Windows Recall has been a highly controversial AI feature ever since it was first announced in May. It continually takes screenshots of everything you do on your PC and puts the images into a searchable database on the device. And yes, that also includes images with sensitive information.
People were quick to call it a “security nightmare” after Microsoft openly admitted that the software wouldn’t hide “passwords or financial account numbers.” The company tried to defend its decision, but recently decided to make multiple security improvements to Recall ahead of its fast-approaching June 18 launch.
Probably the most important of these changes is that Recall is no longer enabled by default when you wake up your PC. According to a recent post on the Windows Experience Blog, the feature is instead disabled by default, meaning you must enable it yourself during a computer’s setup process.
Next, signing up for Windows Hello is now a requirement to activate Recall and view your screenshot timeline. This means you must authenticate yourself as the primary user via a biometric entry or PIN before you can access the feature.
As for the latest update, Microsoft is improving security by adding “layers of data protection (including) ‘just in time’ decryption” of Windows Hello ESS (Enhanced Sign-in Security). As a result, snapshots can only be viewed when a user proves their identity. Additionally, Recall’s search index database is now encrypted.
The strange thing is that this suggests the database that allegedly stored images of bank account numbers was initially unprotected and vulnerable to outside forces. You might be surprised to hear how unsafe it was, but at least they are fixing it before launch and not after.
Analysis: Stay skeptical
The rest of the blog post reiterates the Windows Recall security features that were previously known. For example, snapshots are saved locally on your computer and not uploaded to Microsoft servers. An icon representing the feature sits in the system tray and lets you know when Windows saves images. Additionally, users can “pause, filter (or) delete” snapshots whenever they want.
Microsoft also emphasizes that Recall will only be available on the upcoming Copilot Plus PCs, as they have robust security to ensure privacy.
Does this mean we can fully trust Windows Recall to maintain data security? No, not really.
Jake Williams, VP of R&D at cybersecurity consultancy Hunter Strategy, tells Wired he “still sees serious risks (as well as) unresolved privacy issues.” People could be hit with a subpoena forcing them to cough up PIN numbers to access Recall databases.
Although Microsoft claims it can’t see snapshots, who’s to say the tech giant might not change its mind in a year or two and decide to collect all that sensitive information? They may find a legal loophole that gives them carte blanche to do whatever they want with Recall data. It’s a scary thought.