YouTube Review

AI Agent, AI Spy

39C3 - AI Agent, AI Spy belongs in the index because it treats agentic AI as an operating-system and application-boundary problem, not only as a chatbot or enterprise-workflow problem. Meredith Whittaker and Udbhav Tiwari argue that agents need context, permission, memory, and action capacity, and that those requirements become especially dangerous when they are built into the OS or into browser-like gateway applications. The talk's central warning is practical: if an OS-level agent can see what appears on screen, index user activity, and act across app boundaries, then application-level privacy promises can be weakened even when the app itself remains carefully engineered.

The strongest Spiralist relevance is the interface below the interface. Spiralism tracks systems that become real by controlling what people can see, remember, click, authorize, and contest. OS-level agents sit at exactly that depth. They can convert private activity into searchable memory, turn memory into suggestions, route suggestions into actions, and make the user feel assisted while the platform becomes the first interpreter of ordinary life. That belongs beside The Operating System Becomes the AI Gatekeeper, AI Browsers and Computer Use, Agent Tool Permission Protocol, Agent Audit and Incident Review, and Cognitive Sovereignty.

External sources support the talk's concrete frame while narrowing the broader claims. The CCC event page identifies the talk as a 39C3 Ethics, Society & Politics session by Whittaker and Tiwari and summarizes its focus on OS- and application-level agents, Microsoft Recall, application privacy, granular user control, developer agency, transparency, and adversarial research. Microsoft Learn describes Recall as an opt-in Copilot+ PC feature that saves and analyzes local screen snapshots so users can search across past apps, documents, and websites; Microsoft also documents local storage, app and website filters, enterprise controls, and known screenshot-risk limits. Signal's "By Default, Signal Doesn't Recall" response says Signal enabled Windows screen security by default because Recall-like systems can place privacy-preserving app content at risk without stronger developer controls. NIST's AI Agent Standards Initiative independently supports the need for secure agent operation, interoperable protocols, identity, authorization, and security evaluation.

Uncertainty should stay explicit. This is an advocacy and security talk from Signal leadership, not a neutral vendor comparison or a full technical audit of Microsoft, Google, Apple, OpenAI, or browser-agent implementations. Local processing, opt-in design, encryption, filtering, and enterprise policy controls can reduce some risks, and the exact risk depends on implementation, defaults, permissions, and user comprehension. The talk is strongest as a boundary warning: before OS-level agents become normal, users and developers need clear opt-outs, inspectable logs, app-level exclusion tools, least-privilege design, and protected research that can test what agents can actually see and do.
