Designing safety for a billion private conversations
I designed safety and privacy features for Instagram Direct and Messenger.
I joined Meta’s Well-Being team. The team sits at the intersection of Instagram Direct and Messenger, responsible for protecting people from abuse, exploitation, and privacy violations in their most private digital spaces. When I say private, I mean: direct messages, encrypted conversations, media shared between two people who may or may not trust each other.
These products serve over a billion people. Every design decision ships to a population larger than most countries. Every default is experienced by millions before anyone can evaluate its consequences.
The central tension
Safety work in messaging lives inside a contradiction: the things that make messaging valuable are the same things that make it dangerous.
People message because it’s easy. Predators exploit that ease. People share photos because it feels intimate. Extortionists weaponize that intimacy. People expect their messages to be private. End-to-end encryption guarantees it. But it also means the platform cannot see what’s happening inside the conversation.
This is the design space I worked in. Every feature is a trade-off between safety and friction, between protection and autonomy. The job is to find where friction serves people rather than frustrating them.
Nudity protection
We launched nudity protection in Instagram DMs. The feature uses on-device machine learning to detect nudity in images before they’re displayed, blurring them by default. For users under 18, it’s enabled automatically. For adults, we encourage activation.
The critical design decision: this works inside end-to-end encrypted conversations. Because the analysis happens on the device itself, Meta never sees the image. The user retains full privacy while gaining protection they didn’t have before.
This feature was reported by CNN, The Wall Street Journal, BBC, Reuters, The Washington Post, Engadget, Le Parisien, and The Telegraph on the same day. The press links are listed at the end of this document.
Restricting unwanted contact
We shipped features that prevent adults from messaging teens who don’t follow them on Instagram. If a teen is already in a conversation with an adult exhibiting suspicious behavior, such as sending a high volume of friend requests to minors, they receive a notification and tools to end, block, or report the contact.
We restricted DM requests further. A non-follower can now send exactly one text-only message. No images, no videos, no voice notes until the recipient explicitly accepts the request. This is a deliberate increase in friction for strangers, designed to preserve ease for existing connections.
These restrictions were especially relevant for women, who disproportionately receive unsolicited media in DMs. The design principle was simple: you should never open your inbox and see something you didn’t ask to see.
Cross-platform safety
When Instagram and Messenger became interoperable, the attack surface expanded. An Instagram user could now reach a Messenger user, and vice versa. The reachability graph grew, and so did the risk.
We designed and shipped message delivery controls for both platforms, giving people granular authority over who can reach them across apps. The rollout covered 74% of the world. Multiple teams, Well-Being, Privacy, IG and Family Experience, worked together to mitigate the risks without undermining the value of interoperability.
The interoperable messaging project has since been discontinued. But the safety infrastructure we built for it, the delivery controls, the cross-app permission model, the abuse detection patterns, carried forward into subsequent work on both platforms.
End-to-end encryption
The migration to end-to-end encryption on Messenger was one of the most complex safety challenges I worked on. E2EE is a privacy guarantee: your messages are unreadable by anyone except you and the person you’re talking to. Including Meta.
This creates a fundamental problem for safety. Many detection mechanisms rely on reading message content, which is exactly what encryption prevents. The question I kept returning to: can we provide maximum privacy and maximum security at the same time?
Not perfectly. But you can close the gap. Nudity protection is one example: on-device analysis preserves encryption while still protecting the user. Safety notices and behavioral signals are another: they work from metadata and patterns, not message content. We launched expression features inside E2EE chats, proving that encryption doesn’t require a stripped-down experience. And we built forwarding limits to slow misinformation, a safety measure that works regardless of encryption status.
Designing friction
Most product design optimizes for reduction: fewer taps, shorter flows, less resistance. Safety design does the opposite. Every useful safety feature is, by definition, an interruption.
The craft question is not whether to create friction, but where. A blur on an image is friction. A restriction on DM requests is friction. A parental control is friction. The design problem is making each of these feel protective rather than restrictive.
The best safety feature is the one the user barely notices. It doesn’t lecture. It doesn’t shame. It gives the person one more second of control in a situation where they might otherwise have none.
What this work taught me
Designing safety produced a specific conviction: social impact is not a side effect of good design. It is the design.
Those features ship to a billion people. And the measure of their success is not engagement or retention. It’s the number of people who never had to see something they didn’t want to see.
Evidence
Press coverage of features designed by the Well-Being team. Listed as evidence that the problems are real and the work shipped.
Sextortion and nudity protection
- Meta introduces new tools to combat sextortion - CNN
- Instagram to start blurring nude images in messages to protect teens - WSJ
- Meta to blur nudity in Instagram messages - BBC
- Meta to blur Instagram messages containing nudity - Reuters
- Instagram to blur nudity in direct messages - Washington Post
- Instagram will test nudity protection in messages - Engadget
- Instagram veut lutter contre le chantage aux images intimes - Le Parisien
- Instagram to blur nude images sent to under-18s - The Telegraph
Teen safety and parental controls
- Stop sextortion: resources for caregivers - Meta
- Education campaign to protect teens from sextortion scams - Meta
- Stricter message settings for teens on Instagram and Facebook - Instagram
- Parental supervision and teen time management - Meta
- Instagram adds new teen safety tools - TechCrunch
- Make Instagram safer for the youngest members - Instagram
DM protections
- Instagram protects users from unwanted images and videos in DMs - TechCrunch
- Instagram makes it harder for people to spam you with DM requests - The Verge
- How we protect people on Instagram from abuse - Meta
- Protect teens and their privacy on Facebook and Instagram - Meta
Privacy and encryption
- Express yourself in Messenger’s E2EE chats - Messenger
- Ways you can take control of your privacy - Messenger
- Our approach to safer private messaging - Messenger
- Messenger E2E encrypted chat updates - Messenger
- Messenger safety features - Messenger
- Cross-platform messaging on Instagram and Messenger - TechCrunch
- Messenger launches forwarding limits - Messenger
Design practice
- Designing for safety and integrity in social technologies - Meta Design
- Instagram Safer Internet Day - Instagram
- Messenger Safer Internet Day - Messenger