Microsoft’s Recall puts the Biden administration’s cyber credibility on the line
Over the past year, the Biden administration has rolled out a pair of banner cybersecurity initiatives that security and privacy advocates have hailed as small but positive steps toward a more secure digital ecosystem. The first is a “secure-by-design” partnership with the tech sector to shift the burden of software security toward its initial developers; the second is the formation of an international coalition to curb the proliferation of commercial spyware.
Recent developments in the tech sector, however, illustrate just how far both initiatives have to go in delivering actual security and privacy gains. Last month, Microsoft announced that it would roll out a feature dubbed “Recall” to its Windows PCs that would capture a detailed, indexed history of all on-device activities. The product purported to use AI to allow the user to recall any past activity, relying on archived screenshots of a user’s on-screen behavior — including log-ins, queries, financial account numbers and contacts. Google is reportedly considering rolling out a similar tool for its Chromebooks.
This rush-to-market approach is in conflict with the Biden administration’s initiatives on secure by design and countering spyware but has been met by silence from the White House and key cyber officials. Anyone with access to a Recall-outfitted device — whether a foreign intelligence service or an abusive spouse — would have been able to access this “photographic memory” with ease, suggesting a serious failure to beta-test or independently validate program security prior to its release. This runs contrary to the Microsoft’s commitment in CISA’s secure-by-design pledge to build products that “are conceptualized with the security of customers as a core business goal, not just a technical feature.”
For those who have ever worked in cybersecurity — or digital espionage, for that matter — creating such a granular, searchable history of one’s digital life, potentially accessible to outsiders, looks like a privacy and security catastrophe in a box. While the United States and its partners aim to “prevent the export of software, technology, and equipment to end-users who are likely to use them for malicious cyber activity, including unauthorized intrusion,” a vulnerable, on-device activity log all but invites malicious actors to target a system like Recall, while diminishing their need for sophisticated intrusion tools entirely.
In recent days, researchers have demonstrated how easily circumventable Microsoft’s safeguards for Recall are and have spoken out in blunt terms to question how a company still under intense government scrutiny for neglecting basic cybersecurity measures — and signatory to CISA’s “secure-by-design” pledge — manages to sustain such a cavalier approach to product design.
Less a checklist than a philosophical approach to better security at earlier phases of product development, CISA’s secure-by-design pledge is a multi-national, public-private roadmap to push responsibility for securing digital systems “upstream, with the manufacturers, where it has the greatest likelihood of reducing the chances of compromise.” It is an approach minimizing both the risks to, and required vigilance by, the end-user. It aims to signify a shift in mindset among its signatories about what “security” entails — as something baked in from inception rather than bolted on after shipping. Recall appears to flout the pledge in both spirit and letter.
Products like Recall not only run counter to the Biden administration’s efforts to promote the development of secure software but also undermine the administration’s attempts to stunt the proliferation of spyware. Last year, the Biden administration rolled out its Joint Statement on Efforts to Counter the Proliferation and Misuse of Commercial Spyware, which has now been signed by 17 democracies. That document references the need to prevent “the export of software, technology, and equipment to end-users who are likely to use them for malicious cyber activity, including unauthorized intrusion into information systems.” A complementary executive order forbids U.S. agencies from using commercial spyware solutions that pose a national security threat to the United States.
Amidst the rollout of the joint statement and executive order last spring, White House officials asserted that these initiatives were designed to leverage the substantial purchasing power of the U.S. and likeminded governments, to render a chilling effect on the burgeoning market for commercial spyware. The United Kingdom and France followed suit soon thereafter with their own Pall Mall Process declaration — an international coalition designed to curb the proliferation of a broader suite of commercially available cyber intrusion tools. The implicit message to tech developers is that signatory governments with hefty budgets won’t buy products from vendors who cater to autocrats and illicit actors who disregard human rights and the rule of law. But Microsoft’s Recall begs the question of where the line between “catering to” and “leaving the door open for” might be drawn. Company representatives have been publicly evasive on that score.
This is where CISA Director Jen Easterly, National Cyber Director Harry Coker, Deputy National Security Advisor Anne Neuberger and Ambassador at Large for Cyberspace and Digital Policy Nate Fick might have taken the lead to demand clarification on behalf of the public and ask how Microsoft’s product announcements align with its security commitments. Instead, a loud and growing chorus of criticism from techies and activists appears to have augured Microsoft’s partial retreat. The company finally agreed last week to make Recall dependent on customer opt-in and to add security features such as enhanced encryption and authentication measures to verify the activity log is accessed only by the device’s owner. Microsoft appears to have been cajoled by critics into offering such security measures as bolt-ons after the fact rather than introducing them by default. But researchers should not have been left to shoulder the burden of calling out these failures.
The Biden administration and its unquestionably qualified team of cyber leaders deserve immense credit for the unprecedented degree of public and policy focus they’ve lent cybersecurity. Democratic governments deserve credit for the diplomatic heft they’ve applied to the cause. They deserve plaudits for their past willingness to call out major tech companies for flawed strategies and harmful practices. All this progress makes their relative silence amid the rollout of Recall — a product demonstrably insecure in its design and functionally spyware by another name — all the more deafening. The episode unfortunately demonstrates a remaining need to back up cyber platitudes and pledges both with more robust regulatory policy and a more active pulpit.
Gavin Wilde is a senior fellow in the Technology and International Affairs Program at the Carnegie Endowment for International Peace, where he applies his expertise on Russia and information warfare to examine the strategic challenges posed by cyber and influence operations, propaganda, and emerging technologies.