Welp, I knew Microsoft's Copilot+ Recall was going to be a privacy disaster but I didn't expect it to turn into an enterprise computing catastrophe for Microsoft *quite* this fast!

But this can't be a one-off. Any large enterprise that has to comply with a regulated privacy environment—HIPAA in the USA, GDPR in the EU, banking/insurance/finance globally—must be considering a ban on Microsoft installations on laptop/desktop computers right now or be breaking the law.

https://infosec.exchange/@SecurityWriter/112558224281615019

Security Writer (@SecurityWriter@infosec.exchange)

If you’re wondering how the Microsoft Recall scandal is going, I’ve just had a client tell me they’ve replaced their order for 10k Microsoft Surfaces with new MacBook Airs, at nearly twice the cost, and that we need to start the ongoing 6 month endpoint security project over.

@cstross also lawsuits from third parties getting their info recorded will be happening. Very soon.
@WhyNotZoidberg my thoughts exactly, as a lawyer I'll be all over that in discovery, even if where I practice it is rare to ask for computer records in possession of the parties unless specifically identified. With Recall I can ask for the whole database to be entered into evidence.
@cstross
@jt_rebelo @WhyNotZoidberg @cstross I don't think you can. That would be the same as asking for someone's entire file cabinet or entire hard drive to be entered into evidence. It would be ipso facto overly broad.
If you have probable cause to believe your opponent is concealing discovery information they're legally required to disclose, and there might be evidence of that in Recall, you might be able to convince the court to appoint a special master to examine the Recall data.
@jik not in my country (no special master, not even a judge will preview what is entered), you can ask for documents/evidence that is (as far as you know) in possession of the other party or even third parties. If you can identify the document/element in question and the Judge deems it necessary to rule according to what really happened, the Court will demand the party to enter it into evidence.
Even if not entering the whole Recall database, the party will have to produce the queries deemed necessary, along with all screenshots and text pertaining to that.
So, if it isn't the whole file cabinet, in your analogy, it is still much more than what is usually found in civil suits around here. The evidence that didn't exist because there wasn't a document or email at all, as it was never saved or sent and then deleted, with Recall is there.
We were thinking about calling non-lawyers/solicitors that give legal consultations (since they are now allowed to due to a recent legal change and aren't limited under professional privilege, there is none for them) to the stand, and now we can discover what a party wrote but didn't send?
And I'm not taking it to criminal court levels, the Police and the Prosecution will have field days with it, thoughtcrime style...
@WhyNotZoidberg @cstross
@jt_rebelo @WhyNotZoidberg @cstross
I agree with you 100% that you can probably demand queries for evidence to be run against Recall, which could quite possibly reveal evidence that pre-Recall never would have been discovered.
I am objecting only to the claim that you can demand that the entire database be entered into evidence.