Your Instagram DMs Are No Longer Private: Here's What Meta Can See Now

If you've ever sent a private message on Instagram thinking it was just between you and the other person, that changed on May 8, 2026.

Meta quietly removed end-to-end encryption from Instagram direct messages. Here's what that means in plain English, and what you should know.

What Actually Changed

Instagram used to offer an optional feature that let you send encrypted messages, meaning only you and the recipient could read them, not even Instagram. It's gone now.

As of May 8, your Instagram DMs use standard encryption. That's not the same thing. Standard encryption protects your messages while they travel between your phone and Instagram's servers. But once they arrive, Meta can read them.

Meta says the reason is low adoption. Not enough people used the encrypted option. Critics point out it was never turned on by default, so most users never knew it existed.

What Meta Can Now See in Your DMs

According to Meta's own privacy policy, Instagram collects and can access:

The content of your messages, meaning what you actually wrote
Photos and videos you send in DMs
Who you message and how often
Voice messages shared in chats
Links and content shared between users

And here's the part that surprises most people: this data doesn't stay inside Instagram. Meta shares information across its family of apps: Instagram, Facebook, and Messenger all operate under the same data infrastructure. A DM you send on Instagram feeds into the same system as your Facebook activity.

We ran Instagram's privacy policy through our analysis tool. Beyond messages, Instagram also collects your precise GPS location, device identifiers, browsing activity outside the app, and voice interactions with Meta AI. See the full breakdown here.

Why This Matters More Than You'd Think

Most people didn't know Instagram had any encryption option at all. So why does removing it matter?

Because the assumption of privacy matters. People share things in DMs they wouldn't post publicly: personal news, relationship conversations, health questions, financial details. The reasonable expectation was that private messages stayed private.

Now they don't. Meta can access that content, for moderation, for safety enforcement, and according to their policy, potentially in response to legal requests from law enforcement agencies worldwide.

This also comes just weeks after a separate Instagram breach exposed 20,000+ accounts including private messages, a reminder that any data Meta holds is only as safe as Meta's security.

What You Can Do

1. Use a messaging app that has end-to-end encryption on by default. Instagram DMs never had encryption turned on by default, and now the option is gone entirely. If you need to share something sensitive, look for messaging apps that explicitly state end-to-end encryption is on by default, meaning even the app maker can't read your messages.

2. Assume anything in your Instagram DMs could be read. Don't send anything in Instagram DMs you wouldn't be comfortable with Meta, or a court, reading. That's not paranoia, it's just the reality of how the platform works now.

3. Check whether your other messaging apps offer encryption. Not all messaging apps are equal on privacy. Before sending something sensitive, it's worth checking whether the app you're using has end-to-end encryption, and whether it's on by default or something you have to enable manually.

4. Review what else Instagram collects. Messages are just one part of Instagram's data picture. The app also tracks your location, activity outside the app, and device information. See the full plain-English breakdown of what Instagram collects.

The Bigger Picture

Instagram is not unique in this. Most social media platforms can read your private messages. What changed here is that a feature that gave users more control was taken away, without much notice, and without being replaced by anything better.

If private communication matters to you, the safest approach is to use a dedicated messaging app that offers end-to-end encryption by default, rather than the DM feature built into a social platform. Social platforms are built for engagement, not privacy.

WhatDoTheyCollect is a privacy policy research tool, not a cybersecurity firm. This post summarises findings from reputable sources to help everyday users understand what's happening with their data.