I'm not sure if you've heard yet or not, but Microsoft is planning a new feature for Windows 11 systems in the near future they are referring to as "Recall".

https://support.microsoft.com/en-us/windows/retrace-your-steps-with-recall-aa03f8a0-a78b-4b3e-b0a1-2eb8ac48701c

and uh. There are some "concerns" surrounding this new feature.

https://www.techradar.com/computing/computing-security/windows-recall-sounds-like-a-privacy-nightmare-heres-why-im-worried

I'm speaking for myself here. Nobody else. But as a cybersecurity professional with over a decade of experience, I have an obligation to formally say that this is the absolute worst idea I've ever seen come out of Microsoft.

While I'm sure this 'feature' was built with the best intentions in mind, its presence alone, enabled or not, undermines a wide variety of security and privacy controls, and undermines the user's safety.

Are you familiar with the concept "Living off the land"? In a nutshell, it's a security term in which adversaries consider what tools, available by default on an operating system (Windows, macOS or Linux), will help them achieve their goals. The advantage being that operating system provided tools are already "blessed" and are a lot less likely to cause problems with endpoint protection products. Rather than having to bring their own custom tools and implants, just use what the operating system gives you. Hence, "Living off the land."

Think about all the times you've heard about volume shadow copies being used to make copies of a Microsoft Active Directory database to enable ransomware operations, or other advanced threats complete access to a target network. Or about how certutil can decode base64 payloads to avoid network detection of tools actors bring with them. Now. Think about how spyware, banking trojans, infostealers, and stalkerware operate.

They exist to acquire credentials, access your sensitive data, and violate your privacy. Most of the time they are very "smash and grab", not wanting or needing to persist. Now, apply this modus operandi to Recall, a database that can, by default, record up to three months of information about what you are doing on your PC. Every. single. detail. This is a stalker and/or information broker's wildest dream.

Even if the model data all supposedly stays local, there is nothing stopping an adversary from grabbing a copy of the database for themselves. Even if the service is disabled, adversaries with persistent access to a target system or network could enable the feature, come back later, and harvest credentials. This is the ultimate form of sustained data collection on a host. Advanced adversaries get an MS-blessed keylogger.

Even if the model is designed to be local only, what happens when cloud backup solutions get involved? What happens when EDR grabs the database and uploads it to VirusTotal? It's all so poorly thought out, I cannot comprehend how this got greenlit.

It's like none of the people involved in the design of this project have ever been the victims of information stealers, credential theft, stalkerware, or just plain blackmail.

I cannot in good faith stand by and say nothing, and I advise you to make your voice heard as well.

@da_667 tfw your os vendor cedes the entire fucking 'gain persistence' step to attackers.

I want to know who asked for this feature. Aside from adversaries gaining access to these screenshots (which are OCR'd) what is to prevent the next step of companies spying on you without the need for additional software?

If your company allows "some personal use" with this feature on, there's a ton of legal issues there too.

I guess I'll be happy to work on my non-copilot+ laptop and no I won't need it replaced.

@da_667 It confirms every experience I had in the past and then some.

At first I thought #MicrosoftRecall / #WindowsRecall / #Regall was an out-of-season April Fools' joke but these #TechBros really are that irredeemably bad and I hope regulators like @bsi will ban #Windows in general and #Windows11 in specific for this final drop in the bucket!

@da_667 Any sort of regulatory compliance I have had anything to do with at work would have to fail with Recall. Forget the potential (likely) disasters for a moment, and let's think of compliance:

PCI: recording screenshots of credit card numbers as they are input, that's totally not OK.
APRA: screenshots of financial data a banker is working with, not ok.
HIPAA (Australian version): screenshots of patient data, not ok.

I'm sure the list goes on, that's just what comes to mind. A very large number of corporate entities will just not be able to use this because they touch something, most commonly PCI I would guess...

Who does Microsoft think is going to use this? Maybe compliance is more lax elsewhere but this isn't going to fly in Australia.