Microsoft is shifting its Copilot+ Recall feature, which captures and saves user activity on PCs, to an opt-in model following significant backlash from cybersecurity and privacy experts.
Recall operates by continuously taking screenshots in the background as a user interacts with their device, creating a searchable archive of detailed activity, including website visits and form inputs. Initial responses to the feature were dominated by concerns, particularly because of its capacity to store sensitive information like passwords and financial data. A malicious actor who gained control over a user’s device could then easily access that archive.
The backlash began shortly after Microsoft unveiled new AI-powered features for Windows, with Recall being a central aspect of this update. Cybersecurity professionals quickly raised alarms about the potential dangers of such a feature. A former Microsoft threat analyst described Recall as a “disaster,” citing its ability to indiscriminately save sensitive data such as text passwords, financial information, and private browsing history within a database vulnerable to external access.
Microsoft’s Response to the Recall Backlash
Reacting to the criticism, Microsoft has shifted Recall to an opt-in feature, ensuring it remains disabled by default unless explicitly activated by users. Pavan Davuluri, Vice President of Microsoft Windows, detailed in a company update that the setup experience for Copilot+ PCs would be updated to clearly communicate the choice to users about opting into Recall.
Moreover, Microsoft is implementing additional security measures to safeguard user data further. Users will now need to enroll in Windows Hello, which requires authentication via facial recognition, fingerprint, or PIN, to activate Recall. This authentication will also be necessary to access or search through the Recall history timeline. Microsoft emphasized that additional layers of data protection are being introduced, including the encryption of the search index database and the decryption of Recall snapshots only after user authentication.
The company also highlighted that the screenshots are stored locally on the device. Under the initial default setting, however, many users could have remained unaware of the feature’s existence and function: it was indicated by a Recall icon on the taskbar, which might not have been understood by all users.
The revised approach to Recall, transforming it into an opt-in feature with enhanced security protocols, aims to address the concerns raised by cybersecurity experts and reassure users about the safety and privacy of their data.
Microsoft’s blog post on these security updates also included a review of existing security provisions built into the feature, confirming that only after these extensive revisions did they decide to make the opt-in option a core aspect of the Recall experience.