It’s a nightmare scenario for Microsoft. The headlining feature of its new Copilot+ PC initiative, which is supposed to drive millions of PC sales over the next couple of years, is under significant fire for being what many say is a major breach of privacy and security on Windows. That feature in question is Windows Recall, a new AI tool designed to remember everything you do on Windows. The feature that we never asked and never wanted it.
Microsoft, has done a lot to degrade the Windows user experience over the last few years. Everything from obtrusive advertisements to full-screen popups, ignoring app defaults, forcing a Microsoft Account, and more have eroded the trust relationship between Windows users and Microsoft.
It’s no surprise that users are already assuming that Microsoft will eventually end up collecting that data and using it to shape advertisements for you. That really would be a huge invasion of privacy, and people fully expect Microsoft to do it, and it’s those bad Windows practices that have led people to this conclusion.
I’ve worked extensively in the Enterprise environment, and data exfiltration is a massive concern for any company with intellectual property, which is most of them.
Having data leak at all, another vector for exfiltration, is a huge huge risk.
Heck, I’d be surprised if Microsoft itself let its own developers run Total recall
As an infosec professional for way longer than I care to remember, you are preaching to the choir. That said, all of our clients are both large enterprise and critical infrastructure, and they all log (and mine) everything. Not only that, they are shipping this directly to third parties. It makes me break out into a cold sweat every time I think about it, but here we are.
PS: OK, all the US based ones. Our EU based client does not do this to my knowledge and I assume it has to do with EU regulations, but that’s just a wild guess.
Good point. But the companies are at least controlling the data pathway, being aware of it, signing off on it, doing it for their benefit.
And I imagine at least for the US companies, every company they exfiltrate data to, is contractually obligated to keep their data private