Instagram DMs are no longer private and no longer have end-to-end encryption: Meta can now read them
Meta quietly removed end-to-end encryption from Instagram direct messages, a move that affects billions of users, reverses years of privacy promises, and raises urgent questions about who really owns your conversations. There was no announcement, no banner inside the app, no email to your inbox. On Thursday, May 8, 2026, Meta simply updated a help page on Instagram's website with a quiet notice: "End-to-end encrypted messaging on Instagram is no longer supported as of 8 May 2026." Just like that, a layer of protection that shielded your private conversations from everyone including Meta itself was gone. Essentially, from May 8 onward Instagram DMs will behave like most other social chat platforms: messages transit through Meta’s servers unencrypted, giving Meta and, by extension, law enforcement or other agencies, the ability to read them if needed.
For most Instagram users, the practical change felt invisible. The majority never enabled the feature to begin with. But for those who had, and for anyone who cares about the future of digital privacy, the move signals something significant: one of the world's largest social platforms has chosen to open the envelope.
Instagram's end-to-end encryption (E2EE) for direct messages was introduced as an opt-in feature in 2023, itself a delayed fulfilment of a promise CEO Mark Zuckerberg made back in 2019 to make Meta's messaging platforms more private. It was never turned on by default. To activate it, a user had to navigate into a specific conversation, find a buried per-chat setting, and manually switch it on. Most people never did.
What Is End-to-End Encryption (E2EE)?
End-to-end encryption is a method of securing communications so that only the sender and recipient can read the message content. A helpful analogy is a letter sent in a sealed envelope: only the person with the key (the recipient) can open and read it. In practice, an E2EE chat app encrypts the message on the sender’s device and only the recipient’s device can decrypt it. Even the company operating the service cannot read the plaintext of the message because they do not possess the decryption keys. In most modern apps, this is implemented using a combination of asymmetric (public-key) and symmetric encryption (for example, the Signal Protocol). Each user has a private key on their device and a public key on the server. When two users start a chat, their apps perform a secure key agreement (e.g. elliptic-curve Diffie Hellman) to derive a shared secret session key. Then every message is encrypted with a fresh symmetric key that the sending app generates for that message (often via a double ratchet scheme). This provides forward secrecy, meaning that if a key is compromised in the future it only exposes a limited portion of the chat, not the entire history.
For example, WhatsApp’s implementation uses the Signal Protocol (double ratchet, Curve25519 key exchange, AES-256 for message encryption, and HMAC for integrity). Group messaging is more complex: WhatsApp (and other apps) use a “sender key” model where each group member shares a symmetric key with the group, rotating it when membership changes. Still, group E2EE is not as straightforward as one-on-one chat; cryptographers note that standard Signal-like protocols “aren’t optimized for broadcasting to many users,” making group chat encryption effectively a special case. Importantly, E2EE protects only the content of messages and calls. The service provider still sees metadata such as who is messaging whom, timestamps, and (often) sender/receiver IDs. As Bitdefender notes, encryption “protects the conversation text and media, not necessarily every surrounding signal about the chat”. In short, E2EE means the platform can’t read your words or hear your call, but it still must handle routing information to deliver messages.
Think of a public key as a padlock you hand out freely. Anyone can snap it shut around a message and send it to you. But only you hold the key that opens it. The postal service in this case, Instagram's servers can weigh the package and see who it's addressed to, but cannot see what's inside. Standard encryption, by contrast, is like putting your message in a transparent envelope: it's sealed while it travels, but the postal sorting facility can read it before passing it on.
How Instagram’s E2EE Worked (And Why It’s Gone)
Instagram introduced optional end-to-end encrypted chats around 2023. Unlike WhatsApp or Signal, it was an opt-in feature per chat users had to manually turn on “secret conversation” mode for each conversation, and it was never the default. Meta kept it in limited regions (for example enabling it for adults in Ukraine and Russia in early 2022 during the war). Usage remained very low, partly because the setting was hard to find and not all users had it. Officially, Meta says it is removing E2EE on Instagram due to this low adoption. A Meta spokesperson told The Verge: “Very few people were opting in to end-to-end encrypted messaging in DMs, so we’re removing this option. Anyone who wants to keep messaging with end-to-end encryption can easily do that on WhatsApp”. Instagram began notifying users of the impending change inside the app and on its support pages.
The updated Instagram Help documentation explicitly says: “End-to-end encrypted messaging on Instagram is no longer supported as of 8 May 2026.” Affected users are given instructions to export or download any media/messages they want before the cutoff. After that, their old “encrypted” chats either become regular chats or possibly inaccessible, Instagram has not clarified this; experts urge saving them locally to avoid losing content.
Messages on Instagram will now travel under standard (transport) encryption — the same technology used by Gmail and TikTok. This means your messages are encrypted while moving between your phone and Meta's servers, protecting them from outside hackers on the network. But once they arrive at Meta's servers, Meta can read them. The platform is inside the envelope now.
In technical terms, removing E2EE means Instagram’s servers will no longer receive only ciphertext. Going forward, when you send an Instagram DM it will travel (encrypted in transit) to Meta’s servers where it will be decrypted and then re-encrypted for the recipient. In practice this lets the service see the plaintext contents. Without E2EE, Meta’s servers handle the full plaintext message and can potentially store or analyze it. In other words, Meta (and anyone it cooperates with) can now see every DM on Instagram. Meta has not said exactly how it will use this newly available content, but it has justified the change based on low usage and the burden of supporting multiple chat systems.
The Real Implications for You
What does this mean in practice? Consider the breadth of what passes through Instagram DMs. For most people it's casual conversation, shared memes, and event planning. But for journalists protecting sources, activists in authoritarian countries, domestic abuse survivors communicating with support services, or anyone having a sensitive medical or legal conversation the stakes of an unencrypted channel are significantly higher. The loss of E2EE in Instagram DMs has immediate privacy implications. Instagram’s statements imply that after May 8, Meta “can potentially see what’s in [DM] messages” and could share that data with law enforcement worldwide. In practice, anything you text on Instagram from that date forward becomes visible to the platform. Even though Instagram still uses encryption in transit (HTTPS/TLS) and may encrypt data at rest on its servers, because the server holds the keys, a breach of Meta’s infrastructure could expose all your messages. In effect, users lose the confidentiality guarantee of E2EE.
Security experts warn this weakens overall security posture. As Privacy and Security advocate Jonathan Sulston (former OpenAI chief scientist) notes, end-to-end encryption is “essential” to keep communications private, and removing it means Meta and third parties can sift through DMs for any purpose – from moderation to targeted advertising or AI-training. Indeed, Meta could now, if it chose, feed Instagram DM content into its machine-learning pipelines (even if current policies say it won’t use them for ad targeting, the data becomes available). Meta publicly denies it uses DMs to target ads today, but internal policy documents allow “service improvement,” so monetization of DM content remains a concern.
On the user side, trust will erode. Many users assumed Instagram DMs were private (or had the option to be private). Having that privacy removed “reads as a clear reversal of Meta’s privacy-first posture”. In practice, even casual personal chats (e.g. between friends) are no longer shielded. This could reduce open communication. Some experts say it leaves users with essentially “no expectation of privacy” on Instagram DMs, akin to a phone call that can now be wiretapped.
What Meta Can Now Technically Access
Message content: the text, images, videos, and voice notes in your Instagram DMs are now accessible to Meta's systems.
AI training and personalisation: Meta's privacy policy lists message content among data collected that can be used for "product improvement." While Meta has stated DMs are not currently used for targeted ads or AI training, that commitment is backed only by policy, not by technical impossibility.
Law enforcement requests: without E2EE, Meta can hand over the content of your messages in response to legal demands from governments, including those in countries with limited rule of law.
Data breaches: should Meta's servers ever be compromised, message content stored or processed there is now part of the attack surface.
Moderation, Safety, and Legal Compliance
Why did Meta do this? Officially, low usage was one reason, but timing and context suggest compliance with new safety laws also played a role. In the US, the “Take It Down Act” was signed into law in May 2025, requiring social platforms to remove reported non-consensual intimate images (including deepfakes) within 48 hours. Proponents of this law point out that with E2EE, platforms cannot remove images or content they can’t see, making compliance impossible. Indeed, a Fox News report notes that enforcement of the law “requires platforms to have access to content. End-to-end encryption makes that access impossible,” so removing the feature “positions Instagram to comply” with the May 19, 2026 deadline. The coincidence of Instagram turning off E2EE just 11 days before the law’s enforcement date has drawn scrutiny.
Child safety and law enforcement groups have long pressured Meta to abandon or limit E2EE, arguing it allows child exploitation and criminal activity to flourish unchecked. (In fact, Reuters recently revealed Meta executives felt E2EE would make detecting child abuse material “so irresponsible”.) Similar concerns are raised by authorities in other countries. The European Commission, for example, is reportedly working on an “Encryption Roadmap” to balance lawful access and privacy. The UK’s Online Safety laws also target dangerous content, and Amazon’s “Chat Control” proposal in the EU would force platforms to scan messages for child abuse by design, effectively breaking E2EE (privacy advocates strongly oppose this). In short, Instagram’s move aligns with a broader international trend: governments are demanding access to user communications in the name of safety. Removing E2EE is one way platforms can technically comply with such laws and regulations (though it comes at the cost of user privacy).
However, while removing encryption allows Instagram to scan DMs for illegal or harmful content more easily, it also raises new security risks. With everything decrypted on the server, a hack or insider leak at Meta could expose all private chats. Before, even if Meta were compromised, the attackers would only see ciphertext (which they might not have keys to decrypt). This tradeoff – better moderation vs. potential centralized risk – is a major point of contention. Privacy advocates argue there are better technical solutions (see below) than throwing away encryption entirely.
What Should You Do Now?
Download your encrypted chat history: If you had E2EE enabled on any Instagram conversations before May 8, those chats may no longer be accessible through the app. Meta offered a download window use it if you haven't already, though the deadline may have passed.
Move sensitive conversations elsewhere: For anything you genuinely need to stay private medical matters, legal advice, journalistic communications, personal safety use Signal or WhatsApp, both of which offer robust, default E2EE.
Treat Instagram DMs as postcards, not sealed letters: Going forward, assume that anything you type in an Instagram direct message could, in principle, be read by Meta and plan accordingly.
The Bigger Picture
Instagram's move arrives at a moment when the future of encrypted communication is being contested at the highest levels of government. The UK's Online Safety Act, Australia's eSafety framework, and now the US Take It Down Act all create regulatory pressure on platforms to "see" more of what their users share. The tension between privacy, safety, and regulation is not going away.
What makes Instagram's decision feel particularly sharp is its quiet inevitability. There was no public debate, no opt-out mechanism, no prominent notice to users. A feature that existed to protect the most private category of digital communication direct messages between two people was simply switched off. And the justification offered too, few people used it ignores that the platform never meaningfully tried to help them. The sealed envelope has been opened. What goes in it now is up to you.
If you have a tip, a story, or something you want us to cover get in touch with us by clicking here. Sign up to our newsletter so you won’t miss a post and stay in the loop and updated also we will be launching a free basic cybersecurity short course for beginners to teach you how to protect yourself online. Just subscribe for free to our newsletter and create an account on perusee to be eligible.
Note: You can also advertise on Perusee, just contact us, call or app +263 78 613 9635
Click here to Follow our WhatsApp channel
Keep comments respectful and in line with the article, also create an account and login to chat with members in our forum, get help on issues you need help with from community members.