Microsoft Recall caught capturing credit card and Social Security numbers despite reassurances it won't


Since its announcement in June, Microsoft's Windows Recall feature has had a controversial and bumpy few months. It faced immediate backlash over security concerns when it was revealed. The concern was mainly that Recall takes screenshots of your entire PC so that you can find information later if desired.

The AI tool for Copilot+ PCs was recalled so Microsoft could tweak the program and work on the security issues. Since then, it's been delayed several times, and it only recently became available to Windows Insiders, Microsoft's beta-testing program for early adopters.

According to Microsoft, the updated version of Recall still captures screenshots, but those screenshots are now supposed to be encrypted and have a "Filter sensitive information" setting enabled by default. This filter is meant to stop Recall from capturing apps or websites that show sensitive personal information like credit card numbers and Social Security numbers.

Unfortunately, this filter does not seem to be working. Our colleague, Avram Piltch, at Tom's Hardware, tested the revamped Recall and reported that the filter only worked a couple of times, "leaving a gaping hole in the protection it promises."

Piltch tested the filter by entering a credit card number, a random username and a password into a Windows Notepad window. Recall captured that information despite text denoting the number as a Visa card.

He also filled out a loan application PDF in Microsoft Edge, where a Social Security number was filled in alongside his name and date of birth. Recall captured that as well.

Piltch performed some other tests, but Recall seemed to filter out sensitive information only on a pair of e-commerce sites, Pimoroni and Adafruit.

In response to a query about the filter, Microsoft spokespeople sent him a blog post containing a Privacy section that reads:

"We’ve updated Recall to detect sensitive information like credit card details, passwords, and personal identification numbers. When detected, Recall won’t save or store those snapshots. We’ll continue to improve this functionality, and if you find sensitive information that should be filtered out for your context, language, or geography, please let us know through Feedback Hub. We’ve also provided an option in Settings that we encourage you to enable that will anonymously share the apps and sites you prefer to be excluded from Recall to help us improve the product."

What does Recall actually do?

Since few people have been able to try out Recall, here's a brief rundown of what the feature is supposed to do for you.

Microsoft pitches the tool as a way to find things more easily by searching your PC, in natural language, for anything you've seen on it.

To do this, Recall takes "snapshots" of your screen at regular intervals, which are stored locally on your computer and analyzed and indexed by AI.

The obvious concern here is that this digital record of everything on your PC and things you've done on your PC can potentially be accessed by bad actors. When Recall first appeared in the spring, it didn't even have encryption on the snapshots, and the database was stored as plain text. Those things have changed in the past few months.

Microsoft has also made Recall opt-in; it was previously opt-out.

The new Recall does have the mentioned filter and appears to encrypt data. Login also requires biometric data and passwords. And information can only be viewed in the Recall app.

That said, a determined bad actor with access to your password or PIN could bypass the biometric checks. And the Recall app can be viewed via TeamViewer, a popular remote access tool.

For now, if the filter isn't working, it means your data is being captured and that a series of missteps could make that information available to a bad actor.

Scott Younker
West Coast Reporter

Scott Younker is the West Coast Reporter at Tom’s Guide. He covers all the latest tech news. He’s been involved in tech since 2011 at various outlets and is on an ongoing hunt to build the easiest-to-use home media system. When not writing about the latest devices, you are more than welcome to discuss board games or disc golf with him.