Since its unveiling in June, Microsoft’s Windows Recall feature has stirred a mix of intrigue and concern within the tech community. The feature, designed to take comprehensive screenshots of users’ PCs for future reference, was initially met with skepticism due to significant security issues. The backlash prompted Microsoft to pause the AI tool for Copilot+ PCs, allowing time for necessary adjustments and security enhancements.
After several delays, Windows Recall has recently become accessible to Windows Insiders—Microsoft’s beta testing group for early adopters. Avram Piltch of Tom’s Hardware took the revamped Recall for a spin, only to discover that its filtering capabilities fell short of expectations. In his tests, the filter managed to function correctly on just a couple of occasions, leaving considerable gaps in the promised protection.
Piltch’s experiments included entering sensitive information, such as a credit card number and personal identification details, into a Windows Notepad window. Alarmingly, Recall captured this data despite clear indicators that it was sensitive. Furthermore, when he filled out a loan application PDF in Microsoft Edge, Recall recorded his Social Security number alongside his name and date of birth. It only seemed to successfully filter out sensitive information on a couple of e-commerce sites, namely Pimoroni and Adafruit.
In response to inquiries about the filter’s performance, Microsoft representatives directed Piltch to a blog post outlining their privacy measures. The post stated, “We’ve updated Recall to detect sensitive information like credit card details, passwords, and personal identification numbers. When detected, Recall won’t save or store those snapshots. We’ll continue to improve this functionality, and if you find sensitive information that should be filtered out for your context, language, or geography, please let us know through Feedback Hub.” They also encouraged users to enable an option in Settings that allows anonymous sharing of apps and sites that should be excluded from Recall to enhance the product’s effectiveness.
What does Recall actually do?
For those unfamiliar with Recall, its intended function is to assist users in locating previously viewed content on their PCs through natural language searches. To achieve this, Recall takes periodic “snapshots” of the screen, storing them locally and analyzing them with AI for indexing purposes. However, the inherent risk of such a digital record lies in the potential for unauthorized access by malicious actors.
When Recall first emerged, it lacked encryption for the snapshots, and the database was stored in plain text. Fortunately, Microsoft has since implemented several changes. Recall is now an opt-in feature, as opposed to the previous opt-out model. The updated version includes the aforementioned filter, encrypts data, and requires biometric authentication and passwords for access. Additionally, users can only view their data through the Recall app.
Nevertheless, it remains crucial to note that a determined individual with access to a user’s password or PIN could circumvent biometric security measures. Furthermore, the Recall app can be accessed via TeamViewer, a popular remote access tool. As it stands, if the filter fails to operate effectively, users may unwittingly expose their data, leaving it vulnerable to potential breaches.