In a move that received far less attention than its significance warrants, Meta announced that end-to-end encryption on Instagram direct messages will be switched off from May 8, 2026. The disclosure was tucked into a help page update and a revised news post, without a major public statement or press release. For those who had enabled the encryption feature — or simply assumed their DMs were private — the change represents a notable loss of protection.
The encryption feature being removed was never universal. From its introduction in 2023, it required users to actively opt in — a design that inherently limited its reach. Meta CEO Mark Zuckerberg had framed the 2019 announcement of cross-platform encryption as a foundational commitment to privacy. The reality of how that commitment unfolded — opt-in, delayed, and now reversed — tells a different story.
Meta’s spokesperson attributed the removal to low uptake, saying the feature was simply not being used by most Instagram users. The company has pointed to WhatsApp as the appropriate channel for encrypted messaging within the Meta ecosystem. This response has done little to satisfy digital rights advocates, who argue that opt-in features will always have lower adoption than opt-out ones.
The commercial implications of this decision are significant. Without end-to-end encryption, Meta can access the full content of private Instagram conversations. This data could, in theory, be used to refine advertising targeting, improve AI systems, or support other commercially valuable functions. Even if Meta does not use the data this way immediately, the ability to do so creates a structural incentive that may prove difficult to ignore over time.
Ultimately, users now have to make a choice: continue using Instagram DMs with the understanding that their content is accessible to Meta, or migrate sensitive conversations elsewhere. Digital rights groups are calling on legislators to respond — not just to Instagram’s specific decision, but to the broader pattern of platforms introducing and then quietly removing privacy features without meaningful accountability.