ProtonBlog

A privacy analysis of Meta’s new Threads app

A new social media app has entered the marketplace for your attention, courtesy of Meta. Threads, an apparent copycat of Twitter, lets you post 500-character, text-based updates and has a similar user interface. The app is part of Instagram, so you can log in with your Instagram account and immediately start following your familiar contacts. As of July 10, five days after its launch, 100 million people have joined(new window).

Right away, two things stood out about Threads with regard to privacy:

  • It collects an enormous amount of personal data about you across multiple categories.
  • Threads is not available in the European Union, where Meta is already in trouble with privacy regulators.

These are still the early days of Threads, so it’s difficult to draw too many conclusions about the privacy implications of the new app. But it’s clear that Meta is not pointing its products in the direction of greater privacy, despite billions in privacy-related fines and internal warnings that the company doesn’t know how it uses people’s data. In fact, Threads suggests Meta is doing just the opposite.

This article is an overview of what we know so far about how Threads treats privacy, based on the company’s privacy policy, its disclosures on iOS, and other information that has come to light since the app launch.

What Threads knows about you

Thanks to the privacy requirements of Apple’s App Store, we know specifics about what data Threads itself collects. Threads’ own privacy policy(new window) is a supplement to Instagram’s policy(new window), so all of the other Instagram and Meta rules apply. 

But Threads adds some additional data collection to enable its planned interoperability with third-party services. It also collects some surprising data for reasons that aren’t entirely clear. For example, Threads somehow gathers information about people’s credit for “app functionality”. (It’s not clear how Meta determines creditworthiness, but The Intercept has suggested(new window) the company may use a kind of “correlation profiling”.) And it collects “sensitive info,” such as your ethnicity, sexual orientation, political opinions, and biometric data, for “product personalization” reasons.

Below are the kinds of data Threads collects about you for various reasons, according to the App Store disclosures(new window)

What’s important to note is that this list is identical to those of the Facebook and Instagram apps. So if you use these other Meta products, you’ve already surrendered this information to the company.

  • Health & Fitness
  • Purchases — Purchase history
  • Financial Info — Credit Info, Payment Info, Other Financial Info
  • Location Precise Location, Coarse Location
  • Contact Info Physical Address, Email Address, Name, Phone Number, Other User Contact Info
  • Contacts
  • User Content In-app messages, Photos or Videos, Gameplay Content, Customer Support, Audio Data, Other User Content
  • In-app Search History
  • Browsing History
  • Sensitive Info — Includes racial or ethnic data, sexual orientation, pregnancy or childbirth information, disability, religious or philosophical beliefs, trade union membership, political opinion, genetic information, or biometric data
  • Identifiers — User ID, Device ID
  • Usage Data — Product Interaction, Advertising Data, Other Usage Data
  • Diagnostics — Crash Data, Performance Data, Other Diagnostic Data
  • Other Data Types

In addition to advertising, analytics, personalization, and app functionality purposes, there’s also an “other purposes” category, for which it collects much of the information listed above. Threads does not detail what these other purposes are. However, if you have iOS, you can turn on the App Privacy Report feature(new window) and see how apps use the privacy permissions you grant them.

Many people were quick to note the incredible breadth of data Threads lays claim to. “All your Threads are belong to us,” quipped Jack Dorsey, co-founder of Twitter.

Threads would likely not hold up to EU scrutiny

Threads launched July 5 in the US and UK, but Meta postponed the European Union launch because of the bloc’s regulations on companies’ use of personal data. News outlets have reported that EU regulators did not prevent the company from launching Threads, but sources suggest that Threads, in its current form, may violate one or both of the following regulations:

Threads vs. the GDPR

Meta is already in deep trouble in Europe for two reasons.

First, in January 2023, the EU fined Meta €390 million for not having a valid reason under the GDPR to use people’s data for personalized ads. In its decision(new window), the Irish Data Protection Commission found that Facebook and Instagram users couldn’t properly consent to their personal data being used for advertising. In response, Meta said(new window) it would switch to “legitimate interest” as the basis for its targeted ads. Regulators haven’t ruled on this new tactic.

Second, in May 2023, Meta got hit with the largest-ever GDPR fine: €1.2 billion for transferring EU citizens’ data to the United States. This violates Article 46(1)(new window) of the GDPR, which requires “appropriate safeguards” before sending data outside the EU. Meta said it would appeal the decision.

Both of these decisions, if they survive Meta’s challenges, would dramatically change the way Meta does business in the European Union. Threads, which basically clones Instagram’s privacy policy, would be directly affected as well.

Threads vs. the DMA

The day before Threads launched, Meta acknowledged(new window) that it meets the criteria to be considered a “gatekeeper” under the Digital Markets Act. As a result, the company must comply with the law, including Article 5(a). As we reported previously, 5(a) prevents “gatekeepers from combining personal data collected from their core platform services with personal data collected from other services” and prohibits a company from “forcing you to automatically sign in to all of a gatekeeper’s services if you only want to sign in to one.”

The way Threads seems to mix data collected from Instagram and other Meta products, and the fact that you sign into Threads through Instagram are possible red flags. 

Meta already has a bad reputation for privacy

We’ve shown how the Threads app is as data-hungry as they come and that it almost certainly would not hold up to EU privacy regulations, if Meta’s past troubles are any guide.

But for people signing up to use Threads, it’s important to note that Meta as a company has not been a good steward of personal privacy. When you use Meta products, you are entrusting your personal data to a company that, by the admission of some of its own employees, doesn’t know what it does with your data.

In a leaked internal document, a Meta employee compared your personal data to ink spilled into a lake. “How do you put that ink back in the bottle? How do you organize it again, such that it only flows to the allowed places in the lake?” The employee’s point was that it would be impossible for Meta to comply with privacy laws without changing its business model.

Previously, in a deposition, a Facebook engineer said the company’s data organization was “terrifying”.

What does this mean for you? If you have a Facebook, Instagram, WhatsApp, or Threads account, your data is already in the Meta labyrinth. With Threads, the company is vying to gather more. If you want to escape Meta’s surveillance and profiling practices at this point, the only sure way to prevent future data collection is to delete your data and delete the apps. 

Conclusion

It’s perhaps too easy to criticize Facebook and other Big Tech companies on privacy, but it’s important to realize that they could build their products any way they want to. They choose to build them as spy gadgets. 

Threads could have been more like Mastodon(new window) or another up-and-comer microblogging site, Bluesky(new window), which collect limited data. Instead, Threads is essentially the opposite, sweeping up as much of your personal data as it can. Meta went this route even though it meant initially forfeiting the entire European market.

These design decisions are a natural consequence of Meta’s business model, which turns people into products that can be sold to advertisers. And it’s in sharp contrast to our vision of an internet that puts privacy first and treats people as customers, which we’re actively building at Proton through a subscription-based business model.

Meta’s recent choices on privacy are in some ways similar to those of Google, which has recently cranked up its banner ads, trying to juice as much revenue from personal data before privacy regulations turn off the spigot.

Regulators have taken years to enforce privacy laws against Meta, and there’s no guarantee the company will ultimately comply and change its products to protect people. For now, the burden of online privacy still rests with you.

Protect your privacy with Proton
Create a free account

Related articles

If you’re comparing different password managers or researching password security, you’ll quickly run into terms like hashing and salting. While these terms might sound like steps you take to make breakfast potatoes, they’re actually processes that ar
People often choose to remove their personal information from the internet due to privacy and security concerns. For example, oversharing on social media can expose you to phishing attacks, identity theft, and cyberstalking. Plus, your data is highl
It’s been roughly three months since the European Union’s Digital Markets Act (DMA), which aims to restore competition and fairness to the internet, came into effect for Big Tech monopolies. Since then, Google has done precisely nothing to comply wit
Today we’re announcing enhancements to our business plans, further enriching our commitment to delivering the best privacy experience for businesses. These upgrades will help us continue expanding our feature suite for organizations, while giving mor
Proton Pass brings secure and private password management to all devices
Today, we’re excited to announce the launch of the Proton Pass macOS app and the Proton Pass Linux app. One of the most popular requests from the Proton community was a standalone desktop app, which is now available on every major platform — Windows,
When you use the internet at home, connected to everything from fitness equipment to game consoles, smartphones, and laptops, marketing companies could be watching you with a tiny piece of surveillance tech you might not even know about. We’re talki