As Threads app thrives, experts warn of Meta’s string of privacy violations

The platform’s parent company has gotten into several knots before about mishandling sensitive information

By Johana Bhuiyan

Tue 11 Jul 2023 11.00 BST

In just a matter of days, Meta’s new Threads app has reached 100 million users, solidifying the Twitter competitor’s claim to the title of the most rapidly downloaded app ever.

That rapid growth has concerned privacy experts, who warn that few users realize just how much information the app collects. They point out that Meta has put the launch of Threads in the European Union on hold because it’s unclear whether the way the company handles user data and shares it across different platforms, including Threads, will run afoul of impending privacy regulations.

“Several of the privacy concerns with Threads tie back to Meta’s history of concerning privacy practices,” said Calli Schroeder, senior counsel and global privacy counsel at the Electronic Privacy Information Center (Epic), a digital privacy nonprofit. “I haven’t seen any evidence that Meta is being transparent about what it will do with sensitive personal data or is clearly establishing why it is collecting that data other than ‘because we want to’.”

The list of past practices that give experts like Schroeder cause for concern is long. In addition to being under a FTC consent decree because of previous improper collection and use of data in the US, Meta has also been fined for collecting sensitive personal data without obtaining the proper consent under the European Union’s General Data Protection Regulation (GDPR).

Though Threads is a novel entrant to the world of social media platforms, much is already known about how the platform collects, stores and shares user data. That’s because Threads is governed by the same privacy policy and business model as other Meta-owned properties when it comes to what the company can and can’t do with the intimate pieces of information it collects on its users.

Just like its sister platforms, Instagram and Facebook, Threads can and will collect a great deal of data on its users.

Meta’s apps receive whatever information users enter, said Meta spokesperson Emil Vazquez.

That can include sensitive data such as health and fitness information, financial information, location and browsing history, according to the app store entry for Threads.

“Several of the privacy concerns with Threads tie back to Meta’s history of concerning privacy practices”

– Calli Schroeder of the Electronic Privacy Information Center

The platform provides the company with information on what posts users engage with and whom they are following. That includes “the types of content you view or interact with and how you interact with it,” as well as how long and how often you use Threads, according to the Threads privacy policy. In addition to users’ Threads activity, the company’s privacy policy indicates it also has access to GPS location, cameras, photos, IP information, the type of device being used and device signals including “Bluetooth signals, nearby Wi-Fi access points, beacons and cell towers”.

Combined, this information can paint an extremely detailed and intricate map of people’s lives, particularly when taken together with all of the data Meta already collects through Facebook, Instagram and Meta Pixel.

Meta Pixel, a short piece of code that can be added to websites, tracks and analyzes visitor activity, after which various versions of that data are shared with Meta. For instance, several pharmacies and grocery chains reportedly share sensitive information with Meta and other social platforms through Pixel including whether consumers added Plan B or HIV or pregnancy tests to their carts, according to news website the Markup.

You are the product

Meta’s massive collection of data is geared towards one goal – selling ads. Threads currently doesn’t run ads yet, but it undoubtedly will in the future, experts say. In the meantime, information collected on Threads may be used as part of the larger ecosystem of data Meta uses to serve ads on its other platforms.

“Meta has not only not changed its business model, it continues to want to do targeted ads, essentially surveillance advertising,” said Carissa Veliz, an associate professor at the Institute for Ethics in AI at the University of Oxford.

The company is trying to collect as much data as possible and trying to continue in the same direction as it has from the very start despite all the scandals

– Carissa Veliz of the University of Oxford

“To that end, the company is trying to collect as much data as possible and trying to continue in the same direction as it has from the very start despite all the scandals, despite the public backlash, despite warnings from regulators, despite fines. It’s not reimagining its business model to make it a more respectful business model towards users.”

One concern, Veliz said, is how sensitive the data is that the company collects. “It can include sexual orientation, race and ethnicity, biometric data, trade union membership, pregnancy status, politics, religious beliefs. And all these data can potentially be sent to third parties.”

Those third parties include marketers and law enforcement agencies. Vazquez, the Meta spokesperson, said the company internally filters out sensitive data including health information, sexual orientation, and religious views from being used in advertising.

But much of that information remains vulnerable to law enforcement requests, of which Meta received nearly 240,000 globally in the second half of 2022. A little more than 64,000 of those law enforcement requests for user data were just in the US.

In the US, Meta has recently faced specific scrutiny for its collection and distribution of users’ health data and data that can be used in abortion-related prosecutions following the Supreme Court’s decision to overhaul federal abortion protections. Last year, a mother and daughter were charged with aiding and seeking an unlawful abortion in Nebraska in part based on Facebook messages Meta shared with local police. In the case of Threads, health information can come in the form of engaging with or sharing posts that might signal if a user sought reproductive care or was pregnant at some point. Even if their profile is private, law enforcement can subpoena Meta for their posts.

Meta is not alone in collecting and sharing user data – Twitter, TikTok, and most other social platforms are guilty of similar levels of information collection and sharing. But Meta has one of the largest suites of apps available to consumers, giving it a clear picture of the daily lives of users that few companies other than Google have access to, experts said.

“We should absolutely be concerned about the amount of data Meta can hold on individuals,” Schroeder of Epic said. “Not only is this a huge risk for breaches – and Meta has already had and been penalized for several major data breaches in the past – but the data can be used to infer even more information about an individual that they may not voluntarily share.”