larlet-fr-david-cache/cache/2024/e1f6125fe416ecd26f2804cdab5cc571/index.html

<!doctype html><!-- This is a valid HTML5 document. -->
<!-- Screen readers, SEO, extensions and so on. -->
<html lang="en">
<!-- Has to be within the first 1024 bytes, hence before the `title` element
  See: https://www.w3.org/TR/2012/CR-html5-20121217/document-metadata.html#charset -->
<meta charset="utf-8">
<!-- Why no `X-UA-Compatible` meta: https://stackoverflow.com/a/6771584 -->
<!-- The viewport meta is quite crowded and we are responsible for that.
  See: https://codepen.io/tigt/post/meta-viewport-for-2015 -->
<meta name="viewport" content="width=device-width,initial-scale=1">
<!-- Required to make a valid HTML5 document. -->
<title>Microsoft's new Windows 11 Recall is a privacy nightmare (archive) — David Larlet</title>
<meta name="description" content="Publication mise en cache pour en conserver une trace.">
<!-- That good ol' feed, subscribe :). -->
<link rel="alternate" type="application/atom+xml" title="Feed" href="/david/log/">
<!-- Generated from https://realfavicongenerator.net/ such a mess. -->
<link rel="apple-touch-icon" sizes="180x180" href="/static/david/icons2/apple-touch-icon.png">
<link rel="icon" type="image/png" sizes="32x32" href="/static/david/icons2/favicon-32x32.png">
<link rel="icon" type="image/png" sizes="16x16" href="/static/david/icons2/favicon-16x16.png">
<link rel="manifest" href="/static/david/icons2/site.webmanifest">
<link rel="mask-icon" href="/static/david/icons2/safari-pinned-tab.svg" color="#07486c">
<link rel="shortcut icon" href="/static/david/icons2/favicon.ico">
<meta name="msapplication-TileColor" content="#f7f7f7">
<meta name="msapplication-config" content="/static/david/icons2/browserconfig.xml">
<meta name="theme-color" content="#f7f7f7" media="(prefers-color-scheme: light)">
<meta name="theme-color" content="#272727" media="(prefers-color-scheme: dark)">
<!-- Is that even respected? Retrospectively? What a shAItshow…
  https://neil-clarke.com/block-the-bots-that-feed-ai-models-by-scraping-your-website/ -->
<meta name="robots" content="noai, noimageai">
<!-- Documented, feel free to shoot an email. -->
<link rel="stylesheet" href="/static/david/css/style_2021-01-20.css">
<!-- See https://www.zachleat.com/web/comprehensive-webfonts/ for the trade-off. -->
<link rel="preload" href="/static/david/css/fonts/triplicate_t4_poly_regular.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: light), (prefers-color-scheme: no-preference)" crossorigin>
<link rel="preload" href="/static/david/css/fonts/triplicate_t4_poly_bold.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: light), (prefers-color-scheme: no-preference)" crossorigin>
<link rel="preload" href="/static/david/css/fonts/triplicate_t4_poly_italic.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: light), (prefers-color-scheme: no-preference)" crossorigin>
<link rel="preload" href="/static/david/css/fonts/triplicate_t3_regular.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: dark)" crossorigin>
<link rel="preload" href="/static/david/css/fonts/triplicate_t3_bold.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: dark)" crossorigin>
<link rel="preload" href="/static/david/css/fonts/triplicate_t3_italic.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: dark)" crossorigin>
<script>
    function toggleTheme(themeName) {
        document.documentElement.classList.toggle(
            'forced-dark',
            themeName === 'dark'
        )
        document.documentElement.classList.toggle(
            'forced-light',
            themeName === 'light'
        )
    }
    const selectedTheme = localStorage.getItem('theme')
    if (selectedTheme !== 'undefined') {
        toggleTheme(selectedTheme)
    }
</script>

  <meta name="robots" content="noindex, nofollow">
  <meta content="origin-when-cross-origin" name="referrer">
  <!-- Canonical URL for SEO purposes -->
  <link rel="canonical" href="https://www.bleepingcomputer.com/news/microsoft/microsofts-new-windows-11-recall-is-a-privacy-nightmare/">

<body class="remarkdown h1-underline h2-underline h3-underline em-underscore hr-center ul-star pre-tick" data-instant-intensity="viewport-all">


<article>
  <header>
    <h1>Microsoft's new Windows 11 Recall is a privacy nightmare</h1>
  </header>
  <nav>
    <p class="center">
      <a href="/david/" title="Aller à l’accueil"><svg class="icon icon-home">
        <use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-home"></use>
      </svg> Accueil</a> •
      <a href="https://www.bleepingcomputer.com/news/microsoft/microsofts-new-windows-11-recall-is-a-privacy-nightmare/" title="Lien vers le contenu original">Source originale</a>
      <br>
      Mis en cache le 2024-05-24
    </p>
  </nav>
  <hr>
  <p><img alt="Windows 11 Recall" src="https://www.bleepstatic.com/content/hl-images/2024/05/20/windows-11-recall.jpg"></p>
<p>Microsoft's announcement of the new AI-powered Windows 11 Recall feature has sparked a lot of concern, with many thinking that it has created massive privacy risks and a new attack vector that threat actors can exploit to steal data.</p>
<p>Revealed during a Monday AI event, the feature is designed to help "recall" information you have looked at in the past, making it easily accessible via a simple search.</p>
<p>While it's currently only available on Copilot+ PCs running Snapdragon X ARM processors, Microsoft says they are working with Intel and AMD to create compatible CPUs.</p>
<p>Recall works by taking a screenshot of your active window every few seconds, recording everything you do in Windows for up to three months by default.</p>
<p>These snapshots will be analyzed by the on-device Neural Processing Unit (NPU) and an AI model to extract data from the screenshot. The data will be saved in a semantic index, allowing Windows users to browse through the snapshot history or search using human language queries.</p>
<div>
<figure class="image"><img alt="Windows 11 Recall" src="https://www.bleepstatic.com/images/news/Microsoft/windows-11/r/recall/windows-11-recal.jpg"><figcaption><strong>Windows 11 Recall</strong></figcaption></figure></div>
<p>Microsoft says that all of this data is encrypted using BitLocker tied to the user's Windows account and is not shared with other users on the same device.</p>
<p>While this sounds fun and interesting, it immediately raised concerns about obvious privacy risks and whether Microsoft plans on gobbling up all of this data.</p>
<p>However, Microsoft says Recall has been designed so that all of the data is saved directly on the user's device in an encrypted format, providing users with complete control over the feature, including if it's enabled and what apps it can take screenshots of.</p>
<div class="fan_quote">
<p>"Recall is a key part of what makes Copilot+ PCs special, and Microsoft built privacy into Recall's design from the ground up. On Copilot+ PCs powered by a Snapdragon® X Series processor, you will see the Recall taskbar icon after you first activate your device. You can use that icon to open Recall's settings and make choices about what snapshots Recall collects and stores on your device. You can limit which snapshots Recall collects; for example, you can select specific apps or websites visited in a supported browser to filter out of your snapshots. In addition, you can pause snapshots on demand from the Recall icon in the system tray, clear some or all snapshots that have been stored, or delete all the snapshots from your device."</p><p>
❖ Microsoft</p></div>
<p>Microsoft also says it will not create screenshots of Microsoft Edge's InPrivate windows (and other Chromium-based browsers) or content protected by DRM. However, they have not confirmed whether other browser's private modes, like Firefox, will be supported.</p>
<p>In a Monday press event, Yusuf Mehdi, Corporate Vice President &amp; Consumer Chief Marketing Officer, assured journalists that Microsoft is taking a very conservative approach with Recall.</p>
<p>"We're going to keep your Recall index private and local and secure on just the device," said Mehdi.</p>
<p>"We won't use any of that information to train any AI model, and we put you completely in control with the ability to edit and delete anything that is captured."</p>
<p>Furthermore, Microsoft also reiterated to BleepingComputer that data for Recall will only be available locally and not be stored in the cloud, with the company once again restating that "data is not accessed by Microsoft."</p>
<p>Microsoft has also started to share more technical details, such as <a href="https://learn.microsoft.com/en-us/windows/client-management/manage-recall#configure-policies-for-recall" target="_blank" rel="nofollow noopener">group policies</a> that can be used to disable Recall company-wide and how end users can <a href="https://support.microsoft.com/en-us/windows/privacy-and-control-over-your-recall-experience-d404f672-7647-41e5-886c-a3c59680af15" target="_blank" rel="nofollow noopener">disable the feature</a>.</p>
<h2>Cybersecurity experts and regular users still concerned</h2>
<p>Microsoft's promises have not done much to reassure the cybersecurity community or its customers, with <a data-sk="tooltip_parent" data-stringify-link="https://x.com/BleepinComputer/status/1792631130983706926" delay="150" href="https://x.com/BleepinComputer/status/1792631130983706926" rel="noopener noreferrer" target="_blank">our tweet</a> regarding this new feature receiving over 90 comments, all negative.</p>
<p><a href="https://twitter.com/SchizoDuckie/status/1792640796333650342" target="_blank" rel="nofollow noopener"><img alt="Schizoduckie tweet" src="https://www.bleepstatic.com/images/news/Microsoft/windows-11/r/recall/security-concerns/schizo-tweet.jpg"></a></p>
<p>So, why are most cybersecurity experts, researchers, and analysts so worried about this feature?</p>
<p>First and foremost, large companies have a history of exploiting users' data for their own profit, making it <a data-sk="tooltip_parent" data-stringify-link="https://x.com/MegaMarian12350/status/1792642295814082659" delay="150" href="https://x.com/MegaMarian12350/status/1792642295814082659" rel="noopener noreferrer" target="_blank">hard for users to trust Microsoft</a> when they say they won't access the Recall data.</p>
<p>Users are not alone, as the United Kingdom's data protection agency, the Information Commissioner's Office (ICO), is also contacting Microsoft to ensure that users' data will be properly safeguarded and not used by the company.</p>
<p>"We expect organisations to be transparent with users about how their data is being used and only process personal data to the extent that it is necessary to achieve a specific purpose. Industry must consider data protection from the outset and rigorously assess and mitigate risks to peoples' rights and freedoms before bringing products to market," reads a <a href="https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2024/05/statement-in-response-to-microsoft-recall-feature/" target="_blank" rel="nofollow noopener">press statement</a> from the ICO.</p>
<p>"We are making enquiries with Microsoft to understand the safeguards in place to protect user privacy."</p>
<p>Even if we accept that Microsoft will not access Recall data, there are still massive security and privacy implications with this product.</p>
<p>Microsoft admits that the feature performs no content moderation, meaning it will gobble up anything it sees, including passwords in a password manager or your account numbers on your banking website.</p>
<p>Or if you are in Word, writing a confidential agreement, a screenshot of that content will be created, too. If you have a single PC and share it with others, then you may want to be careful about what pictures or videos you look at, as, guess what, those will be recorded as well.</p>
<p>Yes, you can block apps from being screenshotted by this feature, but most people will just let it run without mucking around with the feature's settings.</p>
<p>All of this information is now stored in Windows 11's semantic index and easily searchable by anyone with access to your PC, whether authorized or not.</p>
<p>That's just the tip of the iceberg, though.</p>
<p>If a threat actor or malware compromised your device, all of this data will already be decrypted by Bitlocker, making it accessible to the hacker. </p>
<p>For example, a threat actor or malware could simply steal a Recall database and upload it to their own servers for analysis. This information could then be used to extort users or potentially breach user's accounts if credentials were exposed.</p>
<p>Cybersecurity expert Kevin Beaumont, known to be an outspoken critic of Microsoft at times, also expressed concern about how this feature creates a massive attack surface, likening it to a keylogger "baked into Windows."</p>
<p>"If you look at what has happened historically with infostealer malware — malicious software snuck onto PCs — it has pivoted to automatically steal browser passwords stored locally," Beaumont explained in a <a href="https://doublepulsar.com/how-the-new-microsoft-recall-feature-fundamentally-undermines-windows-security-aa072829f218" target="_blank" rel="nofollow noopener">new blog post</a>.</p>
<p>"In other words, if a malicious threat actor gains access to a system, they already steal important databases stored locally. They can just extend this to steal information recorded by Copilot's Recall feature."</p>
<p>And it's not only information-stealing malware, as enterprise-targeting malware like TrickBot had previously included modules that would<a href="https://www.bleepingcomputer.com/news/security/trickbot-now-steals-windows-active-directory-credentials/" target="_blank"> steal a domain's Active Directory database</a> for offline cracking of credentials. There is nothing to stop malware from taking a similar approach and stealing the Recall databases as well.</p>
<p>Microsoft has always taken the stance with vulnerabilities and attacks that once a device is compromised, all bets are off, and security boundaries are thrown out the window.</p>
<p>Basically, you got infected or fell for a social engineering attack, so it's your fault all these bad things will happen to you.</p>
<p>However, as Microsoft is one of, if not <strong>the</strong>, largest caretakers of consumer data and computing security, it seems irresponsible to introduce additional risk into an already risky environment.</p>
<p>While we can go on and on expressing how this feature is a massive privacy risk, I will instead leave you with this quote from <a href="https://blogs.microsoft.com/blog/2024/05/03/prioritizing-security-above-all-else/" target="_blank" rel="nofollow noopener">Microsoft's recent pledge</a> to prioritize security above all else.</p>
<p>"If you're faced with the tradeoff between security and another priority, your answer is clear: <strong>Do security</strong>. In some cases, this will mean prioritizing security above other things we do, such as releasing new features or providing ongoing support for legacy systems," Microsoft's CEO Satya Nadella said in an email to Microsoft employees.</p>
<p>"This is key to advancing both our platform quality and capability such that we can protect the digital estates of our customers and build a safer world for all."</p>
<p><em>Update 5/22/24: This article previously said Microsoft is working with Intel and AMD to make all Windows 11 devices compatible, when they are instead working with them to make compatible CPUs.</em></p>
</article>


<hr>

<footer>
  <p>
    <a href="/david/" title="Aller à l’accueil"><svg class="icon icon-home">
        <use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-home"></use>
      </svg> Accueil</a> •
    <a href="/david/log/" title="Accès au flux RSS"><svg class="icon icon-rss2">
        <use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-rss2"></use>
      </svg> Suivre</a> •
    <a href="http://larlet.com" title="Go to my English profile" data-instant><svg class="icon icon-user-tie">
        <use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-user-tie"></use>
      </svg> Pro</a> •
    <a href="mailto:david%40larlet.fr" title="Envoyer un courriel"><svg class="icon icon-mail">
        <use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-mail"></use>
      </svg> Email</a> •
    <abbr class="nowrap" title="Hébergeur : Alwaysdata, 62 rue Tiquetonne 75002 Paris, +33184162340"><svg class="icon icon-hammer2">
        <use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-hammer2"></use>
      </svg> Légal</abbr>
  </p>
  <template id="theme-selector">
      <form>
          <fieldset>
              <legend><svg class="icon icon-brightness-contrast">
                <use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-brightness-contrast"></use>
              </svg> Thème</legend>
              <label>
                  <input type="radio" value="auto" name="chosen-color-scheme" checked> Auto
              </label>
              <label>
                  <input type="radio" value="dark" name="chosen-color-scheme"> Foncé
              </label>
              <label>
                  <input type="radio" value="light" name="chosen-color-scheme"> Clair
              </label>
          </fieldset>
      </form>
  </template>
</footer>
<script src="/static/david/js/instantpage-5.1.0.min.js" type="module"></script>
<script>
    function loadThemeForm(templateName) {
        const themeSelectorTemplate = document.querySelector(templateName)
        const form = themeSelectorTemplate.content.firstElementChild
        themeSelectorTemplate.replaceWith(form)

        form.addEventListener('change', (e) => {
            const chosenColorScheme = e.target.value
            localStorage.setItem('theme', chosenColorScheme)
            toggleTheme(chosenColorScheme)
        })

        const selectedTheme = localStorage.getItem('theme')
        if (selectedTheme && selectedTheme !== 'undefined') {
            form.querySelector(`[value="${selectedTheme}"]`).checked = true
        }
    }

    const prefersColorSchemeDark = '(prefers-color-scheme: dark)'
    window.addEventListener('load', () => {
        let hasDarkRules = false
        for (const styleSheet of Array.from(document.styleSheets)) {
            let mediaRules = []
            for (const cssRule of styleSheet.cssRules) {
                if (cssRule.type !== CSSRule.MEDIA_RULE) {
                    continue
                }
                // WARNING: Safari does not have/supports `conditionText`.
                if (cssRule.conditionText) {
                    if (cssRule.conditionText !== prefersColorSchemeDark) {
                        continue
                    }
                } else {
                    if (cssRule.cssText.startsWith(prefersColorSchemeDark)) {
                        continue
                    }
                }
                mediaRules = mediaRules.concat(Array.from(cssRule.cssRules))
            }

            // WARNING: do not try to insert a Rule to a styleSheet you are
            // currently iterating on, otherwise the browser will be stuck
            // in a infinite loop…
            for (const mediaRule of mediaRules) {
                styleSheet.insertRule(mediaRule.cssText)
                hasDarkRules = true
            }
        }
        if (hasDarkRules) {
            loadThemeForm('#theme-selector')
        }
    })
</script>
</body>
</html>