Messaging apps retreat from privacy protections

Instagram has stopped end-to-end encryption of messages, TikTok has ruled out E2EE entirely, and WhatsApp is facing a lawsuit over employees being able to read user messages.


In May, U.S. company Meta removed end-to-end encryption on Instagram, citing a "too low activation rate."


It had introduced E2EE as an opt-in feature in 2021, requiring users to dig deep into settings to enable it.


In March, a TikTok spokesperson in the U.S. told U.K. state broadcaster BBC there were no plans to implement E2EE in its direct messaging feature.


Meta's other platform, WhatsApp, is entangled in privacy-related litigation in the U.S., with plaintiffs from countries including Australia, Brazil, and India.


According to Russian news outlet RT, the company is accused of allowing employees and third parties to access users' private messages in breach of its original security commitments.


In the wake of the WhatsApp controversy, X owner Elon Musk and Telegram founder Pavel Durov both declared that WhatsApp's security promises amount to "the lie of the century."


Durov wrote on X: "Only an idiot would trust WhatsApp in 2026. When analyzing how WhatsApp implements encryption, we found multiple vulnerabilities that could be exploited."


By removing E2EE, apps like Instagram revert to standard transport encryption (such as TLS/HTTPS), which protects messages only in transit between the device and the server. On Meta's servers, the messages exist in plaintext that its systems can read.


If a message is the equivalent of a letter, the absence of E2EE means it is sent without being sealed in an envelope.


Postal workers (the messaging servers) or anyone else can read the contents.


Even more worryingly, the letter carriers (the messaging service providers) can log everything about a user's preferences, habits, and interests, and sell that data to advertising companies or use it to train AI.


A few popular messaging apps


About-face by major tech companies


According to British newspaper The Guardian, at Facebook's annual F8 developer conference in the United States in April 2019, CEO Mark Zuckerberg declared: "The future is private."


He committed at the time to restructuring the entire infrastructure and merging the messaging systems of WhatsApp, Messenger, and Instagram into a single privacy-focused platform, with end-to-end encryption at its core.


"I know that we don’t exactly have the strongest reputation on privacy right now, to put it lightly. But I’m committed to doing this well," Zuckerberg said.


However, Instagram's quiet killing of E2EE after seven years signals that Meta has changed course and is willing to sacrifice user privacy when it conflicts with regulations or other business interests.


Similarly, TikTok has stated it does not apply end-to-end encryption to messages in order to "balance user privacy with the ability to respond to scams, harassment, and other safety concerns."


Experts point to two main reasons why some popular messaging services are dropping E2EE. First, user data can be used to train AI models or optimize targeted advertising algorithms, an increasingly vital interest for many companies in the current fierce race to develop AI and grow advertising revenue.


According to Forbes, in 2024 Meta updated its privacy policy in Europe to allow it to use posts, images, and interactions, including unencrypted messages, to train its Llama AI model.


The company is said to have used vague language in its terms of service to grant itself data collection rights without explicit user consent, drawing sharp criticism from European privacy rights group NOYB.


The second reason is that social media platforms are facing increasing regulatory scrutiny.


In the U.S., the Take It Down Act requires platforms to remove harmful content within 48 hours, giving companies a rationale for not adopting E2EE so they can more easily scan messages for prohibited content.


TikTok's decision not to use end-to-end encryption also received support from the Internet Watch Foundation (IWF), though experts warn that over one billion users could be left vulnerable without adequate data protection.


Users learning to protect their own data


Meta justified removing E2EE on open platforms like Instagram by saying it reduces friction for users who would otherwise need to verify security codes with each other, effectively signaling that privacy protection is no longer the company's top priority.


According to U.S. magazine Wired, this could trigger a domino effect, with other social networks using Instagram's reasoning as cover to strip their own messaging services of encryption.


According to cybersecurity expert Ngo Minh Hieu, the fact that a major app like Instagram has dropped E2EE is a worrying sign.


"We should treat services like Instagram and TikTok as no longer suitable for sharing passwords, OTP codes, financial information, personal documents, or sensitive content."


For important exchanges, he recommends that users prioritize apps that offer E2EE by default, are technically transparent, and have undergone independent audits, and that they never assume any chat app from a well-known company is completely safe.

He also stressed that users need to develop stronger personal data awareness, since E2EE is not an absolute safeguard either. In practice, beyond message content, apps can still collect metadata, such as who is messaging whom, timestamps, device information, IP addresses, contact lists, and usage behavior, not to mention risks from cloud backups, compromised devices, AI features, and legal demands from authorities.
