will provide the key if asked, but the linked statement to Forbes says Microsoft will provide the key if it receives a valid legal order.

This is an odd thing to split hairs over IMO. Warrants or subpoenas or just asking nicely, whatever bar you want to set, is a secondary concern. The main issue is they can and will hand the keys to LEOs at all.

bdangubic 2 hours ago | parent | next [-]

The even-more-main-issue is that there is > 0 number of people who thought they wouldn’t

Forgeties79 2 hours ago | parent [-]

I appreciate the sentiment and do think most people should know not to trust Microsoft by this point, but I do think we have to be a little careful not to steer too hard into caveat emptor and forget who the perpetrators are in the first place.

gosub100 an hour ago | parent | prev [-]

I hate MS as much as anyone else, but I don't have a problem with them doing this. Legally they have to comply if they have evidence in a legal action. Maybe they are at fault for not solely relying on the TPM, or not giving users informed consent about using the cloud, but I cannot fault them for not going to battle for civil liberties when they can't even implement notepad without screwing it up.

Forgeties79 19 minutes ago | parent [-]

You absolutely can and should fault them. This is a choice they made.

bitwize an hour ago | parent | prev | next [-]

Microsoft is legally entitled to refuse absent a warrant, but generally all it takes is a phone call from the FBI to get big tech to cough up any authenticating info they actually have.

quotemstr 2 hours ago | parent | prev [-]

That's a distinction without a difference. Microsoft should structure Windows such that they're unable to comply with such an order, however legal. There are practical cryptographic ways to do it: Microsoft just doesn't want to. Shame on them.