
Microsoft Recall Is A Very, Very Bad Idea

Microsoft’s new AI-powered ‘Recall’ feature saves frequent screenshots along with associated data for access by the Copilot+ AI assistant.

If you know anything about cybersecurity—and I mean literally anything—Recall seems like a really bad idea. The idea is to store hundreds of snapshots of your potentially sensitive computer activity, in order to allow Copilot to assist you in finding things you previously looked at. Essentially it’s browsing history, but for the entire scope of your computer use. Anything from your bank account password to sensitive health records will be saved, along with not-clearly-defined metadata about what you’re using.

The purpose behind the idea would be great in a world without security concerns.

Being able to ask your computer something like, “hey what was the ingredient list for that baklava recipe I was looking at last week?” would be great in theory. If Microsoft planned to roll Recall out with a robust list of things it cannot capture, it might even be good in practice for most people. As of right now, the only things on that list are private browsing sessions and DRM video content.

What’s even more worrying is that despite Microsoft claiming that Recall’s data will be stored in a secure, encrypted fashion, cybersecurity expert Kevin Beaumont found that the OCR-ed screenshots and other metadata are stored in a plain-text SQLite database in the user folder on their computer. He even went so far as to demonstrate how easy it is to automate exfiltration of that data. (Here’s a link to his post detailing all of that.)

As of right now, the only computers that will be shipping with Recall are the Copilot+ ARM-based laptops. During the Windows 11 setup process you’ll be able to select not to enable Recall, but of course it is enabled by default. That means anyone not knowing what it is (i.e. most people) will almost certainly leave it enabled. Of course, if you know what it is, you could just turn it off and solve that problem, right? Well… no.

The problem isn’t just what information Recall collects on your computer. It’s what it collects from someone else’s computer that has your information on it.

Imagine your landlord has Recall enabled and has your lease application on their computer. Now a hacker has your social security number, a history of your addresses, and possibly your bank account information. Let’s say you see a private mental health professional who has Recall on their work computer. Now the hacker has your entire medical and mental health history from your intake form.

As you scale up to small businesses and organizations—or even larger ones with poor information security—the possibilities get even more horrifying. So what can we do in a world where many computer users don’t understand basic information hygiene, let alone more complex cybersecurity?

First, obviously don’t install Recall on your own device (which you won’t be able to do anyway without an NPU-containing processor). Second, tell everyone you know who takes technology advice from you (looking at you, boomer relatives) to pay attention during Windows setup on a new computer and disable Recall. Lastly, take a good, hard look at who you’re sharing any potentially sensitive data with.

Remember: it’s never a bad idea to operate under the assumption that any data you share is not going to be protected by the people you share it with.


