Meta's Messenger application gathers 32 out of 35 possible data types tracked by app stores - more than any other messaging platform currently available, according to new research from cybersecurity firm Surfshark. The findings land at a particularly sensitive moment: Meta has announced it will remove end-to-end encryption from Instagram direct messages starting May 8, 2026, a move that cybersecurity experts say fundamentally alters what users can expect when they communicate privately on the platform.
What "Data Hungry" Actually Means for Ordinary Users
The phrase "data collection" is easy to tune out - it has become ambient noise in the digital age. But the scale Surfshark identifies with Messenger is worth pausing on. Collecting 32 out of 35 data types means the application is gathering information that spans your identity, your behaviour, your contacts, your location, your browsing habits, and more. This data feeds the machinery of behavioural analysis and personalised advertising - the economic engine that powers Meta's business model.
Nikodemas Zaliauskas, a cybersecurity expert at Surfshark, put it plainly: "It's crucial to understand that users aren't just sharing information with a friend, but they're actually providing data to the company that owns the app." Every conversation, then, is also a data transaction - one that most users neither consciously initiate nor fully understand.
This is not unique to Meta, but the company sits at an extreme end of the spectrum. Popular platforms, Zaliauskas notes, collect user data for advertising, product personalisation, behaviour analysis, and tracking. The difference is one of degree - and Messenger's degree is exceptional.
Removing Encryption from Instagram: What Is Actually Changing
End-to-end encryption works like a locked box to which only the sender and recipient hold keys. When a message leaves your device, it is scrambled in a way that only the recipient's device can unscramble. No intermediary - not the platform, not a server, not the company - can read the contents in transit. Instagram has offered this protection for direct messages, but that changes in May 2026.
Once the encryption is removed, those messages become readable to Meta in the same way a postcard is readable to anyone who handles it in the post. The company will potentially be able to see what users are sending to friends and family. Instagram has advised users who wish to retain copies of their existing encrypted chats to download their messages and media before the deadline.
Zaliauskas said the shift raises serious questions: "This lack of protection raises serious questions about the company's commitment to protecting user data and ensuring digital privacy." The concern is structural. Even if Meta commits never to read user messages, the technical capability to do so will exist - and that capability is precisely what end-to-end encryption was designed to eliminate.
Notably, Meta's WhatsApp still provides end-to-end encryption by default using the open-source Signal encryption protocol, and the company has stated no plans to remove it. Meta says it cannot read WhatsApp messages or listen to calls. The divergence in treatment between its two major messaging platforms is conspicuous.
AI Integration Adds Another Layer of Exposure
Surfshark's research highlights a broader industry trend that compounds the privacy picture: 90% of messaging apps now incorporate artificial intelligence features, including conversation summaries and real-time translation. These features, however convenient, require the app to process the contents of your messages - which means the data is no longer contained purely between you and the person you are talking to.
As Zaliauskas observed: "When you choose a platform that gathers extensive data or integrates Artificial Intelligence into your conversations, that's where privacy basically ends." The arrival of AI inside messaging apps has quietly shifted the boundaries of what "private" means, often without users being clearly informed of the implications.
Alternatives That Offer Stronger Protection
For users reconsidering their choices, the options are not equal. Surfshark's research ranks Signal as the strongest available alternative. The app combines end-to-end encryption with quantum-secure cryptography and collects virtually no data linked to individual users. Apple's iMessage offers robust encryption as well, though it has been found to collect around 10 data types - considerably fewer than Messenger, but not zero.
A VPN can also encrypt broader internet activity, protecting what passes between your device and the wider web, though it does not replace the specific protections that end-to-end encrypted messaging provides within an app. The two tools address different parts of the exposure problem.
The core issue is not merely which app to choose. It is the growing gap between the privacy users assume they have and the privacy they actually retain when they use platforms built primarily to harvest behavioural data. Messenger's data collection profile makes that gap unusually wide - and Meta's decision to roll back Instagram's encryption is making it wider still.
