It’s a nightmare scenario for Microsoft. The headlining feature of its new Copilot+ PC initiative, which is supposed to drive millions of PC sales over the next couple of years, is under significant fire for being what many say is a major breach of privacy and security on Windows. That feature in question is Windows Recall, a new AI tool designed to remember everything you do on Windows. The feature that we never asked and never wanted it.

Microsoft, has done a lot to degrade the Windows user experience over the last few years. Everything from obtrusive advertisements to full-screen popups, ignoring app defaults, forcing a Microsoft Account, and more have eroded the trust relationship between Windows users and Microsoft.

It’s no surprise that users are already assuming that Microsoft will eventually end up collecting that data and using it to shape advertisements for you. That really would be a huge invasion of privacy, and people fully expect Microsoft to do it, and it’s those bad Windows practices that have led people to this conclusion.

  • Jo Miran
    link
    fedilink
    English
    205 months ago

    This is for the enterprise market more than anything. Large companies are already logging and mining everything. Slack, Teams chat, Teams voice, email, keystrokes…literally everything. Microsoft’s problem is that Enterprises are using third party products to do so. Recall solves that competitive issue for MS. I have no doubt that it will be tied to their cloud offerings, and I have no doubt that MS will retain the right to use it all of the data from the consumer side for AI training.

    • @jet@hackertalks.com
      link
      fedilink
      English
      36
      edit-2
      5 months ago

      I’ve worked extensively in the Enterprise environment, and data exfiltration is a massive concern for any company with intellectual property, which is most of them.

      Having data leak at all, another vector for exfiltration, is a huge huge risk.

      Heck, I’d be surprised if Microsoft itself let its own developers run Total recall

      • Jo Miran
        link
        fedilink
        English
        20
        edit-2
        5 months ago

        As an infosec professional for way longer than I care to remember, you are preaching to the choir. That said, all of our clients are both large enterprise and critical infrastructure, and they all log (and mine) everything. Not only that, they are shipping this directly to third parties. It makes me break out into a cold sweat every time I think about it, but here we are.

        PS: OK, all the US based ones. Our EU based client does not do this to my knowledge and I assume it has to do with EU regulations, but that’s just a wild guess.

        • @jet@hackertalks.com
          link
          fedilink
          English
          3
          edit-2
          5 months ago

          Good point. But the companies are at least controlling the data pathway, being aware of it, signing off on it, doing it for their benefit.

          And I imagine at least for the US companies, every company they exfiltrate data to, is contractually obligated to keep their data private