Microsoft Recall – Overview and Risks
What is Microsoft Recall?
Recall is a new AI feature announced by Microsoft for Windows Copilot+ PCs. This feature can best be described as a form of photographic memory for Windows computers. A screenshot is taken every five seconds, but a new one is only captured when the screen has changed sufficiently compared to the previous one. With some exceptions, everything displayed on the screen at the time of capture is visible in these screenshots. After a screenshot is created, it is analyzed so that additional data can be stored in a database and the screenshot can be included in a timeline accessible to users. For this, Optical Character Recognition (OCR) is used to capture the visible text in the screenshots. This captured text allows for both textual searches in the timeline and the copying of text from the screenshots. Microsoft states that Recall aims to give users the ability to retrospectively sift through their computer activities and resume past activities at any given time. However, we believe that the nearly comprehensive recording of user activities could also be used for other purposes, such as surveillance.
Controversy and Risks
Those who have heard of Recall are likely familiar with the numerous negative headlines. Following the announcement of Recall, criticism poured in from all sides, with data protection, privacy, and security at the center of the debate.
The biggest concern was the sensitive data that Recall stores. Since content moderation is either absent or left to the users, the feature could theoretically capture everything displayed on the screen, regardless of the sensitivity of the information. Additionally, concerns were raised that the data stored by Recall is not sufficiently protected.
As mentioned, content moderation is largely in the hands of the users, who can specify in the settings which applications and websites should be excluded from being recorded. These exceptions are stored in a special registry hive. However, the entries in the registry hive, which are stored in Base64 encoding, allow conclusions to be drawn about the applications users run and the websites they visit, specifically those they consciously want to exclude from Recall's recording. Furthermore, we found that Recall, at least in the version we tested, did not create screenshots of the applications for which an exception was made but still wrote entries into the database.
Microsoft's Reaction
In response to the criticism, Microsoft decided to remove Recall from the insider builds and revise it. The key announced changes include:
- Recall will not be automatically enabled.
- Windows Hello must be set up to use Recall. Additionally, a "Proof of Presence" will be required to display the timeline.
- The search index of the database and the screenshots will be encrypted. Decryption will occur "just in time," meaning only when users access Recall.