In March 2026, Instagram updated its Help Center with a message – “End-to-end encrypted (“E2EE”) messaging on Instagram will no longer be supported after May 8, 2026”. Neither Instagram nor Meta stated why they have selected reverse gear on a feature that is meant to ensure privacy by design as well as online safety. In an article published soon thereafter, a Meta spokesperson cited low user adoption as the primary reason for rolling back E2EE on Instagram. As a member of the Global Encryption Coalition, SFLC.in analyses this development in light of the growing threat against strong encryption from governments across the globe as well as its dilution owing to design choices by platforms and Big Tech companies.

 

Meta’s changing stance on E2EE

 

Little over a year ago, Meta announced how it had undertaken a multi-billion dollar investment to rebuild its products with a privacy-preserving design. One of the significant steps to fulfill this ambition was to support e2ee for Messenger and view once functionality. Meta’s shift towards adopting strong encryption began with the integration of the Signal Protocol in WhatsApp. Committing to privacy-by-design ethics on one of Meta’s most widely used messaging applications signified the first step towards a more privacy-first ethos for instant messaging applications.

 

However, in 2021, Meta introduced an update to its Privacy Policy for its users in India. The update required all of WhatsApp’s users in India to agree to a greater amount of data collection (usage, log information, battery levels, signal strength, IP addresses, phone number area codes for general location estimation, payment method information, shipping details and transaction amount) or risk losing access to the messaging platform. Given its implications on competition and consumers, the matter was litigated before the Competition Commission of India, with subsequent appeals being filed in the National Company Law Appellate Tribunal as well as the Supreme Court of India.

 

Efforts to safeguard privacy were largely undermined by this update as it was resulting in extensive data collection and profiling of its users anyway. Comparatively, WhatsApp scored the lowest in SFLC.in’s Privacy Policy Analysis of Messaging Applications. Such concerns for digital privacy were further amplified when the former head of National Security Agency and Central Intelligence Agency stated that metadata profiling could be used to target and kill people.

 

Furthermore, unlike Messenger and WhatsApp, e2ee was never really rolled out as a default feature on Instagram. Instead, users had to opt-in to enable e2ee for their chats (which required quite a bit of navigation through a multiple series of menus). Citing low user adoption as the primary reason to deprive all users from privacy-by-design could be attributed to the fact that e2ee was never enabled as a default safeguard in the first place. Pushing the blame back onto users without analyzing the implications of such a design choice seems to miss the larger point.

The Bigger Picture: Analyzing the Security and Safety Imperative

Over the decades, governments, law enforcement agencies, child safety groups have asserted upon the necessity of diluting encryption to trace and arrest people who are engaging in terrorist activities, sharing and engaging in child sexual abuse and exploitation or online gender based violence. In numerous countries including India, laws have been passed to trace first originators of unlawful content on social media as well as instant messaging platforms. Some of the major instances of such laws are as follows –

 

• India: Rule 4(2) of the IT Rules 2021 required intermediaries to trace the first originator of a message on their platforms. This raised serious concerns for digital privacy, given that encryption cannot be diluted for a targeted set of users from a technical standpoint. This legal provision, along with many others in the IT Rules 2021, were later challenged in several petitions and is currently pending adjudication. Additionally, the Income Tax Act, 2025 was brought into force this year, a law that empowers the government officials to search and seize evidence including electronic devices as well as data stored on them. This law was also opposed by several civil society organisations, companies, and cybersecurity experts, including Global Encryption Coalition members, for establishing a dangerous precedent that undermines digital security and privacy.

 

• EU Chat Control: Initial versions of the proposed legislation would have mandated providers of encrypted communication services to introduce client side scanning capabilities to scan their users’ messages for child sexual abuse material. While recognizing the intention to protect children’s safety online, the Global Encryption Coalition Steering Committee underscored that this would undermine security and privacy for everyone who relies on encryption to preserve the confidentiality and security of their communication, including young people and survivors.

 

• United Kingdom: Despite being a landmark development in the space of online safety, the Online Safety Act, 2023 was criticised for including invasive mandates such as client-side scanning and age verification as measures to prevent harms such as child sexual abuse material, violence against women and girls, underage access to pornography, and misinformation.

 

Additionally, upon the notification of the Digital Personal Data Protection Rules (2025) (“DPDP Rules”), Rule 23 of the DPDP Rules along with Section 36 of the DPDP Act empowers the Central Government to call for information (which includes but may not be limited to personal data) from a platform company. The provision, however, is devoid of any procedural safeguards and therefore, severely undermines digital privacy of Indians. This provision (along with others) has been challenged in the matter of Geeta Seshu v. Union of India W.P. 9C) 275/2026. Instagram’s decision to discontinue e2ee, coupled with the extant legal frameworks that either allow unfettered access to a person’s private communications or require platforms to scan all content before transmission, poses serious concerns for government-led surveillance on platforms.

 

While protecting online safety for everyone in the online community is paramount, e2ee has served as a vital layer of protecting private communications. Technically, there are no ways in which encryption can be selectively diluted for a few bad actors and would have to be diluted for everyone. While combating harms such CSAM and online gender-based violence is critical, establishing safe harbor conditions that obligate platforms to implement technologies/mechanisms will undermine encryption, privacy and security for everyone. Both of these outcomes will undoubtedly compromise privacy as well as safety for individuals and groups who have long relied on encryption as a key safeguard.

 

The reality is far more nuanced and complex. Policymakers and governments do not have to choose safety over privacy, as both of these values run hand-in-hand. Organisations like Chayn have argued that the policy and technology interventions towards online gender based violence (“OGBV”) must ensure the human rights and civil liberties of women and gender minorities, and that privacy, security and free expression, are protected through the use of encryption. In their briefing, they have advocated for a human-rights centric approach rather than a protectionist approach to online safety for women and children. Additionally, they emphasize the fact that encryption ensures and protects all human rights, including those of women, gender and sexual minorities, girls and youth in at-risk communities.

 

Conclusion

 

As pressure from governments across the world continues to mount, Instagram’s decision to silently discontinue e2ee could be the first domino that sparks a chain reaction. Such developments cannot be viewed in isolation alone, given Instagram’s engagement in terms of monthly active users and messages sent on a daily basis. Going forward, it will be critical to focus on technological and legal solutions that do not juxtapose safety, privacy and free speech but instead harmonize these rights to build safer spaces for everyone online.