Microsoft claws back Recall after privacy backlash

Microsoft has been forced to update its Recall feature before it even arrived, switching the controversial AI-powered tool to opt-in rather than enabling it by default.

Unveiled in May, Recall is part of Microsoft’s Copilot+ suite of AI tools, and snaps a screenshot every few seconds to build a database of images that can later be searched to find documents, websites and so on.

Unsurprisingly — to everyone except Microsoft, it would seem — the snapshot feature proved immediately controversial. The UK’s data watchdog raised instant concerns, as did privacy advocates and security experts, with one calling it a “nightmare”.

Recall becomes opt-in only

In response, before the feature even arrived, Microsoft said it would no longer enable Recall by default but make it opt-in only, requiring active approval during the setup of new PCs that come with Microsoft’s Copilot.

“Even before making Recall available to customers, we have heard a clear signal that we can make it easier for people to choose to enable Recall on their Copilot+ PC and improve privacy and security safeguards,” said Pavan Davuluri, Corporate Vice President for Windows and Devices, in a post on the Windows Experience blog.

And the first change is making it opt-in only rather than on by default. “First, we are updating the set-up experience of Copilot+ PCs to give people a clearer choice to opt-in to saving snapshots using Recall,” Davuluri explained. “If you don’t proactively choose to turn it on, it will be off by default.”

Security boost

Microsoft is also introducing a few security upgrades. To start, before a user can search in Recall or see the timeline of snapshots, they will have to sign in again, and they must be enrolled in Windows Hello, Microsoft’s login system that uses a PIN, facial recognition or fingerprints. That should make it harder for someone to step up and access a Recall timeline on a PC that’s been accidentally left unattended.

Security experts also raised concerns about how the Recall data was stored, in particular that it was stored in plain text. In response, Microsoft is encrypting the dataset. “Third, we are adding additional layers of data protection including ‘just in time’ decryption protected by Windows Hello Enhanced Sign-in Security (ESS) so Recall snapshots will only be decrypted and accessible when the user authenticates,” said Davuluri. “In addition, we encrypted the search index database.”

Microsoft Recall privacy criticism

Security expert Kevin Beaumont, who has previously worked for Microsoft, was highly critical of Recall at launch, saying his former employer was “inventing a new security nightmare”. He also revealed that the database was stored in plain text.

After the changes were introduced, Beaumont welcomed them, in particular Recall becoming opt-in only, though there may well be “devils in the details”.

For what it’s worth, Microsoft welcomed the Recall criticism. “We remain grateful for the vibrant community of customers who continue to share their feedback with us,” said Davuluri, adding that the preview is designed “to give customers a choice to engage with the feature early, or not, and to give us an opportunity to learn from the types of real-world scenarios customers and the Windows community finds most useful”.

In other words, if you choose to use the preview of Recall, do let Microsoft know what you think. Or, as Beaumont said: “Turns out speaking out works.”

He added: “Obviously all eyes are on how this is actually implemented, eg they said the database was encrypted previously. I would suggest security researchers deep dive in the coming weeks.”

Beaumont also revealed that someone at Microsoft sent him the market research that sparked the development of Recall “…and it’s proper ivory tower stuff. All business managers who can’t figure out how to search.

“Microsoft are in an echo chamber of people who are in a cave and who are running out of oxygen. AI won’t grow that base; it will help accelerate the decline in trust.”

The preview of Recall will be available to customers beginning 18 June — those who want it, anyway.

Nicole Kobie

Nicole is a journalist and author who specialises in the future of technology and transport. Her first book is called Green Energy, and she's working on her second, a history of technology. At TechFinitive she frequently writes about innovation and how technology can foster better collaboration.