Recall feature in Microsoft Copilot+ PCs raises privacy and security concerns

UK data watchdog is investigating Microsoft regarding the new Recall feature in Copilot+ PCs that captures screenshots of the user’s laptop every few seconds.

The UK data watchdog, the Information Commissioner’s Office (ICO), is investigating a new feature, called Recall, implemented by Microsoft” Copilot+ PCs that captures screenshots of the user’s laptop every few seconds.

“You can use Recall on Copilot+ PCs to find the content you have viewed on your device. Recall is currently in preview status; during this phase, we will collect customer feedback, develop more controls for enterprise customers to manage and govern Recall data, and improve the overall experience for users.” reads the announcement.

Microsoft explained that the Recall feature will store encrypted snapshots locally on the user’s computer, the feature will be only implemented in forthcoming Copilot+ PCs. Microsoft doesn’t have access to the snapshot.

Privacy advocates fear the potential abuses of the feature and have called it a potential “privacy nightmare”.

The IT giant attempted to downplay the risks for the users, it pointed out that the feature was developed with privacy and security by design and it is an “optional experience.”

Microsoft added that Recall does not take snapshots of certain kinds of content, such as InPrivate web browsing sessions in Microsoft Edge.

Users can manage which snapshots Recall collects, excluding specific apps or websites. They can also pause snapshot collection, clear some or all stored snapshots, or delete all snapshots from their device.

The only way to access Recall data is to gain physical access to the user’s device, unlock it and sign in.

“We are making enquiries with Microsoft to understand the safeguards in place to protect user privacy,” an ICO spokesperson told BBC.

The snapshots could grab users’ passwords with a severe impact on their privacy and security

“[This includes] law enforcement court orders, or even from Microsoft if they change their mind about keeping all this content local and not using it for targeted advertising or training their AIs down the line,” said Jen Caltrider, who leads a privacy team at Mozilla.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, Copilot)