It turns out that the storm of criticism Microsoft’s recently unveiled Recall feature has actually pushed Microsoft to change its mind and make some very significant changes to the feature. Today, after over a week of sustained criticism and worries, Redmond announced it’s going to implement Recall very differently.
First and foremost, instead of Recall being enabled by default and only configurable after installation and the out-of-box experience, it will not be disabled by default, and the user will be prompted during the OOBE if they want to enable the feature or not. This in and of itself should alleviate quite a few worries, since having this on by default without most users really realising it was a recipe for disaster and privacy issues.
Second, Recall will not be taking advantage of Windows Hello, and using Window Hello will be a requirement before you can use Recall. On op of that, Recall will use Windows Hello presence detection, so that it will only show any collected and saved data if you’re the one sitting behind the computer. It’s wild to me that they didn’t think of this one sooner, but alas – I have a feeling a lot of this “AI” stuff has been implemented in a bit of a hurry.
Last but definitely not least, the Recall database, where information extracted from the screenshots is stored as well as the search index will now be properly encrypted. They will only be decrypted once the user in question is authenticated. Here, too, one really has to wonder why it wasn’t implemented this way from the very beginning, and the fact that it wasn’t makes me think we’ll be finding more questionable security and implementation details as the feature becomes widely available in a few weeks.