In response to significant security concerns raised by cybersecurity experts and the public, summarized in our article here, Microsoft has announced that the controversial Recall feature in its new Copilot+ PCs will be opt-in.
This update comes ahead of the June 18 launch and addresses vulnerabilities highlighted in recent research.
Double-edged sword
The Recall feature, exclusive to Copilot+ PCs, aims to boost productivity by creating an explorable visual timeline of everything displayed on the user’s screen. These snapshots are stored locally and analyzed using on-device AI. However, cybersecurity researchers previously demonstrated how this feature could be exploited to steal unencrypted data, raising alarm bells within the tech community.
Kevin Beaumont’s investigation revealed critical vulnerabilities in the Recall feature, summarized as follows:
- Local Storage Risks: Although Microsoft claims the data is encrypted, it is decrypted when a user is logged in, making it accessible to malicious software.
- Ease of Data Theft: InfoStealer trojans can be easily adapted to extract data from the Recall database.
- Inadequate User Control: Users do not need administrative privileges to access the database, exacerbating security risks.
- Sensitive Data Exposure: Recall captures all screen content, including passwords and financial information, posing significant privacy threats.
Beaumont’s demonstration showed that a simple script could extract months’ worth of data in seconds, highlighting the potential for large-scale data breaches.
Microsoft’s response
In light of these findings, Microsoft has taken several steps to improve the security and privacy of the Recall feature:
- Opt-In Requirement: Users must now proactively choose to enable Recall. By default, it will be off, addressing one of the primary concerns regarding involuntary data capture.
- Windows Hello Enrollment: Enabling Recall requires Windows Hello enrollment, and proof of presence is necessary to view the timeline and search in Recall, adding an extra layer of security.
- Enhanced Data Protection: Microsoft has implemented “just in time” decryption protected by Windows Hello Enhanced Sign-in Security (ESS). Snapshots are only decrypted when the user authenticates, ensuring data is inaccessible without proper credentials.
All Copilot+ PCs will be Secured-core PCs, which include advanced firmware safeguards and dynamic root-of-trust measurement. Additionally, the Microsoft Pluton security processor will be enabled by default, providing chip-to-cloud security to protect credentials, identities, personal data, and encryption keys.
To maintain user trust, Microsoft has designed Recall with fine-grained controls allowing the pausing, filtering, and deletion of snapshots at any time. The system keeps those snapshots at local storage with no cloud involvement, and they are not shared with Microsoft or any other entity.
While Microsoft has made significant strides in addressing security concerns, users and organizations should remain vigilant and ensure they’re using a safe configuration per their security needs.
BITR
There are two points in the article I would like some more elaboration on, please Alex.
“The Recall feature, exclusive to Copilot+ PCs, aims to boost productivity by creating an explorable visual timeline of everything displayed on the user’s screen.”
Man, this is too close to an article back in 2017 you did on this type of behavior with visiting some VPN websites. Back then…”Essentially, these tracking scripts are acting like a surveillance camera – literally recording every move you make as you browse the website.” “However, when a team of researchers from Princeton examined these session recording scripts, they uncovered a whole new level of tracking and corporate surveillance.”
“all your keystrokes; mouse movements; scrolling behavior; any content you type into forms (credit cards, passwords, addresses, etc.), even if the form is not submitted; and the content of the page itself, with this information being automatically transmitted to third-party servers.”
(VPN Websites Caught Recording Visitors) [https://web.archive.org/web/20180320122016/https://cyberinsider.com/vpn-websites-recording-scripts/]
It is or seems to coincidental that this behavior is baked-in for a MS operating system 7 years later, is it not?
And
“These snapshots are stored locally and analyzed using on-device AI.”
Say what… on device-AI – – AS BAKED-IN TO AN MS OPERATING SYSTEM – – Now? Is this a first for AI being baked-in to any OEM operating system?
Be great to hear any insight of tbese two points – Alex = )
BITR
Bump –
Copilot+ PCs are the fastest, most intelligent Windows PCs ever built. With powerful new silicon capable of an incredible 40+ TOPS (trillion operations per second), all–day battery life and access to the most advanced AI models, Copilot+ PCs will enable you to do things you can’t on any other PC.
These experiences come to life on a set of thin, light and beautiful devices from Microsoft Surface and our OEM partners Acer, ASUS, Dell, HP, Lenovo and Samsung, with pre-orders beginning today and availability starting on June 18. Starting at $999, Copilot+ PCs offer incredible value.
This first wave of Copilot+ PCs is just the beginning. Over the past year, we have seen an incredible pace of innovation of AI in the cloud with Copilot allowing us to do things that we never dreamed possible. Now, we begin a new chapter with AI innovation on the device. We have completely reimagined the entirety of the PC – from silicon to the operating system, the application layer to the cloud – with AI at the center, marking the most significant change to the Windows platform in decades.
[https://blogs.microsoft.com/blog/2024/05/20/introducing-copilot-pcs/]
So yes it appears true, as the factual answer to my question of, “Is this a first for AI being baked-in to any OEM operating system?”
New thoughts come to mind, with a baked-in AI device. “We have completely reimagined the entirety of the PC – from silicon to the operating system, the application layer to the cloud – with AI at the center”
1 Would on device AI at the center allow for other user installed apps to interact with it? (Ex: enhance/augment performance, either for an ‘ad-blocker’ or a ‘password manager’ to ‘vpn chaining’)
Specifically aiding installed apps not any extensions…
2 Say if AI could build and store pieces of the web on your device pertinent to the users choice of interests – and help to induce or persuade to participate or simply engage more people in a decentralized web system and for sustaining its development.
Is that a good thing? Heck yes, and it’s coming. Like smartphones have been described as being an important part of the decentralizing effects of smaller and cheaper computers worldwide.
Would a devices storage space matter ?
I think not, Decentralized computing is the allocation of resources, both hardware and software, to each individual workstation, or office location. In contrast, centralized computing exists when the majority of functions are carried out, or obtained from a remote centralized location. Decentralized computing is a trend in modern-day business environments. This is the opposite of centralized computing, which was prevalent during the early days of computers. A decentralized computer system has many benefits over a conventional centralized network. Desktop computers have advanced so rapidly, that their potential performance far exceeds the requirements of most business applications. This results in most desktop computers remaining idle (in relation to their full potential). A decentralized system can use the potential of these systems to maximize efficiency.
What is the gain? A little more privacy to not being profiled to your interests in life.
Note, Decentralization may not be as efficient for standardized, routine, network-based services, as opposed to those that need more complicated inputs. If there is a loss of economies of scale in procurement of labor or resources, the expense of decentralization can rise, even as central governments lose control over financial resources.