Instagram can now read your teen’s private messages
Instagram direct messages are no longer end-to-end encrypted. As of 8 May 2026, the privacy layer that meant only the sender and the recipient could read a message has been removed from Instagram entirely. Meta can now technically access the content of every DM, image, voice note and video sent through the app. The change applied to all users with no in-app notification beyond a quietly updated support page in March.
This is one of the most significant privacy rollbacks Meta has made in years, and most users have not heard about it.
What actually changed
End-to-end encryption is the feature that means a message is unreadable to anyone except the two people in the conversation. Not the platform. Not the company. Not anyone the company shares data with. Instagram offered this as an opt-in feature for direct messages from 2023 onwards, although it was never the default and required users to enable it conversation by conversation through a buried setting.
That option no longer exists. Every Instagram DM is now stored on Meta’s servers in a form the company can read. Meta has confirmed it may use this access for content moderation, safety features, AI development, and responding to legal requests.
For users who had encrypted chats before 8 May, those messages are still encrypted but cannot be added to. New messages in those threads are unencrypted.
The reason Meta gave, and the reason it probably did it
Meta’s official explanation is that too few users had opted in to encrypted chats to justify keeping the feature. A spokesperson told The Guardian in March: “very few people were opting in to end-to-end encrypted messaging in DMs, so we’re removing this option from Instagram.”
Low adoption is a defensible reason in isolation. It is also, on its own, an incomplete picture.
Eleven days after the removal of encryption, on 19 May 2026, the Take It Down Act came into force in the United States. The law requires online platforms to remove non-consensual intimate imagery, including AI-generated deepfakes, within 48 hours of receiving a takedown notice. A platform cannot comply with a takedown notice for content it cannot see. Encryption made compliance impossible. Removing it makes compliance possible.
Meta has not explicitly linked the two events. Independent analysts and security researchers have. The timing is too clean to be coincidence.
There is also a longer-term commercial logic. Meta is investing heavily in AI development, and AI models are trained on data. Encrypted messages are data the company cannot use. Unencrypted messages are. Meta says DMs are not currently used for ad targeting and has not committed to using them for AI training, but neither commitment is binding and both leave room for future change.
The genuine safety argument
There is a real argument on the other side of this. The NSPCC, the Internet Watch Foundation and other child safety organisations have long argued that end-to-end encryption shields predators from detection. Grooming, the sharing of child sexual abuse material, and coordinated abuse have all been documented as happening inside encrypted channels precisely because they cannot be moderated. When Meta announced the removal, the NSPCC welcomed the change.
That argument is genuine, and parents who are worried about contact risks to their children may find the trade-off acceptable. The point of this piece is not to argue that encryption is more important than child safety. The point is that the trade-off is real, and parents should understand what was traded away.
What was traded away: every Instagram DM your teen sends is now readable by Meta, by anyone Meta shares it with under legal request or commercial partnership, and potentially by future systems Meta has not yet built or disclosed. That includes ordinary conversations, private photos sent between friends, voice notes, and anything else exchanged through the app.
What this means for you right now
This is a conversation, not a setting. There is no toggle to turn encryption back on. There is no app update that will restore it. The useful thing is a short, direct talk with your teen about what changed and what it means.
The talk has three parts.
Instagram DMs were never truly private, and now they are definitively not. Anything your teen would not want a stranger, a company, a future employer, or a future partner to read should not live in there. Private things go to genuinely private channels. If a message contains anything that could be embarrassing if read aloud, that message should not be on Instagram.
For genuinely private chat, there are better options. Signal keeps end-to-end encryption on by default for every conversation. It is free, it works on iOS and Android, and it is the messaging app most security researchers and journalists use. WhatsApp is also still end-to-end encrypted by default, although it is owned by Meta and the longer-term trajectory is uncertain. Apple’s iMessage is encrypted between Apple users but not when messaging Android phones.
The bigger lesson outlasts any single platform. Assume the DM is not a diary. This is true on Instagram now, and it is the safer default to apply everywhere. Platforms change their privacy positions when the commercial or regulatory pressure shifts. The only way to be certain a conversation is private is to have it on a platform whose business model does not depend on accessing the content of the conversation.
What to expect next
Meta has not committed to a timeline for how long DM content will be retained, how it might be used for moderation or AI training, or whether DMs could eventually be used for ad targeting. None of these are ruled out.
Other platforms are watching. TikTok already does not offer end-to-end encryption for DMs and has cited safety considerations. Snapchat does not encrypt messages by default. The trajectory across the major teen platforms is away from encrypted messaging, not towards it. The Instagram change is the most significant single step in that direction so far, but it will not be the last.
Sources:
