Summary

  • Having plain-text logs leaves Recall open to remote hackers due to its MySQL database storage.
  • If someone gains access to the database, they can cause serious damage and retrieve personal information.
  • Recall indiscriminately saves everything seen, including sensitive data, putting user privacy at risk and raising legal concerns.

Microsoft has had a real tug-of-war trying to convince people that Copilot+'s new Recall feature is worth using. When we first saw it, we were awed that it could remember how you use your PC and recall things like the text messages you received, the apps you opened, and the websites you visited. Then we discovered that Recall could do this because it took a screenshot of your entire desktop every time it wanted to remember something, and suddenly, it wasn't so exciting anymore.

Microsoft scrambled to reassure people that Recall wouldn't be a privacy threat by stating that all of the data it collected was encrypted and couldn't be used by anyone except the end user. Then cybersecurity expert Kevin Beaumont discovered that Recall saves all of its information as plain text in a MySQL database, which caused people to worry again. Microsoft finally backed down and changed how Recall worked, including disabling it by default. However, the service still needs a lot of work before its big release, or else Microsoft may be walking head-first into legal issues.

Having plain-text logs leaves Recall open to remote hackers

If someone gets access to the database, it can cause serious damage

One of the biggest defenses Microsoft had for Recall was its encryption. The idea is that, if a remote attacker tries to gain access to the screenshots that Recall is taking, they are automatically encrypted by BitLocker, which stops the attacker from stealing information. This was a strong enough argument for Microsoft to justify having Recall run on people's computers by default.

However, Kevin Beaumont's discovery of the plain-text MySQL database throws a wrench into this argument. If Microsoft ships Recall in its current state, there's a very good chance that malicious agents can find a way to grab this file and read all of the logs Recall is keeping. Recall uses the database to store its memory by looking at the screenshot, grabbing the text it sees, and writing it into the database. As such, getting hold of this database gives a malicious agent all of the victim's emails, text messages, websites visited - you name it.

Recall doesn't care what it stores - it'll save everything it can see

A lot of personal data is up for grabs

The above scenario wouldn't be such a big deal if Recall didn't save any personal data. However, Kevin Beaumont also notes that Recall doesn't really care about what it saves. As stated on Double Pulsar:

Q. What kind of things are in the database?

A. Everything a user has ever seen, ordered by application. Every bit of text the user has seen, with some minor exceptions (e.g. Microsoft Edge InPrivate mode is excluded, but Google Chrome isn’t).

Every user interaction, e.g. minimizing a window. There is an API for user activity, and third party apps can plug in to enrich data and also view store data.

It also stores all websites you visit, even if third party.

Q. If I delete an email/WhatsApp/Signal/Teams message, is it deleted from Recall?

A. No, it stays in the database indefinitely.

As such, sensitive data could fall into the wrong hands if someone manages to get their hands on Recall's data. We're talking about information entered into banking websites, messages that were meant to be secret, deleted media, and everything you can imagine. It could have a huge impact on people's lives if this information leaks online.

Governmental eyes are already on Copilot+

Microsoft can't slide Recall under the noses of those who make the laws

Microsoft Recall running on a Copilot+ device.

Unfortunately for Microsoft, people are going to be poring over Copilot+ with a scrutinizing eye the moment the update is released. Ever since Recall was announced, Microsoft has come under scrutiny from governments that are concerned about this new technology and how it can affect their citizens. For example, as reported by the BBC, a UK watchdog didn't like the sound of Recall's privacy issues and opened communications with the Redmond giant to ask for more information about the feature. As such, you can be certain that researchers will be prodding Recall's defenses the moment it's available, and if they find something bad, it could land Microsoft in big trouble.

Microsoft needs to be careful with Recall

In its current state, Recall may get Microsoft into some serious legal trouble if the company continues with its rollout. If Kevin Beaumont's claims are right and remote agents can pilfer people's computer activities through a plain-text database, it could be catastrophic for anyone affected by the attacks. As such, it'd be best if Microsoft, ironically, recalled Recall for the time being until it manages to iron out these privacy holes. If it decides to throw caution to the wind and forge ahead to outdo its competitors, it may end up doing more harm than good.