Windows Users Are Cooked: Microsoft’s Encryption Mushroom Cloud Isn’t Going Away

The huge Microsoft encryption mushroom cloud in the news isn’t a surprise, yet it still hurts to watch.

Microsoft just seized the dubious award for being the only major platform that enterprise customers can NOT trust.

Bikini Atoll, 1946: U.S. officials assured displaced residents the nuclear tests posed no long-term danger and they could return home soon. The atoll remains uninhabitable eight decades later—a testament to the gap between institutional safety claims and empirical reality.

The only real moat of Microsoft, giving their users a safe island if you will, was that it represented enterprise values. The CEO has completely bombed this, within a decade, especially the past five years.

Every C-level who reads the news today about safety of their stored data has to answer to their board tomorrow: why are we still running Windows?

Get rid of it.

DO NOT delay.

The infamous Ireland encryption case, that we all spilled so much ink about five years ago, was a decision point.

…Microsoft was told by the US government to hand over data in Ireland. Had Microsoft built a private-key solution, linked to the national identity of users, they could have demonstrated an actual lack of access to that data. Instead you find Microsoft boasting to the public that state boundaries have been erased, your data moves with you wherever you go, while telling the US government that data in Ireland can’t be accessed.

Microsoft said back then they fought for privacy. The evidence however reveals Microsoft built a lock where they personally kept a copy of every key for them to use without transparency.

I warned about this back then, and unfortunately I’m right. They sold borderless access to users while claiming territorial limits to courts. The architecture was secretly designed to serve Microsoft’s interests, not corporate or anyone else’s privacy. Ireland was theater. Guam is the reveal.

Five years and the Brad Smith stage lipstick rubbed off, exposing a monster CEO that no corporation should be buying anything from anymore. As I asked three years ago:

Nadella’s hidden persona pushes a cut-throat culture of blood-curdling calls to jump into thoughtless action regardless of societal cost. A wolf in lamb’s clothing. So, will Microsoft’s Mister Hyde manifest in changes noticeable to the public?

What force of conviction would the investigators in Guam have lacked without the keys? I suspect Brad Smith could have threaded this needle, maybe. He would have laid out some kind of ethical rules and order, maybe. Holding a key is dangerous. Immanuel Kant would have said you don’t give keys to the barbarians; you must lie. Instead, Microsoft did the exact opposite and went public with their data-leaking Mister Hyde.

To be clear, I’m an old hat at encryption and digital forensics. I’m an advocate and practitioner of complex key management systems designed to serve lawful purposes. In 2019 I delivered field-level key management into one of the most popular databases, which I had initiated and championed in 2017. And I’ve also been known to defend Microsoft, despite hating them in almost every way for four decades. But this Guam news goes beyond the pale for me, and proves the Samaritan exceptions of Brad Smith were never the rule in Redmond.

The keys likely never were needed in Guam. The keys instead are a political statement about divisiveness and authority. Balance evaporated into propaganda, the kind that Microsoft probably thinks curries favor with the American dictator.

Being a long-time designer and practitioner of emergency exits for worker safety (e.g. avoiding horrible tragedy in Switzerland on New Year’s Eve), to me this is like reading how a construction company kept keys to give out on their authority, which coincides with their political corruption aims.

That’s neither proper design nor operation of emergency exits. It’s not invalidation of the exits, it’s condemnation of the builder. It’s Facebook levels of immorality. Ugh.

Microsoft blew it.

Boom.

They took a dangerous design that had the power of undermining their entire value proposition, like a nuclear warhead never meant to be used, and they just punched a giant self-destruct button, presumably as their proof of loyalty to a dictator.

Matt Green, renowned expert of cryptography (different from social science of key management, but adjacent), told Forbes:

If Apple can do it, if Google can do it, then Microsoft can do it. Microsoft is the only company that’s not doing this.

An ICE forensic expert in early 2025 court documents said they need encryption vendors to hand over keys:

…does not possess the forensic tools to break into devices encrypted with Microsoft BitLocker, or any other style of encryption.

Let me explain the gap between “just do it” and “just do it”, given they are exact opposite expectations. It’s all about the long-known political economy of enterprise software, creating small authority within larger authority. I mean here’s why it’s not a surprise failure, just a huge disappointment.

Apple and Google were built and marketed under libertarian values for radical user authority. Individuals are expected to hold absolute sovereignty, tied to themselves and no one else. Your device, your data, your keys, answering to no one ever (Steve Jobs infamously refused to register a license plate for his cars, Larry Page would rather exile himself to a deserted island than pay a tax). That’s the extreme individualist consumer model, ideologically committed to the “übermensch” who uses tools in opposition and against any other hierarchy.

Enterprises were wisely reluctant to adopt such consumer-only flat hierarchy devices because of obvious misalignment. The whole point of the enterprise is how an organization has leadership that holds mutually respected authority over its individuals.

Microsoft monetized the business of non-state hierarchy. That was the product. Exchange, Domains, SharePoint, Active Directory, and Group Policies were all proprietary implementations of standards built on the assumption that any organization of any size wants to pay for trusted group controls. Admins and “master keys” developed as the whole point, with all the baggage of that phrase, while “golden keys” were a clear danger. The exec team can see everything, while role-based staff get limited and revocable grants. The enterprise entity, not the subjects, was the primary Microsoft customer (direct consumer-focused products fizzled and failed repeatedly).

Enterprise customers wanted governance with a known “master”, a parental-like authority structure. They paid for it. Microsoft delivered it. And it made corporations more legal, more aligned with safety in group contexts, not less.

The betrayal isn’t that Microsoft built hierarchical key systems, which remain a foundation of ethics in business. The betrayal is that Microsoft violated the balance, pierced the boundary instead of honoring it for the enterprise. The keys that were supposed to serve organizational authority far too easily serve someone outside the organization. The enterprise naturally sits between the individual and the state. The NGO even more so. Does your Church run on Windows? Uh oh.

Did the CEO of Microsoft think he could curry political favor by blowing away the balance? What’s the real trigger for such a key release? Apple and Google, by never building balance for hierarchy in the first place, accidentally ended up being more trustworthy by being extremist and less caring. They didn’t betray any enterprise authority because they never claimed to serve it properly. Anti-group is still anti-group, but what now for groups that don’t want to be so far out and anti-group?

Microsoft failed harder than Apple or Google ever did, by advertising they could deliver balance while delivering the exact opposite.

Goodbye Windows.

If you aren’t migrating keys out of Microsoft’s surrendered hands and removing their OS within the next 60 days, scrubbing Windows out of everything, you’re about as cooked as the Bikini Islanders who were told the mushroom cloud wasn’t anything to worry about.

The Microsoft radiation danger in your systems isn’t compatible with market values.
