Microsoft’s controversial Recall feature for Windows 11 could already be in legal hot water
Microsoft’s announcements around Build 2024 have certainly attracted some attention, but none more controversially than the AI-powered ‘Recall’ feature in Windows 11
Recall has stirred strong opinions left, right and center since its revelation, and now it appears to be under the microscope of the ICO, a British-based privacy watchdog.
The concerns being widely expressed online center on how this feature could impact the privacy of those who have it, which won’t be all Windows 11 users, we should note – only Copilot+ PC owners who have have the necessary hardware goods in terms of a powerful NPU.
For those who missed it, Recall records your PC usage, quite literally in terms of taking screenshots of your active windows every few seconds. This allows you to use powerful natural language-based search capabilities to search your previous PC usage, not just in terms of text, but also in terms of visual search – with AI pinpointing what you need by going through that huge library of screen recordings .
You can no doubt see the kind of privacy issues that could be caused by this constant stream of screenshots happening in the background, but the backlash and backlash has turned serious very quickly.
Sky News noted that in Britain, the Information Commissioner’s Office (ICO), which oversees data privacy and related regulations, is already cautious about the recall option.
After all the furor surrounding Recall, the ICO is investigating the feature, telling Sky: “We are making inquiries with Microsoft to understand the security measures in place to protect user privacy.”
Safety first
It is of course a good question: what security measures have been taken here to protect Windows 11 users?
For starters, Recall happens locally, so everything is stored on the PC and nothing is sent online to the cloud or Microsoft’s servers. So there is no risk of data being intercepted (or of there being a third party data breach that exposes the private data of how you use your Windows 11 machine).
Microsoft has emphasized that it does not have access to this data and that it will not be used to train its AI.
Additionally, the company pointed out that you can manually delete snapshots, or adjust the length of time for which they are kept – or pause them, or disable Recall entirely if you don’t want to. It’s also possible to prevent certain apps or websites from being used by Recall, so there’s effectively a lot of fine-grained control here.
However, will Windows 11 users bother to exercise that control and set up Recall correctly? Well, that’s one concern, and another is that while it’s all well and good to say that everything remains on the device, we have to trust that this is the case in the first place – and that it’s all is waterproof – and secondly, what if your PC is compromised by malware, or stolen. Than what?
Hackers or thieves could potentially gain access to your Recall library of screenshots, which could contain confidential information that is openly visible, like your banking or card details, or visible passwords, or, well, anything that happened on your PC ( that you have no outer limits marked with the Windows 11 settings for Recall).
As Muhammad Yahya Patel, chief security engineer at Check Point, put it: “It’s a one-time attack for criminals, like a grab and go, but with Recall they essentially have everything in one location (your screenshot database)… Imagine the gold mine of information before it is stored on a machine, and what threat actors can do with it.”
More questions than answers?
So there are definitely still some big concerns and question marks here, and it will be quite interesting to see what the ICO makes of Microsoft’s big AI play for Windows 11 to boost search.
We’ve already discussed other thorny issues surrounding Recall, such as Windows 11 Home users apparently not benefiting from encryption for the data used by the feature, and what type of encryption is actually available for Windows 11 Pro (or business) users?
In that article we also discuss the precautions you can take to make Recall as safe as possible, but really the best choice for paranoid people is to just disable it and don’t use it. And maybe Microsoft is wondering what all the fuss is about from naysayers, and why they don’t just take that approach.
But for the less tech-savvy, who may not even realize what Recall is, or that it’s enabled by default, it can be a risky feature, especially considering that these are the people most susceptible to malware or hacking .
With that in mind, shouldn’t the first sensible security step be to disable Recall by default? So that it is only enabled by those who know what it is for, and want it? Let’s see what the ICO also thinks of Microsoft’s ‘default on’ approach.