Recall Goes to the Theater (Premium)

Recall is finally here in preview, at least for those silly enough to put a Snapdragon X-based Copilot+ PC in the Dev channel of the Windows Insider Program. I am that silly, of course, but I at least followed my own advice and created USB-based recovery media so I can get it back when needed. As for Recall itself, now that I can finally access this useful feature, I’m even less clear what all the fuss was about.

Not that there aren’t improvements: Thanks to all the unnecessary drama about the non-existent security problems, Microsoft did make a few changes to Recall, the most important, arguably, being that it’s now testing it in preview in the Insider Program. It originally intended to ship this feature to the public, in preview, with no formal testing at all.

Microsoft also changed Recall to be opt-in for consumers–it was originally going to be opt-out–and uninstallable to silence the Luddites. And it’s not installed by default on PCs managed by businesses and other organizations. These changes are all important, positive differences from what Microsoft originally intended.

It feels like this was all so long ago.

But thinking back to the original Copilot+ PC announcement in May, I um, recall Microsoft telling attendees of the event that Recall would be optional. I and many others took it to mean opt-in, something one agreed to enable and use. But Recall was going to be enabled by default. Windows 11 Setup would alert the user to this fact, but then they would have to figure out how to disable it after the fact. In other words, it was opt-out. This is a form of dark pattern, where Microsoft wanted to lead users down a specific path using confusing language, and so I viewed its initial round of concessions as a victory for common sense and the rare example of Microsoft reversing what can only be described as yet another example of enshittification in Windows 11.

The original situation was even worse for businesses. At the time of the announcement, not only did Microsoft plan to enable Recall for people using PCs managed by businesses–in other words, those controlled by corporate policy–but it wasn’t going to let those businesses disable Recall. That is, Recall would exist outside of policy and was aimed at the people using those PCs, not at the companies managing them. Policy and control might come later, I was told. But in its initial form, Recall, for lack of a better term, was for the people.

This was a huge mistake. That this flies in the face of reality goes without saying. Commercial entities–companies, especially, but also governments, educational institutions, and other organizations–aren’t just the biggest customer base for Windows, they’re also the most important and financially lucrative. This is not an audience Microsoft can afford to anger, though consumers very clearly are. And so in the months since the Recall reveal and during the subsequent delays, Microsoft made an even bigger change: Now, Recall isn’t even installed by default on managed PCs or on any install of Windows 11 Enterprise. And organizations that want their users to have Recall have to specifically enable it using policy first.

These two changes represent a stunning turnaround for a part of Microsoft not known for common sense let alone quickly responding to customer complaints. More to the point, these changes address the only reasonable concerns that were voiced about Recall before its release. I wish Microsoft handled every example of terribleness in Windows 11 in a similar fashion. If it did, we would be having very different conversations about the OS.

But what about the “changes” to the security model that Microsoft announced in June and then again in September? Aren’t they meaningful as well?

I addressed both rounds of updates separately–in June and then in September, respectively–explaining both times that Microsoft had not really made any substantial changes, and that the built-in protections that were there from the beginning were moving forward largely unchanged. But there was one bit I wasn’t sure about at the time: In September, Microsoft noted that “access to Recall data will require Windows Hello (ESS) authentication every single time,” which it presented as a change. But it’s not: That’s how Windows Hello ESS works.

I view the situation with Recall the same way I view the news that Microsoft is auto-enabling BitLocker (Device Encryption) on new Windows 11 version 24H2 installs: It’s not materially different from the way it was before from a user experience standpoint, but the company talks about it like it’s new, and it makes it seem like it’s improving security. In both cases, there are literally changes being made under the hood, but those changes are subtle and almost immaterial. From the user’s perspective, it’s no different.

Even the functional improvements it’s made–like the new filtering capabilities that automatically filter out passwords, credit card numbers, and other sensitive information–were always going to happen. But because Recall has been delayed multiple times, Microsoft can now claim these changes happened in response to concerns and aren’t just due to the passage of time. But Recall was always going to appear in preview on a limited set of PCs–based solely on the Snapdragon X platform–and this feature was always going to improve before it was made available to more (AMD- and Intel-based) PCs, let alone exited preview. So we’re just seeing what was going to happen anyway. The only difference is that we’ve been deprived of Recall in the interim. Thanks!

Now that this little nightmare is over, however, we can see for ourselves how the feature works. And security experts are free to hammer away at it, for real this time, on the hardware and with the configurations Microsoft always intended. And we’ll see what they come up with. My bet is that it will mostly be a lot of patting themselves on the back for a job well done, which is undeserved but inevitable. Here we are, six months later, and Microsoft has yet to “thank” them for this work, something it does routinely when outside researchers discover flaws with their products and services and follow the correct reporting procedures. That’s telling.

What it did do Friday, for the first time, was “recognize the contributions of researchers and the security community in shaping Recall,” a hilariously backhanded non-compliment that’s accompanied by a plea that maybe this time they do the right thing: Provide feedback on Recall’s security and privacy architecture as it really is and not as they imagined it, and to do so through the right channels. What a concept.

And then there’s Recall. What’s that like?

The initial set-up process is curiously convoluted, but that’s only because it wasn’t installed with the OS as expected. All the AI-based features on Copilot+ PCs utilize one or more small language models (SLMs) that are installed on-disk alongside them, and to date, these things have all been preinstalled, so most users never really know this is happening or need to think about it. But after installing the Dev channel build of Windows 11 that includes Recall, you can’t just use Recall. No, you first need to install what Microsoft calls “updates for Recall” via Windows Update.

These updates consist of three SLMs, or what Windows Update identifies as AI components: Image Extraction, Image Search, and Semantic Analysis. They don’t all install at once, you have to manually check for updates three times in a row to get them.

But once that’s done, Recall will work normally. You have to authenticate with Windows Hello ESS–and then do so again and again–to access the dashboard, which lets you see and manage the snapshots it takes.

Those snapshots are saved to a timeline–yes, like the old Timeline feature that Microsoft briefly offered in Windows 10, but also like File History–that you can scroll (or scrub) through as needed.

More likely, you’ll use search. And so it’s not surprising that the Search box in Recall is selected by default. For example, when I search for “Richard,” I see results related to that name.

I’ve not used Recall a lot yet–I installed it less than 24 hours ago–but I can already see how its AI-based image extraction functionality is useful. For apps with text–like this document or a text document I created yesterday while talking to Richard about our plans for January–it does automatic text extraction and lets you copy some or all of it to the Clipboard immediately, similarly to how the Snipping Tool works.

This is a feature, as it turns out, called Click to Do, that Microsoft announced back in early October. Similarly to Google’s Circle to Search feature in Android and Chrome OS, Click to Do connects what you’re looking at–text, as in my example, or an image–with appropriate tools that help you do something with that content. For text, that means copying it to the Clipboard, opening it in a compatible app (like Notepad or Visual Studio Code), or searching the web (with Bing, of course).

Images produce arguably more impressive capabilities. In addition to the above, I see options for Visual Search with Bing, blurring the background and erasing objects with Photos, and removing the background with Paint.

Recall can be easily toggled off and then on again as needed via a system tray-based icon.

And there is a comprehensive set of options for it in the Settings app, in Privacy & security > Recall & snapshots. You can filter out apps and websites from being snapshotted, as promised, and it supports specific browsers (Edge, Chrome, Firefox, and Chromium-based browsers). It also automatically filters sensitive information like passwords, credit card numbers, “and more,” though this isn’t in any way configurable.

To test that, I viewed one of my credit card numbers in Proton Pass, my password manager, in a web browser. It didn’t hide that number in any way. THE SECURITY RESEARCHERS WERE RIGHT. Kidding. But still a great example of why things like this need to be, I don’t know, tested before being foisted on the public. At least that’s happening.

The one thing I’ve not experienced yet is how Recall is pushed on customers during Windows Setup. To do that, I will need to enroll a second PC in the Dev channel of the Windows Insider Program and then reset it. Which … I will try to do today. I’m a bit squeamish on this one because I need to be able to recover that PC back to its factory stable image, and only my Surface Laptop 7 has an official recovery image. But I will do it.

In any event, this doesn’t seem like something that deserved all the drama it received. Whether it’s helpful or not in the long run is an open question. But now it’s a question we can answer for ourselves. I’ll keep using Recall and see how it goes.