
Apps with the most sensitive data seem to be the worst at protecting user privacy, according to a review by Mozilla’s Privacy Not Included team. The analysts looked at 32 mental health and prayer apps to determine what kind of privacy protections are in place. The Mozilla team gave 28 of the apps a “Privacy Not Included” warning label for weak policies and sharing personal data with third parties.

In a blog post about the review process, Mozilla Researcher Misha Rykov described the apps as “data-sucking machines with a mental health app veneer.” Mozilla also noted that the companies were “incredibly unresponsive,” with only one of the 32 companies responding in a timely manner to inquiries about privacy policies.

The good news is that PTSD Coach and Wysa are trustworthy. The U.S. Department of Veterans Affairs built the PTSD app, which has strict privacy rules and explains clearly what usage data is collected, what it’s used for and how to turn off the sharing of that data. Wysa is an AI chatbot that gets a thumbs up for privacy protection as a mental health app that “isn’t looking to make money off your personal information,” according to the app review.

The apps with the worst practices are:

  • Better Help: Vague and messy privacy policies
  • Better Stop Suicide: Vague and messy privacy policies
  • Pray.com: Shares personal data with third parties
  • Woebot: Shares personal data with third parties
  • Youper: Shares personal data with third parties
  • Talkspace: Collects chat transcripts

There’s a review of each app with a user rating as well as a feature review of privacy, security and artificial intelligence elements. The *Privacy Not Included team also spells out how the app maker uses the data and whether or not a user can control his or her data. There are also tips on how to adjust the settings on an app for anonymizing data or turning off certain features.


Woebot is a chatbot that uses natural language processing to chat with users who are seeking help for mental health issues. In the review of Woebot, Mozilla identifies this part of the app’s privacy policy as concerning:

“Woebot says they can collect a good deal of personal info like name, email, phone number, IP address, and all the information you give them in your conversations. They also say they can “obtain information about you from other sources, including through third party services and organizations to supplement information provided by you.” So, Woebot can collect a good deal of personal information, add to the information you give them with even more information gathered from third parties. Then they say they can share some of this information with third parties, including insurance companies and a seemingly broad category they call “external advisors.” They also use some of your information for advertising and marketing purposes…”

So although Woebot does not sell user data, the company can share location, identifiers and internet network activity with advertising partners.

After Mozilla published this review of the Woebot app, the company responded to the critique and said that it is working on an update to its privacy policy. Alison Darcy, founder and president of Woebot, said in the post that the company treats all user data as protected health information and secures this data in a dedicated environment for clear access control. Delogne also said that the company believes in informed consent when it comes to sharing data:

“For the vast majority of users, data is only shared with service providers who make the Woebot app work, or in the rare circumstance when we must comply with law enforcement. For a fraction of users who have chosen to participate in a partner program, such as with a research institution, health system or employer, we may share certain data with those partners, but only when users have provided explicit agreement.”

Pray.com is a subscription app that collects a significant amount of personal data, according to Mozilla’s analysis, and the privacy policy states that the app maker can target users with ads, share that data with third parties for ad targeting and share the information with other “faith-based organizations” as well. The Mozilla review states that this approach to user data suggests that the app is a “data harvesting business targeting Christians for purposes that go way way way beyond helping them on their prayer journey.”

Mozilla started the *Privacy Not Included buyer’s guide in 2017. The team’s reviews advise consumers and businesses on how to navigate privacy concerns with connected products. The team does not buy products to make these determinations. Instead, the group researches privacy policies and company security practices to understand privacy and security concerns related to specific products. The Creep-O-Meter rating for each product is a user rating to reflect individual experiences with various apps.

*Updated on May 5 to add a response from Woebot.
