
Even Microsoft Bows to Pressure – Sometimes

I have written about Microsoft’s “Recall” feature before. I guess, in a perfect world it might be a nice feature, but we don’t live in a perfect world.

For those of you who are not familiar with this new feature, Recall takes screenshots of your computer every five seconds and keeps the data for three months. It is not smart enough to redact any information like passwords or banking information.

Microsoft says you can search for “remember that thing I was looking at last week that had xxx on the screen” or whatever, and it will tell you about it. Could come in handy, I suppose.

Microsoft also says that if you are a technical wizard you can control some of what it collects.

It was planned to be ON by default – more on that in a minute.

I can think of a number of uses for it:

  • Law enforcement looking for evidence of a crime or after they seize computers for some reason, to see what you were up to.
  • Divorce attorneys looking for evidence of wrongdoing on the other party’s part
  • Hackers who break into your system will now have access to everything you have been doing
  • One more item I hadn’t thought of: your employer on company-owned computers. This is one that could be out of your control

After the feature was announced, researchers started looking at Microsoft’s implementation and discovered that the data was not encrypted and that they could look at it via multiple simple methods.

Privacy advocates have been screaming about this since Microsoft announced the feature. Microsoft realized this was a PR nightmare and changed course a few days ago. Here are some of the changes.

  • Instead of it being ON by default, it will be OFF by default
  • Now you will have to enable Windows Hello security in order to enable the Recall feature
  • Proof of presence will be required to view and search the screenshots (to stop malware from reading or stealing the data)
  • The data will be encrypted and only decrypted after the user authenticates
  • The search index will be encrypted

While these are good changes, they really don’t prevent the first two use cases above and they certainly don’t stop the last use case. In fact, the only use case they really slow down is the third one. That is important, but not sufficient.

The last case – your employer – is the one that is going to be the hardest to deal with. The good news is that in SOME states your employer must notify you if they are doing that. But not in all states. In those states that do require notification, at least some of them only require a vague warning that the system is being monitored.

While AI can be useful, it also has downsides. This is a case in which AI is not the main actor. The screen capture is merely a regular program or OS feature. AI is used to analyze and index the data.

Another use case I just thought of – a spouse who suspects their partner is doing something they don’t approve of. On a shared machine, there is nothing to stop it. No notification required. And, likely, no law would be broken.

We live in an interesting world. If you have questions, please contact us.

Credit: Security Week
