While only “insiders” will get to test drive the feature, expect the enhanced security and control functions to undergo intense scrutiny
Do you recall the saga about the feature in Microsoft’s experimental Copilot+ laptop feature that was designed to capture screenshots of users’ desktop actions periodically — in order to help them “instantly and securely find” what had seen on screen?
After a raft of negative feedback and security warnings from researchers and beta testers, the feature was, well… recalled to the proverbial drawing board.
Subsequently, in a 27 Sep blog post, the firm had declared the feature to be sufficiently sanitized, and would be rolled out to Windows Insiders in Oct 2024. Reassurances include:
- First, since the feature is “designed with security and privacy in mind” like all other software by the firm, ergo, the revised feature can be trusted by trusting users.
- Next, users do not even have to use the feature, as it is not active until manually turned on. The feature can also be removed entirely via optional settings in Windows.
- When in use, the feature’s snapshots and associated information in the vector database are stored locally on the host devices, and always encrypted and protected by the Trusted Platform Module tied to users’ Windows Hello Enhanced Sign-in Security. The data can be used only by operations within a Virtualization-based Security Enclave. Enclaves also have rate limiting and anti-hammering protections to mitigate the risk of brute force attacks.
- The blog explained: “Services that operate on screenshots and associated data or perform decryption operations reside within a secure VBS Enclave. The only information that leaves the VBS Enclave is what is requested by the user when actively using Recall.”
- The feature currently supports personal identity numbers as a fallback method after configuration, to avoid data loss if a secure sensor is damaged. Users are always in control, and can delete, pause or turn them off at any time. “Any future options for the user to share data will require fully informed explicit action by the user.”
- The feature will not recall certain things content in private browsing on supported browsers. Activities within user-designated apps and websites (only via supported browsers) can also be excluded.
Finally, sensitive content filtering, active by default, tries to prevent passwords, national ID numbers, and credit card numbers from being recorded. Users will have be able to control content retention time, disk space allocation for snapshot storage, and record deletion – by time, app, website, or the entirety of what the feature can search.
With security safeguards that should have been in place right from the start finally slated for release some time in 2025, Copilot+ PC users can look forward to uninstalling Recall to eliminate the myriad cyber risks (and reduce hardware-resource draining) and bugs inevitable in complex globally-marketed systems.