Threads collects so much sensitive information it’s a “hacker’s dream,” experts say

TORONTO — It knows when you’ve shopped online, when you last worked out, and if you’ve been lurking on your ex’s profile.

Meta’s new social media platform Threads gobbles up massive amounts of sensitive data about its 100 million users and counting.

The specificity and amount of information that the text and multimedia platform can access poses a risk to most users, if it falls into the wrong hands or is used to target them, technical experts agree.

“This is every hacker’s dream,” said Claudette McGowan, a longtime bank executive who founded Protexxa, a Toronto-based platform that uses artificial intelligence to quickly identify and fix cyber problems for employees.

“The more data you have in a given position (or place), the more people are going to get really excited about accessing it and being really creative with it.”

Threads is governed by Meta’s broader privacy policy that covers its other social media platforms, Facebook and Instagram. That policy describes how Meta records everything from the information you provide when you sign up for accounts, to what you click or like, who you befriend online, and what kind of phone, computer, or tablet you use to access get to its products.

It also tracks what you do on your device, such as whether the app is in the foreground or your mouse is moving, messages you send and receive, and details about purchases you make, including credit card information.

Threads also has its own supplemental privacy policy, which states “we collect information about your activity on Threads, including the content you create, the types of content you view or use and how you interact with it, metadata about your content, the Threads features you use and how you use them, the hashtags you use, and the time, frequency, and duration of your activity on Threads.

The privacy policy that Threads has embedded in Apple’s app store shows that it may collect and link data to your identity, including your health and fitness, financial data, browsing history, location, and contact information, along with the broad category of “sensitive information” .

“It seems to me like it’s a grab bag or a drift net approach,” said Brett Caraway, a professor of media economics at the University of Toronto.

That approach is not unusual for social media services or other apps. It has become “standard repertoire” for such companies to mediate access to as much data as possible, he said.

For example, music-focused social media app TikTok collects usernames, passwords, dates of birth, email addresses, phone numbers, information revealed in user profiles, photos, and videos. It also records preferences you have set, content you upload, comments you make, websites you have visited, apps you have downloaded and purchases you have made.

Screen resolution, keystroke patterns, battery levels, audio settings, and “your approximate location, including location information based on your SIM card and/or IP address” are also picked up by TikTok.

Caraway often hears from students who wonder why they should care if social media companies have access to their data because they aren’t high profile and don’t use such apps for controversial activities.

“Just because you’re safe today doesn’t mean you’ll be safe tomorrow,” argues Caraway.

“We certainly see a situation in the US where certain marginalized populations are under attack, at least rhetorically and sometimes legally, and you could find yourself part of one of those marginalized populations.”

Regardless of what you do on social media, Caraway said these companies “don’t empower users to bargain.”

“You just have to take what the platform gives you.”

When asked about the app’s privacy concerns, Meta The Canadian Press referred to Threads posts by its chief privacy officer Rob Sherman, where he argued that the privacy measures are “similar to the rest of our social apps, including Instagram, in that our apps receive all the information you share in the app – including the categories of data listed in the App Store.

“People can choose to share different types of data,” he wrote.

Before signing up for Threads or any other service, McGowan encourages people to move beyond a cursory glance at the privacy policy they’re agreeing to and read it more thoroughly, considering how the data may be used.

“People just don’t understand the value of the data,” says McGowan.

“They become the product. Money is made doing things they can’t even imagine and they think they’re making decisions and formulating opinions that are really formed and decided for them.”

She also advises people to reflect on a company’s history.

“Do they have a track record of handling sensitive information with care?” she wondered.

“Do they have a track record of being transparent, open and honest with their user community?”

In the case of Threads, parent company Meta was notoriously mired in privacy concerns in 2018, when it was revealed that consulting firm Cambridge Analytica had paid a Facebook app developer to access the personal information of about 87 million users.

The personal information was used to target American voters during the country’s presidential election, which ended with Donald Trump in power.

Threads has yet to launch in the European Union, which has strict data privacy rules.

“We would have loved to offer Threads in the EU at the same time as other markets, and today the app meets the requirements of the General Data Protection Regulation,” Sherman said on Threads.

“However, building this offering against the backdrop of other regulatory requirements that have not yet been clarified could potentially take much longer, and given this uncertainty, we have prioritized bringing this new product to as many people as possible.”

If you’re unsure about an account you’ve signed up for in light of such developments, most services provide tools that allow you to adjust settings, limiting access to some of your personal information.

“And you always have the option to disconnect,” McGowan added.

However, to dump your Threads profile, which is embedded in Instagram, you’ll also need to delete your Instagram account.

This report from The Canadian Press was first published on July 16, 2023.

—

Meta funds a limited number of grants that support emerging journalists at The Canadian Press.

PART: