Microsoft Recall still storing credit card, social security numbers

Scope of Recall and Privacy Risks

  • Recall periodically screenshots the entire desktop, capturing anything visible, including credit cards, SSNs, and passwords—even with the “sensitive information” filter enabled.
  • Critics argue this effectively bypasses app- and website-level protections by duplicating sensitive data into a separate store and backups without explicit per-item consent.
  • Some compare it to whole-device backups and say the core idea (being able to “rewind” past work) is legitimate if the storage is genuinely local, encrypted, and controlled by the user.

Opt-in, Trust, and Microsoft’s Track Record

  • Supporters emphasize that Recall is currently opt-in, local-only, and (reportedly) access-controlled, framing it as a voluntary screen recording tool with real productivity benefits.
  • Skeptics counter that:
    • The feature ships with the OS and cannot be fully removed.
    • Microsoft has a history of re-enabling telemetry and features via updates.
    • Users may click through prompts without understanding implications, given low average computer literacy.
  • There is concern that “opt-in today” could become “quietly on” later.

Technical Debate: PII Detection and DLP

  • Several comments note that PII detection is inherently probabilistic, but say credit card numbers and similar identifiers are structured enough for robust heuristics (BIN ranges, length, Luhn algorithm, patterns like SSNs).
  • Others point out corner cases: not all card numbers use Luhn, card length varies, and false negatives are still possible.
  • Some argue Microsoft already has strong Data Loss Prevention tech in other products and should have reused it or designed Recall to err on the side of over-blocking sensitive data.
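To make the Luhn/length trade-off in this section concrete, here is an added example in Python (written for this summary, not code from the discussion or from Microsoft): a small detector run over constructed OCR-style text, where strict mode requires a Luhn pass and lenient mode accepts any digit run of card length, showing how strict mode produces the false negative the comments describe while lenient mode over-blocks. `SAMPLE_TEXT`, `luhn_ok` and `find_sensitive` are names chosen for the example.

```python
import re

# Constructed sample of screenshot text as an OCR pass might return it.
# The card numbers are publicly known test numbers, the SSN is a dummy.
SAMPLE_TEXT = """
Order confirmation
Card: 4111 1111 1111 1111  exp 09/27
Backup card: 4111-1111-1111-1112
SSN on file: 123-45-6789
Tracking: 1234567890123
"""

def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded
# in a longer digit run.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US SSN in the common dashed layout; purely structural, no validity check.
SSN = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")

def find_sensitive(text: str, strict: bool = True):
    """Return (kind, value) hits found in text.

    strict=True  : card candidates must pass Luhn (fewer false positives,
                   but a non-Luhn or mis-OCR'd card slips through).
    strict=False : any card-length digit run is flagged (errs toward
                   over-blocking; tracking numbers etc. get caught too).
    """
    hits = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if strict and not luhn_ok(digits):
            continue
        hits.append(("card", digits))
    for m in SSN.finditer(text):
        hits.append(("ssn", m.group()))
    return hits
```

Running `find_sensitive(SAMPLE_TEXT)` flags the first card and the SSN but misses the second card (fails Luhn), while `find_sensitive(SAMPLE_TEXT, strict=False)` catches both cards and also the unrelated tracking number.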

Security Model and Malware Comparisons

  • Critics say Recall’s behavior (stealth-like screenshot capture, obscure storage format, hard for users to inspect) resembles remote access malware patterns.
  • Counterpoint: the crucial difference is explicit user consent; if enabled knowingly, it’s closer to a self-configured surveillance tool than a RAT.
  • Disagreement persists on whether added attack surface is meaningfully worse than existing risks like keyloggers and manual screen recorders.

User Reactions and OS Alternatives

  • Some participants report Recall and broader telemetry/“user-hostile” design as the final push to abandon Windows for Linux, BSD, or macOS.
  • Others note that some Linux distributions also carry growing background indexing/telemetry complexity, plus hardware support issues, so there is no perfectly “clean” alternative.

Financial Liability and Practical Pain

  • One side claims stolen credit card data is ultimately the bank’s legal problem.
  • Others respond that even if liability lies with banks, resolving fraud, identity theft, or repeated incidents is still a major burden for users.