A new social media app has entered the marketplace for your attention, courtesy of Meta. Threads, an apparent copycat of Twitter, lets you post 500-character, text-based updates and has a similar user interface. The app is part of Instagram, so you can log in with your Instagram account and immediately start following your familiar contacts. As of July 10, five days after its launch, 100 million people have joined.
Right away, two things stood out about Threads with regard to privacy:
- It collects an enormous amount of personal data about you across multiple categories.
- Threads is not available in the European Union, where Meta is already in trouble with privacy regulators.
These are still the early days of Threads, so it’s difficult to draw too many conclusions about the privacy implications of the new app. But it’s clear that Meta is not pointing its products in the direction of greater privacy, despite billions in privacy-related fines and internal warnings that the company doesn’t know how it uses people’s data. In fact, Threads suggests Meta is doing just the opposite.
What Threads knows about you
But Threads adds some additional data collection to enable its planned interoperability with third-party services. It also collects some surprising data for reasons that aren’t entirely clear. For example, Threads somehow gathers information about people’s credit for “app functionality”. (It’s not clear how Meta determines creditworthiness, but The Intercept has suggested the company may use a kind of “correlation profiling”.) And it collects “sensitive info,” such as your ethnicity, sexual orientation, political opinions, and biometric data, for “product personalization” reasons.
Below are the kinds of data Threads collects about you for various reasons, according to the App Store disclosures.
What’s important to note is that this list is identical to those of the Facebook and Instagram apps. So if you use these other Meta products, you’ve already surrendered this information to the company.
- Health & Fitness
- Purchases — Purchase history
- Financial Info — Credit Info, Payment Info, Other Financial Info
- Location — Precise Location, Coarse Location
- Contact Info — Physical Address, Email Address, Name, Phone Number, Other User Contact Info
- User Content — In-app messages, Photos or Videos, Gameplay Content, Customer Support, Audio Data, Other User Content
- In-app Search History
- Browsing History
- Sensitive Info — Includes racial or ethnic data, sexual orientation, pregnancy or childbirth information, disability, religious or philosophical beliefs, trade union membership, political opinion, genetic information, or biometric data
- Identifiers — User ID, Device ID
- Usage Data — Product Interaction, Advertising Data, Other Usage Data
- Diagnostics — Crash Data, Performance Data, Other Diagnostic Data
- Other Data Types
In addition to advertising, analytics, personalization, and app functionality purposes, there’s also an “other purposes” category, for which it collects much of the information listed above. Threads does not detail what these other purposes are. However, if you have iOS, you can turn on the App Privacy Report feature and see how apps use the privacy permissions you grant them.
Many people were quick to note the incredible breadth of data Threads lays claim to. “All your Threads are belong to us,” quipped Jack Dorsey, co-founder of Twitter.
Threads would likely not hold up to EU scrutiny
Threads launched July 5 in the US and UK, but Meta postponed the European Union launch because of the bloc’s regulations on companies’ use of personal data. News outlets have reported that EU regulators did not prevent the company from launching Threads, but sources suggest that Threads, in its current form, may violate one or both of the following regulations:
- The General Data Protection Regulation (GDPR), which stipulates how data controllers must collect, use, and safeguard personal data
- And the Digital Markets Act (DMA), which is more of an antitrust regulation but also includes rules about personal data
Threads vs. the GDPR
Meta is already in deep trouble in Europe for two reasons.
First, in January 2023, the EU fined Meta €390 million for not having a valid reason under the GDPR to use people’s data for personalized ads. In its decision, the Irish Data Protection Commission found that Facebook and Instagram users couldn’t properly consent to their personal data being used for advertising. In response, Meta said it would switch to “legitimate interest” as the basis for its targeted ads. Regulators haven’t ruled on this new tactic.
Second, in May 2023, Meta got hit with the largest-ever GDPR fine: €1.2 billion for transferring EU citizens’ data to the United States. This violates Article 46(1) of the GDPR, which requires “appropriate safeguards” before sending data outside the EU. Meta said it would appeal the decision.
Threads vs. the DMA
The day before Threads launched, Meta acknowledged that it meets the criteria to be considered a “gatekeeper” under the Digital Markets Act. As a result, the company must comply with the law, including Article 5(a). As we reported previously, 5(a) prevents “gatekeepers from combining personal data collected from their core platform services with personal data collected from other services” and prohibits a company from “forcing you to automatically sign in to all of a gatekeeper’s services if you only want to sign in to one.”
The way Threads seems to mix data collected from Instagram and other Meta products, and the fact that you sign into Threads through Instagram, are possible red flags.
Meta already has a bad reputation for privacy
We’ve shown how the Threads app is as data-hungry as they come and that it almost certainly would not hold up to EU privacy regulations, if Meta’s past troubles are any guide.
But for people signing up to use Threads, it’s important to note that Meta as a company has not been a good steward of personal privacy. When you use Meta products, you are entrusting your personal data to a company that, by the admission of some of its own employees, doesn’t know what it does with your data.
In a leaked internal document, a Meta employee compared your personal data to ink spilled into a lake. “How do you put that ink back in the bottle? How do you organize it again, such that it only flows to the allowed places in the lake?” The employee’s point was that it would be impossible for Meta to comply with privacy laws without changing its business model.
Previously, in a deposition, a Facebook engineer said the company’s data organization was “terrifying”.
What does this mean for you? If you have a Facebook, Instagram, WhatsApp, or Threads account, your data is already in the Meta labyrinth. With Threads, the company is vying to gather more. If you want to escape Meta’s surveillance and profiling practices at this point, the only sure way to prevent future data collection is to delete your data and delete the apps.
It’s perhaps too easy to criticize Facebook and other Big Tech companies on privacy, but it’s important to realize that they could build their products any way they want to. They choose to build them as spy gadgets.
Threads could have been more like Mastodon or another up-and-comer microblogging site, Bluesky, which collect limited data. Instead, Threads is essentially the opposite, sweeping up as much of your personal data as it can. Meta went this route even though it meant initially forfeiting the entire European market.
These design decisions are a natural consequence of Meta’s business model, which turns people into products that can be sold to advertisers. And it’s in sharp contrast to our vision of an internet that puts privacy first and treats people as customers, which we’re actively building at Proton through a subscription-based business model.
Meta’s recent choices on privacy are in some ways similar to those of Google, which has recently cranked up its banner ads, trying to juice as much revenue as it can from personal data before privacy regulations turn off the spigot.
Regulators have taken years to enforce privacy laws against Meta, and there’s no guarantee the company will ultimately comply and change its products to protect people. For now, the burden of online privacy still rests with you.