Security Management

Microsoft Recall Stirs Cybersecurity, Privacy Concerns

Credit: Adobe Stock Images

Microsoft may have done itself no favors with a new AI-like feature baked into its forthcoming Copilot+ PCs that takes screenshots of users’ activity every few seconds but doesn’t redact passwords or financial account numbers.

Even confidential work emails could be viewed through Recall. If, for example, you log onto your banking website, your account numbers, balances, statements, activity and the like will slip into Recall’s onboard database.

Microsoft unwrapped Recall at its recent Build conference as part of its new lineup of Windows PCs with support for AI features, slated to debut in June.

The company said its Recall tool is meant to give users the ability to “find the content you have viewed on your device.” It’s exclusive to the Copilot+ PCs release. The tech giant is currently showcasing Recall in preview mode to collect customer feedback, develop additional controls for enterprise customers and improve the user experience.

Microsoft Recall: Is it a Bad Idea?

Is Recall a cybersecurity nightmare? Boiled down, is Recall an infostealer like Raccoon, Redline and Vidar enabled by default in Windows OS? Was there no one at Microsoft who looked at Recall and said, “This is a bad idea?”

While Recall can gather three months of a user’s previous activity, including files, photos, emails and browsing history, can the mere fact that screenshots are taken during a computer’s use alarm people? It could feel like driving through a stop light changing from yellow to red while watching the traffic camera flash. That can make anyone nervous.

Considering that Microsoft has already been hit with some well-deserved attestations of negligence in its cybersecurity practices, are its claims for Recall enough to satisfy customers that their data are suitably safe as encrypted on a local hard drive?

The company said it has “built privacy into Recall’s design at the outset as users can opt out of capturing some websites." For example, private browsing on Microsoft’s Edge browser will not be captured.

“The snapshots are encrypted and saved on your PC’s hard drive. You can use Recall to locate the content you have viewed on your PC using search or on a timeline bar that allows you to scroll through your snapshots,” Microsoft said on its Shop Copilot+ PCs web page.

But, as Microsoft admits, “Note that Recall does not perform content moderation. It will not hide information such as passwords or financial account numbers. That data may be in snapshots that are stored on your device, especially when sites do not follow standard internet protocols like cloaking password entry.”

Rise of the Infostealer

Microsoft said that a cyber burglar would need physical access to a user’s device, unlock it and sign in before they could lift the saved screenshots. But infostealers already burrowing into a system to pilfer important information stored on local hard drives now can hijack three months of information in one shot as recorded by Recall. Infostealers can easily be installed on a computer or device via phishing, infected websites, malicious software downloads and advertisements.

Without question, the infostealer problem is booming, with Windows a favored target. In a recent study, Secureworks found that on one day, the number of logs, or data sets of stolen credentials among popular infostealers on the Russian market for sale were 2.1 million for Raccoon, 1.8 million for Vidar and 1.4 million for Redline.

"Infostealers are a natural choice for cybercriminals who are looking to rapidly gain access to businesses and then monetize that access," Don Smith, Secureworks' counter threat unit’s vice president, said in the report. "They are readily available for purchase, and within as little as 60 seconds generate an immediate result in the form of stolen credentials and other sensitive information."

Smith added, “However, what has really changed the game, as far as infostealers are concerned, is improvements in the various ways that criminals use to trick users into installing them, such as fake messaging apps and cloned websites. That, coupled with the development of dedicated marketplaces for the sale and purchase of this stolen data, makes it even harder for victims to detect and remove infostealers.”

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.