Ahead of its annual developer conference, Build, Microsoft released a range of AI PCs and new AI services powered by its Copilot assistant. However, one of the most controversial features, Recall, is now the target of a potential investigation by the UK data watchdog.
Recall aims to help laptop users easily identify websites and documents they have previously accessed by taking screenshots every few seconds.
While Microsoft stated that this feature was optional, the Information Commissioner’s Office (ICO) has contacted the company for more information on how Recall works and how its screenshots will be stored.
When contacted by Verdict, a spokesperson for the ICO stated that it was making these enquiries to Microsoft to understand what safeguards it had placed to protect Microsoft’s AI PC users.
“We expect organisations to be transparent with users about how their data is being used and only process personal data to the extent that it is necessary to achieve a specific purpose,” the spokesperson said
“Industry must consider data protection from the outset and rigorously assess and mitigate risks to peoples’ rights and freedoms before bringing products to market,” they added.
How well do you really know your competitors?
Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.
Thank you!
Your download email will arrive shortly
Not ready to buy yet? Download a free sample
We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form
By GlobalDataOn its website, Microsoft explained that it had built security protections into Recall.
This includes giving users the option to limit or delete Recall screenshots and Microsoft clarified that Recall does not take screenshots of content viewed in Microsoft Edge InPrivate browsers. Any content protected by digital rights management will also not be captured by Recall.
According to Microsoft, any screenshot data captured by the feature is encrypted and not accessible by the company.
Also, the company said it does not moderate the content captured by Recall, meaning it cannot remove passwords or financial details from a screenshot.
David Ruiz, senior privacy advocate at malware protection provider for Windows Malwarebytes, believes that Recall could pose security risks to users.
“With Recall, a CEO’s personal laptop becomes an even more enticing target for hackers, a journalist’s protected sources are within easier grasp of an oppressive government, and your entire identity could be abused and impersonated by a separate device user,” he said.
Ruiz explained that, despite encryption, Recall required Microsoft’s users to extend their trust beyond Microsoft and to the other people potentially using the device.
“Recall’s most sensitive snippets of information can still be retrieved by someone else using the same device,” he explained, “That could be a curious family member, a device thief, or an abusive spouse.”
In a world where weak passwords are frequently causing security breaches, Ruiz also questioned how Recall could realistically be used safely.
“Recall only makes sense in a one-device-per-person world,” said Ruiz, “That’s a risk because of shared devices, but Recall’s next iteration may also create a risk for many devices for the same user.”
Defence evangelist at cybersecurity training provider KnowBe4, Roger Grimes, stated that attackers would have to access a user’s laptop to gain entry into Recall’s screenshots.
“Pulling up recalled screens is just one of your worries,” Grimes explained. “They can capture your passwords as you type them or dump them all from your password manager. They can put wiperware on your computer, steal banking credentials, or install ransomware.”
Speaking to Verdict, threat intel analyst at security company Expel, Aaron Walton, similarly questioned the validity of Recall’s potential in data breaches.
“While it’s natural to be wary of features like this, people tend to forget similar so-called privacy violations go unchecked every day,” said Walton.
Walton stated that bad actors and other people using the same device already have more access to personal information than most people realise without the need for Recall.
“Recall may be able to make private details more searchable, but most threats to privacy have already found ways to collect the same information,” he said.
Research and analysis company GlobalData forecast the total cybersecurity market will be worth over $290bn by 2027, achieving a CAGR of 13% from 2022.
Microsoft’s major laptop partners, including Dell and Lenovo, will supply laptops with Copilot’s features including image generation and document summarisation.