Windows Recall Is Back (but Should You Use It?)


Originally launched by Microsoft last July, Windows Recall faced a swift withdrawal due to a wave of security and privacy concerns. Now, it has made a return, equipped with modifications aimed at enhancing user experience, yet lingering apprehensions about its functionality remain.

For those unfamiliar with the concept, Recall is an AI-driven feature designed to serve as a memory aid for your computer. It captures and analyzes screenshots of your activities, making it easier to retrieve documents or messages from weeks past. While this can be incredibly useful, it also raises significant alarms regarding the storage of your past Windows activities.

Having tested an early iteration of Windows Recall towards the end of last year, I found it to be genuinely beneficial at times, albeit with considerable security and privacy caveats. The initial version felt incomplete, lacking essential features like the ability to filter snapshots by application.

To access Recall today, users must possess a Copilot+ PC, equipped with the requisite AI processing capabilities. If your computer is compatible and running the latest version of Windows, you can find the Recall app nestled within the Start menu. Notably, it will not be activated by default; this opt-in approach is one of the adjustments Microsoft has implemented following the initial backlash.

Additional changes have been made to bolster security. Data stored by Recall is now encrypted more securely, and Windows Hello authentication is mandated each time you wish to access it. Moreover, sensitive information such as passwords, credit card numbers, and official IDs is filtered out, though the effectiveness of this measure remains to be seen.

Recall still has problems

Security researcher Kevin Beaumont has delved into the latest version of Recall and uncovered several concerning issues. Firstly, if someone gains access to your PC and knows your computer PIN, they can potentially access Recall. While biometric authentication is required for initial setup, users can revert to a PIN when accessing or searching through screenshots. This scenario is reminiscent of someone hacking into your phone using your PIN, and while you may trust that your digits are secure, the risk remains if they fall into the wrong hands.

Secondly, Beaumont noted that the filtering of sensitive data is inconsistent. During my own testing, I observed similar shortcomings; users cannot fully rely on the system to eliminate details of credit cards or medical histories. While this may not pose a significant issue for individual users, it raises concerns about data exposure.

Another complication arises when someone you know enables Recall and syncs photos and chats you’ve shared with them. This means your data can be captured and organized on their PC without your consent, increasing the likelihood of exposure.

One potential solution could be for Microsoft to enforce biometric authentication every time Recall is accessed, thereby safeguarding your data on both your PC and that of others. The notion that your emails, photos, or chats could be aggregated in someone else’s Recall library feels unsettling.

Enhanced filtering tools would also be a welcome addition. While Windows Recall currently allows users to exempt specific sites and apps from being captured, the process is somewhat cumbersome. Improved automatic censoring would certainly enhance user confidence. For now, users must weigh the decision to enable Recall while also considering the activities of their family and friends.
