Working at a company in the healthcare space, this raises so many HIPPA compliance questions for our customers it's hilarious.<p>And by hilarious, I mean bad. Screenshots of PHI? Sweet as, just chuck them in an SQLite DB, no worries there.
I work for a company that has a product that, as part of other functionality, can selectively block access to any file, so it could simply block access to the database, or even the Recall exe/dlls themselves. We’ve been debating about releasing a simple/free “always block access to these files” app because of all the BS Microsoft is putting in. We’d probably do it under a separate company to protect the main product from retaliation. Is this of interest? What else do we need to think of?
My understanding is that the Recall database is basically a plaintext local sqlite DB, and the only security measure is that it is stored in a folder for which you need admin rights to access?<p>If so, how is that excusable for a company like Microsoft? I'd say even a weekend hackathon project would implement more security than that?
The whole drama around with how Recall store data is misguided. The problem is not how this data is stored, it is more fundamental i.e how windows doesn't have a proper app sand boxing. MS App store apps have sandboxing and permission model but most of other apps on windows are still just bunch of DLLs and EXEs that run with all the permissions that the current user have. Until MS solves this problem there is no way to secure such things.
I have a different take on this.<p>If the same feature were built on Android or iPhone, the data would be encrypted, and the researchers would have had a hard time accessing the SQLite file itself.<p>Microsoft's takeaway from this negative news would be that it needs to lock down Windows 12 by adopting designs from Android and iPhone, effectively closing it off.
We've launched a FOSS alternative with OpenRecall <a href="https://github.com/openrecall/openrecall">https://github.com/openrecall/openrecall</a> to (hopefully) work towards addressing some of the concerns people have with Windows Recall. We think it could be a useful feature but it must be (1) fully auditable/open source (2) using open source local models (3) focused on privacy/security and (4) hardware/OS independent. We're working out the roadmap currently so any feedback is appreciated.
Sycophantic research chief scientist has no issues with Recall.<p>He cant recall what he really thinks of recall due to the serious business of getting his "sandwiches wrapped in a road map" and sent on his way.
Give it a few years. MS will 100% be using data collected by Recall for advertising purposes. I'm sure it will be anonymized, or at least they will attempt to anonymize it. But it will happen.<p>Part of the problem is that MS has never realigned their internal incentives with their stated goals. The best way to get a good bonus or a promotion is to deliver "impactful" features. Once recall is out there, teams will be chomping at the bit to (ab)use its data to quickly and easily demonstrate impact.<p>Compounding the problem is that MS has no overarching product vision. No one there is really championing the sort of clean, functional, no-nonsense OS that we all know Windows could be. Or if they are, they are being drowned out by people who have dollar signs in their eyes. Compounding that problem is that ICs and teams are strongly encouraged to be "data-driven", which means a sense of product vision is outright ignored unless you can repeatedly and consistently make up metrics that work towards a clean, functional, no-nonsense OS. This is difficult when your metrics are things like, "did the A group click this button more than the B group".
Realistically, who would ever use this? An OCR of everything on the screen, saved every few seconds? I can’t imagine finding something useful in a haystack of that size.
I swear I saw a comment or link on HN where somebody bemoaned a lack of innovation in computer interfaces, and provided some suggestions. What MS calls Recall is one of the things they suggested. When I saw Recall being announced I wondered if somebody at Microsoft had seen the same thing as me.<p>If only there was some way for me to find it...
Microsoft Research should really drop "research" from its name. We are not talking Bell Labs-level of research here. They come up with the most useless "inventions" like Multimouse <a href="https://www.microsoft.com/en-us/research/blog/multimouse-makes-computer-learning-communal-experience/" rel="nofollow">https://www.microsoft.com/en-us/research/blog/multimouse-mak...</a> so why are we surprised that Recall is criticised so much?
i dont understand why everyone is so confused and outraged. first off, it doesnt affect you. even if you do buy a microsoft laptop that is being marketed as the "ai powered technology revolotion" (or whatever), its shipping from the start with almost all the tools i can think of to help you only recall what you want. application exclusion by ifn, pause the stored data / purge stored data / or opt out forever. if you use edge, you can have it ignore incognito tabs or certain websites. The feature needs to be opt in without these restrictions set up because the people who might actually benefit here are people who don't want to be bothered with those power user features. like my grandma.<p>anyone who is worried about screenshots leaking, do you guys remember photoshop?<p>we already have keyloggers, banking trojans, infostealers, and for someone to access your recall screenshots they'll be in a position to infect your laptop with all the usual suspects in commodity malware. so they could start logging your keystrokes, pilfer your chrome browsing data, or they could start downloading a 25 GB file that they can't even decrypt, and (lets just allow them to decrpyt somehow). now they get the pleasure of looking through 25 gb of cat pics and reddit hoping they might find a picture of you logging into your bank where you toggle the show password field button. or maybe you don't ever reveal the password so he gets really mad because his ISP only gives him 30GB down / month and he just burned nearly all of it. he decides to dox you and your data, but there isnt anything connecting your real identity to these screenshots (which again, couldve been photoshopped, or you could create your win11 username as Sam Altman). And none of this is even going to happen this would be the first time ive ever heard of a hands on keyboard commodity malware controller who is targeting whomever he can breach and rather than just sitting back while keyloggers and bots phone home and exfil sensitive data as text in an automated way, he's at home dealing with these massive encrpyted archive files and bajillions of screenshots.<p>everyone be triflin' over some bullshit here, you guys know why they did this right, not because its useful or a good use of AI. all the big guys are racing to cash in on the consumer AI market and they want to tell wall st on the quarterly earnings reports that theyve got a new go to market strategy with AI and its going to lead to N revenue, and instead of slightly faster hardware the next surface launch is gonna be huge marketing event and if you guys in nyc want to bet on ai for consumers, buy more microsoft stock.<p>isnt this obvious my friends?