Researcher: Windows 11 Recall a ‘Disaster’ →

Windows 11’s Recall feature has garnered a lot of attention since being announced, and much of that has focused on the potential privacy implications of software that basically tracks everything you do on your PC.

Cybersecurity expert Kevin Beaumont has taken a look at the feature, and uhhhhhh:

Microsoft told media outlets a hacker cannot exfiltrate Copilot+ Recall activity remotely.

Reality: how do you think hackers will exfiltrate this plain text database of everything the user has ever viewed on their PC? Very easily, I have it automated.

He explains more in a post on Medium:

Every few seconds, screenshots are taken. These are automatically OCR’d by Azure AI, running on your device, and written into an SQLite database in the user’s folder. This database file has a record of everything you’ve ever viewed on your PC in plain text.

Tom Warren at The Verge:

Microsoft maintains Recall is an optional experience and that it has built privacy controls into the feature. You can disable certain URLs and apps, and Recall won’t store any material that’s protected with digital rights management tools. “Recall also does not take snapshots of certain kinds of content, including InPrivate web browsing sessions in Microsoft Edge, Firefox, Opera, Google Chrome, or other Chromium-based browsers,” says Microsoft on its explainer FAQ page.

However, Recall doesn’t perform content moderation, so it won’t hide information like passwords or financial account numbers in its screenshots. “That data may be in snapshots that are stored on your device, especially when sites do not follow standard internet protocols like cloaking password entry,” warns Microsoft.

Warren also notes:

Microsoft is currently planning to enable Recall by default on Copilot Plus PCs. In my own testing on a prerelease version of Recall, the feature is enabled by default when you set up a new Copilot Plus PC, and there is no option to disable it during the setup process unless you tick an option that then opens the Settings panel. Microsoft is reportedly discussing whether to change this setup process, though.