top of page
  • news602

"Recall" is a NO for me!

In a recent article written by Gavin Wilde, a senior fellow in the Technology and International Affairs Program at the Carnegie Endowment for International Peace, he points out how Microsoft and the White House are not on the same page regarding its flagship cybersecurity initiatives?


Microsoft Corporate Vice President, Windows and Devices Pavan Davuluri speaks about Recall during a Microsoft event in Redmond, Washington, on May 20, 2024.


Over the past year, the Biden administration has rolled out a pair of banner cybersecurity initiatives that security and privacy advocates have hailed as small but positive steps toward a more secure digital ecosystem. The first is a “secure-by-design” partnership with the tech sector to shift the burden of software security toward its initial developers; the second is the formation of an international coalition to curb the proliferation of commercial spyware.


Recent developments in the tech sector, however, illustrate just how far both initiatives have to go in delivering actual security and privacy gains. Last month, Microsoft announced that it would roll out a feature dubbed “Recall” to its Windows PCs that would capture a detailed, indexed history of all on-device activities. The product purported to use AI to allow the user to recall any past activity, relying on archived screenshots of a user’s on-screen behavior — including log-ins, queries, financial account numbers and contacts. Google is reportedly considering rolling out a similar tool for its Chromebooks.


This rush-to-market approach is in conflict with the Biden administration’s initiatives on secure by design and countering spyware but has been met by silence from the White House and key cyber officials. Anyone with access to a Recall-outfitted device — whether a foreign intelligence service or an abusive spouse — would have been able to access this “photographic memory” with ease, suggesting a serious failure to beta-test or independently validate program security prior to its release. This runs contrary to the Microsoft’s commitment in CISA’s secure-by-design pledge to build products that “are conceptualized with the security of customers as a core business goal, not just a technical feature.”


For those who have ever worked in cybersecurity — or digital espionage, for that matter — creating such a granular, searchable history of one’s digital life, potentially accessible to outsiders, looks like a privacy and security catastrophe in a box. While the United States and its partners aim to “prevent the export of software, technology, and equipment to end-users who are likely to use them for malicious cyber activity, including unauthorized intrusion,” a vulnerable, on-device activity log all but invites malicious actors to target a system like

Recall, while diminishing their need for sophisticated intrusion tools entirely.


In recent days, researchers have demonstrated how easily circumventable Microsoft’s safeguards for Recall are and have spoken out in blunt terms to question how a company still under intense government scrutiny for neglecting basic cybersecurity measures — and signatory to CISA’s “secure-by-design” pledge — manages to sustain such a cavalier approach to product design.


Less a checklist than a philosophical approach to better security at earlier phases of product development, CISA’s secure-by-design pledge is a multi-national, public-private roadmap to push responsibility for securing digital systems “upstream, with the manufacturers, where it has the greatest likelihood of reducing the chances of compromise.” It is an approach minimizing both the risks to, and required vigilance by, the end-user. It aims to signify a shift in mindset among its signatories about what “security” entails — as something baked in from inception rather than bolted on after shipping. Recall appears to flout the pledge in both spirit and letter.


Amidst the rollout of the joint statement and executive order last spring, White House officials asserted that these initiatives were designed to leverage the substantial purchasing power of the U.S. and like minded governments, to render a chilling effect on the burgeoning market for commercial spyware. The United Kingdom and France followed suit soon thereafter with their own Pall Mall Process declaration — an international coalition designed to curb the proliferation of a broader suite of commercially available cyber intrusion tools. The implicit message to tech developers is that signatory governments with hefty budgets won’t buy products from vendors who cater to autocrats and illicit actors who disregard human rights and the rule of law. But Microsoft’s Recall begs the question of where the line between “catering to” and “leaving the door open for” might be drawn. Company representatives have been publicly evasive on that score.


Instead, a loud and growing chorus of criticism from techies and activists appears to have augured Microsoft’s partial retreat. The company finally agreed last week to make Recall dependent on customer opt-in and to add security features such as enhanced encryption and authentication measures to verify the activity log is accessed only by the device’s owner. Microsoft appears to have been cajoled by critics into offering such security measures as bolt-ons after the fact rather than introducing them by default. But researchers should not have been left to shoulder the burden of calling out these failures.

Advertisement


All this progress makes their relative silence amid the rollout of Recall — a product demonstrably insecure in its design and functionally spyware by another name — all the more deafening. The episode unfortunately demonstrates a remaining need to back up cyber platitudes and pledges both with more robust regulatory policy and a more active pulpit.


Sorry Microsoft, but this is a NO for me!


5 views0 comments

Comments


bottom of page