Microsoft has faced another setback in the release of its much-anticipated artificial intelligence tool, Recall. The tech giant has decided to delay the launch once more as it continues to address concerns regarding the security and privacy of the data collected by Recall.
The Recall tool, which is a part of Microsoft’s AI Assistant software, Copilot+, is designed to capture “snapshots” of user actions on their PC for easy access and retrieval. These snapshots include details of websites visited, apps used, and interactions with documents. While this feature offers valuable use cases, information security professionals have raised alarm about the potential for misuse by malicious actors.
In response to these cybersecurity concerns, Microsoft introduced additional privacy and security features to Recall in June. However, the planned rollout in October was postponed to address further security issues. Now, the release date has been pushed back again to ensure the tool’s security measures are robust and effective.
Brandon LeBlanc, senior product manager for Windows, emphasized Microsoft’s commitment to delivering a secure experience with Recall. He stated that the company is taking extra time to refine the tool before making it available for preview with Windows Insiders on Copilot+ PCs in December.
In late September, David Weston, Microsoft’s vice president of enterprise and OS security, reassured users about the security of Recall data. He highlighted that the tool is opt-in only, encrypted, includes malware protection, and stores data in a virtualization-based security enclave inaccessible without biometric authentication.
Weston explained that Recall uses VBS enclaves with Windows Hello enhanced sign-in security to decrypt data briefly for search purposes. The authorization times out, requiring user re-authorization for future sessions, preventing attempts by malware to steal data during authentication.
Furthermore, Weston outlined additional security measures, such as not saving in-private browsing information, allowing users to filter out specific sites or apps, and enabling the deletion of stored information by various criteria. The tool also includes visual indicators to show when snapshots are being saved, giving users control over the feature.
While Microsoft is focused on enhancing Recall’s security, industry experts suggest that the company may be taking cues from Anthropic’s Claude AI tool. Claude’s “computer use” feature, released recently, operates similarly to Recall, ingesting screenshots from connected computers but also presents inherent cybersecurity risks.
Casey Ellis, founder of Bugcrowd, believes that Microsoft is proceeding cautiously after the initial concerns raised about Recall’s implementation. He speculates that Microsoft may be observing how the market responds to Anthropic’s tool before finalizing Recall’s release to ensure privacy, security, and functionality align with industry standards.
As Microsoft and Anthropic navigate the security challenges posed by AI tools like Recall and Claude, security consultant John Bambenek highlights the substantial privacy implications of data collection for training AI models. Bambenek emphasizes the importance of minimizing risks and potential harms to end-users as these tools evolve.
Patrick Harr, CEO of SlashNext Email Security, warns that tools like Recall and Claude remain vulnerable to cyberattacks, particularly phishing and socially engineered attacks that target user data. Harr advises caution until these tools undergo comprehensive security updates to mitigate potential risks.
In conclusion, as Microsoft revises Recall’s release timeline to strengthen security measures, the tech industry closely monitors the evolving landscape of AI tools and their implications for data privacy and security. The delay in Recall’s launch underscores the company’s dedication to delivering a secure and trustworthy experience for users amid growing concerns about data protection and cybersecurity threats.