TL;DR:
- What: The Take It Down Act (S.146) takes effect May 19, 2026. Platforms must remove nonconsensual intimate imagery within 48 hours of a takedown request
- The encryption problem: End-to-end encrypted platforms can't scan content they can't see. The law makes no exception for them
- Who already folded: Meta removed E2E encryption from Instagram DMs on May 8, eleven days before the deadline
- What's missing: No perjury requirement for filers, no counter-notice for the accused, no penalty for false claims
- The penalties: $53,088 per violation. The FTC sent warning letters to 15+ companies on May 11
- What to do: Move private conversations to Signal or WhatsApp (still encrypted). Assume Instagram DMs are no longer private
Three Days Until Enforcement
On May 19, every platform that hosts user-generated content becomes legally required to remove nonconsensual intimate imagery (including AI-generated deepfakes) within 48 hours of receiving a takedown request. All "known identical copies" must go too.
The Take It Down Act passed the Senate unanimously and the House 409-2. President Trump signed it into law in May 2025. Platforms got one year to prepare. That year is up.
On May 11, FTC Chairman Andrew Ferguson sent warning letters to more than 15 companies: Amazon, Apple, Meta, TikTok, X, Discord, Reddit, Snapchat, Pinterest, Microsoft, Bumble, Match Group, and others. His message was blunt: "We stand ready to monitor compliance, investigate violations, and enforce the Take It Down Act."
The fine is $53,088 per violation. Per image. Per day of non-compliance. For a platform hosting millions of messages, the math gets ugly fast.
The Encryption Impossibility
Here's the problem nobody in Congress solved: you can't remove content you can't see.
End-to-end encryption means the platform never has access to message contents. That's the entire point. When you send an encrypted message on Signal, not even Signal can read it. The encryption keys live on your device and the recipient's device. The company in the middle is blind by design.
The Take It Down Act requires platforms to find and remove intimate images within 48 hours. It requires them to locate and delete "known identical copies." It says nothing about what happens when a platform literally cannot access the content to check.
There are only three options for encrypted platforms:
- Break encryption: remove E2E so the platform can scan messages. This is what Meta did with Instagram
- Client-side scanning: scan content on the user's device before it's encrypted. Security researchers from Cambridge, Johns Hopkins, MIT, and Stanford have called this approach fundamentally incompatible with privacy guarantees
- Ignore the law: keep encryption, accept the legal risk, and argue that compliance is technically impossible
The Internet Society, the Center for Democracy and Technology, and the Global Encryption Coalition sent an open letter to Congress asking for encrypted services to be explicitly excluded from the law's obligations, the same kind of exemption that already exists for other service categories. Congress didn't act on it.
Meta Blinked First
On May 8, eleven days before the enforcement deadline, Meta removed end-to-end encryption from Instagram direct messages. No fanfare. No press conference. Just a quiet policy update.
Meta's stated reason: "Very few people were opting in to end-to-end encrypted messaging in DMs." That's technically true, because Meta never turned it on by default and never rolled it out globally. They built the feature, barely promoted it, then killed it because nobody used it. Convenient.
The real reason is obvious. Instagram has 2 billion monthly users. At $53,088 per violation, a single missed takedown request could cost more than the feature was worth. Meta looked at the math and chose compliance over privacy.
WhatsApp, also owned by Meta, still has E2E encryption turned on by default for all messages and calls. Meta hasn't touched it. Yet. WhatsApp's encryption predates Meta's acquisition and is core to the product's identity. Stripping it would trigger a user exodus to Signal or Telegram. For now, Meta is treating Instagram and WhatsApp as different compliance categories.
But the law doesn't distinguish between them. If the FTC decides WhatsApp isn't doing enough to comply, the same pressure that broke Instagram could break WhatsApp too.
Signal and the Holdouts
Signal isn't budging. The platform has taken the same position it took against the UK's Online Safety Act: encryption is non-negotiable. Signal president Meredith Whittaker has repeatedly stated the organization would rather pull out of a market than compromise on E2E encryption.
That's the principled position. It's also a position that's easier to hold when you're a nonprofit with 100 million users than when you're a public company with shareholders. Signal doesn't have an ad business that depends on content access. It doesn't have an FTC consent decree hanging over its head. Its entire value proposition is privacy.
But Signal still operates in the US. It still hosts user-generated content. And the Take It Down Act doesn't care about your business model.
The question isn't whether encrypted platforms can comply. They can't, not without breaking their core promise. The question is whether the FTC will enforce the law against platforms that are technically unable to comply, and what courts will say when they do.
A Takedown System Without Guardrails
The Take It Down Act has another problem that has nothing to do with encryption: it's built to be abused.
Compare it to the DMCA, which has been handling copyright takedowns since 1998. The DMCA requires:
- A statement under penalty of perjury that the claim is legitimate
- A counter-notice mechanism so the accused can respond
- Penalties for filing false claims
The Take It Down Act requires none of that.
Anyone can file a takedown request. There's no perjury requirement. There's no counter-notice process. There's no penalty for filing a false claim. The platform has 48 hours to remove the content and all identical copies, with no time to investigate whether the request is legitimate.
The Cato Institute and the Cyber Civil Rights Initiative have both warned that the law will be weaponized to censor lawful content. An abusive ex could file a false claim to get legitimate photos removed. A political operative could target campaign materials. A corporation could silence whistleblowers. All with no legal consequence for filing a bogus request.
The DMCA's abuse problem is well-documented despite its perjury requirement. Imagine that system with even fewer safeguards.
What's Actually at Stake
Nobody is arguing that nonconsensual intimate imagery should stay online. The victims of revenge porn and deepfake abuse deserve fast, effective removal tools. That's not the debate.
The debate is whether the law Congress wrote actually solves the problem without creating bigger ones. And the answer, three days before enforcement, is no.
What You Can Do
The Bottom Line
The Take It Down Act passed Congress with almost no opposition: 409-2 in the House, unanimous in the Senate. That kind of bipartisan consensus usually means the bill is either genuinely uncontroversial or nobody read the fine print.
Three days before enforcement, the fine print is becoming clear. A law designed to protect victims of intimate image abuse is also a law that undermines encryption, lacks basic abuse safeguards, and has already caused one of the world's largest platforms to strip privacy protections from 2 billion users.
Good intentions. Bad drafting. The victims who need this law deserve better. So do the billions of users whose private communications just became a little less private.
Sources
- FTC: Complying With the Take It Down Act (May 2026)
- FTC: Chairman Ferguson Advises Companies to Comply (May 11, 2026)
- Internet Society: Fix the Take It Down Act to Protect Encryption (September 2025)
- Reclaim The Net: Take It Down Act Starts May 19 With No Abuse Safeguards (May 14, 2026)
- Wiley Law: May 19 Deadline for TAKE IT DOWN Act Compliance (May 2026)
- Notebookcheck: Instagram Is Removing End-to-End Encryption from DMs (May 2026)
- Security Affairs: Instagram Removed E2E Encryption for DMs (May 2026)
- Congress.gov: S.146 TAKE IT DOWN Act (119th Congress)
- National Association of Attorneys General: Benefits and Potential Shortcomings of the TAKE IT DOWN Act
- Center for Democracy and Technology: Letter to Fix the Take It Down Act (2025)
Published: May 16, 2026