Microsoft Recall is bad at filtering sensitive information
Whenever there are privacy concerns voiced about software, they are almost always downplayed. But fears about Microsoft Recall appear to be well justified.
Announced and previewed last year, Microsoft Recall is a feature of Windows 11 which Microsoft says enables users to retrace their steps. It does this by capturing screenshots of computing activity, which can then be analyzed and searched using AI to home in on data, return to a project, and much more. But there have been lots of vocal protests about the potential for invasions of privacy.
Such was the concern about things going wrong with Microsoft Recall, that the company was forced to withdraw the feature and make significant changes to it – only re-releasing it to those willing to try it out fairly recently.
But it seems that even in its current, updated (and supposedly more secure) form, it is still a cause for concern.
Microsoft says that it has made numerous improvements to privacy and security, but when The Register conducted a series of tests with the tool, it made some worrying findings. The technology news stalwart investigated Microsoft Recall and describes the data collected by the tool as “a potential treasure trove for thieves”.
To help increase confidence in Microsoft Recall, a filtering system exists that is supposed to stop the tool from capturing sensitive information such as credit card details. This sounds great in principle, but in practice the filters do not seem to be doing what they are supposed to be doing.
That is not to say that the filters in Microsoft Recall are completely useless. Tests carried out by Avram Piltch gave very mixed results. Microsoft Recall captured some passwords that it was not supposed to. The tool was capable of identifying passwords it should not screengrab if they were clearly labelled, but this was not the case if labeling was poor or non-existent.
Tests also showed that there is work to do to improve the way in which Microsoft Recall identifies shopping and payment web pages. As these are where credit card details are often entered, it is not a good thing to have captured for posterity. And yet The Register found that Microsoft Recall would indeed, in some circumstances, still capture payment information. This is worrying because of the potential for this information to fall into the wrong hands and end up being expensive for victims.
It is not just payment details that may be captured, as Piltch writes:
In another instance, I had a photo of my passport visible on the screen and Recall correctly avoided it. However, when that photo was partially covered by another window, Recall took the screenshot.
Coupled with instances of Microsoft Recall capturing a few digits of a social security number, it is easy to see how there is the risk of things going wrong. While the tool may do a reasonable job of ignoring most sensitive data, it does not ignore enough of it. Over time, enough data slips through the net to represent a serious concern.
We have already seen numerous third-party software developers – including the Brave web browser – providing ways to block Microsoft Recall. Microsoft has already made improvements to how the tool identifies and captures data, but it is surely only a matter of time before something goes seriously wrong – and this could be for an individual or an organization.
Microsoft Recall feels like a good idea, but it is hard to see how it can be improved to a point that it correctly balances usefulness and security. It will either be secure and useless, or useful and be a vulnerability.
How do you feel about Microsoft Recall? Is there a solution?