this post was submitted on 16 Jul 2023
49 points (100.0% liked)

Technology

12 readers
1 users here now

This magazine is dedicated to discussions on the latest developments, trends, and innovations in the world of technology. Whether you are a tech enthusiast, a developer, or simply curious about the latest gadgets and software, this is the place for you. Here you can share your knowledge, ask questions, and engage in discussions on topics such as artificial intelligence, robotics, cloud computing, cybersecurity, and more. From the impact of technology on society to the ethical considerations of new technologies, this category covers a wide range of topics related to technology. Join the conversation and let's explore the ever-evolving world of technology together!

founded 1 year ago
49
Threads collects so much sensitive information it’s a ’hacker’s dream,’ experts say (nationalpost.com)
submitted 1 year ago by [email protected] to c/[email protected]
37 comments fedilink hide all child comments
 

Meta captures everything from the information you give it when you sign up for accounts, to what you click on or like, who you befriend online and what kind of phone, computer or tablet you use to access its products

top 29 comments
sorted by: hot top controversial new old
[–] [email protected] 22 points 1 year ago (2 children)

Not that I'm ever going to use the app, but I'd like to point out as to why the collection of this specific dataset is particularly dangerous.

Threads scrapes Health and Fitness information. Why is this a problem? Because Meta is already illegally scraping hospital websites for your records. Speaking as a data analyst, it doesn't take much (like one line of code in some cases) to match your Threads account to your hospital records in a database. To assume Meta isn't attempting to do so as we speak is naive - there's simply too much money to be made.

In an age where we've had to start underground railroads to help women across state lines to keep the right to choose, combined with the push from the far right to criminalize helping them, this sets up a frightening scenario:

Meta finds that you've scheduled an abortion through the hospital across state lines. With Threads on your phone, they can now track you as you travel to that appointment. It only takes one more step, or a law like this one tailored towards abortion, to notify law enforcement to pick you up enroute.

Combined with Meta's overall right-leaning politics, it just doesn't make sense to make yourself vulnerable to them, especially if you're a member of a minority population or have any sort of health condition. There's simply too much potential for abuse, and Meta has shown itself more than willing to abuse its users.

[–] [email protected] 4 points 1 year ago (2 children)

Because Meta is already illegally scraping hospital websites for your records.

Sorry, but this is just bad web design from the hospitals. This pixel tool doesn't magically appear on websites without being put there deliberately. Literally any tracking tool can capture this stuff on any page that a developer puts it on. This is 100% the fault of the programmer at the hospital (or the admin that made them do it) that decided to put tracking cookies on sensitive pages.

The hospital administrators decided it was more important to get their precious reports on usage from Meta's portal than protecting their patients.

I'm pissed that I've had to defend Meta here, but this one isn't on them.

[–] [email protected] 9 points 1 year ago (1 children)

If I leave my door unlocked while I'm gone, and you come in and steal my laptop, it's still theft. Yes, I'm an idiot, but you're still a criminal.

That being said, I fully agree with you that the hospitals should bear equal fault - the lack of protections around patient records is criminal, and I'd really like to see those whose records were exposed sue both the hospitals at fault and Meta, or better yet, a criminal case from the FTC and the Department of Health.

Not likely, I know, but I'm a dreamer.

[–] [email protected] 5 points 1 year ago (1 children)

Not trying to be a hater, but that analogy isn't quite right. The web designers didn't leave their door unlocked. They invited Meta in, put their laptop in Meta's hands, and then said "Please take this. Enjoy." They weren't idiots. They chose to give Meta that data deliberately.

Medical institutions need to be held to account as much as Meta does for everything they do. I agree with that completely.

[–] [email protected] 7 points 1 year ago* (last edited 1 year ago)

So now you got me digging into this because I take an absurd amount of pride in my analogies, and it looks like the Meta Pixel tech they embedded was basically like the standard Google Analytics tracking tag on most websites. The hospitals were stupid to install it on their password protected pages, but they were also misled in the fact that Meta's Pixel took far more data than a standard tracking tag, claimed they weren't tracking sensitive data when they were, then claimed to filter the data even though their engineers admitted they couldn't:

The Markup was unable to confirm whether any of the data referenced in this story was in fact removed before being stored by Meta. However, a recent joint investigation with Reveal found that Meta’s sensitive health information filtering system didn’t block information about appointments a reporter requested with crisis pregnancy centers.

Internally, Facebook employees have been blunt about how well—or not so well—the company generally protects sensitive data.

“We do not have an adequate level of control and explainability over how our systems use data, and thus we can’t confidently make controlled policy changes or external commitments such as ‘we will not use X data for Y purpose.’ ” Facebook engineers on the ad and business product team wrote in a 2021 privacy overview that was leaked to Vice.

So, to perfect the analogy, this would be like a hotel installing security cameras in their rooms, and then finding out the company that makes the cameras and runs the network is selling porn starring its customers. Not only that, now that the porn is in their system, it can't be adequately filtered or removed.

The hotel is stupid and liable, but the security company is just flat out vile.

Ok, I'm done. Have an upvote for putting up with that ;)

[–] [email protected] 5 points 1 year ago* (last edited 1 year ago) (1 children)

Someone on my Mastodon feed put this best: People who aren't tech saavy STILL deserve privacy, security and safety.

Hospitals are full of people who understand medicine, not tech. Because that's what they are. Administrators don't even know what to ask to hire a good tech person, and when a tech person gets in there any change they make has a danger of disrupting livesaving systems so they can't do anything anyway. It sucks, but HIPAA still says those records are private and you're not supposed to be looking at them without having a good reason to. The hospitals are liable for not protecting them properly, but Meta is still in the wrong and still breaking the law by scarping for them.

Ultimately, this is everyone's fault but the patients and the patients are the people who are wronged by it.

[–] [email protected] 2 points 1 year ago

Can't say I disagree with your take.

[–] [email protected] 4 points 1 year ago (1 children)

Shit fuck shit fuck

[–] [email protected] 1 points 1 year ago

IKR? It's like 1984 and the Handsmaid's Tale got together and are talking about having kids....

[–] [email protected] 10 points 1 year ago (2 children)

Meta captures everything from the information you give it when you sign up for accounts, to what you click on or like, who you befriend online and what kind of phone, computer or tablet you use to access its products

I mean, yeah? None of that is unique to threads nor meta and half of that is information required to run the service

[–] [email protected] 11 points 1 year ago (2 children)

Threads Data linked to you
Third-party advertising:

  • Purchases (Purchase History)
  • Financial Info (Other Financial Info)
  • Location (Precise Location, Coarse Location)
  • Contact Info (Physical Address, Email Address, Name, Phone Number, Other User Contact Info)
  • Contacts
  • User Content (Photos or Videos, Gameplay Content, Other User Content)
  • Search History
  • Browsing History
  • Identifiers (User ID, Device ID)
  • Usage Data (Product Interaction, Advertising Data, Other Usage Data)
  • Diagnostics (Crash Data, Performance Data, Other Diagnostic Data)
  • Other Data

Developer's advertising or marketing:

  • Purchases (Purchase History)
  • Financial Info (Other Financial Info)
  • Location (Precise Location, Coarse Location)
  • Contact Info (Physical Address, Email Address, Name, Phone Number, Other User Contact Info)
  • Contacts
  • User Content ( Photos or Videos, Gameplay Content, Other User Content)
  • Search History
  • Browsing History
  • Identifiers (User ID, Device ID)
  • Usage Data (Product Interaction, Advertising Data, Other Usage Data)
  • Diagnostics (Crash Data, Performance Data, Other Diagnostic Data)
  • Other Data

Analytics:

  • Health & Fitness (Health, Fitness)
  • Purchases (Purchase History, Financial Info, Payment Info, Other Financial Info)
  • Location (Precise Location, Coarse Location)
  • Contact Info (Physical Address, Email Address, Name, Phone Number, Other User Contact Info)
  • Contacts
  • User Content (Photos or Videos, Audio Data, Gameplay Content, Customer Support, Other User Content)
  • Search History
  • Browsing History
  • Identifiers (User ID, Device ID)
  • Usage Data (Product Interaction, Advertising Data, Other Usage Data)
  • Sensitive Info
  • Diagnostics (Crash Data, Performance Data, Other Diagnostic Data)
  • Other Data

Product Personalization:

  • Purchases (Purchase History)
  • Financial Info (Other Financial Info)
  • Location (Precise Location, Coarse Location)
  • Contact Info (Physical Address, Email Address, Name, Phone Number, Other User Contact Info)
  • Contacts
  • User Content (Photos or Videos, Gameplay Content, Other User Content)
  • Search History
  • Browsing History
  • Identifiers (User ID, Device ID)
  • Usage Data (Product Interaction, Advertising Data, Other Usage Data)
  • Sensitive Info
  • Diagnostics (Crash Data, Performance Data, Other Diagnostic Data)
  • Other Data

App functionality:

  • Health & Fitness (Health, Fitness)
  • Purchases (Purchase History)
  • Financial Info (Payment Info, Credit Info, Other Financial Info)
  • Location (Precise Location, Coarse Location)
  • Contact Info (Physical Address, Email Address, Name, Phone Number, Other User Contact Info)
  • Contacts
  • User Content (Emails or Text Messages, Photos or Videos, Audio Data, Gameplay Content, Customer Support, Other User Content)
  • Search History
  • Browsing History
  • Identifiers (User ID, Device ID)
  • Usage Data (Product Interaction, Advertising Data, Other Usage Data)
  • Sensitive Info
  • Diagnostics (Crash Data, Performance Data, Other Diagnostic Data)
  • Other Data

Other purposes:

  • Purchases (Purchase History)
  • Financial Info (Other Financial Info)
  • Location (Precise Location, Coarse Location)
  • Contact Info (Physical Address, Email Address, Name, Phone Number, Other User Contact Info)
  • Contacts
  • User Content (Photos or Videos, Gameplay Content, Customer Support, Other User Content)
  • Search History
  • Browsing History
  • Identifiers (User ID, Device ID)
  • Usage Data (Product Interaction, Advertising Data, Other Usage Data)
  • Diagnostics (Crash Data, Performance Data, Other Diagnostic Data)
  • Other Data

As compared to Mastadon:

[Blank Space]

Source

[–] [email protected] 3 points 1 year ago (2 children)

And yet the article decided to use 4 things that are inconsequential as their headline topics rather than that list

[–] [email protected] 3 points 1 year ago* (last edited 1 year ago) (1 children)

So you didn't read the article, and just read the headline and lede.

[–] [email protected] 2 points 1 year ago

No I read the article and I've seen the rest of the posts here containing the list you mentioned. I was commenting specifically on that line from the article hence why I quoted it

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago) (1 children)

The press is complicit.

[–] [email protected] 0 points 1 year ago (1 children)

Why would they make the article at all then?

[–] [email protected] 1 points 1 year ago (1 children)

People are discussing it, and an article that downplays it will suggest the discussion is overreaction.

[–] [email protected] 1 points 1 year ago (1 children)

But the article doesn't downplay it, it just uses bad examples. You'd have to be technically adept enough to know that the examples were bad whilst also not knowing what meta actually collects

[–] [email protected] 1 points 1 year ago

Maybe I'm just paranoid and they're just stupid, then.

[–] [email protected] 2 points 1 year ago (2 children)

I mean, yeah, but this is also true compared to writing your thoughts down in a paper journal or a self-hosted WordPress blog. Comparing it to Mastodon is only meaningful if you're specifically evangelizing for Mastodon. You're preaching to the choir here.

Your source touches on this, but a more meaningful comparison would be the social networks that are already being used by the same demographic. Is Threads use of data excessive or unusual compared the existing apps from Meta or its direct peers? How does it compare to Facebook, Instagram, Twitter, Tiktok, Snapchat, etc.? How does it compare to ubiquitous Google apps like YouTube, Gmail, Chrome, etc?

Yeah, excessive tracking is Not Good, but it's nowhere near unique to Threads.

The cybersecurity startup the parent article is built around, Protexxa, have their own Twitter, Instagram, LinkedIn, etc. as does its founder and CEO.

So what's the point of the article? Why Threads? Why now?

[–] [email protected] 4 points 1 year ago (1 children)

Personally, I think it says a lot that they can’t release it in the EU yet because it gathers so much data. Plus, we know Meta can’t be trusted with people’s data. It’s gathering more than other Meta apps and need to be aware of it.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

As far as I know, they didn't want to rush it out in the EU because they didn't know if they'd fall foul of rules or not and they couldn't wait weeks or months just to find out. Not because they can't. Though, ironically, I think federation would cause the biggest problems. (How do you support the right to be forgotten when it's not technically possible?)

[–] [email protected] 2 points 1 year ago (1 children)

I kept a blog for ten years, I didn't write down my health info, my contact info, and my financial info on it.

And attention is being paid to Threads because yes, the access to health info is unusal. Other social media apps haven't asked for that unless they were specifically fitness apps.

It's bad that other ones track stuff, but it's not just stuff anyone puts on the internet just by being there, and they ARE taking an unprecedented step here.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

I kept a blog for ten years, I didn't write down my health info, my contact info, and my financial info on it.

That was my point. It isn't that Mastodon is the alternative to Threads, it's just an alternative. The are plenty of systems of sharing short status updates with people that won't involve as many privacy threats.

And attention is being paid to Threads because yes, the access to health info is unusal. Other social media apps haven't asked for that unless they were specifically fitness apps.

Instagram also collects health info, which it has no intrinsic need for. This is important to note because, fundamentally, Threads is Instagram. That's why it collects the same data.

[–] [email protected] 1 points 1 year ago

I don't have an Instagram. Man, that's intrusive. I'm glad Threads is getting people to call attention to it.

[–] [email protected] 7 points 1 year ago (1 children)

This was all I had to read to decide the entire article is junk.

[–] [email protected] 2 points 1 year ago

You should have read on that it also captures Health and Fitness information. The only reason it would get that is to sell it to insurance companies, or worse, law enforcement if you're in a region that outlaws certain medical procedures.

[–] [email protected] 6 points 1 year ago

Anyone who thinks that any meta subsidiary is not trying to gain every piece of information on you and everyone around you is delusional. They want every detail. Do you masterbate? How often? To what? Partners? Cis/trans/nb, het/gay/bi/poly? Where do you do it? How often? Then meta asks, how can we make money off this knowledge and extract every penny. But one of their board members gets outed and it’s all out war, metaphorically speaking.

[–] [email protected] 2 points 1 year ago

But, it's free!!!

load more comments
view more: next ›