Microsoft’s Recall feature has undergone significant scrutiny from the infosec community, with concerns raised about its potential security risks. The AI-powered tool, which takes snapshots of a user’s work every five seconds, was met with backlash for its data security and privacy implications for both enterprises and consumers.
In response to the criticisms, Microsoft rolled out updates last week to address some of the concerns surrounding Recall. The feature is now disabled by default, and snapshots can only be decrypted and accessed with user authentication. These changes are set to take effect before Recall previews are shipped to customers on June 18.
Pavan Davuluri, corporate vice president of Windows + Devices at Microsoft, acknowledged the feedback and stated that the company aims to make it easier for users to enable Recall on their Copilot+ PCs while enhancing privacy and security safeguards.
Prior to the updates, one of the industry’s biggest concerns was that Recall was enabled by default. This raised fears about the vulnerability of stored data to potential attacks, as well as the risk of inadvertent exposure of sensitive information. Infosec experts warned that Recall could serve as an easy target for malicious actors looking to exploit a treasure trove of valuable data stored in one location.
Despite the updates aimed at addressing encryption and opt-out concerns, the infosec community remains wary of the risks posed by Recall. Experts point out that the feature’s keylogging and web tracking capabilities could be exploited for malicious purposes, making it a potential target for attackers. Gabe Knuth, a senior analyst at TechTarget’s Enterprise Strategy Group, criticized Microsoft for rushing the rollout of Recall without adequately considering the security implications.
Additionally, concerns about Recall’s potential misuse and unintended consequences have been raised by security professionals. Brian Reed, a cybersecurity evangelist at Proofpoint, expressed disappointment in Microsoft’s lack of security foresight with Recall. He highlighted the risk of the tool being exploited for malicious purposes, such as password exposure and unauthorized data access.
The debate around Recall continues, with experts questioning Microsoft’s commitment to privacy and security. While the company has made efforts to address some of the initial concerns, doubts remain about the feature’s potential misuse and the adequacy of its security safeguards. As the rollout of Recall approaches, stakeholders will be closely monitoring how Microsoft navigates the delicate balance between innovation and security in the AI era.

