… it appears not everything is as it seems. While it’s true that Windows Recall doesn’t send any data to the cloud, the data it stores locally on your machine isn’t very well secured. Security researcher Kevin Beaumount has documented his findings on Windows Recall, and has revealed that the tool stores its data in an SQLite plaintext database. This means the data is readable, and not encrypted when the user is logged into their computer. The only time the data becomes encrypted is when the PC is not logged in. So, while that protects against someone accessing your data on a stolen laptop, it does not prevent potential malware designed to scrape Recall’s data while the user is logged in.
Unbelievable…
So is my browser history and all the files on my Mac. If I get infected with malware the intruder would have access to the data on my drive and could potentially monitor all my keystrokes.
Some users choose to protect data using encryption and password managers.
Recall is making all these choices obsolete to some degree. Sorry, I am with the security experts here. I value privacy and security. Recall does not respect that at all. Recall does not need a sophisticated keylogger to be compromised. It is compromised by design.
I am fine with everyone willing to “enjoy” this revolutionary experience. There are others that care about security and privacy. 
True, and then risk operating their computer with administrator privileges.
It appears that a user has the ability to customize Recall, and I would expect this to improve once the feature becomes more wide spread.
There is a market for apps like this, Rewind.ai is one for the Mac, and I wouldn’t be surprised if Apple chose to add something similar in the future. Time will tell.
Limitations
In two specific scenarios, Recall captures snapshots that include InPrivate windows, blocked apps, and blocked websites. If Recall gets launched, or the Now option is selected in Recall, then a snapshot is taken even when InPrivate windows, blocked apps, and blocked websites are displayed. However, Recall doesn’t save these snapshots. If you choose to send the information from this snapshot to another app, a temp file is created in C:\Users\[username]\AppData\Local\Temp to share the content. The temporary file is deleted once the content is transferred over the app you selected to use.
User controlled settings for Recall
The following options are user controlled in Recall from the Settings > Privacy & Security > Recall & Snapshots page:
- Website filtering
- App filtering
- Storage allocation
- When the storage limit is reached, the oldest snapshots are deleted first.
- Deleting snapshots
- Delete all snapshots
- Delete snapshots within a specific time frame
Storage allocation
The amount of disk space users can allocate to Recall varies depending on how much storage the device has. The following chart shows the storage space options for Recall:
From: Manage Recall for Windows clients - Windows Client Management | Microsoft Learn
There may be a market for apps like that, but I still think it’s a dumb idea to bake it into the operating system. It vastly increases the size of the target and makes it much more attractive to cybercriminals. Users will be enabling it who have no idea what the potential consequences could be, and worse, MS could ship it enabled by default.
Let those who want it install a specialized app for it, and leave everyone else’s computers free of it.
That’s a surprising approach they’ve taken. sqlite is fine, but Windows + the secure chip on the Snapdragon would let them whitelist access per app. Qualcomm’s is no T2, and Qualcomm + MS are going to be worse at coordinating secure hardware + software than Apple internally, but still…
Based on the number of vulnerabilities being exploited I wouldn’t be surprised to learn that smartphones may be the favorite target of criminals.
In any event, Windows users will likely be the ultimate judge of Recall.
Here’s Ars Technica’s take:
let’s put it this way: Microsoft is building a feature into Windows that is monitoring and logging a ton of data about you and the way you use your PC. Traditionally, we’d call this “spyware.” The difference is that Microsoft is giving this particular data collection feature its blessing and advertising it as a banner feature of its upcoming wave of Copilot+ PCs.
The fact that the data is processed locally rather than in the cloud is a good first step, but it’s also the bare minimum. Based on both the permissive default settings and the ease with which this data can be accessed, Recall’s security safeguards as they currently exist just aren’t good enough.
Saw this reflection about Recall on Mastodon today:
I read an earlier Ars article on Recall; I immediately downgraded my test machine to Windows 10 Pro. After seeing there might be “improvements” (read “AI integration”) to Windows 10 after all, I disconnected my test machine from the internet.
You didn’t need to do that.
Recall is not supported on any existing windows device. You will have to buy one of the next generation of Copilot+ machines, with one of the next generation Snapdragon ARM processors.
This post from Charles Stross may be of interest to readers of this thread:
I’m not defending Microsoft, but they have, apparently, already addressed many of Recall’s problems. And they have a story that may appeal to a lot of businesses.
To their credit they did address the glaring weaknesses. But it never should have gotten that far.
And Stross brings up some interesting points about more subtle issues.
I send you a draft email/text/document for review. You have recall on, I do not. The draft I did not expect to exist past the review stage now lives on in your Recall database.
I’m not an EU citizen so I’m probably getting this wrong, but how does one with Recall on respond to “right to forget” requests? How does anyone even know to make a request?
It was not enough for MS to think through the happy path use cases. They needed to plan for the unhappy path cases as well.
Once you send me that draft you have lost control of the document. End of story. That is why there is no such thing as privacy when it comes to (unencrypted) email.
AFAIK ‘right to forget” only applies to search engines.
There is no delete button on the Internet.
It’s not an issue on the face of it. The data is only stored for three months.
Private citizens aren’t covered by GDPR, and if you’ve sent the email/document to someone at a business and it contains your own private information you’ve given an implicit consent to process the data.
It’s more compliant, on the face of things, than Microsoft Outlook or your email client of choice is.
No, not at all. Any business that processes personal data of a UK or European citizen is covered by GDPR (which enshrines the right to be forgotten and other rights in European and UK law) regardless of purpose or jurisdiction.
Good to know.