Microsoft Recalls 'Recall'

Maybe don't roll out a new feature with questionable security when your security track record is questionable
Windows won’t take screenshots of everything you do after all — unless you opt in
Microsoft promises changes to Recall after security concerns.

Regardless of which way they were going to technically roll this out – and I mean that literally, technically – Microsoft clearly screwed up the roll out of their 'Recall' AI feature coming to Windows from a PR perspective, if nothing else. And so they had little choice but to roll back some of the promises, per Tom Warren:

Microsoft says it’s making its new Recall feature in Windows 11 that screenshots everything you do on your PC an opt-in feature and addressing various security concerns. The software giant first unveiled the Recall feature as part of its upcoming Copilot Plus PCs last month, but since then, privacy advocates and security experts have been warning that Recall could be a “disaster” for cybersecurity without changes.

Thankfully, Microsoft has listened to the complaints and is making a number of changes before Copilot Plus PCs launch on June 18th. Microsoft had originally planned to turn Recall on by default, but the company now says it will offer the ability to disable the controversial AI-powered feature during the setup process of new Copilot Plus PCs. “If you don’t proactively choose to turn it on, it will be off by default,” says Windows chief Pavan Davuluri.

For the record, I've been saying for months now that I thought this (then-rumored) feature sounded like a winner from both a Microsoft and an AI perspective. It seemed like the type of thing that could vault Windows back into the picture in terms of being a forward-thinking OS building for the future. Unfortunately, we don't live in a vacuum and Microsoft has not done themselves any favors with security mishaps over many years now. I mentioned this potential issue in a post last month, but I probably should have recognized it more fully. And certainly Microsoft should have.

Microsoft will also require Windows Hello to enable Recall, so you’ll either authenticate with your face, fingerprint, or using a PIN. “In addition, proof of presence is also required to view your timeline and search in Recall,” says Davuluri, so someone won’t be able to start searching through your timeline without authenticating first.

This authentication will also apply to the data protection around the snapshots that Recall creates. “We are adding additional layers of data protection including ‘just in time’ decryption protected by Windows Hello Enhanced Sign-in Security (ESS) so Recall snapshots will only be decrypted and accessible when the user authenticates,” explains Davuluri. “In addition, we encrypted the search index database.”

I won't speak directly to if this will ease the security concerns about the feature that others have had, but it all sounds like the right approaches to take on paper. Mainly, it felt like there was no way Microsoft could turn this feature on in Windows by default given the number of businesses that run on the OS and also manage the personal information of clients.

While I would have thought this was a feature that Apple would have done as well for macOS, perhaps even in time for WWDC in a few days, now I'm far less certain. Perhaps if Apple has a credible security narrative for such functionality, they'll roll it out. Otherwise, probably best to let Microsoft take the heat for now.

Here's Microsoft's own post on the matter:

Update on the Recall preview feature for Copilot+ PCs
Today, we are sharing an update on the Recall (preview) feature for Copilot+ PCs, including more information on the set-up experience, privacy controls and additional details on our approach to security. On May 20,