In 2019, Meta CEO Mark Zuckerberg penned a 3,000-word manifesto declaring a fundamental shift in the architecture of social media. "The future is private," he wrote, pledging to weave end-to-end encryption through the fabric of Meta’s empire: Facebook, WhatsApp, Messenger and Instagram. It was framed as an existential commitment to human rights in a digital age.
Seven years later, that future has been quietly rewritten.
On May 8 this year, Meta officially retired the optional end-to-end encryption feature for Instagram direct messages (DMs) globally. The digital ‘seal’ that once prevented anyone, including Meta itself, from reading your private chats was broken.
In its place, Meta has reverted Instagram to "standard encryption," a protocol similar to Gmail, where data is secure in transit but fully accessible on the platform's servers.
To the casual user, the shift can barely be noticed, buried under a sea of routine terms-and-conditions updates. But to digital rights advocates and policy experts, the rollback represents a seismic, alarming capitulation that upends the delicate balance between consumer privacy and corporate liability.
‘Low adoption’ gaslight
Meta’s official defence for the rollback is utility over unused security. A company spokesperson noted that "very few people were opting into" the encrypted chat feature on Instagram, steering security-conscious users toward WhatsApp instead.
To tech policy experts, blaming the consumer for low adoption of a hidden feature is classic corporate misdirection.
"The comment about adoption rate is perhaps a little bit disingenuous," Raman Jit Singh Chima, Global Cyber Security lead, and director at the international non-profit Access Now, told The Telegraph Online. "It’s alarming that Meta, after taking a clear step forward, has chosen to move back two steps, sending a signal to the tech sector that if you come under potential government pressure, yes, it’s fine to compromise on secure communications."
By shifting encryption from a default expectation to a revocable product feature, critics argue Meta has altered the very definition of digital autonomy.
Apar Gupta, advocate and founder director of the Internet Freedom Foundation (IFF), views this as a dangerous shift in digital governance.
"Meta spent years normalising E2EE [end-to-end encryption] as the future of private communication," Gupta told The Telegraph Online. "Citing 'low uptake' to withdraw it reframes privacy as a product metric rather than a rights baseline."
When the United Kingdom put pressure on Apple to weaken its encryption architectures, the tech giant threatened to disable specific cloud services entirely in that jurisdiction rather than compromise user integrity.
Similarly, platforms like Signal have made it clear they would rather exit a market than hand over a backdoor key.
Meta, in contrast, chose a quiet surrender.
Safety or ‘Magic Solution’?
The rollback has been vocally cheered by law enforcement agencies and child protection organisations globally, who have long argued that absolute encryption shields child sexual abuse material, cyber-harassment, and terror coordination from judicial oversight.
But does opening up the DMs actually solve the crisis of online harm, or does it merely give the illusion of safety? Digital security experts argued that treating encryption as the enemy of safety is a dangerous oversimplification.
They said that sophisticated bad actors do not rely on Instagram DMs to coordinate illicit activities.
"Determined offenders will simply migrate to specialised encrypted services," warned Gupta. "The likely result is asymmetric, as ordinary users lose privacy, while sophisticated bad actors adapt."
Stripping encryption creates a massive new honeypot of data.
"Just because law enforcement wants to target one criminal doesn't mean they should have a skeleton key to access every lock," Chima argued, pointing out that unsecured messages open ordinary citizens up to corporate data breaches, state surveillance and organised cyber-scams.
Chima also warned that weaponising child safety to dismantle encryption serves as an ideological cop-out.
"It becomes a sort of magic solution: 'let's just attack encryption as a threat to children', and then magically the solution will appear. It won't go away; it'll cause other risks instead."
He emphasised that platform safety requires holistic investment in gender-sensitive policing, preventative counseling, and resourced cyber-units, not the mass surveillance of everyday speech.
Hunger for AI data
Beyond the regulatory pressure to police content lies a deeper, distinctively 2026 tech incentive: the insatiable appetite of generative artificial intelligence.
Private text conversations are the holy grail for training Large Language Models (LLMs) as they provide high-quality, nuanced, idiomatic human interaction that public internet comments cannot replicate.
By removing the encryption block on Instagram, Meta technically regains the ability to index and analyse the text flowing through millions of active millennial and Gen-Z DMs.
"Meta will frame this as safety, but commercial incentives cannot be ignored," said Gupta. "Private messages are high-value conversational data. Safety cannot become a laundering label for data extraction."
While Meta has previously maintained that direct messages are not harvested for AI training, the lack of transparency surrounding the rollback leaves consumers profoundly vulnerable. Without encryption, users have no choice but to trust corporate promises, one that has historically depreciated rapidly in Silicon Valley.
Indian paradox: The DPDP limbo
For users in India, one of Instagram's largest global markets, the rollback lands squarely in a convoluted legal and regulatory crossfire.
Under India's Information Technology (IT) Rules, the government has fought a bitter, ongoing legal battle with Meta over the "Traceability Mandate," which requires platforms to identify the "first originator" of a message.
While WhatsApp has fiercely contested this mandate in Indian courts, arguing it would require breaking encryption, the rollback on Instagram provides the state with a friction-free victory.
Without encryption, Meta can seamlessly comply with intercept or decryption orders under Section 69 of the IT Act.
Compounding this vulnerability is the strange limbo of India’s Digital Personal Data Protection (DPDP) Act. Passed into law, its implementation remains stalled, a delay critics attribute to private sector and industry lobbying.
The lack of an active data protection regulator in India strips consumers of any leverage. In other global jurisdictions, data protection authorities dictate the boundaries of corporate data harvesting. In India, users are left exposed.
"The law talks about data minimisation by design and end-to-end encryption is often an enabling tool for that," said Chima. "The fact ultimately that in India we don't have the regulator allows this sort of unfortunate situation where the government is not recognizing the harms that take place by the removal of this key feature."
False choice for consumer
By creating a structural split within its ‘Family of Apps’, positioning WhatsApp as the secure fortress and Instagram as the unencrypted public square, Meta is forcing consumers into an unfair trade-off, digital privacy experts said.
It presents a false choice: if you want influence, networking, and discovery, you must sacrifice your privacy. If you want security, you must retreat to a utility app.
"Instagram’s rollback weakens the company’s own moral and policy position," concludes Gupta. "It signals that encryption within Meta’s apps is not a constitutional commitment, but a negotiable business and regulatory choice."
The message to the consumer is clear: If you want a private conversation on social media, you are on your own.