Jump to content

Here’s Why Windows 8.1’s Encryption Doesn’t Seem to Scare the FBI

securitybreach

By securitybreach
in Security & Networking

 Share

Recommended Posts

securitybreach

securitybreach

Posted
Posted

This article is from last year but worth a read if you haven't read it before.

 

The FBI isn’t happy about the latest versions of iOS and Android using encryption by default. FBI director James Comey has been blasting both Apple and Google. Microsoft is never mentioned — but Windows 8.1 uses encryption by default, too. The FBI doesn’t seem worried about Windows 8.1’s default “device encryption” feature. Microsoft’s encryption works a bit differently — Microsoft holds the keys and could hand them over to the FBI.

 

Why the FBI is Blasting Apple and Google

 

FBI directory James Comey has said Apple and Google are creating “a black hole for law enforcement.” Encryption “threatens to lead us all to a very dark place,” according to the FBI.

 

The latest versions of Apple’s iOS and Google’s Android automatically encrypt a smartphone or tablet’s storage by default. Previously, this was just an option most users wouldn’t enable. Because of the way encryption works, only a person who knows the key can decrypt it and access the unencrypted files. If Apple or Google received a warrant — or some sort of secret “national security letter” — they wouldn’t be able to decrypt the files even if they wanted to. They don’t have the encryption key. (A national security letter is a secret order that may contain a “nondisclosure” requirement, preventing the person who received the national security letter from ever talking about it for the rest of their life under threat of criminal prosecution.)...............................

 

Windows 8.1’s Device Encryption Gives Microsoft a Key

 

New Windows 8.1 devices ship with something called “device encryption” enabled by default. This is different from the BitLocker encryption feature, which is only available in more expensive Professional editions of Windows and not enabled by default.

 

If you have a supported device, the device’s storage comes pre-encrypted — but it uses an empty encryption key. When you sign in with a Microsoft account, the encryption is activated and a recovery key is uploaded to Microsoft’s servers. (If you sign in on a domain, the recovery key is uploaded to Active Directory Domain Services, so your business or school has it instead of Microsoft.) If you use a local account, there’s no way to enable the device encryption.

 

In other words, device encryption can only be used if you upload a recovery key to Microsoft’s servers (or to your organization’s domain server). If a thief stole your device, they wouldn’t be able to gain access. However, if law enforcement were to send a warrant (or a secret national security letter) to Microsoft, Microsoft would be forced to give the government your recovery key............

 

Overall, device encryption is still a useful feature in Windows. Encrypting files but allowing the FBI to gain access is still an improvement over not encrypting those files. The encryption at least prevents thieves from gaining access. Let’s not mince words: Device encryption is good. It’s better than the complete lack of default encryption Windows used to offer, even with this concern.

 

However, Microsoft’s means of allowing law enforcement to access encrypted files is something that’s flown under the radar. It’s particularly relevant when we see Apple and Google digging in and refusing to enable this covert access. Apple and Google can’t provide law enforcement with access to your encrypted data, but Microsoft can.

 

http://www.howtogeek...-scare-the-fbi/

Link to comment
Share on other sites
goretsky

goretsky

Posted
Posted

Hello,

 

Here's a paper I wrote mentioning device encryption in Windows 8.1 from 2013: welivesecurity.com/2013/11/17/windows-8-1-security-improvements. Actually, that's a blog post about the paper. The link is towards the bottom. In a nutshell, if you're not attached to an ActiveDirectory-managed domain, the key is stored as part of your Microsoft Account data at Microsoft.

 

I'm not sure what happens if you don't create a Microsoft Account during installation, though.

 

If you are concerned about this, and not in a managed domain, it might be a good idea to look into some other form of whole disk encryption.

 

Regards,

 

Aryeh Goretsky

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...