Skip to content

Microsoft Recall feature fails to protect sensitive information

  • by
  • 3 min read

Microsoft has reintroduced its Recall feature to Windows Insider builds, touting enhanced privacy safeguards after pulling it earlier this year due to security concerns. While the revamped tool aims to block the capture of sensitive information like credit card numbers and Social Security details, early tests reveal significant gaps in its performance outside controlled areas like Notepad or Edge, leaving users’ private data vulnerable in many everyday scenarios.

In testing conducted by Tom’s Hardware, the filter failed outside of controlled environments, such as e-commerce websites. When sensitive data, such as credit card numbers or Social Security numbers, was entered into other applications—like Notepad or a loan application PDF viewed in Microsoft Edge—Recall captured this information without hesitation.

Even a custom HTML page with clearly labelled credit card fields failed to trigger the filter. These failures highlight a significant gap in the tool’s ability to generalise protection to less conventional scenarios.

However, Recall successfully avoided capturing sensitive fields on some e-commerce sites, such as Pimoroni and Adafruit. Recall skipped the screens with payment fields when navigating their payment pages or displaying a blank form.

This shows the software’s filter can identify and block certain pre-configured or recognised scenarios.

The Recall feature has not gone well with the public and cyber security experts.

Microsoft’s filter relies on AI to detect and block sensitive content, but its effectiveness is limited to predefined use cases. This could leave users vulnerable in everyday situations, as many people write down sensitive information in text files or fill out forms in applications not explicitly flagged as risky by the filter.

The Recall feature utilises Copilot Plus to capture screenshots and subsequently allows users to search and retrieve items from a scrollable timeline. Following public outcry, Microsoft updated the Recall version by integrating a default setting to ‘Filter sensitive information.’

This filter is intended to prevent the capture of sensitive data like credit card numbers, Social Security numbers, and other personal identifiers.

While Microsoft acknowledges these limitations, the company has framed the feature as a work in progress. Microsoft encourages users to enable an anonymous reporting feature in Recall’s settings to help refine its AI detection capabilities.

Users should exercise caution when using Recall, especially when handling sensitive information. Until Microsoft addresses these gaps, the feature might pose more risks than benefits in certain contexts.

In the News: Character AI rolls out content filtering, parental controls and more

Kumar Hemant

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me

>