
I don't understand how recall even got launched. No one should have spent money developing it.

Yes, the idea is cool. But even if you trust Microsoft it's obviously a privacy and security nightmare. How many people would install a keylogger on their own system? And then make that keylogger trivial to search through? It just makes Windows computers extremely valuable targets for hackers and I'll ban them on my networks even if Recall isn't enabled.




The only good thing about Recall is that it has been the definitive decider of moving away from Microsoft permanently because for them to create such a ‘feature’ shows a complete lack of care about people’s private data - they’ll be leaving a huge jackpot prize for anyone who breaks into a system.

Just the kind of thing this NSA Prism-participating company would think was a top notch idea.

Not saying the real motive is surveillance… I’m sure a feature update or two away will also turn the data into a real money maker of advertising which, instead of just being able to advertise to you, can kill two birds with one stone in being able to increase tenfold the ad revenue by watching who you’re talking with in your emails, your PMs on Facebook (or wherever else) and then selling marketing data on you AND them.

If I was a purely profit driven individual - I’d be doing exactly that. But I have too much of a heart.

Even if they say that they’ll be abandoning this idea as they have ‘listened to user feedback’ or some other bull, the complete damage has already been done here.

Thank the lord there are an abundance of excellent OS alternatives.


It’s not about ‘privacy’ or having anything to hide, it is about the fact that some company wants to take control of you and letting people own you.

Recall is essentially the same as recording what you can see with your own eyeballs and what you are thinking and doing when you are on your system.

In a couple of updates, Microsoft will likely be able to recall data on any screen anywhere… you make a call to your insurance company, Recall will know all of the same info that the insurance agent can see from their screen.

You visit your therapist, then after you leave they write up notes on their Windows computer with Recall then somehow your insurance rates go up the next month.

When I was a scoundrel hacker in the 2000’s (I am not proud of it), the first thing I’d do is install keyloggers and screen grabbers - and let me tell you, although I never did anything with the data I can tell you categorically that it would have been pretty bad for these people had I doxxed the content. These people were probably the same kinds of people who would argue your kind of point, but it’s only because they haven’t thought about it enough to fully realise the damage that can be done.

Now when hackers break into a system, they will be able to grab that recall. Partners will be able to do it. Trolls will be able to.

Just like the power trip I was on, Microsoft are also on a power trip, except they go all in and have the backing of the NSA. They do not care about your privacy, they just want control/power/dominance and money.

Doxxing is about to hit the big time with this. Soon enough, you’ll find more than just a celeb’s full Recall on the dark web; you’ll have your friends and family looking over your own Recall history when it gets leaked from some other massive malware scam.

File cryptor ransomware will soon be called Recall ransomware.

I think you are a psychopath if you don’t think long and hard on moving away from Microsoft immediately.


I feel Recall got excessive backlash because of how ubiquitous and far reaching Windows is, and critics basically live and die by finding something popular to bitch about.

There are already many things that record our data and actions that most of us are otherwise fine with. Browsing history, Undo in any number of productivity software, search histories both local (eg: Windows) and remote (eg: Google, Bing), password managers and Post-Its on monitors(tm), chat logs, vidja gaem save files, and more.

Some of the issues floated like the seemingly complete lack of encryption are valid, but the overall response indeed felt very overblown and hypocritical.


Recall will track everything you do. This would be a massive invasion of privacy if Microsoft didn't already track everything you do.

Related threads:

"Giving Windows total recall of everything a user does is a privacy minefield", 41 comments, https://news.ycombinator.com/item?id=40470806

"AI PCs are the final nail in the coffin of open computing", 60 comments, https://news.ycombinator.com/item?id=40436975

"How the new Microsoft Recall feature fundamentally undermines Windows security", 50 comments, https://news.ycombinator.com/item?id=40433884

"Windows Recall sounds like a privacy nightmare", 298 comments, https://news.ycombinator.com/item?id=40443682


This is the big thing I’m worried about with the AI revolution. If AI is being baked into your OS, where does usable training data end and your sensitive data start? Recall is pinkie promising that it won’t record sensitive data but at the same time it’s also saying “if your application doesn’t protect it well we mayyy see it and record it, whoops”. I can bet you 120% Recall is just a way for Microsoft to collect training data on millions of users every day. It is a privacy nightmare. But I don’t think the average consumer will care. Privacy died a long time ago.

The whole issue is with Recall storage, and information gathering on Windows.

That's old information. This is how Microsoft is intending to change Recall based on these criticisms:

Microsoft will also require Windows Hello to enable Recall, so you’ll either authenticate with your face, fingerprint, or using a PIN. “In addition, proof of presence is also required to view your timeline and search in Recall,” says Davuluri, so someone won’t be able to start searching through your timeline without authenticating first.

This authentication will also apply to the data protection around the snapshots that Recall creates. “We are adding additional layers of data protection including ‘just in time’ decryption protected by Windows Hello Enhanced Sign-in Security (ESS) so Recall snapshots will only be decrypted and accessible when the user authenticates,” explains Davuluri. “In addition, we encrypted the search index database.”

https://www.theverge.com/2024/6/7/24173499/microsoft-windows...


No, this is not what the article nor this discussion is about. Windows Recall is completely local and hence actually is in line with the argument of the article that stuff was local way before it was in the cloud. Those screenshots Recall takes pose a whole different security and privacy problem: that someone (bad actor, your employer, your partner) may access these screenshots and glean a lot of information about you they shouldn’t get. Recall is not about “Microsoft having way, way more data about you”. Other MS products, sure - Recall isn’t the point here.

The point was that it’s unnecessary for a user to explicitly change the permissions of the home directory as you had described for the data to be at risk.

I agree with your last paragraph, and that is exactly what makes Recall such a big problem, and why the security community is reacting strongly against this feature.

Assuming the attacker wins, which they currently do on a regular basis, they get to know everything about everyone who has used the computer to a degree of detail that is unprecedented both in scope and in detail. The harm of losing this information to an attacker is potentially extreme, with obvious consequences.

Since this is an opt-out feature, Microsoft has essentially guaranteed that a sizable portion of their user base will overnight start feeding attackers more details than they could have ever hoped for.

It’s incompetent, irresponsible, and should be categorically rejected by the tech community.

I say this while also seeing the value of such a feature if it could be implemented safely. I hope someone figures out a safe architecture because I could see a local model trained on everything I’ve ever done on my PC being a transformational capability.

But I wouldn’t go near Recall at this point.


Windows already had a built-in keylogger with Windows 10 (https://www.pcworld.com/article/423165/how-to-turn-off-windo...) but all that data was only going to Microsoft and couldn't be accessed by you or anyone with access to your device.

Law enforcement, attorneys, and three letter agencies must be extremely excited about Recall. Now they won't have to hope that MS has records of everything you've typed while using your device, because with Recall all of that evidence will be stored on the device itself.

"If one would give me six lines written by the hand of the most honest man, I would find something in them to have him hanged." Imagine what could be found using everything a person ever types on their computer.


Isn't MS Rewind/Recall supposed to be encrypted and offline, on-device only? I don't see how it could be anything else and pass any data-protection regulation (in the EU, at least).

It's a hazard and its usefulness needs to be balanced with other needs, but on a work machine that belongs to me, it could be useful. Now, if my boss has unfettered access to this data, or any of it is online, then obviously it's a no no.

Understanding the implications of tools like this is necessary. I'm not too optimistic that the general user will fully understand these implications though. That's one of the main dangers with these technologies: promises are made, people don't think twice and overshare, and the data is used against their interests.

However, I want it to exist, MS or open source, preferably, but only if I get 100% control over it, and it is never accessible to anyone else.

Having said that, I'm very much aware that most implementations of these tools will become a security and surveillance nightmare.

The next few years are going to be interesting, and probably frightening.


I see strong potential in this feature, however given Microsoft's history in some regards I believe this feature should be (a) fully auditable and (b) not dependent on specific hardware (like Recall requires a special NPU chip) and (c) OS independent. There's still a lot of room for improvement but ultimately we believe that the community should decide what is important (is it encryption? is it blacklisting apps?) rather than having the features dictated by a megacorp.

What's really annoying me today is the security holes Microsoft is adding – by design – into Windows.

I mean of course Microsoft Recall. This delightful AI addition to the next generation of Windows PCs would have taken regular snapshots of everything you do on your computer.

Security and privacy are not the same thing. I get the frustration about Microsoft's security practices, but equating those two is a mistake.


No problem. Thanks for the apology and the explanation. I read an article recently how people have widely diverging views of privacy and think that explains the confusion. I'm fine with Microsoft learning from data derived by my behavior online if it helps them improve the software. I volunteer to give them telemetry if it's an option. But I understand some people have a much stricter sense of privacy and 'recall' crosses that line for them. If Microsoft had a copy of my private journal that would be a red line for me. Some people feel that way about the very idea of 'recall' I take it.

I feel like you are complaining about the first car. Yes, it sucks and, god, I'm not sure it's good for the world. But zoom out a bit and it seems fairly clear to me that this is what the future is going to look like and this is why Microsoft feels compelled to act.

This is the first step to creating an assistant that automatically does tasks for you on your computer driven by natural language. The context being collected by Recall is essential for this technology to work effectively as people frame natural language instructions with the assumption that the assistant shares your context. And they probably want to collect a training set, although it's excellent (and necessary for trust) that this data is local-only, which might mean this doesn't generate any useful training data. I'm super happy about that.

Despite occasional snarky comments from tech savvy people, people absolutely do want this - normal people like computing to be simpler.

I do agree that this feels a bit early, but I don't know enough to say yet. Rewind AI (the startup) handles privacy by not capturing incognito windows, which I feel is a good start and we need to keep iterating on techniques like that to balance trust against usefulness (of course with the ability to disable the whole thing if you are willing to lose the features). Hopefully Microsoft spent enough time thinking about this, but time will tell.

Fundamentally the need for AI to understand your context to correctly assist you as well as the feedback techniques essential to training effective AI are going to run up against privacy concerns and we're going to have to figure them out as an industry - preferably in public, preferably with a company that takes trust seriously. This is fundamental to the technology IMO. Is Microsoft that company? I don't know, but I wouldn't underestimate how valuable this data would be if it was on Microsoft's server, so I personally am quite happy that they made the right choice.


The concept is valuable but so ripe for abuse that it existing at all is a threat to everyone's privacy.

I have been a Windows user basically my whole life. 3 years ago I got an iPad Pro (2018, 12.9") for drawing and I hate the operating system. 7 months ago I got a Steam Deck and it's fine for games but doing anything in the OS is confusing and annoying.

Microsoft announced Recall and suddenly I'm using a spare computer to test Linux distros, and I suck at everything to do with Linux and I'm doing it anyways.

It's too dangerous, too much an invasion of privacy, and too easily enabled completely outside of my control.


The fact that Recall data and screenshots are only protected at the file system level reinforces the reality that Windows lacks user-centered privacy and security. Microsoft is content to rest their laurels instead on system level control.

I trust Microsoft to not send photos/videos of user activity back to home base. Seems like a lot of bandwidth.

What I imagine will happen is the Recall feature will send summaries of user activity back to Microsoft. That way, it's "anonymized" and somehow legal.
