When Meta Kills the Lock on Your Door
On May 8, 2026, Meta quietly shut down one of the more consequential privacy features it had ever introduced on Instagram: end-to-end encryption (E2EE) for direct messages. The company’s stated rationale was straightforward to the point of being dismissive: very few users were opting into it, so it was being removed. That explanation, however convenient, obscures a far more complex set of trade-offs that deserves serious public scrutiny, particularly in a country like India, where Instagram’s user base runs into hundreds of millions and where the regulatory landscape around data is still finding its footing.
To understand why this matters, it is worth understanding what end-to-end encryption actually does. In a standard messaging environment, data is encrypted in transit, meaning it is scrambled between your device and the platform’s servers, but the platform itself can decrypt and read it.
E2EE goes a step further: messages are locked in a way that only the sender and recipient can ever unlock them, and even the platform operator cannot access the content. When Instagram introduced the optional E2EE feature in late 2023, it was deploying the Signal Protocol, the same cryptographic architecture that underpins WhatsApp. As of this month, that protection no longer exists on Instagram, regardless of whether you had it turned on.
Meta’s argument that low adoption justifies removal is, at best, circular. Adoption was low partly because the feature was never made the default. Unlike WhatsApp, where E2EE is automatic and invisible to users, Instagram required deliberate opt-in, and the platform did little to promote it.
The internal contradiction within Meta’s own product suite is telling: Facebook Messenger, the company’s other major messaging platform, rolled out default E2EE for all personal chats and calls in 2023. Instagram launched the same optional feature in the same year and then reversed it three years later. It is difficult to reconcile these two moves as anything other than a deliberate choice to treat Instagram’s user base differently.
Removing a privacy feature because people did not voluntarily go looking for it is not a neutral business decision; it is a choice that effectively downgrades the privacy floor for every user on the platform, including those who never knew the feature existed.
There is, however, a legitimate and important counterargument that privacy advocates have tended to underweigh. Child safety organisations and law enforcement agencies have long raised an alarm about the role of strong encryption in shielding serious abuse from detection. Facebook and Instagram together have historically accounted for over 85% of global referrals of child sexual abuse material from technology companies.
In the UK alone, data shared by social media platforms contributes to approximately 800 arrests of suspected child sex offenders and the safeguarding of roughly 1,200 children every month. End-to-end encryption, implemented at scale without compensating safety mechanisms, would make this kind of detection nearly impossible. This is a real and documented cost, not a hypothetical one.
The honest answer, then, is that there is no clean resolution to this tension. Strong encryption protects ordinary users, journalists, activists, lawyers, and anyone else with a reasonable expectation of private communication. It also, as a mathematical consequence, extends the same protection to those who would use private channels for serious harm. The question is not whether encryption is good or bad, but whether the specific architecture of a given platform, with its particular user base and social functions, makes it a suitable candidate for end-to-end encryption without additional safeguards.
It is also worth placing this decision against the broader direction of the messaging industry. The technology sector’s trajectory over the past decade has been, overwhelmingly, toward more encryption rather than less. Signal, widely regarded as the benchmark for secure messaging, provides default E2EE for all messages and calls. Apple’s iMessage deploys it by default between Apple devices. Viber does the same for personal chats. Even Telegram, often criticised for making E2EE optional rather than default, has moved incrementally toward stronger protections.
Against this backdrop, Instagram’s rollback is not merely a corporate product decision; it is a conspicuous regression at a moment when the rest of the industry is moving in the opposite direction. That should prompt questions about motivation that go beyond the low-adoption explanation Meta has offered.
What makes Meta’s decision troubling is not that it removed E2EE per se, but that it did so without articulating a coherent alternative framework for user privacy. The company has pointed users toward WhatsApp as the appropriate venue for sensitive communication, which is a reasonable suggestion, but it does not absolve Instagram of the responsibility to be transparent about what is now technically possible with message data.
Without E2EE, Meta can, in principle, scan message content for moderation and safety purposes, serve it in response to lawful government requests, and potentially use it to refine advertising and AI systems, subject to applicable legal constraints.
For Indian users, this is not an abstract concern. India is one of Instagram’s largest markets, and under the Digital Personal Data Protection (DPDP) Act, 2025, the Central government has explicit authority to direct data fiduciaries to share user information. With E2EE gone, Instagram DMs are no longer beyond the reach of such directives.
For civil society actors, investigative journalists, lawyers, and political organisers who may have used Instagram’s messaging feature under the assumption of some elevated privacy, this represents a material change in their risk environment. That assumption was always somewhat optimistic given that E2EE was never the default, but the complete removal forecloses even the option.
The broader lesson from this episode is structural. Privacy protections on commercial social media platforms exist at the pleasure of the platforms, subject to regulatory pressure and business incentives. The Internet Society has long argued that encryption is not merely a technical feature but a prerequisite for meaningful freedom of expression and secure civic participation. If that argument has merit, and there is substantial evidence that it does, then leaving the encryption question entirely to the discretion of private companies is an inadequate governance arrangement.
India, as it develops its data protection ecosystem, has an opportunity to think carefully about baseline encryption standards for platforms operating within its jurisdiction. The DPDP framework addresses how data is stored and processed after it is collected; it does not, as yet, prescribe minimum cryptographic standards for what is collected in the first place. That gap deserves legislative attention.
The Instagram rollback is a useful prompt to ask a more fundamental question: should the right to a private digital conversation be contingent on whether a corporation finds the feature commercially worthwhile?
The answer, in a constitutional democracy with a recognised right to privacy, ought to be ‘no’.
The writer teaches at the School of Management, Indian Institute of Technology, Mandi (Himachal Pradesh). He is also a King’s College London – Charles Wallace India Trust Visiting Fellow. The views are personal.
