End-to-End Encryption Is Gone From Instagram DMs. Why Now, and What Kenyans Should Do

On 8 May 2026, Meta switched off the option to send end-to-end encrypted direct messages on Instagram. The feature had been opt-in since December 2023, buried in a per-conversation setting most users never found, and from that date onward Instagram only operates on standard encryption. That means Meta can technically read the contents of every DM sent on the platform, the same way it can read messages on Facebook Messenger group chats that have not been encrypted.

The company’s official explanation is short. “Very few people were opting in to end-to-end encrypted messaging in DMs, so we’re removing this option from Instagram,” a Meta spokesperson told The Guardian in March, adding that anyone who wants encrypted messaging “can easily do that on WhatsApp.” That is the entire public reason.

This is an incomplete story.

The timeline does not flatter Meta

In March 2019, Mark Zuckerberg published a 3,200-word manifesto titled “A Privacy-Focused Vision for Social Networking,” promising to extend end-to-end encryption across all Meta apps. People’s “private communications should be secure,” he wrote. WhatsApp had been encrypted by default since 2016. Messenger got default encryption in late 2023. Instagram got an opt-in version the same year, then never made it default, never rolled it out globally, and never told users it existed beyond a small notification.

Seven years after the pledge, encryption is being rolled back on the platform with Meta’s heaviest legal exposure and richest advertising revenue. The Center for Democracy & Technology, the Global Encryption Coalition and Mozilla all asked Meta to reverse course in April. Meta did not.

Why now: the Take It Down Act

The encryption removal landed eleven days before the TAKE IT DOWN Act came into force in the United States on 19 May 2026. Signed by President Trump in May 2025 after passing the House 409-2 and the Senate unanimously, the law requires every covered platform to take down non-consensual intimate imagery, including AI-generated deepfakes, within 48 hours of a victim’s report. The Federal Trade Commission enforces it, with civil penalties capped at $53,088 per violation.

The math is simple. A platform that cannot read message content cannot scan it for prohibited material. A platform that cannot scan cannot meet a 48-hour removal window across two billion users. FTC Chair Andrew Ferguson sent formal warning letters to Meta and fourteen other major platforms — Alphabet, Amazon, Apple, Discord, Microsoft, Reddit, Snapchat, TikTok, X and others — in early May, reminding them compliance was not optional.

Meta has not publicly linked the encryption rollback to the law. But it doesn’t need to.

There is also a separate, expensive piece of context. On 24 March 2026, a New Mexico jury ordered Meta to pay $375 million in civil penalties after finding the company willfully misled users about the safety of Facebook, Instagram and WhatsApp while children were targeted by predators. The state’s attorney general is now seeking another $3.7 billion in an abatement phase and asking the judge to order design changes, including restrictions on encrypted messaging for minors. Meta is appealing. The verdict landed three weeks after the encryption rollback was disclosed.

What changed for the average user, technically

If you never turned on encrypted DMs — which is almost everyone — nothing visible has changed. Your messages were already passing through Meta’s servers in readable form. What is gone is the option to lock them. There is no longer any path to send an end-to-end encrypted message on Instagram, full stop.

If you did turn it on, you had until 8 May to download your encrypted chat history through Settings → Your Activity → Download Your Information. After that date, what happens to the old encrypted threads is unclear. Meta has not said whether they will be converted to standard format, retained as inaccessible blobs, or deleted.

Without encryption, Meta can run automated content scanning, respond to law enforcement subpoenas with message contents, and, under privacy-policy language that permits using user data “to improve our products,” potentially feed conversation data into AI training or advertising models. Meta has said DMs are not currently used for ad targeting or AI training. That is a policy commitment, not a technical limit. Policies can change. Technical limits cannot, except by rebuilding the feature Meta has just removed.

Is WhatsApp safe? Is Messenger?

For now, yes. But with caveats.

WhatsApp messages and calls remain end-to-end encrypted by default. Messenger one-to-one chats are also encrypted by default as of late 2023, though group chat encryption is still opt-in. Both are owned by Meta. That ownership is not a disqualification on its own, but it is relevant context: the same company that just walked back a 2019 encryption commitment on Instagram is the company holding the encryption promise on WhatsApp and Messenger.

Encryption protects message content. It does not protect metadata — who you talk to, when, how often, for how long, from where. Meta sees all of that on WhatsApp and Messenger today, and the company uses it. Digital privacy researcher Harry Maugans put it bluntly to FOX 32 Chicago: Meta cannot read what you said, but it can see who you said it to, when, and how often, and that network “is very valuable in their algorithm.”

There is also the small matter that WhatsApp has stopped being just a messaging app. In the past three years it has added Channels, Communities of up to 2,000 members, in-app payments in some markets, voice chats in groups, AI image generation through Meta AI, business marketing APIs, and an upcoming usernames system rolling out later in 2026. Meta AI is now embedded in the chat interface. WhatsApp’s Advanced Chat Privacy setting, launched in 2025, exists specifically to stop Meta AI from being invoked in a chat — a feature that only needs to exist because the AI is now woven into a product that used to be a messaging app and nothing else.

For the everyday user, more features is not the same as more safety. It is more surface area.

And Kenya cannot just switch to RCS

In other markets, the standard advice when a messaging app gets worse is to fall back on the default texting layer. On Android that means RCS, the protocol Google has been pushing as an iMessage equivalent, with typing indicators, high-quality media, and — since the GSMA’s MLS rollout earlier in 2025 — end-to-end encryption between Android and iPhone.

That is not an option here. We already covered how RCS stopped working on Safaricom, Airtel and Telkom around August 2025, and how Safaricom has since started sending SMS prompts telling users to turn the feature off entirely. Apple never enabled RCS on iPhones connected to Kenyan carriers in the first place. The carriers are not incentivised to fix it: Safaricom alone earned KES 5.5 billion from SMS in the six months to September 2025, and a data-based replacement that does not generate per-message revenue is not a priority.

So in Kenya, the realistic options if you want a private conversation are narrower than they look from a US article. WhatsApp remains encrypted by default and is what most people already use. Signal works, costs nothing, and is the option privacy researchers recommend without hesitation. iMessage works between Apple devices. Instagram DMs are now off the list.

What to actually take from this

Instagram is still a fine place to send a meme. It is no longer a private place to send anything else. The encrypted-by-default option you might have assumed existed on a Meta platform never really existed on Instagram, and the workaround that did exist is now gone. If a conversation needs to stay between you and the person you are talking to, move it to WhatsApp, Signal, or iMessage, and accept that on WhatsApp the metadata trail is still visible to Meta.

The bigger thing to watch is whether the same logic comes for WhatsApp. The Take It Down Act applies to messaging platforms. The law does not carve out encrypted communications. The FTC’s warning letter does not address what happens when a covered platform cannot scan content because it has been mathematically prevented from doing so. If the answer to that question turns out to be “remove the encryption,” the next conversation will not be about Instagram.