Microsoft's upcoming Recall feature for Windows 11 has ignited a debate over privacy and security. The new functionality, which captures and stores snapshots of a user's active screen every few seconds, is still in its preview phase but has already drawn significant criticism from privacy advocates and cybersecurity experts. Recall can search through all of a user's past activity, including files, photos, emails, and browsing history.
Microsoft has clarified that the Recall feature will be exclusive to its forthcoming Copilot+ PCs. The company has also stated that Recall is an “optional experience,” and users can limit which snapshots are collected. Microsoft emphasized that Recall data is stored locally and is not accessed by Microsoft or anyone without device access. A hacker would need to gain physical access to the device, unlock it, and sign in to access saved screenshots.
Functionality and Privacy Issues
The Windows Recall feature is designed to allow users to scroll through past screen content and interact with it, including reopening the original application or source document. According to Microsoft, all processing for this feature occurs on the user's device, and it is intended to improve over time. However, the handling of sensitive data has raised eyebrows. BitLocker encryption, which offers robust protection, is only available on Windows 11 Pro or Enterprise devices. Other users have to rely on less secure “data encryption”.
Microsoft's documentation for Recall indicates that the feature does not perform content moderation. This means that sensitive information, such as passwords or financial data, could be stored in snapshots if websites do not follow standard protocols for cloaking password entry. Users of Microsoft's Edge browser can filter out specific websites from being captured, but this functionality is not extended to other browsers. Additionally, Edge users can prevent Recall from saving content from private browsing sessions, a feature not guaranteed for other Chromium-based browsers like Google Chrome or Vivaldi.
Industry Reactions and Security Concerns
Mozilla's Chief Product Officer, Steve Teixeira, shared with The Register his concerns about the feature, noting that it stores not only browser history but also user-typed data with minimal control over what gets saved. He emphasized that while the data is encrypted, it introduces a new attack vector for cybercriminals and raises privacy issues for shared computers. Teixeira also criticized Microsoft for favoring its own Edge browser by allowing it to block specific websites and private browsing activity from Recall, a capability not extended to non-Chromium-based browsers like Firefox.
Kevin Beaumont, a cybersecurity expert, harshly criticized the technology, likening it to a keylogger integrated into Windows. AI expert Gary Marcus bluntly stated his opposition, expressing concerns about constant surveillance by the computer.
THIS is the company that wants to record literally everything you ever do on your computer.
(Report is re an attack last year.)
If you don't think Microsoft Recall, local or no, will be one of the biggest cybertargets in history, you aren't paying attention.
— Gary Marcus (@GaryMarcus) May 21, 2024
Regulatory Scrutiny and Future Prospects
The UK's Information Commissioner's Office has announced that it is making inquiries with Microsoft to understand the privacy safeguards in place for Windows Recall. The office emphasized the importance of transparency and the necessity of processing personal data only to the extent required for specific purposes. The GDPR implications alone make the feature a subject of intense scrutiny. Their statement reads:
“We expect organisations to be transparent with users about how their data is being used and only process personal data to the extent that it is necessary to achieve a specific purpose. Industry must consider data protection from the outset and rigorously assess and mitigate risks to peoples' rights and freedoms before bringing products to market. We are making enquiries with Microsoft to understand the safeguards in place to protect user privacy.”