
Beginning on May 8, end-to-end encryption (E2EE) was removed from Instagram's direct messages (DMs). Meta said the reason for reversing this policy was that too few people used the encryption feature.

Though Instagram had experimented with encrypted direct messaging in 2021 and rolled it out as an optional (opt-in) feature in 2023, it was never set as the default. Because the feature was buried too deeply, most users were unaware of its existence, allowing Meta to use the low adoption rate as the justification to eliminate it.

This decision is seen as a clear reversal of the privacy-first stance that CEO Mark Zuckerberg announced seven years ago. In reality, every message you send on Instagram today travels in a format that Meta can read. The company's privacy policy also lists the content of messages sent and received by users among the data they collect.

In principle, this allows Meta to use the data to personalize features, train artificial intelligence (AI) models, and deliver targeted ads. The policy leaves open the possibility that the company could use unencrypted Instagram messages for advertising purposes.

Commenting on Meta’s move, cybersecurity expert Ngo Minh Hieu, CEO of Chong Lua Dao (Anti-Scam), said that users have lost the most important layer of protection, which ensured that only the sender and recipient could read the content.

When that security layer disappears, messages can be processed, stored, and analyzed by the platform’s systems, or provided upon legal request.

“That doesn’t mean anyone can eavesdrop immediately, but the risk of exposure, internal misuse, server breaches, or data abuse becomes much higher,” Hieu emphasized.

Hieu also explained why messaging apps are becoming “data mining machines”: messages today are not just for communication, but also contain data about relationships, habits, locations, shopping preferences, and financial status.

For ad-driven platforms, the more detailed the data, the better the targeting. The “free” nature of these apps is sometimes paid for with users’ personal data and privacy.

Surge in “tailored” scam risks 

Meta often cites pressure from law enforcement agencies and child protection organizations, which argue that end-to-end encryption creates spaces where child sexual exploitation cannot be detected. However, research on sextortion shows that more than 50 percent of victims reported that perpetrators typically asked them to move to other platforms after initial contact.

Perpetrators contacted about 23 percent of sextortion victims in Australia through Instagram, making it the second most common contact method after Snapchat. 

So, the company’s safety approach needs to work effectively for both Instagram and its end-to-end encrypted services. Beyond online safety concerns, the biggest risk for ordinary users when messages are not encrypted is financial crime. 

Hieu warned that if behavioral data and chat contents are exploited, cybercriminals can build more personalized scam scenarios. They may know whether users are borrowing money, shopping, or traveling, which bank they use, and what problems they are facing.

“From this data source, bad actors can create more convincing phishing messages, impersonate managers or relatives, or use old voices and images to create deepfakes requesting money transfers. The most dangerous aspect is that scams are no longer mass-produced but ‘tailor-made’ for each victim,” Hieu said.

Given these risks, the expert advised users to be extremely cautious when discussing sensitive work, financial, personal identification or bank account information.

Users should prioritize applications with default end-to-end encryption, enable two-factor authentication and lock applications using biometrics. In particular, they should never send OTP codes, passwords, ID photos or card information through ordinary messages.

For any financial transaction, the golden rule is to always verify through an independent channel, such as a direct phone call or face-to-face confirmation, especially when there is an urgent request for money transfer.

Du Lam