Today we released a new version of O&O ShutUp10++. This is in fact nothing special, because we do it at regular intervals whenever there are new privacy settings to be set under Windows 10 or Windows 11. But this version is special because for the first time we are disabling a feature that doesn’t really exist in the wild yet: Windows Copilot+ Recall.
When Microsoft introduced this feature on May 20, 2024, I was pretty surprised. A quick note on what Recall does: essentially, it constantly takes screenshots of the entire display, which are then immediately evaluated using a local AI so that you can search for text in these images. And of course, the images are also saved, so that you can go back and forth in the history like with a search bar. At least that’s what the demos from Microsoft promise.
This immediately raises the question: what problem does it solve? There is the good old rule that a solution (especially software) should relieve you of pain that you yourself have as a developer. That is usually the best motivation for an application. So, I asked myself this question: when was the last time I wanted to know what I did on my PC three weeks ago?! Frankly, when programming, you tend to quickly forget what rubbish you tried two days ago. I really don’t need to see that again. But are there such use cases? Probably, but they are rather rare.
So, what does this feature actually mean? According to Microsoft, a good 25 GB of storage space is needed for around three months of “history”. This would allow you to store a year in 100 GB. That doesn’t seem like a lot, but it is. And you shouldn’t forget the data that it contains, because every screenshot contains everything that was on the screen. Really, all of it – nothing is hidden. Microsoft explicitly points out that sensitive data could be compromised under certain circumstances.
Yes, correct, but if only it were just that data. What do we do on the PC all day? Work, surf, play, shop, etc. And we constantly create new accounts, both privately and at work. These accounts are supposed to be secure, which is why you activate two-factor authentication. And so that you can access them even if you lose your device, you get so-called backup codes. You must remember them and copy or write them down – from the screen. It’s worth repeating – from the screen! At least you won’t have to do that in the future: with Recall, you can just ask the AI! That’s great – isn’t it?
Well, the problem is that someone else could also ask for it, and they don’t necessarily have to have my consent. This means that if someone gets hold of my machine in any way, they can theoretically access this data. That’s a feast for all hackers. Whereas in the past they had to laboriously search for this information, today they can find everything in one place. And if Recall isn’t activated, the hacker simply activates it, waits until all the fish are in the net and then hauls them in.
For private home users, this is not great, but what about companies? The devices used for work belong to the employer and so does everything on them (this is usually regulated in a company agreement). So far, that’s been OK; private data shouldn’t be on the computer anyway. But with a little helper like Recall, you can not only spy on the data but also ask the AI how productive an employee is on their PC, whether they tend not to use it much, and whether they do private things on the PC. It used to be quite difficult to determine all of this, but today it’s integrated as a feature in Windows. Nice (not).
I think Microsoft has overshot the mark with Recall. It’s a feature that nobody asked for and that creates a blatant and unnecessary security problem under Windows. And even worse: it undermines not only trust in AI itself, but also in the PC. This abbreviation stands for “Personal Computer” – and the emphasis is on “Personal”.