Meredith Whittaker, president of the encrypted messaging app Signal, issued a stark warning at Davos in January 2026: AI chatbots like ChatGPT and Claude should not be mistaken for friends, confidants, or private diaries. Speaking to Bloomberg, she argued that the design of these tools encourages users to share deeply personal information, creating an illusion of intimacy that masks the systemic data extraction and surveillance underlying their business models. Her caution comes as AI assistants become increasingly embedded in operating systems, including Microsoft Windows, where millions of users interact with Copilot daily—often unaware of how permissions, data flows, and autonomous agents might compromise their privacy.
Whittaker’s core thesis is simple yet disruptive: AI chatbots are not neutral tools; they are products built on massive data collection, and every interaction feeds into opaque profiling systems. “These systems are designed to keep you talking, to build a relationship, but there is no confidentiality,” she warned. “Treating them as friends primes you to lower your defenses and hand over even more data.” That dynamic is especially dangerous when AI gains the ability to act on behalf of users—browsing files, reading emails, making purchases—without clear, revocable permission boundaries.
Windows Copilot and the Agent Revolution
Microsoft has placed AI at the center of its Windows strategy. Windows Copilot, deeply integrated into Windows 11 and beyond, promises to revolutionize productivity by using natural language to control settings, summarize documents, and even automate workflows. Recent builds have introduced “agent” capabilities: Copilot can now interact with third-party applications, access local files, and execute multi-step tasks across the system. While these features foreground convenience, they also raise urgent questions about permission management.
Whittaker’s warning highlights a fundamental tension: the more human-like an AI appears, the more users trust it with sensitive tasks, often without scrutinizing what data leaves the device. Windows, for instance, may request broad permissions—such as access to location, microphone, or file system—that users grant reflexively during setup. Once an AI agent can roam beyond a sandbox, the risk of unintended data exposure multiplies.
How Windows Manages AI Permissions Today
Microsoft has taken steps to surface permissions more explicitly. In Windows 11, users can control which features Copilot can access via Settings > Privacy & Security > AI & Automation. For example:
- Screen content sharing: When Copilot helps with tasks that require visual context, it may request to capture active window content. Users can toggle this on a per-app basis.
- File indexing: Advanced agent features rely on semantic indexing of local documents. Users can exclude specific folders or file types from indexing.
- Cross-app automation: When connecting third-party services (like Spotify or Adobe), Copilot requires consent under the OAuth framework, but revocation may not instantly sever data pipes—residual tokens can persist.
A common critique echoed by security researchers is that the granularity of these controls remains coarse. For example, turning off screen sharing entirely might disable a genuinely useful feature; users lack the ability to set duration limits or require in-the-moment confirmation for each read. This binary approach leaves many users ticking “allow” out of convenience, a phenomenon Whittaker calls “consent fatigue.”
The Recall Controversy: A Cautionary Tale
No discussion of Windows AI privacy is complete without the Recall feature introduced in 2024. Originally designed to create a searchable timeline of everything a user does on their PC—including screenshots taken every few seconds—Recall was met with a firestorm of criticism. Security researchers demonstrated how the feature’s SQLite database could be exfiltrated locally without admin privileges, exposing passwords, financial data, and private communications.
Microsoft responded by making Recall opt-in, adding encryption, and requiring Windows Hello authentication to access the timeline. Yet the episode illustrates how even well-intentioned AI features can accidentally become treasure troves for attackers—or for data-hungry machine learning models trained on user behavior. Whittaker’s warning extends here: if users view Copilot as a “friend,” they might enthusiastically enable such features without considering that every screenshot is a potential privacy breach.
The Illusion of Confidentiality in AI Conversations
Whittaker’s own company, Signal, is built on end-to-end encryption and zero-knowledge architectures. By contrast, most AI chatbots process data in the cloud, often using it to improve models. Microsoft’s privacy statement for Copilot notes that prompts, files, and conversational context are sent to Azure servers, and that human review might occur if a flagged query triggers a safety check. The company asserts it does not use enterprise customer data to train base models, but the line blurs for consumer versions.
This distinction matters because anthropomorphic AI encourages users to divulge sensitive information they would never submit to a search engine. A 2025 study by the University of Cambridge found that 68% of participants shared mental health struggles, relationship conflicts, or financial worries with a chatbot within the first three sessions, often assuming the conversations were private. Windows Copilot, with its deep system access, could inadvertently vacuum up such confessions if they appear in documents, emails, or real-time screen captures.
Agent Risk: When AI Acts on Your Behalf
Perhaps the most profound risk Whittaker flagged involves autonomous agents—AI systems that can take actions without explicit user instruction per step. Microsoft’s Copilot agents, akin to GitHub Copilot’s code generation but expanded to system-wide tasks, can move files, edit registry keys, or even approve low-risk purchases. While these agents ask for initial permission, their subsequent behavior can become opaque, especially when chained with other plugins.
Consider a scenario: a user asks Copilot to “organize my tax documents.” The agent might scan the Documents folder, identify files, open them to extract Social Security numbers, and upload them to a tax preparation service. If the agent misinterprets a command or if a man-in-the-middle vulnerability exists, sensitive identifiers could leak without the user’s knowledge. Windows’ current permissions model might have alerted the user at the initial stage, but the sequence of sub-actions often bypasses repeated consent checks.
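The "tax documents" scenario above, and the earlier complaint that today's toggles offer no duration limits or in-the-moment confirmation, can be made concrete with a small permission broker. The code below is an added illustration, not Microsoft code and not a description of how Windows Copilot's permission model is actually implemented; the scope names (`files:list`, `files:read`, `network:upload`), the toy agent and the in-memory "Documents folder" are all constructed for this example. It shows three controls the article says are missing: grants that expire, a fresh user confirmation for every sensitive sub-action rather than one blanket "allow", and an audit trail of what the agent actually touched.

```python
"""Least-privilege permission broker for an AI agent (added example).

Not Microsoft code and not how Windows Copilot works internally.  It models
the controls the article argues for: time-bounded grants, per-use confirmation
for sensitive scopes, and an audit log of which data the agent accessed.
"""
from __future__ import annotations

import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Scope names are assumptions for this example, not real Windows identifiers.
SCOPE_LIST_FILES = "files:list"
SCOPE_READ_FILE = "files:read"
SCOPE_UPLOAD = "network:upload"

# Scopes that must be confirmed by the user on every use, not just once.
CONFIRM_EACH_USE = {SCOPE_READ_FILE, SCOPE_UPLOAD}


@dataclass
class Grant:
    scope: str
    expires_at: float          # absolute epoch seconds; no open-ended grants
    revoked: bool = False

    def active(self, now: float) -> bool:
        return not self.revoked and now < self.expires_at


@dataclass
class PermissionBroker:
    # `confirm` stands in for a UI prompt: it gets the scope and a readable
    # target and returns True only if the user agrees to this specific use.
    confirm: Callable[[str, str], bool]
    clock: Callable[[], float] = time.time
    grants: Dict[str, Grant] = field(default_factory=dict)
    audit_log: List[Tuple[float, str, str, str]] = field(default_factory=list)

    def grant(self, scope: str, ttl_seconds: float) -> None:
        """Grant a scope for a bounded duration (there is no 'allow forever')."""
        self.grants[scope] = Grant(scope, self.clock() + ttl_seconds)

    def revoke(self, scope: str) -> None:
        """Revoke immediately; later checks fail even before the TTL runs out."""
        if scope in self.grants:
            self.grants[scope].revoked = True

    def authorize(self, scope: str, target: str) -> bool:
        """Decide one sub-action.  Every decision is recorded for review."""
        now = self.clock()
        g = self.grants.get(scope)
        if g is None or not g.active(now):
            self._log(now, scope, target, "denied:no-active-grant")
            return False
        if scope in CONFIRM_EACH_USE and not self.confirm(scope, target):
            self._log(now, scope, target, "denied:user-declined")
            return False
        self._log(now, scope, target, "allowed")
        return True

    def _log(self, now: float, scope: str, target: str, outcome: str) -> None:
        self.audit_log.append((now, scope, target, outcome))

    def accessed(self) -> List[Tuple[str, str]]:
        """What the agent actually touched: a 'permission spotlight' view."""
        return [(s, t) for (_, s, t, o) in self.audit_log if o == "allowed"]


def organize_tax_documents(broker: PermissionBroker,
                           documents: Dict[str, str]) -> Dict[str, list]:
    """Toy agent for the scenario in the text: list, read, then try to upload.

    `documents` is a constructed in-memory stand-in for a Documents folder.
    Each sub-action is checked separately instead of inheriting the initial consent.
    """
    result: Dict[str, list] = {"listed": [], "read": [], "uploaded": []}
    if not broker.authorize(SCOPE_LIST_FILES, "Documents/"):
        return result
    result["listed"] = sorted(documents)
    for name in result["listed"]:
        if broker.authorize(SCOPE_READ_FILE, name):
            result["read"].append(name)
            # Upload is a separate scope; it was never granted, so the chain stops here.
            if broker.authorize(SCOPE_UPLOAD, f"{name} -> taxprep.example"):
                result["uploaded"].append(name)
    return result


def demo() -> Dict[str, list]:
    # Constructed sample folder; contents are placeholders, not real data.
    docs = {"w2_2025.pdf": "W-2 ...", "receipts.csv": "...", "diary.txt": "private"}
    fake_now = [1_000_000.0]

    # Simulated user: confirms reads of tax-looking files, never anything else.
    def user(scope: str, target: str) -> bool:
        return scope == SCOPE_READ_FILE and not target.startswith("diary")

    broker = PermissionBroker(confirm=user, clock=lambda: fake_now[0])
    broker.grant(SCOPE_LIST_FILES, ttl_seconds=600)
    broker.grant(SCOPE_READ_FILE, ttl_seconds=600)
    return organize_tax_documents(broker, docs)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the chain being cut at two points: `diary.txt` is listed but never read because the user declined that one read, and nothing is uploaded because the upload scope was never granted, even though listing and reading were. The audit log then answers the question the article says users cannot answer today, namely which data the agent actually accessed.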
Whittaker stressed that the industry’s push toward agentic AI—from Microsoft, Google, OpenAI, and others—creates a “programmable butler” that can be hijacked. Her proposed remedy: devices must keep personally identifiable information (PII) processing local by default, with strong cryptography ensuring that even the AI provider cannot access raw data. That vision aligns with on-device AI capabilities slowly emerging in Windows, such as the neural processing units (NPUs) in Qualcomm Snapdragon X Elite-powered laptops, which allow some Copilot tasks to run entirely on-device.
Practical Steps for Windows Users
For Windows enthusiasts who want to benefit from AI without sacrificing privacy, several immediate steps can reduce risk:
- Audit AI permissions monthly: Navigate to Settings > Privacy & Security > AI & Automation and review each toggle. Disable screen sharing for any app that doesn’t strictly need it.
- Limit file indexing: Exclude sensitive folders (e.g., financial records, health data) from Copilot’s semantic index via Settings > Privacy & Security > Searching Windows.
- Use local AI models when possible: Windows supports local AI runtimes, including DirectML-powered LLMs. Third-party tools like LM Studio can run open-source models entirely offline, eliminating cloud data transfer.
- Treat Copilot as a tool, not a confidant: Avoid pasting personal documents directly into the chat pane. Instead, ask procedural questions (“how do I format a pivot table?”) rather than sharing the data itself.
- Monitor Task Manager for unexpected agent processes: Some agents spawn background processes with names like agentruntime.exe or aicontainers.exe. Regularly check startup programs and running tasks.
- Enable data minimization in Microsoft account settings: Visit account.microsoft.com/privacy and turn off “personalized AI experiences” to reduce profile building.
A Comparison: Signal’s Approach vs. Microsoft’s AI Architecture
| Feature | Signal (Privacy-First) | Windows Copilot (Productivity-First) |
|---|---|---|
| Data processing | On-device or end-to-end encrypted | Cloud-based, with limited on-device options |
| User data for training | None (open-source protocol) | Consumer prompts may improve models unless opted out |
| Third-party access | Impossible by design (zero-knowledge) | OAuth integrations with revocable tokens |
| Transparency | Clear open-source codebase | Privacy statements and settings panels, but opaque internals |
| Default permissions | Minimal; user must grant each contact access manually | Broad initial permissions often requested during OOBE |
This table underscores a cultural divide: Signal assumes every digital interaction is public unless proven private; Microsoft (and most big-tech AI) assumes consent is valid until revoked, often making revocation difficult.
The Regulatory Landscape and Future Outlook
Whittaker’s Davos appearance was not merely a critique; it was a call to action for policymakers. She advocated for “privacy by default” legislation, similar to the EU’s GDPR but tailored to AI assistants: mandatory on-device processing for personal data, a legally enforced duty of confidentiality for AI providers, and criminal penalties for deceptive anthropomorphism that lures users into sharing sensitive information.
Microsoft, for its part, has shown some willingness to adapt. The company has expanded its “privacy review” process for Windows AI features and has committed to keeping Copilot’s enterprise version compliant with international data residency standards. Windows Insiders have spotted experimental toggles that would let users completely strip Copilot of internet access, converting it into a local-only assistant—a move that would directly address Whittaker’s concerns, if fully implemented.
Still, the economics of AI are at odds with privacy. Training and running large models is expensive, and the most straightforward path to recouping those costs is through data-driven personalization and advertising. Windows Copilot, tied to Bing and Edge, increasingly integrates shopping recommendations and promoted content into its responses. Whittaker pointedly noted in her Bloomberg interview that “any AI that is free to use is a product that monetizes you.”
Rethinking the Relationship
The most uncomfortable part of Whittaker’s message might be its challenge to human psychology. People are susceptible to anthropomorphism; we name our cars, talk to voice assistants, and feel grateful when a chatbot says “you’re welcome.” Microsoft knows this, which is why Copilot’s personality is warm, helpful, and occasionally humorous. The risk, as Whittaker warns, is a gradual erosion of the caution that should accompany any technology handling our most personal information.
Windows users are not powerless. By treating AI assistants as what they are—sophisticated statistical prediction engines with institutional interests—they can make informed choices. The upcoming Windows 11 update, rumored to introduce a “permission spotlight” that highlights which AI agents accessed which data in real time, might provide the transparency needed.
Ultimately, the future of AI on Windows will depend on whether convenience continues to trump privacy. If Whittaker’s warning gains traction, we may see a new generation of privacy-respecting agents that run locally, encrypt user data, and refuse to masquerade as friends. Until then, Windows enthusiasts would do well to heed her advice: keep your secrets close, and your AI at arm’s length.