Here is the Threads Supplemental Privacy Policy referenced in the article. Some relevant excerpts are:
We collect information about the Third Party Services and Third Party Users who interact with Threads. If you interact with Threads through a Third Party Service (such as by following Threads users, interacting with Threads content, or by allowing Threads users to follow you or interact with your content), we collect information about your third-party account and profile (such as your username, profile picture, IP address, and the name of the Third Party Service on which you are registered), your content (such as when you allow Threads users to follow, like, reshare, or have mentions in your posts), and your interactions (such as when you follow, like, reshare, or have mentions in Threads posts).
And further down…
If you are a Third Party User, our ability to verify your request may be limited and we may be unable to process your request. Please note, however, that the interoperable protocol allows Third Party Services to automatically send Threads requests for deletion of individual posts when those posts are deleted on the Third Party Service. We make reasonable efforts to honor such requests when we receive them. Contact your Third Party Service to learn more.
Thats a nothingburger and a half.
This just lists the info that is auto shared through federation, in legalese. The second one explains how federated deletes work, also in legalese. This is the info any instance would handle if you interacted with it.
because every other instance does the same.
this comment is content, it’s now stored on the instance I share it with, and all the instances it federates to, along with my username and so forth.
the above is just a legalese explanation of how the fediverse works.
Apart from the list of items being somewhat generic and IP address just being unobtainable as someone else pointed out, it’s just saying that they get data about users by means of the normal functioning of federation. It’s ok in the same way as the server that originally hosts this community we are posting to (lemmy.ml) necessarily getting user data from our “home” servers we are posting from (feddit.de, sopuli.xyz), is ok. This is how we want it to work.
It’s worth thinking about what you’re putting out there, but you’re right. This isn’t a Threads specific thing.
You’re putting these posts on the internet. You should expect everyone to read them, including Threads and Google and Putin and Kim Jong Un. That’s kind of the idea of public posting. They don’t even need an API to do that.
First one: “we will take as much as we legally can”
Second one: “we will give as little as we legally can get away with”