[sn_master]

Except this thing is opt-out and would put a whole lot of data on tens of millions of computers including things that were never stored by default (credit card numbers, reset codes, e2e encrypted messages etc).

Recall is a malware.

[its-summertime]

That is irrelevant to the topic of its security being exploited as claimed.

- - -

Most browsers beg to store credit cards by default, e2e encrypted messages are already accessible by the user (because they are one of the "ends"), reset codes are probably in most people's download folders, in the stuff-sent-to-the-printer cache, or forgotten completely (which IMO is worse)

[wormius]

The fact there's now a central repo for it all. Scraping far more than just "credit card" and "passwords/logins" (personal details ever shown on your screen? Porn? Blackmail much? and don't give me the "if you've nothing to hide" spiel) People you connect to? Hey, now we can make a social graph. Contacts is one thing, but contents of chats? Let's add on more graph data. I mean, sure FB already does that, but there's legal avenues to pursue remedies(in theory). Here? What can you do but get pwned harder. Stop excusing MS for this poorly thought out feature. They're returning the old ways and should not be given sympathy til they prove they are committed to privacy and security (which this seems to go against after Nadella's "WE MUST MAKE SECURITY FIRST" dictate)

[its-summertime]

The central repo is called the web browser. Porn is in your web browser's history. People you connect to is in your web browser's history. Content of your chats can be accessed using the cookies in your web browser's cookiejar.

If you are security-aware enough to avoid those issues, then you aren't using a closed-source operating system in the first place.

[lawlessone]

>If you are security-aware enough to avoid those issues, then you aren't using a closed-source operating system in the first place.

So what about everyone else?

[its-summertime]

Then they are going to have those issues regardless of recall.

[AlotOfReading]

And now your keylogger doesn't even need to clear the minimal hurdle of using the screen recording APIs to get screen data, it can simply read a folder to defeat "secure" onscreen keyboards and it'll work across the vast majority of (future) computers.

Now thousands of tech-impaired organizations have to proactively go out and find alternatives that don't alienate their users. How many of do you think will get it right as opposed to ever more inconvenient security theater to satisfy compliance checklists?