Meta’s new text-based conversation platform Threads launched with a bang earlier this month, surpassing 100 million sign-ups less than a week after it became available to the public on July 5.
But soon after the app—seen as a direct threat to Twitter, which recently became X— was released, users on Twitter began posting screenshots of Threads’ privacy policy published on Apple’s App store. Some pointed out the app’s terms of service give Meta permission to collect a trove of data, including information on user’s health, financial information, location, search history.
Data privacy experts say that, though this level of data collection is not unique to Threads, users do risk handing over even more personal information to a company that already knows a lot about account holders. And as Meta looks towards turning Threads into a decentralized service, which would allow users to view Threads content across other apps and theoretically give them more control over their data, experts warn that the move could expand the company’s reach across the internet.
Meta’s deputy chief privacy officer, Rob Sherman has said that privacy policy on the App Store isn’t fully representative of the platform’s actual policy and said that users can “choose to share different kinds of data,” in a post on Threads on July 10.
“In general, Threads collects [the same data that] Facebook and Instagram do, which is much more information than is necessary for the app to function and much more information than is collected on Twitter or many of the other Twitter alternatives,” Calli Schroeder, Global Privacy Counsel at the Electronic Privacy Information Center told TIME in an email.
A review by TIME of Threads and X’s policies on Apple’s App Store shows that X collects much of the same information—such as browsing and purchase history—as Threads, though X’s privacy policy does not include the “sensitive information,” financial information, or health and fitness categories that Threads does. Threads’ privacy policy does not specify what information is considered sensitive.
Threads users require an Instagram account to sign up, which means many may already have the same data collected about them. Despite this, privacy experts still say users should be cautious about signing up for Threads.
Read More: The Best Twitter Alternatives if You’re Ditching X
“This information will most likely be used to create a more hyper-personalized and targeted experience on the app, shared with and sold to advertisers, or added to the already massive troves of personal data Meta has collected on individuals via its other platforms and outside sources,” says Schroeder. A Meta spokesperson told TIME over the phone that the company provides a number of controls for people to manage how their data is used for ads, such as ad preferences, and the “Why Am I Seeing This?” feature, which provides context about why users are being shown specific ads.
Here’s what to know about Threads’ data collection policy and plans for decentralization.
What data can apps access?
According to its listing on the Apple App Store, Threads can collect information about a user’s health, finance, contacts, search history, location, and other sensitive information via their digital activity.
In his post on Threads, Meta’s Sherman said that users should consult Meta’s own privacy policies to best understand the data the app collects. “The labels are similar to the rest of our apps, including Instagram, in that our social apps receive whatever info (including the categories of data listed in the App Store) you share in the app. People can choose to share different kinds of data,” he said. “Meta’s privacy policy, and the Threads supplementary privacy policy, are the best resources to understand how Threads uses and collects data.”
Experts say that much of the information users agree to let the app collect is already available to companies—especially if they already use Meta’s other services like Facebook or Instagram.
“Quite frankly, in terms of collection, this is par for the course for everybody,” says Jim Waldo, a professor at Harvard University whose research focuses on privacy.
Even so, Nazanin Andalibi, assistant professor of information at the University of Michigan, says that users concerned about privacy should still proceed with caution, and be wary of “going further into the Meta ecosystem” by signing up for a new app like Threads.
People use different platforms differently, Andalibi says—for example, you might use Facebook to keep up with family, Instagram for friends, and Threads for work. While they might seem like separate worlds, the information you give to each app all goes back to the same company.
“Now Meta knows who all your friends are and and who your family’s friends are and it can build social graphs around that to give it a lot of information,” adds Waldo. “If you use more and more of Meta’s apps, they get a fuller picture of your activity.”
Threads’ release in the E.U. is on hold amid regulatory uncertainty. The E.U.’s Digital Markets Act, passed last year, prevents large companies like Meta from sharing user data across multiple platforms. “We would have liked to offer Threads in the EU at the same time as other markets, and the app does meet GDPR requirements today,” Sherman wrote in a Thread, “But building this offering against the backdrop of other regulatory requirements that have not yet been clarified would potentially take a lot longer, and in the face of this uncertainty, we prioritized offering this new product to as many people as possible.”
Meta has come under fire for its handling of data privacy in the past. In May, the company was fined a record $1.3 billion for data privacy violations in the E.U. The company said it had been “singled out” and that it used the same legal mechanisms as thousands of other companies in the E.U. In the U.S. The Federal Trade Commission (FTC) has proposed an expansion of its 2020 consent order against Meta over its alleged misrepresentation of how much access app developers had to users’ private data. (Twitter recently protested its own FTC consent order around data practices, saying that the watchdog had made “unceasing demands.”)
In 2018, Facebook, which has since rebranded as Meta, disclosed that it had exposed the data of 87 million users of its Facebook platform to third parties, including Cambridge Analytica, a British political consulting group with ties to Donald Trump’s 2016 election campaign. A year later, the company agreed to pay a record $5 billion penalty to the FTC, one of the largest regulatory penalties ever imposed by the U.S. government on a company.
What do companies do with data?
Why does Threads want to know things like health and fitness or financial information? The answer has to do with advertising—the company’s bread and butter. Advertising revenue accounted for 97% of Meta’s overall revenue in 2022.
Data collection allows the app to create a finely-tuned profile of users that could be shared with third-party services, many of which use the information to create hyper-targeted ads, Andalibi says. “All of these different insights or information about people separately can be very sensitive and consequential in certain contexts,” she says.“Imagine targeted advertising in the context of infertility, or someone with an eating disorder seeing ads about weight loss.” (Meta says it made updates to its privacy policy in 2022 that give users more control over the ads they see.)
Threads does not currently support ads, but a Meta source told Axios that it would introduce ads once its “user base reaches a critical mass”.
Andalibi says there is no need for companies to access and store the data it does. Andalibi points to apps like Signal, which use encryption services to ensure user data is protected. “These are decisions that technology companies make—what data they collect, how they collect it, what they use it for, who they share it with, how long they keep it for,” she says. “It’s not an inevitable choice.”
Plans for decentralization
Meta has shared that Threads would “soon” be compatible with ActivityPub, a user-centric software that would give users the option to run their own servers, rather than just relying on Meta’s, known as decentralization. This tool could allow social media users to cross-post and interact with other platforms in what’s known as the “fediverse,” a group of social networks including Mastodon that allow users to communicate across platforms. This should give social media users control of their content, audience and data across platforms.
“Our vision is that people using compatible apps will be able to follow and interact with people on Threads without having a Threads account, and vice versa, ushering in a new era of diverse and interconnected networks. If you have a public profile on Threads, this means your posts would be accessible from other apps, allowing you to reach new people with no added effort,” the company said in an announcement.
In theory, this could give users further control over their data, as they’d be able to access Threads without downloading Meta’s platform. But what that means for the data the app is already collecting, and data on other platforms remains to be seen. (Meta told TIME that Thread’s supplementary privacy policy includes additional disclosures around how data is shared with third parties, to reflect the plan for Threads to eventually be interoperable with other apps.) The disclosures say that, even if users interact with Threads through a third-party service, Meta can still collect information about the third-party account and profile.
“It’s not clear what’s going to happen to all of the data that was collected from profiles before that point,” Andalibi says. Schroeder notes that Meta could end up tracking Threads interactions across servers, widening its reach. “In a way, this could just expand Meta’s reach and ability to see everything people do across the internet,” Schroeder says.
Musk took a different approach earlier this year when he began an effort to start charging for access to Twitter’s application programming interface (API), which lets third-party developers and researchers access Twitter data.
Read More: She Built an App to Block Harassment on Twitter. Elon Musk Killed It
What options do users in search of stricter privacy protocols have? One of the biggest things users can do is simply stay off the app, a move Schroeder says could help put pressure on the company to make decentralization a priority.
“My guess is that Meta will have little incentive to follow through on their decentralization promise if they get mass early buy-in for Threads,” says Schroeder. “Users may be able to push for decentralization if they refuse to sign up until Threads can be used outside current Meta platforms.”