New report finds security loopholes still exist in this controversial Windows 11 feature
(Image credit: Tom's Guide/Microsoft)
The controversial Microsoft Windows Recall AI app may still be in need of security work according to testing from the UK technology site, The Register.
The app, which takes screenshots of everything you do on your PC so you can find it later, supposedly has preventions to stop it from grabbing sensitive information like credit card numbers and passwords. However, the Register's team recently tested Recall and discovered that the filter actually fails "in many cases."
Recall has had a bumpy launch since it was announced as a new app for Copilot+ PCs in the summer of 2024. It was almost immediately pulled back due to security concerns, like capturing sensitive information.
With Recall still in preview mode, Microsoft claims it's safe and private with a filter called "Filter sensitive information" which is enabled by default and is supposed to prevent sensitive data from being captured.
The Register's Avram Piltch used a Lenovo Yoga Slim 7x Copilot Plus PC with Recall enabled and entered in several types of personal information. He does credit the filter with excluding financial data, "some" passwords, and "most instances" of Social Security numbers.
However, he found that Recall snapped screenshots of his bank's home page and a number of screens showing his balance and deposits. Though it did exclude his account and routing numbers.
Sign up to get the BEST of Tom's Guide direct to your inbox.
Get instant access to breaking news, the hottest reviews, great deals and helpful tips.
From there, Piltch performed a number of tests excluding certain language from forms or pages or storing information in different spots on his computer and much to his surprise, Recall captured that information. In one example, he wrote in a Word Doc "My SS#" and it was filtered out but when he changed it to Soc. # it did get captured.
And in one case, a document with passwords was totally captured, especially dangerous since many people might still keep their passwords in unsecure documents on their PCs (something we highly discourage given that several of the best password managers are completely free) even if they're not explicitly labeled "My passwords."
To be fair to Microsoft, the app is still in preview mode and has been since October of 2024. A blog post from November did state that Microsoft teams are working to improve the functionality of the security filter. Though, the app is being pushed during the Windows onboarding process, so perhaps that preview mode shouldn't be given as much slack.
You do have the option to block specific apps or websites from being captured. You have to go to Settings - Privacy & Security - Recall & snapshots. From there you can blacklist things. You could block your browser, though that might make Recall less useful especially if you work outside of Microsoft's office ecosystem.
If you're worried about Windows Recall potentially capturing your sensitive personal and financial data, there's an easy way to avoid this feature entirely: don't get a Copilot+ PC.
Windows Recall is designed to work specifically with laptops that use Qualcomm's Snapdragon processors, so by going with one of the best laptops powered by an Intel or AMD chip for your next upgrade, you won't have to worry about the potential security implications of this controversial feature at all.
Then again, Microsoft may decide to shelve Windows Recall for good at some point, especially given its lukewarm initial reception and the security and privacy issues it has faced already.
Follow Tom's Guide on Google News to get our up-to-date news, how-tos, and reviews in your feeds. Make sure to click the Follow button.
Scott Younker is the West Coast Reporter at Tom’s Guide. He covers all the lastest tech news. He’s been involved in tech since 2011 at various outlets and is on an ongoing hunt to build the easiest to use home media system. When not writing about the latest devices, you are more than welcome to discuss board games or disc golf with him. He also handles all the Connections coverage on Tom's Guide and has been playing the addictive NYT game since it released.
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.
