
TL;DR:

  • What: The Take It Down Act (S.146) takes effect May 19, 2026. Platforms must remove nonconsensual intimate imagery within 48 hours of a takedown request
  • The encryption problem: End-to-end encrypted platforms can't scan content they can't see. The law makes no exception for them
  • Who already folded: Meta removed E2E encryption from Instagram DMs on May 8, eleven days before the deadline
  • What's missing: No perjury requirement for filers, no counter-notice for the accused, no penalty for false claims
  • The penalties: $53,088 per violation. The FTC sent warning letters to 15+ companies on May 11
  • What to do: Move private conversations to Signal or WhatsApp (still encrypted). Assume Instagram DMs are no longer private

Three Days Until Enforcement

On May 19, every platform that hosts user-generated content becomes legally required to remove nonconsensual intimate imagery (including AI-generated deepfakes) within 48 hours of receiving a takedown request. All "known identical copies" must go too.

The Take It Down Act passed the Senate unanimously and the House 409-2. President Trump signed it into law in May 2025. Platforms got one year to prepare. That year is up.

On May 11, FTC Chairman Andrew Ferguson sent warning letters to more than 15 companies: Amazon, Apple, Meta, TikTok, X, Discord, Reddit, Snapchat, Pinterest, Microsoft, Bumble, Match Group, and others. His message was blunt: "We stand ready to monitor compliance, investigate violations, and enforce the Take It Down Act."

The fine is $53,088 per violation. Per image. Per day of non-compliance. For a platform hosting millions of messages, the math gets ugly fast.

The Encryption Impossibility

Here's the problem nobody in Congress solved: you can't remove content you can't see.

End-to-end encryption means the platform never has access to message contents. That's the entire point. When you send an encrypted message on Signal, not even Signal can read it. The encryption keys live on your device and the recipient's device. The company in the middle is blind by design.

The Take It Down Act requires platforms to find and remove intimate images within 48 hours. It requires them to locate and delete "known identical copies." It says nothing about what happens when a platform literally cannot access the content to check.
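To make that blindness concrete, the following Python sketch runs a server-side exact-hash search for "known identical copies" over an unencrypted store and over an end-to-end encrypted one. It is an added example, not code from any platform or from the law's guidance; the cipher is a toy stand-in built from SHA-256, and every name and sample byte string is constructed for illustration.

```python
import hashlib
import os

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode), a stand-in for a real AEAD.
    Illustrative only: real messengers use vetted ciphers and key agreement."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def e2e_send(image: bytes) -> dict:
    """Sender's device encrypts under a fresh key; the server stores only ciphertext."""
    key, nonce = os.urandom(32), os.urandom(12)
    return {"server_sees": nonce + keystream_xor(key, nonce, image),
            "device_key": key}  # the key never leaves the endpoints

def find_identical_copies(reported: bytes, stored_blobs: list) -> list:
    """Server-side exact match: indexes of stored blobs hashing to the reported image."""
    target = hashlib.sha256(reported).hexdigest()
    return [i for i, blob in enumerate(stored_blobs)
            if hashlib.sha256(blob).hexdigest() == target]

# Constructed sample data standing in for a reported image and an unrelated one.
REPORTED = b"\x89PNG-constructed-sample-image-bytes" * 8
OTHER = b"\x89PNG-some-other-image" * 8

def demo() -> dict:
    plaintext_store = [OTHER, REPORTED, REPORTED]   # unencrypted hosting
    msgs = [e2e_send(OTHER), e2e_send(REPORTED), e2e_send(REPORTED)]
    e2e_store = [m["server_sees"] for m in msgs]    # all the platform ever holds
    blob, key = msgs[1]["server_sees"], msgs[1]["device_key"]
    recovered = keystream_xor(key, blob[:12], blob[12:])  # recipient's device
    return {
        "plaintext_matches": find_identical_copies(REPORTED, plaintext_store),
        "e2e_matches": find_identical_copies(REPORTED, e2e_store),
        "same_image_same_ciphertext": e2e_store[1] == e2e_store[2],
        "recipient_recovers_image": recovered == REPORTED,
    }

if __name__ == "__main__":
    print(demo())
```

The same image sent twice produces two unrelated ciphertexts, so the server's search returns nothing, while the recipient's device still recovers the original bytes.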

There are only three options for encrypted platforms:

  • Break encryption: remove E2E so the platform can scan messages. This is what Meta did with Instagram
  • Client-side scanning: scan content on the user's device before it's encrypted. Security researchers from Cambridge, Johns Hopkins, MIT, and Stanford have called this approach fundamentally incompatible with privacy guarantees
  • Ignore the law: keep encryption, accept the legal risk, and argue that compliance is technically impossible

The Internet Society, the Center for Democracy and Technology, and the Global Encryption Coalition sent an open letter to Congress asking for encrypted services to be explicitly excluded from the law's obligations, the same kind of exemption that already exists for other service categories. Congress didn't act on it.

Meta Blinked First

On May 8, eleven days before the enforcement deadline, Meta removed end-to-end encryption from Instagram direct messages. No fanfare. No press conference. Just a quiet policy update.

Meta's stated reason: "Very few people were opting in to end-to-end encrypted messaging in DMs." That's technically true, because Meta never turned it on by default and never rolled it out globally. They built the feature, barely promoted it, then killed it because nobody used it. Convenient.

The real reason is obvious. Instagram has 2 billion monthly users. At $53,088 per violation, a single missed takedown request could cost more than the feature was worth. Meta looked at the math and chose compliance over privacy.

WhatsApp, also owned by Meta, still has E2E encryption turned on by default for all messages and calls. Meta hasn't touched it. Yet. WhatsApp's encryption predates Meta's acquisition and is core to the product's identity. Stripping it would trigger a user exodus to Signal or Telegram. For now, Meta is treating Instagram and WhatsApp as different compliance categories.

But the law doesn't distinguish between them. If the FTC decides WhatsApp isn't doing enough to comply, the same pressure that broke Instagram could break WhatsApp too.

Signal and the Holdouts

Signal isn't budging. The platform has taken the same position it took against the UK's Online Safety Act: encryption is non-negotiable. Signal president Meredith Whittaker has repeatedly stated the organization would rather pull out of a market than compromise on E2E encryption.

That's the principled position. It's also a position that's easier to hold when you're a nonprofit with 100 million users than when you're a public company with shareholders. Signal doesn't have an ad business that depends on content access. It doesn't have an FTC consent decree hanging over its head. Its entire value proposition is privacy.

But Signal still operates in the US. It still hosts user-generated content. And the Take It Down Act doesn't care about your business model.

The question isn't whether encrypted platforms can comply. They can't, not without breaking their core promise. The question is whether the FTC will enforce the law against platforms that are technically unable to comply, and what courts will say when they do.

A Takedown System Without Guardrails

The Take It Down Act has another problem that has nothing to do with encryption: it's built to be abused.

Compare it to the DMCA, which has been handling copyright takedowns since 1998. The DMCA requires:

  • A statement under penalty of perjury that the claim is legitimate
  • A counter-notice mechanism so the accused can respond
  • Penalties for filing false claims

The Take It Down Act requires none of that.

Anyone can file a takedown request. There's no perjury requirement. There's no counter-notice process. There's no penalty for filing a false claim. The platform has 48 hours to remove the content and all identical copies, with no time to investigate whether the request is legitimate.

The Cato Institute and the Cyber Civil Rights Initiative have both warned that the law will be weaponized to censor lawful content. An abusive ex could file a false claim to get legitimate photos removed. A political operative could target campaign materials. A corporation could silence whistleblowers. All with no legal consequence for filing a bogus request.

The DMCA's abuse problem is well-documented despite its perjury requirement. Imagine that system with even fewer safeguards.

What's Actually at Stake

Nobody is arguing that nonconsensual intimate imagery should stay online. The victims of revenge porn and deepfake abuse deserve fast, effective removal tools. That's not the debate.

The debate is whether the law Congress wrote actually solves the problem without creating bigger ones. And the answer, three days before enforcement, is no.

For encryption: The law creates a compliance framework that's physically impossible for E2E platforms to follow. That's not an oversight. It's a backdoor mandate without the political cost of calling it one. If the FTC enforces against encrypted platforms, every private messaging app faces the same choice Meta made.

For free speech: A takedown system without perjury requirements, counter-notices, or false-claim penalties is a censorship tool. It will be used as one. The question is how often and how badly.

For victims: The people this law is supposed to protect may not benefit much. Platforms already had voluntary removal processes for NCII. The 48-hour mandate helps, but without abuse safeguards, the system will be flooded with false claims that slow down processing of legitimate ones.

What You Can Do

Move private conversations off Instagram: Instagram DMs are no longer encrypted. Meta can read them. Law enforcement can subpoena them. Treat Instagram messages like postcards: anyone in the chain can read them.

Use Signal for sensitive communications: Signal remains fully end-to-end encrypted with no plans to change. It's free, open-source, and available on every platform. If you need a private conversation, this is where to have it.

Understand your rights under the law: If you're a victim of nonconsensual intimate imagery, the Take It Down Act gives you a federal removal right starting May 19. File takedown requests directly with platforms; they must respond within 48 hours. FTC compliance guidance here.

Contact your representatives about the abuse gap: The law needs amendments: a perjury requirement for filers, a counter-notice process, and penalties for false claims. These are basic safeguards that the DMCA has had since 1998. Find your rep here.

The Bottom Line

The Take It Down Act passed Congress with almost no opposition: 409-2 in the House, unanimous in the Senate. That kind of bipartisan consensus usually means the bill is either genuinely uncontroversial or nobody read the fine print.

Three days before enforcement, the fine print is becoming clear. A law designed to protect victims of intimate image abuse is also a law that undermines encryption, lacks basic abuse safeguards, and has already caused one of the world's largest platforms to strip privacy protections from 2 billion users.

Good intentions. Bad drafting. The victims who need this law deserve better. So do the billions of users whose private communications just became a little less private.
