Signal Co-founder Launches Private AI Chatbot as Privacy Warnings Escalate

The Privacy Crisis in AI

Current AI chatbots collect unprecedented amounts of personal information through conversations. Users share intimate details, professional secrets, health concerns, and personal thoughts with AI assistants, creating datasets that reveal more about individuals than any previous technology. This data typically sits unencrypted on company servers, where it can be used for model training, targeted advertising, or accessed through legal demands.

Marlinspike framed the problem starkly, comparing advertising-supported AI to someone paying your therapist to convince you to buy something. He described an honest representation of current AI interactions as equivalent to a group chat that includes not just you and the AI, but also company executives and employees, their business partners, hackers who will eventually compromise the data, future advertisers, and lawyers and governments who will subpoena access.

How Confer Works

Confer, which launched in December 2025, addresses these privacy concerns through a fundamentally different architecture. The service encrypts user messages on their device using WebAuthn passkeys, the same technology that powers biometric authentication like Face ID and Touch ID. Users generate a keypair authenticated through biometrics, deriving a 32-byte secret from their private key that serves as the encryption foundation.

All AI inference processing occurs within a Trusted Execution Environment, a hardware-isolated secure enclave on the server side. Inside this environment, data is decrypted, processed by the language model, and responses are re-encrypted before leaving the enclave. The critical design element is that the host operating system, cloud administrators, and even Confer's own engineers cannot access the plaintext data or the model's memory while it operates.

Remote attestation systems continuously verify that the server environment has not been compromised, providing cryptographic proof of the system's integrity. This architecture makes it structurally impossible for Confer to access user conversations, use them for model training, or leverage them for advertising purposes.

Pricing and Access

Confer operates on a freemium model. The free tier limits users to 20 messages per day and 5 active conversations, while a 35 dollar monthly subscription provides unlimited access, more advanced models, and personalization features. The pricing is notably higher than competing services like ChatGPT Plus, but Marlinspike has positioned this as the authentic cost of privacy. Users either pay with money or pay with their data.

The service uses open-weight foundation models rather than proprietary systems, allowing response generation without storing or exposing conversation data. Since launch, the platform has reportedly seen steady traffic growth.

AI Agents and the Encryption Threat

In a parallel development that underscores the urgency of privacy concerns, Signal Foundation President Meredith Whittaker warned at the World Economic Forum in Davos on January 20, 2026 that AI agents pose a direct threat to encrypted messaging applications.

Speaking with Bloomberg, Whittaker described the deeper integration of AI agents into devices as pretty perilous for services like Signal. For an AI agent to function effectively, it requires broad access to apps storing sensitive information including credit card data, contacts, calendars, messages, and documents. She characterized this as breaking the blood-brain barrier between the application and the operating system.

The fundamental problem is that AI agents need what Whittaker called root access permissions to be genuinely useful. They must be able to read encrypted messages, access financial information, and interact with every aspect of a user's digital life. All of this information gets stored in the agent's context window, the memory space where it maintains conversation history and relevant data.

Whittaker's crucial observation was that encryption becomes meaningless if an attacker can simply hijack the context window. If you give a system like that root access permissions, it can be hijacked, she stated. All the mathematically proven encryption protecting individual apps becomes irrelevant when a single compromised agent can access everything.

The Technology Divide

Whittaker drew a sharp contrast between Signal's approach and AI systems. Signal's encryption protocols are based on mathematics that are auditable and proven, providing security guarantees that can be independently verified. AI systems, by contrast, are extraordinarily vulnerable, lacking the same foundation of mathematical certainty.

This vulnerability is architectural. AI agents, by their nature, require access to vast amounts of personal data to function. They need to understand context across applications, remember user preferences, and take actions on behalf of users. This requirement for comprehensive access creates an inherently large attack surface.

Industry Implications

The dual announcements highlight a fundamental tension in the technology industry. On one side, companies are rushing to deploy AI agents with ever-broader permissions and capabilities, prioritizing convenience and functionality. On the other, privacy advocates are demonstrating that truly private AI is possible, but requires architectural choices that limit business models based on data exploitation.

The question facing the industry is whether privacy and advanced AI functionality can coexist, or whether users will be forced to choose between them. Confer represents proof that encrypted AI is technically feasible, while Whittaker's warnings suggest that the broader industry trajectory may be moving in the opposite direction.

For consumers, the emerging landscape presents a stark choice between services that offer maximum convenience through deep data access, and alternatives that prioritize privacy at the cost of some functionality and higher prices. The resolution of this tension will likely define the next era of AI development.