May 24, 2024 - Technology

New Microsoft AI PC feature faces a privacy conundrum

Illustration: Annelise Capossela/Axios

A new memory-searching function in Microsoft's highly anticipated AI PCs is spurring concern among privacy-conscious executives and consumers.

Why it matters: Microsoft will have to address a growing list of questions about the functions of its new Recall feature in some Copilot+ PCs if it hopes to make the PCs a ubiquitous household and workplace device.

Driving the news: The U.K. Information Commissioner's Office has already contacted Microsoft about Recall's potential privacy issues, a spokesperson told the BBC this week.

Catch up quick: New Copilot+ PCs will come with a feature called Recall that lets users search through their past computer activity to help bring up any old files, photos, emails or browsing history.

  • The information is stored locally on a user's PC, so intruders would need access to the physical device, as well as a stolen password, to successfully break in.
  • AI PC owners can choose whether they want to participate in Recall, and participants can limit what screenshots Recall takes.

Cybersecurity experts warn that if a hacker can break into a PC, they could trick Recall into looking up users' sensitive information.

  • A hacker could still use trojan malware to trick a device into giving them remote access to Recall, security expert Kevin Beaumont alleges on X.
  • "Stuff may stay on your device, but that doesn't mean people can't get to it," Jen Golbeck, a professor focused on AI and data privacy at the University of Maryland, told CNN.

Between the lines: Recall poses unique challenges for enterprises that are looking to switch their workforce over to Microsoft's AI PCs.

  • Recall can't detect when sensitive information is included in a screenshot, like a user's password or medical information.
  • And it could pose a risk for employees who mix personal and corporate work on one computer. Confidential corporate data could end up in the Recall feature on an employee's personal device, for instance.

What they're saying: "The Recall stuff is not a good idea," Phil Libin, co-founder and former CEO of Evernote, told Axios. "And I think it's not a good idea across many dimensions, not just security. I think it's a very bad idea for security and privacy."

Yes, but: Yusuf Mehdi, who leads consumer marketing for Microsoft, told Axios that when he showed Recall to Microsoft's CISO, he was excited by the feature — noting it could help security teams figure out when and how malware may have infected someone's device.

What we're watching: Microsoft is rolling out the feature as it overhauls its internal cybersecurity strategy, which prioritizes security features over speedy product development.

  • Microsoft president Brad Smith will testify before Congress next month about this plan and last summer's China breach.