The controversial Microsoft Windows Recall AI app may still be in need of security work according to testing from the UK technology site, The Register.
The app, which takes screenshots of everything you do on your PC so you can find it later, supposedly has preventions to stop it from grabbing sensitive information like credit card numbers and passwords. However, the Register's team recently tested Recall and discovered that the filter actually fails "in many cases."
Recall has had a bumpy launch since it was announced as a new app for Copilot+ PCs in the summer of 2024. It was almost immediately pulled back due to security concerns, like capturing sensitive information.
The app stuttered into release and recall repeatedly, and was even caught capturing credit card numbers in December of 2024. It only recently returned to Windows Insiders in April of this year.
With Recall still in preview mode, Microsoft claims it's safe and private with a filter called "Filter sensitive information" which is enabled by default and is supposed to prevent sensitive data from being captured.
The Register's Avram Piltch used a Lenovo Yoga Slim 7x Copilot Plus PC with Recall enabled and entered in several types of personal information. He does credit the filter with excluding financial data, "some" passwords, and "most instances" of Social Security numbers.
However, he found that Recall snapped screenshots of his bank's home page and a number of screens showing his balance and deposits. Though it did exclude his account and routing numbers.
From there, Piltch performed a number of tests excluding certain language from forms or pages or storing information in different spots on his computer and much to his surprise, Recall captured that information. In one example, he wrote in a Word Doc "My SS#" and it was filtered out but when he changed it to Soc. # it did get captured.
And in one case, a document with passwords was totally captured, especially dangerous since many people might still keep their passwords in unsecure documents on their PCs (something we highly discourage given that several of the best password managers are completely free) even if they're not explicitly labeled "My passwords."
To be fair to Microsoft, the app is still in preview mode and has been since October of 2024. A blog post from November did state that Microsoft teams are working to improve the functionality of the security filter. Though, the app is being pushed during the Windows onboarding process, so perhaps that preview mode shouldn't be given as much slack.
You do have the option to block specific apps or websites from being captured. You have to go to Settings - Privacy & Security - Recall & snapshots. From there you can blacklist things. You could block your browser, though that might make Recall less useful especially if you work outside of Microsoft's office ecosystem.
If you're worried about Windows Recall potentially capturing your sensitive personal and financial data, there's an easy way to avoid this feature entirely: don't get a Copilot+ PC.
Windows Recall is designed to work specifically with laptops that use Qualcomm's Snapdragon processors, so by going with one of the best laptops powered by an Intel or AMD chip for your next upgrade, you won't have to worry about the potential security implications of this controversial feature at all.
Then again, Microsoft may decide to shelve Windows Recall for good at some point, especially given its lukewarm initial reception and the security and privacy issues it has faced already.
Follow Tom's Guide on Google News to get our up-to-date news, how-tos, and reviews in your feeds. Make sure to click the Follow button.
More from Tom's Guide
- Microsoft's 'enigma of success' grows ever higher with $27 billion in revenue after laying off 9,000 people
- Microsoft study reveals the 40 jobs AI is most likely to impact — and 40 that are safe (for now)
- Microsoft Authenticator is going to delete your passwords on Friday — what to do right now
![HIDevolution [2024] ASUS ROG...](https://images.fie.futurecdn.net/products/848664f20a82da37ee7b66f813eb40cdef2cfcf5-100-80.jpg.webp "HIDevolution [2024] ASUS ROG...")
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.
