Microsoft addresses Windows Recall backlash, promises to fix security issues and make it opt-in
Microsoft is fixing Windows Recall's biggest concerns.
What you need to know
- Microsoft announced it’s shipping next-gen AI features, including Windows Recall, Live Captions, and more, to Windows 11 via its 24H2 release.
- Windows Recall has been received with a cocktail of emotions, with most users airing privacy and security concerns.
- Following these developments, Microsoft has implemented new measures to prevent security loopholes, including adding Windows Hello as an extra security layer when enabling Windows Recall.
Today, Microsoft announced it is addressing a recent backlash around Windows Recall, its controversial forthcoming AI-powered search service that works by taking a snapshot of your PC every 5 seconds.
Recently, it was discovered that the feature stores data unencrypted on the device. The company says it will ensure Windows Recall data is safe by employing "just-in-time" protection, which ensures the data is only decrypted when the user authenticates into the app with Windows Hello.
Read more: What is Windows Recall? Everything you need to know about Windows 11's new AI feature
Additionally, Microsoft says it will make Windows Recall an opt-in experience, meaning it won't be enabled by default on Copilot+ PCs. Users will be prompted to enable or disable it during Windows Setup, and if they choose not to enable It, the feature will not function.
Microsoft also says it's making further security improvements to Windows Recall. It will now require Windows Hello (via facial recognition and/or fingerprint) to be set up on the system and require the user to be present in front of the screen to access Recall data. If the user is not at their computer, Recall data will not be accessible.
Here are the changes Microsoft is making to Windows Recall:
- First, we are updating the set-up experience of Copilot+ PCs to give people a clearer choice to opt-in to saving snapshots using Recall. If you don’t proactively choose to turn it on, it will be off by default.
- Second, Windows Hello enrollment is required to enable Recall. In addition, proof of presence is also required to view your timeline and search in Recall.
- Third, we are adding additional layers of data protection including “just in time” decryption protected by Windows Hello Enhanced Sign-in Security (ESS) so Recall snapshots will only be decrypted and accessible when the user authenticates. In addition, we encrypted the search index database.
The Windows Experience Blog has more information about Microsoft's changes and explanations for them. Windows Central recently posted a how-to guide on disabling Windows Recall.
Get the Windows Central Newsletter
All the latest news, reviews, and guides for Windows and Xbox diehards.
-
ShinyProton Pretty solid modifications.Reply
Yet, the press and bloggers crowd will find a way to vomit on the feature again - as they decided it's bad prior to its release.
Meanwhile, the mitigation measures announced should have been there day one. -
GraniteStateColin ShinyProton said:Pretty solid modifications.
Yet, the press and bloggers crowd will find a way to vomit on the feature again - as they decided it's bad prior to its release.
Meanwhile, the mitigation measures announced should have been there day one.
Yeah, pretty much agree with you on this. The criticisms about MS taking and using the data are not addressed at all by this, but of course that was never a valid concern anyway, so what can MS do to address an issue that doesn't exist?
If you're spouse accuses you of cheating, and you're not, there's not a lot you can do to fix things. Other than, as Zac already pointed out for how MS sort of set themselves up for this, always do things that engender trust and be transparent.
Perhaps their taking these steps helps demonstrate that the concern is not MS getting the data, but just security of the data on-device. I'm curious to see the reactions in the coming hours and days.
Especially for those who have already established their argument as, "MS can steal your data, even if not now, then in the future." Once someone stakes a position, they usually don't just abandon it without compelling proof to the contrary, because they want to save face. Key with them is to get to them BEFORE they announce their position. -
Arun Topez
If the press and bloggers and users didn't "vomit" on the feature, then they wouldn't have made these changes. As AI and privacy and security become increasingly important with how intrusive technology is getting, it's extremely important to hold all tech companies building these tools accountable to ensure they're not taking advantage of users (especially the majority of users who are non-techy and unaware of what the feature is doing in the background), and potentially putting them in danger.ShinyProton said:Pretty solid modifications.
Yet, the press and bloggers crowd will find a way to vomit on the feature again - as they decided it's bad prior to its release.
Meanwhile, the mitigation measures announced should have been there day one.
So if it's still deserved after these changes, then yes they should continue to "vomit" and call out privacy issues. -
naddy69 This is all so typical of Microsoft. Security/privacy is an afterthought. Why did it take people in the press screaming about this for MS to decide to encrypt this data? And Recall was going to be enabled by default?Reply
What were they thinking?
Easy prediction: "Copilot" PCs are not going to sell very well. Sellers will actively steer people away from them. The name "Copilot" will become - indeed is already becoming - synonymous with spyware.
I would also expect to see ads from HP/Lenovo/Dell/whoever stating they will continue to build/sell non-"Copilot" PCs. I guarantee you that there are some meetings scheduled for Monday morning about whether to back away from the "Copilot" branding.
The more I learn about this nightmare technology, the more I am convinced that running Windows 11 in a VM on a Mac is a good idea. None of this stuff is ever going to bother me. -
johnnypop
Microsoft shouldn't even include it without the user's express permission to download it, and users should be able to remove it outright from their system (not just turn it off, or disable it, or ignore it, or hide it).ShinyProton said:Pretty solid modifications.
Yet, the press and bloggers crowd will find a way to vomit on the feature again - as they decided it's bad prior to its release.
Meanwhile, the mitigation measures announced should have been there day one.
To that end, "the press and bloggers crowd" should escalate their pressure against Microsoft. -
Jack Pipsam
Without pressure from the press and users, these mitigations would have never been put in and Microsoft would have launched a frankly dangerous product on unaware users.ShinyProton said:Pretty solid modifications.
Yet, the press and bloggers crowd will find a way to vomit on the feature again - as they decided it's bad prior to its release.
Meanwhile, the mitigation measures announced should have been there day one.
The pressure needs to remain up to ensure the best outcomes. Apathy is a crime.