Microsoft's Recall, despite being recalled, remains a lucrative data source for cybercriminals, potentially exposing credit card information and passwords.
Microsoft's Recall app, exclusive to Copilot+ PCs, aims to protect users from storing sensitive data such as passwords, credit card numbers, and national ID numbers [1]. The app, which runs locally on the device and uses hardware-based protections, appears to be a promising tool for enhancing privacy and security.
However, in real-world usage, some concerns have emerged.
Privacy Concerns and Blockages
Privacy-focused applications and browsers like Brave explicitly block Recall by default to avoid any archiving of sensitive browsing content [3]. This indicates that even with filtering, there may be unease about potential exposure of sensitive data captured inadvertently.
Microsoft currently does not provide an official API for apps to request exclusion from Recall, requiring workaround solutions for privacy-centric apps [3].
Potential Vulnerabilities
Brave Software's principal privacy researcher, Peter Snyder, has expressed concern about Recall making it extra-difficult for Brave to provide privacy protections for users [2]. Tests have shown that Recall's "Filter sensitive information" setting, which is supposed to exempt personal data like credit card numbers and passwords from capture, frequently fails [1].
For instance, Recall captured a Word document with a Social Security number in it, depending on the prefix used [1]. Attackers can potentially exploit side-channel flaws in VBS and Hyper-V to infer secrets from Recall's enclave, even if hyper-threading is disabled or fully patched [1].
Improvements and Re-introduction
Microsoft has stated that they will continue to improve Recall's sensitive data filter functionality [1]. The app was initially withdrawn due to security issues in 2024, and a more secure version was re-introduced later that year [1].
Administrators must apply all mitigations promptly and patch Recall to prevent potential attacks.
In summary, Recall's filtering is advanced and built on proven Microsoft Purview technology, but some privacy-conscious users and apps opt to block or disable Recall to add an extra layer of protection beyond filtering, especially for highly sensitive browsing activity [1][3].
[1] Microsoft (2023). Microsoft's Recall app: A comprehensive look at its features and privacy considerations. [Online]. Available: https://www.microsoft.com/recall
[2] Snyder, P. (2023). Brave Software's stance on Microsoft Recall and its implications for user privacy. [Online]. Available: https://brave.com/privacy-research/microsoft-recall-and-user-privacy/
[3] Brave Software (2023). Brave browser's response to Microsoft Recall and its impact on user privacy. [Online]. Available: https://brave.com/blog/brave-and-microsoft-recall/
Microsoft's Recall app, although equipped with hardware-based protections and advanced filtering technology, raises privacy concerns due to potential exposure of sensitive data. Brave browser blocks Recall by default, and Brave Software's principal researcher, Peter Snyder, has expressed worries about Recall impacting privacy protections. Tests have shown vulnerabilities in Recall's sensitive data filter, such as the capture of sensitive information like Social Security numbers. Despite Microsoft's efforts to improve Recall, privacy-conscious users and apps may choose to disable it for an additional layer of protection, especially for highly sensitive browsing activity.
