‘Skreepy’ mental health and prayer apps share your personal data

A review of mental health and prayer apps has concluded that they offer worse privacy and security than any other type of app.

Mozilla’s survey of 32 mental health and prayer apps, including Talkspace, Better Help, Calm and Glorify, found that 28 raised strong concerns over user data management, while 25 failed to meet Mozilla’s minimum security standards, such as requiring strong passwords and managing security updates and vulnerabilities.

Despite dealing with sensitive issues—depression, anxiety, suicidal thoughts, domestic violence, eating disorders, and PTSD—these apps routinely share data, allow weak passwords, target vulnerable users with personalized ads, and have vague and poorly written privacy policies. Some collect additional data from third-party platforms such as Facebook, from other locations on users’ phones or from data brokers.

“The vast majority of mental health and prayer apps are extraordinarily sinister. They track, share and exploit users’ most intimate personal thoughts and feelings, such as mood, mental state and biometric data,” says Jen Caltrider, Mozilla’s ‘Privacy Not’ Included’ lead .

“It turns out that researching mental health apps isn’t good for your mental health, as it reveals how careless and tight-lipped these companies can be with our most intimate personal information.”

The six worst offenders, according to Mozilla, are Better Help, Youper, Woebot, Better Stop Suicide, Pray.com and Talkspace. Youper, Pray.com and Woebot were found to share personal information with third parties, while Talkspace even collects chat transcripts.

Meanwhile, at least eight apps allowed weak passwords from “1” to “11111111.”

The only two apps found to responsibly protect data were TSD Coach, an app created by the US Department of Veterans Affairs, and the AI ​​chatbot Wysa.

Mozilla warns that parents of children and teenagers should be especially careful, as many mental health and prayer apps target this market.

“When teens share information on these apps, it can be leaked, hacked, or used to target them with personalized ads and marketing for years to come,” it says.

It is not the first time that mental health products have been found to share data. Three years ago, Privacy International revealed that more than 97 percent of the mental health websites it surveyed contained a third-party element such as third-party cookies, third-party JavaScript, or an image hosted on a third-party server. More than three-quarters contained third-party trackers for marketing purposes.

“Hundreds of millions of dollars are invested in these apps despite their flaws. In some cases, they act as data-sucking machines with a mental health app veneer,” says Mozilla researcher Misha Rykov. “In other words, a wolf in sheep’s clothing.”

Update: Pray.com does not disclose what data it collects, where it comes from and how it is used, but says it is “not about selling its customers’ personal data”. It adds: “Pray.com remains focused on delivering the best digital faith experience and leaving a legacy of helping others. This includes providing a safe and secure community for its customers, as well as stepping out as a leader in the future of web3, crypto. and NFT technology. This will help further strengthen privacy and IP ownership while reducing censorship in the market. Pray.com is committed to providing a safe and secure environment for its customers and looks forward to serve them in new ways as it embraces the technologies of the future.”

Talkspace says Mozilla’s report lacks context. A spokesperson adds: “We have one of the most comprehensive privacy policies in the industry, and it is misleading to claim that we collect user data or chat transcripts for anything other than providing treatment.”

Youper denies selling personal information, saying it only shares it with users’ consent, adding: “Messages between users and their medical providers are encrypted in transit. All user health information used by healthcare providers is recorded in an electronic health record, which follows the HIPAA standard to protect privacy.”