Meta’s removal of end-to-end encryption from Instagram direct messages by May 8, 2026, is a symptom of structural conditions that allow privacy rollbacks to occur without meaningful accountability. Preventing similar rollbacks in the future requires structural changes — to legal frameworks, industry standards, corporate governance, and regulatory enforcement. Here are five structural changes that would make a difference.
Structural change one: privacy by default as a legal requirement. Legislation should require that privacy-protective features — including end-to-end encryption for private messaging — be enabled by default rather than offered as opt-in options. This would prevent the design pattern that produced Instagram’s low adoption numbers and eliminate the circular justification that low opt-in rates warrant removal.
Structural change two: mandatory notification for material privacy changes. Platforms should be legally required to provide prominent, direct, user-facing notification for material changes to privacy conditions — not through help page updates or revised historical posts, but through explicit communication that users cannot miss. This requirement should include a minimum notice period before the change takes effect.
Structural change three: corporate accountability for privacy commitments. Public privacy commitments made by platforms should carry legal weight. Companies that make specific public commitments about privacy features should be held to those commitments, with regulatory consequences for reversals that are not adequately justified and that do not meet minimum standards for user notification and consent.
Structural change four: independent oversight of platform privacy decisions. Major platform privacy decisions should be subject to independent oversight — whether through dedicated regulatory bodies, privacy impact assessments conducted by independent auditors, or other mechanisms that provide a check on unilateral corporate decision-making about user data.
Structural change five: prohibition on using privacy feature adoption data to justify removal. The circular logic of designing a feature to underperform and then removing it due to underperformance should be specifically addressed in regulatory frameworks. Platforms should not be permitted to cite opt-in adoption rates as justification for removing privacy features that they could have made default.