Microsoft Delays Release of Controversial Recall Feature

Microsoft is delaying the release of its Recall feature in order to better incorporate security feedback. The delay comes a week after the company initially responded to widespread security concerns about Recall by making it opt-in only, instead of enabled by default on devices.

Recall was initially slated to be broadly available as a preview feature on Copilot Plus PCs next week. Microsoft on Thursday said that the feature will instead become a preview feature in the Windows Insider Program in the coming weeks. The company said it would then make Recall available in preview on Copilot Plus PCs “coming soon,” but only after receiving feedback from participants in the Windows Insider Program, its open software testing program that lets Windows users preview and provide feedback on various builds.

“We are adjusting the release model for Recall to leverage the expertise of the Windows Insider community to ensure the experience meets our high standards for quality and security,” said Pavan Davuluri, corporate vice president of Windows and Devices with Microsoft in the update on Thursday. “This decision is rooted in our commitment to providing a trusted, secure and robust experience for all customers and to seek additional feedback prior to making the feature available to all Copilot+ PC users.”

When the feature was first announced, it was criticized for its ability to take continuous screenshots of users’ activity, which could include passwords or financial account numbers, and store those screenshots locally on their devices. That capability could make it easy for threat actors already on a system to target sensitive data, security experts said, and some security researchers even developed proof-of-concept tools to show how easy it would be to extract data from the Recall feature in Windows 11.

While Microsoft last week sought to improve some aspects of Recall, including giving it “additional layers of data protection,” some security and privacy experts called for the company to backtrack even further on the feature, worrying about negative security and privacy consequences that could arise from its capabilities.

Recall was one of many topics during Thursday’s House Homeland Security Committee hearing with Microsoft President Brad Smith, which focused on a scathing Cyber Safety Review Board report that outlined several internal security failures at Microsoft. When asked repeatedly by committee members about Recall, Smith said the product hasn’t been launched yet and the feature wasn’t finished, and that Microsoft has “had a process to share information and take lots of feedback.”

"It's a great lesson… if somebody's creating the Recall feature, they need to think about the security aspects of the Recall feature,” said Smith during the hearing.

Committee members in the hearing asked about various aspects of Microsoft’s security, from Microsoft’s ability to detect and respond to security incidents and reported vulnerabilities, to how it notifies victims, to how the CSRB itself operates. Overall, Smith said that Microsoft “accepts responsibility for each and every one of the issues cited in the CSRB’s report.” He pointed to steps Microsoft is taking to improve its security across various areas, including better protecting identities and secrets, networks, engineering systems and tenants; monitoring and detecting threats; and enhancing its response and remediation processes. From an organizational standpoint, the company has created an office of the CISO that includes senior-level deputy CISOs to expand oversight of how security controls are built into various engineering processes. It has also formalized a plan to tie one-third of the individual performance element of each senior leadership team member’s bonus to performance goals in meeting security milestones.

But hearing committee members pointed out that some of these plans were already announced as part of Microsoft’s Secure Future Initiative, weeks before the Recall feature was even launched.

“In May, Microsoft announced an expansion of the Secure Future Initiative that committed to making security a top priority,” said Rep. Bennie Thompson (D-Miss.) during the hearing. “But the same month, Microsoft announced Recall, a new feature that takes and stores periodic snapshots of a user’s computer screen, which has raised concerns amongst both privacy and security experts. Last Friday, Microsoft modified the rollout of Recall in order to incorporate significant changes. I hope it will continue to consider these concerns of security and privacy as it rolls out new products.”