- Following significant backlash, Microsoft has made several changes to Windows Recall's implementation and security.
- Users would be able to disable Windows Recall during the onboarding setup. It's now opt-in by default.
- In addition, the local vector index will remain encrypted and will only be decrypted when the user authenticates using Windows Hello.
At the Copilot+ PC event, Microsoft announced the much-hyped Recall feature that takes screenshots of your screen and performs AI analysis in the background. You can later find things and activities using semantic search. However, just after a few days, a security researcher discovered many security gaps in Recall’s implementation and called the feature a privacy nightmare.
The main concern was that once the user logged in, the vector index remained unencrypted and any app or script could access it. Apart from that, the Recall feature was turned on by default, and there was no option to disable it during the onboarding setup.
Finally, after a huge uproar, Microsoft has responded. In a blog post, Pavan Davuluri, the Microsoft VP for Windows and Devices, confirmed that users could enable or disable Recall during the onboarding setup. It means Recall is now opt-in by default which is great.
Next, Microsoft is adding an additional layer of security to protect Recall’s vector index. The local database will now remain encrypted and will only be decrypted when the user authenticates using Windows Hello. Microsoft is using Windows Hello Enhanced Sign-in Security (ESS) for “just in time” decryption.
Finally, to even view your activity history and timeline on Recall, your presence will be required. It means that Windows Hello enrollment is now strictly required to use the Recall feature. There were criticisms from many quarters that law enforcement agencies or abusive partners may access the Recall timeline to find incriminating information from the past without user’s consent.
Besides that, Microsoft now says that “Recall doesn’t share snapshots with other users who are signed into the same device, and per-user encryption ensures even administrators cannot view other users’ snapshots.” We need to test whether other users on the same PC can view stored snapshots.
And all of these changes to Recall will come into effect before Copilot+ PCs ship on June 18. I think Microsoft has done a great job listening to users’ feedback. This will bode well for building user trust. I am also glad that Microsoft made Recall an opt-in feature, by default.
So will you use the AI feature or disable Recall on your PC altogether? Let us know in the comments below.