Instagram dropped end-to-end encryption from direct messages last week. Meta ended its opt-in E2EE feature, the one it had publicly promised in 2022 would eventually be default across Messenger and Instagram DMs. Three years later, the project is over. Meta's official excuse is that very few people were using it. The four-step opt-in was never default and was never visible enough for ordinary users to find.
The promise was not subtle. In a 2022 white paper, Meta said it wanted users to have a trusted private space that was safe and secure, and that it was taking its time to thoughtfully build and implement end-to-end encryption by default across Messenger and Instagram DMs. In 2023 it bragged about successfully encrypting Messenger and teased that Instagram was in progress. Last week, with no real fanfare, the feature was killed.
Meta's official statement said very few people were opting in to end-to-end encrypted messaging in DMs. The framing puts the failure on the user instead of on the design. Defaults shape behaviour. A four-step setting buried inside an account screen does not get adopted because nobody finds it. Meta knew that when it built the opt-in. Blaming users for not using a feature you buried is the playbook.
Every Instagram DM you send now sits in a place Meta can read. Without end-to-end encryption, the contents of your messages are visible to Meta, accessible to its automated scanning, available to subpoenas, and exposed to whoever breaches Meta next. The same is true for anyone you message. Encryption is what stops a conversation between two people from also being a conversation with the platform, the government, and any future attacker.
Instagram is not Meta's only undelivered promise. End-to-end encryption for Facebook Messenger group messages has still not shipped, another commitment Meta made years ago and quietly stopped mentioning. The EFF described the pattern bluntly. Most tech company promises die by attrition. They get left undelivered long enough to be forgotten. Meta's spokespeople now point users at WhatsApp for encrypted messaging, as if rationing one privacy feature across one of three apps counts as honouring an earlier commitment.
The same week, Apple and Google launched end-to-end encryption for RCS messages between iPhone and Android, after years of working through the GSMA protocol layer. Signal continues to make its app simpler and easier for ordinary users. Other companies, even ones whose business model depends on harvesting attention, are still adding default privacy. Meta is going the other way. It built a private room you had to find, then removed the room because few people found it.
Privacy that depends on a user opting in does not survive a single corporate strategy review. The only privacy that lasts is the kind that is on by default, baked into the protocol, and impossible for the operator to switch off when adoption numbers look bad in a quarterly review. Meta has now demonstrated, twice, that it will not be that operator. Instagram users have always been the inventory. The product was their attention and their data.
If you care about your Instagram DMs staying yours, the setting is gone. Sensitive conversations belong on a platform Meta does not own. Signal is the cleanest option for one-to-one and group messages. WhatsApp is still end-to-end encrypted, though it is the same company that just walked away from this commitment everywhere else. Encrypted RCS between iPhone and Android is now landing through carriers, with the usual caveats around metadata and unencrypted backups.
Australian users should treat this as the same lesson the UK and EU learned with age verification and data retention. The amount of trust you can extend to a platform is roughly equal to the amount of your conversation that platform cannot see. Meta has just lowered that number for hundreds of millions of Instagram users without asking. Reduce how much of your life lives inside Meta. The next promise will not save it.
Blackout VPN exists because privacy is a right. Your first name is too much information for us.
Keep learning
FAQ
What exactly changed on Instagram?
Meta ended the opt-in end-to-end encryption feature for Instagram DMs last week. The setting is no longer available. Meta now points users at WhatsApp for encrypted messaging.
Why does losing end-to-end encryption matter?
Without end-to-end encryption, Meta can read the contents of your DMs, hand them over under legal request, and lose them in a breach. The same applies to anyone you message on Instagram.
Does this affect Messenger and WhatsApp as well?
WhatsApp remains end-to-end encrypted. Messenger has E2EE for one-to-one chats but Meta has still not shipped the promised E2EE for group messages.
What did Meta give as the reason?
Meta said very few people were opting in. The opt-in was a four-step setting that was never default, so adoption was always going to be low.
What should I use instead for private messaging?
Signal is the cleanest option for one-to-one and group messages. Encrypted RCS between iPhone and Android is now rolling out through carriers and provides default encryption for SMS-style conversations.