Mental health and prayer apps have some of the worst privacy protections, study claims


Mental health and prayer apps have some of the worst privacy protections, a Mozilla study claims, finding they ‘track and share’ users’ intimate thoughts and feelings.

The findings, released to coincide with May’s Mental Health Awareness Month, were published as part of the annual Mozilla ‘Privacy Not Included’ guide.

The researchers examined privacy and security practices for 32 mental health and prayer apps on iOS and Android, including Talkspace, Better Help, Calm and Glorify.

The six worst offenders, according to Mozilla, that is those with the very worst privacy and security, were Better Help, Youper, Woebot, Better Stop Suicide, Pray.com, and Talkspace.

‘Their flaws entail incredibly vague and messy privacy policies, sharing personal information with third parties, and even collecting chat transcripts,’ Mozilla said.

Of all of the apps examined, 29 were given a *Privacy Not Included warning label by the Mozilla foundation, indicating strong concerns over user data management. 

Many of the apps deal with a range of sensitive issues, including depression, anxiety, PTSD, suicidal thoughts, domestic violence and eating disorders, but despite this they were found to be routinely targeting vulnerable users with personalized ads. 

When contacted, some of the apps named, including Pray.com, Glorify, Woebot and Talkspace, disputed the findings in the report.

Woebot Health criticised the report, with chief information security and privacy officer, Barbee Mooneyhan, saying they are ‘working with researchers to correct inaccuracies,’ and welcomed a discussion on using data to serve people.

Talkspace said: ‘The report contains major inaccuracies that we are working to amend directly with Mozilla.’ 

Pray.com said it strives to follow best practice, works with trusted privacy and cybersecurity firms, and ‘is not in the business of selling its customers’ data.’

Glorify says it has updated its privacy policy, including translating it into multiple languages and creating a new, easier-to-read format. It has also committed to limiting how user data is shared and not selling users’ personal data.

In total, 25 apps failed to meet Mozilla’s Minimum Security Standards, which include requiring strong passwords and managing security updates and vulnerabilities.

‘The vast majority of mental health and prayer apps are exceptionally creepy,’ Jen Caltrider, the Mozilla *Privacy Not Included guide lead, said in a statement.

Many of the apps routinely share data, allow weak passwords, target vulnerable users with personalized ads, and feature vague and poorly written privacy policies.

The apps that Mozilla investigated connect users with therapists and feature AI chatbots, community support pages, and prayers.

Mozilla researchers reportedly spent 255 hours – over eight hours per product – writing the guide, allowing them to gain a deep understanding of how they operate. 

‘They track, share, and capitalize on users’ most intimate personal thoughts and feelings, like moods, mental state, and biometric data,’ said Caltrider. 

‘Turns out, researching mental health apps is not good for your mental health, as it reveals how negligent and craven these companies can be with our most intimate personal information.’

According to the report, Better Help and Better Stop Suicide had vague and messy privacy policies, while Youper, Pray.com and Woebot shared personal information with third parties.

‘These companies are incredibly unresponsive,’ Mozilla said, adding that they emailed all companies at least three times using the privacy email listed, and only the Catholic prayer app Hallow responded in a timely manner.

Mozilla heard back from Calm and Wysa, but not until emailing them a third time.

PRIVACY NOT INCLUDED ANNUAL REPORT: KEY FINDINGS 

There are six worst offenders: Apps with the very worst privacy and security are Better Help, Youper, Woebot, Better Stop Suicide, Pray.com, and Talkspace. 

Their flaws entail vague and messy privacy policies; sharing personal information with third parties; and even collecting chat transcripts.

These companies are incredibly unresponsive: Mozilla emails all companies at least three times to try and get answers to our privacy and security related questions. 

And only a single company, the Catholic prayer app Hallow, responded in a timely manner. 

There are only two trustworthy apps: PTSD Coach, an app made by the U.S. Department of Veterans Affairs, had ‘strong privacy policies and security practices.’

And the AI chatbot Wysa, ‘seems to value users’ privacy.’

Mental health apps are a data harvesting bonanza: Nearly all the apps reviewed gobble up users’ personal data, with some harvesting additional data from third-party platforms.

Security is sometimes laughable: Despite dealing with incredibly sensitive information, some apps’ security practices are akin to a flimsy lock on a diary. At least eight apps allowed weak passwords ranging from “1” to “11111111”.

Moodfit only required one letter or digit as a password, which is concerning for an app that collects mood and symptom data. 

Teens are especially vulnerable: Parents of kids and teens using these apps should pay close attention to how their child’s privacy is handled, Mozilla warned.

Many mental health and prayer apps target young people, including teens — a demographic that suffers the most from mental health issues. 

According to the organization, there were only two trustworthy apps, PTSD Coach, which is produced by the US Department of Veterans Affairs, and AI chatbot Wysa.

The report says PTSD Coach ‘had strong privacy policies and security practices’, and Wysa, ‘seems to really value users’ privacy.’

Nearly all the apps reviewed gobble up users’ personal data, the reviewers found, and some apps harvest additional data from third-party platforms like Facebook, elsewhere on users’ phones, or data brokers. 

One of the most shocking discoveries was that others were taking advantage of this sensitive data, including investors and insurance companies. 

Silicon Valley investors are pouring hundreds of millions of dollars into these apps, and insurance companies get to collect extra data on the people they insure. 

Once the apps have gathered the user data, the reviewers found the security used to protect it was ‘laughable’.

‘Despite dealing with incredibly sensitive information, some apps’ security practices are akin to a flimsy lock on a diary,’ Mozilla said in a statement, finding that at least eight apps allowed weak passwords ranging from “1” to “11111111”.

‘Moodfit only required one letter or digit as a password, which is concerning for an app that collects mood and symptom data,’ a spokesperson for Mozilla explained.

‘We also had trouble determining if many apps pushed security updates regularly or had a way to manage security vulnerabilities found in their apps.’

Mozilla warned parents to be particularly vigilant if their teens used these apps, as many target or market to young people, and when teens share information, the poor security practices could lead to it being leaked or hacked.

They could also face being targeted with personalized ads and marketed to for years to come based on what they shared as a teenager. 

Misha Rykov, a Mozilla researcher who co-developed the guide, said: ‘Hundreds of millions of dollars are being invested in these apps despite their flaws.

‘In some cases, they operate like data-sucking machines with a mental health app veneer. In other words: A wolf in sheep’s clothing.’

All of the companies DailyMail.com spoke to criticized the Mozilla Foundation report, in some cases calling it outright wrong.

Woebot Health’s Chief Information Security and Privacy Officer Barbee Mooneyhan said: ‘We are working with the researchers to correct inaccuracies in the report. An open, well-researched conversation about how data can be used to serve people is always a welcome discussion.’

Talkspace said: ‘The report contains major inaccuracies that we are working to amend directly with Mozilla.’

Glorify said it feels ‘strongly about protecting our users,’ adding ‘we have been working with our Data Protection Officer to update our privacy policy and address any points of possible confusion since February 2022, translating it into multiple languages and formatting it in an easy to read format.’

The Christian app has updated the privacy policy as of April 29, 2022, with it coming into effect on May 13, 2022, and has emailed it to all users, urging them to read it in full.

‘We are continuously working to keep our policies up-to-date and fully transparent.’

They set out several principles for safeguarding users’ data privacy, including not selling or renting personal data, aggregating analytics for improving and personalising the product, and encrypting all connections.

They also committed to ‘only sharing encrypted and protected data with service providers to deliver the service and improve the user experience,’ and clarifying the methodology used for data retention to ensure any extra data is anonymised.

The team also commit to not knowingly collecting or soliciting the data of anyone under the age of 13 without obtaining consent from a parent or guardian.

They were unaware of Mozilla’s request for information, as all three emails received went into SPAM folders, and have since contacted the foundation, answered questions and had the ‘privacy not included mark’ removed. 

Pray.com says it is committed to protecting user privacy and security, striving to follow best practices and industry standards.

‘Pray.com is about making prayer a priority in its customers’ life. Pray.com is not in the business of selling its customers’ data,’ a spokesperson said.

‘Pray.com remains focused on delivering the best digital faith experience and leaving a legacy of helping others. This includes providing a safe and secure community for its customers as well as stepping out as a leader in the future of web3, crypto and NFT technology. This will help further strengthen privacy and IP ownership while decreasing censorship in the market.

‘Pray.com stands committed to providing a safe and secure environment for its customers and looks forward to serving them in new ways as it embraces the technologies of the future.’

The findings are available in the Mozilla Foundation ‘Privacy Not Included’ guide.



Written by bourbiza

bourbiza is an entertainment reporter for iltuoiphone News and is based in Los Angeles.