Threads collects so much sensitive information it’s a ‘hacker’s dream,’ experts say

Threads collects so much sensitive information it's a 'hacker's dream,' experts say
CHEK

It knows when you’ve been online shopping, the last time you worked out and whether you’ve been lurking on your ex’s profile.

Meta’s new social media platform Threads is gobbling up massive amounts of sensitive data on its 100 million users and counting.

The specificity and quantity of information the text and multimedia platform can access poses a risk to most users, if it falls into the wrong hands or is used to target them, tech experts agree.

“This is a hacker’s dream,” said Claudette McGowan, a longtime banking executive who founded Protexxa, a Toronto-based platform that uses artificial intelligence to rapidly identify and resolve cyber issues for employees.

“The more data you have sitting in a certain position (or) spot is going to get people really, really excited about getting access to it and being very creative about it.”

RELATED: Canadian police, emergency agencies consider adopting Meta’s Threads

Threads falls under Meta’s wider privacy policy that covers its other social media platforms, Facebook and Instagram. That policy details how Meta captures everything from the information you give it when you sign up for accounts, to what you click on or like, who you befriend online and what kind of phone, computer or tablet you use to access its products.

It also keeps tabs on what you’re doing on your device, like whether the app is in the foreground or if your mouse is moving, messages you send and receive and details on purchases you make, including credit card information.

Threads also has its own supplemental privacy policy, which says “we collect information about your activity on Threads, including the content you create, the types of content you view or interact with and how you interact with it, metadata about your content, the Threads features you use and how you use them, the hashtags you use, and the time, frequency, and duration of your activities on Threads.”

The privacy policy Threads has embedded in Apple’s app store shows it may collect, and link to your identity, data including your health and fitness, financial, browsing history, location and contact information, along with the broad category of “sensitive information.”

“It looks to me like it is a grab bag or a drift-net approach,” said Brett Caraway, a professor of media economics at the University of Toronto.

That approach is not unusual for social media services or other apps. It’s become “standard repertoire” for such companies to broker access to as much data as possible, he said.

Music-centric social media app TikTok, for example, collects usernames, passwords, dates of birth, email addresses, telephone number, information disclosed in user profiles, photographs and videos. It also grabs preferences you set, content you upload, comments you make, websites you’ve visited, apps you’ve downloaded and purchases you have made.

Screen resolution, keystroke patterns, battery levels, audio settings and “your approximate location, including location information based on your SIM card and/or IP address” are also scooped up by TikTok.

Caraway often hears from students who wonder why they should care if social media companies access their data because they’re not high-profile and don’t use such apps for controversial activities.

“Just because you’re safe today doesn’t mean you’re safe tomorrow,” Caraway argues.

“We’re certainly seeing a situation in the U.S. where certain marginalized populations are under attack, at least rhetorically and sometimes legally, and you might find yourself as part of one of those marginalized populations.”

Regardless of what you do on social media, Caraway said these companies leave users “not in the position to bargain.”

“You just have to take what the platform gives you.”

Asked about the app’s privacy concerns, Meta referred The Canadian Press to Threads posts from its chief privacy officer Rob Sherman, where he argued its privacy measures “are similar to the rest of our social apps, including Instagram, in that our apps receive whatever information you share in the app — including the categories of data listed in the App Store.”

“People can choose to share different kinds of data,” he wrote.

Before signing up for Threads or any other service, McGowan recommends people go beyond a cursory glance at the privacy policy they are agreeing to and read it more thoroughly with how the data could be used in mind.

“People just don’t understand the value of the data,” said McGowan.

“They become the product. Things are being monetized that they don’t even envision and they’re thinking they’re making decisions and formulating opinions that really are being formed and decided for them.”

She also advises people to consider a company’s history.

“Do they have a track record of handling sensitive information with care?” she questioned.

“Do they have a track record of being transparent and open and honest with their user community?”

In the case of Threads, its parent company Meta was infamously ensnared in privacy concerns in 2018, when it was revealed that consulting firm Cambridge Analytica paid a Facebook app developer for access to the personal information of about 87 million users.

The personal info was used to target U.S. voters during the country’s presidential election that ended with Donald Trump in power.

Threads has yet to launch in European Union, which has strict data privacy rules.

“We would have liked to offer Threads in the EU at the same time as other markets, and the app does meet General Data Protection Regulation requirements today,” Sherman has said on Threads.

“But building this offering against the backdrop of other regulatory requirements that have not yet been clarified would potentially take a lot longer, and in the face of this uncertainty, we prioritized offering this new product to as many people as possible.”

If you’re having second thoughts about an account you’ve signed up for in light of such developments, most services offer tools that help you adjust settings, limiting access to some of your personal information.

“And you always have the option to disconnect,” McGowan added.

However, to dump your Threads profile, which is embedded in Instagram, you must also delete your Instagram account.

This report by The Canadian Press was first published July 16, 2023.

Meta funds a limited number of fellowships that support emerging journalists at The Canadian Press.

The Canadian PressThe Canadian Press

Recent Stories

Send us your news tips and videos!