After weeks of being excoriated by cybersecurity experts, Microsoft is making moves to address concerns over its new AI-powered computer history-saving feature: Copilot+ Recall.
Most notably, Microsoft is switching Recall from a default feature to one that requires a user to opt-in first. The company is making the change before Recall officially rolls out on June 18.
“We are updating the set-up experience of Copilot+ PCs to give people a clearer choice to opt-in to saving snapshots using Recall,” wrote Microsoft Windows VP Pavan Davuluri in an official company update on the feature. “If you don’t proactively choose to turn it on, it will be off by default.”
Response to the Recall backlash
Last month, Microsoft announced a series of new AI-powered features coming to Windows. One central feature that the company announced was Recall.
Recall takes constant screenshots in the background while a user uses a device. Microsoft’s AI then scans the screenshots and makes a searchable archive of all the activity history that a user performed. Which websites were visited, what a user typed into forms – nearly everything is saved.
Cybersecurity experts were immediately concerned. A prominent former Microsoft threat analyst who had hands-on experience using Recall called the feature a “disaster.”
It turns out, Recall really does save pretty much everything including text passwords, sensitive financial information, private Google Chrome browser history, and more. And Recall saves it inside a database that can be easily accessed by a bad actor who gains remote control of a user’s device.
Making things even worse, Recall was going to be a feature turned on by default, meaning users might not have even been aware of what was going on in the background of their device.
Thankfully, users will now have to opt-in to the feature, fully aware of what they are turning on and what Recall does.
More Recall security features rolling out too
Microsoft isn’t just making Recall opt-in either. The company also announced that in order to enable Recall, users will have to enroll in Windows Hello, a security feature that requires users to sign in via facial recognition, fingerprint, or a PIN.
That same authentication will be required for a user to access or search through their Recall history timeline as well.
Plus, Microsoft says it’s “adding additional layers of data protection.” Recall snapshots will only be decrypted and accessible after a user authenticates. The search index database will also now be encrypted too.
Microsoft’s blog post about the Recall security update also runs through a number of security-related provisions that were already built in, such as the screenshots only being available locally on the device. The feature already provided imagery to show it was being used – a Recall icon pinned to the taskbar on a user’s desktop. However, many users would’ve likely been unaware of what the icon meant if Recall had just been on as a default.
The new opt-in option should hopefully make it crystal clear that a user is consenting to what Recall does.