Every second, thousands of people tell their phone or computer something about themselves that they might not want anyone else to know. That's what happens when people search for medical information online, typically looking for answers to questions about a worry they have.
In 2022, Google says, its users searched often for information about diets and supplements, exercise, stress and depression, and various other ailments. Depending on the users' browser settings, those details may still be found in their Google profiles.
And internet searches are just one of many ways people share sensitive personal health data.
They're also doing so on health and wellness apps, including mental health and counseling programs. These apps collect data about their users to provide services - and, in many cases, to generate revenue, whether it be through targeted advertisements or sales of anonymized information to data brokers.
On May 2, researchers at Mozilla released their latest report on the privacy practices of popular mental health apps, finding that almost 60 percent fell short of the company's minimum standards. In fact, Mozilla said, 40 percent of the apps reviewed had worse privacy practices this year than they did last year.
Jen Caltrider, director of Mozilla's Privacy Not Included work, said it's important to read an app's privacy policy before downloading it, because some start collecting data moments after they're activated.
Caltrider's team found that 29 - or 90 percent of those studied - didn't meet Mozilla's minimum standards when it released its report last May, earning a Privacy Not Included warning label on Mozilla's site.
"Despite these apps dealing with sensitive issues - like depression, anxiety, suicidal thoughts, domestic violence, eating disorders, and post-traumatic stress disorder - the worst of them routinely share data, target vulnerable users with personalized ads, allow weak passwords, and feature vague and poorly written privacy policies," the company said.
Since then, the company said, six of the reviewed apps have improved on the privacy and security front.
In some cases, such as with the Modern Health app, they simply made clear in their privacy policies that they were not, in fact, selling or disclosing personal information to third parties. In others, such as with Youper and Woebot, the apps made their privacy and password policies significantly stronger.
But 10 other apps went in the other direction, Mozilla said, weakening their privacy or security policies, or both. All told, almost 60 percent of the apps reviewed earned Mozilla's warning label.
Although people are starting to talk more openly about their mental health, Caltrider said, "it's something that a lot of people want to keep private or close to the vest."
That's not just because of the stigma attached to some mental health issues. It's also because of the real risk of harm that people face if their personal information gets shared for the wrong reasons.
For instance, you might tell an app that you're seeing a therapist three times a week for obsessive-compulsive disorder or that you have an eating disorder. Now imagine that information finding its way into the anonymous profile advertisers have assigned to you. Do you want those ads showing up in your browser or e-mail, especially when you're at work?
It doesn't take much imagination, actually. Data brokers are collecting and selling mental health data, according to a report released last month by Duke University.
"The 10 most engaged brokers advertized highly sensitive mental health data, including data on those with depression, attention disorder, insomnia, anxiety, ADHD, and bipolar disorder as well as data on ethnicity, age, gender, zip code, religion, children in the home, marital status, net worth, credit score, date of birth, and single parent status," the report states.
"Many of the data brokers seem to imply that they have the capabilities to provide identifiable data."
Nor did many of the brokers have meaningful controls on whom they sold the data to or how the information could be used, the report said.
Many app developers will insist that they don't share personally identifiable information, but studies have shown that supposedly anonymous profiles can be linked to real names and attributes if they contain enough scraps of detail (especially if these scraps include location data). "Users must really trust that the company takes the best measures possible to make sure all this data is actually truly anonymized and de-identified," Mozilla's researchers warned.
What steps can you take steps to prevent your data from being collected and shared?
Read the privacy policy. What about apps that don't have a privacy policy? "Never download those apps," Caltrider said.
Skip apps that are no longer supported. If there's no one monitoring an app for bugs and security holes, hackers could find and then share techniques for using the app as a gateway into your phone and the information you store there.
Don't rely on the privacy information in the app store. In the description provided for each app, Google and Apple offer summaries of the data collected and shared. But Caltrider said that the information is supplied by the app developers themselves, not an independent source.
Don't use your Facebook or Google ID to sign into an app. Linking your app to these companies invites them to collect more data about your life online, which feeds their ad-targeting economies.
Use video instead of text where possible. As the data is not protected by law, what you disclose to apps in writing could exist forever in unencrypted form, Caltrider said. "I would do video-based conversations that aren't going to be recorded."
Los Angeles Times (TNS)
