If you work in tech and have a pulse, you will have had an opinion handed to you over the last few weeks about the new wave of "AI PCs". The Copilot+ machines started reaching people in June, the marketing was relentless, and the centrepiece feature, Recall, has spent the time since being walked back, delayed, and quietly reshaped after a fairly comprehensive security mauling. I have watched the whole thing with the weary recognition of someone who has reviewed a few features that screenshot things.
Let me lead with the point, because the discourse around this has been long on heat and short on it. The problem with Recall was never the ambition. The problem was that the first design stored a searchable, plaintext-ish record of everything you ever looked at, sitting on disk, protected by not very much, and switched on by default. That is not a clever AI feature with a security wrinkle. That is a security incident with a clever AI feature bolted to the front.
what it actually did
The pitch is genuinely appealing, and I want to be fair to it. Recall takes periodic snapshots of your screen, runs them through on-device models to extract text and context, and lets you search your own past. "What was that bank statement I looked at on Tuesday" becomes a query rather than an archaeology project. For the right person this is brilliant. I have lost enough afternoons to "I definitely had this open somewhere" that I understand the appeal in my bones.
The trouble is the threat model. The moment you build a continuous, indexed, locally-stored history of a user's entire screen, you have created the single most valuable target on the machine. Anything that can read that store, malware, a nosy housemate, an abusive partner, a stolen laptop, gets the user's whole digital life in one searchable lump. Passwords typed into a field that briefly showed them. Messages they deleted. The lot.
And the early implementation, the one researchers got their hands on before the climbdown, made this far too easy. The database wasn't meaningfully protected from a process running as the same user. No special privilege required, no decryption hurdle worth the name. If you can run code as the user, you can read everything they ever saw. People built proof-of-concept extractors within days. That is not a hypothetical, it is a demo.
the climbdown was the right call
To their credit, the response was to delay rather than to ship and apologise later. Recall came off the initial Copilot+ launch, went back for rework, and the revised version that has been described since is a different animal: opt-in rather than on by default, gated behind Windows Hello, the data encrypted and only decryptable when you actually authenticate. That is roughly what it should have been on day one, and it is genuinely better.
But I want to sit with why it wasn't there on day one, because that is the interesting part and the part the keynote-reaction crowd mostly skips.
the keynote incentive problem
Keynotes are not engineering reviews. They are demos with a narrative, and the narrative this year is AI, urgently, everywhere, now. When the entire industry has decided that the next platform shift is on-device intelligence, the pressure to put a flagship AI feature on the box is enormous. "It records your screen and you can search your life" is a fantastic stage moment. "We spent six months getting the encryption and the consent flow right and it is opt-in and a bit boring" is not.
So the demo-shaped feature wins the slot, and the security review either happens too late or gets overruled by the calendar. I have been on both sides of that conversation. The honest version is that someone almost certainly raised these exact concerns internally and got told the date was the date. Reviewers on the outside then said the same things, louder, with working exploits, and the date moved. The process worked, eventually, it just worked in public and with reputational cost attached.
the boring opinion
Here is mine, and it is deliberately dull. On-device AI that indexes your own data is a good idea. Doing it by default, in plaintext, with weak access controls, was a bad idea, and predictably so. The fix was not to abandon the feature, it was to make it opt-in, encrypted, and tied to real authentication, which is exactly where it has landed. None of this required hindsight. It required someone with the authority to say "not yet" before the keynote rather than after the headlines.
The wider lesson, the one I keep relearning, is that "on-device" is not a synonym for "private". Local processing is great for latency and for not shipping your screen to someone's cloud, but the moment that data lands on disk it inherits every weakness of the endpoint it lives on, and the endpoint is usually the weakest link you have. Local and private are different properties. Marketing keeps conflating them because it is convenient, and we keep having to untangle it after the fact.
I am not anti-AI-PC. The hardware is genuinely capable and some of these features will be quietly excellent in a year once the rough edges are filed off. But the keynote everyone has an opinion on this summer is, underneath the noise, a very old story: a feature shipped ahead of its security model, got caught, and got fixed. Worth doing. Should have been done in the other order.