Monday, September 16, 2024
Latest:
ZDNet | Security 

As Microsoft breaks awkward silence around its controversial Recall feature, privacy questions remain

TH Author
Microsoft Copilot

Andrey Rudakov/Bloomberg via Getty Images

When Microsoft rolled out its AI-powered Copilot+ PCs back in May, the big reveal was a new feature called Recall, which promised to “make it easier to find information faster.”

That signature feature turned into one of Microsoft’s biggest headaches in years, as security researchers warned that it would be a “privacy nightmare.” In response, Microsoft abruptly put the Recall feature on hold. A month later, it delayed the rollout indefinitely, promising to make it available to members of the Windows Insider Program “in the coming weeks.”

Also: 7 password rules to live by in 2024, according to security experts

In an update this week, after two months of awkward silence, Microsoft finally laid out its plans for Recall.

With a commitment to delivering a trustworthy and secure Recall (preview) experience on Copilot+ PCs for customers, we’re sharing an update that Recall will be available to Windows Insiders starting in October. As previously shared on June 13, we have adjusted our release approach to leverage the valuable expertise of our Windows Insider community prior to making Recall available for all Copilot+ PCs. Security continues to be our top priority and when Recall is available for Windows Insiders in October we will publish a blog with more details.

That’s a pretty stunning schedule change for what was supposed to be a flagship feature of these new AI PCs, and it suggests that the privacy issues associated with Recall can’t be resolved with a few simple tweaks.

Just look at how the timeline has changed over the course of the last 90 days.

  • May 20: In the original announcement, the Recall feature was going to ship with every new Copilot+ PC on June 18.
  • June 7: The schedule didn’t change, but Microsoft Corporate VP Pavan Davuluri promised new “privacy and security safeguards … that will go into effect before Recall (preview) ships to customers on June 18.”
  • June 13: In another update, Microsoft says, “Recall will now shift from a preview experience broadly available for Copilot+ PCs on June 18, 2024, to a preview available first in the Windows Insider Program (WIP) in the coming weeks…”
  • August 21: After 10 weeks of silence, another update promises that an Insider preview will be available “starting in October,” with no additional information about wider release plans.

Because Microsoft typically slows its Insider development cycle during the holidays, it’s fair to assume that the Recall feature will not be widely available until sometime in 2025.

As security expert Kevin Beaumont noted in his brutal assessment after trying the original version of Recall back in May, this feature is most likely to appeal to a “niche initial user base” of knowledge workers that might benefit from quickly being able to pluck an important detail out of a mountain of information on a well-secured business PC. It’s not clear that this feature will benefit casual PC users who just use their computers to do basic business tasks or homework, with a little light web browsing tossed in.

Also: Stop paying for third-party antivirus software. Here’s why

And when that preview release finally hits Insider builds, I’m going to have some questions:

  • Microsoft says Recall will be off by default and will be enabled only if the user chooses to enable it. Will the Windows Setup screens encourage customers to turn this feature on? How complete will its disclosures be?
  • Will programs that include sensitive information by design, like password managers and encrypted messaging apps, be shielded from Recall? (It’s unrealistic to expect people to manually curate lists of apps that should be protected.)
  • What happens when a user visits a webpage that includes sensitive information, such as a healthcare portal or a bank account? Will details of that page be captured in Recall’s database?
  • Will biometric authentication be required to access the Recall database, or will a Windows Hello PIN suffice? That question is of particular interest to people who are trying to get help without alerting an abusive partner or a hostile member of the family.

Also: How to upgrade your ‘incompatible’ Windows 10 PC to Windows 11

These are, of course, questions that should have been asked before this feature was ever announced. They need to be answered before it becomes widely available. 

READ MORE HERE