top of page

Microsoft's Windows Recall Captures Everything Is a Compliance Risk

Updated: Aug 13

Microsoft Windows Recall is a relatively new feature that was introduced with Windows 11. You can think of it as a quick and easy way to go back to things you were working on in the past, even if it was on a different device.


Here's how it works:


1. As you use your Windows 11 device for various tasks - like writing a document, browsing a website, or working on a project in an app - Windows automatically saves little snapshots of what you're doing.


2. Later on, if you want to go back to something you were working on before, you can use Windows Recall. It will show you a timeline of your past activities, organized by date and time.


3. From this timeline, you can click on any item to jump right back into that task, with everything set up just the way it was when you left off. This works even if you were using a different Windows 11 device at the time.


4. Windows Recall can be really handy if you often switch between a desktop PC and a laptop, or if you just want a quick way to resume a task from a few hours or days ago without having to dig through your files and apps.


The feature uses Microsoft's cloud services to sync this activity data between your devices, so it works best if you're signed in with a Microsoft account. And of course, you can control what gets saved and synced in your Windows privacy settings.


So in a nutshell, Windows Recall is a productivity feature that automatically saves your work and lets you quickly jump back to past tasks, even across different Windows 11 PCs. It's designed to save you time and mental energy in a world where we often have to juggle lots of digital tasks and tools.


But Recall's ability to track, classify and store almost every action taken on PCs has raised serious privacy concerns among its users. Microsoft assures them that sensitive information such as passwords entered in private browsing windows won't be captured; however this doesn't address other potential concerns.


Recall is a treasure trove for hackers or thieves; even with strong password protection in place. Should an attack happen to either your PC or laptop, its snapshots of everything you've ever done become an open door into everything you know and did on that device. This presents an immense risk.

Generative AI

Generative AI can be an extremely beneficial asset to enterprises, yet it presents considerable risks that need to be mitigated. These include data leakage, hallucinations and inappropriate outputs. To minimize these risks, organizations should make sure not to input personal information into generative AI programs like ChatGPT with privacy settings activated preventing it from recording conversations; additionally they should audit any outputs generated from these AI models to make sure they do not contain sensitive material or violate compliance policies.


Generative AI presents the biggest risk when it comes to security and privacy policies, so it is critical that any security team have the expertise and resources necessary to oversee this risk effectively - this includes making sure underlying technology can be updated quickly to address new vulnerabilities as they emerge, while setting up an ethical review process so as to evaluate any generated content generated by AI systems.


Generative AI raises additional security and compliance concerns as it can produce highly personal data - this risk being particularly acute for industries that impose stringent data compliance, like health care and financial services. Generative AI may generate records such as medical files, personal finance advice and investment recommendations - leading to HIPAA violations or unintended customer data access issues.


Generative AI may present antitrust risks by aiding unlawful anticompetitive conduct. For instance, AI systems could be used to generate pricing algorithms that facilitate price-fixing agreements among competitors - potentially violating antitrust laws as well as other federal or state statutes.

Generative AI is an exciting technology with immense potential to increase business efficiency and productivity, but as its use becomes more widespread it also creates significant security and compliance concerns that must be managed carefully. Organizations should educate their employees about safe use of this technology as well as provide them with security frameworks to safeguard their data.


Data Retention

Microsoft's Recall feature captures periodic screenshots of user computers for semantic search. Recall can capture everything from email content and browser tab content, enabling the user to rediscover moments in time using Recall. For instance, Recall can help a user recall meeting details, taking them back in time with stored screenshots as well as opening relevant applications that were open at that moment in time.


Recall is a feature that uses an NPU chip to capture and process data on devices, then stores snapshots locally. However, users can adjust their privacy settings to disable Recall completely, delete individual snapshots, or alter how long snapshots are kept for. Users may also select which apps and websites they don't wish Recall to record from within its Settings, as well as pausing it at any point in time.


Microsoft has stated that Recall will not record sensitive information such as passwords, material typed in private browsing windows or credit card numbers displayed on a webpage; however, this doesn't ensure complete immunity; indeed Recall can record everything visible on screen and this could prove concerning to some.


Recall can present businesses that use it with security risks. If its software gets compromised, unauthorized individuals could gain access to employee search histories stored by Recall; similarly, theft of corporate laptops could expose such data.


Microsoft insists that their encrypting the snapshots stored on devices and will only use them to improve large language models or target targeted ads, while not uploading or uploading to cloud servers; so even though Recall raises privacy issues, it remains an invaluable tool for those needing quick access to important or memorable content from their PC's past.


Co-Pilot

Recall AI, one of the mainstays of Copilot+, records every action you take on your PC and reports back to Microsoft about what it finds. While Microsoft claims this feature can help users quickly locate important files and information more quickly, privacy advocates remain wary about its implementation - similar to Windows 10's now defunct Timeline feature it raises suspicions of Big Brother watching your every move and reporting back on what it finds back to them.

Recall is a new feature in Windows 11 designed to record and leverage the activities on both desktops and web pages, providing search results based on semantic analysis. Recall is intended to help you recall things seen or done, like where an application or file resides; or bring back memories about specific meetings from your calendar.


This feature works by using your PC's NPU to take periodic screenshots of the screen and analyze and decode text into an index which is stored locally on the device. According to Microsoft, no data will be sent into the cloud nor used for targeted advertising - although some images or videos may still not be captured completely and you cannot turn it off completely.


Microsoft notes that snapshots are stored securely using BitLocker encryption on local storage, meaning no other apps can access them. Unfortunately, however, it's only compatible with PCs equipped with an NPU, meaning older laptops and tablets won't be capable of using this feature. Furthermore, Home and Education editions of Windows 11 with 40 TOPS NPU support come equipped with this feature by default in 24H2.


The company emphasizes that the entire process takes place on-device, with no snapshots or index data leaving your device. Furthermore, no snapshots or index data will be used to improve Microsoft's large language models or target advertisements; you can adjust settings to filter out certain apps or websites as desired; also the index remains private on your device, meaning you can stop or pause this experience at any time.

Compliance

Windows Recall's ability to capture screenshots of everything you do on your PC has raised serious privacy and compliance concerns, though Microsoft insists sensitive data such as passwords, private browsing windows usage data and credit card information won't be recorded or saved by Windows Recall at regular intervals. Regardless, this feature logs and saves all activity on your device at regular intervals.

As such, it seems likely that the British data watchdog will launch an investigation to assess Recall's compliance with regulations such as GDPR, NIS2 and CCPA which require users' explicit consent before their personal information can be collected. Furthermore, Recall's ability to decode text within images and chronicle meetings has already raised security and privacy concerns similar to that seen in Netflix series Black Mirror - further fuelling security and privacy fears.

Microsoft claims that snapshots taken with Copilot+ PCs are analyzed using the NPU and an AI model which extract information about what was being done on-screen, then organized into a new semantic index so users can search specific items or browse a timeline of their activities. Microsoft claims this data does not get shared or uploaded to servers and that users may opt-out at any time.

However, Recall does not have an evidential plan in place to guarantee it does not violate privacy standards or lead to misuse of user data. So far all that has been offered as evidence of its security measures is an explanation that Recall adheres to Microsoft's Responsible AI principles - but this does not provide details as to how the tool will manage things like email addresses or credit card numbers displayed online.

As a safeguard against potential privacy violations, Microsoft has integrated features into Recall snapshots that enable users to selectively opt-out of certain apps and websites they don't wish for to appear in them. Users can delete snapshots altogether, block specific apps/websites or temporarily snooze Recall for set periods of time.

7 views0 comments

Comments


bottom of page