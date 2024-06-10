Dubbed a potential security nightmare before its general release, the Recall system may be useful now that it’s more secure, but Microsoft needs to learn how to say sorry.

Microsoft’s AI-powered Recall system was called a possible nightmare by security and privacy experts almost as soon as the tech giant touted its presence in its soon-to-be released AI-powered PCs. The idea seemed useful–a friendly seeming AI system that keeps track of what you’re doing on a PC so it can help you find things you misplaced. Then reality hit, when a coding expert quickly showed Recall had flaws and could easily be hacked, giving hackers access to highly private info. Microsoft just announced a partial revamp and walk back of the feature before the product’s release to the general public, beefing up security and changing some details of how Recall works. But a little like the Recall launch itself, Microsoft somewhat botched the apology, in ways that can teach business owners some useful lessons.

Microsoft hears your complaints Microsoft, in an official blog posting, said it’s “heard a clear signal” about Recall’s failings “even before making Recall available to customers”–well ahead of its general release, when only developers have access to the code. Using critical feedback, Microsoft made changes to “improve privacy and security safeguards” that will go into effect before the June 18 official launch date.

These safeguards include what Microsoft calls “just in time” encryption via its Windows Hello “enhanced sign-in security” system. This means Recall data is likely encrypted the moment it’s captured, then decrypted when a user activates Recall to find something. The encryption and decryption processes rely on the user being properly signed into Windows: You won’t be able to use Recall unless you’ve got a Windows Hello enrollment, a process which requires a login, a verified email address, and a secure access system like a password, PIN code, fingerprint, and so on.

Microsoft also says a “proof of presence” is required to view the Recall timeline or search it. So you’ll have to authenticate yourself with Hello before accessing Recall, meaning if you leave your PC unlocked and someone happens to start typing at it, they’d need to know your login details to get access to your Recall history. But the most important thing Microsoft is doing to protect Recall users is making it an opt-in service instead of turning it on by default. That means if you or your company choose to splash out for AI-powered new PCs that brands like Intel and Microsoft are pushing as the next big thing in computing, you’ll have to turn on one of the landmark AI features manually. Hmm.

Microsoft explains The rest of Microsoft’s blog post explaining the changes to Recall covers all the bases: Microsoft insists the files are only stored locally, not sent to the cloud, and the whole thing will only work on new PCs with a special security chip aboard, acting as another encryption layer. It also says it’s seen the way users use Recall in testing, and says “people are taking advantage of the controls to exclude apps they don’t want captured in snapshots.” Microsoft is arguing the average user will do the same when they get their hands on the system in a week or so–dig into Recall’s settings and prevent it from watching them do things they want to keep private.

Is that all that’s being fixed? The problem with Recall is that for it to be genuinely useful, users have to place a lot of trust in Microsoft, and the security weaknesses of the system showed that the trust was misplaced. Microsoft can add in security now, but it should have been a fundamental part of the way Recall works right from the get-go.

Even more telling is its apology: Microsoft can say it’s seen a “clear signal” as much as it likes, but the word “sorry” doesn’t appear in its blog post, nor does “apology” or “error.” When Apple upset hordes of people with an ill-considered ad earlier this year, it reacted quickly and decisively: Apple executive Tor Myhren, the company’s vice president of marketing communications, spoke up and outright apologized. And this was for an ad, not a system that saves almost everything you do on your PC in a way that hackers could easily find, giving them access to everything important, private, or secret you’ve been working on on your personal or business laptop.