Windows 11’s Recall feature isn’t supposed to screenshot your credit card details – but it does

TL;DR: Windows 11’s Recall feature, an AI search tool, recently went live in testing, but it’s struggling with privacy settings, failing to filter sensitive information like credit card details and passwords. Sometimes it works, sometimes it doesn’t – but more often the latter, which isn’t going to impress those who are already worried about the security aspects of the feature.

Windows 11’s Recall feature is back in play – in testing, and it just expanded to include AMD and Intel x86 Copilot+ PCs – but the controversial functionality has run into yet more trouble.

Recall's Timeline of snapshots (Image Credit: Microsoft)

As you’re doubtless aware, Recall is a supercharged AI search that uses regularly taken screenshots to find stuff on your PC. Those so-called ‘snapshots’ are not supposed to include any screen that has sensitive information on it, such as credit card details as an obvious example.

Tom’s Hardware has been testing Recall in this respect, though, and found out that the results are hardly ideal in terms of maintaining cast-iron privacy for your more sensitive data.

Recall’s ‘filter sensitive information’ setting (turned on by default) failed to prevent the feature from taking a screenshot of a credit card number in Notepad, despite Tom’s putting ‘Capital One Visa’ clearly next to the number. It similarly failed to avoid screen-grabbing a username plus password written in a text file.

When Tom’s constructed a web page and form that clearly stated it wanted a credit card number (and other details, such as the CVC), this was screenshotted too.

Another test of a PDF in Microsoft Edge, a loan application, ended up with Recall taking a snapshot of personal details that included a social security number and date of birth.

It wasn’t all failures, though: the filter did perform correctly with details entered on two shopping websites, not taking snapshots of these. So it seems that in clear-cut cases where an e-commerce site can be identified, the safeguards work, but in more informal scenarios they don’t.

To be fair, Recall is still in testing, so the functionality going awry isn’t exactly a surprise. But this filter is such a crucial part of Recall’s privacy protections that its failures will again cast doubt over the feature, which is destined for Windows 11 on Copilot+ PCs.

As Tom’s points out, Microsoft said when introducing Recall into testing:

“We’ll continue to improve this functionality, and if you find sensitive information that should be filtered out, for your context, language, or geography, please let us know through Feedback Hub.”

We can expect it to be improved down the line, in short, and some failures are part and parcel of the testing experience.

It’s also true that Recall data is now properly secured and encrypted, and Microsoft has always maintained that it is kept locally on your PC and not sent anywhere. There are still potential weak spots, though.

Security concerns

Tom’s further notes that it’s possible to access the Recall timeline on a PC if you know the user’s PIN for the feature’s required Windows Hello login – and that you don’t necessarily need physical access to the Copilot+ laptop in question (remote access to the PC via TeamViewer can be leveraged).

All in all, it sounds like Microsoft still has some ground to cover security-wise. Sadly, we don’t have a huge amount of confidence that everything will be shipshape and fully watertight anytime soon, particularly given the shoddy state that Recall was originally revealed in (and nearly launched, before it was pulled after security experts around the globe expressed their serious misgivings).