Microsoft’s Recall Feature Returns with Enhanced Security, But Caution Advised
Nearly a year after its problematic debut, Microsoft’s Recall feature is making a comeback. In a blog post dated April 25, Microsoft announced it will begin rolling out the Windows Recall tool on Copilot+ PCs, claiming significant security improvements for the previously controversial screen recording tool.
The tool’s security and privacy features have been notably improved from the earlier versions that faced backlash, prompting Microsoft to delay its release for further development and testing. Despite the improvements, some key security issues persist, particularly around biometrics and the recording of sensitive data. Users handling sensitive information are advised to remain cautious.
Recall is now available for Copilot+ PCs via the April 2025 Windows non-security preview update, with a broader rollout expected in the coming month through controlled feature rollout (CFR).
Remaining Security Concerns
Independent security researcher Kevin Beaumont, who initially raised concerns about Recall in June 2024, acknowledged Microsoft’s efforts to improve the feature. While the tool is now opt-in rather than enabled by default, and its core SQLite database is encrypted, some significant issues remain. For instance, while biometrics are used for Recall setup, they are not required after that initial setup, meaning someone with knowledge of the user’s PIN could gain access.
“The biometrics is just the initial onboarding. It doesn’t apply afterward,” Beaumont explained. “I think this is a big miss by Microsoft — biometrics should be required every time Recall is accessed to avoid a false sense of security.”
The sensitive data filter, which is designed to exclude information like credit card numbers, still doesn’t work reliably. Beaumont shared that a fake credit card number he typed while using the Vivaldi browser was still recorded by Recall.
He advised users to pause Recall before online shopping or sensitive activities to avoid unintended recordings, as it captures everything the user does. Beaumont also raised concerns that private conversations on messaging apps like Signal, WhatsApp, or Teams could be captured by Recall, even if users thought they had deleted them.
Who Should Avoid Microsoft Recall?
Beaumont cautioned certain individuals and professions against using Recall, including:
- People in domestic violence situations or troubled personal relationships
- Journalists and their confidential sources
- At-risk minority groups
- Politically exposed persons
- Companies that haven’t fully assessed Recall’s privacy and security implications
- Individuals traveling to countries with limited civil liberties
Though Microsoft has made strides in improving the Recall feature, its potential privacy risks make it unsuitable for those dealing with highly sensitive information.
Found this article interesting? Follow us on X(Twitter) ,Threads and FaceBook to read more exclusive content we post.
