Spyware as a service
-
New Windows AI feature records everything you’ve done on your PC
Recall uses AI features "to take images of your active screen every few seconds."
LMAOWTF?
-
@stillwater pretty much. It’s local for now but that doesn’t mean it won’t change in the future, and doesn’t mean it won’t phone home some condensed aggregate that isn’t raw snapshots.
And you can bet employers will want this for checking employees aren’t slacking.
There are some legit uses of that kind of monitoring (e.g. exam proctoring) but it isn’t core OS feature level.
-
@Arantor said in Spyware as a service:
exam proctoring
This does sound like Microsoft is preparing you for your proctologist's prostate exam.
-
I saw that article yesterday, and there aren't enough
and 
to adequately describe what a horrendously stupid idea this is."Recall uses Copilot+ PC advanced processing capabilities to take images of your active screen every few seconds .... and saved on your PC’s hard drive."
In addition to cluttering up your hard drive (good news for people selling bigger hard drives, I guess) this will immediately be exploited by malware.
-
** laughs in smug Debian user **
A couple of corpos I worked with bought this off the shelf, but it killed the VMS, so it was dropped. Will probably be delighted to see it inbuilt.
-
@topspin indeed, bend over, you “will” take it.
-
Here’s an interesting thought! How is any of this legal under the GDPR?
-
@Arantor said in Spyware as a service:
Here’s an interesting thought! How is any of this legal under the GDPR?
The same way most shit is legal under GDPR. You click a button selling your soul for funko pops and if its not deemed to be legal, well the fine is three hundred thousand but we earned ten million.
-
@DogsB about time the various policing bodies actually used the power of the GDPR to levy the fines they’re actually allowed to. The law gave you fuckers teeth, fucking bite Big Tech already.
-
@Arantor said in Spyware as a service:
And you can bet employers will want this for checking employees aren’t slacking.
I'm pretty sure that's illegal here, probably under GDPR. I know for a fact monitoring email metadata to check for private email is illegal.
-
@PleegWat sure, but you know MS will want to offer this everywhere it is legal because there are employers who will want this.
-
LOL. Everyone going this/that is illegal under GDPR or under the law should come work where I live. Even things that are illegal are legal here in India. You could mass deploy something like this and nobody would give a remote flying fvck.
I'm thinking the bunch of us who don't know Linux should get started.
Goddamn everything has become a fucking joke
-
@PleegWat said in Spyware as a service:
I know for a fact monitoring email metadata to check for private email is illegal.
You don't have google where you live anymore?
-
In yesterdays's MS Build, they were touting it as the next big thing with absolutely no hesitation about pushing this everywhere. What are we missing? How is everyone excited about this?
-
@Arantor said in Spyware as a service:
Here’s an interesting thought! How is any of this legal under the GDPR?
Is pressing Print Screen every so often against the GDPR? Feeding those pictures into a program running locally that does some processing on them? As announced, the pictures never leave your machine. Obviously "as announced" is not equivalent to "as implemented", but if taking screenshots violates the GDPR I should have been locked out of the EU ages ago.
-
@stillwater said in Spyware as a service:
In yesterdays's MS Build, they were touting it as the next big thing with absolutely no hesitation about pushing this everywhere. What are we missing? How is everyone excited about this?
They're always like that. (Graph Graph Graph...)
I didn't like Timeline either, and this is very similar. (Basically "Timeline that gets around those pesky requirements of only seeing the system's File/Open dialog, Explorer, and tabs from Edge.")
-
@Parody said in Spyware as a service:
Is pressing Print Screen every so often against the GDPR?
That would depend on who takes those screenshots and what they’re used for. If you’re taking them yourself for your own purposes, then there is obviously nothing illegal about it. If somebody else is doing it to keep tabs on you, though, I wouldn’t be so sure it isn’t illegal.
-
@Gurth its defenders (yes it already has some) are adamant that a) it is encrypted, b) its local only and c) it can be turned off.
The important one is the last one, if it’s true and once off stays off, but we know how good Windows is about respecting such things.
-
@Gurth said in Spyware as a service:
@Parody said in Spyware as a service:
Is pressing Print Screen every so often against the GDPR?
That would depend on who takes those screenshots and what they’re used for. If you’re taking them yourself for your own purposes, then there is obviously nothing illegal about it. If somebody else is doing it to keep tabs on you, though, I wouldn’t be so sure it isn’t illegal.
That'd fall under the fairly long-existing (predating widespread commercial use of the Internet, though they may have been updated since) hacking laws in the US, not any of the later privacy laws. If that's handled by the GDPR over there, then fine.
I do get annoyed at people (not just here, all over our digital world) saying everything is against the GDPR. I'm not quite sure how my Commodore 64 running a game from the '80s and no connection to any other computers does it, but I'm sure someone would say it does.
Anyway, if Recall works as described, images and related data never leaving your machine, I don't see how it's any different than you taking them yourself or telling some other program to do it. (Anyone leave the XBox/nVidia/AMD game software enabled that lets you grab the last 30 seconds (or whatever) of your game when not actively recording?)
On the plus side, this Recall feature requires a Copilot+ PC, which excludes all of our existing Windows machines. We'll have some time to let other people be guinea pigs. :)
-
@Parody the issue comes into play at least under GDPR around recording copies of personally identifiable data.
Now if I make a document with my PII in it, or I make a document with someone else’s PII, that’s on me. I made it, I’m notionally responsible for its lifecycle including dissemination to the likes of OneDrive. But since it’s under my control, I’m able to influence how far or not that gets spread. All good here.
The issue is that this thing will take screenshots periodically which can contain PII (because it won’t filter that out, it only filters out DRM content), potentially also including credentials for things, and it’s effectively a black box for that.
And while storage is local, and processing is local, there are two very very large caveats to both of those.
Firstly, they’ve not said in any incontrovertible way that data won’t leave your machine, they’ve said it’s processed locally, and nothing about that it’s not processed locally to be sent offsite later.
Secondly, there’s no clarity on lifespan of this storage or handling, nor apparently access to it so even though it is local, you have no idea what your liability for any of this now is. And more importantly, despite “being encrypted”, if your machine can decrypt it (if not, what’s the point), any attacker is going to be very very fucking interested in that data.
It suddenly raises all the threat assessments for anything you ever do on a Windows machine, by giving attackers a very juicy target indeed: because it’s not just the potential for credentials (consider things like passwords being visible), but all the data for things you do on your PC you might not on your phone. And it’ll be left on your PC just begging for exfiltration.
All of which is covered under responsible protection of data under GDPR, especially if any of that data is privileged (which it might be and Recall won’t know)
But I suppose it does explain the need for TPM in Win11, so that’s something.
-
@Arantor said in Spyware as a service:
@Parody the issue comes into play at least under GDPR around recording copies of personally identifiable data. ...
That's fine, though it's no different than you leaving your personal information on your machine in a readable way. The difference (and I think we're violently agreeing on this?) is how that information is used and whether it ever leaves your system. Just letting a program do it automatically isn't what matters, no matter how much people want to complain about it without introducing the privacy concerns. (I've seen some of that elsewhere. :sigh: )
The FAQ section of the Copilot+ marketing site does address some of your questions, though likely not in satisfactory ways. Ex: How long are these pictures stored? Until you delete them or you run out of disk space set aside for Recall and it starts deleting old ones.
Recall is not a feature I want, any more than anything else that records everything I do on my personal computers. Maybe if enough enterprise customers complain about someone other than them doing this sort of thing it'll disappear like Sets. I'm not holding my breath, though.
-
@Parody no, it’s not the same, that’s the problem.
If I make a file myself, I am responsible for it under GDPR. If I fail to adequately secure the machine with reasonable precautions, that’s on me.
This, however, is a thing I can’t really control, have no insight to and no reasonable ability to secure. But I’m still responsible for the breach if this is the vector.
The FAQ page doesn’t really cover the important things, and note the present tense in all the assertions with no guarantees that these situations won’t change in the future.
-
@Arantor said in Spyware as a service:
a) it is encrypted
So you trust MS's security?
b) its local only
So you trust MS's integrity?
-
@topspin it’s like you read my mind about this. I am amazed how many we defending this shit on Twitter though.
-
@Arantor said in Spyware as a service:
@topspin it’s like you read my mind about this. I am amazed how many we defending this shit on Twitter though.
AI has usurped the brain power previously reserved for crypto currency enthusiasm. There was lots of that going on, too.
-
@Arantor said in Spyware as a service:
which can contain PII (because it won’t filter that out, it only filters out DRM content)
This is also absolutely amazing. What does that tell you about their priorities?
-
@boomzilla said in Spyware as a service:
@Arantor said in Spyware as a service:
@topspin it’s like you read my mind about this. I am amazed how many we defending this shit on Twitter though.
AI has usurped the brain power previously reserved for crypto currency enthusiasm. There was lots of that going on, too.
I first read this as "crypto currency autism" and I think I'll stick with it.
-
@topspin said in Spyware as a service:
This is also absolutely amazing.
ITYM unsurprising.
@topspin said in Spyware as a service:
What does that tell you about their priorities?
Nothing new.
-
@topspin that filtering out DRM requires no effort because the OS already does it (you can’t screenshot from iTunes even on Windows for example) and it’s just using the existing APIs to screen cap, and that filtering out PII is far too much like effort (but also valuable enough to scrape)
-
@boomzilla said in Spyware as a service:
AI has usurped the brain power previously reserved for crypto currency enthusiasm. There was lots of that going on, too.
That sentence just made me think. When do we get the AI-crypto rush?
-
@Parody said in Spyware as a service:
That'd fall under the fairly long-existing (predating widespread commercial use of the Internet, though they may have been updated since) hacking laws in the US, not any of the later privacy laws. If that's handled by the GDPR over there, then fine.
I'd expect hacking laws to apply to anyone who is not already authorized to access the machine. Your employer is authorized to access your work PC, and very likely also any private PC you use for work purposes. However they must still respect your privacy if and when they do so.
@Arantor said in Spyware as a service:
there’s no clarity on lifespan of this storage or handling
This is another big one. While handling customer issues, I can and do handle PI and PHI from customers, and in certain cases this may involve storing it locally. There are strict handling policies on this, and violating them "can result in disciplinary action, up to and including termination of employment" (that's a direct quote from the policy).
Additionally, I must be able to purge this data at any time (such as when the ticket is closed), including all copies and recycle bin or trash contents, and faithfully confirm I did so to The System. Inability to do so is not an option.
-
@Arantor said in Spyware as a service:
and c) it can be turned off.
But that setting can be overridden with a group policy in the domain...
Big Employeris watching you.
-
every time i hear of a new "big" windows update i'm glad anew that i dont' use it....
ArchLinux has its own issues, but at least it doesn't spy on me and show me ads that i did not consent to, and have no meaningful way to opt out of.....
yep. yay enshitification of everything!
-
@dcon said in Spyware as a service:
@boomzilla said in Spyware as a service:
AI has usurped the brain power previously reserved for crypto currency enthusiasm. There was lots of that going on, too.
That sentence just made me think. When do we get the AI-crypto rush?
AI powered crypto trading bots have been a thing for a few years now.
I suppose you could store your AI datablob on the blockchain for some extra luls.
-
Related?
Uh-oh: Apple users are complaining that a new software update is resurfacing their deleted nudes
Yo, iPhone users, remember the photos you deleted years ago? How can those reappear unless Apple is storing them on their servers?
-
@boomzilla Supposedly, files were reappearing on devices that had been factory reset and were running with new users as well.
I would not trust anything apple again after this. They either store shit on their servers that shouldn't be, or they are leaking shit from user accounts that shouldn't leak, or the secure delete isn't secure. None of the options is at all in any way good.
Not that I'd trust MS anywhere near as much as I'd trust Apple anyway. Not even the Kola borehole has a shot at going below the low bar MS sets in trustworthyness.
-
@Carnage FWIW, I heard that it was some sort of database corruption being fixed that restored the files, but that doesn't explain a wiped device with a different account getting something from the old account back.
-
@topspin said in Spyware as a service:
@Arantor said in Spyware as a service:
a) it is encrypted
So you trust MS's security?
b) its local only
So you trust MS's integrity?
Somebody checking out the preview version of "Recall":
-
@JBert my late night cynicism actually hopes they all get pwned even harder than ever imagined. That’s what you get for being so apathetic to all the spyware shoved in you face.
But probably the fallout will be just barely awful enough that people in general will shrug it off.
-
The hilarity was that it was even less secure than we expected. Encrypted? Yes - with BitLocker. Only you can see it? Yes because userland restrictions prevent you, but are easily bypassed.
I like that Recall is now going to be opt-in rather than opt-out. I suspect it will not remain that way.
Still looking at moving off Win10.
-
@PleegWat said in Spyware as a service:
Additionally, I must be able to purge this data at any time (such as when the ticket is closed), including all copies and recycle bin or trash contents, and faithfully confirm I did so to The System. Inability to do so is not an option.
What about backups? My point is that we've already come up with solutions to the general question of "What are the rules around PHI/PII as it relates to normal IT recoverability responsibilities such as: backup, mirroring, hot spares, offsite recoverability, etc..."
The answer is that all of the artifacts produced by these process will be considered to contain PHI/PII, but the organization is under no responsibility to allow (or require) the end user to manage and/or maintain that data. So, if we get a GDPR request to remove someone from the system, we don't have to go into every single backup and purge their account data from there too. However, we do need to make sure that only users that actually perform backups and restores access that data, and only do so for a specific purpose and their activities are limited to those necessary to perform the task at hand.
This dumb AI feature will fall under the same rules.
To be honest, this comes up all the time in all sorts of contexts. Here's a page I ended up on recently to help a colleague deal with a similar question: https://www.linkedin.com/pulse/how-use-ringcentral-compliant-communications-finance-other-barnes/
The colleague wanted to know what the rules are for recorded phone calls in a call center if the callers discuss health issue.
-
@Jaime said in Spyware as a service:
What about backups?
Some employer told me that they do not accept job applications by email because of GDPR. If the candidate is not successful, they have to delete all his data from the system after a specified time. But they do backups of their emails, hence they would not be able to comply with that rule...
-
@Jaime said in Spyware as a service:
What about backups?
The post concerned my personal workstation. Any customer information stored on it is temporary. If it is lost for any reason that would require restoring a backup, I can re-fetch that data from the ticketing system.
-
@PleegWat The point is that any time a technology ends up creating copies of PHI/PII in the course of operating, your need to purge specific data elements don't apply to the copies created.
The fact that this is your personal workstation doesn't change the accepted practice, it just places you in a situation you haven't been in before. If you are in fact handling PHI for a client on your workstation in the course of doing business for them, you'll need to get a Business Associate Agreement signed between you and Microsoft. It's an online form and an automated process, but you are still required to do it. The agreement will detail Microsoft's responsibility to handle your data within the confines of HIPAA rules. Anything Microsoft does wrong that they said they'd do right in the document - well that's on them and you don't have to worry about it.
-
@BernieTheBernie said in Spyware as a service:
Some employer told me that they do not accept job applications by email because of GDPR.
That's because they know that every general-purpose email provider is not going to handle the data correctly and won't sign a BAA stating that they will do so. In this situation, it would be your employers responsibility to do so, and he simply isn't going to do it. Email systems store too many files in too many places for this to be practical - which is why the email provider refused in the first place.
Microsoft is a different story - as long as you pay for Office 365, Microsoft will manage your data in their data centers in compliance with pretty much every regulation that exists. They'll even let you manage the encryption keys if you buy a high enough tier.
-
@Jaime said in Spyware as a service:
So, if we get a GDPR request to remove someone from the system, we don't have to go into every single backup and purge their account data from there too. However, we do need to make sure that only users that actually perform backups and restores access that data, and only do so for a specific purpose and their activities are limited to those necessary to perform the task at hand.
I'm curious: if a restore from backup is required, does that not mean all that "deleted" information will suddenly reappear as part of the restoration? Or is a record of who has been purged kept so that during restoration process the forgotten information can be deleted from the backup being accessed prior to restoration?
-
@Watson said in Spyware as a service:
Or is a record of who has been purged kept so that during restoration process the forgotten information can be deleted from the backup being accessed prior to restoration?
I'm under the impression that this is indeed the allowed compromise to avoid needing to purge those backups.
-
Microsoft pulled the Recall preview build for the moment.
Microsoft pulls release preview build of Windows 11 24H2 after Recall controversy
Release Preview version of 24H2 was the only one where Recall could be enabled.
I missed this happening, actually; the update date in the Windows Insider blog post was last Friday.
-
@Watson said in Spyware as a service:
@Jaime said in Spyware as a service:
So, if we get a GDPR request to remove someone from the system, we don't have to go into every single backup and purge their account data from there too. However, we do need to make sure that only users that actually perform backups and restores access that data, and only do so for a specific purpose and their activities are limited to those necessary to perform the task at hand.
I'm curious: if a restore from backup is required, does that not mean all that "deleted" information will suddenly reappear as part of the restoration? Or is a record of who has been purged kept so that during restoration process the forgotten information can be deleted from the backup being accessed prior to restoration?
Once the backup restore is completed, your data is in the same state as it was after the business completed your GDPR request
