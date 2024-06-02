Key Takeaways Microsoft Recall's on-device 'memory' feature for Copilot+ laptops offers on-device processing and storage for enhanced privacy.

Misconceptions about Recall's security and privacy could stem from comparisons with cloud-based AI systems.

Personal data stored with Microsoft Recall can be exposed if an unauthorized person gains access to your computer.

Microsoft held a big Copilot and Surface event last week, and it announced a fresh suite of AI features exclusive to Copilot+ laptops. For now, those are the 14 laptops set for release next month powered by Qualcomm's Snapdragon X platform. The feature that drew the most attention was Recall, a tool that serves as a memory of sorts for your PC. It's designed to make searching your PC easier with the help of artificial intelligence, saving snapshots of your computing history that can be referenced later. We wouldn't blame you if you thought Microsoft Recall sounded a bit dystopian by the sound of it, but it's using on-device processing. That negates many of the arguments about the feature being 'spyware' or 'a Black Mirror episode,' as social media users put it, including those as high-profile as Elon Musk.

Still, the discourse sparks a good conversation. Before you go out and enable Microsoft Recall on a new Copilot+ laptop, you'll want to make sure it is actually private and secure. Some great questions have surfaced as a result of the generally-negative sentiments that social media users have had toward Recall. How secure is on-device processing? Are all types of on-device processing made equal? What greater implications could enabling Recall on a Copilot+ PC have? These are all fair things to ask, and you might be surprised by some of the answers.

Microsoft's Recall feature runs on-device

We've been waiting for on-device processing, so why aren't we more excited?

Most of the negativity we've seen on social media surrounding the Recall announcement comes from a place of ignorance, and that isn't necessarily the fault of users. Just about every major AI feature we've seen launch over the past year comes with a grueling set of terms and conditions, including high-profile chatbots like OpenAI's ChatGPT and Google's Gemini. These T&Cs permit companies to collect your queries and responses to help train future AI models, so there's no sense of privacy. If people have gotten used to this agreement, they may have assumed Copilot+ and Recall work the same way. But, they don't. All the data collected by Recall never leaves your device, and Microsoft won't see it.

Another thing people are getting wrong is whether the Copilot+ Recall feature is opt-in, opt-out, or enabled by default. In reality, it's actually none of the above. You'll choose how and if Recall saves snapshots of your system during the Windows 11 out of box experience (OOBE). And since Copilot+ is only available on new devices that meet Microsoft's new hardware requirements, everyone has to go through the OOBE. It's true that most users probably won't tweak the OOBE, but let's be honest. If a user isn't customizing their OOBE settings, they're consenting to personalized ads, data collection, and more. Microsoft Recall would be the least of a user's worries if they don't opt out of everything in Windows 11.

Related On-device AI processing is the breakthrough we're still waiting for Artificial intelligence is everywhere, but most of it happens in the cloud. The next big shift is bringing all that processing on-device.

It's also worth bringing up the irony of this situation. People have been clamoring for more things to run on-device, and it's not hard to see why. When data needs to leave your device, there are more ways it can end up in the wrong hands. At best, the data will be stored on another party's servers for a brief period of time, and needs to be sent back and forth. This creates new attack vectors, and we all know companies are not immune to large data breaches. Then, at worst, the company you're sending your data to may be actively collecting your data for its own purpose or selling off to a third-party company. On-device processing was supposed to be the solution to many of these issues, and yet Microsoft Recall is considered a problem.

There are varying levels of security for on-device processing

Just because it runs on device, doesn't mean it's inherently secure

Close

While some are inherently skeptical of on-device processing, others immediately trust it as completely secure, and neither approach is the correct one. Not every form of on-device processing has the same level of security. For example, most operating systems today have a Trusted Platform Module (TPM), including Windows 11. This hardware chip — or a part of the system-on-a-chip (SoC), when applicable — makes it possible to create a Trusted Execution Environment (TEE). In other words, it's a safe place where absolutely critical code execution happens and the most sensitive data is secured. It's not connected to your primary storage device, so things like malware can't get to it. Aside from Windows 11, all modern Apple devices and select Android devices have a TPM of some sort. Google has Titan M, Apple has Secure Enclave.

On-device storage and processing is good, but things that happen on a TPM are best. Apple's Secure Enclave is the only part of an Apple product that has access to biometric data. The company explains how it works best, saying the following about how Touch ID data is stored in a support document:

Your fingerprint data is encrypted, stored on disk, and protected with a key available only to the Secure Enclave. Your fingerprint data is used only by the Secure Enclave to verify that your fingerprint matches the enrolled fingerprint data. It can’t be accessed by the OS on your device or by any applications running on it. It's never stored on Apple servers, it's never backed up to iCloud or anywhere else, and it can't be used to match against other fingerprint databases.

All that is to say that while some types of on-device processing and data storage are virtually impenetrable, others are more mortal. Anything that is stored on-device and is accessible from the main operating system could be compromised in the event of a hack, or if someone gains physical access to your computer. Since data from Microsoft Recall is stored on your storage device and is accessible from Windows 11, someone could see it if they gain access to your operating system.

Microsoft Recall running on-device is absolutely a good thing. It means that Microsoft won't be able to see your data, it can't be compromised as part of a data breach, and it won't be used to train AI models. But the way Microsoft Recall data is stored is effectively the same as any other file or app on your PC.

If you're not comfortable saving something as a file on your PC, you probably shouldn't let Recall capture it. Again, in order for it to actually be compromised, someone would need to gain access to your PC in some way — most likely through a remote hack or physical access to your device.

You're worried about all the wrong things

There are legitimate concerns tied to Microsoft Recall, but it isn't 'spyware'

I don't plan on buying a Copilot+ PC at the moment, so I don't need to make a decision on whether to enable Microsoft Recall or turn it off immediately. However, if I was making that choice, Microsoft collecting my data would be the least of my concerns. It's using on-device processing, so the company can't see it. It's really that simple. I would, however, be worried about my Recall preference being changed automatically. There is a long list of examples of people seeing their Windows settings being adjusted automatically after applying a system update. Accounts of the issue on Microsoft's forums can be found as recently as last month, and date back to the Windows 10 days.

There's another thing to consider. While on-device processing and storage prevents Microsoft from spying on you, it doesn't prevent people from spying on you. When agreeing to create a "memory" of your PC activity, you have to consider what consequences that may have. It's far from a conspiracy theory. People go searching through others' devices all the time, and law enforcement entities in many jurisdictions can search computers with a court order. Instead of needing to piece everything together, Microsoft Recall could hand your every computing move right to whoever is looking for it. Whether this sounds concerning to you will vary from person-to-person, but it's definitely something to think about.

As a general rule, I'm not going to tell anyone to trust any kind of tech feature — that's something for individuals to decide after weighing all the facts and figures. One thing is for sure, and it's that Microsoft won't be spying on your computer history using Recall. That isn't how it works, and that isn't what Recall is about. The data is far from impenetrable, but things that are stored on computers rarely are.