It’s only been two weeks since Microsoft unveiled Windows Recall as a key feature of its Copilot artificial intelligence tool, but the software feature is already being blasted by security experts.
The feature, which tracks all activity on a Windows computer to make things easier to find later using natural language, is being labeled a hackable security disaster. At least one white-hat hacker already created a tool that can extract sensitive data from Recall. It’s called, naturally, TotalRecall and is available on Github now.
The feature is part of a new generation of PCs that Microsoft announced at its Build event and that it labeled Copilot Plus, set to launch on June 18.
Using AI, Recall is supposed to capture data from across all applications, unless you exclude any, by taking a series of screenshots and storing these interactions in a database. It runs locally and can function without an internet connection and even when you’re not logged in to your Microsoft account.
Amid the controversy, guides on how to disable the feature are already being posted online ahead of the launch. The short version: go to Windows settings, select Privacy & Security, go to Recall & Snapshots and use these settings to toggle off the feature or delete any data that’s already been collected.
Security expert Kevin Beaumont posted a detailed analysis on Medium after testing out the feature, which is expected to be enabled by default on these new Copilot Plus systems. Beaumont said the feature will have niche uses for most users, but it presents such a huge security risk that it could take down the entire Copilot Plus brand.
“I think it’s an interesting entirely, really optional feature with a niche initial user base that would require incredibly careful communication, cybersecurity, engineering and implementation,” he wrote. “Copilot Plus Recall doesn’t have these. The work hasn’t been done properly to package it together, clearly.”
Barry Briggs, a former CTO at Microsoft’s information technology unit, wrote a post called Should Microsoft Recall Be Recalled at Directions on Microsoft. In the post, Briggs said that even though Recall is “at least on the surface… a cool-looking feature,” he has doubts about whether it adds real value for users or the enterprise space.
“It’s even harder to imagine that bad guys, such as well-funded and well-trained foreign actors, won’t expend a ton of energy working to break the code,” Briggs wrote.
Microsoft didn’t immediately respond to a request for comment.
You can read more of CNET’s hands-on reviews of AI tools like Copilot, Gemini, ChatGPT and Claude on our AI Atlas hub.
Editors’ note: CNET used an AI engine to help create several dozen stories, which are labeled accordingly. The note you’re reading is attached to articles that deal substantively with the topic of AI but are created entirely by our expert editors and writers. For more, see our AI policy.
+ There are no comments
Add yours