Opinion: Microsoft's Recall Feature Is A Total Security Nightmare, And Nobody Should Use It
With the announcement of Copilot+ PCs last month, Microsoft also unveiled a new feature coming later this year to AI-capable PCs, called "Recall". Since then, people have decried the feature as effectively built-in spyware, and even security experts have called it a built-in "Trojan", a security and privacy disaster waiting to happen.
In this blog, let me get you up to speed on what exactly this highly controversial feature is, and why I'm here to tell you that you should never use it.
Recall? What's That?
According to Microsoft, Recall is a much more powerful version of search in Windows: it works by taking screenshots of your PC's content once every few seconds, which are analyzed by your PC's onboard NPU (Neural Processing Unit), and you can find them later via keywords like "a PowerPoint presentation with a slide in a red background", to name an example. All the screenshots will be stored on-device and encrypted, meaning that on paper nobody will be able to take a peek at the data inside. Emphasis on "on paper" here, which we'll delve into later.
This feature will be available to all qualified Copilot+ PCs, and to qualify as one, a system must feature 16GB of RAM, 256GB of SSD, and a processor featuring an NPU with more than 40 TOPS of compute power. Currently, only Qualcomm's new Snapdragon X Elite / X Plus SoCs qualify for this segment, but both Intel and AMD will soon follow with Lunar Lake and Strix Point (Zen 5) processors respectively, later this year.
Plenty Of Strings Attached
However, there are a few strings attached that Microsoft wasn't very keen to advertise. For one, it'll occupy at least 25GB of disk space (around 3 months' worth of images). To give you an idea, that's roughly 10% of a 256GB SSD, the minimum requirement for Copilot+ PCs, lost to this feature alone. A Windows installation itself already takes some 40GB away from the disk, which leaves you with a lot less storage available when this feature is turned on.
The biggest issue raised by everyone on the Internet comes down to how Recall deals with sensitive information. To put it simply: it doesn't. Microsoft says Recall is incapable of distinguishing sensitive information such as passwords and IDs, and users are required to manually turn off Recall temporarily if the content on-screen contains sensitive information.
From a user experience perspective, this is certainly not something everyone will remember to do every time they need to access banking websites, which means it's only a matter of time before something slips in by accident. While the company says you can delete certain snapshots, not everyone is going to sift through possibly thousands of snapshots and pinpoint the one they need to delete after the fact; it's just plain unintuitive to do so.
At one point, Microsoft even said this feature would be turned on by default, but the company has recently backtracked due to huge security concerns from users and security experts alike. The company has since promised stronger security, changed its policy to opt-in instead of opt-out, and mandated Windows Hello to enable the feature.
This Is Hacker's Heaven
Before we talk about trust issues pertaining to Microsoft as a company, let's talk cybersecurity in general. There is no magic bullet here: cybersecurity is an eternal game of cat-and-mouse, a constant race between threat actors and security firms to attack and defend, while all the PCs in the world are their battlefield. There is no such thing as "unbreakable" or "unhackable"; just ask NVIDIA about the LHR GPUs.
In cybersecurity (or security in general), there's one doctrine called "security through obscurity": if bad actors think something is not worth the effort, they will not bother. This is why it is commonly believed that macOS and Linux are safer than Windows: there just aren't enough users on those platforms for hackers to care, and it's also why the WannaCry ransomware attack mostly targeted Windows systems back in 2017.
The presence of Recall poses a serious problem in this case. Since Recall puts all snapshots in one spot, it's inherently a data goldmine for hackers: all your sensitive data is now in one place, ready to be siphoned away! Forget phishing attacks; the presence of Recall will lure hackers into concentrating all their firepower against whatever encryption Microsoft uses for this feature, because remember: nothing is unbreakable. All it takes is an exploit, a wrong switch, or a simple social engineering attack (with the help of AI too, now that we're in 2024).
In fact, a tool has already been created to extract the data Recall uses: "TotalRecall", developed by cybersecurity researcher Alexander Hagenah. Another security researcher, Kevin Beaumont (also an ex-Microsoft employee), has written in a blog that all it takes is just "two lines of code" to steal data from Recall. I recommend you read the blog, which simplifies the whole ordeal into a few straightforward Q&As that a regular Joe should understand just enough to get the idea.
Microsoft's AI Endgame
Let's take a step back and ask ourselves: why is Microsoft so aggressive at pushing AI at every chance it gets? The simple fact is, competition is very much heating up in this space, and with OpenAI being the golden goose of Microsoft's AI efforts (despite Microsoft having no direct ownership of the organization), it's not going to lose this chance of locking users into its own AI-powered ecosystem. Apple has long proven the sheer power of an ecosystem, and Microsoft wants to replicate that through AI.
So, it's pretty obvious that the easiest way to introduce AI to the masses is by tying AI into every service it offers. Windows 11, Office 365, Bing, Outlook, you name it; the company even reversed its decision to end Windows 10 feature support just to add Copilot AI to Windows 10, which still holds as much as 70% of the Windows market share today (while Windows 11 occupies just roughly one-quarter of the market).
From the outside, the company is facing stiff competition from Google and Meta, both of which have introduced their own implementations of AI chatbots, search engines, and all kinds of features with AI added into the mix. Apple reportedly will join this race later this year, although we'll have to wait for a bit to know more (knowing Apple, it's likely designed for its devices only).
It's A Matter Of Trust, Which Microsoft No Longer Has
So, it all boils down to this question: do you trust Microsoft?
The company's track record on security is well-known at this point, and it's not a good one. Security problems aside, Microsoft has been known for many egregious attempts at upselling features such as Bing, Edge, and OneDrive, which infuriate Windows 11 users; some of the tactics used have been borderline malware-like.
While Microsoft now promises the Recall feature will be opt-in, how long until it reverses the decision when it sees low user uptake? When will be the next time it turns on the feature by accident, just like Windows 10's Windows Update fiasco? Implementing a feature like Recall demands a huge amount of trust in Microsoft as a company, and that trust has been slowly eroded over the years.
When the tech industry is trying to protect users' privacy (whether out of good faith or as a result of legislation), the Recall feature feels like a complete 180, despite Microsoft's promises. Even if the roles were reversed and Apple or Google were the one introducing the feature today, I'm sure it'd receive just as much criticism. The truth is, security is only as strong as its weakest link, and a feature like Recall is, in my opinion, a risk simply too big to accept no matter how you put it.







