Summary: Microsoft Recall continues to capture sensitive information, including credit card and social security numbers. Despite a setting to prevent harvesting sensitive data, Recall still captures this information. Recall is not entirely flawed, as it did not capture data from a proper payment website, but it's still worrying.
You know, at least Microsoft tried. In June, it pushed to make Recall a keystone of the Copilot+ experience, but it received much negative feedback about privacy. The company then did the right thing and delayed the Recall rollout until it resolved all the nasty privacy issues that came with it. Now, the company is rolling Recall back out again... except it's still harvesting people's private data, even when it's explicitly told not to.
Microsoft Recall is still capturing people's credit card numbers and social security numbers
As spotted by Avram Piltch of Tom's Hardware, it seems that Recall isn't doing what it claims it does. Part of the new rollout is a setting you can toggle that tells Recall not to harvest any sensitive information. Beforehand, Recall would take snapshots of private information without user control, so this new setting is Microsoft's way of telling Recall to double-check what it's storing and not save anything that could breach someone's privacy.
Well, it turns out it doesn't always work:
When I entered a credit card number and a random username / password into a Windows Notepad window, Recall captured it, despite the fact that I had text such as "Capital One Visa" right next to the numbers. Similarly, when I filled out a loan application PDF in Microsoft Edge, entering a social security number, name and DOB, Recall captured that. (Note that all info in these screenshots is made up).
That sucks, but there's a chance that Recall works off of context from a website instead of just a Notepad window. Turns out, when Avram made their own website for payment details, it still grabbed the data. Avram did note that it didn't capture credit card details entered into proper payment services such as Pimoroni and Adafruit, so Recall is doing some detection, at least; however, it doesn't seem perfect. As such, use at your own discretion.