Recall drawing regulatory scrutiny in the UK — Microsoft's AI Copilot+ feature a 'privacy nightmare'

 Microsoft branding for Copilot+ PC.

Microsoft's new AI tools are drawing concern from the UK's Information Commissioner's Office (ICO), with the recently announced "Recall" feature of Copilot+ PCs being named a potential security risk. The ICO joins industry veterans and privacy campaigners in investigating the safety of Recall, a snapshot-collection feature turned "privacy nightmare".

"We are making enquiries with Microsoft to understand the safeguards in place to protect user privacy," said an ICO spokesperson. The ICO, the UK's office for data protection and user privacy, says that firms like Microsoft "must rigorously assess and mitigate risks to people's rights and freedoms" before offering new products or services. Dr. Kris Shrishak, adviser on privacy at the Irish Council for Civil Liberties, went a step further, saying that "[Recall] could be a privacy nightmare. The mere fact that screenshots will be taken during use of the device could have a chilling effect on people."

As we previously reported, Recall could potentially pose some serious privacy risks even if it works as advertised. The new feature is a part of Microsoft's new Copilot+ PC family of laptops, Arm-based Windows machines tuned for AI performance, and a suite of AI upgrades to leverage their new NPU power. Recall remembers what you've seen on your computer for you, taking screenshots every few seconds to curate a full log of your activity in case you forget where you've seen something. The AI comes in as you search your history, for example bringing up all images with "red shoes" in them when you search for "red shoes".

While Microsoft claims the snapshots are entirely locally stored, this still poses a massive potential privacy risk. Anyone who can log into your computer—locally or remotely—could be privy to your Social Security numbers and uncensored passwords, sensitive chats, or other private matters. Recall can be paused, and certain applications can be excluded from Recall's snapshots, but it will be baked into the Windows operating system starting with Windows 11 24H2 on Copilot+ PCs, and can't be fully removed or disabled (editing the registry might do it, but that carries risk).

Microsoft, for its part, claims that Recall is a safe feature. "Microsoft built privacy into Recall’s design from the ground up," says an FAQ on the Microsoft blog. Recall will not capture any DRM-protected content, and its snapshots will be doubly protected through data encryption and BitLocker, which will be automatically installed on all Windows 11 24H2 updates. But beyond not snapping DRM content (more an anti-piracy than pro-safety decision), Recall won't perform any content moderation, leaving passwords and sensitive info fully unblurred in its storage. "Recall is a key part of what makes Copilot+ PCs special", after all, so Microsoft will do its utmost to keep it around; without Recall, Copilot+ gets pretty boring.

Copilot+ PC's features may help the new laptops sink or swim, so its flagship gimmick being such a risk does not bode well for the release on June 18th. This casts a slight fog on Qualcomm's triumphant entry into the Windows laptop space with its groundbreaking Snapdragon X series processors. Copilot+ and Snapdragon X also mark Microsoft's first real attempt to make Windows-on-Arm work, which is to some the most exciting facet of Copilot+ PC. And Qualcomm won't be alone for long, as Dell hinted at Nvidia-made Arm processors for PC coming soon.