Before It’s Too Late: 7 Instagram Privacy Settings to Lock Down Before May 8

    With encryption removed, your Instagram privacy settings are now the only line of defence you have left. Meta killed end-to-end encryption on May 8, and that protection is gone. What remains are a handful of account-level controls that most users have never touched, buried inside menus designed to be ignored.

    This is not a scary article. These are seven specific settings, with exact navigation paths, that reduce your exposure starting right now.

    Why Instagram Settings Matter More Now Than They Ever Did

    This shift toward AI training is a primary reason for the sudden policy change. To understand the timeline of the Take It Down Act and how it forced Meta’s hand, see our full analysis of the encryption rollback.

    E2EE Is Gone: Account-Level Settings Are Your Only Remaining Shield

    As of May 8, every Instagram DM you send travels from your device to Meta’s servers where it lands in a readable, scannable, legally requestable format. Without end-to-end encryption, Meta regains the ability to access message content for purposes including content moderation, safety scanning, advertising, and compliance with legal requests.

    The encryption layer was your technical guarantee. It did not rely on trusting Meta. Account settings, by contrast, rely entirely on Meta honouring them. That is a weaker protection. But it is what you have.

    What Meta Can Collect From Your Account Right Now

    Messages are not the only exposure. Instagram tracks attention patterns: how long you pause on posts, whether you rewatch Stories, which Reels you skip, all measured in milliseconds. It tracks engagement velocity: how fast you like, comment, and respond to specific content types. None of the seven settings below stop that collection. They reduce your messaging exposure, limit third-party access, and cut off the most preventable data leaks.

    Setting #1: Restrict Who Can Message You

    How to Limit DM Access to “People You Follow” Only

    Path: Settings → Privacy → Messages → Message Controls → set “Message Requests” to People You Follow

    This stops strangers from landing in your main inbox entirely. Unrecognised senders go nowhere.

    How to Turn Off Message Requests From Strangers Completely

    Under the same menu, set “Others on Instagram” to Don’t Receive Requests. Combined with the above, only accounts you already follow can initiate a conversation.

    Why This Matters: Unknown Senders Are the Highest-Risk Entry Point

    Over a million seniors fell victim to fraud in the past year, with AI-powered attacks including deepfakes, voice cloning, and romance scams growing at an estimated 17 times year over year. The entry point for almost all of them: a cold message from a stranger. Closing this door costs you nothing.

    Setting #2: Disable Meta AI Training on Your Conversations

    What Meta AI Collects From Your Instagram DMs in 2026

    Meta AI can access message content, search queries, engagement patterns, and interaction history to provide contextual responses. After May 8, that content is no longer encrypted. Meta AI and your unprotected DMs now occupy the same infrastructure.

    How to Submit an AI Data Objection via Account Centre (Desktop Only)

    Navigate to Account Center → Your information and permissions → Your activity off Meta technologies. An objection form is available there. Submit it with a reason such as “I object to my data being used for AI training.”

    This only works on desktop. Meta has not explained why. The friction is intentional.

    Users Outside EU/UK: What You Can and Cannot Opt Out Of

    Users outside the EU and UK cannot fully disable AI data training. Setting accounts to private reduces data exposure but does not stop scraping of public posts. Even if you opt out, Meta can use photos and comments that others post about you.

    Indian users: the DPDP Act (Digital Personal Data Protection Act, 2023) gives you the right to object to automated data processing. Use the Account Centre form and cite this right explicitly.

    Setting #3: Switch From SMS 2FA to an Authenticator App

    Why SMS Two-Factor Authentication Is Actively Dangerous in 2026

    SMS 2FA is vulnerable to SIM-swap attacks. In a SIM swap, a criminal calls your mobile carrier, impersonates you using personal information found online, and convinces the carrier to transfer your phone number to a SIM card they control. Once they have your number, they have your 2FA codes. Your account is gone in minutes.

    Step-by-Step: Setting Up Aegis (Android) or 2FAS (iOS/Android) With Instagram

    1. Download Aegis (Android, free, open-source) or 2FAS (iOS and Android, free)
    2. In Instagram: Accounts Centre → Password and Security → Two-factor Authentication → Authentication App
    3. Scan the QR code shown with your chosen app
    4. Enter the 6-digit code to confirm
    5. Save your backup codes somewhere offline: printed paper, not a screenshot

    Path: Accounts Centre → Password and Security → Two-factor Authentication → Authentication App

    What to Do If You Lose Access to Your Authenticator App

    Instagram generates backup codes during 2FA setup. Each code is single-use. If you did not save them, go to Settings → Accounts Centre → Password and Security → Two-factor Authentication → Recovery Codes to regenerate a new set. Do this now, before you need them.

    Setting #4: Audit and Revoke Third-Party App Access

    How to See Which Apps Have Access to Your Instagram Account Right Now

    Path: Settings → Privacy → Apps and Websites

    Every app listed here has some level of access to your Instagram data. Most users have five to fifteen apps they have forgotten about: old contest entries, third-party schedulers, quiz sites.

    What to Remove Immediately

    Start by removing anything you do not actively use. Any app requesting “read messages” permissions should go next. If you cannot identify the developer, delete access immediately.

    The January 2026 Instagram Data Breach

    In January 2026, a dataset containing 17.5 million Instagram records, including 6.2 million email addresses and partial phone numbers, appeared on BreachForums. Third-party apps with stale permissions are a primary vector for this type of breach. Revoking access costs you nothing. Leaving it costs you everything if a connected app is compromised.

    Setting #5: Lock Down Your Profile Visibility

    Private vs. Public Account: What Actually Changes for Your Data Collection

    Switching to private stops non-followers from seeing your posts. It does not stop Meta from collecting your data. The distinction matters. You are reducing public exposure, not platform-level surveillance.

    Path: Settings → Privacy → Account Privacy → toggle Private Account

    How to Hide Your Activity Status, Online Presence, and Read Receipts

    Path: Settings → Privacy → Messages → Show Activity Status → Off

    This hides when you were last active and removes read receipts from DMs. Small change. Meaningfully reduces social engineering risk.

    Business and Creator Accounts: The Hidden Privacy Trade-Off

    Business and creator accounts cannot be set to private. Their contact button is fully public and every visitor sees your listed phone number and email. If you switched to a professional account purely for analytics access, ask yourself whether that trade-off still makes sense after May 8.

    Setting #6: Control What Meta Shares With Advertisers

    How to Turn Off “Activity Off Meta Technologies” Data Sharing

    Path: Accounts Centre → Your information and permissions → Your activity off Meta technologies → Disconnect Future Activity

    This stops Meta from receiving data about you from third-party websites and apps that have Meta’s tracking pixel embedded. It does not delete historical data already collected; that requires a separate deletion request.

    What These Settings Do, and What They Deliberately Cannot Do

    These controls stop future data sharing from external sites. They do not stop Meta from collecting data generated by your activity inside Instagram. Browsing Explore, watching Reels, liking posts: all of that continues feeding Meta’s ad profile on you regardless of this setting.

    Know what you are actually changing before assuming you are protected.

    Setting #7: Move Sensitive Conversations Off Instagram Entirely

    Signal vs. WhatsApp vs. Telegram: Which Is Right for Which Conversation Type

    Platform | E2EE Default | Metadata collected | Best for
    Signal | Yes (open-source, audited) | Minimal | Journalists, activists, high-sensitivity
    WhatsApp | Yes (Signal protocol) | Who/when/how often | Friends, family, general private use
    Telegram | No (opt-in Secret Chats only) | Significant | Broadcast channels, not private DMs

    Meta’s own spokesperson confirmed that users who want end-to-end encryption can move to WhatsApp. That is accurate: WhatsApp still uses the Signal protocol for one-to-one chats as of May 2026. Signal, however, is owned by a nonprofit foundation and collects no advertising data.

    For Indian Users: DPDP-Aligned Platforms

    Signal and WhatsApp both operate data centres outside India but provide DPDP-compliant data deletion mechanisms. Under the DPDP Act 2023, you have the right to request deletion of your personal data from either platform. Telegram does not have a clear DPDP compliance framework, so avoid it for anything sensitive.

    The Settings Meta Hopes You Never Find

    How to Download Everything Instagram Holds on You

    Path: Settings → Your activity → Download your information → Request a download

    Choose JSON format. Request all categories. This file includes your messages, search history, ad interests, inferred data, and every interaction Instagram has logged. Read it once. It is instructive.

    Check If Your Email Was in the January 2026 Breach

    Go to haveibeenpwned.com and enter the email address associated with your Instagram account. The January 2026 Instagram breach added 6.2 million email addresses to HaveIBeenPwned’s database. If your email appears, change your Instagram password immediately and check whether that password was reused on any other service.

    Add a Carrier-Level SIM PIN: The Step Most Guides Skip

    Call your mobile carrier and request a SIM PIN and an in-store-only verification requirement for number transfers. Even after upgrading from SMS 2FA to an authenticator app, your phone number remains a target; a determined attacker can still attempt a SIM swap if your carrier has no additional friction in place. This takes five minutes. Most people never do it.


    The Hard Truth About Instagram Privacy in 2026

    None of these seven settings restore what May 8 removed. End-to-end encryption was a technical guarantee. Settings are a contractual promise, and Meta can change that contract.

    In the span of two weeks, two of the world’s largest social media platforms signalled they are done treating privacy as an unconditional promise. TikTok never had E2EE. Instagram just removed it. The direction of travel is clear.

    Apply these settings today. Move sensitive conversations to Signal. And treat every Instagram DM you send from May 8 onwards the same way you would treat an email, because that is exactly what it is now.

    Rohit

    Rohit Kumar is an experienced tech expert and content creator who simplifies technology. Through his website, he provides insightful articles, practical tips, and expert analysis on mobile specs, PC/laptop news, and how-to guides, empowering users to make informed tech decisions.
