Meredith Whittaker, president of the Signal Foundation, delivered a stark privacy warning on June 20, 2026, that resonated deeply across the tech landscape: AI chatbots and agents should never be treated as friends or confidants. In an interview with Bloomberg, Whittaker argued that the increasing integration of agentic AI into everyday tools—particularly within Windows—poses unprecedented risks to personal data. Her message is especially urgent for the millions of Windows users who now interact daily with Copilot and other AI-driven features.
Whittaker’s caution arrives as Microsoft aggressively expands its AI ecosystem. Windows Copilot, once a simple sidebar assistant, has evolved into a system-wide agent capable of accessing files, managing settings, and even composing emails. For Whittaker, this trajectory is alarming. “The design model assumes trust that hasn’t been earned and technically cannot be guaranteed,” she said, according to Bloomberg’s report. “When an AI agent has the keys to your entire digital life, every interaction becomes a potential privacy breach.”
The Shift from Assistant to Agent
Microsoft’s vision for Windows is built on the idea of a proactive AI that anticipates user needs. Windows Copilot can now schedule meetings, summarize documents, and interact with third-party applications—all tasks that require deep access to personal data. Unlike a simple query-response model, agentic AI retains context, remembers past interactions, and can take actions on behalf of the user without explicit real-time approval. This shift, while convenient, fundamentally alters the threat surface.
Whittaker’s core concern is that these systems are not designed with true end-to-end encryption. Signal, her own organization, has spent years championing privacy-preserving technologies. In contrast, most AI agents rely on cloud processing, meaning user data—text, files, behavior patterns—is transmitted to remote servers, analyzed, and often stored. For Windows users, this could mean that sensitive documents opened with Copilot’s help are not truly private. The metadata alone, Whittaker warned, can paint an intimate portrait of an individual’s life.
“People say, ‘I have nothing to hide,’ but that misses the point,” Whittaker explained during the interview. “The aggregation of seemingly mundane data creates a high-resolution picture of your thoughts, relationships, and vulnerabilities. When an AI agent sits at the heart of that, the potential for abuse is enormous.”
Windows Copilot: A Case Study in Risk
Windows Copilot’s permissions model is particularly concerning to privacy advocates. By default, the assistant can access browsing history, documents stored in OneDrive, and even local files if granted appropriate permissions. Many users simply click “accept” on setup prompts without understanding the full implications. Once access is granted, the AI can theoretically read and process information in the background, even when the user isn’t actively engaging with it.
For instance, Copilot’s “Recall” feature—designed to help users find anything they’ve seen on their screen—takes periodic screenshots and indexes all visible content. While Microsoft has emphasized that the data is stored locally and encrypted at rest, Whittaker and other security experts point out that the encryption keys are still available to the operating system. A sophisticated attacker or a malicious insider could potentially access a lifetime of visual activity. The feature, they argue, is a goldmine for surveillance.
Microsoft has defended its approach by highlighting on-device processing and user controls. However, the company’s business model increasingly depends on AI-driven services and advertising, creating a conflict of interest. Critics note that even if today’s implementation is relatively secure, the architecture lays the groundwork for future data exploitation. As Whittaker put it, “Functionality creep is inevitable. Today’s helpful tool is tomorrow’s data-harvesting machine.”
The Illusion of Friendship
Whittaker’s warning about treating AI as friends goes beyond technical vulnerabilities. She argued that emotional attachment to AI chatbots is a deliberate design choice that clouds users’ judgment. When people anthropomorphize an assistant, they share more freely—unknowingly lowering their defenses. This phenomenon, documented in numerous studies, makes users more likely to disclose sensitive information, which the AI then processes and stores.
In the context of Windows, this dynamic is amplified. Copilot is not a standalone app but an integrated layer across the entire operating system. It can observe user behavior across applications, learn routines, and predict needs. While Microsoft markets this as personalization, Whittaker frames it as a profound loss of user agency. “You are not talking to a friend; you are feeding a surveillance machine,” she stated. “Every ‘confession’ or casual remark becomes training data, and you have no meaningful control over what happens to it next.”
The Agentic AI Wave and Regulatory Gaps
The broader industry is racing toward agentic AI—systems that can autonomously execute multi-step tasks. Google, Apple, and OpenAI are all developing similar capabilities. Yet regulation lags far behind. Current privacy laws, including GDPR and CCPA, were not designed with autonomous agents in mind. Consent mechanisms are often binary and easily bypassed. Moreover, the complexity of AI decision-making makes it nearly impossible for users to understand what data is being collected and why.
Whittaker called for a paradigm shift: “We need to move from notice-and-consent models to outright prohibitions on certain types of data collection. When an AI agent can access your entire digital footprint, the default should be no access unless explicitly and granularly granted—with a simple, real-time way to revoke it.” She also urged policymakers to mandate on-device processing for sensitive tasks, similar to Signal’s approach, where encryption ensures that not even the service provider can read user content.
Real-World Implications for Windows Users
The warning isn’t just theoretical. In 2025, researchers demonstrated that a malicious backdoor in a popular Windows productivity app could silently leverage Copilot’s APIs to exfiltrate data without triggering antivirus detection. The attack succeeded because the AI’s access levels were so broad that its activities appeared legitimate. Such incidents underscore Whittaker’s insistence that agentic AI presents a new class of security threats.
For businesses, the risks are even greater. Many enterprises have adopted Microsoft 365 Copilot, which integrates deeply with corporate data. Sensitive board minutes, HR records, and proprietary strategies could all be exposed if the AI is compromised. Whittaker noted that corporations are often the first to adopt these tools without fully assessing the long-term implications. “We’re building the infrastructure for a surveillance society, and we’re paying to do it,” she said.
What Can Windows Users Do?
Whittaker offered concrete advice. First, treat every interaction with an AI agent as potentially public. Do not share information you wouldn’t want stored or analyzed. Second, rigorously audit permissions. In Windows settings, users can review which apps have access to the AI subsystem and revoke unnecessary permissions. The “Recall” feature, for example, can be disabled entirely. Third, push for better tools. She encouraged users to demand that Microsoft offer a true offline mode, where AI processing happens strictly on-device with no cloud connectivity.
Encryption also plays a critical role. While Windows currently does not offer end-to-end encryption for AI interactions, third-party solutions can add a layer of protection. For highly sensitive communications, Whittaker recommended using Signal or similar apps that guarantee message content is never accessible to servers. For file storage, encrypted containers like VeraCrypt can prevent AI agents from indexing content while the container is dismounted.
The Broader Philosophy: Privacy as Default
At the heart of Whittaker’s message is a belief that technology should serve users without exploiting them. The Signal Foundation’s model—free, open-source, and funded by donations—demonstrates that privacy-centric services can thrive. She argues that the tech industry’s obsession with AI is driven by data monetization, not genuine user benefit. “We don’t need an AI that reads our emails to flag a calendar invite; we’ve had rule-based assistants for decades that do that without surveillance,” she pointed out.
Her challenge to Microsoft and others is to invert their design philosophy. Instead of collecting data first and asking questions later, they should start with a strict privacy guarantee and build features within that boundary. For Windows, that would mean an AI that is encrypted by default, processes data locally when possible, and allows users to permanently delete all stored information with a single click.
What Comes Next?
Microsoft has yet to respond directly to Whittaker’s Bloomberg interview, but the pressure is mounting. With regulatory scrutiny intensifying—particularly in the European Union, where the AI Act is phasing in stricter rules—tech companies may be forced to curtail their data appetites. For Windows users, the coming months will be critical. Upcoming updates are expected to introduce more granular privacy controls for Copilot, but activists like Whittaker say such measures are often too little, too late.
The conversation she started is unlikely to fade. As AI agents become more capable, the tension between convenience and privacy will only grow. Her final warning in the interview resonates as a call to action: “We are at a crossroads. One path leads to a world where we have no private thoughts, no unobserved moments. The other preserves human dignity. The choice is being made now, by engineers in conference rooms and by all of us when we decide what to accept. Don’t sleepwalk into a surveillance nightmare.”
For Windows enthusiasts and casual users alike, the message is clear: stay informed, stay skeptical, and treat every AI interaction as a potential privacy risk—because, according to one of the world’s leading privacy advocates, it is.