A UK privacy watchdog is investigating a new Microsoft Copilot+ feature called Recall after experts raised concerns over its privacy implications.

The Information Commissioner's Office (ICO) revealed today it was "making enquiries with Microsoft" for more information on the safety of the feature, which privacy advocates have called a potential nightmare for privacy and security.

Announced during Microsoft's Build Developer Conference, Recall will record everything a user does by taking screenshots every few seconds and allowing the user to scroll back through their activity and search to find previous pages and products they've looked at.

In a blog post, Microsoft says Recall, which will be able to store encrypted snapshots locally on people's computers, is exclusive to its forthcoming Copilot+ PCs and is an "optional experience."

It added that it "built privacy into Recall’s design" from the beginning, and users will have complete control over what is captured so their privacy is never put at risk.

But an ICO spokesperson said firms must "rigorously assess and mitigate risks to people's rights and freedoms" before bringing any new products to market.

“We expect organisations to be transparent with users about how their data is being used and only process personal data to the extent that it is necessary to achieve a specific purpose.”

"We are making enquiries with Microsoft to understand the safeguards in place to protect user privacy," the spokesperson added.

What is Microsoft Recall? 

Recall is a new feature for Microsoft's Copilot+ line of PCs that captures screenshots of your activity on the PC every few seconds. It uses these screenshots along with your other digital footprints to create a searchable history of your PC use. 

This includes things you've browsed, files you've opened, and even emails (if you use Microsoft Outlook). Microsoft said this will "help you easily find and remember things you've seen using natural language", using AI to give users a "photographic memory" of anything they’ve browsed. 

For example, if a user was shopping online and spotted a nice white t-shirt, days later they could search "white t-shirt" in Recall.

Recall features shared by Microsoft. Source: Microsoft

Recall would then pull up screenshots of the times they were looking at the white t-shirt, and link them to the websites they were on.

It would also search through pictures, documents, presentations and files and pull up anything relevant on their laptop, and may even suggest actions the user would want to take with their search.

But Recall’s comprehensive data collection has raised privacy concerns as it includes potentially sensitive information like passwords.

A privacy nightmare

Microsoft said that Recall files will all be stored locally on users' laptops and "not accessed by Microsoft or anyone who does not have device access", which should reduce the risk of hackers accessing the files on a cloud-based system.

But experts warn the files won't be censored in any way when they're stored, meaning personal information like visible passwords or visible medical information will be kept in the screenshots.

"Imagine the goldmine of information that will be stored on a machine, and what threat actors can do with it," Muhammad Yahya Patel, lead security engineer at Check Point, told Sky News. 

"It is a one-shot attack for criminals, like a grab and go, but with Recall they will essentially have everything in a single location."

Daniel Tozer, data and privacy expert at Keystone Law, told BBC News that Recall reminded him of the dystopian Netflix programme Black Mirror - likely referring to one eerie episode where people could retrace every moment of their lives. Of course, that episode didn't end happily ever after.

"Microsoft will need a lawful basis to record and re-display the user’s personal information," Tozer told BBC News. 

"There may well be information on the screen which is proprietary or confidential to the user’s employer; will the business be happy for Microsoft to be recording this?"

Microsoft said in a statement that would-be hackers would need to gain physical access to a device, unlock it and sign in before they could access saved screenshots.

The tech giant also wrote in its blog post that the user "is always in control" and can "delete individual snapshots, adjust and delete ranges of time in Settings, or pause at any point". Users can also stop the feature from recording specific apps and websites.

But large companies have a history of exploiting users' data for their own profit, making it hard for users to trust Microsoft when they say they won't access the Recall data.
