I just cannot think of any good reasons for a chat app to request access to your credit score, medical records, fitness data, web browsing history, sexual orientation, text messages, etc.

Yet #Threads does and it is fucking gross

@39digits is it not possible to just decline those permissions?

@Justknight The majority are marked as optional so it doesn't collect that data by default. Optional should ask the user to opt-in.

So there are some guards in place...but I still can't think why that type of app needs any of those within scope of the permissions to ask.

@39digits I assume it's just to scrape/collect as much data as possible to sell to advertisers. Also fun fact if you have Instagram and you "shake" your phone, an error/problem report system comes up.
So ig they have a reason for health and biometric data? /s

@39digits Not only is this gross but also, from a GDPR perspective, it is grossly illegal. There is absolutely zero reason that Meta would need that information in order to provide the service.

@aaribaud Thankfully it is optional, meaning the user should be given the chance to opt-in/opt-out before it is collected for the first time.

But I can think of zero reasons these items even need to be in scope though 😐

@39digits

These should certainly *not* be opt-out, which, again, would run contrary to the GDPR.

Only strict opt-in might be allowable (i.e., forget pre-selected option patterns), and even then, not opting in must cause no restriction on use.

And even opt-in might still be contrary to GDPR here, which does not allow data collection "just because the collector feels like they want it".

@39digits "Well, yes, we would like to collect your financial records, because, you know, in case somewhere someone just happened to provide valuable financial advice that might be adapted to your economic situation, we could let them know you ex-- ^W^W^W^W^W let you know they exist."

@aaribaud "We couldn't help notice you haven't completed your fitness rings 5 days in a row now...so here's an advert for gym memberships in your area based on your location data"

@39digits

Which *might* work in a gym/health app/site, not in a social network.

@39digits it's not "requesting access" - it's saying that (in some unstated situations) the app *may* collect that information.

Example of such situation: a non-e2ee chat with server side history. The user might be talking about their financials, or their health, or ... and the company needs to collect and store it. GDPR-wise they can probably even do that without explicit consent because it's legitimate interest.

@delroth Am I misreading the Google docs on what Optional means under the Data Handling section? Genuinely curious here.

They say "You can declare that your app collects certain data optionally only if all users – regardless of device or region – can either optionally provide information, opt out or opt in to have the data collected."

I took "either" to mean you either opt-in or opt-out but you have to be given the choice 😅

https://support.google.com/googleplay/android-developer/answer/10787469

@39digits in the example I cited this would be "optionally provide the information" since the users are themselves writing it in the chat box (they don't have to talk about financials/health/...). Similarly with photos/videos/audio recordings, which presumably would only get collected when they get uploaded to be shared with others.

@39digits FWIW I'm not trying to say that Threads is a great option privacy wise (I don't believe it is). But comparing privacy policies and privacy docs is an absolutely useless way to judge this - the length and amount of items listed in a privacy policy mostly reflect how much care and effort lawyers put into writing it.

Small entities (like Mastodon gGmbH) get away with absurdly bad and wrong privacy policies because nobody gives a fuck.

@delroth I have to admit that for me, Google's use of the word "either" implied a choice between two things. Their placement of the "or" in their guidance document led to my misinterpretation.

I would HOPE any form of private chat is encrypted and the public posts are the only way such information could be optionally provided. But I currently live in a country debating how to add backdoors to encrypted chats 🥹 🙃 Wild times for data privacy.

@39digits it does seem like they're missing an Oxford comma in that "either ... or".

FWIW I said "chat" because that's what your initial post used, but everything would apply the exact same way for data that is collected to be more widely reshared - let's say, to followers or publicly on a Twitter clone. And there E2EE isn't a realistic option anyway.