Microsoft has announced that it will delay the broad release of its AI-powered Recall feature for Windows Copilot+ PCs, following heavy criticism from users and privacy advocates.
The feature, which was originally slated for wide availability on June 18, will now first be released as a preview to members of the Windows Insider Program in the coming weeks.
Recall is designed to periodically capture screenshots of a user’s active windows, creating a searchable visual timeline to help users quickly find previously viewed content across apps, websites, images, and documents.
Free Webinar on API vulnerability scanning for OWASP API Top 10 vulnerabilities -> Book Your Spot.
While Microsoft has promoted the feature as a productivity enhancer, concerns have arisen regarding the privacy and security implications of storing and analyzing such sensitive data.
In response to these concerns, Microsoft has made several changes to the implementation of Recall. The feature will now be opt-in, which will be disabled by default unless users choose to enable it.
Additionally, Microsoft is implementing enhanced security measures, such as requiring Windows Hello biometric authentication to access Recall data and encrypting the search index database.
Despite these changes, some experts remain skeptical about the potential risks associated with Recall. Professor Jen Golbeck of the University of Maryland’s AI department warned that the feature could be a “nightmare” if a device falls into the wrong hands, as it could provide access to sensitive information even with privacy settings like incognito mode enabled.
Cybersecurity researchers have also raised concerns about the potential for malware to compromise data stored by Recall. A new tool, TotalRecall, released exploiting the security vulnerability in Microsoft’s Windows Recall feature to capture screenshots and store them locally in an unencrypted database.
By delaying the broad release of Recall and first making it available to Windows Insiders, Microsoft aims to gather additional feedback and ensure the feature meets the company’s security and quality standards before rolling it out more widely.
The move reflects the growing scrutiny surrounding the deployment of AI capabilities as companies seek to balance the potential benefits with the need for responsible stewardship of the technology.
Privacy concerns associated with Microsoft’s Recall feature for Copilot+ PCs:
- Lack of opt-in mechanism: Initially, Recall was set to be enabled by default on Copilot+ PCs, which raised concerns about user consent and control over their data.
- Sensitive data exposure: By periodically taking screenshots of a user’s active windows, Recall could potentially capture and store sensitive information, even with privacy settings like incognito mode enabled.
- Data access and security: If a device with Recall falls into the wrong hands, it could provide unauthorized access to a user’s activity timeline and private data. Cybersecurity researchers warned that hackers could target the Recall database to scrape a user’s entire activity history quickly.
- Insufficient data protection: Before Microsoft’s recent changes, the Recall database and screenshots were stored unencrypted on devices, further increasing the risk of data breaches and misuse[3][4].
- Concerns for high-risk users: Privacy advocates highlighted that Recall could make the devices of CEOs, journalists, and other high-profile individuals even more attractive targets for hackers and oppressive governments[5].
Microsoft is implementing several specific security measures for the Recall feature in response to privacy concerns:
- Opt-in mechanism: Recall will now be disabled by default unless users choose to enable it during the Copilot+ PC setup process. Users must give explicit consent for Recall to capture screenshots and log their activities.
- Windows Hello authentication: To access the Recall feature and view the activity timeline, users must authenticate themselves using Windows Hello biometric methods like facial recognition or fingerprint scans.
- Encrypted storage: Recall snapshots will be protected by “just in time” decryption, which means they will only be decrypted and accessible after the user has authenticated with Windows Hello. The search index database used by Recall will also be encrypted.
- On-device processing: All Recall AI processing and data storage will occur locally on the user’s device, without sending any data to Microsoft or the cloud. Snapshots will be linked to user accounts and will not be used to train AI models.
- User control: Users can pause, filter, and delete Recall snapshots at any time. They can also disable saving snapshots, pause the feature temporarily, and filter out specific applications and websites from being captured.
- Secured-core PCs: All Copilot+ PCs will be Secured-core PCs, meeting the highest security standards for Windows 11 devices. They will also include the Microsoft Pluton security processor and Windows Hello Enhanced Sign-in Security (ESS) on compatible hardware.
Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free