microsoft doubles down on recording your screen

00:00

a couple months ago Microsoft released

00:01

the preview build of its recall program

00:04

if you don't remember what that was and

00:05

I I hope you do because it's crazy uh

00:07

recall was a piece of software that

00:09

would sit on co-pilot plus arm CPUs that

00:12

ran windows and what it would do is it

00:14

would take screenshots of your computer

00:16

every 5 seconds and then collect

00:18

metadata about those screenshots like

00:20

the characters on the screen the images

00:22

on the screen using the local AI

00:24

processor in the Snapdragon CPU and then

00:26

store that metadata in a database that

00:28

you could query later to fure figure out

00:30

like when was the last time I looked at

00:32

purses was was the example that the news

00:33

did and obviously this program collected

00:36

a lot of negative feedback from the

00:38

security Community a lot of security

00:40

researchers were able to see that you

00:41

could just literally go and open the

00:43

database yourself even though it was

00:45

said to be encrypted at rest so

00:46

obviously it didn't get a lot of love

00:48

Microsoft just came back with a new

00:51

article a new update to their original

00:53

blog post that highlights some of the

00:55

new security features of recall there

00:57

are some slight improvements but I still

01:00

hate the idea as a whole so in this

01:02

video I want to talk about what the

01:03

updates are kind of give my thoughts on

01:05

those changes and kind of get your

01:07

opinion too I want to see in the

01:08

comments below what you think about the

01:10

recall program after these updates they

01:11

have made some improvements to how the

01:13

database is authenticated but overall

01:16

the idea of Microsoft taking screenshots

01:18

every 5 Seconds even if stored locally

01:20

scares the crap out of me so let's Dive

01:22

Right In also if you're new here hi my

01:23

name is Ed this is Ol learning Chann

01:25

we're talk about software security cyber

01:26

security so if you're into that or just

01:28

want to hang out hit that sub button

01:30

really appreciate it so first of all

01:31

Microsoft is making recall an optin

01:34

program so originally when it was

01:35

announced it was going to be an opt out

01:37

program meaning that to disable recall

01:39

you had to one no recall was enabled and

01:41

then turn it off meaning that you had to

01:43

opt out of the program a recall is now

01:45

an opt in program which overall is

01:47

obviously a good thing but I have had

01:50

weird instances on my own personal

01:52

computer where features like Cortana for

01:54

example that I disable when I turn

01:57

windows on when I install Windows on my

01:58

computer mag Ally get turned on without

02:01

my permission or consent so I don't know

02:03

if that's a misconfiguration thing if

02:05

that's a marketing thing where windows

02:06

or Microsoft are trying to push their

02:09

features and turning them on without my

02:10

consent um but I have seen that happen

02:12

before it's not only me but people

02:14

around the community have had like

02:15

magical Microsoft Windows features turn

02:17

on by themselves um so if that's going

02:19

to be the case with the recall not a

02:21

huge fan of that but I mean at least

02:22

we're going in the correct direction

02:24

where you know we're making it so that

02:25

it's not on by default the the example

02:27

that I give with all of these things is

02:29

I I I think of my grandmother who

02:31

doesn't know anything about computers

02:32

and is what should be thought of as like

02:34

the default user of of software if she

02:37

is not able to even understand the

02:39

technology or understand or consent to

02:42

the technology and just have this

02:43

repository of information about her

02:45

browsing history or or Computing habits

02:47

I think that's a bad thing I think the

02:49

average user should not be subjected to

02:51

that without consenting to it so optin

02:53

is a step towards getting consent right

02:56

the recall database now says that it

02:59

will only be decrypted once you've

03:01

authenticated Through the Windows hello

03:03

program so the windows hello program is

03:04

effectively they use not not biometric

03:06

authentication but you have to either

03:08

show your face or your fingerprint or

03:10

some other like I am actually this

03:12

person kind of authentication that's

03:14

processed in the CPU to decrypt that

03:16

database now the question is does that

03:18

mean that if I log into my computer with

03:21

Windows hello the database is now

03:23

decrypted until I log out is it when the

03:25

window is locked is it when the desktop

03:26

is locked how long does that data stay

03:29

decrypted at rest because if any kind of

03:31

malware is on the computer and they want

03:33

access to that data all they're going to

03:34

do is wait until I'm properly

03:36

authenticated to access that data and

03:38

then just steal it all I think the core

03:40

of my issue with the recall program is

03:43

that there is literally just a corpus of

03:46

data that is on my computer that I don't

03:48

want to be on my computer right it would

03:50

be like if I stored all of my personally

03:53

identifiable information about me and my

03:55

family and my kids like socials tax

03:57

returns uh school records I don't know

03:59

all that stuff in one folder and just

04:02

hoped that it was never accessible at

04:04

the wrong time that's why I have

04:05

literally in that closet is like a

04:07

cabinet full of records that no one can

04:09

get to unless you're in my house in the

04:11

backmost room of my of my house right

04:13

I'm literally in my basement right now

04:15

so I think that in and of itself just

04:17

having that data anywhere is a threat

04:19

now obviously making it authenticated

04:21

and making it decrypted at the right

04:23

time is a step in the right direction

04:25

right I mean originally the data was

04:28

just decrypted when bit loock was

04:30

decrypted which means that if the system

04:31

is on the data was decrypted that was a

04:34

huge security oversight on Microsoft

04:36

part I'm not really sure how that got

04:37

through any kind of Security review

04:39

given that if the computer is enabled

04:41

the database is encrypted therefore it

04:43

is not encrypted at rest like it's

04:45

encrypted at rest but in like a weird

04:47

scummy marketing way where like it's not

04:49

really you can just sell it like that

04:50

legally I don't know wasn't a big fan of

04:52

that now also in the blog post they did

04:54

update with like some major security

04:56

points to try to I think ease some of

04:58

the the fears about recall first of all

05:01

snapshots are stored locally co-pilot

05:02

PCS a powerful AI that work on your

05:04

devices behalf no internet or Cloud

05:06

connections are used to store and

05:07

process snapshot so that is one thing

05:08

that's like reassuring they're not going

05:10

to like take your your screenshot send

05:12

it off to the magical you know Microsoft

05:14

cloud Center process it there it is

05:16

happening locally on your own AI

05:17

processor uh snapshots are not shared so

05:20

this has gotten people a little nervous

05:21

because they say that snapshots are not

05:23

shared but like this this is the Crux of

05:27

every argument about corporate data

05:29

collection

05:30

okay so like the snapshots aren't shared

05:32

right but is the optical character

05:35

recognition data the metadata that is

05:37

stored in that database is that now

05:40

anonymized and then like sold to Google

05:43

as ad data so they can give me

05:44

personalized ads I mean there were even

05:46

ads that are paid out to Microsoft and

05:48

Google in browsers like Edge for example

05:51

and if this is just another clever way

05:53

of collecting personalization data I

05:56

don't think that that's cor I don't

05:57

think that's right I don't know if

05:58

that's happening or not I'm just saying

06:00

there is the potential for that kind of

06:01

overreach to happen I mean so like my

06:03

wife and I share uh Instagram reals with

06:05

each other and I know for a fact that

06:07

the minute I install Instagram on my

06:09

iPhone I get more personalized ads and I

06:12

get ads about things that we are talking

06:14

about like they are probably collecting

06:17

microphone data and anonymizing it for

06:19

personalized ad experience some legal

06:22

um but it it is not uncommon

06:24

for this to happen so while the

06:25

snapshots themselves are not shared is

06:28

the metadata about them shared what

06:30

what's going on with that you will know

06:32

when recall is saving snapshot so like

06:33

if you have an iPhone for example you

06:35

get a little light that lights up when

06:37

the camera is being used when your

06:38

location is being used when your

06:39

Bluetooth is being used so now they're

06:40

going to have a little thing that says

06:42

hey watch recall is actively taking

06:44

screenshots which again step in the

06:46

right direction but it doesn't fully fix

06:48

the problem of the fact that they're

06:49

taking screenshots in general digital

06:51

rights managed or in private browsing

06:53

snapshots are not saved so basically if

06:55

you are using a piece of content that

06:59

overly supports DRM or has in private

07:02

browsing in a way that the windows

07:04

interel knows about um it will not

07:06

capture those snapshots but again this

07:09

isn't security by default like I have to

07:11

now go into a more secure Mo mode to

07:15

avoid the snapshots now again at this

07:17

point obviously if you're using this

07:19

program you've opted in so I guess you

07:21

kind of know about that um I I just I

07:23

I'm not super sure how I feel about that

07:25

one and then this is a big one

07:26

Enterprise and customer choice so this

07:28

was a big concern concern for people

07:30

that worked as like it administrators at

07:32

big companies are they going to have to

07:34

now administer and monitor the recall

07:38

databases on every co-pilot enabled PC

07:41

that exists in their Network there are

07:42

some corporate networks that have

07:44

literally thousands tens of thousands of

07:46

PCS and if they have to worry about a

07:48

single compromise removing the security

07:52

of the last you know if it's gone on for

07:54

a long enough time 5 years of collected

07:56

data that's that's a really really

07:58

really bad thing so I think they're

07:59

going to give at the group policy

08:02

probably level the ability for it admins

08:04

to control this and by that likely

08:07

everyone that I know is going to disable

08:08

this feature right no no one in their

08:10

right mind at the corporate it level is

08:13

going to use this feature we're are on a

08:15

journey to build products experiences

08:16

that live up to our company Mission to

08:17

empower people and organizations to

08:19

achieve more and are driven by the

08:20

critical importance of maintaining our

08:22

customers privacy security and Trust

08:23

more corpo I don't know dude

08:26

I'm I'm going to make a whole separate

08:28

video about this I genuinely believe

08:31

that AI is evil and what I mean by that

08:34

is like the technology itself llms the

08:37

the the math and the science behind AI

08:39

is all well and good but we are just

08:42

creating another excuse for companies to

08:46

shill things at us that we don't need in

08:49

exchange for metadata collection to

08:51

improve ad experiences I I think that AI

08:56

is going to be in 10 years the Facebook

08:59

of 2016 right it was a feature that

09:02

started out as a good thing and once

09:04

companies realized that they could slurp

09:05

up a little bit of anonymized metadata

09:09

and use that to shill ads I I don't see

09:12

why they wouldn't and this just seems

09:14

like another way of getting really scary

09:17

personal information about people uh and

09:20

and knowing their trends that like every

09:22

Wednesday you know like can going back

09:23

to the news example every Wednesday you

09:25

know Danielle searches for purses on

09:28

eBay and now they know to send her ads

09:29

and like that I don't know man it

09:31

just scares me I hope you're not too

09:33

scared by this I hope that this goes in

09:35

in the correct again it's it's trending

09:37

in the right direction they're making it

09:38

a little more secure but just the fact

09:40

that we even have programs like this

09:42

features like this makes me a little uh

09:44

a little weird I don't know anyway if

09:46

you enjoyed this video if you thought it

09:47

was weird if you want to tell me what

09:48

you think put it in the comments down

09:49

below hit subscribe also I feel like no

09:51

one knows this but I stream on Twitch if

09:52

you want to hang out with me live I do

09:54

stream on twitch.tv/ LL learning I might

09:56

be live right now and I'll see you in

09:58

the next one thanks guys