Top Mental Health and Prayer Apps Fail at Privacy, Security (2022)

foundation.mozilla.org

159 points by TrisMcC 3 years ago · 74 comments

NoZebra120vClip 3 years ago

I was pleased to see that Hallow earned their seal of approval, or should I say it evaded their badge of shame? Hallow's a good app, professionally developed, and it's marketed tirelessly. I had my friend asking me if it was a good app to install. I don't know; I use other ones but not Hallow.

I was also pleased to see that "BetterHelp" earned the badge of shame. BetterHelp is just on this side of an outright scam. They contract with legitimate counselors and therapists and then cram their appointment books full of Zoom sessions. They claim that you can just send a quick text message to your "therapist" and get helped. But people aren't getting helped, they're just getting taken for a ride. This aggregation of gig-working counselors in an app is a really bad way to conduct this kind of business. It may work for a ride-hailing service, but not for mental health care. If you're thinking of using "BetterHelp" or one of its analogs, please instead consider doing your homework, finding a legitimate clinic or therapist who's licensed in your state, and do an intake directly with their practice. Many of them are now amenable to televideo appointments, and they will work with or without your insurance or on a sliding scale. There are really good therapists out there who don't need to be found on a janky app.

  • EatingWithForks 3 years ago

    Of note one of the things not mentioned in "BetterHelp" is that the ability to not text your therapist at all hours of the day is actually very important for mental health. The therapist is a tool, not a crutch, and shouldn't be treated like a coping mechanism. A therapist is supposed to help teach and guide someone to develop healthier behavior patterns, and time away from the therapist to implement those patterns by oneself is very important.

  • mustacheemperor 3 years ago

    BetterHelp is terrible. The dehumanizing, exhausting, money-seizing experience of trying to engage with their app was a net negative for my mental health when I tried to use it. They've taken the antipatterns used to extract effective monetization in social media apps and mobile games and applied them to people seeking help with their mental health. I've noticed they ingratiate themselves with corporate health benefits providers, etc too. I firmly believe someone in severe need of assistance would only feel worse after seeking help from that app.

    I got as far as the conversation with my "onboarding coach", the licensed therapist who was supposed to find me a "good match" - and it became apparent she was either a bot or attending so little to the conversation she was unable to recognize information in my earlier messages and apply it to later messages - it was like an automated customer support/service flow, but asking me highly personal questions about my mental health.

    There's plenty of mediocre apps out there, but nothing has produced a simmering rage in me like the knowledge that BetterHelp exists and takes advantage of people who need help every day so their leadership and investors can try to get rich.

    • mustacheemperor 3 years ago

      Oh, I just remembered: the onboarding "chat" was specifically advertised as a free, no committal part of the introduction process. After I declined to go further, they started billing me monthly for a subscription to therapy services I had never engaged to use, and I had to email them repeatedly to get the subscription stopped and the charges refunded.

      Billed by the month for exchanging a dozen or so messages with a fake therapist. If you're a company leader and get the opportunity to include BetterHelp in your benefits package - don't.

  • JohnMakin 3 years ago

    While you're not wrong, in many many states in the US, if not a majority of them, finding a therapist that is both a) covered by your insurance and b) accepting new patients can be extraordinarily difficult if not impossible. At the same time, demand for mental health care is steadily rising. That's why these apps do so well.

    • NoZebra120vClip 3 years ago

      I've found that some of the best therapists don't accept any insurance at all, and it'd be foolish to limit one's choices to therapists who are covered by conventional health insurance.

      One very good choice in my area is Catholic Charities. They have licensed counselors as well as students under supervision, and they charge a mere $35 per session. This is a great choice for those who are uninsured or have trouble getting in somewhere.

      My Christian health sharing ministry shared all costs for a Catholic therapist while I was seeing him. Since this is not a "health insurance" arrangement, I didn't need to worry about whether he was in-network or approved; he just submitted his bills to them. My health sharing ministry also has a service that "reprices" bills, i.e. renegotiates them based on market rates and lops off overcharges that commonly occur.

      And yeah, "BetterHelp" has this illusion of availability, and that can be very alluring to people in distress, and that's a dangerous thing. If someone gets mixed up with gig-worker counselors, they may find themselves worse off than when they started. "Good things come to those who wait", as it were.

      • JohnMakin 3 years ago

        > and it'd be foolish to limit one's choices to therapists who are covered by conventional health insurance.

        I mean, many people don't have a choice, or it's prohibitively expensive. Good for you if you have such flexibility.

      • ebiester 3 years ago

        So long as you’re not LGBT, or considering an abortion, or any number of things that run afoul of the Catholics.

        • NoZebra120vClip 3 years ago

          While I am neither LGBT nor abortion-minded, I found that Catholic Charities employs counselors and students from all walks of life, and not all of them are Catholic. Also, Catholic Charities serves everyone in the community, no matter what their faith or race or sexual preference. They are notable for their service to the refugee population, many of whom are Muslim. So I would say that you do them a disservice if you think that their counselors will argue with you over these issues, rather than supporting and respecting you as a person with things to work out.

  • derefr 3 years ago

    > If you're thinking of using "BetterHelp" or one of its analogs, please instead consider [...a bunch of stuff that someone with an executive dysfunction could never manage to do]

    • NoZebra120vClip 3 years ago

      If somebody's executive dysfunction is preventing them from going through the basic steps needed to get help for that very thing, then they seriously need to enlist the help of either a family member or a professional who can walk them through this and ensure that they succeed.

      I'm not sure what the implication of this comment was, but hopefully it does not imply that "if my executive dysfunction prevents me from seeing a real professional then I'll press buttons on my phone and see a fake one instead", because that's a horrible life choice. Complete inaction would be significantly less harmful in a case like that.

      • derefr 3 years ago

        > If somebody's executive dysfunction is preventing them from going through the basic steps needed to get help for that very thing, then they seriously need to enlist the help of either a family member or a professional who can walk them through this and ensure that they succeed.

        You just said the same thing over again. How do you expect them to "enlist the help of a professional"? That's the whole (complex, multi-step) goal they're pursuing here!

        (And, for many such people, they have no supportive family members. They live on their own, do the bare minimum each day at work, drag themselves home, microwave a TV dinner, and fall asleep. Think of them as "a car that doesn't have enough gas in the tank to drive to a gas station.")

        > I'm not sure what the implication of this comment was

        That lowering the barriers (and thus amount of willpower required) to get yourself initially introduced to someone who can help you with your problems even a little — even if they're not going to be able to help you really well with your problems — is valuable, because being helped even a little now means you have more willpower, that you can then use to access a higher-barrier-to-entry solution, and so on, in a cycle, incrementally bootstrapping your way to fully addressing your problem.

        For an analogous situation: group therapy for gender dysphoria is hard to access. Web forums full of trans people you can talk to are easy to access. Those forums aren't structured to help you in the way that group therapy is, but it can at least help you overcome a crisis about whether you should acknowledge that you have a need that requires addressing in the first place.

        Whether or not any particular approach or service that lowers barriers to accessing help, is good at doing that, should not be used to condemn the act of lowering barriers to accessing help itself. Just because BetterHelp is worse than nothing, doesn't mean that we should accept "nothing"; the barriers-to-access are still a problem to be solved, and we should still encourage people and companies who set out to try to solve it.

hospitalJail 3 years ago

>Mozilla’s Minimum Security Standards, like requiring strong passwords

What if I don't want a strong password? What if I have 0 care for my account because I never wanted an account to begin with but was strong armed into giving away my email, phone number, and now need a unique password because I'm worried someone is going to see that I 'prayed' 100 times.

I loved that reddit didn't need an email, and I could use a generic password. If I lost my reddit account, no big deal at all. For my personal/PR reddit account, email and strong password, great.

  • BoxFour 3 years ago

    There are substantial incentives for practically everyone to adopt strong passwords, including yourself, even if it's just a temporary account.

    The platform actually desires you to possess a robust password, given that hijacked accounts contribute to spam so heavily.

    Many people often use the same "basic passwords" on multiple websites. If one of your temporary accounts gets hijacked all your other "temporary" (in quotes because some of them might actually be important) accounts, including older ones you might have forgotten about, could be exposed.

    Essentially, there are hardly any valid grounds for any platform to permit the utilization of frail passwords, especially considering how effortless it is to create distinct passwords using a password manager nowadays.

    • SanderNL 3 years ago

      I think creating a strong password and offering it once is better or am I overlooking something?

      • BoxFour 3 years ago

        If you suggest making one powerful password and using it everywhere, then as soon as one website reveals your password all your accounts have been exposed. The usual practice is to remember one strong phrase and never use it for anything except your password keeper.

        • SanderNL 3 years ago

          I mean if the website in question generates a password and shows it (and then lets it go of course). This is used to show cert private keys for example. I can see it work with passwords.

          I don’t care about passwords. I just want a “key” and I’ll store it.

      • robertlagrant 3 years ago

        Offering it once? Offering what?

        • SanderNL 3 years ago

          The password, at account creation. Here is your password: ……

          I have seen it being used for cert keys.

    • mrweasel 3 years ago

      > Essentially, there are hardly any valid grounds for any platform to permit the utilization of frail passwords, especially considering how effortless it is to create distinct passwords using a password manager nowadays.

      One was just given: Users don't really care to create an account to begin with, so they provide throwaway email accounts and low security passwords. If the apps required longer, safer passwords, then they risk losing signups.

      If I get a message complaining about my password being too weak, from a service I might not care that much about, then there's an increased risk that I opt to not create an account.

      Apple's solution is actually pretty good, it allows me to quickly create an account to try out an app or service. If I don't like it, meeh, they only have the Apple login info and nothing else.

      • BoxFour 3 years ago

        It's clear that platforms don't view it as a major obstacle to registrations. Or, at least, not a hassle that weighs significantly against the issue of unauthorized access to accounts and, to put it bluntly, articles of this nature that tarnish their reputation.

        Considering the ongoing trend towards the use of robust passwords rather than their abandonment, we can infer that either the impact on meaningful engagement hasn't been substantial or the decrease in signups is deemed overwhelmingly worthwhile in order to combat spam and other unfavorable aspects.

        So, I stand by what I said.

  • 3pt14159 3 years ago

    Why do I need a password at all for 99.99% of apps or websites?

    If I lose a password, what do I almost always have to do?

    1. Email account recovery link.

    2. Input auth code sent from text message or authenticator app. [Optional.]

    3. Make new random password I'm going to forget or lose.

    Why bother with this? If email is the reset mechanism why does the industry care so much about getting passwords from users?

    1. Email sign-in link.

    2. Input auth code. [Optional]

    Every other part of this whole chain gets simpler. No more password strength checking code. No multiple auth paths. No issues with anything. Just a single email with at most two links, one for browser sign in, one for app sign in.

    If you really, really, really need to you can add one or two QR codes so these hypothetical people that don't have email on their phone can sign into the app.

    • dolmen 3 years ago

      > Why bother with this? If email is the reset mechanism why does the industry care so much about getting passwords from users?

      Because you may not have access to your e-mail from the device where you want to use that service.

      For example, I don't need to have access to my e-mails from my tablet as I'm always reading/writing them on a computer with a keyboard. So I don't want to set up access to my e-mails from my tablet, as it reduces the risks of a bad app leaking them or leaking my credentials.

      • 3pt14159 3 years ago

        I covered this in my comment with QR login codes.

        Plus, if you really want to, you could also have a one-time use 6 digit code for login also sent in the email and it would be better for the majority of people that do not use a password manager.

        Or if you really, really, really must have your passwords then please invert the default to where login via link is the primary mechanism and passwords are optional on a per-account basis.

    • P_I_Staker 3 years ago

      I think they do this in Europe. I believe that there is still loss of some security. With email only you could lose all your accounts.

      So, while I mostly agree overall, especially with respect to silly little things that aren't likely to hurt anyone, I do think there's a compelling case for password and 2factor.

      As it stands, you have to know something and have something. Making it so you only need to have something is better than making it so they only know something.

      However, that second factor seems like a good idea; though I will admit that it's probably unlikely that a thief would have the motivation to crack your phone to get your email; is this even easily achievable?
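One way the email sign-in link flow proposed above could be handled on the server, as an added example that is not part of the thread. The class name, the `app.example` URL and the 15-minute lifetime are assumptions; sending the email itself is left out.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a sign-in link


class SignInLinks:
    """Issues and redeems one-time email sign-in links (hypothetical helper)."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be tested
        self._pending = {}       # sha256(token) -> (email, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        # Only the hash is stored, so a leaked table does not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email: str) -> str:
        # A new link replaces any older, still-pending link for the same address.
        for digest, (owner, _) in list(self._pending.items()):
            if owner == email:
                del self._pending[digest]
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        expires_at = self._clock() + TOKEN_TTL_SECONDS
        self._pending[self._digest(token)] = (email, expires_at)
        return f"https://app.example/signin?token={token}"

    def redeem(self, token: str):
        """Return the email the token signs in, or None if it is not valid."""
        entry = self._pending.pop(self._digest(token), None)  # pop: single use
        if entry is None:
            return None          # unknown, already used, or replaced
        email, expires_at = entry
        if self._clock() > expires_at:
            return None          # expired
        return email


if __name__ == "__main__":
    links = SignInLinks()
    url = links.issue("user@example.org")   # constructed sample address
    token = url.split("token=")[1]
    print(links.redeem(token))   # first use signs the user in
    print(links.redeem(token))   # second use is rejected
```

The optional auth code step from the comment would run after `redeem` returns an email and before a session is created.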

  • yreg 3 years ago

    I don't understand what they mean by strong passwords.

    From the methodology:

    > If the product uses passwords or other means of security for remote authentication, it must require that strong passwords are used, including having password strength requirements.

    What are 'strength requirements'? Is minimum-length-of-X a strength requirement? Apparently not, since Abide failed for the following:

    > Strong password: No. Allowed us to register with '11111111'. They require 8 characters minimum, but do not check if a password is strong.

    ----

    I don't believe in the meme of l337speak pa55W0rd$. I think sufficiently long pass phrases are fine.

    • cnity 3 years ago

      Passwords tend not to be brute forced one character at a time, but by combinations of common password lists and rainbow tables. The base unit is not character in these cases but entries in the tables.

      Therefore, a password like "EstablishedCousins" is significantly less secure than "bR^4outc0m3" despite containing more characters.

      Edit: I actually mean dictionary attack, not rainbow tables, but my point still stands.

      Edit 2: In fact, the password from the example ("11111111") appears in the 71st line of this password dictionary: https://raw.githubusercontent.com/duyet/bruteforce-database/...

      • yreg 3 years ago

        > Therefore, a password like "EstablishedCousins" is significantly less secure than "bR^4outc0m3" despite containing more characters.

        And "awn-handsome-dolce-esophagi-radix-lawgiver" is more secure than "Hunter2"…

        My point is that their methodology doesn't cover what they mean by strong passwords. A sufficiently long (and sufficiently random - but how do you check for that?) pass phrase is strong in my view.

    • thfuran 3 years ago

      'Sufficiently long' is doing a lot of work though. 1$a}F is a five symbol password and so is ASufficientlyLongPassPhrase. Unless an attacker has some specific knowledge about how the passwords were generated, the latter is significantly more secure since the dictionary size for the symbols (English words, though none especially uncommon so top 5k or so should suffice) is significantly larger than that of the former (standard keyboard characters). But it's not nearly as secure as a password in the style of the former with the same number of characters as that passphrase.

    • asynchronous 3 years ago

      8 characters isn’t exactly long but I agree overall length is the main way to make a password stronger. Cue the xkcd comic.
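The Abide finding quoted above (an 8-character minimum that still accepts '11111111') comes down to the difference between a length rule and a strength check. The following is an added example, not code from the thread or from Mozilla's methodology; the blocklist is a small constructed sample, and the thresholds and function names are assumptions.

```python
MIN_LENGTH = 8      # the minimum length the quoted review mentions
MIN_DISTINCT = 5    # assumed threshold for distinct characters

# Constructed sample; a real deployment would load a large list of
# passwords seen in breaches instead of this handful.
COMMON_PASSWORDS = {
    "11111111", "12345678", "password", "qwertyuiop", "hunter2", "letmein123",
}

# Undo the usual character substitutions before consulting the blocklist.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "3": "e",
                      "1": "l", "$": "s", "5": "s", "7": "t"})


def length_only_check(password: str) -> bool:
    """The weak rule: length is the only thing that is checked."""
    return len(password) >= MIN_LENGTH


def _is_repeated_block(password: str) -> bool:
    # True for "11111111" or "abcabcabc": the string is built from one
    # shorter block repeated, which is what the doubled-string test detects.
    return len(password) > 1 and password in (password + password)[1:-1]


def _is_sequence(password: str) -> bool:
    # True for runs such as "abcdefgh" or "87654321".
    steps = {ord(b) - ord(a) for a, b in zip(password, password[1:])}
    return len(password) > 2 and steps in ({1}, {-1})


def check_password(password: str) -> list:
    """Return the reasons a password is rejected; an empty list means accepted."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS or lowered.translate(LEET) in COMMON_PASSWORDS:
        reasons.append("common password")
    if len(set(password)) < MIN_DISTINCT:
        reasons.append("too few distinct characters")
    if _is_repeated_block(password):
        reasons.append("repeated block")
    if _is_sequence(password):
        reasons.append("character sequence")
    return reasons


if __name__ == "__main__":
    samples = ["11111111", "P@ssw0rd", "Hunter2", "bR^4outc0m3",
               "awn-handsome-dolce-esophagi-radix-lawgiver"]
    for pw in samples:
        print(f"{pw!r}: length-only={length_only_check(pw)} "
              f"rejected-for={check_password(pw)}")
```

The check imposes no character-class rule, so a long pass phrase passes as long as it is not on the blocklist and is not a trivial pattern.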

  • barrysteve 3 years ago

    Passwords are not about hiding data.

    Passwords are legally the only thing that can't be forced out of you, to make you login into a computer system against your interests.

    Passwords are the core foundation of keeping your internet life separate from your personal/private life. Biometric and hardware authentication make both your real life name/address/life history and your computer ID the same thing.

    I didn't sign up for American globalism, and I don't want my iPhone's authentication systems to force me into being accountable to Twitter/Apple/Google credit score. If the Australian government forced this stuff on me and kept it within Australia, that's different.

    IBM is moving to a "passwordless trend" on their server authentication, in favour of biometrics and iPhone auth. I bet my bottom dollar that will get spread everywhere in the universe, regardless of our protestations.

    It's not agreeable. inb4 people say "it's always been that way/they could always do that". The last shred of internet-identity liberty is going to be dead in a new york minute.

    Your religious identity, and your prayer life is going to get owned if you let go of passwords and ambiguous identities.

    • denton-scratch 3 years ago

      > Passwords are legally the only thing that can't be forced out of you, to make you login into a computer system against your interests.

      Not in the UK, since RIPA.

      https://en.wikipedia.org/wiki/Regulation_of_Investigatory_Po...

      It's been used:

      http://news.bbc.co.uk/1/hi/technology/7102180.stm

      • barrysteve 3 years ago

        Guess my comment is surplus-to-requirements. Waves of 'sadge' aside..

        Non-conformists are necessary to keep society progressing. The computing revolution is becoming oppressive. I guess the future rests with Men who have the willpower to keep valuable ideas out of the system long enough for them to bear fruit.

        Isaac Newton studied in private for 15yrs.. He also privately denied the Trinity and refused to take Holy Orders from the CofE. It's very questionable if that is at all possible to do again under constant 'supervision', when a fundamental difference between authority and truth happens again.

        • denton-scratch 3 years ago

          > and refused to take Holy Orders from the CofE.

          Did the CofE try to compel him to take Holy Orders?

          As far as I'm aware, Holy Orders in the CofE amounts to becoming a priest (since the CofE has no monks or friars). I thought you had to ask for that, and then prove your worthiness.

          Is there some order in the CofE that the church can ask you to join, when you don't want to?

          [Edit] He was a Rosicrucian; I'm not really sure what that means in theological terms, but I'm pretty sure it doesn't align with any conventional doxy.

          • barrysteve 3 years ago

            He lived in a very orthodox time in the UK. The country has previously had a state religion (1200s) and kicked out the Jews at the time. The Brits have previously severely restricted public services for all non-conformists after the Act Of Uniformity 1851. The Brits have murdered/killed/martyred many people from European religions. Denying the Trinity is enough to invite severe negative judgement from the Archbishop of Canterbury. We live in Trinitarian times.

            The Brits is a CofE country, even though it's 'going dark' (well less visible and more authoritarian) in our lifetimes and GAFCON will temporarily take the limelight.

            It is trivial to silence people technologically today and with biometrics denying services is also trivial.

            If a discovery like Calculus comes from people who wish to study and speak of non-orthodox ideas, then we should be careful about our technological lock downs. Social media manipulation of thinking is already a big danger to true innovative thought.

            • denton-scratch 3 years ago

              Yes, I get it, he was a non-conformist. But in what sense did the CofE try to compel him to take Holy Orders?

              > even though it's 'going dark'

              Not sure what you mean. The CofE is a very different organisation from what it was 60 years ago, when I first rejected religion. I like the modern organisation a lot less than the one I left; it's become heavier, more intolerant of human diversity, with a much narrower range of views. Maybe that's what you meant.

  • gjsman-1000 3 years ago

    One very, very basic measurement / thought experiment for holiness in Christian circles to think about is the following:

    Imagine Christianity is illegal. Imagine the government decides to prosecute you, but hires the weakest, most incompetent, repeatedly-almost-disbarred prosecutor there is. You meanwhile get access to David Boies. Would the government have enough evidence for even the worst prosecutor to prove you are a Christian?

    Well, if not… it’s like Mozilla doesn’t realize that religious people don’t mind prayer being a fairly public act as long as people against them aren’t preying on them. Catholics have Mass every Sunday; Muslims have their five-times-daily prayers and often wear clothing that clearly identifies them as such; and so forth.

    • lo_zamoyski 3 years ago

      Prayer can be both public and private. It's more than just the danger of being exposed as a Christian to a regime that is hostile to it and persecuting Christians. The seal of confession is an obvious good example of why privacy is important. Everyone standing in line to the confessional knows you're Catholic and that you're going to confession. They don't know what you're confessing to.

      Obviously, you shouldn't be storing confessions in an app, but the principle is that privacy goes beyond the danger of persecution.

    • hospitalJail 3 years ago

      Your thought problem isn't productive because it creates a fake scenario that creates validity to an otherwise invalid problem.

      Okay, if Christianity is illegal you'd want your Christian apps to be secure.

      If Christianity isn't illegal, you don't care.

      You'd want privacy if you were using the silk road, but you are probably okay with your alarm clock app collecting the number of times you hit snooze. You'd also be okay if the US/Chinese government knew that you hit snooze.

      • villagevanguard 3 years ago

        The person you're replying to is using the hypothetical to illustrate why religious people don't care if prayer app data is made public. He is not trying to tease out the hypothetical any further than that.

  • bee_rider 3 years ago

    The list is about privacy and security. If you don’t think your prayers are private or need security, then don’t worry about the list I guess.

  • mehlmao 3 years ago

    The information stored in therapy or prayer apps is much more sensitive than a disposable Reddit account.

  • shlubbert 3 years ago

    You know, it's not a requirement to be contrarian about everything. Encouraging people to use stronger passwords (and password managers to handle them) is pretty much universally a good thing.

adamwong246 3 years ago

I hate to be the one who has to say the quiet part out loud but- what in the world are we doing to ourselves? Were these apps FOSS I might not be so alarmed but how do you think these companies are paying the bills? With good karma? No, YOUR DATA. And not just your GPS location or your favorite brand of ice cream, but your most vulnerable and intimate of thoughts. Now, shudder at the thought that not only can these apps leech your data, they can now poke back, manipulating the user to god knows what. And of course, your health insurance provider is now peering into your soul. They'll surely be happy to mandate that you can no longer attend "human" therapy.

  • xctr94 3 years ago

    You’re sadly right, but many of these apps have a freemium model.

    BetterHelp isn’t free at all, it’s actually fairly expensive; so one could argue they should not need to phone in your data to so many third-parties.

    I pay my therapist for their services, assuming there’s a high degree of confidentiality in our relationship. These apps, even paid ones, behave like any other app in terms of data sharing.

    And not to mention that some of this information might be covered by HIPAA?

  • aio2 3 years ago

    Some people are stupid.

haswell 3 years ago

Missing is the “Waking Up” meditation app which is a treasure trove of content and the first app that helped me “get” meditation.

I submitted it on their form for review, but was a little surprised to see it missing from a “top” list.

Seeing this report makes me really want to build privacy-respecting apps in this space. Of all categories, using traditional monetization and data selling practices seems particularly bad here.

(Not affiliated in any way; just a happy customer hoping they aren’t abusing my data too badly…)

sudobash1 3 years ago

It is disheartening (although not that surprising) to see how many companies are "double dipping" here. For example Pray.com seems particularly bad. It has a $7.99 a month subscription, but still tracks and sells your information just like a "free" app would.

Ordinarily I feel much better about an app which has a clearly defined, above-board, method of funding itself. (The old "if you aren't paying for the product, you are the product" thing). But this is a good reminder that it is "if" not "if and only if".

iinnPP 3 years ago

Canada recently funded a mental health website which suffers from many of the same problems mentioned in the article. It's under review with OPC currently, but additional reports always help.

This website is advertised by our PM to children.

https://www.wellnesstogether.ca

bloopernova 3 years ago

Nice to see that the app I use, Finch, is rated fairly well.

I'm going to assume sharing an invite code would go badly, but if you want mine so you get a mini pet in the app, please email me at the address in my profile. The benefit I get is not monetary: if I get a few signups I get a mini pet myself.

Finch is one of the few self help apps that really seems to help me. I was slipping further into deep depression but Finch has helped me to have a few good days, and I've showered and changed my clothes every day for 2 weeks. I recommend it!

anotheraccount9 3 years ago

This is concerning. I'm using one of these services and if my mental health details were to be known, I would not only feel devastated, but this would negatively impact my career and social life (for a long time?). I need to know I can trust these folks, but what are other options? I can't find any psychologists or psychotherapists in my area who are available (many don't even answer my calls or emails). Do you know of any good and trustworthy online services for this?

  • adamwong246 3 years ago

    I believe that this problem is one of sheer personal responsibility. That is, I don't really trust therapists much more than these apps. Support groups and self-help books are better but in the end, only pure "shadow work" can really save you. You must learn to be your own therapist.

    • xctr94 3 years ago

      As someone that did shadow work, this is disingenuous and unhelpful. People undergoing depression or PTSD can’t be told to “man up” and work on themselves alone. Therapists are usually very careful with confidentiality.

uejfiweun 3 years ago

I wonder if this sort of thing has any relation to the revelations that the US Government is one of the largest buyers of private data from apps and such. Would certainly seem to make sense.

dolmen 3 years ago

About https://foundation.mozilla.org/fr/privacynotincluded/categor...

Privacy not included there also: that Mozilla web site uses Google Fonts and Google Tag Manager which are not GDPR compliant.

hospitalJail 3 years ago

iOS or Android, both get your data. What is the difference in privacy? Please use actual examples and not boogeymen 'Google is an ad company'.

I personally have seen iPhones (or at least iPhone users) have far more intrusive and customized ads to the point where saying a word in a home puts you at risk of getting physical mail related to that word. (It was dog food, and a dog food ad.)

I've come to the conclusion that privacy and security are mostly theater, and if I am being realistic, I need to assume everything I say/do is being recorded. I also treat my devices as compromised. Any thoughts that your device is private or secure is delusion.

  • chrisallenlane 3 years ago

    FWIW, I don't have any pets (and haven't for some time), but I receive physical mail regarding dog food, dog toys, etc, all the time. There's a chance you've been fooled by randomness here.

    That said, there's certainly no harm in treating your device as compromised. I do the same. "Better safe than sorry."

    • hospitalJail 3 years ago

      Well, the specific name of the company that was mentioned showed up, and us getting 0 dog related stuff prior, and 0 dog stuff since, makes it sus.
