A new social media app has entered the marketplace for your attention, courtesy of Meta. Threads, an apparent copycat of Twitter, lets you post 500-character, text-based updates and has a similar user interface. The app is part of Instagram, so you can log in with your Instagram account and immediately start following your familiar contacts. As of July 10, five days after its launch, 100 million people have joined.
Right away, two things stood out about Threads with regard to privacy:
- It collects an enormous amount of personal data about you across multiple categories.
- Threads is not available in the European Union, where Meta is already in trouble with privacy regulators.
These are still the early days of Threads, so it’s difficult to draw too many conclusions about the privacy implications of the new app. But it’s clear that Meta is not pointing its products in the direction of greater privacy, despite billions in privacy-related fines and internal warnings that the company doesn’t know how it uses people’s data. In fact, Threads suggests Meta is doing just the opposite.
This article is an overview of what we know so far about how Threads treats privacy, based on the company’s privacy policy, its disclosures on iOS, and other information that has come to light since the app launch.
What Threads knows about you
Thanks to the privacy requirements of Apple’s App Store, we know specifics about what data Threads itself collects. Threads’ own privacy policy is a supplement to Instagram’s policy, so all of the other Instagram and Meta rules apply.
But Threads adds some additional data collection to enable its planned interoperability with third-party services. It also collects some surprising data for reasons that aren’t entirely clear. For example, Threads somehow gathers information about people’s credit for “app functionality”. (It’s not clear how Meta determines creditworthiness, but The Intercept has suggested the company may use a kind of “correlation profiling”.) And it collects “sensitive info,” such as your ethnicity, sexual orientation, political opinions, and biometric data, for “product personalization” reasons.
Below are the kinds of data Threads collects about you for various reasons, according to the App Store disclosures.
What’s important to note is that this list is identical to those of the Facebook and Instagram apps. So if you use these other Meta products, you’ve already surrendered this information to the company.
- Health & Fitness
- Purchases — Purchase history
- Financial Info — Credit Info, Payment Info, Other Financial Info
- Location — Precise Location, Coarse Location
- Contact Info — Physical Address, Email Address, Name, Phone Number, Other User Contact Info
- Contacts
- User Content — In-app messages, Photos or Videos, Gameplay Content, Customer Support, Audio Data, Other User Content
- In-app Search History
- Browsing History
- Sensitive Info — Includes racial or ethnic data, sexual orientation, pregnancy or childbirth information, disability, religious or philosophical beliefs, trade union membership, political opinion, genetic information, or biometric data
- Identifiers — User ID, Device ID
- Usage Data — Product Interaction, Advertising Data, Other Usage Data
- Diagnostics — Crash Data, Performance Data, Other Diagnostic Data
- Other Data Types
In addition to advertising, analytics, personalization, and app functionality purposes, there’s also an “other purposes” category, for which it collects much of the information listed above. Threads does not detail what these other purposes are. However, if you have iOS, you can turn on the App Privacy Report feature and see how apps use the privacy permissions you grant them.
Many people were quick to note the incredible breadth of data Threads lays claim to. “All your Threads are belong to us,” quipped Jack Dorsey, co-founder of Twitter.
Threads would likely not hold up to EU scrutiny
Threads launched July 5 in the US and UK, but Meta postponed the European Union launch because of the bloc’s regulations on companies’ use of personal data. News outlets have reported that EU regulators did not prevent the company from launching Threads, but sources suggest that Threads, in its current form, may violate one or both of the following regulations:
- The General Data Protection Regulation (GDPR), which stipulates how data controllers must collect, use, and safeguard personal data
- And the Digital Markets Act (DMA), which is more of an antitrust regulation but also includes rules about personal data
Threads vs. the GDPR
Meta is already in deep trouble in Europe for two reasons.
First, in January 2023, the EU fined Meta €390 million for not having a valid reason under the GDPR to use people’s data for personalized ads. In its decision, the Irish Data Protection Commission found that Facebook and Instagram users couldn’t properly consent to their personal data being used for advertising. In response, Meta said it would switch to “legitimate interest” as the basis for its targeted ads. Regulators haven’t ruled on this new tactic.
Second, in May 2023, Meta got hit with the largest-ever GDPR fine: €1.2 billion for transferring EU citizens’ data to the United States. This violates Article 46(1) of the GDPR, which requires “appropriate safeguards” before sending data outside the EU. Meta said it would appeal the decision.
Both of these decisions, if they survive Meta’s challenges, would dramatically change the way Meta does business in the European Union. Threads, which basically clones Instagram’s privacy policy, would be directly affected as well.
Threads vs. the DMA
The day before Threads launched, Meta acknowledged that it meets the criteria to be considered a “gatekeeper” under the Digital Markets Act. As a result, the company must comply with the law, including Article 5(a). As we reported previously, 5(a) prevents “gatekeepers from combining personal data collected from their core platform services with personal data collected from other services” and prohibits a company from “forcing you to automatically sign in to all of a gatekeeper’s services if you only want to sign in to one.”
The way Threads seems to mix data collected from Instagram and other Meta products, and the fact that you sign in to Threads through Instagram, are possible red flags.
Meta already has a bad reputation for privacy
We’ve shown how the Threads app is as data-hungry as they come and that it almost certainly would not hold up to EU privacy regulations, if Meta’s past troubles are any guide.
But for people signing up to use Threads, it’s important to note that Meta as a company has not been a good steward of personal privacy. When you use Meta products, you are entrusting your personal data to a company that, by the admission of some of its own employees, doesn’t know what it does with your data.
In a leaked internal document, a Meta employee compared your personal data to ink spilled into a lake. “How do you put that ink back in the bottle? How do you organize it again, such that it only flows to the allowed places in the lake?” The employee’s point was that it would be impossible for Meta to comply with privacy laws without changing its business model.
Previously, in a deposition, a Facebook engineer said the company’s data organization was “terrifying”.
What does this mean for you? If you have a Facebook, Instagram, WhatsApp, or Threads account, your data is already in the Meta labyrinth. With Threads, the company is vying to gather more. If you want to escape Meta’s surveillance and profiling practices at this point, the only sure way to prevent future data collection is to delete your data and delete the apps.
Conclusion
It’s perhaps too easy to criticize Facebook and other Big Tech companies on privacy, but it’s important to realize that they could build their products any way they want to. They choose to build them as spy gadgets.
Threads could have been more like Mastodon or another up-and-comer microblogging site, Bluesky, which collect limited data. Instead, Threads is essentially the opposite, sweeping up as much of your personal data as it can. Meta went this route even though it meant initially forfeiting the entire European market.
These design decisions are a natural consequence of Meta’s business model, which turns people into products that can be sold to advertisers. And it’s in sharp contrast to our vision of an internet that puts privacy first and treats people as customers, which we’re actively building at Proton through a subscription-based business model.
Meta’s recent choices on privacy are in some ways similar to those of Google, which has recently cranked up its banner ads, trying to juice as much revenue from personal data before privacy regulations turn off the spigot.
Regulators have taken years to enforce privacy laws against Meta, and there’s no guarantee the company will ultimately comply and change its products to protect people. For now, the burden of online privacy still rests with you.