Meredith Whittaker, president of Signal, has warned that AI chatbots “are not your friends” and that agentic systems like Microsoft Copilot amount to a backdoor into encrypted communications. She made the comments in a Bloomberg interview published this week.
Whittaker said she uses AI tools occasionally to format documents but draws a hard line at anything more substantive. “I don’t ask them questions,” she said. Her concern is not just about utility but about what users unknowingly reveal when interacting with these systems.
The Signal Copilot backdoor framing came from her response to a prediction by Microsoft AI CEO Mustafa Suleyman. Suleyman suggested that users would one day let Copilot handle Christmas shopping by eavesdropping on family group chats to infer who wants what. Whittaker listed what that requires: “my credit card, my browser, my Signal, the ability to message my siblings on my behalf, my home address, my calendar.”
“What you’ve just described is a system with very pervasive access across multiple applications and services,” she said. “In the context of Signal, it would constitute a kind of a backdoor.”
Signal’s Copilot backdoor warning
The concern runs deeper than a single product. An AI agent that processes messages on a device reads them in plaintext, either before encryption or after decryption. The encryption protects data in transit, but that protection means little when software with deep system access is reading the content at the endpoint.
Whittaker has been making this argument for months. At Davos in January 2026, she called agentic AI “perilous” for secure messaging. In an essay for The Economist, she said operating system vendors are “hollowing out” Signal’s privacy guarantees by embedding agents at the platform level. She has also flagged prompt injection as the most likely early attack path, where an adversary uses a crafted message or document to manipulate an AI agent into executing unintended commands.
Microsoft is building its next operating system, Project Solara (announced at Build 2026), around agent-first computing, where AI agents replace traditional apps as the primary interface. Google, Apple, and OpenAI are pursuing similar architectural approaches. Whittaker argues that this shift, where agents mediate every digital interaction, creates a complete record of a user’s life that becomes a target for both hackers and governments.
AI chatbots are not confidants
Beyond encryption, Whittaker pushed back on the tendency to treat AI as a companion or trusted advisor. She described the mechanism as “averaging what’s already out there” rather than genuine comprehension. Sharing sensitive thoughts or personal details with a chatbot means handing that information to systems whose operators have commercial incentives to retain and analyse it.
Suleyman has himself warned about “AI psychosis” and users believing chatbots are sentient. Whittaker’s version of the same concern was more direct: companies design these systems to appear empathetic, but the mechanism is pattern-matching across training data, not understanding.
The productivity argument for agentic AI, central to the Silicon Valley pitch, is that AI agents will handle tedious tasks and free up time. Whittaker’s counter is that this productivity comes by surrendering control of messages, contacts, calendars, and financial information to a corporate system, a trade most users make without grasping the terms.