Stop Using This Update With Your WhatsApp Messages
You have been warned — do not use this with WhatsApp.
You have been warned. There is a new threat to the privacy of your WhatsApp messages, and there’s nothing you can do about it. There is no fix and no prevention. You won’t even know your messages have been compromised. That threat has just been made very public and it has implications for the security of billions of users.
Just as WhatsApp launches its “biggest global campaign to date” to talk up the privacy of the platform, its uber-secure but much smaller rival Signal has issued a scathing warning that affects its users but affects WhatsApp users more.
Signal warns “the integration of AI agents with pervasive permissions, questionable security hygiene, and an insatiable hunger for data has the potential to break the blood-brain barrier between applications and operating systems.” It has Microsoft’s Recall upgrade in its crosshairs. “A significant threat to Signal, and to every privacy-preserving application in general.” WhatsApp is the biggest privacy-preserving app of all.
The issue is that Recall takes a continuous roll of screenshots of a user’s desktop, it sees what you see, and those images are stored, optically read and indexed. It’s a terrifying treasure trove of data were it ever to be hacked. And PCs get hacked.
Recall blocks some data — redacting passwords and some other sensitive information, and also stops screenshots of DRM protected media such as movies. But this does not apply to secure messages. If you see them on screen, so does Recall, And it takes photos and stores them outside the secure enclave of the messaging app.
Signal suggests “‘take a screenshot every few seconds’ legitimately sounds like a suggestion from a low-parameter LLM that was given a prompt like ‘How do I add an arbitrary AI feature to my operating system as quickly as possible in order to make investors happy?’ — but more sophisticated threats are on the horizon.”
Signal has updated its desktop app to hijack Microsoft’s DRM flag that’s intended to protect copyright material. “If you attempt to take a screenshot of Signal Desktop when screen security is enabled, nothing will appear… Apps like Signal have essentially no control over what content Recall is able to capture, and implementing ‘DRM’ that works for you (not against you) is the best choice that we had.”
The protection can be disabled in Signal’s settings, but “turning off ‘Screen security’ in Signal Desktop on Windows 11 will always display a warning and require confirmation in order to continue,” because Signal wants this left on. And for good reason. But for other apps — WhatsApp for example, this threat has not yet been stopped.
The issue for messaging users is that they can’t know if a recipient of their messages has a linked desktop or browser app, as such they can’t know if Recall is copying and saving all their secure messages on someone else’s PC. That’s a huge issue. Signal’s update is critical and WhatsApp should do the same. Until then, the use of Recall is a looming security and privacy risk to any app not updating its settings.
As I’ve said before, if you are using Recall and you are using secure messaging platforms on your desktop, you should advise those you message with. It seems completely out of kilter with WhatsApp’s privacy messaging, for example, that this is now being used. Similarly, Meta AI’s invasion of WhatApp has also prompted concerns. But at least you can remove Meta AI from your WhatsApp chats. Instructions on doing so here.