Why Windows Recall Feature Creates a Data Privacy Nightmare

Having written about Windows since the days of Windows 3.1, I have witnessed plenty of changes to the operating system. Most of the time, these changes are no big deal. Sure, while there will always be critics of anything from Redmond, public outcry over OS updates is rare. It isn’t to say it never happens, however. We all remember the backlash when Microsoft removed the Start menu in Windows 8.

That said, the new Recall feature in Windows 11 may become the most widely opposed feature Microsoft has ever introduced.

For those unfamiliar with Recall, it is similar to the Windows 10 timeline feature (which Microsoft removed eventually) but far more intrusive. When Recall is enabled, Windows takes a screenshot every five seconds and uses AI to analyze the screenshots to determine what you were doing at a specific moment.

Recall’s Potential Benefits vs. Privacy Concerns

Microsoft promoted Recall as essentially a new type of search engine. For example, if wanted to revisit a document, video, or webpage but can’t remember where you saw it, you can enter what you remember into a text interface. Windows will then use AI to find what you are looking for.

Microsoft demonstrates Recall's explorable timeline.

My initial reaction to the Recall feature was that while it sounds useful, it seems like a security and privacy nightmare. Imagine having screen captures made of literally everything you do on your PC. Would these screen captures be of interest to your boss? What about the government? And cybercriminals? They could exfiltrate data or blackmail victims by threatening to make public sensitive screenshots.

Related:Data Privacy Explained: Protecting Your Online Information

The good news is that, as it stands, Microsoft will not enable the Recall feature by default. Additionally, most PCs won’t even be able to use the Recall feature. Initially, it will only be available on Copilot+ PCs, although some claim to have made it work on standard PCs.

Microsoft has done its best to reassure customers that the Recall feature is safe and won’t compromise privacy. According to Microsoft, all snapshots created by the Recall feature are stored locally on the device and not sent to Microsoft for analysis.

Additionally, Microsoft has introduced a feature allowing users to pause the snapshot creation process to avoid recording certain activities. You can also provide the Recall feature with an Exclude list for various websites, preventing it from taking screen captures of online banking or other sensitive activities.

Malware and Access Risks

Despite these reassurances, there are undeniable risks associated with using the Recall feature. Imagine a user accidentally clicks on a malicious link and installs malware on their Windows 11 PC. Generally, malware operates with the same permissions and within the same security context as the user who installed it. In theory, malware could interact with the Recall history programmatically, perhaps by silently submitting Recall queries in the background.

Related:Master AI Cybersecurity: Protect and Enhance Your Network

Prevailing wisdom suggests that malware cannot directly access the screen capture repository, as accessing the repository requires local administrative credentials. However, a recent blog post on Tyranid’s Lair explains that it would be relatively easy for a cybercriminal to gain access without administrative credentials. The blog post notes that since the user who creates the files owns them, you can rewrite the DACLs (discretionary access control list) to gain access without needing admin rights. The blog post also outlines another method involving opening an instance of AIXHost.exe, copying its token, and using the security token to gain access to the screen capture repository.

Even if the Recall feature were secure, the idea of a PC recording everything you do just seems creepy, even if all your activities are entirely innocent. Adding to this concern is that the Recall feature in the Windows 11 24H2 Build, which Microsoft hasn’t yet generally released, has already been compromised. It further underscores the idea that using the Recall feature poses significant risks.