Microsoft said it has updated its controversial Recall feature with what it calls “privacy and security safeguards,” and will disable the feature by default in its Copilot Plus PCs.
The update comes on the heels of a torrent of backlash from privacy experts about the feature, which was previously enabled by default in Copilot Plus PCs. The criticism centered around the feature’s ability to take continuous screenshots of users’ activity, which could include passwords or financial account numbers, and store those screenshots locally on their devices.
In a Friday post, Pavan Davuluri, corporate vice president for Windows and Devices, said that enrollment in Windows Hello - Microsoft’s biometrics and PIN authentication process - will also now be required to enable Recall, and “proof of presence” will be required to search through the feature.
“Even before making Recall available to customers, we have heard a clear signal that we can make it easier for people to choose to enable Recall on their Copilot+ PC and improve privacy and security safeguards,” said Davuluri in the post. “With that in mind we are announcing updates that will go into effect before Recall (preview) ships to customers on June 18.”
Microsoft in its Friday update said it is adding "additional layers of data protection," including decryption protected by Windows Hello Enhanced Sign-in Security (ESS), which it said means that Recall snapshots will only be decrypted and accessible when the user authenticates. Davuluri said Microsoft also encrypted the search index database.
Riana Pfefferkorn, a research scholar at the Stanford Internet Observatory, said that it is "gratifying that Microsoft responded to the unanimous public outcry against this feature, but making it opt-in still leaves unanswered questions."
"Will the company use dark patterns to get people to opt-in without fully understanding that they’re doing so?" said Pfefferkorn. "Will employers who want to surveil their employees’ every move - because let’s be honest, that’s the only real use case for this idea - get to turn this on for their employees? What about domestic abusers who could force their victims (such as a spouse or child) to turn this feature on? There is simply no good reason for this feature; nobody was asking for it, and the non-creepy use cases (such as finding a recipe you think you looked at once) are too minor to justify the creepy ones. It should be killed entirely."
The purpose of the feature is to help consumers better locate content they had previously viewed on their device. Microsoft during Recall's initial launch had argued that users would have control over what type of screenshots the feature collects and stores on their devices. It also said that Recall snapshots would be kept on the local hard disk of users' devices and protected using data encryption on these devices.
When the feature was initially launched, security professionals said these measures were not enough, and that Recall would provide another vector for threat actors to steal sensitive data. The initial announcement of the feature was also particularly dumbfounding as it occurred weeks after Microsoft declared updates to its Secure Future Initiative, where Charlie Bell, executive vice president with Microsoft Security, said “we are making security our top priority at Microsoft, above all else—over all other features.”
Security researcher Alexander Hagenah earlier this week developed a proof-of-concept called TotalRecall that extracts data from the Recall feature in Windows 11. In his description of TotalRecall, Hagenah also called on Microsoft to recall and rework the feature, and to review the internal decision-making that led to this situation, "as this kind of thing should not happen."
"When you’re logged into a PC and run software, things are decrypted for you," said Hagenah in the description of TotalRecall earlier this week. "Encryption at rest only helps if somebody comes to your house and physically steals your laptop — that isn’t what criminal hackers do. For example, InfoStealer trojans, which automatically steal usernames and passwords, are a major problem for well over a decade — now these can just be easily modified to support Recall."