Tech Tonic: No matter what Microsoft says, Recall still faces privacy questions

May 15, 2025 12:53 PM IST

Share Via

Copy Link

The sheer scope of data collection is staggering, and end result is, a treasure trove of personal information, stored on your Windows 11 PC

Just this week, I was setting up a new artificial intelligence (AI) laden Copilot+ PC for review (it is still under embargo), and a new step in the setup flow stood out. “Unlock your photographic memory with Recall”, it reads. This roll-out is finally happening, a year after it was first broached in public conversations, and was subsequently delayed after security researchers (including cybersecurity expert Kevin Beaumont who found this AI-powered feature had security flaws). My point is, it may be back and Microsoft can insist they’ve “implemented extensive security considerations”, but it doesn’t easily change the very nature of this searchable timeline from the past. But then again, the Copilot+ PC proposition, needs new chapters.

Recall takes screenshots of your screen every few seconds, stores and processes them locally to create what they believe will be a relevant and searchable timeline of your activities.

This is essentially “photographic memory” for your Windows 11 PC. Recall takes screenshots of your screen every few seconds, stores and processes them locally (that is, on-device — this is where the neural processing unit becomes important) to create what they believe will be a relevant and searchable timeline of your activities. Microsoft touts its potential to boost productivity by letting users retrieve past content effortlessly. Credit where it is due, Microsoft has detailed steps taken to rework the architecture of Recall, since it was first talked about a year ago.

First off, they have made in an opt-in, rather than an opt-out. As the setup screen also suggested, both choices are there. Even for Windows PCs that get this feature as a subsequent update, Recall will remain off till a user explicitly turns it on. Microsoft also talks about weaving in the Trusted Platform Module (TPM), tied to a user’s Windows Hello Enhanced Sign-in Security, to protect encryption keys for the vector database that stores these snapshots and any other information captured at the same time. They also say, services that process Recall screenshots are isolated within the operating system (OS).

Also Read: AI now writes up to 30% of Microsoft’s code, CEO Satya Nadella reveals

If you are setting up a new Windows PC, as I happened to be, or receiving Recall via a Windows update at some point, I’d suggest turning this off. And keeping it that way. Productivity boost and all that is good marketing spiel, but this still carries significant privacy risks. If I may be forthcoming here, this is the closest we’ve had to an opt-in surveillance tool on our computing devices — because this is significant chunk of very personal data, and threat actors will weaponise this at some point. Mark my words.

Every few seconds, it captures a snapshot of your active screen, whether you’re browsing the web, drafting an email, or entering sensitive information like passwords or financial details. I would not like my net banking login (even if it is just the login, not the password) to be visible in a screen grab that is stored somewhere within the depth of Windows 11, accessible and readable by AI in some form, and ripe for malware to take advantage of.

On the face of it, everything Microsoft is trying to say to convince the world that Recall is indeed a great thing, may sound reassuring. But at its core, we’re simply serving up on a platter, sensitive data to — and I’ll say it again — for an inevitable threat. A more sophisticated ‘key logger’ malware from the previous decade, but something on the same lines unfortunately.

The sheer scope of data collection is staggering. Recall doesn’t, at least not based on anything I’ve heard thus far, exhibit any understanding or censorship to sensitive activities visible on screen versus the more mundane stuff. It captures everything, be it online bank logins, online account logins, private messages, medical records, or even those disappearing messages in WhatsApp that are otherwise meant to go poof. I am not sure if Recall is primed to do any content moderation either, meaning it won’t automatically hide passwords or financial details unless you manually filter specific apps or websites.

The end result is, a treasure trove of personal information, potentially stored indefinitely on your device. For the average user, who may not meticulously configure privacy settings, this is a ticking time bomb. That leads me to the point of big tech often hiding behind the local storage argument. One that is often used to downplay privacy concerns. A red herring, if you may. The simple fact is, a locally stored database is only as secure as the device it resides in, and if a hacker or a sophisticated malware, were to gain access to the PC (it is easier than many of us imagine), even an encrypted Recall database risks being a prime target.

Also Read: Microsoft AI director laid off in bloodbath triggered by AI push: ‘Asked to stop work immediately’

Case in point — late last year, ethical hacker Alexander Hagenah developed a command-line tool called TotalRecall that could extract and display data from the Recall database in Windows 11, exposing sensitive information about a PC’s activity and previous snapshots. You may be putting a lot of faith in Microsoft, if you hope these issues have been patched perfectly, amidst a recalibrated privacy pitch the tech giant is giving now that Recall is rolling out.

There are personal and professional dynamics to the Recall play. An abusive partner in a relationship could gain unauthorised access to their partner’s Windows PC and leverage Recall to spy on their activities. In an organisation, information technology (IT) systems could do the same to monitor employees. And for all businesses, irrespective of size, there could be the concern about trade secrets getting revealed at some point (for now, Recall doesn’t seem to be rolling out for organisation-managed systems).

There can of course be an argument that is no different from existing cloud-based services such as web browsers and storage, which we as users willingly sign in to and give access to, that also track user behaviour and save data. And what while Recall is locally processed and encrypted, cloud services send data to online servers (their own, or third-party for storage). Yet, that comparison misses a key point. Unlike browser histories, which users can clear or limit, Recall’s snapshots are far more granular since they capture visual data across all applications without selective curation. Usually the sort of data you wouldn’t screenshot and store.

Recall is simply another chapter of big tech prioritising AI’s evolution, over risky moves that could prove a nightmare for user data privacy. And they will, one day. I may be overthinking this, but when it comes to the online footprint, it is always prudent to err on the side of caution. For now, Microsoft is keeping Recall as opt-in. At some point in the future, that might change. Till then, you’re better off keeping this toggle at position ‘off’. The quick guide is here: Windows Settings > Privacy & Security > Recall & Snapshots, toggle off “Save snapshots,” and delete any existing snapshot data.

Vishal Mathur is the technology editor for HT. Tech Tonic is a weekly column that looks at the impact of personal technology on the way we live, and vice-versa. The views expressed are personal