When Microsoft introduced the Copilot+ PC two weeks ago, Recall was the star feature of everything announced: AI features computed on the device itself, with no dependence on the cloud. And it is true that, from the angle used to present it, having the "photographic memory" they described at the event, one that would make it easy to retrieve any "memory" of the activity carried out on the PC over the past few months, sounded like an interesting proposition.
However, as expected, the first misgivings about Recall did not take long to appear, and within days the UK regulator opened the first official inquiry to examine the feature's potential privacy issues, which is exactly what had been warned about from the first moment, along with its potential security issues.
Until now, the concerns had been based on conjecture. Credible, yes, but conjecture. But as the researcher's tweet embedded above this paragraph shows, a security researcher has already identified a problem that can compromise the privacy and security of any user who chooses to use Recall on their system. And that, as we will see a little later, points to a large number of people in the medium term.
The problem is that, as expected, Recall stores everything it collects in a database, and as the researcher was able to verify, that data is stored in plain text. What does this mean? Very simply: if an attacker manages to gain access to the system and escalates to administrative privileges, nothing prevents them from reaching the folder in which the database is stored, copying it out, and from that point on reading its contents at leisure. Note that full-disk encryption such as BitLocker does not change this picture: it protects the file while the device is powered off, but once a user is logged in the volume is unlocked and the database is readable by any code that reaches the folder.
It is surprising, very surprising, that to store potentially sensitive information like this Microsoft did not choose to encrypt the database, which would mean that its theft would not be such a serious security problem (although encryption keyed to the logged-in user would still not stop malware already running in that user's session). And as we told you at the time, Recall does not discriminate about the type of information it stores. Its FAQ states this explicitly: «Note that Recall does not moderate content. It will not hide information such as passwords or financial account numbers. That data may be in the images that are stored on your device, especially if sites do not follow standard internet protocols, such as masking password entry.»
Given the controversy and the risks, one would have expected Microsoft to ship Recall disabled by default. However, as we read in Neowin, the Windows 11 OOBE (Out of the Box Experience) on Copilot+ computers enables Recall by default and does not allow you to disable it during setup. During that process an informational screen about the feature appears, which also lets you learn more about it, but there is no button or other control that lets you deactivate it at that point.
Fortunately, as we read in that publication, it appears that a discussion has been opened within Microsoft about whether this should change, so that Recall is disabled by default and it is up to the user to enable the feature (or not). The problem is that Copilot+ PC devices are expected to launch in just two weeks, so even if they make the most appropriate decision, which would be to disable it by default, it is not clear that there is time for that new policy to be applied to these machines.
Concerns from users and experts, regulators on alert, security professionals who have already identified concrete problems… the debut of Recall looks much worse than Microsoft could have imagined when designing and presenting the feature, but there is still some room for them to realize that Recall should be disabled by default, and to let users decide whether they want to activate what more and more voices are describing as a privacy and security nightmare.