Meta captures everything from the information you give it when you sign up for accounts, to what you click on or like, who you befriend online and what kind of phone, computer or tablet you use to access its products
Not that I’m ever going to use the app, but I’d like to point out as to why the collection of this specific dataset is particularly dangerous.
Threads scrapes Health and Fitness information. Why is this a problem? Because Meta is already illegally scraping hospital websites for your records. Speaking as a data analyst, it doesn’t take much (like one line of code in some cases) to match your Threads account to your hospital records in a database. To assume Meta isn’t attempting to do so as we speak is naive - there’s simply too much money to be made.
In an age where we’ve had to start underground railroads to help women across state lines to keep the right to choose, combined with the push from the far right to criminalize helping them, this sets up a frightening scenario:
Meta finds that you’ve scheduled an abortion through the hospital across state lines. With Threads on your phone, they can now track you as you travel to that appointment. It only takes one more step, or a law like this one tailored towards abortion, to notify law enforcement to pick you up enroute.
Combined with Meta’s overall right-leaning politics, it just doesn’t make sense to make yourself vulnerable to them, especially if you’re a member of a minority population or have any sort of health condition. There’s simply too much potential for abuse, and Meta has shown itself more than willing to abuse its users.
Because Meta is already illegally scraping hospital websites for your records.
Sorry, but this is just bad web design from the hospitals. This pixel tool doesn’t magically appear on websites without being put there deliberately. Literally any tracking tool can capture this stuff on any page that a developer puts it on. This is 100% the fault of the programmer at the hospital (or the admin that made them do it) that decided to put tracking cookies on sensitive pages.
The hospital administrators decided it was more important to get their precious reports on usage from Meta’s portal than protecting their patients.
I’m pissed that I’ve had to defend Meta here, but this one isn’t on them.
Someone on my Mastodon feed put this best: People who aren’t tech saavy STILL deserve privacy, security and safety.
Hospitals are full of people who understand medicine, not tech. Because that’s what they are. Administrators don’t even know what to ask to hire a good tech person, and when a tech person gets in there any change they make has a danger of disrupting livesaving systems so they can’t do anything anyway. It sucks, but HIPAA still says those records are private and you’re not supposed to be looking at them without having a good reason to. The hospitals are liable for not protecting them properly, but Meta is still in the wrong and still breaking the law by scarping for them.
Ultimately, this is everyone’s fault but the patients and the patients are the people who are wronged by it.
If I leave my door unlocked while I’m gone, and you come in and steal my laptop, it’s still theft. Yes, I’m an idiot, but you’re still a criminal.
That being said, I fully agree with you that the hospitals should bear equal fault - the lack of protections around patient records is criminal, and I’d really like to see those whose records were exposed sue both the hospitals at fault and Meta, or better yet, a criminal case from the FTC and the Department of Health.
Not likely, I know, but I’m a dreamer.
Not trying to be a hater, but that analogy isn’t quite right. The web designers didn’t leave their door unlocked. They invited Meta in, put their laptop in Meta’s hands, and then said “Please take this. Enjoy.” They weren’t idiots. They chose to give Meta that data deliberately.
Medical institutions need to be held to account as much as Meta does for everything they do. I agree with that completely.
So now you got me digging into this because I take an absurd amount of pride in my analogies, and it looks like the Meta Pixel tech they embedded was basically like the standard Google Analytics tracking tag on most websites. The hospitals were stupid to install it on their password protected pages, but they were also misled in the fact that Meta’s Pixel took far more data than a standard tracking tag, claimed they weren’t tracking sensitive data when they were, then claimed to filter the data even though their engineers admitted they couldn’t:
The Markup was unable to confirm whether any of the data referenced in this story was in fact removed before being stored by Meta. However, a recent joint investigation with Reveal found that Meta’s sensitive health information filtering system didn’t block information about appointments a reporter requested with crisis pregnancy centers.
Internally, Facebook employees have been blunt about how well—or not so well—the company generally protects sensitive data.
“We do not have an adequate level of control and explainability over how our systems use data, and thus we can’t confidently make controlled policy changes or external commitments such as ‘we will not use X data for Y purpose.’ ” Facebook engineers on the ad and business product team wrote in a 2021 privacy overview that was leaked to Vice.
So, to perfect the analogy, this would be like a hotel installing security cameras in their rooms, and then finding out the company that makes the cameras and runs the network is selling porn starring its customers. Not only that, now that the porn is in their system, it can’t be adequately filtered or removed.
The hotel is stupid and liable, but the security company is just flat out vile.
Ok, I’m done. Have an upvote for putting up with that ;)
Meta captures everything from the information you give it when you sign up for accounts, to what you click on or like, who you befriend online and what kind of phone, computer or tablet you use to access its products
I mean, yeah? None of that is unique to threads nor meta and half of that is information required to run the service
Threads Data linked to you
Third-party advertising:- Purchases (Purchase History)
- Financial Info (Other Financial Info)
- Location (Precise Location, Coarse Location)
- Contact Info (Physical Address, Email Address, Name, Phone Number, Other User Contact Info)
- Contacts
- User Content (Photos or Videos, Gameplay Content, Other User Content)
- Search History
- Browsing History
- Identifiers (User ID, Device ID)
- Usage Data (Product Interaction, Advertising Data, Other Usage Data)
- Diagnostics (Crash Data, Performance Data, Other Diagnostic Data)
- Other Data
Developer’s advertising or marketing:
- Purchases (Purchase History)
- Financial Info (Other Financial Info)
- Location (Precise Location, Coarse Location)
- Contact Info (Physical Address, Email Address, Name, Phone Number, Other User Contact Info)
- Contacts
- User Content ( Photos or Videos, Gameplay Content, Other User Content)
- Search History
- Browsing History
- Identifiers (User ID, Device ID)
- Usage Data (Product Interaction, Advertising Data, Other Usage Data)
- Diagnostics (Crash Data, Performance Data, Other Diagnostic Data)
- Other Data
Analytics:
- Health & Fitness (Health, Fitness)
- Purchases (Purchase History, Financial Info, Payment Info, Other Financial Info)
- Location (Precise Location, Coarse Location)
- Contact Info (Physical Address, Email Address, Name, Phone Number, Other User Contact Info)
- Contacts
- User Content (Photos or Videos, Audio Data, Gameplay Content, Customer Support, Other User Content)
- Search History
- Browsing History
- Identifiers (User ID, Device ID)
- Usage Data (Product Interaction, Advertising Data, Other Usage Data)
- Sensitive Info
- Diagnostics (Crash Data, Performance Data, Other Diagnostic Data)
- Other Data
Product Personalization:
- Purchases (Purchase History)
- Financial Info (Other Financial Info)
- Location (Precise Location, Coarse Location)
- Contact Info (Physical Address, Email Address, Name, Phone Number, Other User Contact Info)
- Contacts
- User Content (Photos or Videos, Gameplay Content, Other User Content)
- Search History
- Browsing History
- Identifiers (User ID, Device ID)
- Usage Data (Product Interaction, Advertising Data, Other Usage Data)
- Sensitive Info
- Diagnostics (Crash Data, Performance Data, Other Diagnostic Data)
- Other Data
App functionality:
- Health & Fitness (Health, Fitness)
- Purchases (Purchase History)
- Financial Info (Payment Info, Credit Info, Other Financial Info)
- Location (Precise Location, Coarse Location)
- Contact Info (Physical Address, Email Address, Name, Phone Number, Other User Contact Info)
- Contacts
- User Content (Emails or Text Messages, Photos or Videos, Audio Data, Gameplay Content, Customer Support, Other User Content)
- Search History
- Browsing History
- Identifiers (User ID, Device ID)
- Usage Data (Product Interaction, Advertising Data, Other Usage Data)
- Sensitive Info
- Diagnostics (Crash Data, Performance Data, Other Diagnostic Data)
- Other Data
Other purposes:
- Purchases (Purchase History)
- Financial Info (Other Financial Info)
- Location (Precise Location, Coarse Location)
- Contact Info (Physical Address, Email Address, Name, Phone Number, Other User Contact Info)
- Contacts
- User Content (Photos or Videos, Gameplay Content, Customer Support, Other User Content)
- Search History
- Browsing History
- Identifiers (User ID, Device ID)
- Usage Data (Product Interaction, Advertising Data, Other Usage Data)
- Diagnostics (Crash Data, Performance Data, Other Diagnostic Data)
- Other Data
As compared to Mastadon:
[Blank Space]
And yet the article decided to use 4 things that are inconsequential as their headline topics rather than that list
The press is complicit.
So you didn’t read the article, and just read the headline and lede.
I mean, yeah, but this is also true compared to writing your thoughts down in a paper journal or a self-hosted WordPress blog. Comparing it to Mastodon is only meaningful if you’re specifically evangelizing for Mastodon. You’re preaching to the choir here.
Your source touches on this, but a more meaningful comparison would be the social networks that are already being used by the same demographic. Is Threads use of data excessive or unusual compared the existing apps from Meta or its direct peers? How does it compare to Facebook, Instagram, Twitter, Tiktok, Snapchat, etc.? How does it compare to ubiquitous Google apps like YouTube, Gmail, Chrome, etc?
Yeah, excessive tracking is Not Good, but it’s nowhere near unique to Threads.
The cybersecurity startup the parent article is built around, Protexxa, have their own Twitter, Instagram, LinkedIn, etc. as does its founder and CEO.
So what’s the point of the article? Why Threads? Why now?
I kept a blog for ten years, I didn’t write down my health info, my contact info, and my financial info on it.
And attention is being paid to Threads because yes, the access to health info is unusal. Other social media apps haven’t asked for that unless they were specifically fitness apps.
It’s bad that other ones track stuff, but it’s not just stuff anyone puts on the internet just by being there, and they ARE taking an unprecedented step here.
I kept a blog for ten years, I didn’t write down my health info, my contact info, and my financial info on it.
That was my point. It isn’t that Mastodon is the alternative to Threads, it’s just an alternative. The are plenty of systems of sharing short status updates with people that won’t involve as many privacy threats.
And attention is being paid to Threads because yes, the access to health info is unusal. Other social media apps haven’t asked for that unless they were specifically fitness apps.
Instagram also collects health info, which it has no intrinsic need for. This is important to note because, fundamentally, Threads is Instagram. That’s why it collects the same data.
Personally, I think it says a lot that they can’t release it in the EU yet because it gathers so much data. Plus, we know Meta can’t be trusted with people’s data. It’s gathering more than other Meta apps and need to be aware of it.
As far as I know, they didn’t want to rush it out in the EU because they didn’t know if they’d fall foul of rules or not and they couldn’t wait weeks or months just to find out. Not because they can’t. Though, ironically, I think federation would cause the biggest problems. (How do you support the right to be forgotten when it’s not technically possible?)