• lad@programming.dev
    4 days ago

    When you log into Windows with a Microsoft account, your recovery key is often automatically uploaded to Microsoft’s servers as a backup in case you forget your password. Legally, this means Microsoft owns the key and must surrender it under the U.S. CLOUD Act.

    Experts like Matt Green of Johns Hopkins University warn that, unlike Apple or Google, Microsoft does not encrypt these keys in a way that makes them unreadable even to the company itself. The result is a fundamental breach of data sovereignty.