Hagenah says an attacker could get a huge amount of information about their target, including insights into their emails, personal conversations, and any sensitive information that’s captured by Recall.
Hagenah’s work builds on findings from cybersecurity researcher Kevin Beaumont, who has detailed how much information Recall captures and how easy it can be to extract it. Beaumont also says he has built a website where a Recall database can be uploaded and instantly searched. He says he hasn’t released the site yet, to allow Microsoft time to potentially change the system. “InfoStealer trojans, which automatically steal usernames and passwords, are a major problem for well over a decade—now these can just be easily modified to support Recall,” Beaumont writes.
The criticisms come as hacks of Microsoft systems have led to various US government data breaches; Nadella has said security should be Microsoft’s “top priority.” Microsoft did not respond to WIRED’s request for comment about the security features of Recall by the time of publication.
Recall’s privacy pages say it is possible to disable saving screenshots (effectively turning Recall off), pause the system temporarily, filter applications where screenshots are taken, and delete what is gathered at any time. Recall runs on the laptop itself, storing data it captures on the device and not sending this information to Microsoft’s servers. Hagenah says this claim appears to be true, with no signs that data is sent to Microsoft.
Microsoft is, at least, aware of some of the possible privacy and security-related issues with Recall: Its help pages say the system does not perform any content moderation on what is contained in the images it saves. This means, Microsoft says in the guide, that it won’t “hide information such as passwords or financial account numbers.” Security researchers have already been able to extract passwords from Recall.
Recall’s main database is stored on the laptop’s system directory, and while it needs administrator rights to access, privilege escalation attacks have been around for years, making it theoretically possible for an attacker to gain initial access to a device remotely.
Hagenah says that in cases of employers with “bring your own devices” policies, there’s a risk of someone leaving with huge volumes of company data saved on their laptops. That’s a particular risk if they’re disgruntled or leave on bad terms, he says. The UK’s data protection regulator, the Information Commissioner’s Office, has asked Microsoft to provide more details about Recall and its privacy.
While Recall remains as a “preview” feature and, according to Microsoft’s small print, could change before it launches, Beaumont writes in his research that the company “should recall Recall and rework it to be the feature it deserves to be, delivered at a later date.” He adds: “They also need to review the internal decisionmaking that led to this situation, as this kind of thing should not happen.”
