Key Takeaways
- Microsoft is launching Recall, a feature that constantly takes screenshots of PC activity.
- This feature can capture and save secure or disappearing messages (like WhatsApp or Signal) if the recipient has Recall enabled, even if the sender doesn’t.
- Senders are not notified that their messages are being screenshot and stored by the recipient’s PC.
- Security expert Kevin Beaumont found potential security flaws, suggesting the stored data might be easily accessed.
- Critics argue Recall represents a significant privacy risk, making private conversations vulnerable on recipients’ devices without the sender’s knowledge.
- WhatsApp is also exploring AI features for message processing, adding another layer of complexity to user privacy concerns.
Concerns about secure messaging privacy have intensified recently. Just as experts warned about risks with linking phone apps to computers, a new feature from Microsoft has amplified these worries.
Microsoft is rolling out its Recall feature for new Copilot PCs. This tool continuously captures screenshots of everything happening on the screen, reads the content, and saves it locally, often protected only by a simple PIN.
This creates a significant issue for secure messaging. Even if you use encrypted apps like Signal or WhatsApp and never enable Recall yourself, your security can be compromised if you message someone who *is* using it.
As Forbes explains, if User A sends a message to User B who has Recall active, that message—along with almost everything else User B sees—will be screenshotted, analyzed by AI, and stored in a database on User B’s computer.
This means sensitive information like photos, private messages intended to disappear, medical details, or even login credentials could be captured and stored without User A ever knowing. Unlike call recording notifications, there’s no warning here.
Cybersecurity researcher Kevin Beaumont tested Recall and highlighted significant security and privacy gaps. Although the data is stored locally, he found it could potentially be accessed with relative ease, bypassing encryption protections once the user is logged in.
Beaumont demonstrated this by having someone guess his PIN and access his entire activity history captured by Recall, including Signal messages meant to disappear. This raises alarms about how easily this sensitive data trove could be exposed.
Recall was initially met with criticism and temporarily withdrawn for security improvements. While it now includes better opt-out options, the fundamental concept—secretly screenshotting interactions without the sender’s consent—remains controversial.
This situation highlights how AI can easily scale up activities that pose privacy risks. While someone could always manually screenshot a message, Recall automates this process constantly and invisibly for the sender.
Experts suggest secure messaging platforms might need to reconsider allowing linked devices or find ways to prevent messages from being displayed and captured on systems running tools like Recall.
For now, it’s crucial to remember that any message you send, even disappearing ones, could potentially be captured, analyzed by AI, and stored indefinitely on a recipient’s device if they use Recall.
Beaumont advises checking if contacts using Windows PCs have Recall enabled before sharing sensitive information, as the feature captures content even after it’s deleted from the original app.
Adding to the confusion, Meta has announced that its AI may process WhatsApp messages, although they assure users it will happen privately within a secure environment. This move still raises questions about introducing AI into end-to-end encrypted platforms.
Even if WhatsApp’s internal processing remains private, Microsoft’s Recall operates externally, capturing snapshots of these messages directly from the screen. For users, navigating digital privacy is becoming increasingly complex.
