
A privacy analysis of Meta’s new Threads app

A new social media app has entered the marketplace for your attention, courtesy of Meta. Threads, an apparent copycat of Twitter, lets you post 500-character, text-based updates and has a similar user interface. The app is part of Instagram, so you can log in with your Instagram account and immediately start following your familiar contacts. As of July 10, five days after its launch, 100 million people have joined.

Right away, two things stood out about Threads with regard to privacy:

  • It collects an enormous amount of personal data about you across multiple categories.
  • Threads is not available in the European Union, where Meta is already in trouble with privacy regulators.

These are still the early days of Threads, so it’s difficult to draw too many conclusions about the privacy implications of the new app. But it’s clear that Meta is not pointing its products in the direction of greater privacy, despite billions in privacy-related fines and internal warnings that the company doesn’t know how it uses people’s data. In fact, Threads suggests Meta is doing just the opposite.

This article is an overview of what we know so far about how Threads treats privacy, based on the company’s privacy policy, its disclosures on iOS, and other information that has come to light since the app launch.

What Threads knows about you

Thanks to the privacy requirements of Apple’s App Store, we know specifics about what data Threads itself collects. Threads’ own privacy policy is a supplement to Instagram’s policy, so all of the other Instagram and Meta rules apply.

But Threads adds some additional data collection to enable its planned interoperability with third-party services. It also collects some surprising data for reasons that aren’t entirely clear. For example, Threads somehow gathers information about people’s credit for “app functionality”. (It’s not clear how Meta determines creditworthiness, but The Intercept has suggested the company may use a kind of “correlation profiling”.) And it collects “sensitive info,” such as your ethnicity, sexual orientation, political opinions, and biometric data, for “product personalization” reasons.

Below are the kinds of data Threads collects about you for various reasons, according to the App Store disclosures.

What’s important to note is that this list is identical to those of the Facebook and Instagram apps. So if you use these other Meta products, you’ve already surrendered this information to the company.

  • Health & Fitness
  • Purchases — Purchase history
  • Financial Info — Credit Info, Payment Info, Other Financial Info
  • Location — Precise Location, Coarse Location
  • Contact Info — Physical Address, Email Address, Name, Phone Number, Other User Contact Info
  • Contacts
  • User Content — In-app messages, Photos or Videos, Gameplay Content, Customer Support, Audio Data, Other User Content
  • In-app Search History
  • Browsing History
  • Sensitive Info — Includes racial or ethnic data, sexual orientation, pregnancy or childbirth information, disability, religious or philosophical beliefs, trade union membership, political opinion, genetic information, or biometric data
  • Identifiers — User ID, Device ID
  • Usage Data — Product Interaction, Advertising Data, Other Usage Data
  • Diagnostics — Crash Data, Performance Data, Other Diagnostic Data
  • Other Data Types

In addition to advertising, analytics, personalization, and app functionality purposes, there’s also an “other purposes” category, for which it collects much of the information listed above. Threads does not detail what these other purposes are. However, if you have iOS, you can turn on the App Privacy Report feature and see how apps use the privacy permissions you grant them.

Many people were quick to note the incredible breadth of data Threads lays claim to. “All your Threads are belong to us,” quipped Jack Dorsey, co-founder of Twitter.

Threads would likely not hold up to EU scrutiny

Threads launched July 5 in the US and UK, but Meta postponed the European Union launch because of the bloc’s regulations on companies’ use of personal data. News outlets have reported that EU regulators did not prevent the company from launching Threads, but sources suggest that Threads, in its current form, may violate one or both of the following regulations:

Threads vs. the GDPR

Meta is already in deep trouble in Europe for two reasons.

First, in January 2023, the EU fined Meta €390 million for not having a valid reason under the GDPR to use people’s data for personalized ads. In its decision, the Irish Data Protection Commission found that Facebook and Instagram users couldn’t properly consent to their personal data being used for advertising. In response, Meta said it would switch to “legitimate interest” as the basis for its targeted ads. Regulators haven’t ruled on this new tactic.

Second, in May 2023, Meta got hit with the largest-ever GDPR fine: €1.2 billion for transferring EU citizens’ data to the United States. This violates Article 46(1) of the GDPR, which requires “appropriate safeguards” before sending data outside the EU. Meta said it would appeal the decision.

Both of these decisions, if they survive Meta’s challenges, would dramatically change the way Meta does business in the European Union. Threads, which basically clones Instagram’s privacy policy, would be directly affected as well.

Threads vs. the DMA

The day before Threads launched, Meta acknowledged that it meets the criteria to be considered a “gatekeeper” under the Digital Markets Act. As a result, the company must comply with the law, including Article 5(a). As we reported previously, 5(a) prevents “gatekeepers from combining personal data collected from their core platform services with personal data collected from other services” and prohibits a company from “forcing you to automatically sign in to all of a gatekeeper’s services if you only want to sign in to one.”

The way Threads seems to mix data collected from Instagram and other Meta products, and the fact that you sign in to Threads through Instagram, are possible red flags.

Meta already has a bad reputation for privacy

We’ve shown how the Threads app is as data-hungry as they come and that it almost certainly would not hold up to EU privacy regulations, if Meta’s past troubles are any guide.

But for people signing up to use Threads, it’s important to note that Meta as a company has not been a good steward of personal privacy. When you use Meta products, you are entrusting your personal data to a company that, by the admission of some of its own employees, doesn’t know what it does with your data.

In a leaked internal document, a Meta employee compared your personal data to ink spilled into a lake. “How do you put that ink back in the bottle? How do you organize it again, such that it only flows to the allowed places in the lake?” The employee’s point was that it would be impossible for Meta to comply with privacy laws without changing its business model.

Previously, in a deposition, a Facebook engineer said the company’s data organization was “terrifying”.

What does this mean for you? If you have a Facebook, Instagram, WhatsApp, or Threads account, your data is already in the Meta labyrinth. With Threads, the company is vying to gather more. If you want to escape Meta’s surveillance and profiling practices at this point, the only sure way to prevent future data collection is to delete your data and delete the apps. 

Conclusion

It’s perhaps too easy to criticize Facebook and other Big Tech companies on privacy, but it’s important to realize that they could build their products any way they want to. They choose to build them as spy gadgets. 

Threads could have been more like Mastodon or another up-and-coming microblogging site, Bluesky, which collect limited data. Instead, Threads is essentially the opposite, sweeping up as much of your personal data as it can. Meta went this route even though it meant initially forfeiting the entire European market.

These design decisions are a natural consequence of Meta’s business model, which turns people into products that can be sold to advertisers. And it’s in sharp contrast to our vision of an internet that puts privacy first and treats people as customers, which we’re actively building at Proton through a subscription-based business model.

Meta’s recent choices on privacy are in some ways similar to those of Google, which has recently cranked up its banner ads, trying to juice as much revenue as it can from personal data before privacy regulations turn off the spigot.

Regulators have taken years to enforce privacy laws against Meta, and there’s no guarantee the company will ultimately comply and change its products to protect people. For now, the burden of online privacy still rests with you.

Ben Wolford

Ben Wolford is a writer and editor whose work has appeared in major newspapers and magazines around the world. Ben joined Proton in 2018 to help explain technical concepts in privacy and make Proton products easy to use.
