Microsoft Recall Screenshots Credit Cards, Social Security Numbers

An anonymous reader quotes a report from Tom's Hardware, written by Avram Piltch: Microsoft's Recall feature recently made its way back to Windows Insiders after having been pulled from test builds back in June, due to security and privacy concerns. The new version of Recall encrypts the screens it captures and, by default, it has a 'Filter sensitive information,' setting enabled, which is supposed to prevent it from recording any app or website that is showing credit card numbers, social security numbers, or other important financial / personal info. In my tests, however, this filter only worked in some situations (on two e-commerce sites), leaving a gaping hole in the protection it promises.

When I entered a credit card number and a random username / password into a Windows Notepad window, Recall captured it, despite the fact that I had text such as 'Capital One Visa' right next to the numbers. Similarly, when I filled out a loan application PDF in Microsoft Edge, entering a social security number, name and DOB, Recall captured that. (Note that all info in these screenshots is made up). I also created my own HTML page with a web form that said, explicitly, 'enter your credit card number below.' The form had fields for Credit card type, number, CVC and expiration date. I thought this might trigger Recall to block it, but the software captured an image of my form filled out, complete with the credit card data. Recall did refuse to capture the credit card fields on the payment pages of Pimoroni and Adafruit. 'So, when it came to real-world commerce sites that I visited, Recall got it right,' adds Piltch. 'However, what my experiment proves is that it's pretty much impossible for Microsoft's AI filter to identify every situation where sensitive information is on screen and avoid capturing it.'

Read more of this story at Slashdot.