What must you know about dealing with the "Recall" feature in Microsoft Copilot+ PCs?

What must you know about dealing with the “Recall” feature in Microsoft Copilot+ PCs?

A few days ago, Microsoft announced their new product: Copilot+ PCs. One of the features of Copilot+ PCs that has been raising eyebrows among cybersecurity professionals is “Recall”. As Microsoft explained,

Now with Recall, you can access virtually what you have seen or done on your PC in a way that feels like having photographic memory. Copilot+ PCs organize information like we do – based on relationships and associations unique to each of our individual experiences. This helps you remember things you may have forgotten so you can find what you’re looking for quickly and intuitively by simply using the cues you remember.

The tech presses’ reactions to Recall had largely been negative. This blog article described it as “fundamentally undermining Windows security”. This BBC news article sees it as a privacy nightmare.

I assume that Microsoft will deliver this feature to other compatible Windows 11 PCs in future updates.

What does Recall do?

Recall takes images of your screen every few seconds and stores them encrypted on your Windows PC. Since Microsoft is going for broke with AI, I assume that Recall will allow you to search through your recorded screens by giving it some text prompts to its AI engine (Copilot). Without the AI, you would have to manually go through your recorded screen timeline to find what you want. With AI, all you need to do is to ask it questions on what you are looking for and it will do it for you.

What Recall does NOT do?

First, we need to clear the deck on what Recall does not do. As this FAQ implied,

  • It does not record keystrokes.
  • It does not record your clipboard.
  • It does not record sound output and microphone input.

It also explicitly stated that,

  • It does not record screenshots of InPrivate web browsing sessions in Microsoft Edge.
  • It does not record screenshots that contain content protected by DRM (a copy protection enforcement mechanism) to protect the commercial interests of content creators.
  • It does not send the recorded screenshots to the ‘cloud’. All of them are stored locally on the PC and encrypted. Furthermore, different users of the same PCs cannot access other users’ screenshots. But there is a caveat, which I will mention below.

What are the cybersecurity and privacy implications? What can you do? How should Microsoft implement Recall differently if they’re security conscious?

Despite the above-mentioned limitations of Recall, it still cannot differentiate between private and not-so-private information in its screen recordings.

For example, let’s say you log into your Internet banking website. Sure, your banking password will be protected because it is not shown on the screen. But your banking transactions, account numbers, and so on, which are private, will be recorded.

Another example: you may be using a state-of-the-art end-to-end encrypted messaging app. But do you want every message you receive and send to be recorded as screenshots on your PC?

This is where the cybersecurity and privacy nightmare begins.

Subscribe to continue reading

Subscribe to get access to the rest of this post and other subscriber-only content.