Still collecting your data: Microsoft’s “Recall” surveillance feature fails to protect sensitive data, tests confirm

• Microsoft’s Windows Recall feature collects encrypted screen captures of user activity, including passwords and credit card details.
• Despite filters, tests reveal persistent vulnerabilities allowing sensitive data capture despite Microsoft’s security claims.
• Accessible via PIN-based Windows Hello, Recall’s “encrypted” archives remain at risk of exploitation.
• Privacy-conscious browsers like Brave block Recall entirely to shield vulnerable users.
• Security experts urge users to disable Recall to avoid compromising personal data.

Microsoft’s controversial Windows Recall feature, marketed as an AI-driven productivity tool, continues to capture and store sensitive user data—from credit card numbers to medical records—despite upgrades aiming to make it safer. Released in 2024, the feature takes constant screen snapshots for searchability but has sparked backlash after vigilant users and testers found its filters for sensitive information unreliable. New tests conducted this summer confirmed the tool still poses privacy risks, underscoring growing tensions over corporate oversight of personal devices.

The recall, rolled out with Copilot+ PCs and now integrated into Windows 11, stores encrypted screenshots locally on user devices. While Microsoft claims this protects privacy, independent researchers and Brav? browser developers argue the feature’s flaws make it a liability for consumers and a potential gateway for exploitation.

Tests expose filter flaws, credit card details and more

The Register’s recent analysis highlighted Recall’s inconsistent ability to block sensitive information.

• Credit card data: When testers removed form labels like “Payment” or “Card Number,” Recall captured full card details alongside transaction amounts.
• Passwords: While password fields on login screens were occasionally masked, typed passwords in unlabelled text files or partially obscured windows were stored unfiltered.
• Health and financial data: Bank account balances and medical search terms were recorded even when account numbers or Social Security digits were hidden.

“The filters are good, but not good enough,” said one cybersecurity researcher, emphasizing that inconsistent keyword recognition leaves users exposed. Microsoft’s filters also failed to uniformly block sensitive documents, with passports recorded when partially covered by other windows.

Encryption isn’t enough: PINs and remote access pose risks

While Microsoft stresses that snapshots are encrypted within a “Virtualization-based Security Enclave,” security experts contend this offers false comfort. The enclave relies on Windows Hello authentication—often a simple PIN—that can be bypassed.

“A four-digit PIN isn’t a secure barrier for someone determined to snoop,” explained O’Shea Randle, a privacy advocate at the Digital Civil Rights Foundation. “Remote access tools like TeamViewer can exploit weak PINs, granting unauthorized users full access to your Recall archives.”

This vulnerability heightens risks for domestic violence survivors and others in vulnerable situations. Brave browser developers recently blocked Recall entirely to prevent abusive partners or hackers from accessing browsing histories linked to support sites or medical consultations.

Brave’s defiance: Prioritizing privacy over productivity

In July 2025, Brave became the first major browser to disable Recall by marking all tabs as private. “Users shouldn’t have to choose between productivity and safety,” said Brave’s lead developer, Peter Snyder. “Privacy is a fundamental right, and we won’t let corporate shortcuts undermine it.”

Microsoft defended Recall as strictly local and under user control, but critics argue the invasive data capture—notably of unencrypted text files—contradicts this. “The ‘always-on’ tracking model inherently violates the spirit of user autonomy,” said security journalist Ken Macon.

Security experts demand corporate accountability

Analysts like Hans-Christian Dirscherl of PC-WELT warn that Recall’s flaws reflect deeper issues in AI-driven features requiring “opt-out of surveillance” rather than permission. “Consumers are told convenience justifies this data collection, but when safeguards fail, it’s privacy that pays the price,” he said.

Microsoft maintains that Recall is optional and transparent, with deletion features showing users how to purge archives. Yet, the tool’s auto-installation on Copilot+ PCs and 2025’s stealth rollout in mandatory Windows updates raise concerns about covert data harvesting.

The coming privacy clash: Innovation at what cost?

As AI reshapes tech landscapes, stories like Recall’s illustrate the need for strict corporate accountability. For now, privacy experts recommend disabling the feature via tools like O&O ShutUp10 or Group Policy edits. “Tech users must demand transparency—and lawmakers must act to enforce it,” said Randle.

With major browsers taking a stand, Microsoft faces mounting pressure to rethink its approach. Until then, Recall’s encryption-enclave system remains a metaphor for modern tech surveillance: half-hearted protections masking a system prone to exploitation.

Sources for this article include:

ReclaimTheNet.org

PCWorld.com

MojoAuth.com

BornCity.com