Participants of the Windows Insider Program that have a Qualcomm Snapdragon-powered Copilot+ PC can now try out Recall, the infamous snapshot-taking, AI-powered feature that was met with much criticism when it was unveiled earlier this year.
“We heard your feedback on needing a secure, controllable experience for using Recall in your organizations. Recall will be disabled by default and IT can enable this feature through new policies before it will be made available to individuals for opting in,” Melissa Grant, Senior Director of Windows Marketing, stated last week.
Addressing complaints
Following the initial well founded criticism, Microsoft temporarily backed out of releasing the feature, and said it would make the feature opt-in (instead of “on” by default), and increase the protection of the data stored in the screen snapshots by encrypting them and having the encryption keys protected via the Trusted Platform Module, which is tied to a user’s Windows Hello Enhanced Sign-in Security identity.
Microsoft also:
- Implemented rate-limiting and anti-hammering measures to protect the data stored by Recall from brute-force attacks
- Made Recall not save information from private browsing sessions
- Enabled sensitive content filtering by default
Windows Recall is back – for Windows Insiders
On Friday, the company finally called on Windows Insiders to try out the feature.
They first have to opt-in to saving snapshots, and to be able to do it, they have to enable BitLocker and Secure Boot and enroll in Windows Hello (i.e., enable signing in via facial recognition, fingerprint, or a PIN).
Users can pause/resume the taking of snapshots; exclude apps, websites, and sensitive information from their snapshots; and delete the snapshots – all via the Recall-specific settings.
Windows 11 Recall Privacy and Security settings (Source: Microsoft)
But, most importantly, Microsoft has addressed some of the pain points raised by security researchers and privacy advocates.
For one, Recall will detect sensitive information – credit card details, passwords, and personal identification numbers – and won’t save or store snapshots that include them.
Secondly, the saved snapshots won’t leave the users’ PC, won’t be used by Microsoft for training purposes, and Microsoft won’t be able to access the keys required to view the encrypted data.
“We do not send your snapshots off your PC to Microsoft or third parties, and don’t use them for training purposes,” the company says.
Finally, Recall will be removed by default on PCs managed by an IT administrator for work or school and Enterprise versions of Windows 11.
“IT administrators fully control the availability of Recall within their organization,” Microsoft added.
“Employees must choose to opt-in to saving snapshots and enroll their face or fingerprint with Windows Hello for snapshots to be saved. Only the signed-in user can access and decrypt Recall data, so although enterprises cannot access employee Recall data, they can prevent Recall from being used altogether and prevent any saving of specific apps or sites.”
The feature will be available by default for devices that aren’t managed by an organization or school, and users will need to opt in to saving snapshots, Microsoft further explained in a separate guide on how to use the feature.
They will also be able to remove / turn off the feature by:
- Typing Turn Windows features on or off in the search box on their taskbar
- Unchecking Recall from the dialog and restarting their PC.
Looking for security bugs
While Windows Insiders are now able to try out Windows Recall and are urged to report problems they encounter to Microsoft, security researchers are expected to probe it for security vulnerabilities.
“I’ve been told Recall is eligible for bug bounty as part of the Insider programme. I think the process is supposed to be sandboxed so in theory (my reading) the payout limit should be $20k,” says security researcher Kevin Beaumont.
Microsoft did not say when it expects to make Recall available for the general public.