Microsoft announced Recall in May 2024 as a flagship feature of Copilot+ PCs. The idea: you half-remember seeing something last week, so you type "that chart about rent prices" and Recall finds the moment it was on your screen. To make that work, the system continuously captures snapshots, extracts the text with OCR, and indexes everything locally.
Within days of the first preview builds, security researchers showed that the initial implementation stored those snapshots and the OCR database in a plain SQLite file readable by any process running as the logged-in user. Extraction tools appeared almost immediately. The backlash was loud enough that Microsoft pulled the feature before general release, made it opt-in instead of on-by-default, gated access behind Windows Hello, and moved the data into encrypted storage backed by virtualization-based security. It returned through the Insider program that autumn and shipped broadly in 2025.
Those fixes were real, and they addressed the sloppiest problems. They did not address the feature's actual privacy question, because that question has nothing to do with how well the database is encrypted.
The problem is the archive existing, not how it's stored
End-to-end encryption protects a message in transit and on the server. It has never protected a message from the screen it is displayed on. That was always true: the person you write to could screenshot anything. What Recall changes is scale and defaults. A manual screenshot is a deliberate act applied to one message. Recall is an automatic act applied to every message, from a system component the other person did not choose, may not know is running, and cannot see.
Play that forward for a disappearing message. You send something with a five-minute timer to a contact whose laptop runs Recall. The timer fires, the app deletes the message on both ends, and a snapshot of it sits in your contact's Recall archive anyway, indexed by its own text, retrievable by anyone who can unlock that PC. Neither of you did anything wrong. The operating system quietly overruled the messenger's deletion contract.
Recall's opt-in is granted by the PC's owner. The people whose messages, photos, and video calls appear on that screen were never asked. A messaging privacy decision that used to be bilateral (you and your contact) now has a silent third party: the endpoint's OS configuration.
Who this actually endangers
Microsoft is right that snapshots stay on the device and are not used for ad targeting. But "local only" describes where the data lives, not who can get it. The realistic threats are local too:
- Shared and supervised computers. Anyone who has or can demand your Windows Hello unlock (an abusive partner, a controlling parent, an employer with a legal right to the machine) gets a scrollable timeline of everything you did. For people in coercive situations, this converts a private conversation into standing evidence. Our guide on tech safety planning covers this threat model in depth.
- Device seizure and forensics. A forensic extraction of a PC used to yield files, browser history, and whatever apps chose to log. A Recall archive adds a time-lapse recording of the screen itself, including content from apps that deliberately keep no logs.
- Malware that logs in as you. The re-engineered storage keeps other users out. Code running in your session, with your credentials, at the moment you unlock Recall, is a harder boundary to hold, and infostealers already specialize in exactly this position. We covered that ecosystem in infostealers and session hijacking.
Microsoft added content filtering that tries to skip snapshots of passwords, payment card numbers, and private browsing windows. Independent testing since launch has repeatedly found the filtering inconsistent: it catches a checkout form, then happily captures the same card number typed into a chat or displayed in an email. Filters that work most of the time are a poor foundation for a guarantee.
What messaging apps can and cannot do about it
In May 2025 Signal shipped "screen security" on Windows: it marks its window with the same DRM flag video-streaming apps use, so screenshots and Recall snapshots of the chat window come back black. Other privacy-focused apps have since taken similar measures or announced plans to. It works, with real costs: it also blocks legitimate screenshots, breaks some screen readers and accessibility tooling, and it depends on the OS honoring a flag designed for a different purpose.
The deeper limitation is structural. An app can only flag its own window. The moment a message is copied into another app, quoted in a notification, or read aloud into a transcribed call, it leaves the protected surface. A messenger can raise the cost of ambient capture; it cannot make an operating system stop photographing itself.
A useful way to update your threat model: treat "what my contact's device does by default" as part of the conversation's attack surface. It always was, but the default used to be "nothing." The operating assumption we suggest for 2026
Practical steps
If you run Windows on a Copilot+ machine and care about the confidentiality of your communications:
- Check Settings → Privacy & security → Recall & snapshots. Off is a valid choice, and on machines used by more than one person we think it is the right one.
- If you keep it on, use the per-app exclusion list and add every messenger, mail client, and password manager you use. Set a retention limit so the archive is not unbounded.
- Enable screenshot protection in messengers that offer it, and prefer messengers that do.
- For conversations where deletion genuinely matters (sources, medical situations, escape planning), assume any Windows endpoint may retain screen captures, and move those conversations to a device you control. The same logic applies that we described for border crossings: the safest data is data the device never held.
None of this is a reason to abandon encrypted messaging, which still protects you from every network and server adversary it always protected you from. It is a reason to stop treating the endpoint as neutral ground. The industry spent fifteen years getting encryption in transit right. The next fight is over what the endpoint quietly remembers, and Recall is the clearest sign so far that the endpoint's defaults are moving in the wrong direction.