Microsoft has brought back its Recall feature for Windows Insiders, months after pulling it from test builds due to security and privacy concerns. While the revamped version comes with encryption and a new setting to filter sensitive information, recent tests reveal that significant privacy vulnerabilities remain.
What is the Recall Feature?
Recall is an AI-powered tool that captures screenshots of users’ activities, allowing them to quickly retrieve information from past actions. Initially seen as an innovative productivity tool, Recall soon faced heavy criticism for its failure to protect sensitive data. Researchers discovered that malicious actors could access screenshots containing personal and financial information like credit card numbers and Social Security numbers.
Following this backlash, Microsoft temporarily suspended Recall and promised to address these privacy concerns. The new version now features encrypted screenshots and includes measures to filter out sensitive information.
New Security Enhancements in Recall
The updated version of Recall offers several key security improvements:
– Encryption: All screenshots are now encrypted, making it more difficult for unauthorized users to access sensitive data.
– Filter Sensitive Information: This feature, enabled by default, aims to prevent Recall from capturing personal or financial information such as credit card numbers or passwords.
– Opt-in Functionality: Recall is no longer activated by default, allowing users to opt in to the feature if they choose.
Additionally, Microsoft has added biometric login requirements to further protect stored data.
Ongoing Privacy Concerns
Despite these security upgrades, testing by Tom’s Hardware uncovered several flaws in the new version of Recall. The “Filter sensitive information” feature failed to prevent the capture of sensitive data in multiple scenarios:
– Credit Card Information: When a credit card number was entered in Windows Notepad, Recall still captured the data, even when the number was accompanied by a label like “Capital One Visa” intended to trigger the filter.
– Loan Application: Recall also recorded sensitive information, such as fake Social Security numbers and personal details, when a loan application was filled out in a PDF viewed through Microsoft Edge.
– HTML Forms: In another test, Recall captured genuine credit card data entered on a custom HTML page, although it correctly avoided capturing sensitive details on two popular online stores.
These incidents highlight the inconsistencies in Recall’s filtering capabilities, raising concerns about its reliability and effectiveness in safeguarding privacy.
The persistence of these issues has alarmed privacy advocates. While the encryption and biometric login provide some level of protection, experts warn that they are not foolproof. If a malicious actor gains access to a computer, they could bypass biometric checks using a PIN code, potentially exposing sensitive information.
Microsoft’s Response and Plans for Improvement
Microsoft has acknowledged the ongoing issues with Recall and committed to continuous improvement. In a blog post, the company encouraged users to report instances where sensitive information was captured despite the filter, as well as any other feedback on the feature’s performance.
“We’ve updated Recall to detect sensitive information like credit card details, passwords, and personal identification numbers. When detected, Recall won’t save or store those snapshots,” Microsoft explained. “We’ll continue to improve this functionality, and if you find sensitive information that should be filtered out, please let us know through Feedback Hub.”
Additionally, Microsoft has introduced an option that allows users to anonymously share their preferences for excluding specific apps or websites from being captured by Recall, which will help refine the feature over time.
The Future of Recall
While Microsoft’s reintroduction of Recall signals progress in addressing privacy concerns, its current limitations suggest there’s still work to be done. The feature’s inconsistent filtering and potential for misuse underscore the ongoing challenges in balancing convenience with security.
Privacy experts recommend caution when using Recall, particularly for users dealing with sensitive data. Microsoft’s ability to fix these issues will be crucial in determining whether Recall can meet its potential as a secure, privacy-conscious tool.