Risk Perspective


Writing in response to Adam Shostack’s excellent post “Bitlocker, the FBI, and Risk”. He nicely highlights the fundamental risk trade-off in data protection: so long as we (often very rightly) prioritize availability, we need measures that may compromise confidentiality. I also especially liked the touch of a risk analysis that uses no numbers and explicitly points that out.

On the “tradeoff between availability and confidentiality”, my best answer is independent third-party key escrow as an option, with the OS maker as the default.

As I frame this, MSFT is mainly trading off three kinds of risk:

  1. Reputation: users lose the key and blame MSFT
  2. Legal: penalties for resisting government requests, with a low chance of ultimately succeeding
  3. Bad PR: complying with government requests by granting access is seen as a bad thing

To me it’s crystal clear that risk #3 is very minor in the big picture, compared with #1, where the excuse is “we told you so in fine print”, and #2, where it is “we were forced”. I’m not sure what choices users have or how clearly they are warned, but there is precedent that the great majority of users go with the defaults and cannot be bothered.

Incidentally, it’s long been unclear to me whether “availability” in the security triad includes permanent data loss or refers only to temporary unavailability; that is, whether it overlaps with integrity or not. I think less overlap is cleaner as a model, but on the face of the meaning of the words, once destroyed, data is certainly unavailable thereafter.

Finally, I have to add that a [public threat model (PTM)](https://arxiv.org/pdf/2511.08295) for BitLocker would have been great to really understand this!