Will enterprises find a role for Microsoft’s Recall?

Microsoft’s new screenshotting, timelining, data-finding Recall feature for its AI-enhanced Copilot+ PCs has many security and privacy pros concerned about a new potential trove of valuable data for malicious hackers.

Some IT practitioners see helpful retrieval benefits for the enterprise, while others have their doubts about the personal data protection that the Recall feature returns. As the debate extends to a new technology, IT pros will need to decide to keep it off, turn it on, or settle somewhere in between.

Peter Waxman, group program manager at Microsoft, told IT Brew that enterprise customers will need to evaluate the feature for themselves.

“IT pros...have different security postures. If I’m a fin sector customer, my trading systems, my treasury systems have a different set of policies and controls than a bunch of my information workers or my marketing department,” Waxman said.

What’s Recall? During a launch event on May 20, the Microsoft team unveiled the company’s Copilot+ PCs, including a Surface Laptop and Surface Pro, each equipped with a Recall feature that Microsoft EVP and Consumer Chief Marketing Officer Yusuf Mehdi told the crowd helps find “virtually anything you have ever seen on your PC.”

“Just describe how you remember it,” Microsoft’s guidance reads, “and Recall retrieves the moment you saw it.” According to Microsoft’s details, Recall takes screen snapshots every five seconds (when content differs from the previous screenshot) and stores them in a timeline.

At the product launch, Mehdi said, “We’re going to keep your Recall index private and local and secure on just the device. We won’t use any of that information to train any AI models, and we put you completely in control, with the ability to edit and delete anything that has been captured.”

Security and privacy concerns. To some security pros, the idea of “virtually anything” seen on a PC is an attractive target for hackers.

“In essence, a keylogger is being baked into Windows as a feature,” security researcher Kevin Beaumont wrote in a post on May 21.

Waxman cited Microsoft’s Windows 11 security controls, including personal data encryption and access control measures (like biometric sign-in), saying that being able to access screenshots would mean an attacker already achieved admin-level powers on the device.

“[Recall] doesn’t represent any new sort of opening from a risk or threat perspective,” Waxman said.

On June 7, Microsoft announced updates that will go into effect before Recall ships to customers on June 18: a clear opt-in message during setup, required enrollment in Windows Hello before use, and screenshot decryption allowed only when users authenticate.

The screenshot feature may snap a credit card number, or some proprietary information, or virtually anything else a user might want to be unseen—a concern for some. (Wired reported on June 4 that one ethical hacker’s demo tool can extract and display a laptop’s Recall records.)

“There will be cases of the screenshots being used against people, not only directly for blackmail, but also to create even hypertargeted phishing against executives of companies,” Pete Nicoletti, global CISO, Americas, at Check Point Software Technologies, said. “So there will be failures of this technology, regardless of the promises that Microsoft makes.”

Microsoft’s Group Policy and mobile device management policy options allow users to block captures of certain apps and websites.

What’s the use?! Dennis Perpetua, VP of generative AI digital workplace services and experiences at tech services firm Kyndryl, sees potential for the technology, especially in its ability to clear out the “noise” of data that arrives at our desktops daily—like email, chat, and text. He even sees accessibility possibilities, and imagines being able to use the screenshot recognition APIs to assist device-debugging problems for visually impaired colleagues someday.

Like most generative AI tech, however, Perpetua advises a role-by-role appraisal.

“This may be more effective for a task worker that may not be dealing with sensitive information, that may be processing various information on their desktop rather than an HR manager,” Perpetua says, advising clients to figure out who the “personas” in each organization are and how each would use the generative AI feature-of-the-moment, and determine the return on investment.

“I think it’s going to be a binary decision by a security executive saying, ‘Look, for corporate, we’re going to just turn this off,’” Nicoletti said.

CISA’s review of a summer 2023 Microsoft Exchange intrusion led the agency to say: “Microsoft’s security culture was inadequate and requires an overhaul.”