WEBVTT

00:00:00.000 --> 00:00:03.320
This time last year, Microsoft rushed Windows Recall

00:00:03.320 --> 00:00:07.840
into public testing, allowing AI PCs, whatever those are,

00:00:07.840 --> 00:00:12.840
to record, catalog, and even revisit all user interactions.

00:00:12.840 --> 00:00:17.840
You know, in case you forgot how to open up your browser history or scroll up in a chat window.

00:00:17.840 --> 00:00:22.800
And to say that that rollout went poorly would be a gross understatement.

00:00:22.800 --> 00:00:28.680
I really don't know what they were expecting though. I mean, days prior, CEO Satya Nadella called for Microsoft

00:00:28.680 --> 00:00:32.680
to prioritize security above all else.

00:00:32.680 --> 00:00:38.440
And then they immediately start pushing this app that not only records everything that appears

00:00:38.440 --> 00:00:44.240
on the screen of your computer, but also utilizes the AI capabilities of said computer

00:00:44.240 --> 00:00:48.640
to turn everything it sees into an easily searchable database.

00:00:48.640 --> 00:00:52.000
Now, Microsoft claim was that all of that's fine

00:00:52.000 --> 00:00:57.440
and that Recall is totally secure. Unfortunately, that held up for about as long as it took

00:00:57.440 --> 00:01:01.600
for someone to download the preview and then track down the folder that it was writing to,

00:01:01.600 --> 00:01:05.480
at which point the entire internet lost its collective mind

00:01:05.480 --> 00:01:10.000
over how absolutely not secure it actually was.

00:01:10.000 --> 00:01:13.720
Now, it was about that time that we wrote this video,

00:01:13.720 --> 00:01:17.080
tearing the whole thing apart. But then as we were set to film it,

00:01:17.080 --> 00:01:22.400
Microsoft announced that they would postpone Recall in response to the community's concerns.

00:01:22.400 --> 00:01:26.480
And here we are a year later and Recalls back, baby.

00:01:26.480 --> 00:01:32.200
But have all the problems really been addressed? I mean, was it even that bad before it got delayed?

00:01:32.200 --> 00:01:34.920
Am I ever gonna segue to our sponsor?

00:01:37.920 --> 00:01:42.920
Before we go any further, what is Recall again?

00:01:46.880 --> 00:01:54.560
And what was everyone so upset about last time? I can't seem to recall, records everything

00:01:54.600 --> 00:01:57.880
that appears on the screen of your computer. Oh, that's it.

00:01:57.880 --> 00:02:01.680
Windows Recall takes screenshots, they call them snapshots,

00:02:01.680 --> 00:02:06.040
of whatever it is that you're doing on your PC every few seconds and then feeds them

00:02:06.040 --> 00:02:10.920
through AI-assisted optical text recognition and image analysis, then stores it all

00:02:10.920 --> 00:02:13.960
in a local database for your convenience.

00:02:13.960 --> 00:02:17.560
And they only need 10% of your hard drive space to do it?

00:02:17.560 --> 00:02:21.280
Outstanding. The idea then is that you can fire up Recall

00:02:21.280 --> 00:02:24.480
and ask it things like, hey, what was that Korean restaurant

00:02:24.480 --> 00:02:27.720
that Alice mentioned the other day? And then without you needing to remember

00:02:27.720 --> 00:02:33.480
whether it was an email, a Teams message, or a random calendar invite, Recall will crap out

00:02:33.480 --> 00:02:38.200
a snapshot that has the result for you. You can even copy and paste text and images

00:02:38.200 --> 00:02:43.560
from within those saved snapshots to easily search or share them, which I have to admit,

00:02:43.560 --> 00:02:48.960
does sound kind of nifty. And supposedly it is a lot more secure now,

00:02:48.960 --> 00:02:52.160
but I am not gonna take Microsoft's word for it.

00:02:52.160 --> 00:02:55.520
Not when I can compare them both side by side.

00:02:55.520 --> 00:02:59.280
You see, this machine is running new Recall.

00:02:59.280 --> 00:03:02.920
You don't need anything super special to use it, just a co-pilot plus ready PC

00:03:02.920 --> 00:03:06.240
that meets the secured core standard. Also a couple of other things

00:03:06.240 --> 00:03:09.960
that any such machine would likely have. But that wasn't always the case.

00:03:09.960 --> 00:03:14.760
See, the original Windows Recall was only officially available on laptops

00:03:14.760 --> 00:03:17.760
with Snapdragon X Elite and X Plus processors,

00:03:17.760 --> 00:03:21.800
which unfortunately we didn't have access to at the time.

00:03:21.800 --> 00:03:25.080
But thanks to a legend by the name of Albuquer,

00:03:25.080 --> 00:03:28.840
we were able to get it up and running on this old HP Elite Folio,

00:03:28.840 --> 00:03:33.320
which conveniently has been powered down with its radios off going,

00:03:33.320 --> 00:03:38.560
la la la la la, I can't even use Windows update. Since before Microsoft delayed the launch,

00:03:38.560 --> 00:03:43.160
allowing us to compare old Recall to new Recall.

00:03:43.160 --> 00:03:48.320
Let's see exactly what's different. Well, for starters, Recall is now hopped in

00:03:48.320 --> 00:03:53.320
instead of being on by default. That is a very big improvement.

00:03:53.320 --> 00:03:58.440
But with that said, Microsoft has a long, proud history of using dark patterns

00:03:58.440 --> 00:04:02.600
to trick you into changing default system settings or even just changing them on their own.

00:04:02.600 --> 00:04:06.120
So I'm gonna believe that this is permanent when I see it.

00:04:06.120 --> 00:04:10.600
What else has changed? Well, Microsoft now says that Recall is secure

00:04:10.600 --> 00:04:13.800
with the data encrypted, protected by BitLocker

00:04:13.800 --> 00:04:17.320
and requiring Windows Hello authentication.

00:04:17.320 --> 00:04:23.400
Of course they said it was secure a year ago too though, so let's make our way through this helpful FAQ from 2024

00:04:23.400 --> 00:04:28.240
and compare what they said then and how it behaves on both of our machines.

00:04:28.240 --> 00:04:32.280
Let's see here. Recall snapshots are kept on the local hard disk.

00:04:32.280 --> 00:04:38.080
Okay, that was true before. In fact, they're right here in this core AI platform folder

00:04:38.080 --> 00:04:41.960
under the user's local app data and okay.

00:04:41.960 --> 00:04:46.400
Yep, that looks like it's still true. How about data is protected

00:04:46.400 --> 00:04:49.480
using disk encryption and BitLocker?

00:04:49.480 --> 00:04:52.840
Well, that was at least partly true back in 2024,

00:04:52.840 --> 00:04:56.080
but it was also pretty misleading.

00:04:56.080 --> 00:05:00.480
See, BitLocker would protect your data, including your Recall snapshots.

00:05:00.480 --> 00:05:03.640
If somebody stole your device, but if you were logged in

00:05:03.640 --> 00:05:07.760
and you just stepped away for a moment, then those snapshots would be protected

00:05:07.760 --> 00:05:11.600
only by Windows permissions. And I don't know all this for sure,

00:05:11.600 --> 00:05:14.880
but I think most lead hacksaws are pretty good

00:05:15.000 --> 00:05:19.600
at clicking continue. All right, let's see what else we've got here.

00:05:19.600 --> 00:05:22.680
We've got show file extensions on, by the way.

00:05:22.680 --> 00:05:27.680
So I'm gonna go it on a limb and guess that this .db file here is the database.

00:05:27.680 --> 00:05:32.920
And if we look at the file header in a hex editor, it looks like it's just a SQLite database.

00:05:32.920 --> 00:05:36.240
So we can use any of the dozens of free tools out there to interact with that.

00:05:36.240 --> 00:05:39.280
And there it is.

00:05:39.280 --> 00:05:41.720
Look at all that plain text.

00:05:42.880 --> 00:05:46.160
Oh my God. I read about this back then,

00:05:46.160 --> 00:05:50.320
but I didn't actually look at it for my... It's just plain text.

00:05:50.320 --> 00:05:54.600
Yeah. That's wild. And if I stretch my detective skills

00:05:54.600 --> 00:05:58.680
just a little bit further, I would guess that that image store folder

00:05:58.680 --> 00:06:01.880
is full of images.

00:06:01.880 --> 00:06:06.840
Oh no, they're not images. They're unknown files.

00:06:06.840 --> 00:06:10.040
I can't surely do anything about this.

00:06:10.040 --> 00:06:13.160
Open with hex editor.

00:06:15.360 --> 00:06:20.600
And would you look at that? J-F-I-F, which means...

00:06:20.600 --> 00:06:21.440
Oh my God.

00:06:25.280 --> 00:06:29.680
Boop. Watch this. I accidentally figured this out. If I click and drag,

00:06:31.360 --> 00:06:35.280
it previews it. Now all I need to do is open it and...

00:06:36.280 --> 00:06:39.160
Wow. I hacked it.

00:06:40.040 --> 00:06:43.440
Oh man, that's a yikes. So that's it.

00:06:43.440 --> 00:06:47.160
That's what Jordan was doing on his computer at some time.

00:06:47.160 --> 00:06:53.120
All the metadata is just in there. Okay, timestamp 2023, December 4th,

00:06:53.120 --> 00:06:57.600
because this computer is set to 2024. So that's, yeah, that probably is...

00:06:57.600 --> 00:07:01.600
Yeah, that's about right there. When we were looking at it, pathetic. Let's look at the new one.

00:07:01.600 --> 00:07:06.040
This database file right there, AES encrypted.

00:07:06.040 --> 00:07:11.160
Also, where we had plain text before. Now we have not so plain text.

00:07:11.160 --> 00:07:16.320
Scrambled, he scrambled. That's what we wanna see. Okay, what about the image store folder though?

00:07:16.320 --> 00:07:19.880
It's empty. It's a different folder now. A sim store. Okay, all right.

00:07:19.880 --> 00:07:23.400
Cleverly hid them. Yeah. This, probably a JPEG.

00:07:23.400 --> 00:07:28.360
Let's try the same trick, okay? No thumbnail preview.

00:07:28.360 --> 00:07:31.880
And if we try to open it, no dice.

00:07:31.880 --> 00:07:36.520
Okay. Everything seems to be actually encrypted this time.

00:07:36.520 --> 00:07:39.960
So I gotta give Microsoft a point on our scoreboard

00:07:39.960 --> 00:07:43.000
for fixing that. But then I've also gotta take a point away

00:07:43.000 --> 00:07:48.520
for lying about it in the first place. So then, okay, old recall minus one point,

00:07:48.520 --> 00:07:52.680
new recall zero points. Let's have a look at our next claim here.

00:07:52.680 --> 00:07:59.120
Microsoft won't view your recall data or make it available for targeted advertisements.

00:07:59.120 --> 00:08:02.720
The skeptic in me wants to add yet to the end of that statement.

00:08:02.720 --> 00:08:06.240
But I would say that it was probably true when they were first testing

00:08:06.240 --> 00:08:11.600
and is probably still true at the time we're filming this. Though, once again, I feel it's a matter of time

00:08:11.600 --> 00:08:16.360
before they quietly change this and then hope that no one will notice.

00:08:16.360 --> 00:08:21.280
As for this next one, this is where things get objectively really bad.

00:08:21.280 --> 00:08:26.720
Snapshots are only available to the person whose profile was used to sign into the device.

00:08:26.720 --> 00:08:31.840
If two people share a device, they will not be able to access each other's snapshots.

00:08:31.840 --> 00:08:34.840
Okay. When we tested this back in 2024,

00:08:34.840 --> 00:08:39.240
that was a straight up lie and potentially a really dangerous one.

00:08:39.240 --> 00:08:43.000
By simply creating an administrator account on the same machine,

00:08:43.000 --> 00:08:46.400
I could easily navigate to any other user's app data folder

00:08:46.400 --> 00:08:50.640
and then check out anything that they had ever done on the computer.

00:08:50.640 --> 00:08:54.340
Now, I hate to even have to bring up such horrible scenarios,

00:08:54.340 --> 00:08:58.560
but guys, imagine this in the case of a journalist

00:08:58.560 --> 00:09:03.840
in an oppressive regime whose device was seized by force or for a victim of domestic abuse

00:09:03.840 --> 00:09:09.320
who was trying to find help online. As recall was implemented in 2024,

00:09:09.320 --> 00:09:13.120
a bad actor could have seen everything their victim had done on the computer

00:09:13.120 --> 00:09:15.680
and that was enabled by default.

00:09:16.520 --> 00:09:21.200
Fortunately, that seems to have changed now.

00:09:21.200 --> 00:09:24.580
Okay, stop recording OBS. You'll have to take my word for it.

00:09:24.580 --> 00:09:29.360
I'm signing out. I'm signing in as other user. According to my platform.

00:09:29.360 --> 00:09:32.920
Okay, P continue, okay. So all this still works,

00:09:32.920 --> 00:09:35.740
but because it's all encrypted,

00:09:37.600 --> 00:09:42.280
we can't view it. So with the shift to opt in,

00:09:42.280 --> 00:09:47.960
the addition of Windows Hello authentication and things seemingly actually being encrypted this time,

00:09:47.960 --> 00:09:52.160
it is a little less horrifying, but I still don't think Microsoft has gone far enough

00:09:52.160 --> 00:09:55.600
to educate users on the dangers of this feature.

00:09:55.600 --> 00:09:58.600
See, people do still share accounts in 2025

00:09:58.600 --> 00:10:01.960
and I guarantee you that most of your normie friends

00:10:01.960 --> 00:10:05.060
are not gonna pay attention to all the little icons

00:10:05.100 --> 00:10:10.580
that are down in their system tray. So saying, oh yeah, that little blue squiggle,

00:10:10.580 --> 00:10:14.540
that means you're getting surveilled. That doesn't really cut it for me.

00:10:14.540 --> 00:10:17.700
Also, the old FAQ claimed that recall

00:10:17.700 --> 00:10:21.340
couldn't be accessed by other applications or services,

00:10:21.340 --> 00:10:24.820
but while it is possible that other Microsoft apps

00:10:24.820 --> 00:10:29.580
didn't access the stuff back in 24, within days of the preview launch,

00:10:29.580 --> 00:10:32.700
there were multiple tools that could extract recall data,

00:10:32.700 --> 00:10:38.340
both locally and remotely. So that particular claim feels at the very least

00:10:38.340 --> 00:10:42.920
like a lie by omission. Take a look at Total Recall, for example.

00:10:42.920 --> 00:10:48.340
The media called this a hacker tool, but what it really is is a few dozen lines of Python

00:10:48.340 --> 00:10:52.420
that an AI assistant could probably crap out for you in about 30 seconds.

00:10:52.420 --> 00:10:55.840
Total Recall copied the images and the database folder,

00:10:55.840 --> 00:11:00.140
made a handy little report of all your window titles, and if you scrolled through it,

00:11:00.140 --> 00:11:04.940
led to the discovery of yet another lie from our pals at Microsoft.

00:11:04.940 --> 00:11:11.900
Microsoft claimed back then that recall didn't record incognito Windows in most common browsers,

00:11:11.900 --> 00:11:18.200
Edge, Firefox, Opera, and Google Chrome, but plain as day, here's a window title from Fark.com,

00:11:18.200 --> 00:11:22.160
which we only visited in a brief incognito session.

00:11:22.160 --> 00:11:25.340
Anyway, back to other apps being blocked from recall data,

00:11:25.340 --> 00:11:29.940
at least on the new one because they're encrypted, something like Total Recall couldn't be just

00:11:29.940 --> 00:11:36.620
randomly created by a third party, but it's also clear that Microsoft isn't even pretending

00:11:36.620 --> 00:11:39.700
that their own apps can't access the data anymore.

00:11:39.700 --> 00:11:43.620
On our new machine, the new click-to-do co-pilot feature

00:11:43.620 --> 00:11:47.260
requires recall to be enabled and is, by all appearances,

00:11:47.260 --> 00:11:51.900
a other app or service, so lie then,

00:11:51.900 --> 00:11:57.320
and I guess it's gone from the FAQ now, so no longer a lie, but certainly a change.

00:11:58.620 --> 00:12:02.140
Anywho, the 2025 flavor of Recall adds a toggle

00:12:02.140 --> 00:12:08.460
that will filter sensitive information automatically, which seems to be enabled by default, which is something,

00:12:08.460 --> 00:12:11.820
but it relies on the AI recognizing

00:12:11.820 --> 00:12:17.460
that any information that you have on-screen is sensitive, and I really don't know if I would trust this guy

00:12:17.460 --> 00:12:20.500
to determine if my on-screen data is sensitive or not,

00:12:20.500 --> 00:12:24.060
at least not yet. So what's the bottom line here?

00:12:24.060 --> 00:12:27.300
Well, I gotta give Microsoft some credit.

00:12:27.300 --> 00:12:31.180
They could have just powered forward and released Recall in its primitive state,

00:12:31.180 --> 00:12:34.380
but instead, they listened to the outrage of the tech community

00:12:34.380 --> 00:12:38.620
and are making what looks like a serious effort to address many of the issues

00:12:38.620 --> 00:12:41.660
with their original Recall launch.

00:12:41.660 --> 00:12:45.780
But with that said, I still oppose the existence of this feature

00:12:45.780 --> 00:12:49.740
because of what it means for our collective privacy, because here's the thing,

00:12:49.740 --> 00:12:53.020
even if you don't turn on Recall yourself,

00:12:53.020 --> 00:12:59.300
how do you know that everyone you're emailing or maybe messaging in signal hasn't linked their PC

00:12:59.300 --> 00:13:04.700
that has Recall turned on? Now, Signal has announced a new, enabled-by-default setting

00:13:04.700 --> 00:13:09.820
to prevent screen capture of signal chats on Windows, but that doesn't cover you for any other chat

00:13:09.820 --> 00:13:13.940
and it doesn't prevent someone from turning capture on in signal

00:13:13.940 --> 00:13:18.220
if, say, grandma likes to use Recall to help her remember things.

00:13:18.220 --> 00:13:21.460
And I mean, yeah, that is pretty useful for her,

00:13:21.460 --> 00:13:24.500
but should baby pictures and a family WhatsApp

00:13:24.500 --> 00:13:28.100
really be slurped into a Microsoft-managed database?

00:13:28.100 --> 00:13:31.540
And yeah, I know, I know, I know. It's stored locally and it's encrypted,

00:13:31.540 --> 00:13:34.620
but data is only local until it's been stolen

00:13:34.620 --> 00:13:39.580
and it's only encrypted until some quantum bulls*** breaks that encryption.

00:13:39.580 --> 00:13:43.780
The very existence of Recall makes Windows a less secure platform

00:13:43.780 --> 00:13:48.220
because in the very near future, all compatible Windows 11 machines

00:13:48.220 --> 00:13:54.300
are going to have a built-in tool that gathers and catalogs an unprecedented wealth of information

00:13:54.300 --> 00:13:57.780
about Windows users and then stores it in a convenient place

00:13:57.780 --> 00:14:01.940
for attackers to target. So if they're looking for some confidential information,

00:14:01.940 --> 00:14:04.940
the heavy lifting is done for them.

00:14:04.940 --> 00:14:10.260
What are we gonna have to do? Go back to writing letters? I mean, hey, at least we sell the scribe driver pen

00:14:10.260 --> 00:14:13.500
on LTTstore.com. You can use that to write a letter,

00:14:13.500 --> 00:14:16.660
although then there's definitely a physical record

00:14:16.660 --> 00:14:20.460
of what you wrote and the point is, I think Andrew Cunningham said it best

00:14:20.460 --> 00:14:25.660
on Ars Technica last year. Windows Recall demands an extraordinary level of trust

00:14:25.660 --> 00:14:30.180
that Microsoft hasn't earned. What a great turn of phrase.

00:14:30.180 --> 00:14:33.260
And what a great opportunity to tell you about our sponsor.

00:14:33.260 --> 00:14:36.420
If you guys enjoyed this video, maybe you'd like some mini rants

00:14:36.420 --> 00:14:39.620
about small problems that make tech big awful.