Vibes-based security and Windows Recall

Posted by Matt Birchler

Paul Thurrott: Windows 11 Recall Is Not a Privacy Concern

But we all knew this was coming, that privacy advocates would immediately stomp all over this functionality without taking the time to understand how it even works. To be fair, it doesn’t help that we’re still reeling from and dealing with very real privacy concerns related to AI and the data-stealing monsters in Big Tech that are pushing forward in that area without any regard whatsoever to ethics or the law. And that Microsoft, the maker of Recall, is in bed with the worst offender, OpenAI. Suspicion in some cases is warranted.

And:

An article on Microsoft Learn provides more information, noting that Recall only works with supported web browsers (Chromium-based), supports policies so that organizations can simply disable it entirely, can’t save snapshots of InPrivate windows, blocked apps, and blocked websites, and supports many user-facing settings for filtering which apps and websites can be included in snapshots.

From my perspective, Recall is a cool feature that some people will immediately find useful, and I think others will discover they’re happy they have it when it saves their bacon down the road. Personally, I’d prefer to have this feature built by the operating system owner rather than a third party.

Thurrott is frustrated with the vibes-based response to this feeling like a privacy nightmare, even though looking into how it technically works reveals many of those fears are unfounded. I will say that a lot of privacy for normal people is how things feel, and not necessarily how they actually work. Microsoft still needs to actually make this a private feature, but it also needs to demonstrate to users that it’s as private as they say it is. They’d never do this on stage, but based on the reactions I’ve seen, they really could have nipped a lot of this in the bud by showing that looking at porn in a private window would not be captured.

I’ve also seen privacy experts express concern that if someone got access to your computer, Recall would allow them to get at all this history, so the fact that it’s all local and never leaves your device is still a problem. A part of me gets that, but at the same time, if someone has full access to your entire PC, then they have access to basically everything in your life already. They have your whole file system, they have your browser history, and they have access to your communication – the fact they now could also get access to screenshots of you using those same things doesn’t feel like that much more to me. Maybe being able to see when you looked at a file or website has consequences I’m not thinking of, but again, it’s already a nightmare scenario, and the best way to resolve this is to have a way to remotely wipe or lock down your device from the cloud (which Microsoft does offer).

Finally, this feature is opt-in and organizations can disable it for their managed devices so employees don’t turn this on when their company’s security team doesn’t want them doing that.

I’ll be keeping an ear out to see if this new feature is used for any notable security breaches in the future, but for now I guess I’d say I understand why people find this creepy, but I also think it’s something cool that I hope to see from Apple sooner rather than later.