The big news this week is that Microsoft has backed down from including Windows Recall in their next major Windows release. If you haven’t been up with the play, Windows Recall is an AI feature that was designed to take screenshots every few seconds of everything you do, process it with AI, and store that data for later recall. Can’t remember the name of the website you were viewing 3 weeks ago? Recall can tell you. Recall was set to be deployed in the next major release of Windows 11 (24H2) and would be on by default.
Some may find this feature helpful, but from a security perspective it’s a nightmare. Recall would hold an absolute treasure trove of information on an individual or the business they work for, which could include such things as your physical address, your bank or credit card details, details about your family and their routines, and confidential business information. This is information many malicious people (read: hackers) would love to get their hands on.
Initially, Microsoft downplayed the security risk. The data is both processed and stored locally and is not linked to the cloud. It’ll be fine, they said. Except it wasn’t. Security researchers quickly pointed out that the data wasn’t encrypted on disk. Microsoft responded by updating Recall to be encrypted using BitLocker (which was recently discovered to have vulnerabilities).
After more concerns over whether this data could still be lifted by Microsoft or its partners further down the track, Microsoft changed Recall to be an “opt-in” feature. Pushback continued from security researchers, businesses, and consumers, so for now Microsoft has pulled the feature entirely from its next update.
Recall is still available through Microsoft’s Windows Insider Programme, so you could sign up to that if you wanted to have a play with it. I would recommend only doing so in a test environment.
Personal Opinion: As someone who has been in the industry for many years, the security implications of a feature like Recall are massive, and a big company like Microsoft should know better. Lately there seems to be a rush to get products to market (both hardware and software), either incomplete, or without a full understanding of the implications. In our modern connected world, security needs to be at the forefront of any technology product design, but it seems some companies are treating it as an afterthought.