Since its announcement in June, Microsoft's Windows Recall feature has been controversial and bumpy for a few months. It faced immediate backlash over security concerns when it was revealed. The concern was mainly around the fact that Recall takes screenshots of your entire PC so that you can find information later if desired.
The AI tool for Copilot + Pilots was recalled so Microsoft could tweak the program and work on the security issues. Since then, it's been delayed several times, and only recently became available for Windows Insiders, Microsoft's version of beta testers for early adopters.
According to Microsoft, the updated version of Recall still captures screenshots, but those screenshots are now supposed to be encrypted and have a "Filter sensitive information" setting enabled by default. This filter is meant to stop Recall from capturing apps or websites that show sensitive personal information like credit card numbers and Social Security numbers.
Unfortunately, this filter does not seem to be working. Our colleague, Avram Piltch, at Tom's Hardware, tested the revamped Recall and reported that the filter only worked a couple of times, "leaving a gaping hole in the protection it promises."
Piltch tested the filter by entering a credit card, random user and password into a Windows Notepad screen. Recall captured that information despite text denoting the number as a Visa card.
He also filled out a loan application PDF in Microsoft Edge, where a Social Security number was filled in alongside his name and date of birth. Recall captured that as well.
Pilch performed some other tests, but Recall seemed to filter out sensitive information only on a pair of e-commerce sites, Pimoronia and Adafruit.
In response to a query about the filter, Microsoft spokespeople sent him a blog post containing a Privacy section that reads:
"We’ve updated Recall to detect sensitive information like credit card details, passwords, and personal identification numbers. When detected, Recall won’t save or store those snapshots. We’ll continue to improve this functionality, and if you find sensitive information that should be filtered out for your context, language, or geography, please let us know through Feedback Hub. We’ve also provided an option in Settings that we encourage you to enable that will anonymously share the apps and sites you prefer to be excluded from Recall to help us improve the product."
What does Recall actually do?
Since few people have been able to try out Recall, here's a brief rundown of what the feature is supposed to do for you.
Microsoft pitches the tool to help you find things better by searching your PC for anything you've seen on it using natural language.
To do this, Recall takes "snapshots" of your screen at regular intervals, which are stored locally on your computer and analyzed and indexed by AI.
The obvious concern here is that this digital record of everything on your PC and things you've done on your PC can potentially be accessed by bad actors. When Recall first appeared in the spring, it didn't even have encryption on the snapshots, and the database was stored as plain text. Those things have changed in the past few months.
Microsoft has also made Recall opt-in, which was previously an opt-out option.
The new Recall does have the mentioned filter and appears to encrypt data. Login also requires biometric data and passwords. And information can only be viewed in the Recall app.
That said, a determined bad actor with access to your password or PIN could bypass the biometric checks. And you can view the Recall app via TeamViewer, which allows for popular remote access.
For now, if the filter isn't working, it means your data is being captured and that a series of missteps could make that information available to a bad actor.
