When Meta decided to remove end-to-end encryption from Instagram direct messages while retaining it on WhatsApp, the company implicitly established a privacy double standard within its own product ecosystem. Understanding why this double standard exists — and what it means — is essential context for evaluating Meta’s overall approach to user privacy.
WhatsApp has encryption as a core feature that is default-on for all users. It was acquired by Meta in 2014, and one of the most significant commitments Meta made at the time was to preserve WhatsApp’s privacy-first approach. That commitment has largely been honored in the technical domain, even as WhatsApp has been integrated more deeply into Meta’s commercial infrastructure in other ways.
Instagram’s relationship with encryption was fundamentally different. Encryption arrived on Instagram as an opt-in feature in 2023, after years of delay. It was never default-on, never universal, and never central to Instagram’s product identity. The removal of this limited feature is, from Meta’s perspective, a much lower-stakes decision than removing encryption from WhatsApp.
The commercial logic behind this differentiation is clear. WhatsApp users have a strong, explicit expectation of privacy. Removing their encryption would generate immediate, intense backlash — not just from privacy advocates, but from the hundreds of millions of users who chose WhatsApp specifically because of its privacy credentials. The cost-benefit calculation for removing WhatsApp’s encryption is negative. For Instagram, where the encryption expectation was weaker and the feature adoption was limited, the calculation was different.
But the double standard has a structural implication that users should understand. If you use Instagram DMs for communication that you consider private, the platform’s treatment of your data is now fundamentally different from how WhatsApp handles it. The same company, operating two platforms with different privacy architectures, is applying different standards to different user populations. That differentiation is not incidental — it reflects Meta’s assessment of where privacy expectations are strongest and where they can be most easily revised without user backlash.