I'm happy to have this setting. It's a great setting and I appreciate Signal adding it.
However, if an attacker has the ability to directly query the Recall database, they almost certainly have access to read all your Signal messages on your device. The locations where Recall files live are even more protected and isolated than your %APPDATA%\Roaming\Signal directory is.
Everything running as you on your computer has full control of all your Signal messages and your identity assigned to the device. This is untrue of your Recall data, which from last I saw required a lot of finagling to get the permissions right for you to access it raw.
I agree with Signal here and love their commitment. Strangely (to me) they do 'recall' things in other ways:
* They have a message retention setting, 'Disappearing messages'; it works on message correspondents' devices too (if Ali sets Disappearing messages' to '1 day' for the chat with Barry, and then texts Barry, 1 day later Signal deletes the message on both Ali's and Barry's devices).
However, 'Disappearing messages' applies only to text messages. For every voice and video call, Signal retains a record of the date and time and the participants, and Signal saves it on the devices of each participant. Beyond a doubt, Signal's developers are well aware of the value of such metadata - as valuable as call content, in different ways - and the need for confidentiality (if you aren't familiar with that particular issue, I promise that every security professional is).
I'm shocked that they do it. What about a human rights dissident who is arrested - or whose phone is stolen - their phone won't show any sign of the text messages but it shows everyone they called and when, implicating all those other people and putting them at risk, and also evidence against the phone's owner. And even if they are disciplined and manually delete each of those records - afaik you can delete each call record one at a time - the other call participants' phones still retain the records. There is nothing someone can do to protect themself.
Better security here doesn't seem hard to implement. Also, I think having different settings for text messages and for voice/video calls makes retention settings more confusing for users. Many will believe they are safe without realizing the risk of this metadata - they trust the experts at Signal to understand these things and keep them safe - and many will assume everything disappears. Just have one setting for all data and metadata in the chat.
* Also, afaik if you delete the entire correpondence with someone - delete their entire chat history and delete them from the Signal address book - Signal retains information on them, such as settings for that chat. It seems that an attacker could identify all the deleted correspondents; again, there's no way to protect yourself.
Windows has turned itself into spyware. Apple is too expensive and going the same way.
Meanwhile the user experience of Linux has dramatically increased. Put on a good skin and most people wouldn't notice the difference. You don't need to reply that you can, I know you can. You're on HN. But most people just use their computer for the browser and most people can't tell Chrome from Firefox. Most people get their lockin by their tech friend or child. Really, Microsoft's only lockin remains Office.
It won't be a complete shift but the signs of growing userbase is there. Would be a huge win for open source! If you haven't tried Linux in a few years try giving something like PopOS a go or if you want to say you use Arch then try EndeavourOS. Both are very stable, latter slightly less.
Edit: enfuse was right, I should have suggested EndeavourOS instead of Manjaro.
Maybe I'm nuts, but I absolutely love timesnapper (the non-LLM predecessor of Recall, but the same screenshot every few seconds concept).
I originally got it for it's main advertised function--making it easy to record hours for contract billing--but once I had it running I was hooked.
It's just incredibly useful to be able to pull up what you were doing at any given moment, or how you did a particular thing, a few months after the fact.
I haven't used Recall yet but hooking it up to a multimodal LLM seems like an obviously useful thing.
One of the driving forces of my full windows exodus was Recall. I knew they wouldn't seriously scrap the project. Glad to see measures are being taken to avoid the spies. Shame it comes to DRM though.
Fighting with the OS is futile. The OS is always in control and apps can only ask it nicely to do things.
Microsoft can simply change Recall to capture DRM-marked content too. And to avoid copyright issues, it will store some kind of visual summary (or whaterer the neural network can use) instead of plain screenshots like it is doing now.
Continue to be happy to have deleted windows from all my computers, including for gaming. There are issues with closed source OSs in general, but microsoft has continually shown that they make bad decisions and just aren't trustworthy.
It’s really come to this? As if accepting the 4 different data sharing Eulas required to install windows wasn’t enough, now apps need to DRM themselves…
Does anyone else feel like Signal is acting like Recall is the only app that could record your screen on Windows? It seems like this is something they should have been stopping for a long time and they are finally addressing this loophole?
I think this is quite strange, imo this is just virtue signalling / activism and much less about privacy. I install Signal on the Windows operating system on the computer I trust. If I wouldn't trust Windows, why would I install Signal? Also Recall is an opt-in feature, it's not spyware, that's simply FUD.
Second, Apple is doing something similar except they send all your data to the cloud (yes I know Apple says private cloud, but there's no such thing). What's Signal's take on that?
I respect their stance on privacy, but this doesn't feel like a rational decision to me.
this would presumambly also prevent signal from working over RDP/remote desktop.
With that said, anyone by default this seems somewhat pointless (though I might be wrong), as by default it seems signal keeps the entire message history in a sqlite DB on the machine. While one can argue that the screenshot history is problematic, the sqlite DB is just as problematic if one views it as a need to have good privacy defaults, and I'd argue that the sqlite DB is much more valuable to exfilitrate than the screenshot history.
Now, one can counter that one can purge the message history (all or in part) in a manner that is easier than with Recall, and I'd agree that Recall would be better if it gave the users fine grained ability to purge things from it, but that doesn't change the argument that we are simply seeing virtue signaling here (pun slightly intended), as this change to defaults doesn't really improve a user's privacy.
If an app did this without an off switch, what would be the easiest way to bypass it and take a screenshot anyway, assuming the goal is a higher quality result than taking a picture of the monitor?
As per the aicorp jurisprudence copyright doesn’t apply to AI usecases, so I’m sure they’ll fix the DRM „no screenshots“ flag preventing AI capture — it’s only legally self-consistent. Teams probably gets its own private API to exclude itself anyway (all Teams content must be privy only to the TeamsAI).
I have a very nice Microsoft Surface Pro running Windows 10. I refuse to update to Windows 11. Has anyone tried a Linux distribution on such a device? Which one would you recommend?
No OS or app should be able to stop me taking screenshots. Not my phone, not my desktop. It's MY device. I should be able to take screenshots of whatever the hell I want.
If you have to have this kind of monitoring on your OS, to circumvent spying on your apps, something is really wrong and you should probably take the nearest exit.
> If you’re wondering why we’re only implementing this on Windows right now, it’s because the purpose of this setting is to protect your Signal messages from Microsoft Recall.
To nitpick, that doesn't tell me why you're only implementing this now. That tells me why it's more important now, but it doesn't tell me why it wasn't good before now. But the word "only" suggests that there was a reason you didn't do this before now.
Hopefully Signal manages to turn all the recent press into a positive for user acquisition. It's a fantastic app and service. In an ideal world, laws could be updated for the digital age such that automated disappearing messages were not considered equivalent to deleting records, but rather to an in-person conversation or phone call for which records would not be expected to be kept in the first place. I'm not holding my breath on that one though.
> “Take a screenshot every few seconds” legitimately sounds like a suggestion from a low-parameter LLM that was given a prompt like “How do I add an arbitrary AI feature to my operating system as quickly as possible in order to make investors happy?”
No, actual AI is smarter than Microsoft managers, it seems:
Here are some ideas for adding an arbitrary AI feature to your operating system quickly to make investors happy:
- AI File Search: NLP for file/setting search (search files by NLP querying)
- Auto Window Layouts: AI-suggested window organization ("coding mode", "research mode" depending on detected usage patterns)
- Smart Notifications: automatic notification condensing to reduce clutter
- AI Clipboard: Keeping a categorized clipboard paste based on content
- Predictive App Launcher: Suggests apps based on daytime, usage, recently opened files
- AI Wallpaper/Theme: Smart visual suggestions, i.e. wallpaper based on current weather, mood, etc.
- Voice Quick Commands: AI-based voice OS control ("Open browser")
- AI System optimization: for example, content-based disk space cleanup
You know I understand this is HN so I might get downvoted for saying this (with no explanation) but we should start enforcing computer crimes when corporations do it
If Microsoft decides spying on you and inflicting DRM or whatever or any of the other companies they should be liable in criminal prosecution
At least some of these you could plausibly argue even violate the CFAA and is about on the same level of some lone black hat hackers
I switched to Linux permanently in 2015. Didn't know it would get this bad but forced updates was what convinced me to switch. It seems every time I see Microsoft in the news, it's very specifically NOT for good reasons. Grabbing my popcorn...
I look forward to the first report of domestic abuse or worse caused by recall. I really hope this never happens and pray it doesn’t but I am 100% sure someone is going to utilize this feature to see exactly what their bf/gf is doing when online.
Those who are not very tech savvy will ultimately do something online and their partner will look and see exactly what they did and snap.
This scenario will be Microsoft’s fault. They are literally installing spyware as a feature. I hope no one gets killed.
Microsoft really seems out of control. Yesterday I noticed that OneDrive was turned on automatically (I've always been very clear about not turning it on). Which was incredibly shocking to me, that they'd just turn on uploading my data to the cloud on the sly. And of course, it's nearly impossible to turn off Edge loading things. I'm really on the verge of switching to Linux, it's getting too awful
if signal tried to do something this bad themeselves, we wouldnt really be able to for it or switch to another client. Just another bad actor bitching about worse actors, huh?
>To help mitigate this issue, we made the setting easy to disable (Signal Settings → Privacy → Screen security), but it’s difficult to accidentally disable
It's easy to disable, but it's difficult to disable?
Yes sure. There isn't much a userland app can actually do if your OS wants to spy on you. I wonder why they spend their time on this?
Meanwhile, Signal still requires a phone number to register and use. It's terrible: phone numbers are easy to lose, and not everyone has a phone number.
I like the ideas behind the Session[0] messenger: create an account with no authentication (no phone number, no email, no nothing), get a list-of-words-to-note-down, which allows you to access your account from any device. You get a UUID or something as your user id. Share that with a QR code or send a link over an existing channel to connect to someone.
To me this seems way ahead of Signal. I'm not affiliated with Session and haven't actually persuaded anyone to start using it just yet, so I don't really know how it is in practice. But the UX of creating an account made me weep tears of joy and hope <3
By default, Signal doesn't recall
(signal.org)557 points by feross 21 May 2025 | 475 comments
Comments
However, if an attacker has the ability to directly query the Recall database, they almost certainly have access to read all your Signal messages on your device. The locations where Recall files live are even more protected and isolated than your %APPDATA%\Roaming\Signal directory is.
Everything running as you on your computer has full control of all your Signal messages and your identity assigned to the device. This is untrue of your Recall data, which from last I saw required a lot of finagling to get the permissions right for you to access it raw.
* They have a message retention setting, 'Disappearing messages'; it works on message correspondents' devices too (if Ali sets Disappearing messages' to '1 day' for the chat with Barry, and then texts Barry, 1 day later Signal deletes the message on both Ali's and Barry's devices).
However, 'Disappearing messages' applies only to text messages. For every voice and video call, Signal retains a record of the date and time and the participants, and Signal saves it on the devices of each participant. Beyond a doubt, Signal's developers are well aware of the value of such metadata - as valuable as call content, in different ways - and the need for confidentiality (if you aren't familiar with that particular issue, I promise that every security professional is).
I'm shocked that they do it. What about a human rights dissident who is arrested - or whose phone is stolen - their phone won't show any sign of the text messages but it shows everyone they called and when, implicating all those other people and putting them at risk, and also evidence against the phone's owner. And even if they are disciplined and manually delete each of those records - afaik you can delete each call record one at a time - the other call participants' phones still retain the records. There is nothing someone can do to protect themself.
Better security here doesn't seem hard to implement. Also, I think having different settings for text messages and for voice/video calls makes retention settings more confusing for users. Many will believe they are safe without realizing the risk of this metadata - they trust the experts at Signal to understand these things and keep them safe - and many will assume everything disappears. Just have one setting for all data and metadata in the chat.
* Also, afaik if you delete the entire correpondence with someone - delete their entire chat history and delete them from the Signal address book - Signal retains information on them, such as settings for that chat. It seems that an attacker could identify all the deleted correspondents; again, there's no way to protect yourself.
Windows has turned itself into spyware. Apple is too expensive and going the same way.
Meanwhile the user experience of Linux has dramatically increased. Put on a good skin and most people wouldn't notice the difference. You don't need to reply that you can, I know you can. You're on HN. But most people just use their computer for the browser and most people can't tell Chrome from Firefox. Most people get their lockin by their tech friend or child. Really, Microsoft's only lockin remains Office.
It won't be a complete shift but the signs of growing userbase is there. Would be a huge win for open source! If you haven't tried Linux in a few years try giving something like PopOS a go or if you want to say you use Arch then try EndeavourOS. Both are very stable, latter slightly less.
Edit: enfuse was right, I should have suggested EndeavourOS instead of Manjaro.
I originally got it for it's main advertised function--making it easy to record hours for contract billing--but once I had it running I was hooked.
It's just incredibly useful to be able to pull up what you were doing at any given moment, or how you did a particular thing, a few months after the fact.
I haven't used Recall yet but hooking it up to a multimodal LLM seems like an obviously useful thing.
Microsoft can simply change Recall to capture DRM-marked content too. And to avoid copyright issues, it will store some kind of visual summary (or whaterer the neural network can use) instead of plain screenshots like it is doing now.
Second, Apple is doing something similar except they send all your data to the cloud (yes I know Apple says private cloud, but there's no such thing). What's Signal's take on that?
I respect their stance on privacy, but this doesn't feel like a rational decision to me.
With that said, anyone by default this seems somewhat pointless (though I might be wrong), as by default it seems signal keeps the entire message history in a sqlite DB on the machine. While one can argue that the screenshot history is problematic, the sqlite DB is just as problematic if one views it as a need to have good privacy defaults, and I'd argue that the sqlite DB is much more valuable to exfilitrate than the screenshot history.
Now, one can counter that one can purge the message history (all or in part) in a manner that is easier than with Recall, and I'd agree that Recall would be better if it gave the users fine grained ability to purge things from it, but that doesn't change the argument that we are simply seeing virtue signaling here (pun slightly intended), as this change to defaults doesn't really improve a user's privacy.
(saying this as a Signal fan)
https://www.youtube.com/watch?v=lm51xZHZI6g
To nitpick, that doesn't tell me why you're only implementing this now. That tells me why it's more important now, but it doesn't tell me why it wasn't good before now. But the word "only" suggests that there was a reason you didn't do this before now.
No, actual AI is smarter than Microsoft managers, it seems:
Here are some ideas for adding an arbitrary AI feature to your operating system quickly to make investors happy:
- AI File Search: NLP for file/setting search (search files by NLP querying)
- Auto Window Layouts: AI-suggested window organization ("coding mode", "research mode" depending on detected usage patterns)
- Smart Notifications: automatic notification condensing to reduce clutter
- AI Clipboard: Keeping a categorized clipboard paste based on content
- Predictive App Launcher: Suggests apps based on daytime, usage, recently opened files
- AI Wallpaper/Theme: Smart visual suggestions, i.e. wallpaper based on current weather, mood, etc.
- Voice Quick Commands: AI-based voice OS control ("Open browser")
- AI System optimization: for example, content-based disk space cleanup
Any of the above are better than this nonsense.
If Microsoft decides spying on you and inflicting DRM or whatever or any of the other companies they should be liable in criminal prosecution
At least some of these you could plausibly argue even violate the CFAA and is about on the same level of some lone black hat hackers
Come on guys, come on...
The latest Android update already introduced screen sharing with Gemini. Their web app has that too.
It wont be long until people complaining here about DRM/Microsoft will have an always on AI watching their screen by their own choice.
It's easy to disable, but it's difficult to disable?
Meanwhile, Signal still requires a phone number to register and use. It's terrible: phone numbers are easy to lose, and not everyone has a phone number.
I like the ideas behind the Session[0] messenger: create an account with no authentication (no phone number, no email, no nothing), get a list-of-words-to-note-down, which allows you to access your account from any device. You get a UUID or something as your user id. Share that with a QR code or send a link over an existing channel to connect to someone.
To me this seems way ahead of Signal. I'm not affiliated with Session and haven't actually persuaded anyone to start using it just yet, so I don't really know how it is in practice. But the UX of creating an account made me weep tears of joy and hope <3
[0]: https://getsession.org/