WEBVTT

00:00:00.160 --> 00:00:08.160
This time last year, Microsoft rushed Windows recall into public testing,

00:00:04.880 --> 00:00:11.440
allowing AI PCs, whatever those are, to

00:00:08.160 --> 00:00:14.000
record, catalog, and even revisit all

00:00:11.440 --> 00:00:17.840
user interactions. You know, in case you forgot how to open up your browser

00:00:15.440 --> 00:00:22.960
history or scroll up in a chat window. And to say that that rollout went poorly

00:00:20.400 --> 00:00:26.320
would be a gross understatement. I really don't know what they were

00:00:23.920 --> 00:00:32.719
expecting, though. I mean, days prior, CEO Satin Nadella called for Microsoft

00:00:28.720 --> 00:00:34.960
to prioritize security above all else.

00:00:32.719 --> 00:00:39.040
And then they immediately start pushing this app that not only records

00:00:37.280 --> 00:00:44.800
everything that appears on the screen of your computer, but also utilizes the AI

00:00:42.399 --> 00:00:50.000
capabilities of said computer to turn everything it sees into an easily

00:00:46.879 --> 00:00:52.079
searchable database. Now, Microsoft

00:00:50.000 --> 00:00:56.879
claim was that all of that's fine and that recall is totally secure.

00:00:54.399 --> 00:01:00.000
Unfortunately, that held up for about as long as it took for someone to download

00:00:58.320 --> 00:01:04.239
the preview and then track down the folder that it was writing to, at which

00:01:02.079 --> 00:01:10.560
point the entire internet lost its collective mind over how absolutely not

00:01:07.520 --> 00:01:13.119
secure it actually was. Now, it was

00:01:10.560 --> 00:01:17.119
about that time that we wrote this video, tearing the whole thing apart.

00:01:15.119 --> 00:01:20.880
But then, as we were set to film it, Microsoft announced that they would

00:01:18.560 --> 00:01:26.799
postpone recall in response to the community's concerns. And here we are a

00:01:23.520 --> 00:01:28.560
year later and recall's back, baby. But

00:01:26.799 --> 00:01:33.119
have all the problems really been addressed? I mean, was it even that bad

00:01:30.799 --> 00:01:39.119
before it got delayed? Am I ever going to segue to our sponsor, Delete Me? Add

00:01:36.240 --> 00:01:43.439
another layer to your digital privacy cake with Delete Me's data removal

00:01:41.360 --> 00:01:50.960
services. Learn how they can help keep your information secure at

00:01:45.960 --> 00:01:50.960
jointdeme.com/ltt20 and get 20% off to

00:01:57.799 --> 00:02:06.520
boot. Before we go any further, what is recall again? And what was everyone so

00:02:02.799 --> 00:02:09.599
upset about last time? I can't seem to

00:02:06.520 --> 00:02:11.360
recall records everything that appears

00:02:09.599 --> 00:02:16.239
on the screen of your computer. Oh, that's it. Windows Recall takes

00:02:13.760 --> 00:02:20.400
screenshots, they call them snapshots, of whatever it is that you're doing on

00:02:17.680 --> 00:02:24.800
your PC every few seconds and then feeds them through AI assisted optical text

00:02:22.400 --> 00:02:30.400
recognition and image analysis, then stores it all in a local database for

00:02:27.040 --> 00:02:32.160
your convenience. And they only need 10%

00:02:30.400 --> 00:02:36.560
of your hard drive space to do it. Outstanding. The idea then is that you

00:02:34.560 --> 00:02:39.920
can fire up recall and ask it things like, "Hey, what was that Korean

00:02:38.640 --> 00:02:43.920
restaurant that Alice mentioned the other day?" And then without you needing

00:02:41.760 --> 00:02:48.640
to remember whether it was an email, a team's message, or a random calendar

00:02:46.080 --> 00:02:52.959
invite, Recall will crap out a snapshot that has the result for you. You can

00:02:50.480 --> 00:02:57.360
even copy and paste text and images from within those saved snapshots to easily

00:02:55.200 --> 00:03:03.680
search or share them, which I have to admit does sound kind of nifty. And

00:03:00.800 --> 00:03:07.840
supposedly it is a lot more secure now. But I am not going to take Microsoft's

00:03:05.920 --> 00:03:14.239
word for it. Not when I can compare them both side by side. You see, this machine

00:03:11.599 --> 00:03:18.080
is running new recall. You don't need anything super special to use it, just a

00:03:16.000 --> 00:03:21.920
co-pilot plus ready PC that meets the secured core standard. Also, a couple of

00:03:20.319 --> 00:03:26.800
other things that any such machine would likely have. But that wasn't always the

00:03:24.239 --> 00:03:31.680
case. See, the original Windows recall was only officially available on laptops

00:03:29.200 --> 00:03:37.040
with Snapdragon X Elite and X Plus processors, which unfortunately we

00:03:34.159 --> 00:03:40.720
didn't have access to at the time. But thanks to a legend by the name of

00:03:38.720 --> 00:03:46.239
Albaore, we were able to get it up and running on this old HP Elite Folio,

00:03:43.440 --> 00:03:51.519
which conveniently has been powered down with its radios off going I can't hear

00:03:49.280 --> 00:03:57.680
you Windows update since before Microsoft delayed the launch, allowing

00:03:53.519 --> 00:03:59.680
us to compare old recall to new recall.

00:03:57.680 --> 00:04:05.280
Let's see exactly what's different. Well, for starters, recall is now hopped

00:04:02.400 --> 00:04:11.200
in instead of being on by default. That is a very big improvement. But with that

00:04:08.799 --> 00:04:14.879
said, Microsoft has a long, proud history of using dark patterns to trick

00:04:13.519 --> 00:04:18.400
you into changing default system settings or even just changing them on

00:04:16.799 --> 00:04:23.280
their own. So, I'm going to believe that this is permanent when I see it. Uh,

00:04:20.639 --> 00:04:28.400
what else has changed? Well, Microsoft now says that recall is secure with the

00:04:25.600 --> 00:04:32.560
data encrypted, protected by Bit Locker, and requiring Windows Hello

00:04:30.759 --> 00:04:35.759
authentication. Of course, they said it was secure a year ago, too, though. So,

00:04:34.560 --> 00:04:41.440
uh, let's make our way through this helpful FAQ from 2024 and compare what

00:04:38.960 --> 00:04:45.919
they said then and how it behaves on both of our machines. Let's see here.

00:04:43.520 --> 00:04:51.199
Recall snapshots are kept on the local hard disk. Okay, that was true before.

00:04:49.040 --> 00:04:57.040
In fact, they're right here in this core AI platform folder under the user's

00:04:53.440 --> 00:04:59.919
local app data. And okay, uh, yep, that

00:04:57.040 --> 00:05:05.680
looks like it's still true. How about data is protected using disk encryption

00:05:02.400 --> 00:05:09.280
and Bit Locker? Well, that was at least

00:05:05.680 --> 00:05:12.240
partly true back in 2024, but was also

00:05:09.280 --> 00:05:17.120
pretty misleading. See, Bit Locker would protect your data, including your recall

00:05:14.320 --> 00:05:20.800
snapshots if somebody stole your device. But if you were logged in and you just

00:05:18.880 --> 00:05:25.440
stepped away for a moment, then those snapshots would be protected only by

00:05:23.039 --> 00:05:30.680
Windows permissions. And I don't know this for sure, but I think most elite

00:05:28.320 --> 00:05:35.520
hack source are pretty good at clicking continue. All right, let's see what else

00:05:33.039 --> 00:05:39.840
we got here. Uh, we've got show file extensions on, by the way. So, I'm going

00:05:37.600 --> 00:05:44.880
to go out on a limb and guess that this DB file here is the database. And if we

00:05:42.720 --> 00:05:48.720
look at the file header in a hex editor, it looks like it's just a SQLite

00:05:46.960 --> 00:05:51.400
database. So, we can use any of the dozens of free tools out there to

00:05:50.080 --> 00:05:56.280
interact with that. And there it is. Look at all Look at all

00:05:54.960 --> 00:06:02.000
that plain text. Oh my god. I read about this back

00:06:00.080 --> 00:06:08.400
then, but I didn't actually look at it for myself. It's just plain text. Yeah,

00:06:05.440 --> 00:06:12.560
that's wild. And if I stretch my detective skills just a little bit

00:06:10.240 --> 00:06:19.120
further, I would guess that that image store folder is full of

00:06:15.479 --> 00:06:22.720
images. Oh, no. They're not images.

00:06:19.120 --> 00:06:25.560
They're unknown files. I can't surely do

00:06:22.720 --> 00:06:28.960
anything about this. Open with hex

00:06:30.039 --> 00:06:37.680
editor. And would you look at that? JF,

00:06:33.840 --> 00:06:37.680
which means Oh my

00:06:38.759 --> 00:06:44.919
god. Boop. Watch this. I accidentally

00:06:41.840 --> 00:06:48.160
figured this out. If I click and

00:06:44.919 --> 00:06:49.880
drag, it previews it. Now all I need to

00:06:48.160 --> 00:06:57.440
do is open it. And wow, I hacked

00:06:53.639 --> 00:06:59.440
it. Oh man, that's a yikes. So that's

00:06:57.440 --> 00:07:06.560
it. That's what Jordan was doing on his computer at some time. All the metadata

00:07:02.479 --> 00:07:08.880
is just in there. Okay. Time stamp 2023

00:07:06.560 --> 00:07:13.599
uh December 4th because this computer is set to 2024. So that's Yeah, that

00:07:11.599 --> 00:07:20.000
probably is when we were looking at it. Pathetic. Let's look at the new one.

00:07:16.160 --> 00:07:22.240
this database file right there. AES

00:07:20.000 --> 00:07:28.000
encrypted. Also, where we had plain text before, now we have not so plain text.

00:07:25.680 --> 00:07:31.759
Scrambledy scrambled. That's what we want to see. Okay. What about the image

00:07:29.840 --> 00:07:36.319
store folder though? It's empty. It's a different folder now. A sim store. Okay.

00:07:34.000 --> 00:07:39.639
All right. Cleverly hid them. Yeah. This probably a JPEG. Let's try the same

00:07:38.560 --> 00:07:44.520
trick. Okay. No thumbnail preview. And if we

00:07:43.280 --> 00:07:50.000
try to open it, no dice.

00:07:47.000 --> 00:07:52.319
Okay, everything seems to be actually

00:07:50.000 --> 00:07:56.400
encrypted this time. So, I got to give Microsoft a point on our scoreboard for

00:07:54.720 --> 00:08:00.800
fixing that. But then I've also got to take a point away for lying about it in

00:07:58.479 --> 00:08:06.319
the first place. So then, okay, old recall minus one point, new recall zero

00:08:04.879 --> 00:08:11.360
points. Let's have a look at our next claim here. Microsoft won't view your

00:08:08.879 --> 00:08:14.720
recall data or make it available for targeted

00:08:12.680 --> 00:08:19.360
advertisements. Skeptic of me wants to add yet to the end of that statement,

00:08:17.280 --> 00:08:22.960
but I would say that it was probably true when they were first testing and is

00:08:21.360 --> 00:08:26.960
probably still true at the time we're filming this. Though once again, I feel

00:08:25.120 --> 00:08:31.759
it's a matter of time before they quietly change this and then hope that

00:08:29.360 --> 00:08:36.880
no one will notice. As for this next one, this is where things get

00:08:33.399 --> 00:08:38.640
objectively really bad. Snapshots are

00:08:36.880 --> 00:08:42.719
only available to the person whose profile was used to sign into the

00:08:40.560 --> 00:08:47.760
device. If two people share a device, they will not be able to access each

00:08:44.640 --> 00:08:50.880
other's snapshots. Okay, when we tested

00:08:47.760 --> 00:08:53.360
this back in 2024, that was a straightup

00:08:50.880 --> 00:08:58.000
lie and potentially a really dangerous one. By simply creating an administrator

00:08:56.000 --> 00:09:02.160
account on the same machine, I could easily navigate to any other user's app

00:09:00.080 --> 00:09:07.680
data folder and then check out anything that they had ever done on the computer.

00:09:05.200 --> 00:09:12.959
Now, I hate to even have to bring up such horrible scenarios, but guys,

00:09:10.000 --> 00:09:17.600
imagine this in the case of a journalist in an oppressive regime whose device was

00:09:15.120 --> 00:09:22.480
seized by force or for a victim of domestic abuse who was trying to find

00:09:19.600 --> 00:09:27.040
help online. As recall was implemented in 2024, a bad actor could have seen

00:09:25.360 --> 00:09:31.800
everything their victim had done on the computer, and that was enabled by

00:09:29.440 --> 00:09:38.160
default. Fortunately, that seems to have changed

00:09:34.720 --> 00:09:39.519
now. Okay, stop recording OBS. You'll

00:09:38.160 --> 00:09:46.240
have to take my word for it. I'm signing out. I'm signing in as other user. Core

00:09:42.160 --> 00:09:51.519
AI platform UKP continue. Okay, so all

00:09:46.240 --> 00:09:51.519
this still works. But because it's all

00:09:51.720 --> 00:09:57.360
encrypted, we can't view it. So, with

00:09:55.200 --> 00:10:01.920
the shift to optin, the addition of Windows Hello authentication, and things

00:09:59.680 --> 00:10:06.080
seemingly actually being encrypted this time, it is a little less horrifying.

00:10:04.560 --> 00:10:11.200
But I still don't think Microsoft has gone far enough to educate users on the

00:10:08.080 --> 00:10:13.680
dangers of this feature. See, people do

00:10:11.200 --> 00:10:17.839
still share accounts in 2025, and I guarantee you that most of your normie

00:10:15.920 --> 00:10:23.519
friends are not going to pay attention to all the little icons that are down in

00:10:20.240 --> 00:10:25.519
their system tray. So saying, "Oh yeah,

00:10:23.519 --> 00:10:31.040
that little blue squiggle, that means you're getting surveiled, that doesn't

00:10:27.680 --> 00:10:33.360
really cut it for me." Also, the old FAQ

00:10:31.040 --> 00:10:38.240
claimed that recall couldn't be accessed by other applications or services. But

00:10:36.399 --> 00:10:43.760
while it is possible that other Microsoft apps didn't access this stuff

00:10:40.640 --> 00:10:45.680
back in 24, within days of the preview

00:10:43.760 --> 00:10:51.200
launch, there were multiple tools that could extract recall data both locally

00:10:47.920 --> 00:10:53.920
and remotely. So that particular claim

00:10:51.200 --> 00:10:58.800
feels at the very least like a lie by omission. Take a look at Total Recall,

00:10:56.480 --> 00:11:03.519
for example. The media called this a hacker tool, but what it really is is a

00:11:01.440 --> 00:11:07.920
few dozen lines of Python that an AI assistant could probably crap out for

00:11:04.959 --> 00:11:11.839
you in about 30 seconds. Total Recall copied the images and the database

00:11:09.839 --> 00:11:15.200
folder, made a handy little report of all your window titles, and if you

00:11:13.760 --> 00:11:20.640
scrolled through it, led to the discovery of yet another lie from our

00:11:17.839 --> 00:11:25.519
pals at Microsoft. Microsoft claimed back then that recall didn't record

00:11:23.200 --> 00:11:29.120
incognito Windows in most common browsers, Edge, Firefox, Opera, and

00:11:27.839 --> 00:11:34.640
Google Chrome. plain as day. Here's a window title from

00:11:31.800 --> 00:11:39.440
farc.com, which we only visited in a brief incognito session. Anyway, back to

00:11:37.839 --> 00:11:42.880
other apps being blocked from recall data, at least on the new one, because

00:11:41.200 --> 00:11:49.279
they're encrypted. Something like Total Recall couldn't be just randomly created

00:11:45.440 --> 00:11:51.120
by a third party. But it's also clear

00:11:49.279 --> 00:11:55.680
that Microsoft isn't even pretending that their own apps can't access the

00:11:53.360 --> 00:12:00.800
data anymore. On our new machine, the new click to-do co-pilot feature

00:11:58.240 --> 00:12:07.519
requires recall to be enabled and is by all appearances a other app or service.

00:12:04.680 --> 00:12:12.200
So lie then and I guess it's gone from the FAQ now. So no longer a lie, but

00:12:10.639 --> 00:12:17.600
certainly a change. Anywh who, the 2025 flavor of

00:12:15.360 --> 00:12:21.360
recall adds a toggle that will filter sensitive information automatically,

00:12:19.360 --> 00:12:27.440
which seems to be enabled by default, which is something. But it relies on the

00:12:24.959 --> 00:12:31.760
AI recognizing that any information that you have on screen is sensitive. And I

00:12:30.240 --> 00:12:37.200
really don't know if I would trust this guy to determine if my on-screen data is

00:12:33.680 --> 00:12:39.760
sensitive or not. At least not yet. So,

00:12:37.200 --> 00:12:43.839
what's the bottom line here? Well, I got to give Microsoft some credit. They

00:12:42.160 --> 00:12:47.920
could have just powered forward and released recall in its primitive state,

00:12:45.680 --> 00:12:51.440
but instead they listened to the outrage of the tech community and are making

00:12:49.519 --> 00:12:57.200
what looks like a serious effort to address many of the issues with their

00:12:53.839 --> 00:12:59.760
original recall launch. But with that

00:12:57.200 --> 00:13:03.519
said, I still oppose the existence of this feature because of what it means

00:13:01.200 --> 00:13:08.639
for our collective privacy. Cuz here's the thing. Even if you don't turn on

00:13:06.079 --> 00:13:13.200
recall yourself, how do you know that everyone you're emailing or maybe

00:13:10.720 --> 00:13:18.560
messaging in Signal hasn't linked their PC that has recall turned on? Now,

00:13:15.920 --> 00:13:22.240
Signal has announced a new enabled by default setting to prevent screen

00:13:20.000 --> 00:13:26.320
capture of signal chats on Windows. But that doesn't cover you for any other

00:13:23.760 --> 00:13:31.680
chat, and it doesn't prevent someone from turning capture on in Signal if,

00:13:28.959 --> 00:13:36.800
say, Grandma likes to use recall to help her remember things. And I mean, yeah,

00:13:34.399 --> 00:13:40.399
that is pretty useful for her, but should baby pictures in a family

00:13:38.480 --> 00:13:44.800
WhatsApp really be slurped into a Microsoft managed database? And yeah, I

00:13:43.120 --> 00:13:49.279
know, I know, I know. It's stored locally and it's encrypted. But data is

00:13:47.360 --> 00:13:54.399
only local until it's been stolen and it's only encrypted until some quantum

00:13:51.440 --> 00:13:59.199
breaks that encryption. The very existence of recall makes Windows a

00:13:57.199 --> 00:14:03.920
less secure platform because in the very near future, all compatible Windows 11

00:14:02.160 --> 00:14:08.800
machines are going to have a built-in tool that gathers and catalogs an

00:14:06.800 --> 00:14:13.279
unprecedented wealth of information about Windows users and then stores it

00:14:11.040 --> 00:14:16.880
in a convenient place for attackers to target. So, if they're looking for some

00:14:15.279 --> 00:14:21.279
confidential information, the heavy lifting is done for them. What are we

00:14:19.760 --> 00:14:26.079
gonna have to do? Go back to writing letters? I mean, hey, at least we sell

00:14:23.440 --> 00:14:29.800
the Scribe Driver pen on ltstore.com. You can use that to write a letter,

00:14:28.079 --> 00:14:34.560
although then there's definitely a physical record of what you wrote. The

00:14:32.160 --> 00:14:39.279
point is, I think Andrew Cunningham said it best on ours Technica last year.

00:14:36.720 --> 00:14:44.800
Windows recall demands an extraordinary level of trust that Microsoft hasn't

00:14:42.040 --> 00:14:49.519
earned. What a great turn of phrase. And what a great opportunity to tell you

00:14:46.480 --> 00:14:51.519
about our sponsor, Delete Me. In a world

00:14:49.519 --> 00:14:55.120
where you need an email or phone number to sign in to just about everything,

00:14:53.519 --> 00:14:58.800
have you ever wondered who actually has access to your sensitive information?

00:14:56.959 --> 00:15:03.040
Delete Me is willing to bet that this list is longer than you might think or

00:15:00.880 --> 00:15:06.639
hope. And they're also here to help. Their data removal service will comb

00:15:04.800 --> 00:15:11.360
through an exhaustive list of data brokers who are looking to profit off

00:15:08.720 --> 00:15:15.519
your personal identifiers. Then they send regular removal requests on your

00:15:13.440 --> 00:15:19.440
behalf, providing you with quarterly reports of where your info may have been

00:15:17.680 --> 00:15:23.040
sitting around. And with their family plans, you and up to three other loved

00:15:21.279 --> 00:15:28.680
ones can receive their protection as well. So take the steps to keep your

00:15:25.120 --> 00:15:31.279
digital information secure. Visit

00:15:28.680 --> 00:15:35.519
jointdeme.com/ltt20 and use code ltt20 for 20% off their data removal plans

00:15:33.600 --> 00:15:42.240
today. If you guys enjoyed this video, maybe you'd like some mini rants about

00:15:37.839 --> 00:15:42.240
small problems that make tech big awful.