Microsoft Provides Update on Recall, Addresses Complaints

Responding to the criticisms, Microsoft is making changes to the Recall feature that will launch soon in preview on Copilot+ PCs.

“We know for people to get the full value out of experiences like Recall, they have to trust it,” Microsoft corporate vice president Pavan Davuluri writes. “That’s why we are launching Recall in preview on Copilot+ PCs – to give customers a choice to engage with the feature early, or not, and to give us an opportunity to learn from the types of real world scenarios customers and the Windows community finds most useful. [But] we have heard a clear signal that we can make it easier for people to choose to enable Recall on their Copilot+ PC and improve privacy and security safeguards.”

With that in mind, Microsoft is making the following changes to Recall:

• It will update the initial Setup experience to make Recall explicitly an opt-in feature. Yes, there are clear “Yes” and “No” choices now.
• It will also require users to enroll in Windows Hello before they can enable Recall. That one’s interesting because I was told that was already a requirement. (It’s possible that this change is related to a user disabling this requirement while signed in and then enabling Recall on a second user account without Windows Hello authentication configured.) It will also require “proof of presence” (whatever that means) to use Recall.
• Microsoft is also “adding additional layers of data protection including ‘just in time’ decryption protected by Windows Hello Enhanced Sign-in Security (ESS) so Recall snapshots will only be decrypted and accessible when the user authenticates.” ESS was already a requirement for Recall, and one of several reasons why many of the criticisms we’ve seen so far are off-base, but this addition is interesting.
• Finally, Microsoft is encrypting the search index database (which necessitates that above change). This, too, was something Microsoft had said was already a feature of Recall–which would prevent a user on a PC from accessing another user’s database–but I guess it’s there now.

Beyond this, Microsoft is reiterating that Copilot+ PCs and Recall are “secure by default and secure by design.” These PCs ship with additional data protections that already rendered most of the complaints about Recall moot, like Microsoft Pluton security chips and Windows Hello Enhanced Sign-in Security (ESS). Of course, I wrote about that previously. Twice.

Anyway, I’m not surprised Microsoft responded to the feedback. I am pleased it did so this quickly and before Copilot+ PCs arrived in the market.