Microsoft is relaunching Copilot’s “Recall” feature on its upcoming Copilot+ PCs with security enhancements after the company “listened to feedback” about the product’s initial privacy concerns.
Recall initially drew criticism when it was unveiled in May after Microsoft illustrated that the process takes a screenshot of what a user does every few seconds and stores it in a file on the device. Recall could scroll through this user’s activity, encompassing their files, photos, emails and browsing history. Users could visit this repository to retrace their steps, similar to how they can go back through their web browser history, to help them locate previously viewed or worked-on items.
Microsoft says it has taken on board feedback about the tool as a potential “privacy nightmare”, as described by Dr Kris Shrishak, an adviser on AI and privacy. Having removed or reworked several contentious features, including making Recall an opt-in capability rather than one enabled by default, Microsoft plans to relaunch Recall on Copilot+ PCs in November.
What Happened Back In May?
When Recall was presented in great detail during Spring’s Microsoft Rebuild, the tech giant pre-empted privacy concerns surrounding the solution, stating that screenshots captured by the tool remained on the user’s computer and were inaccessible to Microsoft. The company also said in the FAQ section that Recall would not filter or censor sensitive information, such as passwords and bank details.
Despite Microsoft’s anticipatory attempts to calm the storm, the tool inevitably prompted myriad concerns. Critics highlighted the potential risks posed by harvesting such significant quantities of sensitive data, including making users’ data a target for hackers or misuse by domestic abusers.
In response to the growing scrutiny, the UK’s Information Commissioner’s Office (ICO) confirmed that it was in discussions with Microsoft to understand better the privacy protections built into Recall.
The ICO emphasised the importance of transparency in data usage, stating on its website, “We expect organisations to be transparent with users about how their data is being used and only process personal data to the extent that it is necessary to achieve a specific purpose.”
The ICO added that companies should consider data protection from the outset, rigorously assessing and mitigating risks to users’ rights and freedoms before launching new products. It confirmed it was making inquiries with Microsoft to ensure adequate privacy safeguards were in place.
Although Recall was intended to be included with Copilot PCs when the first iterations arrived in June, it was never made generally available. Microsoft explained the delay as their intention to make the service more secure.
How Has Recall Changed To Be More Secure And Compliant?
Microsoft has introduced several significant security enhancements that assuaged many, if not quite all, of the privacy fears Recall initially triggered.
As well as being opt-in, Microsoft has stressed that all screenshots and the data they convey will be encrypted while outlining the introduction of several tools to support users in customising their privacy options. The encryption keys are safeguarded by the Trusted Platform Module (TPM) tied to a user’s Windows Hello Enhanced Sign-in Security identity. These keys can only be accessed for operations within a secure environment known as a Virtualisation-based Security Enclave (VBS Enclave).
Meanwhile, the company also highlighted that screenshots captured by Recall can only be accessed through biometric login, adding an extra layer of security. Sensitive information such as credit card details will not be captured by default, while Recall services that operate on snapshots and associated data are isolated.
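The key-protection design described above depends on two platform features being present: a ready TPM and Virtualisation-based Security running. The following added PowerShell check (not from the article or from Microsoft) reports whether a Windows 11 machine meets that baseline; it assumes an elevated session and uses the built-in Get-Tpm cmdlet and the Win32_DeviceGuard WMI class.

```powershell
# Added example, not part of the original article or of Microsoft's Recall code.
# Reports whether this machine has the platform features the article says Recall's
# encryption keys rely on: a ready TPM and Virtualization-based Security (VBS) running.
# Run from an elevated PowerShell session.

function Get-RecallPlatformReadiness {
    # TPM state from the built-in TrustedPlatformModule cmdlet
    $tpm = Get-Tpm

    # Device Guard state. VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but
    # not running, 2 = running. SecurityServicesRunning lists 1 (Credential Guard)
    # and/or 2 (HVCI) when those services are active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'

    [PSCustomObject]@{
        TpmPresent  = [bool]$tpm.TpmPresent
        TpmReady    = [bool]$tpm.TpmReady
        VbsRunning  = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciRunning = ($dg.SecurityServicesRunning -contains 2)
    }
}

$readiness = Get-RecallPlatformReadiness
$readiness | Format-List

if (-not ($readiness.TpmReady -and $readiness.VbsRunning)) {
    Write-Warning 'Baseline not met: TPM-protected keys used only inside a VBS enclave need a ready TPM and VBS running.'
}
```

Meeting this baseline only shows the prerequisites are in place; it does not indicate whether Recall itself is installed, opted into, or how it is configured.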
Pavan Davuluri, Microsoft’s Corporate Vice President of Windows and Devices, said in a statement:
“Recall is an opt-in experience. Snapshots and any associated information are always encrypted. Windows offers tools to help you control your privacy and customise what gets saved for you to find later.”
The ICO released a statement last week that it had been made aware of a “series of changes” to Recall. “We will be continuing to assess Recall as Microsoft moves toward launch”, the ICO expanded.
However, according to a technical blog by Microsoft’s David Weston, Vice President of Enterprise and OS Security at Microsoft, the tool’s “diagnostic data” might be shared with the company, contingent upon individual privacy settings.
Microsoft Has “Equivalent Of 34K Engineers” Working On Security Projects
Last week, Microsoft outlined that it has “the equivalent of 34,000 full-time engineers” working on its Secure Future Initiative (SFI) project to bolster its security infrastructure significantly.
The figure was revealed in Microsoft’s recent SFI report for September 2024, where the company described its efforts to enhance security systems as the “largest cybersecurity engineering project in history”. Microsoft highlighted the vast amount of expertise and person-power dedicated to this initiative.
The tech giant launched its first SFI in November 2023, following several major security breaches, including the high-profile Storm-0558 cyberattack in July 2023. In that attack, Chinese hackers breached US government emails through vulnerabilities in Microsoft Exchange Online. In April 2024, the US Cyber Safety Review Board (CSRB) criticised Microsoft for being unprepared to prevent the incident.
In response to the CSRB’s findings, Microsoft has reinforced its SFI by committing to implement the board’s recommendations. The company has also laid out a set of comprehensive security principles and objectives, reaffirming its dedication to bolstering cybersecurity.