Apps with the most sensitive data seem to be the worst at protecting user privacy, according to a review by Mozilla’s Privacy Not Included team. The analysts looked at 32 mental health and prayer apps to determine what kind of privacy protections are in place. The Mozilla team gave 28 of the apps a “Privacy Not Included” warning label for weak policies, sharing personal data with third parties.
In a blog post about the review process, Mozilla Researcher Misha Rykov described the apps as “data-sucking machines with a mental health app veneer.” Mozilla also noted that the companies were “incredibly unresponsive,” with only one of the 32 companies responding in a timely manner to inquiries about privacy policies.
The good news is that PTSD Coach and Wysa are trustworthy. The U.S. Department of Veterans Affairs built the PTSD app, which has strict privacy rules and explains clearly what usage data is collected, what it’s used for and how to turn off the sharing of that data. Wysa is an AI chatbot that gets a thumbs up for privacy protection as a mental health app that “isn’t looking to make money off your personal information,” according to the app review.
The apps with the worst practices are:
- Better Help: Vague and messy privacy policies
- Better Stop Suicide: Vague and messy privacy policies
- Pray.com: Share personal data with third parties
- Woebot: Share personal data with third parties
- Youper: Share personal data with third parties
- Talkspace: Collects chat transcripts
There’s a review of each app with a user rating as well as a feature review of privacy, security and artificial intelligence elements. The *Privacy Not Included team also spells out how the app maker uses the data and whether or not a user can control his or her data. There are also tips on how to adjust the settings on an app for anonymizing data or turning off certain features.
“Woebot says they can collect a good deal of personal info like name, email, phone number, IP address, and all the information you give them in your conversations. They also say they can “obtain information about you from other sources, including through third party services and organizations to supplement information provided by you.” So, Woebot can collect a good deal of personal information, add to the information you give them with even more information gathered from third parties. Then they say they can share some of this information with third parties, including insurance companies and a seemingly broad category they call “external advisors.” They also use some of your information for advertising and marketing purposes…”
So although Woebot does not sell user data, the company can share location, identifiers and internet network activity with advertising partners.
“For the vast majority of users, data is only shared with service providers who make the Woebot app work, or in the rare circumstance when we must comply with law enforcement. For a fraction of users who have chosen to participate in a partner program, such as with a research institution, health system or employer, we may share certain data with those partners, but only when users have provided explicit agreement.”
Mozilla started the *Privacy Not Included buyer’s guide in 2017. The team’s reviews advise consumers and businesses on how to navigate privacy concerns with connected products. The team does not buy products to make these determinations. Instead the group researches privacy policies and company security practices to understand privacy and security concerns related to specific products. The Creep-O-Meter rating for each product is a user rating to reflect individual experiences with various apps.
*Updated on May 5 to add a response from Woebot.