The controversial Microsoft Windows Recall AI app may still be in need of security work according to testing from the UK technology site, The Register.
The app, which takes screenshots of everything you do on your PC so you can find it later, supposedly has preventions to stop it from grabbing sensitive information like credit card numbers and passwords. However, the Register’s team recently tested Recall and discovered that the filter actually fails “in many cases.”
Recall has had a bumpy launch since it was announced as a new app for Copilot+ PCs in the summer of 2024. It was almost immediately pulled back due to security concerns, like capturing sensitive information.
The app stuttered into release and recall repeatedly, and was even caught capturing credit card numbers in December of 2024. It only recently returned to Windows Insiders in April of this year.
With Recall still in preview mode, Microsoft claims it’s safe and private with a filter called “Filter sensitive information” which is enabled by default and is supposed to prevent sensitive data from being captured.
The Register’s Avram Piltch used a Lenovo Yoga Slim 7x Copilot Plus PC with Recall enabled and entered in several types of personal information. He does credit the filter with excluding financial data, “some” passwords, and “most instances” of Social Security numbers.
However, he found that Recall snapped screenshots of his bank’s home page and a number of screens showing his balance and deposits. Though it did exclude his account and routing numbers.
From there, Piltch performed a number of tests excluding certain language from forms or pages or storing information in different spots on his computer and much to his surprise, Recall captured that information. In one example, he wrote in a Word Doc “My SS#” and it was filtered out but when he changed it to Soc. # it did get captured.
And in one case, a document with passwords was totally captured, especially dangerous since many people might still keep their passwords in unsecure documents on their PCs (something we highly discourage given that several of the best password managers are completely free) even if they’re not explicitly labeled “My passwords.”
To be fair to Microsoft, the app is still in preview mode and has been since October of 2024. A blog post from November did state that Microsoft teams are working to improve the functionality of the security filter. Though, the app is being pushed during the Windows onboarding process, so perhaps that preview mode shouldn’t be given as much slack.
You do have the option to block specific apps or websites from being captured. You have to go to Settings – Privacy & Security – Recall & snapshots. From there you can blacklist things. You could block your browser, though that might make Recall less useful especially if you work outside of Microsoft’s office ecosystem.
If you’re worried about Windows Recall potentially capturing your sensitive personal and financial data, there’s an easy way to avoid this feature entirely: don’t get a Copilot+ PC.
Windows Recall is designed to work specifically with laptops that use Qualcomm’s Snapdragon processors, so by going with one of the best laptops powered by an Intel or AMD chip for your next upgrade, you won’t have to worry about the potential security implications of this controversial feature at all.
Then again, Microsoft may decide to shelve Windows Recall for good at some point, especially given its lukewarm initial reception and the security and privacy issues it has faced already.
Follow Tom’s Guide on Google News to get our up-to-date news, how-tos, and reviews in your feeds. Make sure to click the Follow button.
More from Tom’s Guide
Back to Laptops
