Subscribe

i don't recall —

Windows Recall demands an extraordinary level of trust that Microsoft hasn’t earned

Op-ed: The risks to Recall are way too high for security to be secondary.

-

Accessing another user's Recall data from another admin account on the same PC. This UAC prompt is the only thing keeping me out, and it's easily dismissed. Once I access the folder, I can see every single screenshot plus the SQLite database with all the OCR data in it.
Enlarge / Accessing another user's Recall data from another admin account on the same PC. This UAC prompt is the only thing keeping me out, and it's easily dismissed. Once I access the folder, I can see every single screenshot plus the SQLite database with all the OCR data in it.
Andrew Cunningham

Beaumont says admin access to the system isn’t required to read another user’s Recall database. Another user with an admin account can easily grab any other user’s Recall database and all the Recall screenshots by clicking through a simple UAC prompt. The SQLite database is stored in plain text, and data in transit isn’t encrypted, either, making it trivially easy to access both the stored database of past activity and to monitor new entries as Recall makes them. Screenshots are stored without a file extension, but they're regular old image files that can easily be opened and viewed in any web browser or image editor.

The other big problem is that because Recall is on by default and you have to manually exclude specific apps or websites from being scraped by it, the SQLite database will keep records of activities that are explicitly meant to be hidden or temporary. That includes viewing pages in Incognito mode in some browsers, emails or messages that you delete from your device, and files that you edit or delete.

Beaumont says he is holding off on publishing some details to “give [Microsoft] time to do something” about the feature as it is currently implemented. But he has pointed to efforts like this “TotalRecall” script as an example of how quickly and easily Recall data can be stolen and searched.

  • Recall does give users some control over what it does; apps and websites can be excluded, recent data can be deleted without clearing the entire database; and the feature can be switched off entirely. But the default settings will capture a huge amount of user data.
    Andrew Cunningham
  • The UI for excluding apps from Recall's scraping.
    Andrew Cunningham
  • Filtering sites is done by entering URLs.
    Andrew Cunningham

There are mitigating factors here. Recall will begin by shipping on just a handful of new Windows 11 systems. It can be turned off entirely if you don’t want to use it, and the controls to disable Recall snapshots for certain apps or sites theoretically give users enough control that they can use Recall as intended without storing overly sensitive information in the database.

But given the sheer amount of data that Recall scrapes, the minimal safeguards Microsoft has put in place to protect that database once a malicious user has access to your PC, and the fact that many PC users never touch the default settings, the risks to user data seem far higher than the potential benefits of this feature.

Microsoft has struggled with security and privacy in its products. Not even a month ago, CEO Satya Nadella pledged to make security the most important thing at the company, following multiple high-profile data breaches and poorly handled information disclosures. Executive pay is being tied in part to security; rank and file employees are being told to “do security,” even when “faced with the tradeoff between security and another priority,” Nadella said. To launch Recall with such obviously exploitable security holes flies in the face of that directive.

Andrew Cunningham Andrew is a Senior Technology Reporter at Ars Technica, with a focus on consumer tech including computer hardware and in-depth reviews of operating systems like Windows and macOS. Andrew lives in Philadelphia and co-hosts a weekly book podcast called Overdue.

Promoted Comments

When this deploys, MS has effectively destroyed computer security altogether.

Sure, you can disable it on your machine. But since it's taking screen-grabs, you have to ensure that everyone else with whom you communicate has it disabled as well.

End-to-end encryption will be meaningless because it's taking screen-grabs at the end-points. That means Signal's security is borked, for example. For both ends, because the entire conversation appears in the app window on both ends. Doesn't matter if you exclude Signal from recording on your end.

You can't have any security unless you confirm that both ends have Recall disabled. Assuming it's really disabled when you turn it off, of course. And that the next OS update didn't turn it back on without telling you.

Channel Ars Technica

Related Stories

    Today on Ars