I don't dispute that Microsoft has the best intentions at heart.
Are you new to this planet?
Microsoft Recall, the AI app that takes screenshots of what you do on your PC so you can search for it later, has a filter that's supposed to prevent it from screenshotting sensitive info like credit card numbers. But a The Register test shows that it still fails in many cases, creating a potential treasure trove for thieves. …
"I don't dispute that Microsoft has the best intentions at heart, along with doing as much as they can to ensure the security of this feature,"
I'm afraid that Mr Wright, while extremely generous with his remarks, is Mr Wrong.
If Micros~1 had the best of intentions they would never have revised or resurrected this POS after they pulled it the first time.
It's going to be a nightmare for some and a target for all those calls from "Microsoft Support people" who want to help fix the "problem with your computer"
In corporate settings with confidential information (like HR), this would be a GDPR nightmare. The OS should absolutely and unequivocally respect its settings and configuration unless there are actual solid technical reasons why something needs to change, and if so, flag it visibly, on screen, each and every time. This quietly tweaking settings in the background should be considered an act of hostility and, given the potential GDPR implications, an act of corporate sabotage which will engender appropriate punitive relief.
I don't care if it's shiny, some of us just want to get work done without unnecessary headaches.
"I don't dispute that Microsoft has the best intentions at heart."
You have ALL misunderstood !!!
The statement quoted is 100% Accurate/True ... you simply parsed it wrong !!!
The 'Best' intentions were NOT in relation to 'YOU' ... BUT in relation to 'Microsoft'
The intentions were to further MS and to maximise the monetisation of 'You' the 'User'
These intentions are at the heart of everything MS does and so the quote is entirely True !!!
:)
>> The intentions were to further MS
If that's the case, it's failed, at least in my case.
Not bothering to get either extended support (ESU) or upgrade my Windows 10 gaming machine, even though I have more than enough points to do it for free. Don't trust them to try to install crap like copilot or their crappy "AI."
Same as I banished OneDrive. And I've set up Thunderbird to auto-delete anything from Outlook.com and gmail.com. If their "AI" is so great why can't they use it to remove spammers' accounts?
My Linux box will probably get a fresh install of MX Linux or FreeBSD - no Agent Pee.
Trust - once it's gone, it's gone, Microsoft. Keep incentivizing people to switch - it's working. Same as Microsoft 2024 is forcing people to X-Plane.
Trust is totally GONE!! This is the key point, and quite frankly the only point worth bothering about. Microsoft seem to be (suicidally?) determined to make matters worse. I do not use anything made by M$ now, and have no intention of ever doing so again in the future. Win 8 was the last straw for me.
My trust was completely gone by Windows 7, when I caught them spying on me. I was pentesting a corporate application on a workstation with the recommended Microsoft defaults, when my intercepting proxy caught an out of band request to urs.microsoft.com. This request had an XML payload with my entire request (including a login credential and other sensitive info). The implications of this are clear. This is a straight up MiTM attack, enabled by default on Windows 7.
Anyone who thinks it isn't sending OCR metadata gathered from screenshots like your bank balance and PayPal username to Microsoft for advertising and data harvesting purposes is deluding themselves over what this "feature" was designed to accomplish.
> ...you'd block your browser apps, which effectively makes Recall useless..
Which also demonstrates how utterly pointless* Recall is - You normally want the current state of a web page, and can use your browser history to find it if you really can't construct a search query. But if you thought that an unscrupulous website owner would change e.g. Ts & Cs, you take a screenshot yourself (or use the wayback machine).
* Disclaimer - I know I'm something of a Luddite. If you have valid use cases that can't be handled in a better way, feel free to enlighten me!
Recall is useless for the user, by design. I've been asking for it for months and I've yet to be given one single case where your day could be saved by mighty Recall.
Indeed, the day you suddenly notice some site's Ts & Cs have changed, the snapshot of the old ones will be long out of Recall's memory, if it ever has been there in the first place. Using the Wayback machine is your easiest and fastest bet, there isn't even a single reason to rely on Recall.
The whole thing is very much a classic find a problem my solution solves! NPU being the solution du jour. And ironically having created a massive (privacy) problem they are not using the NPU to solve it! Brilliant sh*t!
I expect whoever dreamed up copilot wasn't aware of 'browser tabs' which is more or less the reigning scheme for handling remembering wtf I was last doing... and it's working just fine thank you.
It looks like typical US-centric crap that assumes all phone numbers are in "1 (xxx) mmm nnnn" format, all addresses have a "State" field, etc. Obviously won't properly filter fields from, say, a French site with an "identifiant fiscal" or "numéro de sécurité sociale" instead of an SS number, or a UK site with a "Unique Taxpayer Reference", etc.
You can never, ever, correctly filter all such fields through a blacklist-type mechanism, there are simply too many options.
Everyone in civilization receives mail, and post offices are delineated by cities and towns in every nation so whether you live in one or not you're tagged to one. I live deep in the sticks, yet I am associated to a town several miles away due to where my mail goes.
"yet I am associated to a town several miles away due to where my mail goes"
Rural France here. I'm only associated with a nearby town (population about 2000) insofar as rurally the postal codes cover multiple villages (total population maybe 3000, we're far outnumbered by the pigs and cows); they are absolutely nowhere near as fine grained as the British postal codes.
So my address is:
My name, Property name, Postcode then My Village
Even local city dwellers have a habit of screwing up and telling me my address is incomplete, but since it's the one written on my tax return if it's good enough for both La Poste and the government, it's good enough for everybody else.
Yes, mine used to be My name, Hamlet name, Postcode then Commune.
Then Orange started rolling out fibre, and decided that every house in France had to have a street name and number. People on rural roads got numbers based on their distance in metres from the village, so 3456 Route de Bled Paumé wasn't unusual. In our village the mairie ran a survey asking if people would like to choose a name for their local lane. I didn't see any truly creative ones, we did consider suggesting "Chemin des Étrangers" for ours, just for the entertainment of future residents.
I don't think it was Orange that required numbering, I think it is the emergency services because what with local gendarmeries and fire stations closing the local knowledge is being lost. If you have a rozzer coming from thirty kilometres away...
My house number is a single digit, odd because I'm on that side of the road, and they don't run sequentially, it's like 2,4,5,6,9,13,14...
Better yet, the village is basically the place where two roads cross, so there are four roads in total, each one of them having a number that starts away from the village. So unlike a local town with American style numbering (first two digits mean the road, second two mean which house), my number is essentially useless as there are other places on the other roads with the same number. Duh.
Also the mayor wasn't inspired by naming. The roads are simply called "Route de" followed by where they go. The cut through by the church is "Contour de l'église". And my long access lane has the same name as the house (a "lieu dit", or place called) which means if you try to find me using Google you'll get dumped halfway up the lane, something Google seems utterly unable to deal with despite my pointing this out multiple times (to get proper navigation you need to use the house number then it realises you want the house and not the road).
So ultimately you still need to know where X is in order to know where X is. The number doesn't change anything really.
I think somebody far higher up the pecking order said "every house must have a number" and the local council did it in the least-effort way possible.
We were told by the Mairie that it was due to the fibre rollout, the systems which managed that needed number/road, so everyone had to have that before they could start (software written by someone in Paris, no doubt). There's a shiny new fire station in the village, manned by local volunteers, so no problem for them to find anything. Google hasn't a clue, it numbers the road from the wrong end so the post office agency, which is behind the Mairie and has street number 8, shows up on Google maps at a private house (our neighbours) 4km away on the other end of the road, and Google ignores all our attempts to correct it.
Indeed. @Phil O'Sophical
" most instances of Social Security numbers"
Given MS will have focused on US data, only getting most social security numbers is a concern & as you said, would give you zero confidence in it effectively filtering out UK NI Numbers (9 characters but a very different format).
Wonder how it deals with passport, driving licence, birth / wedding certificates etc all ripe for identity theft usage & things people occasionally have to upload to their PC for various proof of ID online (not thinking of the new Online age ID UK fiasco, but dealing with banks, lawyers during strict COVID lockdown as executor for some deceased relatives at that time & they wanted stuff submitted online & am sure since COVID restrictions ended they have probably retained the preference for online document submission as it saves them money)
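The point made in the comments above about US-centric, blacklist-style filtering can be shown with a short added example; it is not code from any commenter and not Recall's actual filter, whose rules the page does not describe. The `DENYLIST` patterns, function names and sample strings are all constructed for illustration.

```python
import re

# Hypothetical US-centric denylist, written for this illustration only.
# It is NOT Recall's filter; the page does not describe Recall's rules.
DENYLIST = {
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b"),
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on 16-digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def findings(text: str) -> list:
    """Return the names of denylist rules that fire on this text."""
    hits = []
    for name, pattern in DENYLIST.items():
        for m in pattern.finditer(text):
            if name == "card" and not luhn_ok(re.sub(r"\D", "", m.group())):
                continue
            hits.append(name)
            break
    return hits

# Constructed sample screen text; none of these are real identifiers.
SAMPLES = {
    "US SSN": "SSN: 123-45-6789",
    "Payment card": "Card: 4111 1111 1111 1111",
    "UK NI number": "NI number: QQ 12 34 56 C",
    "French NIR": "Numéro de sécurité sociale: 1 85 05 78 006 084 36",
    "UK UTR": "Unique Taxpayer Reference: 12345 67890",
}

def missed(samples=SAMPLES) -> list:
    """Labels of sensitive samples that no denylist rule recognises."""
    return [label for label, text in samples.items() if not findings(text)]

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(f"{label:14} -> {findings(text) or 'NOT FILTERED'}")
    print("Would be captured unfiltered:", missed())
```

Each missed format could be patched with another pattern, but the list of national identifiers and document types is open-ended, so a denylist only ever covers the formats its authors thought of.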
Most people view PCs and tablets as no different to their dishwasher or washing machine, it's just an appliance to get stuff done, nothing more. This makes these people ripe for exploitation and it's our job as techs with integrity to help where we can by ensuring relatives and friends are informed and helped. People are generally not stupid, just naive and maybe a tad ignorant, that's where we come in.
Sure, having systems settings in many files scattered all around the file system and each one with a different syntax - without a coherent API to access them - is better.
The only Registry problem was incompetent developers who believed it was another file system. That's why Linux is successful with these people, it's as limited and obsolete as they are.
Recall instead of what you get when MS gets full of young people who need to make into the OS some new mobgly or webgly thing... since they are unable to think about anything else.
You've already heard that for Windows XP and Windows 7, and yet here we are, regretting the once so much maligned Windows 10 (oh the irony!!!...)
Microsoft can always do worse (they've got a proven track record on that), so I'm willing to bet in a couple years everyone will be regretting Windows 11...
> If I can do it, anyone can
Unfortunately this statement is pure survivor bias. How so? Imagine a Titanic survivor saying it and you'll understand.
"Recall" is a screen logger, the screen version of keyloggers.
As such, it can’t and won’t ever be safe. Machine-driven filters are doomed to fail, sooner or later.
How can any *serious* company promote such a BS?
Do you like sitting in front of your computer with someone looking over your shoulder all day long?
"How can any *serious* company promote such a BS?"
Simple, Recall is not about you searching your computer history, it is about MS harvesting computer user data to train their super-duper Mega all-included One Neural Network to rule all Neural Networks.
When they said "data is the new oil", they were serious.
You know what happened to the people who lived on top of the old oil? Then you know what will happen to the people who live on top of, and are "producing", the new oil.
Out of all the hype and BS, this is the one true statement I believe. It's sold to us as helpful but truth is that it's simply for fattening up the knowledge store of some Sam Altman infested shit-fest that will be sold back to everyone through CoPilot and ChatGPT.
Why are all the examples you cite web-page based?
There is more to using a PC than browsing the web you know?!
What if I open a text file or an email that contains some sensitive data? Will Recall ignore it?
As has been pointed out, this crap is a “solution” for a non-existent problem. It’s bloody stupid as well
> run your programs, securely, then get out of the way
This ^^^! Unfortunately those who don't want "exciting new features" in the strangest places of an OS so "it looks less bland" are a disappearing species...
My priorities (decreasing) are work → programs → OS. The OS is just a requirement of the programs I use for work, I surely don't have any time to waste on any idiosyncrasies it might have.
If your system does not have the AI Snapdragon AI processor, Recall is NOT installed! Recall only installs on Copilot+ laptops and tablets, so unless you have upgraded to a Copilot+ laptop or tablet within the past year, there is no way Recall is on your system! Go into Settings, Recall settings are in Privacy & security > Recall & snapshots. If that is not there you do not have Recall installed.
Recall was 100% designed by Microsoft as a future store of blackmail material for presidents/politicians, company execs that rival microsoft etc.
they spent $50 BILLION on a datacentre JUST for recall for "reasons" even though they said they weren't permanently storing anyone's data.
In the TCs it says the definition of the short term storage is entirely at microsoft's discretion and no notification of changes/duration will be given.
Recall's encryption is already broken beyond repair, PLUS it can be remotely switched on 'accidentally' (and silently) by a windows update........
Bonus: Recall slows your PC like you installed mcafee norton AND kaspersky all at the same time. it occupies gigabytes of memory, takes most of the cpu to run AND will destroy your SSD/NVME drive by writing to it 24/7.
But ONE universe where this program is acceptable. And it's a universe where the concept of crime never entered human minds. Anywhere else it's a parody. Windows Recall is nothing more than an extremely advanced keylogger and, if it had been developed independently from Microsoft, would be considered malware by the creator of the OS. It's insane to me that Microsoft ever thought this was a good idea much less one that should be automatically implemented.
I had a few weird Server 2025 cases recently (June/July) where some stopped working normally. You could RDP-login, but nothing moved. You could log out and log in, nothing moves. If you were patient you could open a cmd box where shutdown -l -f did not work, and shutdown -r -f -t 0 did not work. Said "initiated", but nothing. A few minutes later even RDP refused, remote reboot too. We had to kill it using the "off" button in the hypervisor. Both times it came back without issue, but this was weird. The other bug, which does not matter that much as workstation, is the failure to detect your network unless you restart your network adapters. Especially nice for Domain Controllers, 'cause even if you have the "network list manager" set to treat "unidentified" and "Identifying" it still did not respond. Latter trick worked until including Server 2022, since Domain controllers are always on a fixed IP and should be reachable according to your windows firewall rule, and not shut itself out 'cause it refuses to understand the configuration. There is more weirdness, but that won't keep us from using it. Simply for the reason of three years more support / updates. From my point of view: Buggy release, similar to Server 2008 (without R2, the Vista level). Server 2008 R2 up to including Server 2022 are more stable. I hope they get those weirdness-es fixed, but I suspect there are too many bugs below the hood to nail one weirdness to one bug.
Force Principal Product Managers Amanda Langowski and Brandon LeBlanc, Satya Nadella and the Microsoft Senior Manglement and the Board subscribe to the Windows Insider program, and enable this feature on their Windows devices, and then conduct personal financial transactions on them. If they come up with excuses, then, time for governments to step in (though, they may do a secret deal with Microsoft, if they've not already done so, to be able to peek at the data themselves)
You assume that these people have intelligence and insight. What if they were actually clueless and naive, but had only one talent in the form of climbing greasy corporate poles? Because if that's the case then they'd happily agree to have Recall on their devices.
In terms of "secret deals" we've already seen the morons of the British government trying to weaken encryption on user devices and hide that despicable act from public scrutiny, and insisting that sensitive data is shared with porn sites; the US government already requests large volumes of user data, both legally and reportedly illegally. The US data seizure numbers have been rising rapidly, doubling over the past 5-6 years, and affecting around 100,000 Google accounts every six months according to Google's own reporting. It would be prudent to assume that similar trends apply across all Meta products, to AWS, Microsoft, and to all financial services records.
Oh my, what a shock. A MS promoted (or forced) AI 'innovation' turns out to grab all the data we're told it won't.
Wow I can hardly believe it. I mean MS never ever shits the bed with its products does it? Never ever ever, or at least not more than once or twice a day.
Said no-one.
And it does not matter what changes M$ makes to the T&Cs. Linux Mint, which works almost the same as my old Win7 machine did. The main difference is I don't find myself having to revert to previous Restore Points every month or so because the machine started slowing down.
... what this thing is supposed to do.
Browsers have a History to go back to a website for something you were doing previously.
If you were editing a document then I'd hope you'd remember where it is and why.
It looks like a "solution looking for a problem" as the old saying goes.
I can't think of many reasons why I would use such a feature, but basically all the use cases involve searching for sensitive personal information.
"What's the name of that drug I was prescribed a couple years ago?"
"What's the parcel number of my house so I can pay my property taxes?"
etc.
etc.
If they're going to invade my privacy enough to take screenshots of everything I do, but not invade my privacy enough to allow me to search for my own private information, what is the point, exactly?
If it does nothing for you yet it's being pushed hard then it probably does something for them.
As others have said most likely it's data to feed the AI beast.
The more data it has on people the better it will be at simulating people so it can be used to unemploy people.
stupid fucking idea but stupid fucking people.
Old Ted down the road and old Jen across the way, neither know how to use computers properly. THESE people WILL get breached by this shit and they are the people that will lose out when scammed.
Some people, for whatever odd reason might want to use this but make it 100% opt in ONLY. So if you want it, you go in and turn it on, it's not on and needs to be turned off.
MS and Satnav have lost the fucking plot.
I won't continue the theme of mocking the author, as they KNOW what they did wrong but clearly don't seem to care.
What I don't get is why time was wasted on this article at all, M$R was dead on arrival and any good admin or engineer worth their salt will disable or better, hard remove this crap so that it's NEVER able to run.