
What Instagram's Encryption Reversal Says About How Tech Companies Treat Privacy
Decode spoke to researcher Davi Ottenheimer about Instagram stepping back from end-to-end encryption for DMs and what it signals for platform privacy.


Instagram’s move to remove E2EE for DMs marks a shift in private communication. We examine not just the technical impact, but the questions it raises about tech companies’ privacy promises.
Instagram has removed end-to-end encryption (E2EE) for direct messages, walking back a feature Meta once placed at the centre of its case for private communication. The company has blamed low user adoption. What that explanation leaves out is that the protection was never on by default on Instagram.
It stayed an opt-in setting buried inside menus, and it has now been removed altogether.
That detail matters because Meta had publicly committed to the opposite. A 2022 post by Meta announced it was testing default end-to-end encryption for Instagram DMs; the same post has since been edited to announce the feature's removal, again citing low opt-in.
Privacy advocates have called the reasoning disingenuous, arguing that adoption was low precisely because the option was hard to find and harder to turn on.
The reversal also lands at a moment when governments are pressing platforms for greater access to private communications to tackle terrorism, child sexual abuse, and trafficking.
The UK Online Safety Act, EU "chat control" proposals, and pressure from the US Department of Justice have all put encryption in the crosshairs. That raises a longer-running question: are features like end-to-end encryption genuine commitments, or do they shift with usage and incentive?
To understand what the decision means for users, Decode spoke to Davi Ottenheimer, a security expert with more than three decades of experience across security engineering, incident response, and digital forensics. He has led security and trust roles at companies including Yahoo, VMware, and MongoDB.
Here are the edited excerpts from the interview.
Meta says low user adoption is the reason why it is ending E2EE on Instagram. What do you make of that claim?
I think it is pretty clear they made it difficult for people to use it. So saying it is the user's fault, that they didn't use it, is disingenuous. People didn't use it because it wasn't made usable, and that is the fault of the company, not the user. The company also never disclosed the actual opt-in numbers.
One of the things we see most often with big tech is a lack of transparency around decisions. They say there is low adoption, but they don't give us visibility into the numbers. They didn't show us at the beginning, nor did they show progress over the years or the lack of it.
Suddenly, they have a reason and we are supposed to accept it without independent validation. You can also look at it the opposite way. In a properly regulated environment, not having encryption would be a risk. Failing to get adoption would actually be a liability, because they are introducing risk by not pushing encryption.
Can you walk us through the technical difference between end-to-end encryption and standard encryption? What changes now?
End-to-end encryption means a message stays private the entire time it is being sent. For instance, from the moment Alice sends it to when Bob receives it, no one in between, not even the platform itself, can read it.
Standard or stored encryption works differently. In that case, messages are protected while they sit on servers, but the service provider can still decrypt them if required.
In practice, strong security is built in layers. Messages are protected while they travel across the internet, while they are stored, and sometimes even while they are being processed. End-to-end encryption is one of those key layers. When you remove it, you are not removing encryption altogether, but you are taking away the layer that ensures no intermediary can read the message.
The UK Online Safety Act, EU chat control proposals, and US DOJ pressure have all targeted encryption. Is this decision about adoption, regulation, or both?
The best way to look at it is that Meta isn’t really driven by regulation. They flagrantly violate regulations, pay fines, and continue.
So the idea that they are reacting to regulation doesn’t add up to me. It is almost the opposite. There is very little that actually holds them accountable. When they give reasons, they are usually self-serving. They are doing what they think is best for them, not for users, and certainly not for regulators, who are supposed to represent users.
On the child safety vs. privacy debate, can platforms balance both, or is this still an unresolved trade-off?
I have worked on this for a long time, and I think the answer is to innovate in ways that benefit users. Weakening encryption is not the solution. There are still ways to go after criminals, especially by targeting endpoints, where the data is actually accessible.
Weakening encryption just exposes more people to harm. It’s like asking everyone to remove locks from their doors so law enforcement can do their job more easily. That doesn’t make sense. You make systems stronger and still find ways to enforce the law. Regulators should be pushing for stronger encryption, better key management, and better collaboration with those working to protect people.
At the same time, I am a big believer in regulation. You can’t have completely unregulated speech, but it’s complicated. Who defines harm, and who decides what to act on?
That said, removing encryption clearly increases harm. Encryption is a protection. If you lose privacy, you increase exposure to harm. Yes, bad actors use privacy too, which is why detection matters, but weakening protections for everyone is not the answer.
There have been lawsuits in the US questioning whether WhatsApp’s encryption was as absolute as claimed. When a platform says that it is end-to-end encrypted, what would it take to truly verify such a claim?
I have been an outspoken opponent of how WhatsApp was marketed as secure. I believe it was misleading from the beginning.
There have been multiple instances, reported by journalists and observed by experts, where the encryption didn’t work the way people thought. In some cases, messages could still be accessed, which means it wasn’t truly end-to-end encrypted.
Even beyond that, people assume end-to-end encryption also protects the endpoints, which it doesn’t. This distinction is often misunderstood. End-to-end encryption protects messages in transit, but not on the sender’s or receiver’s device. This leaves room for access through backups, compromised devices, or platform-side processes.
To fix this, we need more transparency and better scrutiny. Meta should allow journalists and independent experts to evaluate these claims more critically.
Also, Meta used Signal’s encryption but modified it. When they adapted it into WhatsApp, they made changes that made it less secure than Signal itself. So they pushed users toward a weaker version, even though a stronger one was available.
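The two points above, that the difference between end-to-end and server-side encryption comes down to who holds the key, and that E2EE stops at the device so backups and compromised endpoints remain exposed, as an added toy simulation (not from the interview or any Meta code). It assumes a pre-shared key between Alice and Bob for the E2EE case and uses a SHA-256 counter-mode keystream as a stand-in cipher, constructed for illustration only.

```python
import hashlib
import secrets
from typing import Optional


def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode). Constructed for illustration, not for real use."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


class Relay:
    """The platform's server. It stores every blob it forwards; whether it can
    read them depends only on whether a decryption key ever reaches it."""

    def __init__(self, key: Optional[bytes]):
        self.key = key          # None models E2EE: the server never holds the key
        self.stored = []        # messages "at rest" on the provider's side

    def forward(self, nonce: bytes, blob: bytes) -> None:
        self.stored.append((nonce, blob))

    def provider_view(self) -> list:
        """What the provider (or anyone who compels it) can recover from storage."""
        if self.key is None:
            return [None for _ in self.stored]   # opaque ciphertext only
        return [xor_stream(self.key, n, b) for n, b in self.stored]


def send(msg: bytes, e2ee: bool) -> dict:
    """Alice -> platform -> Bob under either trust model; returns each party's view."""
    key = secrets.token_bytes(32)   # E2EE: shared only by Alice and Bob (pre-agreed, assumed);
    relay = Relay(key=None if e2ee else key)   # server-side model: provider generates and keeps it
    nonce = secrets.token_bytes(12)
    blob = xor_stream(key, nonce, msg)   # encrypted on the wire and at rest in both models
    relay.forward(nonce, blob)
    bob_plain = xor_stream(key, nonce, blob)   # Bob decrypts on his device
    device_backup = bob_plain   # plaintext now lives on the endpoint; a device backup copies it
    return {
        "wire_is_plaintext": blob == msg,
        "provider_view": relay.provider_view()[0],
        "bob_view": bob_plain,
        "backup_view": device_backup,
    }
```

In both models the wire and the server's storage hold ciphertext; only the E2EE run leaves the provider with nothing to decrypt, and in neither run does encryption cover the plaintext sitting in Bob's device backup.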
In 2019, Zuckerberg said “the future is private” and promised encryption across Meta apps. By 2023, Messenger had it. Now Instagram is rolling it back. What does that say about Meta’s privacy promise?
To me, it shows these are not durable commitments—they’re situational.
Big tech says things to convince people to join. Their metric is getting the most people in, as fast as possible. So they will say “privacy” today because that’s what people want in the market.
It’s like—what is everyone asking for? Bananas. Okay, then we serve bananas. Do you actually have bananas? No. But say you do, get people into the restaurant, and figure it out later.
That’s classic hype marketing. The messaging changes based on what works in the moment, but the underlying behaviour doesn’t. There is no real long-term accountability to the promise itself.
So “the future is private” ends up being more of a branding exercise than a real technical or policy commitment. And without transparency or accountability, there is nothing stopping them from reversing course when it suits them.
