Microsoft’s announcements around Build 2024 have certainly grabbed some attention, but none more so on the controversy front than the AI-powered ‘Recall’ feature in Windows 11
Recall has been stirring up strong opinions left, right and center since its revelation, and now it appears to be under the microscope of the ICO, a UK-based privacy watchdog.
The worries expressed widely online are focused on how this feature may affect privacy for those who have it, which won’t be all Windows 11 users, we should note – just Copilot+ PC owners who have the necessary hardware goods in terms of a powerful NPU.
For those who missed it, what Recall does is record your PC usage, very literally in terms of taking screenshots of your active windows every couple of seconds. This then allow you to exercise powerful natural language-based search capabilities to rifle through your past PC usage, not just in terms of text but also visual search – with AI locating what you need by going through that huge library of screen grabs.
You can doubtless see the kind of privacy concerns that might be sparked by this constant stream of screenshots going on in the background, but the pushback and reaction has got serious very quickly.
Sky News spotted that in the UK, the Information Commissioner’s Office (ICO), which oversees data privacy and related regulations, is already cautious about the Recall capability.
Indeed, following all the uproar around Recall, the ICO is investigating the feature, and told Sky: “We are making enquiries with Microsoft to understand the safeguards in place to protect user privacy.”
Safety first
It’s a good question, of course – so what safeguards are in place here to protect Windows 11 users?
For starters, Recall happens locally, so everything is stored on the PC, and nothing is sent online to the cloud or Microsoft’s servers – so there’s no risk of having data intercepted (or a third-party data breach leaking the private details of how you use your Windows 11 machine).
Microsoft has underlined that it doesn’t have access to any of this data, and it won’t be used to train its AI.
Furthermore, the company pointed out that you can manually delete snapshots, or adjust the timeframe they’re kept for – or pause, or turn off Recall entirely if you don’t want it. It’s also possible to block certain apps or websites from being used by Recall, so effectively there’s a lot of fine-grained control here.
However, will Windows 11 users be bothered to exercise that control and properly set up Recall? Well, that’s one worry, and another is that while it’s all well and good to say everything stays on the device, we have to firstly trust that’s the case – and it’s all watertight – and secondly, what if your PC is compromised by malware, or stolen. Then what?
Hackers or thieves could potentially have access to your Recall library of screenshots, which may contain confidential information, openly available to see, such as your bank or card details, or visible passwords, or, well, anything that has happened on your PC (that you haven’t marked out of bounds using Windows 11’s settings for Recall).
As Muhammad Yahya Patel, who is lead security engineer at Check Point, put it: “It is a one-shot attack for criminals, like a grab and go, but with Recall they will essentially have everything in a single location [your screenshot database] … Imagine the goldmine of information that will be stored on a machine, and what threat actors can do with it.”
More questions than answers?
So, there are definitely still some major concerns and question marks here, and it’s going to be pretty interesting to see what the ICO makes of Microsoft’s big AI play for Windows 11 to supercharge search.
We’ve already discussed other thorny areas around Recall – such as Windows 11 Home users apparently not benefiting from encryption for the data used by the feature, and what type of encryption is in place for Windows 11 Pro (or business) users anyway?
In that article, we also go over the precautions you can take to make Recall as secure as possible, but really, the best bet for the paranoid might be – simply turn it off and don’t use it. And maybe Microsoft wonders what all the fuss is about from naysayers, and why they don’t just take that approach.
But for the less tech-savvy, who might not even realize what Recall is, or that it’s turned on by default, it could be a risky feature – particularly considering these are the people who are most prone to getting hit by malware or hacked.
With that in mind, shouldn’t the first sensible security step be to have Recall off by default? So that it’s only turned on by those who know what it’s for, and want it? Let’s see what the ICO makes of Microsoft’s ‘default on’ approach, too.
