Recently Microsoft announced a feature for its Windows operating system called Recall.

Designed for ‘AI PCs’ it is a feature that saves all of a user’s activity by taking screen shots of every window, every five seconds. It performs Optical Character Recognition (OCR) to extract text from images and all other on-screen text. Then it saves it all in a local database. AI indexes the data, making it easy to find.

A nightmare for privacy

The idea is that with AI indexing that data, users can easily search and find content data on a PC, using natural language. This allows for finding a forgotten web site, documents and chatscan be brought up and shown. No data is shared to the cloud, it’s all local on the PC. From a utopian point of view, this would be ideal, especially for knowledge workers, a liberation of data with easy search and sort. But the reality is that Recall is a nightmare for privacy and security, both for individuals and for the enterprise.

Recall stores all its collected data in a local database, but in unencrypted form. Microsoft claims that the BitLocker encryption that is already on by default in Windows 11, is more than enough. However, anyone with the user’s Windows credentials can access the data. This is problematic on several fronts.

Employees doing a search for a health ailment or booking an appointment online with a specialist, would be available to the company. Internal documents and secrets, including PII information from others would be stored in the Recall database. Employees would worry that their every move is being recorded. Recall databases could be subpoenaed, creating yet another legal discovery headache. Passwords and other credentials could also be stored in the database.

Recall hacked

Soon after early release versions of Recall began surfacing in early Windows release candidates, a white hat hacker created a tool to steal Recall data, as proof of concept. It emphasises just how insecure Recall is and how dangerous it could be. Microsoft, for its part, has pulled Recall for now, promising to make several remedies to the security holes in Recall, such as unencrypted cleartext data in the data store.

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData
Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

It’s good that Microsoft has recognised that there are problems with Recall and wants to fix them. But it’s not giving up on the concept, despite widespread shock and horror. Microsoft still insists that Recall is good and can be fixed.

Expect attacks   

There is nothing that is 100% secure. The treasure troves of data created by Recall will be the target of unceasing attacks and a new attack vector on enterprises and governments. Recall seems to be a poorly thought-out kneejerk reaction to the AI hype.

Due diligence, or frankly even a modicum of common sense, should have prevented this ‘feature’ from ever leaving the whiteboard. Enterprises should demand that Microsoft remove the code from Windows. The Recall feature can be turned off, but that’s not enough. An attacker could easily turn it back on and begin collecting data. Microsoft isn’t getting the message about Recall – but if enough enterprises customers speak out, Microsoft may wake up to its mistake.