Microsoft Delays Recall Over Cybersecurity Backlash
- Microsoft introduced Recall, an AI-powered photographic memory in Copilot+ AI PCs at Microsoft Build 2024.
- While the feature promises useful functionality, it alarmed privacy advocates and cybersecurity experts.
- After a turbulent week in Redmond, Recall has been pulled from the June 18 launch of Copilot+ PCs.
Microsoft has demoted Recall, an opt-in feature, from broad availability to a preview in the Windows Insider program. Originally slated to ship with the latest version of Windows on the upcoming Copilot+ PCs, its public release has now been shelved pending additional testing.
As it stands, Copilot+ PCs will ship without Recall, which uses on-device artificial intelligence (AI) to let users search and revisit their previous activity on the PC. The root of the controversy is how Recall builds that memory: it periodically captures screenshots of whatever is on screen and stores them, together with the text extracted from them, on the local disk.
In a blog post, cybersecurity expert Kevin Beaumont explained how Recall poses a grave security risk to anyone using it: a local store of everything a user has seen on screen is an attractive target for anyone who gains access to the machine, whether malware or another person with access to the device.
To assuage cybersecurity and privacy concerns, Microsoft announced that it would encrypt Recall's database, require Windows Hello authentication before the data can be viewed, and make the feature opt-in. Microsoft had also stressed that the models behind the feature run locally and that the screenshots are not sent to the cloud for AI training. Even so, the company has decided this is not enough to release Recall publicly and collect the revenue it could have generated.
What changed?
Microsoft's decision to pull back the Recall rollout is likely rooted in the deep concerns that industry and government now hold about the Redmond-based company's security culture. ProPublica's report last week on that culture, or the lack of one, told the story of Andrew Harris, now CrowdStrike's CTO, who worked at Microsoft for six-and-a-half years.
At Microsoft, Harris discovered a weakness in Active Directory Federation Services (AD FS) token handling that attackers could use to forge authentication tokens and move from an on-premises network into cloud services. The same class of weakness was later used to extend the reach of the SolarWinds software supply chain attack, one of the most far-reaching cyberespionage campaigns on record. Harris has repeatedly said that fixing it when he reported it could have limited that attack, and that the fix was sidelined to protect revenue.
“Everyone violently agreed with me that this is a huge issue,” Harris told ProPublica. “Everyone violently disagreed with me that we should move quickly to fix it.”
After ProPublica's report was published, Microsoft president Brad Smith told members of the House Homeland Security Committee that the company "accepts responsibility for each and every one" of its cybersecurity shortcomings.
Smith's testimony on Capitol Hill came as he was grilled over the company's poor security culture, which had contributed to large-scale intrusions by Russian and Chinese state-backed hackers.
The Chinese actors went as far as reading the emails of U.S. government officials, including Commerce Secretary Gina Raimondo, Rep. Don Bacon (R-Neb.) and U.S. ambassador to China Nicholas Burns, in an intrusion into Exchange Online that the Department of Homeland Security's Cyber Safety Review Board reviewed independently.
The Cyber Safety Review Board's April 2024 report on the summer 2023 intrusion into Microsoft Exchange Online also found significant security shortcomings at the company. "The Board identified a series of Microsoft operational and strategic decisions that collectively point to a corporate culture that deprioritized both enterprise security investments and rigorous risk management," the report noted.
Smith told Congress that, to build a stronger security culture, Microsoft is making each employee's contribution to security part of their twice-yearly performance review. The company also highlighted its work under the Secure Future Initiative (SFI), launched in November 2023.
Microsoft also reshuffled its security leadership in December last year, replacing Bret Arsenault, its CISO of 14 years, along with other executives.
Following these proceedings, Microsoft CEO Satya Nadella sent the following memo (obtained by The Verge) to the company's roughly 221,000 employees:
“If you’re faced with the tradeoff between security and another priority, your answer is clear: Do security. In some cases, this will mean prioritizing security above other things we do, such as releasing new features or providing ongoing support for legacy systems. This is key to advancing both our platform quality and capability such that we can protect the digital estates of our customers and build a safer world for all.”
As for Recall, expect Microsoft to hold it to the standards and objectives set out under SFI. For now, the company has taken a hit, on the heels of the fallout from earlier failures, to avert a bigger one later. It remains to be seen how the Recall debacle affects customer trust in Microsoft and in its second attempt at AI PCs.