The tech company’s new Windows machines can take constant screenshots of users’ every action – quelle surprise , it’s a privacy minefield

On 20 May, Yusuf Mehdi, a cove who rejoices in the magnificent title of executive vice-president, consumer chief marketing officer of Microsoft, launched its Copilot+ PCs , a “new category” of Windows machines that are “designed for AI”. They are, needless to say, “the fastest, most intelligent Windows PCs ever built” and they will “enable you to do things you can’t on any other PC”.

What kinds of things? Well, how about generating and refining AI images in near real-time directly on the computer? Bridging language barriers by translating audio from 40-plus languages into English? Or enabling you to “easily find and remember what you have seen in your PC”.

Microsoft recently caught state-backed hackers using its generative AI tools to help with their attacks. In the security community, the immediate questions weren’t about how hackers were using the tools (that was utterly predictable), but about how Microsoft figured it out. The natural conclusion was that Microsoft was spying on its AI users, looking for harmful hackers at work.

Some pushed back at characterizing Microsoft’s actions as “spying.” Of course cloud service providers monitor what users are doing. And because we expect Microsoft to be doing something like this, it’s not fair to call it spying.

We see this argument as an example of our shifting collective expectations of privacy. To understand what’s happening, we can learn from an unlikely source: fish.

In the mid-20th century, scientists began noticing that the number of fish in the ocean—so vast as to underlie the phrase “There are plenty of fish in the sea”—had started declining rapidly due to overfishing. They had already seen a similar decline in whale populations, when the post-WWII whaling industry nearly drove many species extinct. In whaling and later in commercial fishing, new technology made it easier to find and catch marine creatures in ever greater numbers. Ecologists, specifically those working in fisheries management, began studying how and when certain fish populations had gone into serious decline.

One scientist, Daniel Pauly , realized that researchers studying fish populations were making a major error when trying to determine acceptable catch size. It wasn’t that scientists didn’t recognize the declining fish populations. It was just that they didn’t realize how significant the decline was. Pauly noted that each generation of scientists had a different baseline to which they compared the current statistics, and that each generation’s baseline was lower than that of the previous one.

What seems normal to us in the security community is whatever was commonplace at the beginning of our careers .

Pauly called this “ shifting baseline syndrome ” in a 1995 paper. The baseline most scientists used was the one that was normal when they began their research careers. By that measure, each subsequent decline wasn’t significant, but the cumulative decline was devastating. Each generation of researchers came of age in a new ecological and technological environment, inadvertently masking an exponential decline.

Pauly’s insights came too late to help those managing some fisheries. The ocean suffered catastrophes such as the complete collapse of the Northwest Atlantic cod population in the 1990s.

Internet surveillance, and the resultant loss of privacy, is following the same trajectory. Just as certain fish populations in the world’s oceans have fallen 80 percent, from previously having fallen 80 percent, from previously having fallen 80 percent (ad infinitum), our expectations of privacy have similarly fallen precipitously. The pervasive nature of modern technology makes surveillance easier than ever before, while each successive generation of the public is accustomed to the privacy status quo of their youth. What seems normal to us in the security community is whatever was commonplace at the beginning of our careers.

Historically, people controlled their computers, and software was standalone. The always-connected cloud-deployment model of software and services flipped the script. Most apps and services are designed to be always-online, feeding usage information back to the company. A consequence of this modern deployment model is that everyone—cynical tech folks and even ordinary users—expects that what you do with modern tech isn’t private. But that’s because the baseline has shifted.

AI chatbots are the latest incarnation of this phenomenon: They produce output in response to your input, but behind the scenes there’s a complex cloud-based system keeping track of that input—both to improve the service and to sell you ads .

Shifting baselines are at the heart of our collective loss of privacy. The U.S. Supreme Court has long held that our right to privacy depends on whether we have a reasonable expectation of privacy . But expectation is a slippery thing: It’s subject to shifting baselines.

The question remains: What now? Fisheries scientists, armed with knowledge of shifting-baseline syndrome, now look at the big picture. They no longer consider relative measures, such as comparing this decade with the last decade. Instead, they take a holistic, ecosystem-wide perspective to see what a healthy marine ecosystem and thus sustainable catch should look like. They then turn these scientifically derived sustainable-catch figures into limits to be codified by regulators.

In privacy and security, we need to do the same. Instead of comparing to a shifting baseline, we need to step back and look at what a healthy technological ecosystem would look like: one that respects people’s privacy rights while also allowing companies to recoup costs for services they provide. Ultimately, as with fisheries, we need to take a big-picture perspective and be aware of shifting baselines. A scientifically informed and democratic regulatory process is required to preserve a heritage—whether it be the ocean or the Internet—for the next generation.

This essay was written with Barath Raghavan, and previously appeared in IEEE Spectrum .

Enlarge / Recall is part of Microsoft's Copilot+ PC program. (credit: Microsoft)

Microsoft will be delaying its controversial Recall feature again, according to an updated blog post by Windows and Devices VP Pavan Davuluri. And when the feature does return "in the coming weeks," Davuluri writes, it will be as a preview available to PCs in the Windows Insider Program, the same public testing and validation pipeline that all other Windows features usually go through before being released to the general populace.

Recall is a new Windows 11 AI feature that will be available on PCs that meet the company's requirements for its "Copilot+ PC" program. Copilot+ PCs need at least 16GB of RAM, 256GB of storage, and a neural processing unit (NPU) capable of at least 40 trillion operations per second (TOPS). The first (and for a few months, only) PCs that will meet this requirement are all using Qualcomm's Snapdragon X Plus and X Elite Arm chips , with compatible Intel and AMD processors following later this year. Copilot+ PCs ship with other generative AI features too, but Recall's widely-publicized security problems have sucked most of the oxygen out of the room so far.

The Windows Insider preview of Recall will still require a PC that meets the Copilot+ requirements, though third-party scripts may be able to turn on Recall for PCs without the necessary hardware. We'll know more when Recall makes its reappearance.

Read 7 remaining paragraphs | Comments

Enlarge / Brad Smith, vice chairman and president of Microsoft, is sworn in before testifying about Microsoft's cybersecurity work during a House Committee on Homeland Security hearing on Capitol Hill in Washington, DC, on June 13, 2024. (credit: SAUL LOEB / Contributor | AFP )

Microsoft is pivoting its company culture to make security a top priority, President Brad Smith testified to Congress on Thursday, promising that security will be "more important even than the company’s work on artificial intelligence."

Satya Nadella, Microsoft's CEO, "has taken on the responsibility personally to serve as the senior executive with overall accountability for Microsoft’s security," Smith told Congress.

His testimony comes after Microsoft admitted that it could have taken steps to prevent two aggressive nation-state cyberattacks from China and Russia .

Read 30 remaining paragraphs | Comments

Les consoles Xbox n'étaient capables de garder en mémoire qu'un seul réseau Wi-Fi à la fois. La dernière mise à jour rectifie ce problème, qui forçait à toujours repasser par la case configuration quand on se déplaçait.

Enlarge / Teams is being decoupled from the other Office apps worldwide, six months after Microsoft did the same thing for the EU. (credit: Microsoft/Andrew Cunningham)

Months after unbundling the apps in the European Union, Microsoft is taking the Office and Teams breakup worldwide. Reuters reports that Microsoft will begin selling Teams and the other Microsoft 365 apps to new commercial customers as separate products with separate price tags beginning today.

This is a win for other team communication apps like Slack and videoconferencing apps like Zoom, both of which predate Teams but haven't had the benefits of the Office apps' huge established user base.

The separation follows an EU regulatory investigation that started in July of 2023 , almost exactly three years after Slack initially filed a complaint alleging that Microsoft was "abusing its market dominance to extinguish competition in breach of European Union competition law."

Read 5 remaining paragraphs | Comments

C'est bientôt la fin pour WordPad. Après 30 ans d'activité, l'outil de traitement de texte de Windows va être désinstallé lors d'une mise à jour de Windows 11. Celle-ci arrivera à l'automne 2024.

Les images d'une nouvelle Xbox Series X ont fait l'objet d'une fuite. Mais il n'y a pas de quoi s'exciter : il s'agirait d'un modèle avec le même design que celle sortie en 2020. Elle perdrait simplement son lecteur de disque et arborerait une couleur blanche.

Enlarge / The basic requirements for an AI PC, at least when it's running Windows. (credit: Intel)

Microsoft said in January that 2024 would be the year of the "AI PC," and we know that AI PCs will include a few hardware components that most Windows systems currently do not include—namely, a built-in neural processing unit (NPU) and Microsoft's new Copilot key for keyboards. But so far we haven't heard a whole lot about what a so-called AI PC will actually do for users.

Microsoft and Intel are starting to talk about a few details as part of an announcement from Intel about a new AI PC developer program that will encourage software developers to leverage local hardware to build AI features into their apps.

The main news comes from Tom's Hardware , confirming that AI PCs would be able to run "more elements of Copilot," Microsoft's AI chatbot assistant, "locally on the client." Currently, Copilot relies on server-side processing even for small requests, introducing lag that is tolerable if you're making a broad request for information but less so if all you want to do is change a setting or get basic answers. Running generative AI models locally could also improve user privacy, making it possible to take advantage of AI-infused software without automatically sending information to a company that will use it for further model training.

Read 5 remaining paragraphs | Comments