Microsoft on Friday said it will disable its much-criticized artificial intelligence (AI)-powered calling feature by default and make it an opt-in option.
Remember that it’s currently in preview and coming exclusively to PCs on June 18, 2024. Copilot+ functions as an “explorable visual timeline” by capturing screenshots of what’s appearing on users’ screens. every five seconds, which are then parsed and analyzed to surface relevant information.
But the feature, intended to serve as a kind of AI-enabled photographic memory, was met with an immediate backlash from the security and privacy community, which chided the company for not thinking enough about and implementing adequate safeguards that could prevent malicious actors from easily discovering a window into the victim’s digital life.
Recorded information may include screenshots of documents, emails or messages containing sensitive details that may have been deleted or shared temporarily using disappearing or self-destructing formats popular on instant messaging platforms.
WIRED’s Andy Greenberg called Recall “unwanted, pre-installed spyware built into new Windows PCs.” Windows Central reported that Microsoft was “too secretive” about Windows Recall during development and chose not to test it publicly.
In an effort to counter the growing barrage of criticism, Microsoft said users have full control over the entire Recall experience and that it launched the feature in preview to help gather customer feedback.
Among the significant changes introduced to the feature include security updates and a new setup process to enable it, giving users the choice to completely opt out of periodically saving screenshots via Recall.
The security changes also require users to sign up for a Windows Hello biometric scan to enable Recall, with proof of presence required to view the timeline and perform searches.
In addition to encrypting the search index database (which was previously stored in an unencrypted SQLite database), the tech giant noted that Recall snapshots will only be decrypted and accessible upon user authentication.
“Copilot+ PCs will launch with just-in-time decryption protected by Windows Hello Enhanced Sign-in Security (ESS), so Recall snapshots will only be decrypted and accessible when the user authenticates,” Pavan Davuluri, corporate vice president, Microsoft for Windows + Devices said.
“This gives an extra layer of protection to Recall data in addition to other default-enabled Window Security features like SmartScreen and Defender, which use advanced AI techniques to prevent malware from accessing data like Recall.”
Redmond also reiterated that Recall snapshots are stored and processed locally on the device and that they are not shared with other companies or apps. He also said that users can pause, filter and delete what is saved at any given time.
For users of managed desktop devices in enterprise environments, IT administrators have the control to disable Recall, although they cannot enable it themselves. Microsoft emphasized that the choice is left solely to users.
“You’ll see Recall pinned to your taskbar when you get to your desktop,” Davuluri said. “You’ll have a snapshot recall icon in the system tray that notifies you when Windows is saving snapshots.”
“It turns out that speaking works,” said security researcher Kevin Beaumont, who was a vocal critic of the initial implementation of Recall. “Obviously there will be devils in the details – potentially big ones – but there are some good elements here. Microsoft needs to commit to not trying to trick users into enabling it in the future.”
“I think generally having choice around the choice of home systems will save a lot of people security issues down the road.” This should never have been enabled by default.”
Microsoft’s reversal comes amid a series of security failures the company has faced in recent years at the hands of Russian and Chinese state actors, prompting the company to prioritize security above all else as part of its drive to secure future (SFI ).
“If you’re faced with a trade-off between security and another priority, your answer is clear: Do security,” Microsoft CEO Satya Nadella said in a memo to employees last month. “In some cases, this will mean prioritizing security over other things we do, such as releasing new features or providing ongoing support for legacy systems.”
