Recalled – AI Frenzy Leads to Microsoft Blunder

S. Schuchart

Recently Microsoft announced a feature for its Windows operating system called Recall. Designed for ‘AI PCs,’ Recall saves all of a user’s activity by taking screenshots of every window, every five seconds. It performs OCR to extract text from images and all other on-screen text. Then it saves it all in a local database. AI indexes the data, making it easy to find.

The idea is that, with AI indexing that data, users can easily search for and find content on a PC using natural language. A forgotten web site can be found again, and documents and chats can be brought up and shown. No data is shared to the cloud; it’s all local on the PC. From a utopian point of view, this would be ideal, especially for knowledge workers: a liberation of data with easy search and sort. But the reality is that Recall is a nightmare for privacy and security, both for individuals and for the enterprise.

Recall stores all its collected data in a local database, but in unencrypted form. Microsoft claims that the BitLocker encryption that is already on by default in Windows 11 is more than enough. However, anyone with the user’s Windows credentials can access the data. Further, in shared environments, such as a family computer or, in the case of enterprises, PCs that are shared among multiple people, the risks go even higher. An example would be buying a birthday gift, where all the shopping sites visited and the on-screen cart and receipt can be found via Recall. Searches on the web for things like health conditions can be unearthed. From a darker standpoint, it would allow abusive partners to monitor all activities, including looking at resources for domestic violence victims. The data would also be easily subpoenaed by law enforcement or the opposing side in a civil suit. Corporations could track every move. Of course, hackers would have a field day with that data. Personally identifiable information is just the start; they could gain account numbers, credit card information, social security numbers, etc.

Soon after early release versions of Recall began surfacing, a tool that could pull Recall data promptly appeared, created by a white hat hacker to emphasize just how insecure Recall is and how dangerous it could be. Microsoft, for its part, has pulled Recall for now, promising to remedy several of the feature’s security holes, such as unencrypted cleartext data in the data store.

It’s good that Microsoft has recognized that there are problems with Recall and wants to fix them. But it’s not giving up on the concept, despite widespread shock and horror. There is nothing that is 100% secure. The treasure troves of data created by Recall will be the target of unceasing attacks. Users from the home to the enterprise will never trust Recall, especially since it came to light with so many basic security issues. Recall seems to be a poorly thought-out knee-jerk reaction to the AI hype. Due diligence, or frankly even a modicum of common sense, should have prevented this ‘feature’ from ever leaving the whiteboard.

What do you think?
