Microsoft delays rollout of “Recall” feature.

Microsoft has delayed the broad rollout of its controversial “Recall” feature, which takes periodic snapshots of a user’s screen activity, due to privacy and security concerns raised by security researchers.

Originally planned for release on June 18th with Microsoft’s new Copilot+ PCs, Recall will now first be previewed with Windows Insiders in the coming weeks before being made available more widely.

The decision comes after researchers discovered that Recall’s logs, which capture a user’s computer activities in plain text, could be accessed by anyone with device and user-level access, even on encrypted Windows 11 PCs when unlocked. In response, Microsoft has instituted several safeguards:

Recall will be opt-in by default during Copilot+ PC setup, instead of being enabled automatically.

Windows Hello biometric authentication will be required to enable and access Recall.

Additional encryption layers, including “just-in-time” decryption using Windows Hello, will be implemented to better secure Recall data.

Microsoft states this delay allows them to leverage feedback from Windows Insiders to ensure Recall meets high security and privacy standards before broader availability. The company maintains its commitment to providing a “trusted, secure and robust experience” with the feature.

While Recall promises to help users easily find previous computer activities, the need to address valid privacy concerns around its logging of potentially sensitive user data has prompted Microsoft to take a more cautious rollout approach.

Several privacy concerns were raised about Microsoft’s Recall feature:

Recall captures periodic screenshots of a user’s computer activities, including potentially sensitive information like documents, emails, or private messages, even if they were deleted or shared temporarily.

This raised fears that the recorded data could provide a window into a user’s digital life and enable surveillance.

Initially, the Recall data was stored in an unencrypted SQLite database, making it easily accessible to anyone with device and user-level access, even on encrypted Windows 11 PCs when unlocked.

This lack of robust encryption and access controls was criticized as a major security risk.

Recall was originally planned to be enabled by default on Copilot+ PCs, without giving users an opt-out choice during setup.

Privacy advocates argued this was an overreach, essentially installing “unrequested, pre-installed spyware” on new Windows computers without consent.

There were concerns around the potential for hackers or malicious actors to exploit vulnerabilities in Recall to gain unauthorized access to the captured data, creating a “dangerous honeypot”.

Some raised broader concerns about Microsoft’s motivations and the precedent of a major tech company capturing such extensive user data by default, even if the stated purpose was to enhance productivity and aid memory recall.

The combination of capturing potentially sensitive user data without robust security, encryption, and user consent triggered a significant privacy backlash that prompted Microsoft to delay Recall’s rollout and implement additional safeguards.