I joined Meta’s Well-Being team. The team sits at the intersection of Instagram Direct and Messenger, responsible for protecting people from abuse, exploitation, and privacy violations in their most private digital spaces. When I say private, I mean: direct messages, encrypted conversations, media shared between two people who may or may not trust each other.

These products serve over a billion people. Every design decision ships to a population larger than most countries. Every default is experienced by millions before anyone can evaluate its consequences.

The central tension

Safety work in messaging lives inside a contradiction: the things that make messaging valuable are the same things that make it dangerous.

People message because it’s easy. Predators exploit that ease. People share photos because it feels intimate. Extortionists weaponize that intimacy. People expect their messages to be private. End-to-end encryption guarantees it. But it also means the platform cannot see what’s happening inside the conversation.

How do you protect people without breaking the thing you’re protecting?

This is the design space I worked in. Every feature is a trade-off between safety and friction, between protection and autonomy. The job is to find where friction serves people rather than frustrating them.

Nudity protection

We launched nudity protection in Instagram DMs. The feature uses on-device machine learning to detect nudity in images before they’re displayed, blurring them by default. For users under 18, it’s enabled automatically. For adults, we encourage activation.

The critical design decision: this works inside end-to-end encrypted conversations. Because the analysis happens on the device itself, Meta never sees the image. The user retains full privacy while gaining protection they didn’t have before.

Coverage

This feature was reported by CNN, The Wall Street Journal, BBC, Reuters, The Washington Post, Engadget, Le Parisien, and The Telegraph on the same day. The press links are listed at the end of this document.

Restricting unwanted contact

We shipped features that prevent adults from messaging teens who don’t follow them on Instagram. If a teen is already in a conversation with an adult exhibiting suspicious behavior, such as sending a high volume of friend requests to minors, they receive a notification and tools to end, block, or report the contact.

We restricted DM requests further. A non-follower can now send exactly one text-only message. No images, no videos, no voice notes until the recipient explicitly accepts the request. This is a deliberate increase in friction for strangers, designed to preserve ease for existing connections.

These restrictions were especially relevant for women, who disproportionately receive unsolicited media in DMs. The design principle was simple: you should never open your inbox and see something you didn’t ask to see.

Cross-platform safety

When Instagram and Messenger became interoperable, the attack surface expanded. An Instagram user could now reach a Messenger user, and vice versa. The reachability graph grew, and so did the risk.

We designed and shipped message delivery controls for both platforms, giving people granular authority over who can reach them across apps. The rollout covered 74% of the world. Multiple teams, Well-Being, Privacy, IG and Family Experience, worked together to mitigate the risks without undermining the value of interoperability.

The interoperable messaging project has since been discontinued. But the safety infrastructure we built for it, the delivery controls, the cross-app permission model, the abuse detection patterns, carried forward into subsequent work on both platforms.

End-to-end encryption

The migration to end-to-end encryption on Messenger was one of the most complex safety challenges I worked on. E2EE is a privacy guarantee: your messages are unreadable by anyone except you and the person you’re talking to. Including Meta.

This creates a fundamental problem for safety. Many detection mechanisms rely on reading message content, which is exactly what encryption prevents. The question I kept returning to: can we provide maximum privacy and maximum security at the same time?

Not perfectly. But you can close the gap. Nudity protection is one example: on-device analysis preserves encryption while still protecting the user. Safety notices and behavioral signals are another: they work from metadata and patterns, not message content. We launched expression features inside E2EE chats, proving that encryption doesn’t require a stripped-down experience. And we built forwarding limits to slow misinformation, a safety measure that works regardless of encryption status.

Designing friction

Most product design optimizes for reduction: fewer taps, shorter flows, less resistance. Safety design does the opposite. Every useful safety feature is, by definition, an interruption.

The craft question is not whether to create friction, but where. A blur on an image is friction. A restriction on DM requests is friction. A parental control is friction. The design problem is making each of these feel protective rather than restrictive.

The best safety feature is the one the user barely notices. It doesn’t lecture. It doesn’t shame. It gives the person one more second of control in a situation where they might otherwise have none.

What this work taught me

Designing safety produced a specific conviction: social impact is not a side effect of good design. It is the design.

Those features ship to a billion people. And the measure of their success is not engagement or retention. It’s the number of people who never had to see something they didn’t want to see.


Evidence

Press coverage of features designed by the Well-Being team. Listed as evidence that the problems are real and the work shipped.

Sextortion and nudity protection

Teen safety and parental controls

DM protections

Privacy and encryption

Design practice