I’m beginning to hear fearmongering around Microsoft’s new Windows 11 feature named Recall. I want to address the concerns and help add some clarity to the discussion.

If you haven’t heard of it yet, Recall is a new feature being rolled out to Windows 11 that records everything you do on your PC, allowing you to review and even search your timeline using built-in AI functions. Sound a little creepy? Your computer is recording everything you do! Isn’t that a security concern? Isn’t this Microsoft acting as “Big Brother”?

You’re right to be concerned about any new technology that automatically stores your data. There are quite a few potential security concerns. I believe, however, that most of these have been or can be addressed. Here’s how:

Is Microsoft spying on me?

The biggest question people have when they first hear about this feature is, “Is Microsoft spying on me?” The short answer is that Microsoft is not using Recall to spy on you. Recall collects screenshots every few seconds and uses AI to process the images and text in these screenshots so that you can later search the contents and find anything you were looking at or working on previously. The screenshots and the data about them are stored locally, on your PC, in an encrypted database that is only accessible by you. The encryption keys are stored in a secure enclave that is part of your computer’s circuitry and cannot be stolen. Even the AI processing happens locally on your computer. No data is transmitted to Microsoft.

And that brings us to the next point: Recall is only designed to work on PCs with specific hardware, so-called “Copilot+PC” systems that have a built-in neural processing unit (NPU). Microsoft is not sneaking this into existing PCs. (Yes, the Recall code will likely be shipped with upcoming updates to Windows 11, but it won’t be active on older computers.)

What are the risks of Recall?

So, what are the risks of using Recall? There are a few, but they’re not new:

  1. If an attacker can gain access to your computer and is able to copy the Recall database to another computer, there is a risk that they would be able to decrypt the database and access all your data. As of this writing, this risk seems to be very low, given the strength of the encryption and the protections around the encryption key.
  2. If an attacker can gain access to your user account on your computer, they would be able to review and search your Recall data just as you would.

In either case, if an attacker can access your computer, you already have big problems.

As with any feature, if you don’t intend to use it, it’s best to turn it off. As of this writing, it’s unclear if Recall will ship enabled or disabled. My guess is that it will be enabled by default on new Copilot+PC devices and that it will be disabled by default on any computers that receive it as an update. Either way, it will be an optional feature that can be enabled or disabled at will. Additionally, Recall will be automatically disabled in corporate environments. Presumably, enterprise administrators will be able to enable Recall if they wish.

Recall does present security concerns for organizations that deal with sensitive data:

  1. Organizations that handle Controlled Unclassified Information (CUI) as part of the DoD supply chain will likely want to leave Recall turned off, as the Recall database would contain CUI and the regulatory ramifications of this are not yet clear.
  2. Organizations that process personally identifiable information (PII) such as social security numbers or payment card information (PCI) will also want to eschew Recall, as it could store this data longer than retention rules allow.

Ultimately, in a corporate environment, Recall is no different from any other data storage mechanism, but it presents a challenge because regulated data might be stored on local PCs, where it never was before.

A big unknown

One area of concern is in organizations where users are allowed to use personal computers to remotely access work systems. Traditionally, remote desktop over a VPN or other encrypted means is seen as relatively secure (in unregulated environments) since data is never sent to the user’s device. A user could always manually take screenshots to steal data, but, in the case of Recall, this is happening all the time by default. A terminated employee who had remote access and used Recall on their personal computer could retain company data long after their separation from the company. As of this writing, it is unclear if there are any mitigations to this risk other than disallowing remote access from personal devices.

Conclusion

For small business leaders, Microsoft Recall represents both an opportunity and a responsibility. While it offers powerful productivity benefits through its ability to search and recall past work, it requires thoughtful consideration of your organization's specific security needs and compliance requirements. If your business doesn't handle regulated data and you're using Copilot+PC hardware, Recall could be a valuable tool for increasing productivity and information retrieval. However, if your organization deals with sensitive information or is subject to specific data handling regulations, you'll want to carefully evaluate the feature and potentially disable it company-wide. As with any new technology, the key is to make an informed decision based on your specific business context rather than reacting to fears or hype.