Meta and ISPs to Gain Access to Private Instagram DMs
- Meta has disabled a privacy feature for Instagram Direct Messages, a move that allows both the company and internet service providers to access private communications between users.
- The removal of this feature means that messages sent via Instagram DMs are no longer shielded from the entities that facilitate the transmission of the data.
- This technical shift is linked to concerns regarding pupils being influenced by harmful online content.
Meta has disabled a privacy feature for Instagram Direct Messages, a move that allows both the company and internet service providers to access private communications between users. The change, identified on May 9, 2026, removes a layer of protection that previously restricted the visibility of these messages.
The removal of this feature means that messages sent via Instagram DMs are no longer shielded from the entities that facilitate the transmission of the data. Because the messages are no longer protected by the specific privacy mechanism in question, internet service providers (ISPs) can potentially intercept the data as it travels across their networks, and Meta can access the content within its own systems.
This technical shift is linked to concerns regarding pupils being influenced by harmful online content. The move aligns with the PA2026 framework, which focuses on the protection of minors and the mitigation of negative influences on students within digital environments.
The Technical Impact of Reduced Privacy
In typical encrypted messaging environments, end-to-end encryption ensures that only the sender and the recipient can read the content of a message. When such features are disabled or removed, the data is often encrypted only in transit between the user and the server, rather than from end-to-end.
This distinction is critical because it allows the service provider—in this case, Meta—to decrypt the messages on their servers. If the transport layer security is bypassed or if the provider is required to share data, the ISP can gain visibility into the traffic flowing through its infrastructure.
For the average user, this means that the expectation of absolute privacy in Instagram DMs has changed. Communications that were once private are now subject to monitoring and data access by the platform operator and the network providers.
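The difference between the two models described above, as an added example that is not from the original article and not Meta's code: a relay that terminates per-hop encryption reads the message, while a relay that only forwards an end-to-end envelope cannot. The party names, the `relay` role, the `dm-demo` label and the X25519/AES-256-GCM construction are assumptions chosen for illustration, not Instagram's actual protocol.

```javascript
// Added example: keys and message are constructed; "relay" stands in for the platform's server.
const crypto = require('node:crypto');

const newParty = () => crypto.generateKeyPairSync('x25519');

// Derive a 32-byte AES key from an X25519 shared secret via HKDF-SHA256.
function sessionKey(myPrivate, theirPublic) {
  const shared = crypto.diffieHellman({ privateKey: myPrivate, publicKey: theirPublic });
  return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'dm-demo', 32));
}

function seal(key, text) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([c.update(text, 'utf8'), c.final()]);
  return { iv, body, tag: c.getAuthTag() };
}

function unseal(key, { iv, body, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(body), d.final()]).toString('utf8');
}

// Transit-only: each hop is encrypted to the relay, which decrypts and re-encrypts.
function transitOnly(sender, relay, recipient, text) {
  const uplink = seal(sessionKey(sender.privateKey, relay.publicKey), text);
  const seenByRelay = unseal(sessionKey(relay.privateKey, sender.publicKey), uplink);
  const downlink = seal(sessionKey(relay.privateKey, recipient.publicKey), seenByRelay);
  const delivered = unseal(sessionKey(recipient.privateKey, relay.publicKey), downlink);
  return { seenByRelay, delivered };
}

// End-to-end: the sender encrypts to the recipient's key; the relay only forwards.
function endToEnd(sender, relay, recipient, text) {
  const envelope = seal(sessionKey(sender.privateKey, recipient.publicKey), text);
  let seenByRelay = null;
  try {
    seenByRelay = unseal(sessionKey(relay.privateKey, sender.publicKey), envelope);
  } catch (e) { /* GCM tag check fails: the relay derives a different key */ }
  const delivered = unseal(sessionKey(recipient.privateKey, sender.publicKey), envelope);
  return { seenByRelay, delivered };
}
```

In both functions the recipient gets the same text; only `seenByRelay` differs, which is the property that changes when end-to-end encryption is turned off.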
Safety and Regulatory Context
Meta has indicated that the decision to turn off this privacy feature is driven by the need to address the influence of online content on pupils. The platform is attempting to balance user privacy with the necessity of identifying and preventing the spread of harmful material among younger users.
The tension between encryption and safety has become a central point of contention for regulators. While encryption protects users from surveillance and data breaches, it also creates blind spots for platforms trying to enforce safety guidelines or detect illegal activity involving minors.
By removing these privacy barriers, Meta can more effectively implement automated scanning tools and human moderation to detect content that may violate safety policies or harm students. This approach is a direct response to the goals outlined in PA2026, which emphasizes the responsibility of platforms to safeguard pupils from digital harms.
Industry Implications
This move reflects a broader trend where internet platforms are prioritizing safety-by-design and regulatory compliance over total user anonymity. As governments introduce stricter laws regarding child safety online, tech companies are increasingly forced to modify their encryption standards to allow for lawful intercept or safety monitoring.
The fact that internet service providers can now also access these messages adds another layer of complexity to the data privacy landscape. It expands the number of entities that have potential access to private user data, increasing the surface area for potential data leaks or government requests for information.
Users who require high levels of privacy for their communications may need to seek alternative platforms that maintain strict end-to-end encryption, as Instagram’s current architecture now prioritizes content visibility for safety and regulatory purposes.
