Data Breach News

Microsoft Makes Windows Recall Opt-in, Encrypted After Outcry

Microsoft responded to the outcry over Windows Recall with significant changes, but a key researcher plans to wait for the final product to judge.

by Paul Shread June 7th, 2024

Share on LinkedInShare on Twitter

Microsoft is making changes to its planned Windows Recall feature in response to growing criticism over the lack of privacy and cybersecurity controls of the AI screen recording feature.

The Recall concerns began with the work of security researcher Kevin Beaumont, first reported by The Cyber Express, and grew to include tools and demonstrations of how easy it would be to hack Recall’s corresponding database of screenshotted user activity.

Recall, planned for Copilot+ PCs starting June 18, would have taken frequent screenshots of user activity with inadequate security controls and would have been turned on by default, raising concerns about the ability of hackers, domestic abusers and other malicious actors to access a trove of personal and financial data with ease.

Microsoft Announces Windows Recall Opt-in, Authentication, Encryption

In a blog post today, Pavan Davuluri, Microsoft’s Corporate Vice President of Windows + Devices, said the company has heard those concerns.

“Even before making Recall available to customers, we have heard a clear signal that we can make it easier for people to choose to enable Recall on their Copilot+ PC and improve privacy and security safeguards,” Davuluri wrote. “With that in mind we are announcing updates that will go into effect before Recall (preview) ships to customers on June 18.”

The first change is to update the set-up experience of Copilot+ PCs “to give people a clearer choice to opt-in to saving snapshots using Recall,” Davuluri wrote. “If you don’t proactively choose to turn it on, it will be off by default.”

He provided a screenshot of what that opt-in screen will look like:

Windows Recall opt-in screen (source: Microsoft)

Enrollment in Windows Hello authentication will be required to enable Recall, he said, and “proof of presence is also required to view your timeline and search in Recall.”

Davuluri said Microsoft is also “adding additional layers of data protection including ‘just in time’ decryption protected by Windows Hello Enhanced Sign-in Security (ESS) so Recall snapshots will only be decrypted and accessible when the user authenticates. In addition, we encrypted the search index database.”

“This gives an additional layer of protection to Recall data in addition to other default enabled Window Security features like SmartScreen and Defender which use advanced AI techniques to help prevent malware from accessing data like Recall,” he added.

Beaumont Skeptical of Planned Recall Changes

In a Mastodon post, Beaumont said he’ll be skeptical of Microsoft’s planned changes until he sees the shipped product and can test it out.

“Obviously, I recommend you do not enable Recall, and you tell your family not to enable it too,” Beaumont said. “It’s still labelled Preview, and I’ll believe it is encrypted when I see it. There are obviously serious governance and security failures at Microsoft around how this played out that need to be investigated, and suggests they are not serious about AI safety.”

Source

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button