New Microsoft feature received security and privacy backlash

Cybersecurity experts have heavily criticized a recently revealed Windows feature called Recall. Microsoft explains that Recall offers an “explorable timeline of your PC’s past.” Recall repeatedly captures screenshots of a user’s desktop while they use Windows. Microsoft’s Copilot Artificial Intelligence then allows users to search through the screenshots and a locally stored database on the computer.

The concept and idea are generally neat. If you totally forget the video you watched that you want to send to a friend or the website you visited for that new recipe, being able to search Windows for them has its merits. However, the problem lies in the implementation of this feature.

Photo courtesy Microsoft.com
Recall’s data capture is a privacy issue

Recall’s implementation completely disregards the sensitive information it collects. The screenshots can capture credit card information input on a website, private conversations, photos, security settings, personal information, banking account numbers, and anything else displayed on the screen.

At first glance, this might not seem like a glaring problem since people perform these functions on personal computers every day. However, the privacy issue arises from how the data is stored. A central location associated with the user’s Windows account maintains screenshots and a database from Recall, all unencrypted. This setup creates a treasure trove of private data, stored in a central location that’s easy to find, and completely unprotected. Imagine a screenshot of what you’re doing every five seconds, stored in a folder for anyone to see.

Lack of security make Recall a major target

Hackers or malicious actors will directly target Recall because it saves private information without protection. Many types of computer malware already operate as InfoStealers. They infect a computer and aim to siphon off critical data to a malicious party, such as passwords or banking information. Recall provides an attractive target. Even if the user does not enable Recall on the computer, malware could activate it, wait for Recall to collect data, and then retrieve that data later.

To highlight the point, Alex Hagenah, a cybersecurity researcher, already developed a proof of concept called TotalRecall. Hagenah’s demo tool searches for the Recall database and extracts all the information from it.

Microsoft will update Recall after outcry

On 7 June, Microsoft announced updates to Recall. With the update, Microsoft announced new information including “privacy controls and additional details on our approach to security.” For the most part, Microsoft listened to the concerns over privacy and security with this feature. That is a great thing.

Frankly, I am glad to hear Microsoft took concerns to heart. At the same time, I believe companies need to do more to have security and privacy integrated into the development process. Normal users just want to play video games and search the web after all. This example is a good reminder to consider what information a new feature collects about you, and how secure that information is once collected.