Microsoft Recall: spyware or helpful tool? Regulators want to know

Microsoft’s latest AI tools have caught the eye of British regulators, who are “making enquiries” with the software giant about its recently unveiled Recall feature.

Unveiled last week alongside a host of Copilot+ PCs based on a Qualcomm ARM-based processor, Recall snaps a screenshot every few seconds, building a searchable database for users to look back through — and, perhaps, micromanaging bosses and cybercriminals.

The feature immediately raised concerns with the security community — “a new security nightmare,” said one expert — and caught the attention of the Information Commissioner’s Office, the UK data watchdog.

What is Microsoft Recall?

Part of the enhanced Windows Copilot suite of AI tools, Recall will snap screenshots every few seconds, using on-device AI to analyse the resulting image so it can be later searched if needed.

Recall aims to address the problem of searching across PCs: it can be difficult to find a document, website or photo that you know you’ve recently used but you can’t remember the file name, URL or location of. In a browser, you can search your history; Recall aims to replicate that using semantic search across those screenshots.

Microsoft’s safety plans

Microsoft Recall will be available via the new Copilot+ PCs, so there’s no need to panic that your Windows-based laptop will suddenly start screenshotting all your digital activity. Even on Copilot+ systems, it only records images; it doesn’t capture audio or playable video.

If you do upgrade to a Copilot+ PC, Microsoft will switch Recall on by default, though it can be disabled during setup or afterwards. These PCs will also have advanced security features, including the Microsoft Pluton security processor.

Recall can also be told not to screenshot specific websites and apps, doesn’t take screenshots in Incognito mode, and can be temporarily paused. 

Microsoft has stressed that the data is encrypted and held locally, with the analysis and search all on-device, rather than on Microsoft’s servers.

However, it’s worth noting that Microsoft says in its FAQ for the product: “Note that Recall does not perform content moderation. It will not hide information such as passwords or financial account numbers.”

That means login details for business platforms, bank accounts and everything else are likely to be captured and saved if they aren’t “cloaked” or obscured when entered.

Security concerns around Microsoft Recall

All that data on your device makes it one heck of an interesting target for hackers, especially since Recall will be on by default.

Cybersecurity expert Kevin Beaumont, who has previously worked for Microsoft, noted in a blog post that storing locally doesn’t address security problems but exacerbates them: “[Rather than] stealing your local browser password vault, now they can just steal the last three months of everything you’ve typed and viewed in one database.”

He notes that the “keylogger” database has been carefully analysed by AI to be searchable, making it easier to dig out key data. Beaumont added: “Microsoft [is] inventing a new security nightmare using Copilot, which will undoubtedly lead to increased fraud for consumers and other woes for businesses.”

Privacy challenges at work

One immediate question for end users who are given Copilot+ PCs by their employer is this: do you want your boss looking over your shoulder every few seconds? That’s effectively what’s happening with Recall, potentially at least.

And Recall may not be good news for businesses either, noted one legal privacy expert. Daniel Tozer, data and privacy expert at Keystone Law, said to the BBC: “There may well be information on the screen which is proprietary or confidential to the user’s employer; will the business be happy for Microsoft to be recording this?”

Outside of the office, the data collection raises the spectre of Recall’s data repository being accessed by law enforcement, employers or partners — particularly alarming for those in domestic abuse situations, noted Jen Caltrider, privacy team lead at Mozilla.  “I wouldn’t want to use a computer running Recall to do anything I wouldn’t do in front of a busload of strangers,” she told the BBC. (Don’t forget, though, that Recall can be paused and doesn’t record in private browsing modes in mainstream browsers.)

No wonder the ICO is asking Microsoft for more information about how the system works. “We expect organisations to be transparent with users about how their data is being used and only process personal data to the extent that it is necessary to achieve a specific purpose,” an ICO spokesperson said. “Industry must consider data protection from the outset and rigorously assess and mitigate risks to people’s rights and freedoms before bringing products to market.

The regulator’s spokesperson added: “We are making enquiries with Microsoft to understand the safeguards in place to protect user privacy.”

Microsoft has yet to respond to TechFinitive’s request for a response to the ICO’s Recall concerns.