UK watchdog probes Microsoft over its Copilot+ ‘Recall’ feature

22 May 2024

Image: © photo for everything/Stock.adobe.com

Microsoft has introduced a new feature to let users ‘Recall’ content they have seen before on Copilot+ PCs, but the feature is raising concerns among privacy experts.

The UK’s Information Commissioner’s Office (ICO) is making enquiries into a new feature Microsoft is offering for Copilot+ PC users, which takes screenshots of the user’s screen every few seconds.

This feature – Recall – is designed to help users find content that they have previously seen on the device. The optional feature will take regular screenshots of a user’s activities, which are then encrypted and stored on the Copilot+ PC.

“You can use Recall to locate the content you have viewed on your PC using search or on a timeline bar that allows you to scroll through your snapshots,” Microsoft said in a blogpost. “Once you find the snapshot that you were looking for in Recall, it will be analysed and offer you options to interact with the content.”

An ICO spokesperson said the organisation is making enquiries with Microsoft to “understand the safeguards in place to protect user privacy”.

“We expect organisations to be transparent with users about how their data is being used and only process personal data to the extent that it is necessary to achieve a specific purpose,” the spokesperson said. “Industry must consider data protection from the outset and rigorously assess and mitigate risks to peoples’ rights and freedoms before bringing products to market.”

Microsoft says Copilot+ PC users can limit the screenshots that Recall collects and that certain content will never be screenshotted – such as InPrivate web browsing on Microsoft Edge. But it also noted that Recall does not perform “content moderation”.

“It will not hide information such as passwords or financial account numbers,” the company said. “That data may be in snapshots that are stored on your device, especially when sites do not follow standard internet protocols like cloaking password entry.”

Jake Moore, a global cybersecurity adviser with ESET, said enabling a feature that captures screen data not only offers more data for a company, but also “opens up another avenue for criminals to attack”.

“Whilst this feature is not on by default, users should be mindful of allowing any content to be analysed by AI algorithms for a better experience,” Moore said. “Although it may produce better results, there is a balance that must be kept regarding functionality versus privacy and so users must remain aware of the potential risks should any sensitive data ever become compromised.

“Creating and storing more private data seems unnecessary when cybercriminals continually look for any given vulnerability to exploit.”

Find out how emerging tech trends are transforming tomorrow with our new podcast, Future Human: The Series. Listen now on Spotify, on Apple or wherever you get your podcasts.

Leigh Mc Gowran is a journalist with Silicon Republic

editorial@siliconrepublic.com