Recall may take snapshots of sensitive information, but Microsoft says you'll be fine

Recently, Microsoft introduced the review version of the Recall feature for insiders in the Dev channel. For those of you who don’t know, the feature uses Copilot and the NPU in a Copilot+ PC to take snapshots of your actions as you’re using the machine.

The feature is supposed to help you find relevant information and allow Copilot to provide you with better responses and suggestions about your content. However, Microsoft said that the preview version of Recall won’t save any snapshots just yet.

Recall may snapshot your credit card information and SSN

With an upcoming launch in progress, the users are discussing again about Recall’s privacy concerns. A user posted on Reddit that Microsoft Recall is capturing screenshots of sensitive information like credit card and social security numbers, triggering an avalanche of comments.

This is not the first time when Microsoft Recall is put under scrutiny by the community, but since then, Microsoft made a lot of changes to the feature’s security policies. In a Windows Blog post, Microsoft explains why Recall doesn’t represent a risk for the users.

Essentially, the software giant has four big privacy design principles for Recall that, according to them, makes the feature safe.

Microsoft has made efforts to secure the Recall feature

The first is that Recall is an opt-in experience. When you set up your Copilot+ PC, you have the option to save the snapshots or not and, by default, the feature will be turned off. Even if you chose to enable it, you can remove Recall entirely at any point.

Another argument is that the Recall stored data is encrypted with protected keys via the Trusted Platform Module (TPM). That is also why TPM 2.0 will soon be a mandatory requirement for Windows 11. Moreover the Recall stored data can only be used within a Virtualization-based Security Enclave (VBS Enclave) which is also a secure environment. That means only users that have access to Windows Hello sign-in.

The third privacy policy is that the Recall services that handle snapshots and data are also isolated within the VBS Enclave. According to Microsoft, The only information that leaves the VBS Enclave is what is requested by the user when actively using Recall.

Finally, the software giant basically says that you have to authorize Recall’s actions using Windows Hello such as changing any of its settings or accessing its user interface. They also mention that Recall currently supports PIN as a fallback method only after Recall is configured, and this is to avoid data loss if a secure sensor is damaged.

This is connected to another recent Microsoft announcement with plans to add another layer of protection using Windows Hello as additional validation of wide-system actions.

So, is it possible for Recall to get snapshots of your sensitive data? Yes, if the information is stored on your device and you allow it to do that. However, Microsoft basically implies that no one else can access it unless it has control over your PC via Windows Hello. That means PIN, fingerprint or face authentication.

For the moment, we remind you that Microsoft Recall is not implemented yet in its final form. Only the Windows Insiders can access the preview version of Recall that doesn’t yet take snapshots. We will see soon enough how this whole story will unfold.