Recalling Everything You Do
Microsoft pilots a program that captures ALL of your activity on your computer
Find the content you have viewed on your device
Microsoft has launched a beta version of its new Recall program. Recall’s primary purpose, according to Microsoft, is to find the content you have viewed on your device. At a glance, it sounds useful enough. After all, how many of us have accidentally clicked that X in the corner of a document or browser at just the wrong time? Then, in a subsequent panic, we searched far and wide to recover what we lost, sometimes to no avail.
Recall grabs a screenshot of what you’ve been up to on your computer every few seconds. It stores these screenshots on your local drive in encrypted format (more on this in a moment). Then, Microsoft utilizes (what it calls) Artificial Intelligence to allow the user to search these screenshots via plain language commands.
Here are the details:
Hardware and Software Requirements
For users concerned about Microsoft forcing Recall upon them, as the company seems wont to do, many current PCs and laptops probably lack the hardware necessary to run this program, for now at least. According to ArsTechnica, Recall requires an integrated neural processing unit, or NPU, to run. As of May 2024, only one chip exists that meets the minimum performance standards and is compatible with the Windows OS environment, and only a fraction of the PCs made in the last few months have it.
In addition, a user must have “a minimum of 256GB of hard drive space and 50GB of available space. The default allocation for Recall on a 256GB device is 25GB.” This allows the storage of snapshots for as many as three months. It is unclear whether the program will run without the minimum storage space.
What about Privacy?
The answer here is complicated. For starters, one must decide whether a screenshot of everything that pops up on their screen is something they want stored for retrieval later. As a person who writes articles on a variety of topics, some controversial or otherwise sensitive, you can only imagine what imagery occasionally appears on my desktop. If you indulge in pornography or work in journalism or some form of activism, you probably also prefer a pretty high degree of privacy.
But it is even more complicated than that. Recall captures almost anything, including passwords, bank account numbers, health information, and any other content that might make its way onto your computer. This also includes desktop messaging apps like WhatsApp or Signal and teleconferencing apps like Google Meet or Zoom.
Privacy implications, thus, extend to others beyond the owner of the computer. According to Windows Central, users have control over what apps and services are capturable by Recall. While this means users can limit the gathering of data from meetings and other services involving other parties, those parties remain entirely reliant on the user to do so.
Microsoft does claim to automatically exclude certain apps that already have restrictions on screen recording and imaging. Examples include Netflix and other streaming apps. For other content, though, it appears that the responsibility will fall upon the user to ensure sensitive data is excluded. Furthermore, it is not clear how user-friendly or intuitive manipulating settings will be for those less capable in operating computers.
Is it Secure?
The answer to this depends upon whom you ask. Microsoft states that Recall data is encrypted via Device Encryption and BitLocker, and stored locally on the drive. Data from the Recall feature does not touch the cloud, including search queries made by the user. As such, a user can search Recall without an internet connection, and the program does not require an internet connection to collect data. Moreover, it does not integrate with other apps and services, meaning data captured by Recall is not accessible by other programs.
Despite all of this, there are some obvious concerns. First, any time such a treasure trove of data is stored in a single place, here presumably a database, the risk factor rises. When sensitive data is stored in abundance, its location becomes a juicy target for bad actors.
As already noted, even for average users this database would be of considerable concern because it may contain usernames and passwords, bank information, or other valuable data. The data is not just encrypted, but also tethered to the specific user profile. Other users cannot search for or access data acquired by Recall under any other user profile. Yet, as David Ruiz, senior privacy advocate at Malwarebytes, noted:
With Recall, a CEO’s personal laptop becomes an even more enticing target for hackers, a journalist’s protected sources are within easier grasp of an oppressive government, and your entire identity could be abused and impersonated by a separate device user. Recall’s most sensitive snippets of information can still be retrieved by someone else using the same device. That could be a curious family member, a device thief, or an abusive spouse.
Microsoft claims that a thief would still need physical access to a user’s machine and also have login credentials. On the latter, this is not all that significant of a problem. Infostealers are quite popular on the web, acquiring credentials from any number of different types of accounts—including OS login info—and selling them to anyone with money. One study examined the number of infostealer accounts for sale on the Russian black market:
two million on a single day in June 2022
over five million on a single day in late February 2023
In a period of nearly 2 years (measured on a single day in June 2021 and single day in May 2023) the overall growth rate for the number of logs for sale on Russian Market was 670%.
Criminals acquire this data through fake messaging apps, cloned websites, phishing, malware, and other methods. Moreover, with physical access to a computer an adept attacker can acquire the login information of the various user profiles saved on a machine while logged on under his own profile. I have done this myself and have taught forensics students how to find it in some of my own classes.
Encryption is great for preventing remote attacks, though it is not 100% effective either. The problem with encryption is that obtaining credentials and logging in as the actual user typically decrypts the drive or volume associated with that user profile. Synced devices, which most people have now, make bypassing encryption possible remotely. Also, with physical access to the machine, it is sometimes possible to find the encryption key (or a large enough remnant of it) to decrypt the data even without credentials.
My Ruling
Recall itself is not some novel cybersecurity nightmare. Our devices store so much data now that nothing new will erode security all that significantly—it already remains at significant risk. Recall does, however, make cyber attacks somewhat easier.
Under the current paradigm, certain sensitive data—passwords, in particular—are stored in various places using many different types of defense mechanisms. Part of the rationale behind this strategy is that hackers, like most criminals, target the low-hanging fruit. Why spend a lot of time on infiltration and decryption strategies for users employing some amount of defense, when many more will have no defense and thus require little effort or time?
As we regularly see with data breaches, there seems a tendency to compile more and more data into single locations making them ripe for attack. Recall, with its relatively indiscriminate capturing of data, and its storage into a singular location, simply adds to this ill-considered trend. While cyber attackers generally do not wish to bother with fortified defenses, the calculus changes when the loot is worth the exercise.
For this reason, few individuals are directly “hacked” (in the technical sense), but big businesses are targeted quite frequently. Most ‘regular’ people who become compromised were simply one of many victims of an attack that targeted some other entity that possessed a lot of information, like a bank or retail outlet. Information is rarely stolen from them individually.
By this reasoning, Recall is not a significant cyber threat to most individuals because few attackers will bother with the struggle required to access Recall information and decrypt it. For those who comprise juicier targets, such as CEOs or defense contractors, having Recall is unquestionably a terrible idea.
Returning to the common person, Recall does pose a threat in certain circumstances. If a potential attacker is someone who can easily access the machine itself, Recall may be a bad idea. This could include work computers in a small business, or perhaps that of a partner in a troubled relationship. Outside of that, for most people Recall is simply an unnecessary drain on resources (storage, primarily) for a function few will ever need, but is not excessively dangerous.
I will adjust my view on this should Microsoft change its mind and start sending and storing Recall snapshots to its cloud. Despite their usual resistance to disclosure, huge tech companies suffer breaches all the time, Microsoft included. Therefore, storing users’ Recall data on Microsoft cloud servers would be a hard no for me.
Sadly, I foresee that the company inevitably will eventually start putting Recall data on its cloud. The reason is that the data captured by this program will carry extraordinary value. We all know that tech companies continue to violate our privacy in the name of profit, particularly because virtually no government has shown any serious effort to stop it.
Since tech companies apparently cannot help themselves, some executive will almost certainly demand the monetization of this data. Once that happens, Windows PCs themselves will go the way of Google search and other products, especially once Recall is forcibly added to all Windows operating systems. By virtue of the effort to over-monetize them, they will turn into just another piece of unusable garbage. Frankly, Windows has been on that track for some time already.
***
I am a Certified Forensic Computer Examiner, Certified Crime Analyst, Certified Fraud Examiner, and Certified Financial Crimes Investigator with a Juris Doctor and a Master’s degree in history. I spent 10 years working in the New York State Division of Criminal Justice as Senior Analyst and Investigator. I was a firefighter before I joined law enforcement. Today I work both in the United States and Nepal, and I currently run a non-profit that uses mobile applications and other technologies to create Early Alert Systems for natural disasters for people living in remote or poor areas. In addition, I teach Tibetan history and culture, and courses on the environmental issues of the Himalayas both in Nepal and on the Tibetan plateau. For detailed analyses on law and politics involving the United States, head over to my Medium page.
Very excellent article with serious implications for the whole world.
We are screwed in every direction and every place. Can we opt out? Is my computer going to be forced into this crap?