c
christoph.kung
On my PC, I accidentally had Whatsapp in Web open when I clicked Recall Browser Extension, having the AI summarize very private conversations to me. I don't want Recall to have any access to this content.
Also, an attacker who has physical access to my device transiently, can use this to extract private information very quickly.
Solutions:
WHITELISTING:
  • have a whitelist of URLs where recall works, such as youtube, spotify etc.
  • users can submit and rank their own whitelists, so that as a new user, you can choose the most popular one
  • when opening a non-whitelisted URL, there is an option to override the Whitelist once or permanently for this URL. Confirmation can be configured to just be a button, or "heavy" confirmation, e.g. via confirmation code to SMS or EMail, to avoid accidental clicking.
BLACKLISTING:
  • same as above but with blacklist.
As a sidenote, I dislike that getrecall has access rights to all my Browsing, as per the Browser extension privileges. I understand that whitelisting/blacklisting can't affect the browser extension privilege settings, because this is not how extensions work. However, I would prefer if there was a clear statement that:
  • getrecall can only access pages where I click the extension
  • has no access to my browsing history
Both are not needed for delivering the service.