This is a special interview episode with Meredith Whittaker, the president of the Signal Foundation. I’m sure you all know, and maybe even use, the Signal messaging app. Here we sat down with Whittaker to talk all about the state of Signal today, the threat of AI to end-to-end encryption, what backdoors actually look like, and much more. This is a wide-ranging discussion where one of the few journalists who has revealed new details about backdoors (Joseph) gets to speak to one of the most important people in the world of encryption (Whittaker). Definitely take a listen.
Worth noting this interview was recorded in mid 2024.
One of Meredith’s better interviews, nice to see her with someone somewhat knowledgeable on the topic. Still, it feels like she has much more to offer but gets asked the same 6 or 7 questions (but what about the criminals??!?!1?!). Would love to hear her talk about what a private and secure digital infrastructure could look like and the future it might enable.
This is not a disagreement. This is not a misunderstanding that we can educate away. This is a battle for power that we’re gonna have to contend with on those terms. (24:22)
Indeed. AFAICT some people believe politicians are just stupid or uneducated, and we can inform them about the issues they make policies for. The reality is we are up against politicians (big tech and governments too) who seek power and work to curtail human rights and civil liberties.
At about 26:00, Whittaker gets into operating systems that violate the paradigm that if you use Signal on a device that isn’t compromised then your messages remain secure. In light of operating system compromises (snapshots, AI systems, mercenary spyware etc) and that Signal probably won’t remove their Windows client even if Recall becomes mainstream, I wonder how Signal users can/should secure their communications by vetting their own and their contacts’ operating systems.
In this video, they mention that they are using DRM tech to keep Recall out of Signal messages for now. It doesn’t sound ideal but I’m glad they’re working on solutions.
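The "DRM tech" mentioned above is, as far as Windows exposes it, the window display-affinity flag that tells the compositor to exclude a window from screen capture (the same mechanism DRM-protected video players use). The script below is an added example, not Signal's own code; it assumes that Signal Desktop uses this flag (the thread only says "DRM"), that the desktop process is named `Signal`, and that the machine runs Windows 10 2004 or later, where `WDA_EXCLUDEFROMCAPTURE` is supported. It lets you check whether a running Signal window is actually excluded from capture, and shows how a process would set the flag on its own window.

```powershell
# Added example (not Signal's code). Assumes Windows 10 2004+ and a process named "Signal".
Add-Type -Namespace Win32 -Name DisplayAffinity -MemberDefinition @'
[DllImport("user32.dll", SetLastError = true)]
public static extern bool SetWindowDisplayAffinity(IntPtr hWnd, uint dwAffinity);

[DllImport("user32.dll", SetLastError = true)]
public static extern bool GetWindowDisplayAffinity(IntPtr hWnd, out uint pdwAffinity);
'@

# Affinity values from WinUser.h
$WDA_NONE               = 0x00000000   # normal window, capturable by anything
$WDA_MONITOR            = 0x00000001   # shown only on a monitor; captures see black
$WDA_EXCLUDEFROMCAPTURE = 0x00000011   # removed from captures entirely (Win10 2004+)

function Get-WindowCaptureState {
    # Returns a human-readable capture state for an arbitrary top-level window handle.
    param([Parameter(Mandatory)][IntPtr]$Handle)
    $affinity = [uint32]0
    if (-not [Win32.DisplayAffinity]::GetWindowDisplayAffinity($Handle, [ref]$affinity)) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "GetWindowDisplayAffinity failed with Win32 error $err"
    }
    switch ($affinity) {
        $WDA_EXCLUDEFROMCAPTURE { 'ExcludedFromCapture' }
        $WDA_MONITOR            { 'MonitorOnly' }
        default                 { 'Capturable' }
    }
}

function Test-SignalWindows {
    # Lists every visible Signal Desktop main window and whether it is excluded from capture.
    # Process name "Signal" is an assumption; windows minimised to the tray report a zero handle
    # and are skipped, so re-run with the app in the foreground if nothing is listed.
    Get-Process -Name Signal -ErrorAction SilentlyContinue |
        Where-Object { $_.MainWindowHandle -ne [IntPtr]::Zero } |
        ForEach-Object {
            [pscustomobject]@{
                Pid   = $_.Id
                Title = $_.MainWindowTitle
                State = Get-WindowCaptureState -Handle $_.MainWindowHandle
            }
        }
}

function Set-WindowCaptureExclusion {
    # Sets or clears the exclusion flag. In practice this only succeeds for windows owned by the
    # calling process; on another process's window it fails with ERROR_ACCESS_DENIED (5), which is
    # why an app has to opt itself in rather than relying on a tool to protect it from outside.
    param([Parameter(Mandatory)][IntPtr]$Handle, [switch]$Enable)
    $flag = if ($Enable) { $WDA_EXCLUDEFROMCAPTURE } else { $WDA_NONE }
    if (-not [Win32.DisplayAffinity]::SetWindowDisplayAffinity($Handle, $flag)) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "SetWindowDisplayAffinity failed with Win32 error $err"
    }
}

# Usage: with Signal Desktop open, this prints one row per window with its capture state.
Test-SignalWindows | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind. The flag protects only what the compositor draws for that window, so anything Signal hands to the clipboard, to notifications, or to the system's text-input and accessibility layers is out of scope. And it is an opt-in per window, which is exactly the point Whittaker makes: any app that has not marked itself is left to the OS's own allow-list.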
I’m not sure there’s much we can do to audit our contacts’ systems.
I’ll check out the video when I get time. Thanks!
Edit to add link: AI Agent, AI Spy - media.ccc.de
It’s an unfortunate situation that spyware/malware operating systems are normalized, this undermines secure communications, and most people don’t seem to care. I guess people who have high risks could ask their contacts what operating systems they use (and other relevant security-related questions) before communicating with them.
It should be noted that this is why services like jmp.chat exist, where you can get real numbers privately or anonymously for you to use to register with other companies and phone other numbers without relying on your country’s or local cellular service.
So that’s a way to mitigate this concern.
Forgive me, I don’t follow. Can you please explain what services like jmp.chat solve wrt. compromised operating systems, backdoors, AI etc?
I think I misunderstood. Disregard my earlier comment.
The best option would be to have them frequently restart their devices and download the iVerify app that has a good real world track record of detecting spyware.
Other than that, disappearing messages could mitigate some of the risk.
Restarting a device frequently can mitigate the effects of spyware that lacks persistence. I assume spyware like Microsoft Recall, agentic AI etc would run constantly and persistently. In the video, Meredith Whittaker identified such spyware as a security threat to Signal’s confidentiality. Disappearing messages and frequent restarts wouldn’t really mitigate such spyware.
You’re describing a “rootkit” which M$ Recall is not afaik. The problem with this yt video is that it’s from 2024, so it’s outdated now and M$ have walked back forcing Recall on everybody (again afaik). The problem with it was that it would “backup” all of your OS data in an insecure way that would be an easy target for hackers if they got into your OS. M$ have since started encrypting Recall data. I guess Recall could also take screenshots of your screen to try to offer you some agentic suggestions, but signal-desktop has apparently found a way to block it from being able to do that.
Ah yeah, for “built in” spyware there isn’t much we can do except know whether or not someone we’re communicating with is likely to use those services or even be aware of them.
I had a real world issue not too long ago when I found out someone in a group Signal chat I was in had installed and was using Signal from his work laptop.
This highlights the fact that it’s not and never was “just get your friends to switch to Signal and you’re done.” Contextual issues like what OS each party uses, what other software is installed on their devices, where they use their devices etc are relevant factors to the security of a communication system like Signal.
Yes you are right, the video was recorded in 2024 and Microsoft has stepped back on Recall due to the backlash it received. Considering the massive userbase of Windows and that Microsoft probably won’t abandon Recall, I still see it as an emerging threat. While Recall attempts to exclude sensitive information/apps like credit card numbers, as Whittaker put it, sensitive software like Signal that has not been specified were left to fend for themselves. Signal has found a solution (DRM), and we may see how effective it will be against Recall.