Smoking, Depression Apps Seen Selling Your Data to Google, Facebook: Study

Smoking, Depression Apps Seen Selling Your Data to Google, Facebook: Study

The pitch: Health apps for users who are battling depression or want to quit smoking.

The problem: Many of the apps designed to track a user’s progress are sharing the personal details they collect with third parties, like Google and Facebook, without consent.

That’s according to a study published Friday in the journal JAMA Network Open. Researchers say the findings are especially important in mental health, given social stigmas and the risks of having sensitive information shared unknowingly. And since many health apps aren’t subject to government regulation, researchers say, consumers and clinicians must contend with what information is being entered into these apps – and who else can access it.

“Digital data doesn’t go away,” said John Torous, a co-author of the report. “A part of the risk is that we don’t fully know who is going to put this data together, when and where it’s going to show up again and in what context. . . . Data seems to end up in the hands of the wrong people more and more.”

Torous heads the digital psychiatry division at a Harvard Medical School-affiliated teaching hospital, where he also is a staff psychiatrist and a faculty member. He said there needs to be a “wake up call” in the digital health field because, “We can’t treat people’s personal data like it’s the personal property of these app developers.”

The study tracked three-dozen apps targeted at people with depression or who want to quit smoking, and found that only a third of them accurately conveyed that data would be accessed by a third party. The study looked at the top-ranked apps for depression and smoking but didn’t identify them.

Only 11 of the 36 apps studied had a privacy policy. Of the 25 without such a policy, all but two specifically said that user data would be shared with third parties. But the researchers determined that data sharing actually occurred in 33 of the 36 apps.

So not only did most apps share data, most gave users no indication sharing was a possibility.

Privacy is a recurring question in the digital realm. Earlier this month, The Washington Post reported that data compiled by popular period- and pregnancy-tracking apps often are not confined to users. Rather, apps like Ovia give employers and health insurers a lens into users’ personal information about pregnancy and childbirth – often under the umbrella of corporate wellness.

In the case of Ovia, for example, employers who pay the apps’ developer can offer their workers a special version of the apps that, in turn, transmits health data – in an aggregated form – to an internal company website that can be viewed by people in human resources.

Data and privacy issues among health apps often stem from their business models, the researchers wrote. Because many insurers don’t cover these apps, developers typically have to sell subscriptions or users’ personal data to stay viable.

The apps in the study didn’t transmit data that could immediately identify a user, Torous said. But they did release strings of information “that can begin the process of re-identification.” If, for example, those strings get sent to Facebook analytics, Torous said, then the question becomes, “Who is putting this all together and who gets to access this?”

“We’ve seen enough stories that . . . there’s value in [the data], or else the app makers wouldn’t be sending them off,” Torous said. “And the bigger point is that [the apps] weren’t even disclosing it.”

With the rise of health and wellness apps, it can be confusing for users to distinguish between products that explicitly offer medical care, and those that don’t. But many health apps label themselves as “wellness tools” in their policies to get around legislation that mandates privacy protections for user data, like HIPAA, the researchers wrote.

Torous gave the example of apps that address “stress and anxiety, or mood and depression.”

“In mental health, it’s a blurry line between what’s critical care and what’s self help,” he said.

Torous suggested a few ways to screen for reliable – and secure – apps. Carefully read the privacy policies. Check whether an app has been updated in the past 180 days and, if not, move on. Try to gauge whether you trust the app developer.

For example, Torous said, mental health apps developed by the Department of Veterans Affairs clearly say that user data isn’t transmitted elsewhere. And while the apps are generally geared toward veterans, the tools can often apply to others. The Food and Drug Administration, along with other international governments and agencies, are also developing ways to make health apps and other digital health tools more private and secure.

“Certainly if you’re sharing a lot of information about your mental health, and the app is not actually helping you, why put yourself at risk?” Torous said.