While it does actually omit things that it knows are sensitive (e.g. incognito mode in recognized browsers) from the screenshots it saves, things that it does not know about are all fair game.
DuckDuckGo browser? Never heard of it. Let's hoover up all the data we can get.
Signal? 🤷♂️ I'll just default to saving everything I see there.
You get the picture...
@erickolb
Anything you do in a non-incognito (or other recognized equavalent) is fair game.
If you see something on the screen, Recall sees and indexes it.
@wdormann Makes sense re: LastPass/1Password plugins. There's clearly some mechanism to acknowledge that certain applications should not be captured ever, since private windows were excluded (save Firefox). Have we got any indication what that might be? Reg keys perhaps? Knowing that would be important for assessing both offensive and defensive capabilities.
@erickolb
TBH, I'm not sure what it takes for an app to be excluded from Recall snapshots.
Specifically if it's something the app needs to do explicitly, or if it's up to Microsoft to provide a list of things not to capture.
For example, the KeePassXC app isn't included, but the 1password session in a browser is.
@erickolb
I mean, it's better than nothing.
But at the same time, the 1password stand-alone app is NOT exempt from Recall indexing.
Is this 1password's fault for not exempting itself from Recall, or is this Microsoft's fault for not recognizing that 1password should be exempt?
@wdormann That is the operative question, and there's risks and opportunities that come from the answer to that.
If it is controlled locally, could the user/admin make any application invisible to Recall? If so, what permissions and knowledge would an adversary need to undo that and use Recall to harvest secrets? If it's controlled by MS somehow, then wow that is an egregious power grab of privacy isn't it?
@erickolb
You can manually exclude apps and websites.
But both of these lists are empty, at least from the GUI perspective.
So how Recall knows to ignore the KeePassXC app, but doesn't know to ignore 1password is beyond me...