Skip to main content

On 21 May 2024, Microsoft announced that it will release a new product in 2025, as part of the new Copilot+ PC range: Microsoft Recall.

Microsoft Recall is a new search function for Windows 11 that allows you to search through your PC activity history. Recall is intended to serve as a memory aid for the user by storing information or websites that the user has visited some time ago but can no longer remember exactly. Ultimately, Recall is the answer to today’s fast-moving consumption of information, whether in emails, video conferences or on the web.

How does Recall work? Recall takes screenshots of the entire screen every few seconds and stores the images in an SQLite database for a minimum of three months and up to 18 months, depending on the storage capacity of the PC.

Basically, a timeline of the user’s entire behaviour is created. The user can then query Recall via a prompt, and Recall delivers the screenshots that match this description. According to Microsoft, the aim is to imitate human memory.

However, if you take a closer look at this tool from a data protection perspective, it raises legal issues. Recall records everything that happens on the user’s screen and makes screen recordings of it. Microsoft has already confirmed that this also includes extremely sensitive activities such as online banking or entering passwords. However, video conferences can also be recorded. In addition to AI-based Copilot transcription, this is a completely new type of surveillance. The rights of external dialogue partners are also affected here.

At the interface between data protection and labour law, there is also the concern that Recall essentially allows employees to be tracked every second of their working day, which goes far beyond what the GDPR allows or justifies. Microsoft has already implemented mechanisms such as Purview or the Productivity Score, which, if used unregulated, are widely criticised in the data protection community. Recall goes far beyond simple logging and could be used for the commonly known ‘performance and behaviour monitoring’.

Although Microsoft asserts that Recall is consent-based, security tests of the new laptops with this function have shown that it is a standard setting. Microsoft Recall can be deactivated during laptop setup, but only by actively ticking a checkbox, although it also requires further user activity. Privacy by design is different!

To summarise, Recall goes far beyond simple logging. In addition, the SQLite database in which all screenshots are stored is accessible to users with administrator rights, i.e. IT can also access the locally stored data remotely, provided they have the appropriate rights.

In terms of information security, all passwords for access to the company systems, including the extremely sensitive administrator passwords, as well as all confidential company information are also recorded via screenshot and, depending on the configuration, stored for months.

Although Microsoft assures that the implemented security measures and local storage ensure that these screenshots are safe from access by third parties, we are all aware of the agility in the development of new mechanisms for ransomware and other types of cyberattacks. We also know how attractive backup systems of potential victims are. It is therefore likely that the storage location of recall screenshots will also be a favoured target in the future. A comparison with a Trojan is obvious, as the tool or the database behind it can provide hackers with all the information they need in the event of a cyberattack.

The British data protection authority ICO has already announced that it has contacted Microsoft due to the strong data protection concerns. It remains to be seen how other supervisory authorities in Europe, such as the French CNIL, will position themselves.

For the time being, Microsoft Recall will only be used on Copilot+ PCs, as it requires a lot of storage space. It is therefore not an immediate challenge for existing company hardware. However, any new acquisition of newer company hardware from 2025 onwards should have this functionality in mind in order to counter data protection and information security risks in advance.

Data protection remains exciting with such developments and legitimis naturally continues to monitor such developments. In order to support its customers legally, technically and personally.



Addendum from 18.06.2024

Microsoft has announced on its blog that it will now only make Recall available to a select group of developers as part of the Windows Insider Programme (WIP). Originally planned for all so-called optimised Colpilot+ PCs, the company now wants to introduce security measures such as additional authentication when accessing the database. This is in response to critical voices from the security industry and the data protection community, who have criticised the comprehensive monitoring and simultaneous inadequate protection of screenshots. In the meantime, legitimis recommends that its customers continue to use the old-fashioned but GDPR-compliant means of data storage and retrieval: human memory.