May 6, 2024
Mental health and prayer apps have some of the worst privacy protections, study claims

Mental health and prayer apps have some of the worst privacy protections, a Mozilla study claims, finding they ‘track and share’ users’ intimate thoughts and feelings.

The findings, released to coincide with May’s Mental Health Awareness Month, were published as part of the annual Mozilla ‘Privacy Not Included’ guide.

The researchers examined privacy and security practices for 32 mental health and prayer apps on iOS and Android, including Talkspace, Better Help, Calm and Glorify.

The six worst offenders according to Mozilla, that is, those with the very worst privacy and security, were Better Help, Youper, Woebot, Better Stop Suicide, Pray.com, and Talkspace.

‘Their flaws entail incredibly vague and messy privacy policies, sharing personal information with third parties, and even collecting chat transcripts,’ Mozilla said.

Of all of the apps examined, 29 were given a *Privacy Not Included warning label by the Mozilla Foundation, indicating strong concerns over user data management.

Many of the apps deal with a range of sensitive issues, including depression, anxiety, PTSD, suicidal thoughts, domestic violence and eating disorders, but despite this they were found to be routinely targeting vulnerable users with personalized ads. 

Woebot Health criticised the report, with chief information security and privacy officer, Barbee Mooneyhan, saying they are ‘working with researchers to correct inaccuracies,’ and welcomed a discussion on using data to serve people.

In total, 25 apps failed to meet Mozilla’s Minimum Security Standards, which include requiring strong passwords and managing security updates and vulnerabilities.

‘The vast majority of mental health and prayer apps are exceptionally creepy,’ Jen Caltrider, the Mozilla *Privacy Not Included guide lead, said in a statement.

Many of the apps routinely share data, allow weak passwords, target vulnerable users with personalized ads, and feature vague and poorly written privacy policies.

The apps that Mozilla investigated connect users with therapists and feature AI chat bots, community support pages, and prayers.

Mozilla researchers reportedly spent 255 hours – over eight hours per product – writing the guide, allowing them to gain a deep understanding of how the apps operate.

‘They track, share, and capitalize on users’ most intimate personal thoughts and feelings, like moods, mental state, and biometric data,’ said Caltrider. 

‘Turns out, researching mental health apps is not good for your mental health, as it reveals how negligent and craven these companies can be with our most intimate personal information.’

PRIVACY NOT INCLUDED ANNUAL REPORT: KEY FINDINGS 

There are six worst offenders: Apps with the very worst privacy and security are Better Help, Youper, Woebot, Better Stop Suicide, Pray.com, and Talkspace. 

Their flaws entail vague and messy privacy policies; sharing personal information with third parties; and even collecting chat transcripts.

These companies are incredibly unresponsive: Mozilla emails all companies at least three times to try and get answers to our privacy and security related questions. 

And only a single company, the Catholic prayer app Hallow, responded in a timely manner. 

There are only two trustworthy apps: PTSD Coach, an app made by the U.S. Department of Veterans Affairs, had ‘strong privacy policies and security practices.’

And the AI chatbot Wysa, ‘seems to value users’ privacy.’

Mental health apps are a data harvesting bonanza: Nearly all the apps reviewed gobble up users’ personal data, with some harvesting additional data from third-party platforms.

Security is sometimes laughable: Despite dealing with incredibly sensitive information, some apps’ security practices are akin to a flimsy lock on a diary. At least eight apps allowed weak passwords ranging from “1” to “11111111”.

Moodfit only required one letter or digit as a password, which is concerning for an app that collects mood and symptom data. 

Teens are especially vulnerable: Parents of kids and teens using these apps should pay close attention to how their child’s privacy is handled, Mozilla warned.

Many mental health and prayer apps target young people, including teens — a demographic that suffers the most from mental health issues. 

According to the report, Better Help and Better Stop Suicide had vague and messy privacy policies, while Youper, Pray.com and Woebot shared personal information with third parties.

‘These companies are incredibly unresponsive,’ Mozilla said, adding that they emailed all companies at least three times using the privacy email listed, and only the Catholic prayer app Hallow responded in a timely manner.

Mozilla heard back from Calm and Wysa, but not until emailing them a third time.

According to the organization, there were only two trustworthy apps, PTSD Coach, which is produced by the US Department of Veterans Affairs, and AI chatbot Wysa.

The report says PTSD Coach ‘had strong privacy policies and security practices’, and Wysa, ‘seems to really value users’ privacy.’

Nearly all the apps reviewed gobble up users’ personal data, the reviewers found, and some apps harvest additional data from third-party platforms like Facebook, elsewhere on users’ phones, or data brokers. 

One of the most shocking discoveries was that others were taking advantage of this sensitive data, including investors and insurance companies. 

Silicon Valley investors are pouring hundreds of millions of dollars into these apps, and insurance companies get to collect extra data on the people they insure. 

Once the apps have gathered the user data, the reviewers found the security used to protect it was ‘laughable’.

‘Despite dealing with incredibly sensitive information, some apps’ security practices are akin to a flimsy lock on a diary,’ Mozilla said in a statement, finding that at least eight apps allowed weak passwords ranging from “1” to “11111111”.

‘Moodfit only required one letter or digit as a password, which is concerning for an app that collects mood and symptom data,’ a spokesperson for Mozilla explained.

‘We also had trouble determining if many apps pushed security updates regularly or had a way to manage security vulnerabilities found in their apps.’

Mozilla warned parents to be particularly vigilant if their teens used these apps, as many target or market to young people, and when teens share information, the poor security practices could lead to it being leaked or hacked.

They could also face being targeted with personalized ads and marketed to for years to come based on what they shared as a teenager. 

Misha Rykov, a Mozilla researcher who co-developed the guide, said: ‘Hundreds of millions of dollars are being invested in these apps despite their flaws.

‘In some cases, they operate like data-sucking machines with a mental health app veneer. In other words: A wolf in sheep’s clothing.’

The findings are available in the Mozilla Foundation ‘Privacy Not Included’ guide.
