Meta’s New Twitter Rival Threads Has Complex Privacy Issues

Posted on Jul 14, 2023 by Glyn Moody

The last few days have seen widespread excitement about the launch of Meta’s new Twitter rival, Threads. The uptake has been rapid: 30 million people signed up for Threads in the first 24 hours, and after five days, the number had reached 100 million. Despite its surging popularity, privacy issues surrounding the app have loomed large.

Apple’s App Store provides details about the information that Threads can collect about users. The third-party advertising section alone reads as follows:

  • Purchases (purchase history)
  • Financial info (other financial info)
  • Location (precise location, coarse location)
  • Contact info (physical address, email address, name, phone number, other user contact info)
  • Contacts
  • User content (photos or videos, gameplay content, other user content)
  • Search history
  • Browsing history
  • Identifiers (user ID, device ID)
  • Usage Data (product interaction, advertising data, other usage data)
  • Diagnostics (crash data, performance data, other diagnostic data)
  • Other data

An article on Wired lists the other main categories of personal information that Threads gathers: developer’s advertising or marketing, analytics, product personalization, app functionality, and “other purposes.” Each category includes an extensive list of data points, showing that overall, Threads is collecting far more data than other rivals in the space such as Bluesky. In comparison, the open source, federated social network Mastodon collects absolutely no information about its users, which shows that doing so is a choice, not a necessity.

The quantity of personal data that Threads can capture is a serious problem in the EU. Meta has recently been hit with a 1.2 billion euro fine (around $1.3 billion) for violating the EU’s General Data Protection Regulation (GDPR) by sending EU citizens’ personal data to the US where it could be subject to mass surveillance. While Meta might just see billion-dollar fines as the cost of doing business in the EU, a recent decision by the EU’s top court, the Court of Justice of the European Union (CJEU), cannot be shrugged off so easily.

Here’s what happened according to the noyb.eu organization, which has been successfully bringing privacy cases against Facebook and Meta for years:

“The GDPR allows for six legal bases to process personal data. In the case Meta v Bundeskartellamt, the CJEU has today ruled on all of them – further clarifying the interpretation of the GDPR. The CJEU has largely closed the doors for Meta to use personal data beyond what is strictly necessary to provide the core products (such as messaging or sharing content) – all other processing (like advertisement and sharing personal data) requires freely given and fair consent by users.”

This is a major judgment that strikes at the heart of personalized advertising-based business models. It’s not clear what the way forward for Meta (and other companies) will be. The GDPR’s stringent privacy protections are thought to be the main reason that Threads is not available in the EU at present – a huge market that Meta would want to capitalize on if it could.

The problems caused by Threads’ massive collection of personal data are probably one reason why much of Meta’s post about its new service concerns an apparently rather obscure technical aspect:

“Soon, we are planning to make Threads compatible with ActivityPub, the open social networking protocol established by the World Wide Web Consortium (W3C), the body responsible for the open standards that power the modern web. This would make Threads interoperable with other apps that also support the ActivityPub protocol, such as Mastodon and WordPress – allowing new types of connections that are simply not possible on most social apps today. Other platforms including Tumblr have shared plans to support the ActivityPub protocol in the future.”

As we previously discussed, basing a social network on the ActivityPub protocol creates big benefits for users. Chief among them is the ability to move between different services that support it without losing your social network. This could potentially be great news for data protection as it means people can move away from services that fail to respect their privacy to platforms that do. In other words, it allows for far more control than is possible at the moment while people are trapped within the walled gardens of Facebook, Instagram, Twitter, and others.

Despite Meta’s plans to make Threads “compatible” with ActivityPub – and it’s unclear what exactly that means – it will not be a simple matter, for reasons explained in a post by Richard MacManus on The New Stack. Leaving aside the technical issues of linking hundreds of millions of Threads users with multiple external social networks, there are also broader concerns.

Some worry that this will be a classic case of embrace, extend, and extinguish, because the influx of millions of Threads users will overwhelm today’s much smaller social networks built around ActivityPub. Others, like Watts Martin, believe that Meta has no interest in such a takeover because it’s not worth the effort. In any case, Eugen Rochko, the creator of the leading ActivityPub social network, Mastodon, welcomes the move:

“The fact that large platforms are adopting ActivityPub is not only validation of the movement towards decentralized social media, but a path forward for people locked into these platforms to switch to better providers.”

If and when Meta adds ActivityPub compatibility to Threads, it will become clearer how it will interoperate with existing social networks there, and whether people will be able to migrate from Threads along with their social graph. That would be a huge win not just for ActivityPub and decentralized social networks, but for online privacy in general.

Featured image by Meta.