The UK privacy watchdog Information Commissioner’s Office (ICO) is investigating Microsoft Copilot’s new Recall feature.
The Recall feature is present in the new AI-assistant Copilot+ PCs that have been purpose-built to meet consumer demand for devices with artificial intelligence capabilities as standard.
Concerns have been raised about data security with Recall because it progressively takes screenshots while a Copilot+ PC is in use. These screenshots record all data, including personal data, which has worried regulators like the British ICO.
The ICO is the United Kingdom’s regulatory watchdog responsible for reporting data breaches, threats to public information security, and the risks of illegal activity in the digital domain.
How does Microsoft Copilot’s Recall feature work?
The Recall feature is designed to find content on a user’s PC and support the generative AI data-compiling method.
To do this, the Recall feature must progressively take snapshots of the user’s screen content to create a library that enhances the AI responses. This library is then sent to the Recall app, which uses the gathered content to piece together the answers to a user’s AI queries.
Things like gaming snapshots, pulling a certain document from weeks past, or going back to an old Zoom meeting seem innocuous.
In theory, this is an AI “learning” a user’s patterns and favorite things to search for, but it raises many security concerns.
Microsoft stated that Recall “will not hide information such as passwords or financial account numbers. That data may be in snapshots that are stored on your device, especially when sites do not follow standard internet protocols like cloaking password entry.”
The UK’s ICO has now raised concerns with Microsoft: “We are making inquiries with Microsoft to understand the safeguards in place to protect user privacy.”
Microsoft security guide
Microsoft has posted a guide to the new Recall features focusing on privacy and security. The computer giant states the Recall feature can be manually turned off on Copilot+ PCs by going to “Settings > Privacy & security > Recall & snapshots”.
Despite this guide to pause or turn off the tool, the questions about how data is used and the safeguards in place remain.
Microsoft did say that no internet or network connection is required to use the feature.
The company also stated that all data is stored locally on the device. The company said, “Snapshots are encrypted by Device Encryption or BitLocker, which are enabled by default on Windows 11.”
The ICO hopes Microsoft will be “transparent with users about how their data is being used and only process personal data to the extent that it is necessary to achieve a specific purpose. Industry must consider data protection from the outset and rigorously assess and mitigate risks to people’s rights and freedoms before bringing products to market.”
Beyond publishing the Recall privacy guide, Microsoft has yet to respond, but the ICO will be hoping for more reassurance that user data, even if encrypted, is safeguarded.