
AI Agents 'Perilous' for Secure Apps Such as Signal, Whittaker Says

(Tuesday January 20, 2026 @05:40PM (msmash) from the context-is-everything dept.)


Signal Foundation president Meredith Whittaker warned that AI agents that autonomously carry out tasks [1]pose a threat to encrypted messaging apps ([2]non-paywalled source) because they require broad access to data stored across a device and can be hijacked if given root permissions.

Speaking at Davos on Tuesday, Whittaker said the deeper integration of AI agents into devices is "pretty perilous" for services like Signal. For an AI agent to act effectively on behalf of a user, it would need unilateral access to apps storing sensitive information such as credit card data and contacts, Whittaker said. The data that the agent stores in its context window is at greater risk of being compromised.

Whittaker called this "breaking the blood-brain barrier between the application and the operating system." "Our encryption no longer matters if all you have to do is hijack this context window," she said.



[1] https://www.bloomberg.com/news/articles/2026-01-20/ai-agents-perilous-for-secure-apps-such-as-signal-whittaker

[2] https://www.livemint.com/technology/ai-agents-perilous-for-secure-apps-such-as-signal-whittaker-says-11768918327159.html



Containers (Score:3)

by TGK ( 262438 )

I'm increasingly convinced that if you're running an AI interaction at all it needs to live in a container. Somehow the sci-fi wisdom of "no seriously, don't give an AI access to the internet" flew right out the window when AI could tell us when our boss' emails actually had something in them worth reading. I get that, but ESPECIALLY for software developers, if you're going to make use of agentic AI systems, you need to have a metaphorical (if not literal) moat around the agent before you just turn it loose.

That was true before we started talking about the security implications of an AI with privileged access coming under attack.

Re: Containers (Score:3)

by liqu1d ( 4349325 )

Ideally it'll all go local eventually. The idea of giving data hoovers access to everything on your device is insane.

Re: (Score:2)

by Teun ( 17872 )

Quite insane!

Re: (Score:2)

by Cley Faye ( 1123605 )

The issue is that to maybe have some grand purpose, these "agents" require access to both data and a means to act. And you can bet that for most people, if you have actual safeguards outside of the control of these "agents", say, a confirmation box with a sequence of actions, most people will blindly click "ok", while most other people will look for a way to disable the confirmation.

It's not a new problem either. The attack surface provided by the human interface was always a good one; keylogger, screen c

Re: (Score:2)

by gweihir ( 88907 )

While I agree on the isolation need, the problem is that AI Agents only make sense if they can actually do things. And then the isolation will probably not help.

Root? What century did they crawl out of? (Score:2)

by dgatwood ( 11270 )

A modern technology ecosystem doesn't really even have a notion of root. Every process has ACLs that give them access to certain things within their sandbox. An AI agent running on a modern device should not have any access to anything from Signal unless Signal deliberately exposes it to a system-wide search system like Spotlight.

The only rational solution is for apps like Signal to integrate local on-device AI with limited capabilities to assist with searching messages, provide a means for the user to e

Duh (Score:2)

by gweihir ( 88907 )

Does this even need to be stated? Well, apparently it does because most people have no clue what a massively bad idea AI agents are.
