- Updated: January 18, 2026
- 6 min read
Signal Warns Agentic AI Is Insecure, Unreliable, and a Surveillance Nightmare
Signal Issues Warning on Agentic AI: Insecurity, Unreliability, and Surveillance Risks
Signal’s leadership warns that current implementations of agentic AI are fundamentally insecure, unreliable, and create a massive surveillance threat for enterprises and end‑users alike.
What Signal Said at the 39C3 Conference
At the 39th Chaos Communication Congress (39C3) in Hamburg, Germany, Signal’s President Meredith Whittaker and Vice‑President of Strategy and Global Affairs Udbhav Tiwari delivered a stark presentation titled “AI Agent, AI Spy.” Their message was crystal clear: the rush to embed autonomous agents into operating systems, cloud services, and consumer apps is outpacing the development of essential safeguards.
The duo highlighted three inter‑locking dangers that, if left unchecked, could erode trust in AI forever:
- Insecurity – Agentic AI creates massive attack surfaces for malware and prompt‑injection attacks.
- Unreliability – Probabilistic decision‑making compounds errors across multi‑step tasks.
- Surveillance – Continuous data collection enables unprecedented user profiling.
These concerns are not abstract; they are already materialising in products such as Microsoft’s Recall feature for Windows 11, which continuously screenshots, OCRs, and stores user activity in a local database.
1️⃣ Insecurity: Agentic AI as a Malware Magnet
Agentic AI must access personal data—calendars, contacts, payment details—to act on a user’s behalf. When that data lives in a plain‑text or lightly encrypted repository, any compromised process can exfiltrate it.
Key Insecurity Vectors
| Vector | Why It Matters |
|---|---|
| Local database exposure | Malware can read the full timeline of user actions. |
| Prompt‑injection attacks | Adversarial inputs can hijack the agent’s reasoning chain. |
| Insufficient sandboxing | Agents run with elevated privileges, increasing blast radius. |
Signal’s own response was to add a screen‑recording block flag in its messenger, but Whittaker stresses that “patch‑level fixes are band‑aid solutions; the architecture itself must change.”
2️⃣ Unreliability: The Probabilistic Decay Problem
Unlike deterministic scripts, generative agents operate on probability. Each decision point introduces a margin of error that compounds across steps. Whittaker illustrated the math:
“If an AI agent performs each step with 95 % accuracy, a ten‑step workflow ends up with roughly a 60 % success rate. Extend that to thirty steps and you’re below 22 %.”
In real‑world deployments, accuracy often hovers around 90 % or lower, pushing success rates for complex workflows into single‑digit percentages. This unreliability is especially dangerous for mission‑critical tasks such as automated financial transactions or medical triage.
3️⃣ Surveillance: The New “Big Brother” of Personal Data
Agentic AI’s need for context drives continuous data capture. Microsoft’s Recall, for example, builds a forensic dossier that includes:
- Exact timestamps of every screen change.
- OCR‑extracted text from every window.
- Application focus and dwell time.
- Semantic topics assigned to each activity.
When such dossiers are stored locally without strong encryption, they become a goldmine for any entity that gains access—be it a state actor, a corporate data broker, or a malicious insider. The lack of explicit user consent amplifies the privacy breach.
A Direct Warning from Signal’s Leadership
During the session, Whittaker said:
“We are at a tipping point where the convenience of autonomous agents is being sold before we have any real guarantees of security, reliability, or privacy. If we continue down this path, the public will lose trust in AI faster than any technology has ever lost trust before.”
Tiwari added, “Opt‑out must be the default, and developers should be forced to provide auditable, granular transparency for every data point an agent consumes.”
What This Means for Enterprises and AI Researchers
For technology decision‑makers, the Signal warning translates into a concrete checklist of actions:
- Enforce Opt‑Out by Default – Require explicit user consent before any agent can access personal data.
- Adopt Zero‑Trust Architecture – Isolate agent runtimes, encrypt all local stores, and enforce strict API‑gateway controls.
- Implement Auditable Transparency – Provide logs that detail which data points were read, transformed, and acted upon.
- Limit Task Depth – Break complex workflows into independent, verifiable micro‑tasks to reduce error propagation.
- Continuous Red‑Team Testing – Simulate prompt‑injection and malware attacks on agent pipelines.
Companies that already embed AI agents can accelerate these safeguards by leveraging platforms that prioritize security‑by‑design. For instance, the Enterprise AI platform by UBOS offers built‑in encryption, role‑based access, and a visual Workflow automation studio that lets you design micro‑tasks with explicit success‑rate monitoring.
Start‑ups and SMBs can also benefit from the UBOS solutions for SMBs, which include pre‑configured UBOS templates for quick start such as the “AI Article Copywriter” or the “AI SEO Analyzer” that already embed privacy‑first data handling.
Take Action Today with UBOS Resources
Ready to future‑proof your AI strategy? Explore the following UBOS assets that align directly with Signal’s recommendations:
UBOS platform overview
Learn how UBOS isolates agent workloads, encrypts data at rest, and provides granular audit logs.
AI safety best practices
Step‑by‑step guide to building secure, reliable, and privacy‑preserving AI agents.
Agentic AI framework
Deep dive into the architectural patterns that mitigate the three risks highlighted by Signal.
UBOS pricing plans
Find a plan that fits your organization’s size, from start‑ups to large enterprises.
AI marketing agents
Deploy marketing bots that respect user consent and provide transparent performance metrics.
Web app editor on UBOS
Build custom agentic interfaces with built‑in security controls and audit trails.
For developers interested in cutting‑edge integrations, UBOS also offers ready‑made modules such as the OpenAI ChatGPT integration, the Chroma DB integration, and the ElevenLabs AI voice integration. These components are designed with end‑to‑end encryption and role‑based access from the ground up.
Explore Ready‑Made AI Templates
UBOS’s Template Marketplace accelerates secure AI development. A few examples that directly address Signal’s concerns:
- AI Survey Generator – Collects user feedback without storing raw responses in plain text.
- AI Video Generator – Generates media on‑demand, avoiding persistent storage of personal video data.
- AI Chatbot template – Includes built‑in prompt sanitisation to thwart injection attacks.
- GPT‑Powered Telegram Bot – Demonstrates secure messaging integration with the Telegram integration on UBOS.
These templates are pre‑audited for data minimisation, giving you a head start on compliance.
Conclusion: Heed the Warning, Build Responsibly
Signal’s alarm is a call to action, not a condemnation of AI itself. Agentic AI can unlock unprecedented productivity, but only if the industry adopts a security‑first mindset, enforces opt‑out defaults, and provides transparent, auditable pipelines.
By leveraging platforms like UBOS that embed these principles from the start, enterprises can enjoy the benefits of autonomous agents while safeguarding against the three critical risks highlighted at 39C3.
For the full original report and additional context, read the Signal AI warning article on Coywolf.