Earlier this week I wrote about the potential pitfalls of data that relates to abortions in the wake of the removal of reproductive rights in the U.S. Today I have another example of how sensitive data can be misused. The Verge is reporting that US Senators Ron Wyden (D-OR), Elizabeth Warren (D-MA), and Cory Booker (D-NJ) have written to two leading mental health app providers, Talkspace and BetterHelp, and are demanding answers about their data collection and sharing practices:
In letters to BetterHelp and Talkspace executives on Thursday, Warren — along with Sens. Cory Booker (D-NJ) and Ron Wyden (D-OR) — called on the mental health companies to explain how their apps collect and use data obtained from their patients. Specifically, lawmakers requested information on the apps’ relationships with online advertisers, data brokers, and social media platforms like Facebook as well as how those relationships are disclosed to users.
Reviewing the companies’ privacy policies, the senators wrote that “unfortunately, it appears possible that the policies used by your company and similar mental health platforms allow third-party Big Tech firms and data brokers, who have shown remarkably little interest in protecting vulnerable consumers and users, to access and use highly confidential personal and medical information.”
The letter follows a report published in May by the Mozilla Foundation, which warned consumers that online talk therapy apps could be profiting off of their mental health data. While both BetterHelp and Talkspace promise not to sell a user’s medical data without their consent, the researchers determined that personal information — like a patient’s name, phone number, and email — could still be sold or accessed by third parties for advertising and marketing purposes.
Well, that’s shady. But sadly, it's not a new phenomenon. And Dan Weiss, who is the SVP Application & Network Security Services for GRIMM, agrees:
This problem is neither new nor unique. Instead, it represents a challenge to both users and regulators. Technology’s trend to move more rapidly than regulation and to expand in ways that are difficult to predict is both well-known and a consistent story over time. This case highlights that consumers still operate under the mistaken bias that data (of any sort) that passes through a mobile device has any assumption of privacy. The truth is that ensuring “privacy” in this landscape is a nearly impossible challenge, one which most application developers implement imperfectly, if at all.
Coupled with the fact that user data is the primary product for many applications, the challenge of restricting unintended use cases is one that regulators have failed to address. Some platforms, such as Apple, have worked to provide a level of additional visibility and control to users (although a cynic might rightfully question the completeness and motivation for these changes). However, attempting to solve the problem through current regulatory strategies is essentially doomed to fail for the reasons alluded to above. Ultimately, it will fall to the consumer to understand how the application is using their data and fully understand that the conventional definition of privacy no longer applies to data that transits the vast majority of commercial mobile applications.
It will be interesting to see how these companies respond to these senators. But it will be even more interesting to see if they suddenly make changes in the hope of making the scrutiny on them go away.
Watch this space for more.