Microsoft has announced a change in the rollout plan for the Recall preview feature on Copilot+ PCs. Instead of a broad preview release on June 18, 2024, as initially planned, Recall will first be made available to the Windows Insider Program in the coming weeks. By gathering feedback from Insiders, Microsoft aims to refine the feature further before making it available to all Copilot+ PC users.
Microsoft recently announced the ‘Recall’ feature for Copilot+ PCs, an AI tool capable of recording everything on your screen. Recall is designed to act as a personal “photographic memory,” capturing periodic snapshots of your screen to create a visual timeline. It allows you to easily find and revisit content you’ve previously viewed across apps, websites, documents, and more.
While the ability to instantly recall on-screen information could be incredibly useful, security researchers have identified potential flaws that could expose personal data to malicious code. Maybe that’s why Microsoft, for the moment, is delaying its implementation in new computers being delivered this week.
The nightmare scenario of Recall as a spy tool
While Recall’s ability to surface past on-screen content could be incredibly useful, there are legitimate fears that the feature could become a potent spy tool and a potential “nightmare” if your device falls into the wrong hands.
Even if you use incognito mode or clear your browsing history, Recall still has full access to your entire on-screen history. Microsoft says the data never leaves your computer, but critics aren’t fully convinced.
Security researchers expose Recall’s risky flaws
The AI-informed system regularly snapshots what you’re doing on screen and lets you search for important data you may have lost track of as you work. However, security experts who examined Recall’s operation closely concluded that the system could pose serious security risks.
Recall is built into what Microsoft is calling “Copilot+” PCs—the tech giant’s vision of how traditional computers will become AI-powered workhorses. When it launched, Microsoft explained that Recall wouldn’t capture certain private content like Netflix videos or incognito browser sessions but would see everything else. In theory, this broad visibility makes Recall more useful for resurfacing lost work.
Flaws could expose personal data to malicious code
But security researcher Kevin Beaumont has already found very worrying flaws. In particular, the system stores data in a straightforward plain-text format that malicious code could easily trawl through to find any personal data, from sensitive work files to private communications. He says the fear is that Recall makes it easier for malware and attackers to steal information. Beaumont admits Microsoft made some “smart decisions” around encryption, but he says they ultimately don’t work.
Potential for exposing sensitive information
He’s withholding full technical details for now to give Microsoft time to fix the loophole. But the potential for exposing everything from financial data to private health information is clear. Even if you trust Microsoft, bad actors could potentially find ingenious ways to exploit the tool’s treasure trove of data.
Balancing innovation and data protection
Whether Microsoft can swiftly resolve Recall’s security gaps or not, the revelations highlight how new AI capabilities often raise new privacy minefields that need to be carefully navigated. Innovative features and robust data protection will need to go hand-in-hand as AI plays a bigger role on our devices. While the debate rages on about Recall’s potential privacy implications, there are some proactive steps you can take to protect your data and use the tool more securely.
Opt out if you’re uncomfortable
First and foremost, Recall is an opt-in feature during the initial device setup. If you have reservations, simply decline to enable it. Your computer will function normally without this “time machine” capability.
Customize what Recall can see
If you do enable Recall, take advantage of the customization options to blacklist any apps, programs, or websites you want to exclude from being recorded and indexed. This lets you pick and choose what Recall has access to.
Use separate devices for different activities
One low-tech solution is to use dedicated devices for different purposes. Keep one computer for work, one for personal browsing, and one for any ultra-sensitive activities you want to completely wall off from Recall’s monitoring. As Recall evolves, look for guidance from Microsoft, as adjusting your settings and adopting new privacy habits could become necessary.
Addressing privacy and security concerns
In response to these privacy and security concerns, Microsoft has announced several updates to Recall:
- Recall will be off by default, requiring users to proactively opt in to enable it.
- Windows Hello enrollment and proof of presence will be required to view the timeline and search in Recall.
- Additional layers of data protection, including “just in time” decryption protected by Windows Hello Enhanced Sign-in Security (ESS), will be implemented, ensuring snapshots are only decrypted and accessible when the user authenticates.
- The search index database will be encrypted.
Microsoft has also reinforced its commitment to security, stating that all Copilot+ PCs will be Secured-core PCs with advanced firmware safeguards, Microsoft Pluton security processor enabled by default, and Windows Hello Enhanced Sign-in Security (ESS) for more secure biometric sign-ins.
Privacy controls and user choice
Microsoft emphasizes that users will have control over what Recall captures and saves:
- Snapshots are stored locally and not shared with Microsoft or other companies.
- Users can pause, filter, and delete snapshots at any time.
- Digital rights managed or InPrivate browsing content will not be saved.
- For managed work devices, IT administrators can disable the ability to save snapshots, but cannot enable it without user consent.
While Recall aims to provide a useful AI-powered experience, Microsoft acknowledges the importance of user trust and choice, positioning the preview as an opportunity to learn from real-world scenarios and refine the feature based on feedback.
Insider feedback and broader availability
Once the Recall preview is available in the Windows Insider Program, Microsoft will publish a blog post detailing how to access it. Participation in the Recall preview will require a Copilot+ PC due to hardware requirements.
After gathering feedback from the Insider community, Microsoft plans to make the Recall preview available to all Copilot+ PC users, incorporating insights and refinements based on real-world scenarios.
Microsoft’s response
We reached out to Microsoft, and a company rep steered us toward the company’s website, where they have this statement posted:
We are on a journey to build products and experiences that live up to our company mission to empower people and organizations to achieve more, and are driven by the critical importance of maintaining our customers’ privacy, security and trust. As we always do, we will continue to listen to and learn from our customers, including consumers, developers and enterprises, to evolve our experiences in ways that are meaningful to them.
Kurt’s key takeaways
Microsoft’s Recall AI is currently in preview status, and while it is undeniably useful, it is also undeniably concerning from a privacy perspective. Keeping all that rich data exclusively local is smart but probably not an ironclad guarantee against potential misuse down the road. As always, with new tech, users will decide if the convenience is worth the potential risks for their own situation. For some, Recall may be a dream; for others, it could be a nightmare. Regardless, the debate shows that we still have work to do in striking the right balance between innovation and privacy in the AI era.
How do you balance the benefits of innovative AI features like Recall with the need for personal data protection and privacy? Let us know in the comments below.