Microsoft Recall continues to save sensitive personal information even after the filter is turned on

In June, Microsoft disabled the Recall user activity logging feature in test builds of Windows due to discovered issues with the security of personal data, but recently brought it back, giving users the ability to disable the recording of sensitive data. As it turns out, in practice, such a filter still does not guarantee the exclusion of important user data from the saved activity history.

Image source: Unsplash, Rupixen

According to the developers, the filter should exclude the collection of information from applications or websites that work with user bank card data or personal document numbers, which can be used by attackers to cause material damage to their owner. Representatives of the Tom’s Hardware resource found that in practice this filter does not always work.

Firstly, when you try to save the password and login for various systems in a simple text document via Notepad, the corresponding information is saved by the Microsoft Recall function. The presence of words with bank card designations in this document did not alert the filter in any way. Likewise, filling out personal information via a PDF file in Microsoft Edge also did not go unnoticed by Microsoft Recall, although the filter was active. Finally, a specially created HTML page with fields for entering bank card data also went through the filter. However, on the web pages of real online stores in the browser, sensitive information was filtered, and bank card data was not included in the saved history.

Microsoft, in response to the comments of the author of the experiments, only advised to follow the recommendations on the corporate blog, which encourage users to contact the company with comments about the operation of the Microsoft Recall function through the feedback form. The corporation also promised to continue improving this function in order to improve the protection of personal data.