Tested: Microsoft Recall can still capture credit cards and passwords
64 points
by rntn
14 hours ago
| 2 comments
| theregister.com
| HN
Bender
14 hours ago
[-]
I still can not comprehend why Recall is not considered spyware, especially by people here on HN of all places. I would expect that by now there would be popular tools to real time stream-convert all data written to be RickRolls.
reply
JonChesterfield
10 hours ago
[-]
I'd like to know why the competitors, customers and suppliers of Microsoft are all completely at peace with sending their email through outlook, discussing their operations through teams, and running the entire stack on windows with built in telemetry features. I've never had a better result than blank incomprehension when raising that as a risk with IT teams.
reply
vips7L
8 hours ago
[-]
Because it genuinely doesn’t matter. All of those companies are still making money.
reply
ranger_danger
9 hours ago
[-]
I regularly work with a firm that specializes in security/crypto and reverse engineering... and their extreme reliance on Microsoft and proprietary software in general is baffling to me.
reply
dmitrygr
14 hours ago
[-]
Who said it was not considered such? It is spyware.
reply
Bender
14 hours ago
[-]
I've been gas-lit in the past here by people claiming its a great addition and can be ingested by AI and all the wonderful things they can do with it. I do not my data in anyone's AI. Not local. Not remote. Not for any reason.
reply
dmitrygr
13 hours ago
[-]
Something can both have high utility and be evil. For example 24/7 surveillance and universal shock collars would have great utility in ending crime. But would also be evil.
reply
Bender
13 hours ago
[-]
Indeed. I do not want any surveillance shock collars on my system. It should be trivial to remove it and have confidence it will never show up again.

I have installed many surveillance systems but the difference is I fully control them and I know that they can not upload data without going out of my way to make that happen. Local DMZ on separate physical network, Chroot SFTP-Only server, no internet routing, no DNS, etc... push-pull

reply
_zoltan_
8 hours ago
[-]
I think Recall is a great idea and there is little echo chamber here against it
reply
ranger_danger
13 hours ago
[-]
I have not seen any evidence that it actually ever sends any captured data over the internet... wouldn't that be a prerequisite for most definitions of 'spyware'?

There's also OpenRecall if you prefer a FOSS solution.

reply
Bender
13 hours ago
[-]
If it is stored locally that is the same as stored remotely as far as I am concerned. I have decades of experience with Microsoft to know better than to trust their pinky-promises. I do not need to wait and see evidence each time Microsoft does something shady. It might take a decade or more for the truth to leak out.

If some form of AI is running locally it can extract summarized information and upload it in a tiny file much like Discord can silently transcribe voice to obfuscated and compressed text in the background for private chats.

Anything that even smells like Recall must be opt in and give people good incentives to install it even before considering the possibility of anything being uploaded. If there isn't anything shady occurring then I should be able to click "Uninstall" in apps and it removes all the code. If I can't single click remove it there is a reason.

Regarding FOSS, whether a tool is open or closed source does not expose the dark patterns that can be implemented by the operator which in this case is not the owner of the laptop or workstation. I can do nefarious things with open source tools, as can Microsoft. They are the administrators of this service running on peoples machines. I can use powershell to upload files from a persons machine, as can Microsoft. Every operating system have all the tools a spy would need built in to gather, obfuscate and upload data silently in the background.

reply
JonChesterfield
10 hours ago
[-]
The problem there is the decades. They've done an extremely solid job with PR over the last five, maybe ten years. Now everyone knows Microsoft are lovely people making everything better. The prior behaviour can perhaps be forgotten.

Though they acquired github (to be nice) and fed all the GPL'ed code they could find into LLMs (to be nice) and now open source is moribund, which is rather in keeping with the effect of previous strategic moves, but sort of plausibly deniable as an aggregate effect.

reply
VohuMana
13 hours ago
[-]
I’m not up to date with how the filter is supposed to work, the article mentions it hides Google Password Manager but didn’t hide passwords in plain text in a notepad text file. Seems like maybe programs have to indicate they should be hidden from Recall?

That said the feature still seems kinda dumb to me and feels very much like a solution in search of a problem. There is a ton of data on a device which doesn’t require screen shotting everything. Want to help the user find some website they visited long ago? Just parse every web page the user visits and summarize it no screen shot necessary

reply
bastawhiz
9 hours ago
[-]
> Seems like maybe programs have to indicate they should be hidden from Recall?

That's not a solution, though. If I use Obsidian to store sensitive information about my business, does Obsidian need to know that the information is sensitive and to tell Windows not to look at it? How would it possibly know?

Fundamentally the user is the one who knows, and telling the OS whether every last thing is safe to index or not it's simply a non starter. Hell, even trusting the user to reliably and accurately tell you what is actually sensitive or not isn't going to work either.

reply
VohuMana
9 hours ago
[-]
Agreed, I don’t think there is a reliable way to actually achieve what Recall is trying to accomplish. I think if all the models and stuff strictly ran locally with no chance of leaving the box it wouldn’t be as much of an issue at that point it would be the same as if you stored all your passwords in a text file.
reply