Daily Newsletter

Daily Newsletter

Why enterprises should reject Microsoft Recall

The Recall feature can be turned off, but that’s not enough.

GlobalData Technology June 17 2024

Passwords and other credentials could also be stored in the database. Credit: Tada Images via Shutterstock.

Recently Microsoft announced a feature for its Windows operating system called Recall.

Designed for ‘AI PCs’ it is a feature that saves all of a user’s activity by taking screen shots of every window, every five seconds. It performs Optical Character Recognition (OCR) to extract text from images and all other on-screen text. Then it saves it all in a local database. AI indexes the data, making it easy to find.

A nightmare for privacy

The idea is that with AI indexing that data, users can easily search and find content data on a PC, using natural language. This allows for finding a forgotten web site, documents and chatscan be brought up and shown. No data is shared to the cloud, it’s all local on the PC. From a utopian point of view, this would be ideal, especially for knowledge workers, a liberation of data with easy search and sort. But the reality is that Recall is a nightmare for privacy and security, both for individuals and for the enterprise.

Recall stores all its collected data in a local database, but in unencrypted form. Microsoft claims that the BitLocker encryption that is already on by default in Windows 11, is more than enough. However, anyone with the user’s Windows credentials can access the data. This is problematic on several fronts.

Employees doing a search for a health ailment or booking an appointment online with a specialist, would be available to the company. Internal documents and secrets, including PII information from others would be stored in the Recall database. Employees would worry that their every move is being recorded. Recall databases could be subpoenaed, creating yet another legal discovery headache. Passwords and other credentials could also be stored in the database.

Recall hacked

Soon after early release versions of Recall began surfacing in early Windows release candidates, a white hat hacker created a tool to steal Recall data, as proof of concept. It emphasises just how insecure Recall is and how dangerous it could be. Microsoft, for its part, has pulled Recall for now, promising to make several remedies to the security holes in Recall, such as unencrypted cleartext data in the data store.

It’s good that Microsoft has recognised that there are problems with Recall and wants to fix them. But it’s not giving up on the concept, despite widespread shock and horror. Microsoft still insists that Recall is good and can be fixed.

Expect attacks   

There is nothing that is 100% secure. The treasure troves of data created by Recall will be the target of unceasing attacks and a new attack vector on enterprises and governments. Recall seems to be a poorly thought-out kneejerk reaction to the AI hype.

Due diligence, or frankly even a modicum of common sense, should have prevented this ‘feature’ from ever leaving the whiteboard. Enterprises should demand that Microsoft remove the code from Windows. The Recall feature can be turned off, but that’s not enough. An attacker could easily turn it back on and begin collecting data. Microsoft isn’t getting the message about Recall – but if enough enterprises customers speak out, Microsoft may wake up to its mistake.

Uncover your next opportunity with expert reports

Steer your business strategy with key data and insights from our latest market research reports and company profiles. Not ready to buy? Start small by downloading a sample report first.

Browse reports

Newsletters by sectors

Pharmaceutical Technology open-new-tab

Just Auto open-new-tab

Leasing Life open-new-tab

View more newsletters

Sign up to the newsletter

I consent to Verdict Media Limited collecting my details provided via this form in accordance with Privacy Policy

close

Sign up to the newsletter: In Brief

Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

Thank you for subscribing

View all newsletters from across the GlobalData Media network.

close