Microsoft is taking a step back with its controversial Microsoft Recall feature, a key component of its Copilot+ initiative for next-gen PCs, starting with Snapdragon X Elite/Plus systems. Recall aims to simplify user experience by constantly capturing snapshots of on-screen content, thus making search more seamless and eliminating the need to sift through lengthy Discord chats or browser histories. However, the feature has raised significant privacy and security concerns due to its frequent five-second screenshot intervals.
Cybersecurity expert and former Senior Threat Intelligence Analyst at Microsoft, Kevin Beaumont, labeled Recall a “disaster” in a blog post. He warned that InfoStealer trojans could be easily adapted to exploit Recall, posing serious security risks. Another expert, white hat hacker Alexander Hagenah, demonstrated through a proof-of-concept tool on GitHub called TotalRecall, how malicious actors could extract and display data from the Recall feature in Windows 11.
TotalRecall works by copying databases and screenshots, then parsing the database for interesting artifacts. Users can define dates and search for strings extracted via Recall’s OCR (Optical Character Recognition). Hagenah emphasized the simplicity of the process, describing it as basic SQLite parsing.
In response to the uproar, Microsoft is reassessing how to safely roll out Recall. In a recent blog post, Microsoft outlined significant changes to the feature, currently in preview for Copilot+ PCs, to address user concerns.
One major change is that Recall will now be an opt-in feature, rather than being enabled by default. Users must proactively choose to turn it on.
Additionally, enabling Recall will require Windows Hello, a biometric security feature. This ties into a proof of presence requirement to view timelines and search within Recall, adding an extra layer of security to prevent remote hackers from exploiting the feature.
Microsoft also announced additional data protection measures, including ‘just in time’ decryption protected by Windows Hello Enhanced Sign-in Security (ESS). This ensures that Recall snapshots will only be decrypted and accessible upon user authentication. Furthermore, the search index database will be encrypted.
Most of Microsoft’s blog post reiterated existing Recall protections, such as storing snapshots locally on PCs instead of in the cloud, allowing users to filter out apps and websites from snapshots, and providing options to sift through and delete snapshots. The inherent security features of Copilot+ PCs, including the default enabling of Microsoft’s Pluton security chip, were also highlighted.
These changes will be implemented in the final version of Recall, set to exit preview and ship to customers on June 18 with the Windows 11 24H2 release. Microsoft may continue to make further adjustments based on user feedback.