Recall is insane

A few days ago I said ‘Wait and see’ about Microsoft’s announced Recall feature. Initial discussions were a bit too ‘Henny Penny’ for me. Sometimes it’s good to base things on facts.

The security aspect is concerning. Snapshots seem to be protected only by disk encryption (which is fine when the PC is off), but there’s an open question as to whether tools with a high enough privilege (security tools) can view them as they’re stored in AppData. That’s a vector of attack for malware and perhaps APT. But in my view if you’re a business and someone gets to individual AppData folders…you’ve got bigger holes to close.

The privacy and protection aspect is much more interesting. I wonder if MS went “Oh, it’s stored locally, so no need for a DPIA or to think about GDPR”.

Because that’s not wise. The ICO are already asking questions:

Microsoft Copilot+ Recall feature ‘privacy nightmare’
The ICO wants to know the safeguards around Recall, which can take screengrabs of your screen every few seconds.

I’m quite sure it’s illegal to record people without their permission in at least Germany. So, with Recall active, if you’re on a video call with someone and don’t tell them - you’re breaking the law? That’s why video conference apps alert everyone. I’d look for other countries where that’s the case but Bing is down this morning and I use DuckDuckGo 🤷‍♂️

Also, hearing from others that this could be potentially horrendous for people in abusive relationships was one of those ‘Dammit’ moments for me. I was just looking at it from a tech, infosec, privacy mindset. I’m grateful I read those comments.

Interesting reading anyway:

Privacy Disasters: Microsoft, Just Because You Can
... Doesn’t mean you should. Here’s why.
