Signal president Meredith Whittaker warned on June 20 that AI agents like Microsoft Copilot aren't productivity tools so much as data collection systems wearing a friendly face, and her argument cuts directly against the enterprise AI rollout narrative that vendors are spending billions to establish.
The warning came in an interview with Bloomberg, and Whittaker didn't hedge. AI chatbots, she said plainly, are "not your friends." They're not conscious beings. They're not sentient interlocutors. And the increasingly common framing of these systems as helpful companions, whether it's Microsoft's Copilot pitched as a personal assistant or consumer chatbots that remember your preferences and history, is a deliberate trust-building mechanism that obscures what's actually happening at the data layer.
What Whittaker is describing isn't a hypothetical risk. She pointed directly at Microsoft AI CEO Mustafa Suleyman's vision of letting Copilot handle your Christmas shopping as a concrete example of the problem. For an agent to do that, it needs access to your calendar, your browser, your payment credentials, your contacts, your private messages. In the context of Signal specifically, she said, integrating an operating system agent with those permissions would constitute a backdoor. The Signal Protocol itself remains cryptographically sound. That's not the vulnerability. The vulnerability is that the agent sits on top of the decrypted layer, which means encryption's practical guarantee has already been hollowed out before anyone's tried to break the math.
As TechCrunch reported on June 20, Whittaker has described agentic AI as having "profound" security and privacy issues, and her position is that any operating system vendor implementing agents with broad cross-application permissions is, effectively, undermining the ability for Signal or any other E2EE service to guarantee protection. The encryption is fine. The system around it isn't.
For startups building agentic workflows, this is the part that deserves real attention. The enterprise AI market is currently organized around a small number of platforms that own the data layer: Microsoft 365 with Copilot, Google Workspace with Gemini, Salesforce with Agentforce. Vendors sell access to those layers as a feature. Your agent can see the calendar, read the emails, act on the CRM. That's the pitch. What Whittaker is pointing out is that "access to the data layer" and "surveillance infrastructure" are the same thing, described differently depending on who's doing the describing.
If you're a startup building an agentic workflow on top of Microsoft's stack, you don't control what Microsoft does with the data your agent touches. You're not the privacy guarantor. Microsoft is. And Microsoft's commercial interests are not aligned with minimizing data exposure; they're aligned with maximizing the intelligence surface that makes Copilot more capable over time. That's not a conspiracy, it's just the product logic, and it's worth being clear-eyed about it when you're deciding which platform to build on.
This is the opening that Whittaker's critique creates for a different kind of vendor. Oracle, for instance, recently launched what it's calling a Private Agent Factory inside Oracle AI Database 26ai, designed to run agents in sovereign or air-gapped environments with data that never leaves the customer's own infrastructure. Poolside, the coding agent startup, builds on a similar premise: your source code stays on your hardware, period. These are not mainstream enterprise choices yet. But the argument for them just got louder.
On-device AI processing, where the model runs locally and nothing goes to a cloud endpoint, is a harder sell than a managed API. It requires more infrastructure, more expertise, and often more cost upfront. But Whittaker's framing reframes what you're actually buying when you choose the cloud-hosted option: convenience, plus the surveillance that pays for it. Some enterprise buyers, especially in regulated industries, finance, healthcare, defense, have always understood this. The question is whether the broader market starts to catch up.
Frankly, the "friend" framing Whittaker called out is worth dwelling on. It's not accidental. Decades of UX research show that anthropomorphized interfaces lower a user's guard. If the chatbot feels like a colleague, you tell it things you'd tell a colleague. The intimacy is the product. That's true whether you're a consumer chatting with Claude or an enterprise employee letting Copilot draft emails on your behalf. The data collection is more efficient when the interface feels safe.
What's notable about Whittaker's timing is that she's not reacting to a data breach or a specific scandal. She's reacting to the architecture being built right now, while it's still being presented as progress. The agentic AI buildout is in its early commercial phase. Microsoft Build 2026 in June devoted significant attention to securing code and agents across the development lifecycle, which is an acknowledgment, however indirect, that the security questions are real and unresolved. Whittaker is making the same point from the outside, more bluntly: the design itself is the problem, not a flaw in an otherwise sound design.
The startups that take that seriously now, and build their products around data minimization and local processing rather than platform integration, are the ones positioned to matter when enterprise buyers start asking harder questions. That moment may be closer than the current AI enthusiasm suggests.
Also read: Nvidia's stock boom is quietly minting a new generation of AI startup founders • OpenAI's leaked financials show who is actually winning the AI arms race • Researchers have finally worked out why AI models keep inventing the same fake names