BizOneness: Recall and Overlooked Security Risks

#BizOneness

For those not following the tech news, the nightmare that is Microsoft Recall is back. If not careful, Recall can become a huge security risk for SAP Business One Users.

In Spring 2024, Microsoft introduced a feature coming later that year to Microsoft Windows 11: Recall. Recall is effectively a personal search engine of the user's activity run by AI. Copying the users' work every few seconds, Recall would store the snapshot in a database as plain text and then scan it with an LLM. Microsoft's intention is an intelligent history of all applications. If you want to find some mention of macadamia nuts you saw on a website three months ago, Recall would find the web page. if you wrote a memo about those macadamia nuts in Microsoft Word, it would also find the document.

The tech press, especially the cybersecurity press, panned it for good reason. The potential of spying from either bad actors or from Microsoft (assuming you don't consider them a bad actor) is huge.

Microsoft's response apprently fixed many of the concerns and in April 2025, began rolling out Recall. Most importantly, it is opt-in and requires Copilot PC hardware to run. The data is stored locally, although at a large space cost for one's hard drive. Reports were as much as 150GB of hard drive space. Microsoft's security features will require the identification of the user before access or changes are made to recall settings. Microsoft also has on their website directions on how to disable or remove Recall if not desired.

Such changes bring along several common issues among big tech companies like Apple, Microsoft, Amazon, and Google. While opt-out and on-device are true for the current update, none of those promises might be kept in a later update. Even for users who opted out of Apple intelligence, for example, updates turned it on. Amazon changed private processing of Alexa conversations to mandaotry server processing. Microsoft decided to end privacy protection for Microsoft 365 users in early 2025.

While most people reading this newsletter may know about SQL and use SQL Server regularly, they may not know about SQLLite, one of the most ubiquitous but invisible data management systems. With estimates of over 1 trillion active instances, this C++ library creates lightweight, single-user databases for persistent memory handling in most popular Web browsers, mobile devices, Apple Macs, Windows PCs, Smart TVs, and even car entertainment systems. At its core is SQL. The original version of Recall kept data as plain text, making it simple to scrape full databases of private information with help from the onboard AI to filter for the good parts. Fortunately, this was one of the improvements made to the current version, as the data is now encrypted.

For most ERP systems, the issue is not the ERP itself. There's been no announcement that SQL Server will get Recall, and most server providers know how to handle security to some extent. The client systems sitting on user's desks are the vulnerability. Most companies I've worked with use PCs for their client machines. Most often, these are PCs dedicated to work processes. Lax security, purchasing the cheapest system at installation time, and the inevitable use of personal devices, especially among founders and c-suite people, mean that there is usually a hodgepodge of systems where Microsoft could install Recall without anyone's knowledge. While Microsoft put in safeguards, including Remote desktop screensfiltered out of Recall, malware will circumvent those safeguards eventually. According to some security researchers, the filtering mechanism is not consistent.

Not just files but everything shown on a PC screen, from banking records to confidential emails stored securely online, are now directly visible to attackers and governments. If someone has the security to get into such a machine, no technical knowledge will be necessary to find anything they want about the user. The biggest spyware package ever is included in every Microsoft Windows update. While it only affects Copilot+ systems today, Microsoft did promise to change that in the future.

Of course, this also includes screenshots of SAP Business One. Your server may be secure, but those client PCs are not, and a lot of data will be stored with easy access. If someone learns the PIN for someone else's Windows PC, they can easily query the AI to find out whatever they want about the primary user. Users may be giving away secrets and confidential information unwittingly.

Fortunately, there are a few things one can do. The easiest is to opt out of Recall. This setting is supposed to be the default, but making a regular check after updates if the update hasn't turned it on is a good precaution.

If Recall is on, Microsoft gives instructions on how to shut it off and even uninstall it. A system administrator can control the setting as part of the security policy. However, this will likely be a wack-a-mole problem in the SAP Business One world. Many client systems will be using independent PCs, including personal PCs the company may not control. Alarmingly, those personal pc's are the people with the most confidential data. Many small businesses cannot afford to use a single provider of PCs nor have an IT department to control their configurations. Some systems will have Recall turned on without comprehensive security controls on all systems.

While using Microsoft products and operating systems to communicate with a SAP Business One server is easiest, it is possible not to use Windows on a client. Some server-based web options only require a browser and are not dependent on an operating system. Even if a Remote Desktop session is necessary for your server connection, both Microsoft and third-party remote desktop applications are available.

An interesting alternative to Windows is Linux-based client systems. While seemingly bare-bones for most users, Linux operating systems do not work on the same business model as big tech companies, often open source. Thus, they are inexpensive and less intense on processors than Windows. Devices that run Linux can also be incredibly affordable; depending on the equipment purchased and the system's configuration, one might get a full client for under $200 or save money on hardware and convert the e-waste collected in some closet to usable systems.

In two weeks, I'll look at that possibility in more detail, setting up an old Raspberry Pi v1, a new Raspberry Pi 500, and a $200 Windows CPU lying around, converting them all to Linux, and connecting to SAP Business One.