Microsoft's New 'Recall' Feature Is Equal Parts Cool and Dangerous

We take the search function for granted—when it goes well. If you search for a particular email, photo, or document on your PC, and it pops right up, you don’t think twice about it. But if you spend 10 minutes scouring your hard drive looking for that one file, you lose your mind. That’s where Microsoft hopes its new Recall feature can help—even if it comes with some major security risks.

What is Recall?

Recall, at its core, is simple: The feature quietly takes screenshots of what you’re doing on your PC throughout your session. Whenever you perform a search with Recall, it pulls from all these screenshots to find relevant moments in your PC activity history that might be what you’re looking for, stitching them together into a scrollable timeline. For example, if you’re looking for a slideshow you were crafting for work, searching for it may pull up the times you were working on it in PowerPoint, as well as the presentation you gave with it. The same goes for an image: If you’re looking for the photo of your dog at the park, you may see it from the time you opened it in your photos library, but also in the messaging app you used to send the photos to friends and family.

Recall associates these screenshots with the active app, as well: As you scroll through your timeline, not only can you see which window you were looking at it with, Recall will tell you which app was running and when. So if you know you want the PowerPoint session itself from February, you can skip over any screenshots from Teams.

While it’s certainly a novel feature, Microsoft wasn’t the first to launch a feature like this. Rewind offers a similar experience over on macOS, recording all your activity (including transcribing your audio) in order to make everything you do on your Mac searchable. Of course, the big difference here is Recall is a Microsoft-built feature, while Rewind is only offered by a third-party developer on macOS.

You also won’t be able to use Recall on just any PC, even if its running Windows 11. Instead, this is a Copilot+ PC-exclusive, Microsoft’s new AI-powered PC standard. These machines are equipped with the Snapdragon X Plus and Snapdragon X Elite chips, which have a dedicated neural processing unit (NPU) for handling local AI processes. Unless you have one of these new machines, like the new Surface Pro or Surface Laptop, you won’t be able to try Recall when it launches. (At least, not officially.)

Is Recall safe to use?

The answer, from Microsoft’s perspective, is yes. Because it only runs on Copilot+ PCs, Recall is entirely handled on-device, with no processing outsourced to the cloud. That means everything, from the AI processing to the screenshots themselves, happen on your PC. Microsoft says the screenshots used for Recall are encrypted on your PC, too, even from other profiles on the machine: If you lock your PC, your Recall screenshots are locked, too.

Plus, you have control over which apps and websites Recall takes screenshots for. If you don’t want Recall to take screenshots when you use WhatsApp, you can tell it not to. You can choose to pause Recall for periods of time as well, and delete either recently taken screenshots, or all screenshots stored on your device. InPrivate browsing sessions in Microsoft Edge, as well as DRM content, like Netflix shows and movies, will also not be recorded. (Your secrets really are safe with InPrivate browsing, I guess.)

However, while Microsoft is all about the security of Recall, there is legitimate reason for concern—both in theory, and in practice. For one, Recall takes screenshots of almost everything you do on your PC (assuming you haven’t adjusted these settings yourself). That means it won’t stop taking screenshots when you enter or access sensitive information like passwords, your social security number, or banking data: If you can see it on-screen, chances are Recall is recording it. While it’s great that these screenshots are encrypted when you lock your device, if someone does manage to break into your PC, they’ll be able to access your entire Recall history, including this sensitive information. It seems like an unforced error to let a potential hacker open Recall, search “Bank of America” or “Turbo Tax,” and watch as you from the past enters all the relevant credentials and private information in for them.

We don’t have to speculate on this point, either. According to security researcher Kevin Beaumont, who tested the feature out for himself on a PC without an NPU, hackers will have no problem scraping your Recall information once you unlock your PC. Beaumont says when Windows saves these screenshots to your machine, it actually saves all of the text from the images and stores this data as plain text. That’s everything you do on your PC—including accessing banking information, private websites, and messages—saved as plain text, minus the aforementioned exceptions of course. This information isn’t deleted when you delete the associated data or app, either: If you delete a message in Teams, for example, it lives on in your Recall database forever. It doesn’t matter if they’re messages that are set to auto-delete: If it comes on screen, it’s likely saved to the database.

Further, Beaumont says hackers can employ readily-available infostealers to scrape your entire Recall database in seconds—again, that’s everything you’ve ever done on your PC since activating the feature. They don’t even need physical access to your computer. All they need from you is to log in, decrypt your drive, and they can use remote hacking software to steal your Recall data. Beaumont actually did it to his own PC: Windows’ built-in security tool, Microsoft Defender, did identify the infostealer Beaumont was using, but after taking over 10 minutes to block it, the infostealer had scraped all of Beaumont’s Recall data.

Even before Beaumont’s reporting, the feature was already under government scrutiny. The Information Commissioner’s Office (ICO), a U.K. data watchdog, contacted Microsoft for more information about Recall. The watchdog says all companies must “rigorously assess and mitigate risks to peoples’ rights and freedoms” before they offer a new product for consumers. As it’s still early days (Microsoft only announced the feature two days prior to this inquiry), it’s not clear what the watchdog will make of it, nor is it clear if other government agencies will launch their own investigations here.

Another problem? Recall appears enabled by default. According to The Verge’s Tom Warren, you can’t disable Recall when setting up a new Copilot+ PC. Instead, you can choose to “open Settings after setup completes so I can manage my Recall preferences.” That means many (if not most) of the people who buy a Copilot+PC will have this feature enabled.

This feature is obviously a boon for hackers. But when it was announced, I thought it came with some heavy privacy and security baggage, but not enough to actively persuade people to disable it immediately. Following Beaumont’s analysis, however, it’s clear Recall is not ready, and if it’s rolled out in its current form, it’ll put both individuals and organizations at risk. Not only can hackers steal your personal information by reviewing everything you’ve ever done, they can scrape any private company databases you’ve accessed, including your credentials to access them. It opens the door for truly massive hacking risks, and if Microsoft does decide to continue with its Recall plans, please: Disable the feature.

If you do want to try Recall, and any other Copilot+ PC-exclusive features, you can preorder one of Microsoft new Surface devices below:

Optimized with PageSpeed Ninja

Protected by Security by CleanTalk