Security specialists have issued fresh guidance after Meta made changes to Instagram direct messages, warning that chats may be less private than many users assume.
Meta, the company behind Facebook and WhatsApp, removed end-to-end encryption (E2EE) from Instagram DMs last week, after first rolling it out as an optional setting in 2023.
The company reportedly said the feature saw limited use, leading to the decision to discontinue it.
Although the change may not worry everyone, experts speaking to the Metro said the update raises important privacy considerations and shared steps users can take to reduce risk.
E2EE is intended to keep messages confidential by converting them into unreadable code while they travel between devices; they are decrypted only when they reach the intended recipient.
With E2EE in place, no one in the middle—including the platform itself, internet providers, or criminals attempting to intercept data—should be able to read the content.

Kamran Bahdur, technical director at FLR Spectron, told the outlet the latest Instagram update means users shouldn’t assume their DMs are fully private.
“Without encryption, Meta can access, scan, store, and display message content,” Bahdur explained.
“Messages can also be used for AI purposes [to train large language models].”
He suggested moving any particularly sensitive discussions to other services that still offer E2EE by default, such as WhatsApp.
That includes messages containing financial information, National Insurance numbers, medical details, or home addresses, which experts said are best kept off Instagram DMs.
Javvad Malik, a cybersecurity advisor at KnowBe4, said Instagram messages are far less secure than many people imagine, describing Instagram DMs as ‘more like postcards than locked boxes’.

He also noted that privacy concerns aren’t limited to extreme cases, but are about personal boundaries.
“Most people aren’t sending state secrets, but privacy isn’t about guilt. It’s about boundaries.
“You close your curtains at home not because you’re doing something illegal, but because you don’t want strangers looking in.”
As an extra precaution, Malik said users may want to remove older messages that include personal or sensitive details.
“Privacy is not one setting. The danger is not just one message, but the pattern. A scammer, stalker, data broker or hostile partner does not need your whole life story in one go. They can build it from fragments. Instagram DMs often feel casual, but casual information can become very powerful in the wrong hands.”

