- Microsoft introduced Recall, an AI-powered "photographic memory" feature for Copilot+ AI PCs, at Microsoft Build 2024.
- While offering an interesting forward-looking feature, Recall has sparked unease among privacy advocates and cybersecurity experts.
- After a hectic week in Redmond, the feature was removed from the June 18 launch with Copilot+ PCs.
Microsoft has relegated the opt-in Recall function to a preview that will be widely available in the Windows Insider Program. Originally scheduled to ship with the latest version of Windows on upcoming Copilot+ PCs, the public release of Recall has now been paused for further testing.
As it stands, Microsoft’s Copilot+ PCs will now ship without the Recall feature, which leverages artificial intelligence (AI) to let users seamlessly search back through their previous activity. The only problem is that Recall takes screenshots for record keeping.
Cybersecurity expert Kevin Beaumont explained in a blog post how Recall poses a serious security risk to anyone using it.
To ease cybersecurity and privacy concerns, Microsoft rolled out database encryption for Recall, implemented Windows Hello-based authentication, and made it an optional feature. Those measures, along with the fact that the screenshots are processed by locally running models and, Microsoft says, are never sent to the cloud for AI training, were not enough for the company to release the feature publicly and benefit from the revenue it could have generated.
What changed?
Microsoft’s decision to withdraw the Recall rollout may be rooted in the deep cybersecurity concerns that industry and government have with the Redmond-based IT giant. Last week’s ProPublica report on Microsoft’s security culture, or lack thereof, told the story of CrowdStrike’s current CTO, Andrew Harris, who worked at Microsoft for six and a half years.
At Microsoft, Harris discovered a security flaw that would expand the scope of the SolarWinds software supply chain attack, one of the largest cyberespionage campaigns ever. Harris has repeatedly stated that his discovery, which could have prevented the attack, was disregarded for the sake of revenue gains.
“Everyone agreed with me that this was a huge problem,” Harris told ProPublica. “Everyone vehemently disagreed with me that we should move quickly to resolve this issue.”
After the release of ProPublica’s report, in a hearing before members of the House Homeland Security Committee, Microsoft President Brad Smith said the company “accepts responsibility for each” of its cybersecurity shortcomings.
Smith’s testimony before Congress on Capitol Hill came as he was questioned about the company’s poor cybersecurity culture, which led to large-scale cyberattacks from Russian and Chinese hackers.
The latter even managed to access emails from U.S. government officials, including Commerce Secretary Gina Raimondo, Rep. Don Bacon (R-Neb.), and U.S. Ambassador to China Nicholas Burns, in an incident involving Exchange Online Outlook, which the Department of Homeland Security reviewed independently.
The May 2024 report of the Cyber Safety Review Board (CSRB), hosted by the Cybersecurity and Infrastructure Security Agency (CISA), on the summer 2023 intrusion into Microsoft Exchange Online also noted significant cybersecurity gaps at the company. “The Board has identified a series of operational and strategic decisions by Microsoft that, collectively, point to a corporate culture that has deprioritized both investments in enterprise security and rigorous risk management,” the report notes.
Smith told Congress that to build a strong security culture, Microsoft was instituting a semi-annual review for each employee regarding their contributions to cybersecurity. The company also highlighted its work under the Secure Future Initiative (SFI) launched in November 2023.
Microsoft also reshuffled its cybersecurity department in December of last year, parting ways with Bret Arsenault, its CISO of 14 years, and others.
Following these proceedings, Microsoft CEO Satya Nadella wrote the following memo (obtained by The Verge) to his ~221,000 employees:
“If you’re faced with a tradeoff between security and another priority, your answer is clear: do security. In some cases, this means prioritizing security before other things we do, like releasing new features or providing ongoing support for existing systems. This is essential to improving both the quality and capabilities of our platform, so that we can protect our customers’ digital assets and build a safer world for everyone.”
As for Recall, expect Microsoft to approach it with the standards and goals prescribed by SFI. For now, the company is absorbing the consequences of previous disasters in order to avoid a more serious one in the future. It remains to be seen how the Recall debacle affects customer confidence in Microsoft and its second approach to AI PCs.