microsoft doubles down on recording your screen
Summary
TLDRMicrosoft's Recall program, which takes screenshots every 5 seconds on co-pilot plus ARM CPUs running Windows, has received updates addressing security concerns. Originally an opt-out feature, it's now opt-in, and database access requires Windows Hello authentication. Despite improvements, privacy issues persist as the program collects metadata that could potentially be exploited. The video discusses these updates and expresses skepticism about the program's intentions, questioning the ethics of AI-driven data collection for personalized ad experiences.
Takeaways
- 😀 Microsoft introduced Recall, a program that takes screenshots every 5 seconds and collects metadata on Windows devices with Snapdragon CPUs.
- 🔒 Recall initially faced backlash due to privacy concerns, as the collected data was stored in an allegedly encrypted database that could be accessed.
- 🛡️ Microsoft updated Recall with new security features, making it an opt-in program instead of opt-out, enhancing user control over data collection.
- 👁️🗨️ The Recall database now requires Windows Hello authentication to decrypt, adding a layer of biometric security to access the data.
- 🔒 Despite improvements, concerns remain about the potential for unauthorized access to the data if malware is present on the system.
- 🚫 Recall does not save snapshots in private browsing or for content protected by digital rights management (DRM), addressing some privacy issues.
- 🏢 Enterprise users and IT administrators are given the choice to manage Recall through group policies, likely leading to widespread deactivation.
- 🤔 The video creator expresses skepticism about AI, fearing it may be used to collect metadata for targeted advertising without user consent.
- 👀 The creator suggests that Recall and similar programs could be exploited to gather personal data, similar to how social media platforms have been criticized.
- 🔄 The video concludes with a call for viewer engagement, inviting comments on the updated Recall program and its implications for privacy and security.
Q & A
What is Microsoft's Recall program?
-Microsoft's Recall program is a software feature that was designed to run on co-pilot plus ARM CPUs with Windows, taking screenshots of the user's computer every 5 seconds and collecting metadata about those screenshots, such as characters and images on the screen, using the local AI processor in the Snapdragon CPU.
Why did the Recall program receive negative feedback from the security community?
-The Recall program received negative feedback because it was seen as an invasion of privacy, as it collected a lot of personal data without explicit user consent. Additionally, security researchers found that the supposedly encrypted database could be accessed directly, raising concerns about data security.
What changes has Microsoft made to the Recall program in response to the feedback?
-In response to the feedback, Microsoft has made the Recall program an opt-in feature instead of opt-out, meaning users now have to actively choose to enable it. They have also improved the authentication process for accessing the database, requiring Windows Hello authentication to decrypt it.
How does the opt-in change affect the Recall program's default behavior?
-By making Recall an opt-in program, the default behavior is now that it is not enabled unless the user specifically chooses to enable it. This change is aimed at giving users more control over their data and privacy.
What is the Windows Hello program and how does it relate to the Recall program?
-The Windows Hello program is a biometric authentication system that uses facial recognition, fingerprint scanning, or other personal identifiers to verify the user's identity. In the context of the Recall program, it is used to authenticate the user before decrypting the database of collected metadata.
What concerns does the video presenter have about the decrypted state of the Recall database?
-The presenter is concerned that if the database is decrypted once the user has authenticated with Windows Hello, it might stay decrypted for an extended period, potentially allowing malware to access the data once the user has authenticated.
What is the presenter's view on the potential misuse of metadata collected by the Recall program?
-The presenter is worried that the metadata, even if not shared directly, could potentially be anonymized and used for personalized advertising, which he sees as an unethical use of personal data.
How does the Recall program handle snapshots in private browsing or with DRM-protected content?
-The Recall program does not save snapshots when the content is DRM-protected or when the user is in private browsing mode, as recognized by the Windows system.
What is the presenter's opinion on the future of AI in relation to data collection and privacy?
-The presenter expresses a concern that AI could become a tool for companies to collect metadata and use it for targeted advertising, similar to how Facebook was criticized in the past for its data collection practices.
What steps is Microsoft taking to ensure that Recall is used responsibly in enterprise environments?
-Microsoft is providing group policy controls that allow IT administrators to manage and potentially disable the Recall feature across their networks, giving enterprises the choice to opt out if they have concerns about its use.
Outlines
😟 Microsoft's Recall Program Raises Privacy Concerns
Microsoft's Recall program, initially an opt-out feature, has been updated to an opt-in feature after facing backlash due to its data collection practices. The program takes screenshots every 5 seconds on devices with co-pilot plus ARM CPUs running Windows, using local AI to collect metadata about on-screen content. This metadata is stored in a database that can be queried later. Despite improvements in database authentication, the core issue of continuous data collection remains a privacy concern. The video discusses the updates to Recall, including the requirement of Windows Hello authentication to decrypt the database, and raises questions about the potential misuse of collected data for targeted advertising.
🤔 Concerns Over AI and Data Collection in Recall Program
The video script addresses concerns over the Recall program's AI-driven data collection, which processes snapshots locally without internet or cloud connections. While snapshots are not shared, there are worries about the potential misuse of the collected metadata for personalized ad experiences. The script also mentions that Recall will now notify users when a snapshot is being taken, and it will not save snapshots during DRM-protected or private browsing sessions. The discussion highlights the need for enterprise and customer choice, suggesting that IT administrators may disable the feature due to security concerns. The video concludes with a critique of AI technology being used as a tool for metadata collection to enhance ad targeting, raising ethical questions about privacy and corporate responsibility.
Mindmap
Keywords
💡Recall Program
💡Co-pilot Plus ARM CPUs
💡Metadata
💡Opt-in Program
💡Windows Hello
💡Digital Rights Management (DRM)
💡AI Processor
💡Data at Rest
💡Group Policy
💡Cortana
💡Snapshots
Highlights
Microsoft released a preview build of its Recall program, which takes screenshots every 5 seconds and collects metadata using local AI processors.
Recall faced backlash from the security community due to privacy concerns.
Microsoft updated Recall with new security features in response to negative feedback.
Recall is now an opt-in program rather than opt-out, giving users more control.
Concerns raised about features like Cortana being enabled without user consent.
The Recall database will now only be decrypted after Windows Hello authentication.
Questions remain about how long the decrypted data stays accessible after authentication.
Snapshots are stored locally, and no internet or cloud connections are used for storage and processing.
Snapshots are not shared, but concerns exist about the potential misuse of collected metadata.
Users will be notified when Recall is actively taking snapshots.
Snapshots are not saved during digital rights management or private browsing sessions.
Enterprises will have the option to control Recall through group policy, likely leading to its widespread disablement.
The video creator expresses a broader concern about AI being used for metadata collection to improve ad experiences.
AI technology is seen as potentially harmful due to its use in personal data collection for targeted advertising.
The video concludes with a call for comments on the Recall program's updates and their implications.
Transcripts
a couple months ago Microsoft released
the preview build of its recall program
if you don't remember what that was and
I I hope you do because it's crazy uh
recall was a piece of software that
would sit on co-pilot plus arm CPUs that
ran windows and what it would do is it
would take screenshots of your computer
every 5 seconds and then collect
metadata about those screenshots like
the characters on the screen the images
on the screen using the local AI
processor in the Snapdragon CPU and then
store that metadata in a database that
you could query later to fure figure out
like when was the last time I looked at
purses was was the example that the news
did and obviously this program collected
a lot of negative feedback from the
security Community a lot of security
researchers were able to see that you
could just literally go and open the
database yourself even though it was
said to be encrypted at rest so
obviously it didn't get a lot of love
Microsoft just came back with a new
article a new update to their original
blog post that highlights some of the
new security features of recall there
are some slight improvements but I still
hate the idea as a whole so in this
video I want to talk about what the
updates are kind of give my thoughts on
those changes and kind of get your
opinion too I want to see in the
comments below what you think about the
recall program after these updates they
have made some improvements to how the
database is authenticated but overall
the idea of Microsoft taking screenshots
every 5 Seconds even if stored locally
scares the crap out of me so let's Dive
Right In also if you're new here hi my
name is Ed this is Ol learning Chann
we're talk about software security cyber
security so if you're into that or just
want to hang out hit that sub button
really appreciate it so first of all
Microsoft is making recall an optin
program so originally when it was
announced it was going to be an opt out
program meaning that to disable recall
you had to one no recall was enabled and
then turn it off meaning that you had to
opt out of the program a recall is now
an opt in program which overall is
obviously a good thing but I have had
weird instances on my own personal
computer where features like Cortana for
example that I disable when I turn
windows on when I install Windows on my
computer mag Ally get turned on without
my permission or consent so I don't know
if that's a misconfiguration thing if
that's a marketing thing where windows
or Microsoft are trying to push their
features and turning them on without my
consent um but I have seen that happen
before it's not only me but people
around the community have had like
magical Microsoft Windows features turn
on by themselves um so if that's going
to be the case with the recall not a
huge fan of that but I mean at least
we're going in the correct direction
where you know we're making it so that
it's not on by default the the example
that I give with all of these things is
I I I think of my grandmother who
doesn't know anything about computers
and is what should be thought of as like
the default user of of software if she
is not able to even understand the
technology or understand or consent to
the technology and just have this
repository of information about her
browsing history or or Computing habits
I think that's a bad thing I think the
average user should not be subjected to
that without consenting to it so optin
is a step towards getting consent right
the recall database now says that it
will only be decrypted once you've
authenticated Through the Windows hello
program so the windows hello program is
effectively they use not not biometric
authentication but you have to either
show your face or your fingerprint or
some other like I am actually this
person kind of authentication that's
processed in the CPU to decrypt that
database now the question is does that
mean that if I log into my computer with
Windows hello the database is now
decrypted until I log out is it when the
window is locked is it when the desktop
is locked how long does that data stay
decrypted at rest because if any kind of
malware is on the computer and they want
access to that data all they're going to
do is wait until I'm properly
authenticated to access that data and
then just steal it all I think the core
of my issue with the recall program is
that there is literally just a corpus of
data that is on my computer that I don't
want to be on my computer right it would
be like if I stored all of my personally
identifiable information about me and my
family and my kids like socials tax
returns uh school records I don't know
all that stuff in one folder and just
hoped that it was never accessible at
the wrong time that's why I have
literally in that closet is like a
cabinet full of records that no one can
get to unless you're in my house in the
backmost room of my of my house right
I'm literally in my basement right now
so I think that in and of itself just
having that data anywhere is a threat
now obviously making it authenticated
and making it decrypted at the right
time is a step in the right direction
right I mean originally the data was
just decrypted when bit loock was
decrypted which means that if the system
is on the data was decrypted that was a
huge security oversight on Microsoft
part I'm not really sure how that got
through any kind of Security review
given that if the computer is enabled
the database is encrypted therefore it
is not encrypted at rest like it's
encrypted at rest but in like a weird
scummy marketing way where like it's not
really you can just sell it like that
legally I don't know wasn't a big fan of
that now also in the blog post they did
update with like some major security
points to try to I think ease some of
the the fears about recall first of all
snapshots are stored locally co-pilot
PCS a powerful AI that work on your
devices behalf no internet or Cloud
connections are used to store and
process snapshot so that is one thing
that's like reassuring they're not going
to like take your your screenshot send
it off to the magical you know Microsoft
cloud Center process it there it is
happening locally on your own AI
processor uh snapshots are not shared so
this has gotten people a little nervous
because they say that snapshots are not
shared but like this this is the Crux of
every argument about corporate data
collection
okay so like the snapshots aren't shared
right but is the optical character
recognition data the metadata that is
stored in that database is that now
anonymized and then like sold to Google
as ad data so they can give me
personalized ads I mean there were even
ads that are paid out to Microsoft and
Google in browsers like Edge for example
and if this is just another clever way
of collecting personalization data I
don't think that that's cor I don't
think that's right I don't know if
that's happening or not I'm just saying
there is the potential for that kind of
overreach to happen I mean so like my
wife and I share uh Instagram reals with
each other and I know for a fact that
the minute I install Instagram on my
iPhone I get more personalized ads and I
get ads about things that we are talking
about like they are probably collecting
microphone data and anonymizing it for
personalized ad experience some legal
um but it it is not uncommon
for this to happen so while the
snapshots themselves are not shared is
the metadata about them shared what
what's going on with that you will know
when recall is saving snapshot so like
if you have an iPhone for example you
get a little light that lights up when
the camera is being used when your
location is being used when your
Bluetooth is being used so now they're
going to have a little thing that says
hey watch recall is actively taking
screenshots which again step in the
right direction but it doesn't fully fix
the problem of the fact that they're
taking screenshots in general digital
rights managed or in private browsing
snapshots are not saved so basically if
you are using a piece of content that
overly supports DRM or has in private
browsing in a way that the windows
interel knows about um it will not
capture those snapshots but again this
isn't security by default like I have to
now go into a more secure Mo mode to
avoid the snapshots now again at this
point obviously if you're using this
program you've opted in so I guess you
kind of know about that um I I just I
I'm not super sure how I feel about that
one and then this is a big one
Enterprise and customer choice so this
was a big concern concern for people
that worked as like it administrators at
big companies are they going to have to
now administer and monitor the recall
databases on every co-pilot enabled PC
that exists in their Network there are
some corporate networks that have
literally thousands tens of thousands of
PCS and if they have to worry about a
single compromise removing the security
of the last you know if it's gone on for
a long enough time 5 years of collected
data that's that's a really really
really bad thing so I think they're
going to give at the group policy
probably level the ability for it admins
to control this and by that likely
everyone that I know is going to disable
this feature right no no one in their
right mind at the corporate it level is
going to use this feature we're are on a
journey to build products experiences
that live up to our company Mission to
empower people and organizations to
achieve more and are driven by the
critical importance of maintaining our
customers privacy security and Trust
more corpo I don't know dude
I'm I'm going to make a whole separate
video about this I genuinely believe
that AI is evil and what I mean by that
is like the technology itself llms the
the the math and the science behind AI
is all well and good but we are just
creating another excuse for companies to
shill things at us that we don't need in
exchange for metadata collection to
improve ad experiences I I think that AI
is going to be in 10 years the Facebook
of 2016 right it was a feature that
started out as a good thing and once
companies realized that they could slurp
up a little bit of anonymized metadata
and use that to shill ads I I don't see
why they wouldn't and this just seems
like another way of getting really scary
personal information about people uh and
and knowing their trends that like every
Wednesday you know like can going back
to the news example every Wednesday you
know Danielle searches for purses on
eBay and now they know to send her ads
and like that I don't know man it
just scares me I hope you're not too
scared by this I hope that this goes in
in the correct again it's it's trending
in the right direction they're making it
a little more secure but just the fact
that we even have programs like this
features like this makes me a little uh
a little weird I don't know anyway if
you enjoyed this video if you thought it
was weird if you want to tell me what
you think put it in the comments down
below hit subscribe also I feel like no
one knows this but I stream on Twitch if
you want to hang out with me live I do
stream on twitch.tv/ LL learning I might
be live right now and I'll see you in
the next one thanks guys
5.0 / 5 (0 votes)