Microsoft Recall caught capturing credit card and Social Security numbers despite reassurances it won't
The sensitive information filter doesn't appear to work
Since its announcement in June, Microsoft's Windows Recall feature has had a controversial and bumpy few months. It faced immediate backlash over security concerns when it was revealed, mainly because Recall takes screenshots of your entire PC so that you can find information later if desired.
The AI tool for Copilot+ PCs was recalled so Microsoft could tweak the program and work on the security issues. Since then, it's been delayed several times, and only recently became available for Windows Insiders, Microsoft's beta-testing program for early adopters.
According to Microsoft, the updated version of Recall still captures screenshots, but those screenshots are now supposed to be encrypted and have a "Filter sensitive information" setting enabled by default. This filter is meant to stop Recall from capturing apps or websites that show sensitive personal information like credit card numbers and Social Security numbers.
Unfortunately, this filter does not seem to be working. Our colleague, Avram Piltch, at Tom's Hardware, tested the revamped Recall and reported that the filter only worked a couple of times, "leaving a gaping hole in the protection it promises."
Piltch tested the filter by entering a credit card number, a random username and a password into a Windows Notepad window. Recall captured that information despite text denoting the number as a Visa card.
He also filled out a loan application PDF in Microsoft Edge, where a Social Security number was filled in alongside his name and date of birth. Recall captured that as well.
Piltch performed some other tests, but Recall seemed to filter out sensitive information only on a pair of e-commerce sites, Pimoroni and Adafruit.
In response to a query about the filter, Microsoft spokespeople sent him a blog post containing a Privacy section that reads:
"We’ve updated Recall to detect sensitive information like credit card details, passwords, and personal identification numbers. When detected, Recall won’t save or store those snapshots. We’ll continue to improve this functionality, and if you find sensitive information that should be filtered out for your context, language, or geography, please let us know through Feedback Hub. We’ve also provided an option in Settings that we encourage you to enable that will anonymously share the apps and sites you prefer to be excluded from Recall to help us improve the product."
What does Recall actually do?
Since few people have been able to try out Recall, here's a brief rundown of what the feature is supposed to do for you.
Microsoft pitches the tool as a way to find things more easily by searching, in natural language, for anything you've seen on your PC.
To do this, Recall takes "snapshots" of your screen at regular intervals, which are stored locally on your computer and analyzed and indexed by AI.
The obvious concern here is that this digital record of everything on your PC and things you've done on your PC can potentially be accessed by bad actors. When Recall first appeared in the spring, it didn't even have encryption on the snapshots, and the database was stored as plain text. Those things have changed in the past few months.
Microsoft has also made Recall opt-in; it was previously opt-out.
The new Recall does have the mentioned filter and appears to encrypt data. Login also requires biometric data and passwords. And information can only be viewed in the Recall app.
That said, a determined bad actor with access to your password or PIN could bypass the biometric checks. And you can view the Recall app via TeamViewer, a popular remote access tool.
For now, if the filter isn't working, it means your data is being captured and that a series of missteps could make that information available to a bad actor.
Scott Younker is the West Coast Reporter at Tom’s Guide. He covers all the latest tech news. He’s been involved in tech since 2011 at various outlets and is on an ongoing hunt to build the easiest to use home media system. When not writing about the latest devices, you are more than welcome to discuss board games or disc golf with him.