Recall: What the Heck, Microsoft?

June 04, 2024

When Microsoft first announced their new Recall feature, I was intrigued. I had heard about a similar project, Rewind, discussed on ATP back in 2022 and it sounded like it would be genuinely useful.

Microsoft including Rewind as an OS-level feature means that it has full access to everything. Recall can have deeper functionality than a 3rd-party app like Rewind, which could provide a richer experience. But it also has access everything, which is troubling for privacy-minded individuals and CIOs. I’m not someone who would install Rewind, but I would give a system-level feature like Recall a shot. Providing it was private and secure, of course.

Recall is touted as being private, and I believe this. The feature is currently only available on new Copilot+ PCs, and analysis is done on-device, without help from a cloud provider. Great! But it turns out that it stores all the data from this analysis in an SQLite database in the user’s home folder. The folder is protected by UAC, but this can be bypassed by unprivileged malware. Better yet, the feature is on by default.

In this state, Recall users will be the juiciest targets for attackers. All the things that have been on your screen are stored in one place and in plain text. Think passwords, credit card information, emails, etc. Not great!

Microsoft’s history with security has been a series of peaks and valleys. In 2002, they launched their “Trustworthy Computing” campaign after a series of high profile issues with their products. Since then, Microsoft periodically sends a top-down message that security should be job #1. This most recently happened via memo a month ago. I feel like this feature missed that memo.

The good news is that Copilot+ PCs aren’t out until later this month. It’s likely that Microsoft can do something to mitigate this, even if it’s just making the feature opt-in. The feature seems legitimately useful to me, but I definitely wouldn’t want to use it in this state.