Microsoft vice president for enterprise and OS security, David Weston, gave an update in a detailed blog post on Friday. The update discussed how security will work on the company's controversial Recall search feature, to be available on new Copilot Plus PCs. The feature, which uses AI to help users visually search through snapshots of their past PC activity, was met with a significant backlash after it was announced in May.
In the blog post, Weston details some of the security features that Recall will have when it begins rolling out, apparently in an attempt to make the case that the concerns about its underlying security and privacy controls have been overblown.
Read more: Microsoft's AI Recall Feature May Not Even Hit Your PC, but Here's How to Disable It
Weston stresses early in the post that Recall is opt-in and that Snapshots are not taken or stored unless a user enables Recall.
"You are always in control, and you can delete snapshots, pause or turn them off at any time," Weston writes. "Any future options for the user to share data will require fully informed explicit action by the user."
Read more: Microsoft's Controversial Windows Recall Now Coming to Testers in October
He also writes that Snapshots are not shared with Microsoft, third parties or even other users on the same PC.
There is no mention in the post about the option to uninstall the software option completely from a Copilot Plus PC. In an interview with The Verge, Weston confirmed that this option will be available.
"If you choose to uninstall this, we remove the bits from your machine," Weston said. The uninstall would include AI models that inform Recall.
Weston also says that sensitive data is always encrypted in Recall and that screenshots and associated data are isolated and local and are only accessible through a Windows Hello Enhanced Sign-in Security login. It also only runs on Copilot Plus PCs that meet Microsoft's "Secured-core standard." The post contains illustrations of Recall's security architecture.
The company has an internal team working on design reviews and penetration testing, a third-party vendor doing the same and a Responsible AI Impact Assessment completed, according to the post.