[jsnell]

If the GP had given "access to location" as an example of the obscene permissions, I would not have replied. That's indeed a permission that the app requests (but AFAIK doesn't require or automatically get!), and people can judge for themselves whether requesting that permission is reasonable or not.

But the GP didn't do that. They gave access to health data as the example, and that's just not a permission that the app asks for. (Is it even a permission that exists?). It's pretty clear that they're just regurgitating that misleading screenshot that was making the rounds a couple of days ago with no understanding.

If the app's privacy story really is that bad, one should be able to make that case while sticking to the facts.

[cmiles74]

The Register has a story about Threads and the permissions it asks for, "Health and Fitness" is indeed on the list. Honestly, it looks like it simply asks for every conceivable permission (what is "Sensitive Info" or "Other Data"?) There's a screenshot at the bottom of the article with the full list.

https://www.theregister.com/2023/07/05/threads_comes_to_uk/

[jsnell]

Right, this is exactly what I mean. That screenshot is not a list of permissions.

That is a screenshot of the Privacy Labels. It's basically a structured form of the app's privacy policy, self-reported by Facebook. Them putting "Health and Fitness" in that list does not in any way grant their app access to any health data on your iPhone. The same is true for literally every other item on that list. It has no impact on what iOS lets the app do.

The reason all of that data is listed there is that Meta might already have it associated with your account, due to e.g. your use of Facebook, Instagram, WhatsApp, or Quest, and they might make use of that data in this app too. Or possibly they want a single unified privacy policy for all their apps.

[cmiles74]

I found some documentation. This is supposed to be an enumeration of all the data that the _application_ collects from the phone. It's surprising to see that the app is collecting health data, presumably the phone prompts a person to grant the permission when they try to fetch that data.

If, as you say, this covers all data "used" in some manner by all Meta apps then I think this is a clear misuse of the policy. Providing a list of labels that includes literally every label isn't helpful to the person deciding if they want to continue using the application or not.

In any case, if Threads doesn't collect health data then, IMHO, the privacy label shouldn't be listed. By Meta's own admission, their app collects this data and posts it back to Meta.

[jsnell]

Yes, they do need to list the permissions that the app will use. But you're wrong about this being a list of permissions. See https://developer.apple.com/app-store/app-privacy-details/ for what this is.

The list of permissions is a different list, with different contents.

[aaomidi]

Literally read what that labeling does.

It doesn’t give the app access to your health data.