Instagram direct messages are no longer as private as many users assume, following Meta's decision to remove end-to-end encryption (E2EE) from the platform. The change, announced last week, has prompted digital security experts to warn users about the potential risks of sharing sensitive information through the app.
Why End-to-End Encryption Was Removed
Meta, which also owns Facebook and WhatsApp, first introduced E2EE as an opt-in feature for Instagram in 2023. However, due to low adoption rates, the company has now scrapped it entirely. While this may seem like a minor technical adjustment, the implications for user privacy are significant.
Kamran Bahdur, technical director at FLR Spectron, explains that without encryption, Instagram messages are not fully private. "Meta can access, scan, store, and display message content," he says. "Messages can also be used for AI purposes, such as training large language models."
The Postcard Analogy
Javvad Malik, cybersecurity advisor at KnowBe4, compares unencrypted messages to postcards rather than locked boxes. "Most people aren't sending state secrets, but privacy isn't about guilt. It's about boundaries. You close your curtains at home not because you're doing something illegal, but because you don't want strangers looking in," he notes.
Both experts advise moving sensitive conversations to more secure platforms like Telegram, Signal, or WhatsApp, all of which offer end-to-end encryption by default.
What Is End-to-End Encryption?
End-to-end encryption (E2EE) is a security feature that keeps messages private between the sender and recipient. When enabled, messages are scrambled into unreadable code during transmission and can only be decrypted by the recipient's device. This prevents the app provider, hackers, or internet service providers from reading the content.
Without E2EE, platforms may still protect messages in transit, but the company itself can potentially access, scan, or store conversation contents.
Risks of Sharing Personal Information
Users should be cautious about sharing any personal data on Instagram DMs, including:
- Bank details and financial information
- Dates of birth, home or work addresses
- National Insurance numbers
- Medical information
- Private disputes or legal issues
- Security codes and password recovery answers
Even seemingly harmless details, such as daily routines shared in real-time, can increase the risk of stalking. Biometric data, like clear facial images, poses a unique threat because it cannot be changed once exposed. Modern facial recognition systems can create a digital "faceprint" from high-quality images, potentially tricking verification systems used by banks and payment apps.
How to Protect Yourself
Meta has stated that instructions will be provided for users who wish to download their chat history. However, Javvad Malik recommends deleting sensitive conversations entirely to be safe. He emphasizes that privacy is a habit, not a single setting. "The danger is not just one message, but the pattern. A scammer, stalker, data broker, or hostile partner can build a profile from fragments," he warns.
Chris Linnell, associate director of data privacy at Bridewell, advises users to assume that anything shared in DMs could be accessed or exposed. "If privacy is a priority, people should familiarize themselves with the privacy features of different platforms and consider using services where end-to-end encryption is enabled by default," he says.
Ultimately, any information that could help someone impersonate, manipulate, locate, or profile you puts you at risk. By taking proactive steps—such as using encrypted apps and being mindful of what you share—you can better safeguard your digital privacy.
