Privacy

The Problem with Microsoft Recall

There is a crucial issue with this story, and we want to see how quickly you can spot the problem. So, Microsoft has designed a new AI feature for its Copilot+PCs application called Recall. The purpose of this feature is to assist users with reconstructing their past activity (like the history feature in your browser, but at a larger scale) and storing this information locally. The user would then be able to search the Recall database for any previous images or text they viewed on their computer. The way this would work is that Recall would take screenshots of users’ activity every few seconds and would store these screenshots for up to three months. Because the goal of the virtual assistant is to provide the most comprehensive view of your past activity, it does not redact any part of the screenshots it takes.

Have you spotted the problem yet? Although these snapshots are encrypted, the feature does not perform content moderation, which means that it has the potential to reveal personal information if compromised through a cyberattack called infostealing. Recall could provide an attacker with information that would otherwise be protected, even if a network was breached by other means.With the increasing popularity of phishing and similar attacks, this feature could put users at risk if a malicious actor did manage to install an infostealer on a personal device.

According to Microsoft: “Recall does not perform content moderation. It will not hide information such as passwords or financial account numbers. That data may be in snapshots that are stored on your device, especially when sites do not follow standard internet protocols like cloaking password entry.”

However, in response to the privacy concerns of researchers and users, Microsoft has decided to delay its Recall rollout: Microsoft’s Copilot+PCs will now ship without the Recall feature. This decision comes after Microsoft decided to play ball with its cybersecurity critics by adding database encryption for Recall, implementing Windows Hello-based authentication as well as making it an opt-in feature. The tech giant also promised that it would not send screenshots to the cloud; however, the overall pushback from concerned cybersecurity experts seems to have been enough to delay this feature. Will Recall still see the light of day? It is looking more and more like Microsoft is going to take the wait-and-see approach for the foreseeable future.