Mental health and prayer apps have failed at maintaining privacy and data security of their users, researchers at Mozilla found as a result of a rigorous study. The researchers said that 29 of the 32 popular mental health and prayer apps including Talkspace, Better Health, and Calm have indicated strong concerns over user privacy and data management. As many as 25 apps also failed to have standards such as requiring strong passwords and managing security updates and vulnerabilities.
Mozilla’s latest ‘*Privacy Not Included’ guide lists the apps that have not followed the appropriate privacy and security practices. The researchers spent 255 hours — including over eight hours per product — and found that a vast majority of the mental health and prayer apps are “exceptionally creepy” and exclude privacy elements.
“Turns out, researching mental health apps is not good for your mental health, as it reveals how negligent and craven these companies can be with our most intimate personal information,” said Jen Caltrider, Mozilla’s ‘*Privacy Not Included’ Lead, in a prepared statement. “They track, share, and capitalise on users’ most intimate personal thoughts and feelings, like moods, mental state, and biometric data.”
Mental health and prayers apps received an immense focus from users around the world during the initial phase of COVID-19. These apps deal with issues including anxiety, depression, domestic violence, and suicidal thoughts.
Nonetheless, Mozilla’s researchers have found that despite dealing with some of the most sensitive issues, most mental health and prayers apps allow weak passwords, target vulnerable users with personalised ads, and include vague as well as poorly-written privacy policies.
The researchers picked the apps that connect users with therapists, include artificial intelligence (AI) chatbots, community support pages, and prayers, offer mood journals, and well-being assessment, among other features.
“In some cases, they operate like data-sucking machines with a mental health app veneer. In other words: A wolf in sheep’s clothing,” said Misha Rykov, Mozilla Researcher who co-developed guide.
Of all the apps considered for the research, six have emerged as the worst offenders. These are Better Help, Youper, Woebot, Better Stop Suicide, Pray.com, and Talkspace.
The researchers noted that while Better Help and Better Stop Suicide entail “incredibly vague and messy” privacy policies, Youper, Pray.com, and Woebot were found to be sharing personal information with third parties. Talkspace was also found to be collecting chat transcripts of user communications with experts.
Mozilla said that most companies behind these apps were “incredibly unresponsive” and did not respond to the emails highlighting the issues at least three times. Only a single company that is behind Catholic prayer app Hallow responded in a timely manner, while Calm and Wysa came back after a third email was sent to them, the researchers said.
The researchers also noted that nearly all the apps reviewed are gobbling up data of their users. Some of them are found to be even harvesting additional data from third-party platforms (like Facebook), elsewhere on users’ phones, or data brokers.
“Valley investors are pouring hundreds of millions of dollars into these apps. Insurance companies get to collect extra data on the people they insure. And data brokers are enriching their databases with even more sensitive data,” the researchers noted.
At least eight of the selected apps are found to be lacking security practices and allow weak passwords ranging from “1” to “11111111”. Moodfit was also found to have required one letter or digit as a password. Further, lack of security updates on a regular basis was seen across most apps tested.
Among other apps selected for the guide, PTSD Coach and AI chatbot Wysa were found to be the two “trustworthy” solutions. However, it is recommended that parents should pay close attention to how mental health and prayer apps are handling the privacy of their kids and teens as they are amongst the most vulnerable audience.
The information shared on these apps could be leaked, hacked, or used to target young people with personalised ads and marketing due to the lack of privacy and user security measures.