Signal Against AI Agents: Giving Chatbots Access to Messages and Calendar is Equivalent to a Backdoor
Signal Against AI Agents: Giving Chatbots Access to Messages and Calendar is Equivalent to a Backdoor
AI systems that propose themselves as all-purpose assistants, capable of reading messages and acting on behalf of the user, are incompatible with end-to-end encryption. This is supported by Meredith Whittaker, president of Signal, in an interview with Bloomberg: an agentic tool with pervasive access to applications, she explained, would constitute a sort of backdoor in the context of Signal.
Already in January, during a speech at the World Economic Forum in Davos, Whittaker described agentic AI as "dangerous" for secure applications, and in an essay for The Economist, she accused operating system producers of undermining Signal's ability to protect privacy by incorporating AI agents into their platforms. The Bloomberg interview reiterates and focuses on the same alarm.
Chatbots are Not Conversational Partners
The starting point is a warning about the way these tools are presented to the public. "They are not your friends. They are not conscious beings. They are not sentient interlocutors," declared Whittaker. She claims to use AI tools only for formatting documents, avoiding asking questions: "I don’t ask them questions. I take my thinking and writing very seriously, and I don’t want the process of crafting an idea to be precluded or obscured by the response of a system that averages what already exists."
The Copilot Scenario
The technical issue emerges from a concrete example raised in the interview. Mustafa Suleyman, head of Microsoft AI, suggested a Copilot capable of autonomously managing users’ Christmas shopping by intercepting family chats. For this to work, Whittaker notes, such an agent would need "my credit card, my browser, my Signal, the ability to message my siblings on my behalf, my home address, my calendar." It is at this point that the fundamental objection arises: "What you just described is a system with highly pervasive access across multiple applications and services. In the context of Signal, it would constitute a sort of backdoor."
The most likely attack vector against encrypted messaging platforms, according to Whittaker, is prompt injection: attacks that manipulate an AI agent into executing unintended commands. The scope of the issue is broad, given that Signal's encryption protocol is also used by WhatsApp, which has over two billion users. And the direction of the industry is moving towards agents as the primary interface: Microsoft is building an agent-oriented operating system with Project Solara, presented at Build 2026, that replaces traditional apps, with similar strategies pursued by Google, Apple, and OpenAI.
Regulatory Concerns
The concern aligns with the regulatory front. Whittaker reiterated that Signal would prefer to leave the European Union rather than weaken its encryption, in relation to the European Parliament's April vote on the ePrivacy exemption regarding the scanning of private messages for child pornography. For those who use encrypted messaging, Whittaker's words should sound like a warning bell: granting an AI assistant cross-access to chats, contacts, and calendars effectively means bypassing the guarantees that such encryption should provide.