Meta Just Made 2 Billion Instagram Users' DMs Readable Again
On May 8, Meta quietly removed end-to-end encryption from Instagram DMs. The stated reason was low adoption. The timing — 11 days before the Take It Down Act takes effect — tells a different story.
On May 8, Meta flipped a switch and every Instagram DM became readable by the company again. No pop-up. No confirmation screen asking "are you sure?" Users who had opted into end-to-end encrypted chats — the feature Meta introduced in 2023 as part of its "commitment to privacy" — simply found their conversations decrypted. A small in-app notification, easily dismissed, was the only signal that anything had changed.
The stated reason, from a Meta spokesperson to The Guardian in March: "Very few people were opting in to end-to-end encrypted messaging in DMs, so we're removing this option from Instagram."
That sentence does a lot of work. And almost none of it is honest.
What Changed on May 8
Instagram's optional end-to-end encryption launched in 2023 after years of testing. It was never on by default. Users had to actively enable it on a per-chat basis, and even then, it was only available in certain regions. When it was active, messages between two users were encrypted so that Meta's servers stored ciphertext — data that Meta itself couldn't read, even if compelled to by a court order or government request.
On May 8, that option disappeared. Instagram DMs now use standard encryption — transport-layer encryption that protects messages in transit between your phone and Meta's servers, but allows Meta to access, read, and process the plaintext content once it arrives. Photos, voice messages, video calls, text — all of it is now visible to Meta's systems.
Instagram has somewhere between 2 and 3 billion monthly active users, depending on whose estimates you trust (Meta doesn't publish exact figures). Not all of them used encrypted DMs — in fact, Meta's whole justification relies on the fact that most didn't. But the question isn't how many people were using the feature. The question is why Meta actively removed it rather than leaving it available for those who wanted it.
Keeping a low-adoption opt-in feature alive costs almost nothing. Removing it requires engineering work, generates negative press, and alienates privacy-conscious users. Companies don't take on that cost for no reason.
The Take It Down Act
On May 19, 2026 — eleven days after Meta killed Instagram encryption — the Take It Down Act becomes enforceable.
The Take It Down Act, signed into law by President Trump on May 19, 2025, criminalizes the nonconsensual publication of intimate images, including AI-generated deepfakes. The law gives platforms 48 hours to remove flagged content after receiving a valid removal notice. Platforms that fail to comply face FTC enforcement.
Here's the problem: if your messages are end-to-end encrypted, you can't comply with the Take It Down Act. You can't scan content you can't see. You can't verify a removal request against message content you don't have access to. You can't even confirm that a flagged image exists in a conversation, let alone remove it within 48 hours.
Meta knew this. The timing is not a coincidence.
By removing encryption on May 8, Meta gave itself eleven days to stand up whatever content moderation infrastructure it needs before the law kicks in. This isn't speculation — the regulatory pressure on platforms to retain the ability to scan and remove content has been building for years, and the Take It Down Act is the first federal law in the US that makes the tension between encryption and content moderation operationally unavoidable.
Meta hasn't acknowledged this connection publicly. The official line is still "low adoption." But consider what would have happened if Meta kept encrypted DMs and then failed to comply with a Take It Down Act removal notice in June. The headlines write themselves, and the FTC fines are real.
The Zuckerberg Reversal
In March 2019, Mark Zuckerberg published a 3,000-word essay titled "A Privacy-Focused Vision for Social Networking." The key passage: "I believe the future of communication will increasingly shift to private, encrypted services where people can be confident what they say to each other stays secure and their messages and content won't stick around forever."
He laid out five principles: private interactions, encryption, reducing permanence, safety, and interoperability. The vision included building integrated messaging across Messenger, Instagram, and WhatsApp, all secured with end-to-end encryption. This wasn't a footnote in a blog post. It was a CEO-level strategic pivot, published during the company's worst privacy crisis, positioned as Meta's path forward.
Seven years later, Meta is actively reversing course on Instagram. Messenger completed its rollout of default E2E encryption in December 2023. WhatsApp has been encrypted by default since 2016. Instagram was supposed to be next. Instead, it's the first platform where Meta has deliberately removed encryption it had already shipped.
The defense is that WhatsApp "remains end-to-end encrypted by default" — Meta's spokesperson pointed users there if they want private messaging. But this framing treats encryption as a product feature you can shuffle between apps, rather than a security property that should apply to every platform where people share private information. Hundreds of millions of people use Instagram DMs for conversations they consider private. Telling them to "just use WhatsApp" isn't a privacy policy. It's an abdication.
What Meta Gets From Unencrypted DMs
Let's talk about what Meta gains by reading your messages.
Meta's advertising business depends on understanding user behavior and interests at a granular level. Every signal that helps Meta build a more detailed profile of a user makes its ad targeting more precise, which makes each ad impression worth more, which makes Meta more money. This is not a conspiracy theory — it's Meta's business model, disclosed in their SEC filings.
With encrypted DMs, Meta had a blind spot. It could see who you messaged and when, but not what you said. With encryption removed, Meta's systems can now process message content. Meta's privacy policy permits using data from Instagram to "provide, personalize, and improve" its products, which includes advertising.
There's also the AI training angle. Meta has been aggressively building its Llama model family and needs training data at scale. The company's privacy policy, updated in 2024, explicitly allows using data from its platforms to train AI models, unless users opt out (a process that varies by jurisdiction and is not straightforward). Unencrypted DMs are a massive new corpus of natural language data — conversations, reactions, preferences — that was previously inaccessible.
Meta hasn't confirmed that Instagram DM content will be used for ad targeting or AI training. But the privacy policy permits it, the infrastructure to do it exists, and there is no technical barrier remaining now that encryption is gone. The only thing standing between Instagram DM content and Meta's ad algorithms is a policy decision that Meta can change at any time.
The WhatsApp Question
If you're thinking "at least WhatsApp is still encrypted," you're right. For now.
WhatsApp's encryption is fundamentally different from Instagram's. It's been default-on since 2016, it's a core feature that defines the product, and it's the reason many users chose WhatsApp over SMS or other messaging apps. Removing WhatsApp encryption would be a much bigger business decision than removing Instagram's barely-adopted opt-in feature.
But the same regulatory pressure that pushed Meta to remove Instagram encryption applies to WhatsApp. The Take It Down Act doesn't carve out exceptions for end-to-end encrypted platforms. Neither does the UK's Online Safety Act, which requires platforms to use "accredited technology" to detect child sexual abuse material — technology that is functionally incompatible with E2E encryption. The EU's proposed CSA Regulation (the so-called "chat control" legislation) would go even further.
Meta is fighting these requirements for WhatsApp. But the Instagram decision establishes something: Meta will sacrifice encryption when the regulatory and business calculus tips against it. The question for WhatsApp isn't whether Meta is committed to encryption in principle. It's whether the business case for WhatsApp encryption remains stronger than the regulatory and commercial incentives to remove it.
Given that Meta just demonstrated exactly how quickly it can reverse an encryption commitment, WhatsApp users should be paying attention.
What the "Low Adoption" Excuse Reveals
Meta's defense — "very few people were opting in" — deserves scrutiny for what it reveals about how the feature was designed.
Instagram's E2E encryption was opt-in, per-chat, and only available in certain regions. There was no prominent setting to enable it globally. There was no onboarding prompt explaining what it did. It wasn't marketed, promoted, or even easy to find. Meta built the feature to meet a privacy commitment, then did almost nothing to ensure users would actually discover and use it.
Low adoption of a feature that was hidden, opt-in, and region-restricted is not evidence that users don't want privacy. It's evidence that Meta designed the feature to fail — or at minimum, designed it in a way where failure was the expected outcome that would later justify removal.
Compare this to WhatsApp, where encryption is on by default, requires zero user action, and has universal adoption precisely because Meta made it the default. Instagram could have followed the same model. It didn't. And now Meta is using the predictable consequence of that design choice as the justification for removing the feature entirely.
What to Do
- Stop treating Instagram DMs as private. They aren't, and they won't be again. Any conversation you want to remain private should happen on a platform that provides end-to-end encryption by default and where the provider has a structural commitment to maintaining it.
- Use Signal for private conversations. Signal is an independent nonprofit. Its protocol is open source. It doesn't store message content on its servers. It has no advertising business model that would benefit from reading your messages. This isn't a paid endorsement — it's a structural analysis of incentives. Signal has no reason to read your messages. Meta has many.
- Don't assume WhatsApp is safe forever. It is today. Meta has strong business reasons to keep it encrypted today. But Meta just proved that "strong business reasons" can change. If you're building your communication habits around the assumption that WhatsApp will always be encrypted, you're trusting a corporation's current incentive structure rather than a technical guarantee.
- Review Meta's privacy settings. In the EU, you can object to your data being used for AI training under GDPR. In the US, the controls are more limited. Go to Settings → Privacy → Data Use and review what Meta says it does with your information. The options are limited, but understanding what you're sharing is the first step.
- Tell people. Most Instagram users won't see the in-app notification. They won't read the news coverage. They'll keep using DMs assuming their conversations are as private as they were last week. They're not.
The Uncomfortable Truth
Meta's 2019 promise was that the future of communication would be private and encrypted. In 2026, Meta is actively removing encryption from the platform where it was most optional and least adopted, under regulatory pressure from a law designed to fight deepfake abuse, while maintaining the right to use unencrypted message content for advertising and AI training.
Every actor in this story has a defensible position. The Take It Down Act targets a real problem — nonconsensual intimate images cause genuine harm. Meta is complying with a law that was passed with bipartisan support. The "low adoption" claim is technically true, even if the low adoption was a design choice.
But the net result is that 2 billion users just lost a privacy option they didn't know they had, on a timeline driven by regulatory compliance rather than user interest, with the side effect of opening a massive new data stream for the world's largest advertising company. Nobody voted for that specific outcome. It just happened, one defensible decision at a time.
Sources: The Hacker News, MacRumors, The Register, gHacks, Euronews, Congress.gov — Take It Down Act, Meta — A Privacy-Focused Vision for Social Networking (2019)