Microsoft has announced that it is updating a controversial new function it plans to implement with stronger privacy measures after experts raised concerns about its potential for compromising user data.
Recall, only available on Copilot+ PCs, is set to go live in preview mode on June 18. The feature attracted widespread backlash, with many security experts concerned about its threat to privacy and data safety.
Following the backlash, Microsoft said Friday that it is updating the feature.
First, Recall, which was originally going to be enabled by default, will now be disabled by default on all Copilot+ PCs.
“These options help make it easier and safer to sign into your PC because your PIN is only associated with one device, and it’s backed up for recovery with your Microsoft account,” the company states.
Third, Microsoft is boosting data protection through the Windows Hello Enhanced Sign-in Security so that Recall snapshots can only be decrypted and accessed after user authentication. The search index database will also be encrypted.
“Obviously all eyes are on how this is actually implemented, eg they said the database was encrypted previously. I would suggest security researchers deep dive in the coming weeks.”
He asked Microsoft to commit that the company will not try to force users to enable the Recall function in the future. In addition, Recall must be turned off by default in Microsoft’s Group Policy and Intune services for enterprise organizations, Mr. Beaumont stated.
Security Concerns
Microsoft claims that Recall screenshots are stored locally on the device and that the images won’t be used to train its artificial intelligence. In addition, it said Recall snapshots won’t be sent to Microsoft or other companies and applications. “Recall doesn’t share snapshots with other users who are signed into the same device, and per-user encryption ensures even administrators cannot view other users’ snapshots,” said the company.
In his blog, Mr. Beaumont notes that even though Recall snapshots are stored on user devices and will now be encrypted, the images can still be accessed by hackers and malware.
Even if a person were to delete their emails, WhatsApp messages, and other things from their PC, the Recall snapshots of these apps will remain in the device database indefinitely, the blog post stated.
The Recall feature comes as Microsoft’s security practices were recently blamed by a federal review board for a Chinese hacking incident last year.
The intrusion compromised U.S. national security interests as hacked email accounts included those run by Commerce Secretary Gina Raimondo and U.S. Ambassador to the People’s Republic of China Nicholas Burns.
In a March 2024 report, the Cyber Safety Review Board (CSRB) pointed out that the hacking incident was “preventable” and should never have happened.
“The Board also concludes that Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations,” the report said.
The CSRB noted that Microsoft needs to demonstrate the “highest standards of security, accountability, and transparency” given that its products support national security and act as the foundation of the American economy.