Microsoft Beefs Up Windows Recall’s Security, Users Can Choose To Uninstall

Low Boon Shen

Some bits of good news for Microsoft’s ill-received Recall feature originally destined for Windows 11 Copilot+ PCs: the software giant has announced several new measures to improve the feature’s privacy and security, and if that isn’t enough for some, they can choose to remove it from the system entirely.

Recall Is Now Opt-In

Microsoft has detailed several additions and improvements to the feature, which will soon be re-tested among Windows Insiders. Most importantly, Recall “is an opt-in experience,” the company wrote in its blog post. (Technical readers can read the blog and see how the new security architecture works in detail.)


The feature will be off by default unless users “proactively” turn it on in the initial setup process of Copilot+ PCs – as seen in the screenshot above, no buttons are highlighted, to avoid the so-called “dark patterns” that trick the user into clicking the wrong option. (Dark patterns are very widespread today, mainly used to benefit companies and service providers in a malicious way, and the practice has since drawn regulatory attention across the world.)

Alternatively, users can remove all components of the Recall feature entirely in Settings through the “Optional Features” page under the System tab. “That’s obviously super important for people who just don’t want this, and we totally get that,” Microsoft VP of Enterprise and OS Security, Devin Weston, told The Verge. “If you choose to uninstall this, we remove the bits from your machine.”

In this iteration, all contents within Recall will always be encrypted via the Trusted Platform Module (TPM), a hardware component that was mandatory for Windows 11 installs (and a big reason why many Windows 10 systems do not qualify for the upgrade). Accessing it requires Windows Hello, and under this condition the feature runs on two principles: VBS Enclaves with Zero Trust security, and runtime authorization of access to the Recall UI.

“This area acts like a locked box that can only be accessed after permission is granted by the user through Windows Hello,” the blog post states, noting that VBS offers complete isolation from the rest of the system, including both the OS kernel and administrative users. Barring any zero-day exploits, this means Recall data should be extremely resistant to attacks (it won’t stop hackers from trying, though). Additionally, the feature will lock once the user leaves the UI, and will require Windows Hello again for subsequent access.

Sensitive content such as passwords and IDs will be filtered by default, though Microsoft’s wording does suggest that it won’t be 100% effective at doing so. (Recall will be using the company’s enterprise-level tools to help with the detection, however.) Contents within private browsing sessions from all major web browsers will not be recorded, and users can delete or filter specific content as needed.

Pokdepinion: I’m personally satisfied with the changes, particularly the option to remove it completely from the system if needed. (I still wouldn’t use it, though.)
