Governance & Risk Management , Privacy
Microsoft's Recall Stokes Security and Privacy Concerns
UK Privacy Watchdog Launches Probe Into Microsoft Screenshot Storage FeatureMicrosoft's new automatic screenshot retrieval feature could enable hackers to steal sensitive information such as online banking credentials, security experts warned. Also, the U.K. data regulator will probe Recall for compliance with privacy law.
See Also: Using the Netskope HIPAA Mapping Guide
Unveiled on Monday, Recall is a preview feature that will be added to Microsoft's artificial intelligence system Copilot+ and to Windows devices. The company claims the tool will provide its users with "photographic" memory by allowing Windows to take snapshots of the user's screen periodically to find data from apps, websites, images and documents.
According to the company, the feature can store nearly 25 gigabytes of data, amounting to screenshots of a user's activities for up to three months. The images will be coupled with AI tools to help users to search for specific content to identify their past activities.
"It is not keyword search. It is semantic search over all your search history. We can recreate moments from the past, essentially," Microsoft CEO Satya Nadella said in an interview with The Wall Street Journal.
To address potential privacy concerns, Microsoft said that it will store screenshots locally on the user's system. It will also allow users to disable the feature or temporarily pause it. Recall cannot record audio or save videos, Microsoft added.
Some security experts say these measures aren't enough to ensure the security of Recall users. A company spokesman directed a request for comment to a web page discussing Recall privacy and security.
Security researcher Kevin Beaumont, who also analyzed the Copilot interface said he could enable "save snapshots" within the application feature using a PowerShell. He added that since Recall does not hide passwords on a user's system, this means that when a user is accessing a banking app, then their banking credentials will be captured and stored in the device.
"If you look at what has happened historically with info stealer malware - malicious software snuck onto PCs - it has pivoted to automatically steal browser passwords stored locally," Beaumont said. "In other words, if a malicious threat actor gains access to a system, they already steal important databases stored locally."
The scale of a potential security incident involving Recall could be "immense," since hackers could potentially infiltrate the credentials of billions using info-stealing Trojans on Windows systems.
Steve Teixeira, chief product officer of browser-maker Mozilla, said in an email that Recall will store the data users type into browsers "with only very coarse control over what gets stored."
"While the data is stored in encrypted format, this stored data represents a new vector of attack for cybercriminals and a new privacy worry for shared computers," he said. He also accused Microsoft of again favoring in-house products to the detriment of third-party software such as the Firefox browser. Microsoft's Edge browser "allows users to block specific websites and private browsing activity from being seen by Recall." Other Chromium-based browsers can filter out some activity but can't block sensitive websites such as financial sites from Recall, he said. But there's no documentation for a browser not based on Chromium - such as Firefox - to implement privacy controls over Recall.
Kevin Robertson, COO and co-founder of security firm Acumen, called Recall "spyware" and added that Microsoft is likely to go ahead with its implementation despite the security concerns.
"Microsoft is too big and too powerful to be brought down. They'll just say it's optional and it'll get implemented anyway. Most users will turn it on without realizing the impact or it will be on by default. This is going to get abused on so many levels," Robertson told Information Security Media Group.
Microsoft could also face regulatory headwinds in Europe due to the General Data Protection Regulation, which mandates that companies evaluate the necessity and the proportionality of the recording of personal data. But even if Microsoft undertakes such as assessment, the company is not obliged to publish it.
The U.K. Information Commissioner's Office on Wednesday said the agency is making inquiries with Microsoft to determine Recall's security safeguards. The announcement from the agency comes a day after the regulator urged AI developers to assess privacy risks before releasing their products.