Meta dropped Instagram DM encryption. Why?
Five days later, Meta added a new privacy feature to WhatsApp.
If your business or organization uses either app for anything you'd rather Meta not read, here's what changed.
What changed
On May 8, Meta turned off end-to-end encryption (the math that keeps Meta from reading the message) for Instagram Direct Messages. The feature had been opt-in since December 2023, and the toggle sat four menus deep inside individual conversation settings. Any new DMs sent after May 8 are now readable by Meta. Past DMs you sent with E2EE on aren't newly exposed. However, if you didn't export your encrypted history before the cutoff date, you may have lost access to your conversations.
On May 13, Mark Zuckerberg personally announced Incognito Chat for Meta AI on WhatsApp. The feature runs your AI conversations inside a hardware-isolated server enclave Meta calls Private Processing. Conversations don't get logged and disappear when you leave the session. These are text-only at launch. Independent security firms NCC Group and Trail of Bits audited the architecture.
Just a reminder that WhatsApp's regular messages stay end-to-end encrypted by default.
Meta's privacy history
In 2019, Zuckerberg publicly committed Meta to a privacy-focused future where, in his words, people's private communications should be secure. A 2022 Meta white paper said the company was building end-to-end encryption "by default across Messenger and Instagram DMs." Messenger got it, but Instagram never did. The feature shipped as opt-in in December of 2023, and Meta is now killing the opt-in instead of finishing the default rollout.
Meta's official explanation is low adoption. The Electronic Frontier Foundation called out the circular logic: turning Instagram E2EE on was a four-step process buried inside individual conversation settings. Meta never advertised the feature and the company is using the entirely predictable low adoption as the excuse for shutting it down. It's self-fulfilling bureaucracy.
Why this week
The U.S. Take It Down Act enforcement deadline arrives on May 19, eleven days after the Instagram cutoff. The law requires platforms to remove non-consensual intimate imagery, including AI deepfakes, within 48 hours of a takedown notice. The FTC has set civil penalties at up to $53,088 per violation. End-to-end encryption is incompatible with that obligation. If Meta can't see the content, Meta can't act on a takedown request. The timing of the May 8 cutoff for Instagram encryption isn't a coincidence. Meta needs to become compliant.
It's worth noting that Meta is the outlier. Default encrypted platforms like Signal and Apple's iMessage aren't tearing down their encrypted messages to comply with the Take It Down Act.
What it all means
I'd treat Instagram DMs the way I'd treat a personal email site like Gmail. The company hosting the conversation can read it. Anyone with legal authority over that company can compel access. Anyone who breaches Meta's systems can potentially get to it. A week ago that was true only for the users who hadn't opted into E2EE, but now it's true for all users.
WhatsApp is still the better Meta option for sensitive person-to-person messages. Meta is openly pointing Instagram users there. Just be careful not to confuse WhatsApp's regular messaging (which is end-to-end encrypted by default) with the new Incognito AI Chat (privacy by Meta's design, not by math). Those two features are meant for two different purposes.
What to do
Stop sending anything sensitive through Instagram DMs. Passwords, account recovery codes, client information, HR matters, photos you wouldn't want a stranger to see. Treat them like you were sending a postcard in the mail.
Move sensitive conversations to an app that's end-to-end encrypted by default. Signal is the standard in this space. WhatsApp works for person-to-person messages, but you are still inside Meta's ecosystem.
Don't treat WhatsApp's Incognito AI Chat as encrypted communication. It's a real improvement over standard cloud AI, with independent audits behind the technology securing it. But it's still a conversation with a Meta-owned chatbot. Share only what you'd share with any other AI tool.
If you had Instagram E2EE on and didn't export your encrypted history before May 8, it's gone. Because those messages were truly encrypted, Meta had no access to them. If you hadn't exported and backed up those messages, there is no recovery path. If you have or had important information in chats, consider this part of the ongoing case for backups.
WhatsApp's Private Processing is engineered well. The NCC Group and Trail of Bits audits are real third-party reviews, and the math behind end-to-end encryption is the same math that protects your banking. That means you are getting privacy vetted by actual third parties.
What changed is Meta's overall privacy ecosystem. Privacy at Meta is now per app and decided product by product. Just keep in mind Meta's broken promises of the past and its contradictory marketing.
Joel
Sources
Source: Pieter Arntz, "Meta's confusing new approach to chat privacy", Malwarebytes Labs, May 15, 2026.
Also: "Broken Promises: RIP Instagram's End-to-End Encrypted DMs", Electronic Frontier Foundation, May 2026. "Warning: Instagram DMs Lose End-to-End Encryption Starting Today", MacRumors, May 8, 2026 (Take It Down Act timing). Kelvin Chan, "Meta launches WhatsApp 'incognito' mode", AP via US News, May 13, 2026.

