Instagram dropping encrypted DMs, privacy changes take effect Friday
A major privacy change is coming to Instagram. Meta is removing end-to-end encryption from some direct messages starting Friday, meaning those chats may no longer be fully private.
CHICAGO - Instagram is removing a privacy feature on May 8 that previously prevented the company from reading users’ direct messages, raising questions about what happens to old encrypted chats and why the timing aligns with a federal law targeting digital exploitation that takes full effect in 12 days.
The change affects users who turned on Instagram’s end-to-end encryption feature for direct messages. Most users never enabled it, according to digital privacy expert Harry Maugans. For those who did, the protection disappears on May 8.
The move lands 12 days before platforms must have a removal system in place under the Take It Down Act, a federal law signed in May 2025 that requires companies to remove non-consensual deepfake images within 48 hours of a victim’s report.
Maugans says the timing is not a coincidence.
What is end-to-end encryption:
End-to-end encryption is a security layer that scrambles the contents of a message so only the sender and recipient can read it. Not even the platform hosting the conversation can see what is inside.
Think of it like a sealed envelope. The postal service can see who sent it and who received it. But they cannot open it.
When Instagram removes this feature on May 8, it is removing the seal. Meta will be able to read the contents of those messages.
Not sure if you had it turned on? Users who enabled the feature would have seen a lock icon on their direct message threads.
Maugans said what happens to existing encrypted chats after the deadline is still unclear.
"The leading theories are either the messages are going to become public and join the rest of your chat flow, or the messages might just be deleted, which is why they’re saying download your encrypted messages while you still can," Maugans said.
What to do before May 8th:
If you turned on end-to-end encryption for Instagram direct messages, go into those chats and download a backup before the deadline.
But where you store that backup matters just as much as downloading it.
"If you turn around and upload that downloaded chat backup to Google Drive or iCloud or any other cloud provider, you’re uploading the unencrypted raw version of these chats," Maugans said. "If your whole purpose was to keep it out of the hands of data brokers, be cognizant of where you store that backup file."
Saving the backup to a cloud service defeats the purpose. Store it locally on your device only.
WhatsApp is not a complete fix:
Meta has suggested users who want continued encryption switch to WhatsApp, which the company also owns. Maugans says that is not a complete fix.
WhatsApp does encrypt the contents of messages. What it does not protect is what Maugans calls metadata.
"How often you’re communicating with that person, how many times per day, the time of day if it’s late at night, if it’s early morning," Maugans said. "They can see that network of who you communicate with, which is very valuable in their algorithm."
Meta cannot read what you said. But it can see who you said it to, when, and how often. That information still feeds the company’s advertising and content systems.
Maugans says if privacy is the goal, leave Meta’s platforms entirely.
"One of the more widely known names for secure chatting is Signal, which is a nonprofit organization that’s transparent about all of their security, all of their encryption," he said. "And it really does work well."
Signal is free and available at signal.org and in the App Store and Google Play.
Why is this happening now?:
Maugans says regulatory pressure is likely driving the timing.
Platforms cannot remove harmful content they cannot see. The Take It Down Act, signed by President Donald Trump in May 2025, requires companies to remove non-consensual deepfake images within 48 hours of a victim’s report. Enforcing that law requires platforms to have access to content. End-to-end encryption makes that access impossible.
By removing the feature, Instagram positions itself to comply ahead of the May 19 deadline.
What the Take It Down Act does:
Passed with bipartisan support and signed into law in May 2025, the Take It Down Act criminalizes the publication of non-consensual intimate images, including AI-generated deepfakes. It gives the Federal Trade Commission authority to penalize platforms that fail to remove reported content within 48 hours.
Platforms have until May 19, 2026, to have that removal system fully operational. That deadline is 12 days away.
The law covers both AI-generated deepfakes and any non-consensual intimate image, regardless of how it was created.
What's next:
For Instagram users with encrypted chats, the deadline is May 8. After that date, the option to download those chats may no longer be available.
For victims of non-consensual intimate images, the Take It Down Act provides a legal path to force removal once platforms have their systems in place after May 19. Reports can be filed directly with the platform. The FTC handles enforcement against companies that do not comply.
The Source: The information in this article was reported by FOX Chicago's Terrence Lee.