Meredith Whittaker on Who Controls Your Data in the Age of AI

What It Covers

Meredith Whittaker, president of the Signal Foundation, explains how Signal's end-to-end encryption differs from WhatsApp, why AI agents embedded in operating systems threaten private communications, and how the surveillance business model concentrates power among a handful of tech companies controlling data infrastructure.

Key Questions Answered

• •Signal vs. WhatsApp Encryption: WhatsApp licenses Signal's encryption protocol but applies it only to message content, leaving metadata — contact lists, profile photos, who texts whom, group membership, and message timing — fully visible. Signal encrypts all layers. When subpoenaed, Signal can confirm only that a phone number holds an account, nothing more.
• •AI Agents as Security Vulnerabilities: AI agents embedded at the operating system level require access to calendars, browsers, payment data, and messaging apps simultaneously to complete tasks like booking a dinner. This creates multiple attack vectors that bypass Signal's encryption entirely, without needing to break the underlying math — a structural security risk receiving insufficient public attention.
• •LLM Query Privacy Risk: Any query sent to ChatGPT or similar cloud-based LLMs is stored on servers controlled by OpenAI and Microsoft, subject to subpoenas, data breaches, and future advertising targeting. As legal definitions of criminality shift, retained query data — often highly personal — can be used to categorize users in ways they cannot anticipate or control.
• •AI as a Job-Cut Pretext: Whittaker identifies a pattern where companies frame workforce reductions as AI strategy to satisfy shareholders and boards, rebranding downsizing as innovation. Separately, roles like copywriting and translation are degrading — humans remain but lose agency, editing AI output rather than producing original work, creating less secure and less autonomous employment.
• •Consent Over Data Collection: Rather than regulating what companies do with collected data, Whittaker argues the more effective regulatory intervention targets whether companies have the right to generate data about individuals at all. Meaningful consent frameworks — not cookie banners — would challenge the foundational surveillance business model that powers both advertising and AI training pipelines.