Case Study

Mental Health Apps

Project Timeframe

First Evaluation: August 2020

Latest Update: December 2020

Problem

Mental health apps growing in popularity:  App-based mental health counseling is a large and growing industry. These apps accounted for $587.9 million in 2018 and are expected to generate up to $3.9 billion in annual revenue by 2027, according to some estimates. Due to greater awareness related to the significance of mental health, U.S. and Canadian consumers made up the majority of the global market in 2018.

Increased anxiety and tumult, harms not evenly distributed: Recent events like the global coronavirus pandemic, the resulting economic crisis, and large scale protests related to the Black Lives Matter movement, have spotlighted rising mental health related harms with marginalized and vulnerable populations. Increased anxiety and upheaval causes both physical and psychological symptoms and can be very distressing. Mental health applications collect sensitive information that can create damaging, irreversible impacts on individuals if shared with third parties, including social stigmatization and additional barriers to future opportunities. These applications can collect data around topics such as anxiety disorders, depression, bipolar disorders, eating disorders, and post-traumatic stress disorders. Finally, the pandemic has exposed disparities in the U.S. mental health system, reported  the Center for American Progress. People with mental health disabilities face “disproportionately high rates of poverty”, “housing and employment discrimination”, and criminalization.  

Data leaks: In addition, there are documented data leaks with mental health applications. Investigative journalists have highlighted issues around excessive data sharing with the argument that apps can either sell subscriptions to services or sell data. Privacy concerns about mental health apps have highlighted the need for improved regulation on these apps, marketed to people with anxiety, autism and depression. Other research highlighted how “the majority of the top-ranked mental health apps for depression and smoking cessation” share user data without disclosing the practice in privacy policies

Process/Method

Data Testing: We ran a static analysis of each Android application. We also worked with AppCensus, a company that analyzes app behavior for privacy and security issues, to do an automated analysis of the apps. This research process involved an inspection of the following items:

  • Permissions: What access to data and features was requested, and what was actually used?
  • Third Party SDKs: What third-party software is bundled with the app when a user installs it, and what role does it play in app behavior? 
  • Data recipients: Which entities (companies, services, etc.) receive information from the app, and which security and privacy methods / policies do they observe or not
  • Personal information: What identifiers (Android ID, Advertising ID, etc.) from the phone are transmitted by the app, and where are these identifiers sent?
  • We used the following Android app binaries: 

Design analysis (UX + UI): The user experience, user interface design analysis involved a manual, thorough review of all of the user-interfacing elements of the applications. More specifically, the purpose of this work is to: 

  • Show how the company empowers and informs users, in support of and/or beyond what they say in the documents (Terms of Service and Privacy Policy)
  • Understand how the app works, who this is positioned to.
  • Understand how privacy / security are integrated and positioned (including privacy policy and terms of service documentation), including app defaults and permissions
  • Identify what the core components of the application featured are in order to do more testing, where necessary. 
  • Identify areas for sensitive data collection, and potentially cross reference that with app data collection and 3rd party sharing happening simultaneously.
  • Capture which app permissions are requested, and if/when these permissions are accessed while using the app.
  • We used the following iOS app versions:
    • BetterHelp: iOS app version 9.7
    • MindDoc: iOS app version 4.2.1
    • Sanity & Self: iOS app version 3.0.6502.180
    • Talkspace: iOS app version 8.86.00
    • Wysa: iOS app version 5.7.4
    • Youper: iOS app version 9.00.000
    • 7 Cups: iOS app version 4.6.9

Policy review: Third, the team reviewed the privacy policy and terms of service documents of the applications.

Output & Impact

CR sent a letter on December 17, 2020 to seven companies that operate mental health applications: BetterHelp, Moodpath, Sanity & Self, Talkspace, Wysa, Youper and 7 Cups. Based on a review of the policies of these applications, CR is urging the companies to raise the standard of privacy and transparency for their services.

We provided the four recommendations below to the companies: 

Recommendation 1: Clearly explain procedures used for de-identification of data used for research. Identifiable data should not be shared except at the consumer’s direction.

We advocate for companies to improve clarity on research for data sharing especially around how they define “anonymized data.” Companies should be explicit about what processes they use to de-identify data. We highlight this to help prevent people from being reidentified. Mental health applications collect sensitive information that can create damaging, irreversible impacts on individuals if shared with third parties, including social stigmatization and additional barriers to future opportunities. 

Recommendation 2: Provide clear and contextually-appropriate explanations of how user-provided data will be used, so users are aware of potential consequences before they share.

Companies should not overwhelm people with superfluous information or choices. Wherever possible, app default settings should be that your privacy is protected and users should not have to worry about managing this on their own. However, if there are choices to be made or information someone should be aware of, they should be presented in a clear and straightforward way.

Recommendation 3: Adhere to platform guidelines that are in place to protect people’s privacy.

App developers should ensure that their apps meet the guidelines laid out in Android developer documentation, such as Best Practices for Unique Identifiers which recommends avoiding the use of identifiers like the Android ID (SSAID). App developers should also make sure that the libraries (SDKs) they embed within their apps meet their own expectations for data collection, and that they are configured accordingly.

Recommendation 4: Transparently disclose the service providers that receive data when people use your apps.

We recommend that companies are more transparent in their privacy policies about the service providers that receive data. Although it is not legally required or common practice in the U.S. to list every service provider or institution receiving data, we recommend companies proactively disclose this information.

We published a full research study that provides additional information about our investigation. We also published a letter to the companies, a 2-page brief and a blog post.

Digital Standard Mapping

.