According to 9to5Mac, Microsoft recently confirmed it handed over BitLocker recovery keys to the FBI for three Windows laptops seized in a 2023 fraud investigation related to Guam’s COVID unemployment assistance program. This is being contrasted with Apple’s high-profile 2015 refusal to help the FBI break into the San Bernardino shooter’s iPhone, a case that involved creating a tool to bypass the device’s Secure Enclave encryption. The critical detail, however, is that Microsoft provided keys the users had voluntarily backed up to its cloud service, which uses weaker encryption for recoverability. Apple, for years, did the same with iCloud data until offering its Advanced Data Protection (ADP) end-to-end encryption option last year. Both companies ultimately leave the security choice to the user, and the FBI obtained a valid warrant for the Microsoft data.
Why the comparison fails
Look, this isn’t Microsoft rolling over. It’s them complying with a warrant for data they had the technical ability to access. And they had that ability because the laptop owners chose a convenience feature: backing up their BitLocker recovery key to their Microsoft account. That backup isn’t protected by the same strong, on-device encryption. It’s a deliberate design choice for customer recovery. So when the FBI came knocking with a court order for those specific keys, Microsoft had them. The Apple-FBI fight was fundamentally different. The FBI wanted Apple to create a new tool to break a security system that, at the time, had no backdoor. Complying would have weakened every iPhone. Microsoft just handed over keys from a cloud locker the users themselves filled.
The real story: user choice and trade-offs
Here’s the thing nobody likes to admit: absolute security is often at odds with convenience and recoverability. Microsoft’s model with BitLocker key backup and Apple’s old iCloud model (and even its current default setting) acknowledge this. They give average users a lifeline. Forget your PIN? Lose your password? If your encryption key is only on the device, you’re locked out forever. That’s a non-starter for most people. So companies offer a managed key service. But that service becomes a point of legal vulnerability. Apple’s Advanced Data Protection and the option to not back up your BitLocker key to Microsoft are for the privacy-conscious who accept that recovery risk. It’s a classic trade-off, and both tech giants are now, basically, putting that choice in your hands.
Security is a spectrum, not a switch
We tend to think of device encryption as a binary: it’s either on or off. But the infrastructure around it creates a spectrum. On one end, you have fully user-controlled, end-to-end encrypted data with no corporate recourse—great for security, terrible for customer service. On the other, you have fully managed keys where the company can always help you (and, by extension, authorities). Most consumers and businesses operate somewhere in the middle. This is true for personal devices and even critical industrial panel PCs, where the leading suppliers understand that operational resilience sometimes requires managed access solutions alongside robust physical security. The real takeaway? You can’t outsource your threat model. If you don’t want Microsoft or Apple to ever have a key, you have to configure your system that way and accept the consequences. The policy is now clear: the choice, and the responsibility, is yours.
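To make the trade-off in the last two sections concrete, here is a small model of how a BitLocker-style volume key is protected and what cloud escrow changes. This is an added example written for this article, not code from Microsoft, Apple, or the 9to5Mac report: a 256-bit volume master key (VMK) is wrapped under several independent protectors (a TPM+PIN analogue and a recovery-password analogue), any one of which unlocks the volume. The wrap itself is a stand-library toy (a PBKDF2-derived keystream XOR plus an HMAC tag) so the script runs offline; real BitLocker wraps the VMK with AES. The `CloudEscrow` class, the account name and the PIN value are constructed for the illustration.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Optional

KEY_LEN = 32  # 256-bit volume master key (VMK)


def _derive(secret: bytes, salt: bytes) -> bytes:
    """PBKDF2 -> 64 bytes: [0:32] wraps the VMK, [32:64] authenticates the wrap."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000, dklen=64)


@dataclass
class Protector:
    kind: str      # "tpm_pin" or "recovery_password" in this model
    salt: bytes
    wrapped: bytes
    tag: bytes


def wrap_vmk(vmk: bytes, kind: str, secret: bytes) -> Protector:
    """Toy key wrap: XOR with a derived keystream, authenticated by HMAC."""
    salt = os.urandom(16)
    ks = _derive(secret, salt)
    wrapped = bytes(a ^ b for a, b in zip(vmk, ks[:KEY_LEN]))
    tag = hmac.new(ks[KEY_LEN:], salt + wrapped, "sha256").digest()
    return Protector(kind, salt, wrapped, tag)


def unwrap_vmk(p: Protector, secret: bytes) -> Optional[bytes]:
    """Return the VMK if `secret` matches this protector, else None."""
    ks = _derive(secret, p.salt)
    tag = hmac.new(ks[KEY_LEN:], p.salt + p.wrapped, "sha256").digest()
    if not hmac.compare_digest(tag, p.tag):
        return None  # wrong secret or tampered blob
    return bytes(a ^ b for a, b in zip(p.wrapped, ks[:KEY_LEN]))


@dataclass
class Volume:
    vmk: bytes = field(default_factory=lambda: secrets.token_bytes(KEY_LEN))
    protectors: list = field(default_factory=list)

    def add_protector(self, kind: str, secret: bytes) -> None:
        self.protectors.append(wrap_vmk(self.vmk, kind, secret))

    def remove_protector(self, kind: str) -> None:
        # Analogue of deleting a recovery-password protector: any copy of
        # that password, escrowed or not, stops being useful.
        self.protectors = [p for p in self.protectors if p.kind != kind]

    def unlock(self, secret: bytes) -> bool:
        """Any one protector that accepts the secret releases the VMK."""
        return any(unwrap_vmk(p, secret) == self.vmk for p in self.protectors)


class CloudEscrow:
    """Constructed stand-in for 'back up your recovery key to your account'."""

    def __init__(self) -> None:
        self._store = {}

    def backup(self, account: str, recovery_password: bytes) -> None:
        self._store[account] = recovery_password

    def disclose(self, account: str) -> Optional[bytes]:
        # The provider can only produce what the user escrowed.
        return self._store.get(account)


def scenario(escrow_recovery_key: bool) -> dict:
    """Run the same volume through the 'backed up' and 'local only' paths."""
    vol = Volume()
    pin = b"1234"                             # constructed sample PIN
    recovery = secrets.token_bytes(KEY_LEN)   # recovery-password analogue
    vol.add_protector("tpm_pin", pin)
    vol.add_protector("recovery_password", recovery)

    cloud = CloudEscrow()
    if escrow_recovery_key:
        cloud.backup("user@example.com", recovery)   # the convenience path

    disclosed = cloud.disclose("user@example.com")
    # The same escrowed copy serves a user who forgot the PIN and a
    # provider answering a valid warrant: there is no third state.
    escrow_unlocks = disclosed is not None and vol.unlock(disclosed)

    vol.remove_protector("recovery_password")
    return {
        "user_unlocks_with_pin": vol.unlock(pin),
        "escrowed_copy_unlocks": escrow_unlocks,
        "wrong_secret_unlocks": vol.unlock(b"0000"),
        "escrowed_copy_after_protector_removed": vol.unlock(recovery),
    }
```

Running `scenario(True)` and `scenario(False)` side by side shows the spectrum from the last section in four booleans: the PIN always works, the escrowed copy works only when the user chose to back it up, and removing the recovery protector neutralises an already-escrowed copy without touching the data. That last case is the practical move for someone who backed a key up earlier and has since changed their mind.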
