From the Rubble | The Surveillance OS | Part 1


series: [“The Surveillance OS”]

In May 2024, Microsoft announced a feature called Recall.

The pitch was simple: an AI-powered photographic memory for your computer. It would take a screenshot of your entire screen every few seconds, run optical character recognition on every image, and build a searchable database of everything you’d ever looked at, typed, read, or done on your machine. Forget where you saw that document? Ask Recall. Can’t remember which website had that chart? Recall knows. Need to find a conversation from three weeks ago? It’s all there.

Microsoft called it a productivity feature.

Security researchers called it something else.

Within days of the announcement, experts had identified what Microsoft apparently hadn’t bothered to check: the database storing every screenshot, every OCR result, every word you’d ever typed or read was stored in plaintext. Unencrypted. On your local drive. Accessible to any process, any user, any piece of malware that could read a file.

Passwords you’d typed. Banking sessions you’d conducted. Medical information you’d looked up. Private messages you’d sent and received. The contents of your therapist’s notes if you’d ever opened them on screen. Every document. Every search. Every moment of your digital life - in a flat, readable, searchable file that any halfway-competent attacker could exfiltrate in seconds.

One researcher built a tool called TotalRecall in a weekend that demonstrated exactly this. Another named the database file, showed its location, and documented how to pull it without elevated privileges. Security professionals who had spent careers defending systems against exactly this kind of data aggregation looked at Recall and said - publicly, on record - that they’d never seen anything like it shipped intentionally by a major OS vendor.

Microsoft pulled Recall. Said they needed more time. Rebuilt it with encryption and biometric authentication.

Then shipped it again.

And that’s where we are. But the Recall story - as disturbing as it is - is actually just the opening act. Because Microsoft wasn’t building a productivity feature. They were building the foundation of something much larger. They called it, without apparent irony, the Agentic OS.

This is what that means, and why it should concern anyone who still thinks their computer belongs to them.


What Recall Actually Is

Let’s be precise before we go further, because Microsoft’s framing has been carefully constructed to obscure what’s actually happening.

Recall is not a search feature. It is a continuous surveillance system applied to your own machine, with a search interface bolted on the front to make it feel useful.

The technical implementation: Recall takes a screenshot every few seconds whenever content on your screen changes. It runs OCR on every screenshot, converting everything visible - text in documents, text in chat windows, text in browser tabs, text in images, text in videos - into searchable strings. It runs semantic indexing on those strings, organizing them by meaning rather than just keywords. It stores all of this in a local database that grows over time, building what Microsoft describes as a “photographic memory” of your entire digital life.

The original version stored this database unencrypted, in plaintext format including passwords and other sensitive information. Microsoft’s own researchers apparently didn’t threat-model what happens when malware, or a hostile family member, or law enforcement with a warrant, or an intelligence agency with a National Security Letter gets access to that file.

The rebuilt version - the one currently rolling out - adds encryption and requires biometric authentication (Windows Hello) to access the database. Microsoft also made it opt-in rather than on by default, after the backlash made opt-in politically necessary.

Here’s what didn’t change: the fundamental architecture. Your machine is still taking a screenshot every few seconds. It’s still OCR-ing everything you look at. It’s still building a comprehensive, indexed, semantically searchable record of everything you do on your computer. The lock on the filing cabinet got better. The filing cabinet is still being filled, whether you want it or not - if you’re on Copilot+ hardware and haven’t explicitly disabled it.

And here’s the detail that should make you stop: when security researchers discovered an option to uninstall Recall through the Windows Features menu, Microsoft clarified it was a bug. Recall cannot be fully uninstalled. Only disabled. The capability lives in the OS whether you want it or not, waiting to be re-enabled by a future update, a policy change, or an entity with administrative access to your machine.


The Hardware Lock Is a Sales Mechanism

Microsoft requires an NPU - Neural Processing Unit - capable of at least 40 TOPS (Trillion Operations Per Second) to run Copilot+ features including Recall, along with 16GB of DDR5 memory and a 256GB SSD. This conveniently excludes the vast majority of existing hardware.

The framing is that NPU acceleration is necessary for these features to run efficiently. The reality is more interesting.

Researchers demonstrated Recall running on hardware without a dedicated NPU, using CPU processing instead. The feature works. It’s slower, but it works. NPU is not necessary for core Recall AI features - Microsoft may not want to enable these features for high-end GPU systems without NPU, as it could make Copilot+ PCs with NPU less appealing.

Read that again. The NPU requirement exists, at least in part, to protect the sales case for new Copilot+ hardware. Functional machines that could run the software are excluded not because they technically can’t, but because allowing them to run it would undermine the hardware upgrade cycle.

Windows 10 end of life in October 2025 pushes users to Windows 11. Windows 11’s most invasive features require hardware most people don’t have. New hardware just happens to be available. The pipeline is deliberate.


Signal’s Response - And What It Tells You

When Recall was announced, Signal - the encrypted messaging app - did something remarkable. They implemented a “Screen Security” feature for Signal Desktop on Windows that uses DRM-like protections to block Recall from capturing screenshots of Signal chat windows. If Recall tries to screenshot a Signal window, it gets a black screen.

Think about what this means.

A privacy-focused application built specifically to protect communications had to implement Digital Rights Management - a technology historically used to restrict what users can do with their own content - to protect user conversations from the user’s own operating system.

The operating system had become the threat actor.

Signal’s move is a creative technical workaround, but it’s a band-aid on a structural problem. Signal can protect its own windows. It can’t protect your browser tabs, your documents, your email client, your notes app, or any of the hundred other things Recall is watching. And most apps aren’t Signal. Most apps aren’t implementing screen security. Most of what you do on your computer is fully visible to Recall.

The uncomfortable implication: if you’re communicating with someone who has Recall enabled and doesn’t use Signal, your conversation may be in their Recall database whether you consented to that or not. Your data, indexed on someone else’s machine, under Microsoft’s architecture, without your knowledge or consent.
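
The mechanism described above, shown as an added example that is not from this article or from Signal’s code: a PowerShell script that opens its own window and excludes it from capture with the Win32 `SetWindowDisplayAffinity` API. That this API is what sits behind Signal’s Screen Security is an assumption (the article says only “DRM-like protections”); the window, its label text, and the function names `Set-CaptureProtection` and `Get-CaptureProtection` are constructed for the demonstration.

```powershell
# Added example: exclude a window this process owns from screen capture.
# Assumption: display affinity is the OS mechanism behind "screen security"-style protection.
Add-Type -AssemblyName System.Windows.Forms
Add-Type -Namespace Native -Name User32 -MemberDefinition @'
[DllImport("user32.dll", SetLastError = true)]
public static extern bool SetWindowDisplayAffinity(IntPtr hWnd, uint dwAffinity);
[DllImport("user32.dll", SetLastError = true)]
public static extern bool GetWindowDisplayAffinity(IntPtr hWnd, out uint pdwAffinity);
'@

$WDA_NONE               = 0x00   # window can be captured normally
$WDA_EXCLUDEFROMCAPTURE = 0x11   # window is shown on the monitor but left out of captures

function Set-CaptureProtection {
    param([IntPtr]$Handle, [bool]$Enable = $true)
    $want = if ($Enable) { $WDA_EXCLUDEFROMCAPTURE } else { $WDA_NONE }
    if (-not [Native.User32]::SetWindowDisplayAffinity($Handle, $want)) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "SetWindowDisplayAffinity failed, Win32 error $err"
    }
}

function Get-CaptureProtection {
    param([IntPtr]$Handle)
    [uint32]$affinity = 0
    if (-not [Native.User32]::GetWindowDisplayAffinity($Handle, [ref]$affinity)) {
        throw "GetWindowDisplayAffinity failed"
    }
    return $affinity
}

# Constructed demo window holding a sample "secret".
$form  = New-Object System.Windows.Forms.Form -Property @{
    Text = 'Protected window (demo)'; Width = 460; Height = 160 }
$label = New-Object System.Windows.Forms.Label -Property @{
    Dock = 'Fill'; Text = 'Constructed sample secret: on the monitor, not in captures.' }
$form.Controls.Add($label)

$form.Add_Shown({
    Set-CaptureProtection -Handle $form.Handle
    # Read the flag back instead of trusting the call: verify the control took effect.
    Write-Host ("Own window affinity: 0x{0:X2}" -f (Get-CaptureProtection $form.Handle))

    # The API is documented to accept only windows owned by the calling process,
    # which is why one app cannot extend this protection to any other app.
    $other = Get-Process |
        Where-Object { $_.MainWindowHandle -ne [IntPtr]::Zero -and $_.Id -ne $PID } |
        Select-Object -First 1
    if ($other) {
        $ok = [Native.User32]::SetWindowDisplayAffinity($other.MainWindowHandle, $WDA_EXCLUDEFROMCAPTURE)
        Write-Host ("Protecting {0}'s window from outside succeeded: {1}" -f $other.ProcessName, $ok)
    }
})
[void]$form.ShowDialog()
```

While the window is open, take a screenshot with any capture tool and compare it with what the monitor shows; closing the window ends the script.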


The Agentic OS - What’s Actually Coming

Recall is the visible piece of a much larger project. Microsoft has been explicit - in developer documentation, in executive interviews, in product announcements - about what they’re building.

They are calling it the Agentic OS.

The stated vision: Windows evolves from a platform where users manually control applications into one where AI agents operate autonomously on your behalf, managing tasks, interacting with apps, executing workflows, and taking actions without requiring your moment-to-moment input. You express an intention - in natural language, or implicitly through your behavior - and agents handle the execution.

Microsoft’s head of Windows described it as an OS that will be “ambient and multi-modal, capable of understanding the content on your screen at all times.” The OS will “semantically understand your intent.” You’ll be able to speak to your computer “while you’re writing, inking, or interacting with another person.”

Understanding the content on your screen at all times.

That’s not a feature. That’s a description of continuous monitoring as a platform primitive.

The Agentic OS architecture involves agents - autonomous AI programs - that can see your screen, read your files, interact with your applications, execute multi-step tasks, and take actions on your behalf. Microsoft is building infrastructure to support fleets of these agents, running in dedicated virtual environments called Agent Workspaces, with their own identities in Microsoft’s Entra identity system, manageable through a control plane called Agent 365.

Agents as employees. With identities. On your machine. Reporting to Microsoft’s management infrastructure.


The Security Admission Nobody Should Have Missed

In their own documentation for the Agentic OS rollout, Microsoft included a warning that most coverage buried or ignored entirely:

“Malicious content embedded in UI elements or documents can override agent instructions, leading to unintended actions like data exfiltration or malware installation.”

Microsoft is shipping agents that can take autonomous actions on your machine - edit files, move documents, execute workflows, interact with applications - while simultaneously admitting that malicious content can hijack those agents and redirect them to exfiltrate your data or install malware.

They recommend that users “read through this information and understand the security implications of enabling an agent on your computer.”

The feature is shipping anyway. Gradually, opt-in, with security controls Microsoft describes as evolving. They’re asking users to accept a novel attack surface - autonomous agents that can be hijacked to steal your data - in exchange for the productivity benefits of not having to click buttons yourself.

This is the security posture of a company that has decided the competitive pressure to ship AI features outweighs the security implications of those features. The US government told Microsoft to fix its security before adding new features. Microsoft announced the Agentic OS anyway.


The Intelligence Community Angle

I want to be careful here, because this is the territory where speculation can outrun documentation. So let me stay with what’s documented and let you draw your own lines.

What’s documented:

PRISM and its successors are real. NSA programs collecting data from major technology companies - including Microsoft - are not conspiracy theory. They’re documented by the Snowden disclosures, confirmed in Congressional testimony, and reflected in ongoing legal battles over government data access.

National Security Letters are real. Law enforcement and intelligence agencies can compel tech companies to provide data and prohibit them from disclosing the request. Microsoft has received these. All major US tech companies have.

The Recall database is a gold mine for law enforcement. Security researchers - not fringe commentators, but professionals at firms like Forrester and SonicWall - stated publicly that Recall’s comprehensive record of user activity represents exactly the kind of surveillance capability that law enforcement and intelligence agencies seek through legal process. One researcher said Recall is “a gold mine for law enforcement and the intelligence community” and suggested “the idea of taking continuous screenshots of your personal computer is so ridiculous and invasive, that we assume it was cooked up by the IC.”

That last part is speculation. Everything before it is documented.

What I’ll say: the question of whether Recall was designed with law enforcement and intelligence access in mind, or whether it just happens to be perfectly suited for it, is worth sitting with. Microsoft is a US company under US jurisdiction. PRISM happened. The architecture of Recall creates exactly the kind of comprehensive, indexed, searchable record of user activity that surveillance programs have historically sought.

Coincidence is a data point. Patterns are evidence.


One of the more revealing aspects of the Recall story is how Microsoft handled consent.

The original version was opt-out - shipped enabled by default. The backlash forced a redesign. The relaunched version is opt-in - you have to explicitly enable it.

But opt-in is doing a lot of work here that it shouldn’t be trusted to do.

The typical Windows user clicks through setup screens. They accept default settings. They trust that an operating system sold by a major corporation and shipped on hardware they paid for has their interests in mind. Opt-in sounds protective until you consider who the typical Windows user is and how thoroughly the technology industry has trained users to click “Accept” without reading.

More structurally: Recall “cannot be fully uninstalled, only disabled.” The capability remains. The data collection infrastructure lives in the OS. What gets enabled or disabled is a setting - a setting that could change with a future update, a policy pushed by an employer managing corporate devices, or administrative access of any kind.

The consent architecture for the Agentic OS is the same. Features roll out as opt-in, in preview, to Windows Insiders first. They become gradually available. They become defaults over time. The trajectory of Windows over the past decade - from Windows 7’s relatively clean installation to Windows 11’s ads in the Start menu, mandatory Microsoft accounts, integrated telemetry that can’t be fully disabled, and now Recall - is a masterclass in consent erosion through incremental normalization.

Each step is small enough to seem acceptable. The destination is surveillance as a platform feature.


The “It’s All Local” Defense

Microsoft’s primary defense of Recall has been that it’s local - the data doesn’t leave your machine, doesn’t go to Microsoft’s servers, isn’t used to train AI models.

This defense is less reassuring than it’s presented as.

“Local” does not mean “private.” Local means on your device, subject to:

  • Any malware that can read files
  • Any process running with administrative privileges
  • Law enforcement with a warrant or NSL
  • Intelligence agencies with appropriate legal authority
  • Anyone with physical access to your device
  • Anyone with remote access to your device
  • Any vulnerability in the encryption implementation
  • Any future policy change by Microsoft

The Recall database - even encrypted - is an extraordinarily high-value target precisely because it contains a comprehensive record of everything you’ve done. Attackers who successfully exfiltrate an encrypted Recall database have everything they need to wait for a decryption opportunity.

And Microsoft’s privacy statement still permits the company to use data to improve and develop products and to share that data with partners for targeted ads. While this doesn’t strictly apply to Recall, policies change. Microsoft’s history doesn’t inspire confidence that current commitments about data use will remain static.

“We’re not doing that yet” is not the same as “we can’t do that.”


Why This Is Worse Than Telemetry

Windows telemetry - the background data collection that has been part of Windows since Windows 10 - is bad. It’s persistent, difficult to fully disable, and represents Microsoft treating your machine as a data collection endpoint for their benefit.

Recall is categorically different. Here’s why.

Telemetry collects metadata about your behavior - what apps you use, how long you use them, crash data, performance metrics. It’s invasive and shouldn’t be happening without meaningful consent. But it doesn’t capture the content of what you do.

Recall captures content. Not that you opened a Word document - what the document contained. Not that you visited a banking website - what your account balance was. Not that you used Signal - what the messages said before Signal’s screen security blocked the screenshot. Not that you had a medical appointment - what the telehealth session showed on screen.

The difference between behavioral metadata and content surveillance is the difference between knowing someone made a phone call and knowing what they said. Both are invasive. They are not equivalent.

Recall is a content surveillance system. The most comprehensive content surveillance system ever shipped as a default component of a consumer operating system, deployed at scale to hundreds of millions of machines, with consent architecture designed to minimize active refusal rather than require active acceptance.


The Precedent Problem

Even if you trust Microsoft today - and I don’t, but grant it for the sake of argument - the architecture being built has implications that extend beyond Microsoft’s current intentions.

You are establishing, in the OS layer of your machine, the infrastructure for:

  • Continuous screen capture and content indexing
  • Autonomous agents with access to your files, applications, and actions
  • Centralized identity management for those agents through Microsoft’s cloud infrastructure
  • A searchable, indexed record of everything you’ve ever done

That infrastructure, once normalized, can be repurposed. By Microsoft, when commercial incentives change. By governments, through legal process or direct access. By attackers, through exploitation. By employers, on corporate devices. By anyone with the appropriate access.

The Agentic OS isn’t just a product decision. It’s a precedent about what an operating system is allowed to be. Once users accept that an OS takes continuous screenshots and runs autonomous agents on their behalf, the category has shifted. What follows will be built on that foundation.


What You Can Do About It

The most direct answer appeared in this series before this article was written: you can leave.

Linux doesn’t do this. Not because Linux distros are morally superior organizations - they’re a diverse collection of communities and companies with their own values and failings. But because the architecture of mainstream Linux distributions doesn’t include continuous screen capture, doesn’t include autonomous agents managing your files and applications, doesn’t include a surveillance substrate baked into the OS that can’t be fully removed.

The sovereignty argument for Linux has always been values-based. But Recall makes it something more: a concrete, documented, present-tense reason to be running a different operating system.

If you’re still on Windows and this article concerns you, the path forward is in the Digital Sovereignty Series. Start with Episode 0, which shows you what the destination looks like before you commit to the journey.

If you’re already on Linux and you know people who aren’t, share this article with them. The mainstream technology press covered Recall as a privacy controversy, noted the changes Microsoft made, and largely moved on. The agentic OS story has barely been covered at all. Most Windows users have no idea what’s being built on their machines.

That’s by design.


One More Thing

Signal had to implement DRM to protect your conversations from your own operating system.

Read that sentence again. Sit with it.

The privacy-respecting messaging app - the one built specifically so governments and corporations can’t read your communications - had to treat your computer like a hostile adversary and use the same technology content companies use to prevent piracy, in order to keep your messages private from the OS running on your own machine.

If you want a single image to carry away from this article, that’s it.

Your operating system has become the threat actor.

The only permanent solution is running a different one.


Resources

  • Windows Recall documentation: support.microsoft.com - Microsoft’s own description of what Recall does
  • Kevin Beaumont’s Recall security analysis: doublepulsar.com - the most technically rigorous independent review
  • TotalRecall (proof of concept): Documented the original plaintext database vulnerability
  • Microsoft Agentic OS documentation: support.microsoft.com/windows/experimental-agentic-features
  • Signal Screen Security announcement: signal.org/blog - Signal’s response to Recall
  • From the Rubble Digital Sovereignty Series: Start with Episode 0 - what the alternative looks like

The Surveillance OS is a separate series from the Digital Sovereignty Series, going deeper on the surveillance infrastructure being built into mainstream platforms. Part 2 covers Google’s equivalent architecture on Android and Chrome OS. Part 3 covers the legislative and intelligence community context.


From the Rubble is written by Kala - veteran, 30-year conspiracy realist. Digital sovereignty, health sovereignty, and the overlap between them. No corporate funding. No ads. No permission required.