The criticism of Microsoft’s Copilot+ AI PC Recall feature was swift and harsh. It’s meant to let you search for anything you’ve ever done on your PC, but it does so by constantly taking screenshots of your PC, and critics pointed out that the resulting information wasn’t stored securely. Microsoft ended up delaying the rollout to Windows Insider beta testers and announced stricter security measures in June: Recall is now opt-in by default, Windows Hello biometric authentication is required, and the screenshot database is encrypted.
Today, ahead of the upcoming big Windows 11 announcement in November, Microsoft revealed details about Recall’s security and privacy measures. The company says Recall snapshots and related data are protected by VBS Enclaves, which it describes as “software-based trusted execution environments (TEEs) within the host application.” Users must actively turn on Recall during Windows Setup, and they can also remove the feature entirely. Microsoft also reiterated that encryption will be a key part of the overall Recall experience and that Windows Hello will gate every interaction with the feature, including changing its settings.
“Recall also protects against malware through rate limiting and anti-hammer protection,” David Weston, vice president of OS and enterprise security at Microsoft, said in a blog post today. “Currently, Recall supports PIN as a fallback method only after Recall is configured. This is to avoid data loss if a secure sensor is damaged.”
When it comes to privacy controls, Weston reiterates, “You’re always in control.” By default, Recall does not save your private browsing data across supported browsers such as Edge, Chrome, and Firefox. This feature also turns on sensitive content filtering by default to prevent things like passwords and credit card numbers from being saved.
Microsoft says Recall has also been reviewed by an unnamed third-party vendor and has undergone penetration testing and security design overviews. The Microsoft Offensive Research and Security Engineering team (MORSE) has also been testing the feature for several months.
Given the immediate backlash, it’s not really surprising that Microsoft would be extra cautious about its eventual Recall rollout. The real question is how the company didn’t anticipate the initial criticisms, including that the Recall database was easily accessible from other local accounts. Thanks to the use of encryption and the additional security measures, that shouldn’t be an issue anymore, but it makes me wonder what else Microsoft missed early on.
