Microsoft Recall Triggers Enquiry From UK Data Regulator

Microsoft’s introduction a new feature bundled with Copilot+, has triggered a response from the British data protection watchdog.

The Information Commissioner’s Office (ICO) has announced it is contacting Microsoft for more information on the safety of the ‘Recall’ product, which privacy campaigners have described as a potential “spyware” or a “privacy nightmare”.

Microsoft this week highlighted its forthcoming Copilot+ PCs, which includes a feature called ‘Recall’, which will take a snapshot every two seconds of a user’s computer, and store encrypted snapshots locally. Microsoft has said the feature is optional and users “can limit which snapshots Recall collects.”

ICO response

Microsoft’s Recall will record everything a user does by taking screenshots every few seconds. It then allows the user to scroll back through their activity and search.

According to Microsoft, Recall is designed to “help you easily find and remember things you’ve seen using natural language”, using AI and “photographic memory.”

An example would be if a user was shopping online and spotted something they want to purchase later, such as a brown pair of leather shoes. Days later the user could use Recall to search for “brown leather shoes”.

But the fact that the Microsoft feature is repeatedly taking screenshots of a user’s computer has triggered privacy concerns, and prompted the ICO to make the following announcement.

“We expect organisations to be transparent with users about how their data is being used and only process personal data to the extent that it is necessary to achieve a specific purpose,” said the ICO. “Industry must consider data protection from the outset and rigorously assess and mitigate risks to peoples’ rights and freedoms before bringing products to market.”

“We are making enquiries with Microsoft to understand the safeguards in place to protect user privacy,” it added.

Cyber concerns

But some security experts have noted that Recall could present a potential goldmine of information for cybercriminals.

“With this feature, suddenly endpoints will become a more lucrative target,” warned Muhammad Yahya Patel, lead security engineer at cybersecurity company Check Point.

“With those screenshots, the world is in the cybercriminals hands, and they could launch credentials attacks, impersonation, identity theft, sensitive data breach and privilege access. It could be very damaging if not managed appropriately.”

“There is also a wider issue here around the trade of privacy for services and the concept of informed consent,” Patel said. “Too often we place little value on our data and give too much away believing that it will be used fairly and ethically.

“We as consumers must be more cautious about what we share, but the onus is on providers to clearly state the implications of their software and how they will protect it.”

Spyware feature?

Meanwhile Kevin Robertson, COO and co-founder of cybersecurity specialist Acumen added to the warning about Recall, but doubted that Microsoft will remove it.

“This is basically spyware,” said Acumen’s Robertson. “It’s good to see the ICO carrying out this investigation, but it’s unlikely to make any real difference.”

“Microsoft is too big and too powerful to be brought down,” said Robertson. “They’ll just say its optional and it’ll get implemented anyway. Most users will turn it on without realising the impact or it will be on by default.”

“How on earth can Microsoft even think about calling itself a security company with features like Recall? This is going to get abused on so many levels,” Robertson warned. “Imagine your PC taking screenshots of you putting in passwords, bank details etc, all just stored on your PC. If your PC is compromised, or if that info is shared into Copilot etc., it’s just liable to abuse.”

“This will be the next Microsoft ‘feature’ to hit the news when it’s exploited in a major way,” Robertson predicted.