Microsoft gave U.S. federal agents the digital keys needed to unlock three encrypted laptops linked to a massive COVID unemployment scam in Guam.
This case shows how cloud-stored encryption keys can help law enforcement, but also raises big privacy worries for everyday users.
Early last year, in 2025, FBI investigators in Guam got a search warrant for Microsoft. They wanted recovery keys for three laptops tied to a plot stealing funds from the island’s COVID relief program.
Crooks had handled unemployment aid and pocketed millions. The laptops held proof of the crime, but strong encryption blocked access.
BitLocker, Microsoft’s built-in tool on many Windows PCs, locked the data tightly. It scrambles files so only the right key can unscramble them. Without it, the drives stay sealed even from owners who forget passwords.
How BitLocker Keys Work and the Cloud Risk
BitLocker turns on automatically on newer Windows devices to protect hard drives. Users pick where to save the 48-digit recovery key:
- On a USB drive or printed paper, they control.
- Or in Microsoft’s cloud servers for easy access.
Storing in the cloud helps if you lock yourself out after wrong password tries. But it opens a backdoor. Law enforcement can demand the key with a valid warrant, and Microsoft must hand it over.
In Guam, that’s exactly what happened. Agents got the keys and cracked the laptops open.
Microsoft told Forbes it follows legal orders for BitLocker keys. Spokesperson Charles Chamberlayne said: “While key recovery offers convenience, it also carries a risk of unwanted access, so Microsoft believes customers are in the best position to decide… how to manage their keys.”
The company gets about 20 such requests yearly. Often, it can’t help because users didn’t save keys in the cloud. Microsoft urges people to think twice about cloud storage for max privacy.
This isn’t new; tech giants like Apple and Google face similar demands. But it spotlights BitLocker’s double edge: great protection from hackers, yet vulnerable to government subpoenas.
Experts say: Export your key offline. Use hardware like YubiKey for better security. As scams evolve, balancing convenience and privacy remains key.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
