Microsoft finally addressed customers’ and researchers’ concerns about its auto-screenshotting, AI-enabled Recall feature. The company promises the screencaps will have more encryption, and you’ll need to use your face, fingerprint, or PIN to access the feature. Most of all, the tech giant is telling anyone concerned about their privacy that they can say “no thanks” to Recall when they first set up their Copilot+ PC.
Recall is a new tool baked into the latest Windows 11 PCs that automatically screenshots what you’re doing on your PC every few seconds. Then, the PC uses an AI model to scan those screenshots for words and images. Users can use the tool to search through their past PC activity and go back to whatever web pages and documents they were on previously. Microsoft CEO Satya Nadella said it was as if your PC had a “photographic memory.”
The feature was supposed to be on by default, and users would need to dig into settings to turn it off. Now, Microsoft is revising its stance. The company’s VP of Windows and devices, Pavan Davuluri, wrote Thursday that Recall would be “opt-in” while users set up their PCs. The setting is turned off by default. Not only that, but users also need to enable the biometric sign-in in the Windows Hello system to access their Recall timeline. That means you’ll need to use a fingerprint scanner on your PC, use your camera, or input a PIN every time you try to access the feature.
After Microsoft unveiled its new PC designation during last month’s Build conference, folks online immediately voiced concerns about the privacy implications. The Mountain View tech giant tried to mollify their concerns by claiming that the feature works on-device, and Microsoft never sees any of the screenshots. The screencaps are supposed to be kept encrypted on the device, and only that user profile should be able to access them.
Things quickly unraveled for Microsoft when the well-established leaker Albacore showed Recall could work fine on a non-Copilot+ PC without the NPU that Nadella claimed was intrinsic to the program. Less than a week later, security researcher Kevin Beaumont broke down how all the OCRed plain text was easily accessible in the Windows AppData folders. It’s not just that Recall will automatically screenshot any passwords, financial information, or any other sensitive data that shows up on the screen. The files are pretty accessible for anybody with even a small amount of hacking experience.
Even though there’s still a week before release, cybersecurity strategist Alex Hagenah shared a free GitHub repository for “TotalRecall,” a tool that would let anybody with access to the Copilot+ PC extract the screenshots from the internal folders. One of the main fears so far has been that a bad actor with some relatively simple malware could infiltrate a PC and recover all the data Recall stored up for an entire year.
Now Microsoft claims these screenshots will only be decrypted once users authenticate themselves with Windows Hello Enhanced Sign-in Security. All these new PCs will ship with that security software installed by default.
The Copilot+ PCs are still set to launch June 18, though the concerns have meant Microsoft has had to go back in and change the software before it ships its new line of computers. As for whether the changes have assuaged the security researchers, Beaumont wrote, “There are obviously going to be devils in the details, potentially big ones, but there are some good elements here.” Still, he added that it’s pretty damn annoying it took “a cartoon porg with ‘portable toilet rentals’ as his Twitter bio… along with other people on social media” to point out the glaring security flaws in Microsoft’s headlining new software feature.