RISKS

What is Happening

In just a matter of days, Meta’s new Threads app reached 100 million users, solidifying the Twitter competitor’s claim to the title of the most rapidly downloaded app ever.

That rapid growth has concerned privacy experts, who warn that few users realize just how much information the app collects. They point out that Meta has put the launch of Threads in the European Union on hold because it’s unclear whether the way the company handles user data and shares it across different platforms, including Threads, will run afoul of impending privacy regulations.

Privacy advocates and security researchers have noted that Threads already collects more personal data than many other social media apps; a wide variety of it could be considered invasive and is not at all necessary for the app’s function. Privacy concerns have been raised because, under its current expansive data collection terms, the app can log browsing history, search history, physical geolocation, employment, union membership, health status, race and ethnicity, sexual orientation and more.

Meta also faces potential issues due to the way that Threads forces integration with Instagram. Entirely new users will have an Instagram account created for them when they sign up for Threads, while those with existing Instagram accounts must link the two inextricably. That also means deleting one’s Instagram account if one decides one no longer wants a Threads account. Threads profiles can be deactivated without impacting Instagram accounts, but not deleted entirely. A Meta spokesperson said that the Threads team is “looking into” a way to separately remove the app, but there is no timeframe (or promises) at present.

“Several of the privacy concerns with Threads tie back to Meta’s history of concerning privacy practices,” said Calli Schroeder, senior counsel and global privacy counsel at the Electronic Privacy Information Center (Epic), a digital privacy nonprofit. “I haven’t seen any evidence that Meta is being transparent about what it will do with sensitive personal data or is clearly establishing why it is collecting that data other than ‘because we want to’.”

 

The list of past practices that give experts like Schroeder cause for concern is long. In addition to being under an FTC consent decree because of previous improper collection and use of data in the US, Meta has also received three major fines for data privacy violations, all from Ireland’s Data Protection Commission (DPC), within a year’s time:

  1. In June 2022, the Irish DPC slapped Instagram with a fine of €405 million after an investigation found the social media platform mishandled teenagers’ personal information in violation of strict European Union data privacy rules.
  2. In November 2022, Meta was fined another €265 million by the Irish DPC following a probe that found the social-media company had failed to apply strict safeguards required under GDPR.
  3. And in May 2023, Meta was fined a record €1.2 billion and was also ordered to stop transferring data collected from Facebook users in Europe to the United States. The €1.2 billion fine is the largest data privacy fine since the GDPR went into effect, and the three fines together total nearly €1.9 billion (nearly $2 billion).

 

Why is this Important?

The privacy concerns about Threads, and the fact that Meta has not yet launched the app in the EU, raise concerns that Meta is putting personal data collection over privacy protections. If the app remains unavailable in the EU for a significant period of time, it may signal that Meta will avoid deployment where data protection is under the most scrutiny, at least for Threads.

The data collection practices of Threads also reiterate the need to keep personal and business data separate: on devices that hold both types of data, some of the data that Meta is collecting could be business related as well as personal.

 

What does this mean to me?

Meta’s massive collection of data is geared towards one goal: selling ads. Threads doesn’t run ads yet, but it undoubtedly will in the future, experts say. In the meantime, information collected on Threads may be used as part of the larger ecosystem of data Meta uses to serve ads on its other platforms.

In addition to Facebook and Instagram (and now Threads), Meta also collects data through Meta Pixel, a short piece of code that can be added to websites to track and analyze visitor activity, after which various versions of that data are shared with Meta. For instance, several hospitals, pharmacies and grocery chains reportedly share sensitive information with Meta and other social platforms through Pixel, including whether consumers added Plan B or HIV or pregnancy tests to their carts, according to news website The Markup.
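As an added example (not from the original article or from Meta), a site owner can check a page's HTML for the Pixel embed described above and list the events it reports. The sample page, the all-zero pixel ID and the `REVIEW_FIRST` event list are constructed assumptions for illustration.

```python
import html as htmllib
import re
from urllib.parse import parse_qs

# Markers of a Meta Pixel embed: the loader script, fbq() calls, and the
# <noscript> image beacon that carries id= and ev= in its query string.
LOADER_RE = re.compile(r"connect\.facebook\.net/[^\"'\s]+/fbevents\.js", re.I)
INIT_RE = re.compile(r"fbq\(\s*['\"]init['\"]\s*,\s*['\"](\d+)['\"]")
TRACK_RE = re.compile(r"fbq\(\s*['\"](track|trackCustom)['\"]\s*,\s*['\"]([^'\"]+)['\"]")
BEACON_RE = re.compile(r"facebook\.com/tr/?\?([^\"'\s>]+)", re.I)

# Assumption: events a reviewer on a health or pharmacy site would check first.
REVIEW_FIRST = {"AddToCart", "InitiateCheckout", "Purchase", "Search", "Schedule", "Lead"}

# Constructed sample page; the pixel ID is a placeholder, not a real one.
SAMPLE_PAGE = """
<script async src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script>
  fbq('init', '000000000000000');
  fbq('track', 'PageView');
  fbq('track', 'AddToCart', {content_name: 'example item'});
</script>
<noscript><img height="1" width="1"
  src="https://www.facebook.com/tr?id=000000000000000&amp;ev=PageView&amp;noscript=1"/></noscript>
"""

def audit_page(markup):
    """Report Meta Pixel usage found in one page's static HTML source."""
    text = htmllib.unescape(markup)  # turn &amp; back into & before parsing
    pixel_ids = set(INIT_RE.findall(text))
    events = {name for _kind, name in TRACK_RE.findall(text)}
    for query_string in BEACON_RE.findall(text):
        query = parse_qs(query_string)
        pixel_ids.update(query.get("id", []))
        events.update(query.get("ev", []))
    return {
        "loader_present": bool(LOADER_RE.search(text)),
        "pixel_ids": sorted(pixel_ids),
        "events": sorted(events),
        "review_first": sorted(events & REVIEW_FIRST),
    }

if __name__ == "__main__":
    for key, value in audit_page(SAMPLE_PAGE).items():
        print(f"{key}: {value}")
```

This only inspects static HTML; a Pixel injected at runtime by a tag manager will not appear, so the browser's network log should also be checked for requests to the same hosts.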

Last year, we reported that a long string of complaints and lawsuits against hospitals and Meta for collecting data on hospital websites has included UCSF Medical Center, Dignity Health, Northwestern Memorial Hospital and Baltimore’s Medstar Health System. Litigants claim that the data acquired violates the Health Insurance Portability and Accountability Act (HIPAA).

“We should absolutely be concerned about the amount of data Meta can hold on individuals,” Schroeder of Epic said. “Not only is this a huge risk for breaches – and Meta has already had and been penalized for several major data breaches in the past – but the data can be used to infer even more information about an individual that they may not voluntarily share.”

 

APPROACHES

Device and Browser Configurations: Cyber Security Awareness Training

Commonality of attack:  N/A

Article on the story: As Threads app thrives, experts warn of Meta’s string of privacy violations