First experiences with Recall

Windows Recall is designed to make user activity searchable on Copilot+ PCs. We tried out the feature and took a look at the data collected.

Screenshot of the recall search with various results for the search "korean restaurant that Alice"

Explosive function: Recall creates screenshots and stores them in a database.

(Image: Microsoft)

By Peter Siering
This article was originally published in German and has been automatically translated.

The new device class with ARM CPUs and its own special AI chip (neural processing unit, NPU) is due to be launched on the market in mid-June. Microsoft's new Recall function will only work with this NPU. However, creative talents have already found ways to activate the function on older ARM PCs. This requires a special pre-release version of Windows 11 in version 24H2 (build 26100.712) and a system with an ARM CPU, such as the dev kit from 2023 or a virtual machine in Microsoft's Azure cloud.

With the Amperage software, which is available on GitHub, and a rather slow download of more than 2 GByte from Archive.org, Recall can be added to an ARM PC prepared in this way. The download contains additional AI data with which Recall also works without an NPU. After running Amperage, the function is available, but still needs to be activated in the Windows settings. The ARM PC then regularly collects screenshots and feeds these and apparently other data into a database that the Recall frontend can then search.

Searching the data collected in this way was rather slow in an Azure VM. It often took several seconds for Recall to show the first results, even though only a few operating steps had been performed in the VM so far. This may well be due to the lack of an NPU. The Azure VM certainly proves that the AI works in principle: the search also finds things that were never entered but were displayed on the screen as an image, providing plausible results, for example for a bicycle that was only visible as an image. The options for navigating through the recorded data via the timeline seem rather rudimentary. There seems to be no provision for stepping precisely through individual points in time.

Recall finds the user's activities via text and image recognition on the screenshots.

From the search results, you can sometimes call up the application from which a search hit originated; sometimes you even end up directly on the open document, such as a specific web page. At first glance, we couldn't work out what system lies behind this. The output clearly shows whether Recall arrived at the result via a pure text search or via text recognition (OCR) on the screenshots taken. Apparently, it also records user input, for example when the user enters commands on the command line in PowerShell.

The data that Recall generates by observing the user ends up in the Windows user profile folder under AppData, for example in c:\Users\ps\AppData\Local\CoreAIPlatform.00\UKP. There is a subfolder with a GUID name that contains an SQLite3 database and an "ImageStore" subfolder with the screenshots in JPEG format.

The database and the screenshots are accessible to all users who are in the administrators group, which is the standard for individually used Windows PCs today. This means that every user who has their own account on the PC has access to this database. To access the profiles of other users, they must first obtain access, but this can be done quickly by confirming the UAC prompt (this is not recommended because it weakens the protection of the accounts against each other).

Common Windows accounts with administration rights have access to all Recall data, such as the SQLite database.

With conventional tools for editing SQLite3 databases (such as DB Browser for SQLite), you can gain detailed insights into what Microsoft stores. Background: SQLite is a library that is integrated into many applications and provides an SQL database interface. The files processed by it contain several tables and can be exchanged, viewed and edited across platforms.
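An added example, not from the article or from TotalRecall: a read-only Python inventory of the layout described above (a GUID-named subfolder holding an SQLite3 database plus an "ImageStore" folder of JPEGs), useful for checking what a profile has accumulated. The article does not name the database file or its tables, so files are recognised by their magic bytes, and the folder, file and table names in the sample are constructed.

```python
import re, sqlite3, tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"   # first 16 bytes of every SQLite3 file
JPEG_MAGIC = b"\xff\xd8\xff"            # JPEG start-of-image marker
GUID_RE = re.compile(r"^\{?[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}?$")

def _starts_with(path, magic):
    with open(path, "rb") as fh:
        return fh.read(len(magic)) == magic

def inventory_store(root):
    """Summarise each GUID-named store under root without modifying it."""
    report = {}
    for store in Path(root).resolve().iterdir():
        if not (store.is_dir() and GUID_RE.match(store.name)):
            continue
        tables = {}
        for f in store.iterdir():
            if not (f.is_file() and _starts_with(f, SQLITE_MAGIC)):
                continue
            # mode=ro opens the file read-only, so the audit cannot alter it
            con = sqlite3.connect(f.as_uri() + "?mode=ro", uri=True)
            try:
                for (name,) in con.execute("SELECT name FROM sqlite_master "
                                           "WHERE type='table' ORDER BY name").fetchall():
                    quoted = '"' + name.replace('"', '""') + '"'
                    rows = con.execute(f"SELECT COUNT(*) FROM {quoted}").fetchone()[0]
                    tables[f"{f.name}:{name}"] = rows
            finally:
                con.close()
        img = store / "ImageStore"
        shots = [p for p in img.iterdir() if p.is_file()] if img.is_dir() else []
        jpegs = sum(_starts_with(p, JPEG_MAGIC) for p in shots)
        report[store.name] = {"tables": tables, "jpegs": jpegs}
    return report

def build_constructed_sample(root):
    """Constructed stand-in for the described layout; every name here is made up."""
    store = Path(root) / "01234567-89ab-cdef-0123-456789abcdef"
    (store / "ImageStore").mkdir(parents=True)
    con = sqlite3.connect(store / "sample.db")
    con.execute("CREATE TABLE sample_events (id INTEGER PRIMARY KEY, text TEXT)")
    con.executemany("INSERT INTO sample_events (text) VALUES (?)", [("a",), ("b",), ("c",)])
    con.commit()
    con.close()
    for i in range(2):
        (store / "ImageStore" / f"shot{i}").write_bytes(JPEG_MAGIC + b"\xe0constructed")
    (store / "ImageStore" / "notes.txt").write_text("not an image")
    return store.name
```

Calling `inventory_store()` on a copy of the UKP folder from your own profile returns, per store, the row count of every table and the number of stored screenshots.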

On GitHub, Alexander Hagenah has published "TotalRecall", a Python script that saves and analyzes the data contained in the database. This makes it easy to check on the command line whether a particular word appears in the data. Hagenah demonstrates this using the search term "password" as an example, which inspires headlines suggesting that passwords can be extracted from the AI data fog. This is not wrong, but the password must presumably have been displayed legibly on the screen.

We had Recall observe the login to a Nextcloud instance on a trial basis and found no evidence that the function saves the password. The text recognition only shows the usual asterisks or dots. On the other hand, everything that can be read on the screen is of course available to the AI, such as account balances and QR codes. A user must always be aware of this. There are options to temporarily deactivate Recall or switch it off for individual programs.

The explosive nature of the function lies less in the fact that it stores individual secrets in the database than in the aggregation of the data: if bad guys have intercepted the data, they can quickly obtain screenshots from the user's online banking thanks to AI and can assess whether the victim's account balance is worth further efforts. The data is presented on a silver platter and the database provides the table of contents.

But it's not just bad guys who might be interested in the aggregated data. After all, you can also learn a lot about the user's habits from this treasure trove of data. In the SQLite database, for example, we found a table that neatly documents how many seconds the user has spent in which application. Companies like to monitor their employees. With Recall, they only need additional software for targeted analysis. Perhaps specialized AI will help again?

Recall seems to have been put together in a hurry and breaks with many traditions: Microsoft uses SQLite instead of its own database technology. The data is in plain text instead of being obfuscated, as is common in Windows. This means you can see exactly how Recall works, which is also atypical for Microsoft. If the feature hadn't been promised for mid-June and the Copilot+ PCs, you might think it was a prototype.

(ps)