On Our Radar 🎯
Microsoft Is Handing Your Encryption Keys to the Government
For years, privacy advocates warned about centralized encryption key storage. This latest news speaks to why: Microsoft confirmed it provides BitLocker recovery keys to law enforcement with valid warrants, roughly 20 times a year.
BitLocker is the encryption software built into modern Windows PCs that scrambles your hard drive data. It works well, except for one architectural flaw: Microsoft recommends users store recovery keys on its servers "for convenience." This means if you forget your password or get locked out, you can recover your data. We now also know this means the FBI can subpoena those keys.
In a Guam fraud investigation, federal agents served Microsoft with a warrant for BitLocker keys from three laptops. Microsoft complied. The FBI unlocked the devices and accessed everything on them. One could argue this is literally a front door Microsoft built and left wide open. The technical solution exists. Cryptography experts point to hardware-based recovery keys (like storing your key on a USB drive) or encrypted cloud backups where the company can't access the key. Microsoft offers the USB option, but it's not the default. The default is "upload your key to our servers where we can give it to anyone with a warrant."
VeraCrypt—a free, open-source encryption tool—simply doesn't have this problem. It encrypts your disk locally, you control the keys, and there's no cloud backup option to compromise. Yet Ars Technica's guide on "How to encrypt your PC without giving keys to Microsoft" suggests upgrading to Windows 11 Pro ($99) to get more BitLocker control. I wish they mentioned VeraCrypt, which costs $0 and gives you far greater control.
What you can do: If you're using BitLocker, check if your recovery key is stored with Microsoft (Settings > Privacy & Security > Device Encryption). If it is, back it up locally and delete it from your Microsoft account. Better yet, consider VeraCrypt for full disk encryption you actually control, especially for sensitive data. If you're on macOS, FileVault is an excellent native option that you can choose to use without iCloud quite easily. And Linux users should utilize LUKS for their disk encryption.
Bits & Bytes 🤖
~ Snapchat's Fake Notifications Violate EU Law
New research exposed how Snapchat manipulates users with misleading notifications. The study monitored notifications for six weeks and found Snapchat sends fake friend requests (they're actually suggestions), false time-sensitive alerts, and recapture notifications designed to pull you back to the app. The most notifications appeared when researchers didn't open the app—the platform desperately trying to recapture attention.
Users interviewed thought they were receiving personal messages when it was recommended content. They couldn't turn off in-app badges (those red dots). Some disabled all notifications entirely just to escape the manipulation.
Our take: As the EDRi mentions, this likely violates the EU's Digital Services Act Article 25 on manipulative design. Bits of Freedom is contacting Dutch regulators to force compliance. The study recommends notifications should be disabled by default and users should control categories. Platforms compete for attention because they profit from time-on-app—your mental bandwidth is their business model. This is just one of many manipulative patterns utilized by big tech companies to capture your most valuable asset: your attention. Hopefully this story is a reminder to double-check all apps on your phone and the influences they have on your attention.
~ F-Droid Basic 2.0 Brings Modern Design to Privacy App Store
F-Droid released the first alpha of its 2.0 app after a year-long redesign. Built from scratch with Kotlin Compose, it features improved search (now searches descriptions and translations), highlights most-downloaded apps for discovery, and adds Material You theming.
Installation workflows improved, downloads require approval first, multiple updates can run in parallel, and the app alerts you to signing key changes (critical for security). Some features are still missing (IPFS support, screenshot prevention, installation history) and there are minor bugs, but it should be stable enough for daily testing.
Our take: This matters because F-Droid is the primary alternative app store for privacy-focused Android users. While Google Play tracks everything and Apple's App Store is a walled garden, F-Droid distributes open-source apps without surveillance. A modern UI removes friction for newcomers. Privacy tools shouldn't require tolerating 2015-era interfaces, and F-Droid modernizing will make life better for everyone trying to escape big tech!
~ Nova Launcher's New Owner Plans Ads
Instabridge acquired Nova Launcher and immediately started "evaluating ad-based options" for the free version. Users already report seeing ads, and code analysis found Facebook Ads and Google AdMob trackers in the latest update. The paid version (Nova Launcher Prime) will supposedly remain ad-free.
This follows drama where original developer Kevin Barry left after Branch Metrics laid off the team and stopped his open-sourcing effort. Branch promised to open-source Nova if Barry left—they didn't. Barry says he already did the prep work (cleaned code, stripped API keys, got legal approval) but the decision now rests with Instabridge.
Our take: Another trusted Android tool degraded by acquisition, quite similar to Simple Tools. The difference? Simple Tools was open source and within weeks we got a new open source clone, Fossify. Sadly, Nova Launcher didn't have this option as it never reached full open source status. Now you'll see ads unless you pay, and the open-source promise remains broken. The pattern repeats: indie developer builds something users love, sells to company that "evaluates monetization options," community loses trust. Using tools like F-Droid is a great protection against this, as they only allow free and open source software, regardless of acquisitions.
This Week on Techlore 📺
It's been a lighter week as we're navigating some transitions. Thank you all for your patience, we'll have an extra juicy Surveillance Report this week since we missed last week's.
On Techlore Talks, we had Evgeny from SimpleX come on to discuss the messenger and the overall network:

We also did some coverage for new age verification proposals being pushed in the UK and in the US state of Florida:

Action Item ✅
Check where your BitLocker recovery key is stored. Go to Settings > Privacy & Security > Device Encryption (or search "BitLocker" in Settings). If your key is backed up to your Microsoft account, save it locally (write it down, store on USB, use a password manager) and then delete it from Microsoft's servers. Or better yet, research VeraCrypt for full control over your encryption. Because your data shouldn't have a backdoor labeled "For FBI access".
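For the "back it up locally" step in this action item and in "What you can do" above, here is an added example (not from Microsoft or any guide cited here) that lists every BitLocker recovery password on the machine with its key ID and saves a copy to removable media. It assumes an elevated PowerShell session with the built-in BitLocker module available; `$BackupDir` and the `Get-RecoveryProtector` helper are hypothetical names chosen for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: audit BitLocker recovery passwords and keep a local copy.
# $BackupDir is a hypothetical default; point it at a USB drive or other offline media.
param(
    [string]$BackupDir = 'E:\bitlocker-backup'
)

function Get-RecoveryProtector {
    # One row per recovery-password protector on every BitLocker volume.
    foreach ($vol in Get-BitLockerVolume) {
        $vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
            ForEach-Object {
                [pscustomobject]@{
                    MountPoint       = $vol.MountPoint
                    ProtectionStatus = $vol.ProtectionStatus
                    KeyId            = $_.KeyProtectorId
                    RecoveryPassword = $_.RecoveryPassword
                }
            }
    }
}

$protectors = @(Get-RecoveryProtector)
if ($protectors.Count -eq 0) {
    Write-Warning 'No recovery-password protectors found on this machine.'
    return
}

# A copy stored on the encrypted drive itself is useless when that drive is locked.
$targetDrive = [IO.Path]::GetPathRoot([IO.Path]::GetFullPath($BackupDir)).TrimEnd('\')
if ($protectors.MountPoint -contains $targetDrive) {
    throw "Refusing to save keys on ${targetDrive}; it is one of the BitLocker volumes."
}

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$file = Join-Path $BackupDir ('{0}-recovery-keys.txt' -f $env:COMPUTERNAME)
$protectors | Format-List MountPoint, KeyId, RecoveryPassword |
    Out-File -FilePath $file -Encoding ascii

# Print only the key IDs, not the 48-digit passwords, to the console.
$protectors | Select-Object MountPoint, ProtectionStatus, KeyId
```

The key IDs it prints can be matched against the Key ID column on the BitLocker recovery keys page of your Microsoft account, which tells you which uploaded entries belong to this device before you delete them.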
Digital Rights Digest—threats to your freedom and how to fight back. A five-minute weekly read, 100% free.

