Magic Pointer reads every pixel under the cursor — emails, documents, banking details, medical records — and sends context to Google servers for processing. No prompt required. Continuous screen capture via lightweight local heuristics combined with server-side multimodal encoders. Similar scrutiny as Circle to Search but at desktop scale.

March 2026: TotalRecall Reloaded bypassed VBS Enclave via AIXHost.exe injection. Extracted screenshots, OCR text, CSV metadata in plaintext. Beaumont confirmed: "yep, you can just read the database as a user process." Also found undisclosed tracking fields. SECOND time researchers fully extracted the Recall database.

In 2015, Dell shipped laptops with eDellRoot — a pre-installed root certificate with the private key included, enabling MITM attacks on HTTPS. The EFF called it Superfish 2.0. Dell had publicly mocked Lenovo for the identical Superfish scandal months earlier.

CVE-2017-8360: Researcher Thorsten Schroeder found Conexant's MicTray64.exe on 28 HP laptop models contained a keyboard hook that captured every keystroke to a world-readable log at C:\Users\Public\MicTray.log. Passwords, messages, everything typed was logged in plaintext since October 2016.

Acer UEIP Terms of Use (official Acer document) reveals collection goes far beyond device identification: lid switch status (knows when laptop is open/closed), audio mute state and volume levels, display on/off/dim status, user input methods (mouse/stylus/touchscreen/pen/fingerprint use), limited keyboard input, USB port usage, app install/uninstall events, taskbar pinned applications, desktop shortcuts, MAC addresses of nearby Wi-Fi access points, and HDD S.M.A.R.T. diagnostics. This constitutes real-time behavioral monitoring disguised as "device information" collection.

FTC settlement (2017) proved Lenovo pre-installed Superfish VisualDiscovery that performed man-in-the-middle interception of ALL encrypted HTTPS traffic — banking, medical, email — and sold captured browsing data to third parties. The root CA certificate used the trivially guessable password "komodia." This was not disclosed to consumers. CISA issued emergency alert TA15-051A. Lenovo paid $3.5M FTC fine and $7.3M class action settlement.

Google is 77% advertising revenue. Core Services have no ads but YouTube ("Additional Service") operates under consumer privacy terms with full ad tracking. Google Search same. Students use both daily via same account. When students turn 18, ecosystem familiarity converts into advertising relationship.

Operation ShadowHammer (2019): ASUS update servers compromised for 5 months pushing backdoored updates signed with legitimate certificates to 500K-1M computers. Attributed to APT41/BARIUM, Chinese state-sponsored group. CISA added to Known Exploited Vulnerabilities in 2025.