Should Microsoft Have the Keys to My Stuff?
by Simon Tidnam
The technology behind computer security is getting more and more sophisticated, but the purpose behind it remains reassuringly simple. It all comes down to access. Who can see your stuff? Who can’t see your stuff? Who makes the decision? These are straightforward questions and when a security concern arises, these are the ones we should ask first.
Microsoft has been criticized this week after The Intercept reported that Microsoft is automatically uploading and storing a copy of your encryption key. Microsoft prefers to call this a “recovery” key and explains that it decided to create a backup to make sure that the user can always regain access to their encrypted files. How should Windows 10 users feel about this? Let’s go back to our three questions. Who can see your stuff? You and Microsoft, providing that Microsoft has physical access to your Windows device. Who can’t see your stuff? Anyone who doesn’t have both your encryption/recovery key and possession of your device. Who makes the decision? This is where it starts to get troubling. You can give people access, but so can Microsoft, and you won’t necessarily be aware if your key is being shared with others.
It’s true that keeping a copy of your encryption key is important. In fact, you probably have several keys to keep track of. If you have a smartphone, tablet, desktop, laptop, and an external drive, you should keep them all encrypted. That way, if one of your devices is lost or stolen, the damage is limited to inconvenience and the cost of a replacement. However, the fact that you should always use encryption doesn’t mean you should always share your keys with Microsoft.
It’s highly likely that Microsoft isn’t the only company that has been copying customer encryption keys. If you are a Windows user, Microsoft is a logical candidate as a third party for storing your keys. As the owner of the encrypted device, you should be given a transparent choice: do you want to create a recovery key? If you do, you should be able to choose from a list of encryption key providers. Perhaps you’d prefer to trust a company like Twitter, Facebook, or Google with your key? If you decline to create a backup with a third party, your wishes should be respected.
You should have the option of protecting your privacy perfectly. In this case, you won’t want to share your encryption key with Microsoft or anyone else.
Visit the Drive Trust Alliance to learn more.