The UK data watchdog says it is “making enquiries with Microsoft” over a new feature that can take screenshots of your laptop every few seconds. Microsoft says Recall, which will store encrypted snapshots locally on your computer, is exclusive to its forthcoming Copilot+ PCs.
But the Information Commissioner's Office (ICO) says it is contacting Microsoft for more information on the safety of the product, which privacy campaigners have called a potential “privacy nightmare”. Microsoft says Recall is an “optional experience” and it is committed to privacy and security.
According to its website, users “can limit which snapshots Recall collects”.
“Recall data is only stored locally and not accessed by Microsoft or anyone who does not have device access,” the firm said in a statement. And it said a would-be hacker would need to gain physical access to your device, unlock it and sign in before they could access saved screenshots.
But an ICO spokesperson said firms must “rigorously assess and mitigate risks to peoples' rights and freedoms” before bringing any new products to market.
“We are making enquiries with Microsoft to understand the safeguards in place to protect user privacy,” they said.
‘Chilling'
Recall has the ability to search through all users' past activity including files, photos, emails and browsing history. Many devices can already do this – but Recall also takes screenshots every few seconds and searches these too.
“This could be a privacy nightmare,” said Dr Kris Shrishak, an adviser on AI and privacy.
“The mere fact that screenshots will be taken during use of the device could have a chilling effect on people.”
Microsoft says it “built privacy into Recall’s design” from the beginning, and users will have control over what is captured. For example, users can opt out of capturing certain websites, and private browsing on Microsoft's own Edge browser will not be captured.
“People might avoid visiting certain websites and accessing documents, especially confidential documents, when Microsoft is taking screenshots every few seconds,” said Dr Shrishak. And Daniel Tozer, data and privacy expert at Keystone Law, said the system reminded him of dystopian Netflix programme Black Mirror.
“Microsoft will need a lawful basis to record and re-display the user’s personal information,” he said.
“There may well be information on the screen which is proprietary or confidential to the user’s employer; will the business be happy for Microsoft to be recording this? And he asked how consent would work for people appearing on the screen on a video call or photo.
“Are they going to be given the choice as to whether to consent to that? User and access controls will be a key issue on which Microsoft will doubtless be focussing,” he said.
Passwords screengrabbed
Meanwhile, Jen Caltrider, who leads a privacy team at Mozilla, suggested the plans meant someone who knew your password could now access your history in more detail.
“[This includes] law enforcement court orders, or even from Microsoft if they change their mind about keeping all this content local and not using it for targeted advertising or training their AIs down the line,” she said.
According to Microsoft, Recall will not moderate or remove information from screenshots which contain passwords or financial account information.
“That data may be in snapshots that are stored on your device, especially when sites do not follow standard internet protocols like cloaking password entry,” said Ms Caltrider.
“I wouldn’t want to use a computer running Recall to do anything I wouldn’t do in front of a busload of strangers.
“That means no more logging into financial accounts, looking up sensitive health information, asking embarrassing questions, or even looking up information about a domestic violence shelter, reproductive health clinic, or immigration lawyer.”