This blog series focuses on examining the collection of device data by various popular mobile applications. This data is often collected in the name of advertising, error monitoring, fraud detection, and social media integration.
Note: I have reached out to BetterHelp and they are taking steps to address any issues outlined in this blog. If you or someone you know needs help with a crisis please contact 1–800–273-TALK.
The application featured in this blog is BetterHelp, a platform to remotely connect patients to counselors and therapists. In the pursuit to provide a quality counselling platform they choose to collect their user’s sensitive mental health data.
BetterHelp offers a mobile application where users can sign up and begin taking online therapy sessions. During the sign up period, users are asked various questions in an attempt to match them with an appropriate counselor.
These questions target a user’s mental health, asking: “Are you currently experiencing overwhelming sadness, grief, or depression?”, “When was the last time you had a plan to commit suicide?”, “Are you currently experiencing anxiety, panic attacks or have any phobias?”, and more. The answers the user provides to these questions are often quite personal.
Who’s collecting what and why?
Often applications will track their users as they proceed through the signup process; this allows a company to detect issues that prevent their first-time users from becoming registered returning users. To extract user analytics during signup, BetterHelp leverages a third-party tool called Mixpanel. Mixpanel is used to track user interactions across applications or websites, providing guides on tracking first time users.
During the signup questionnaire, data corresponding to responses are sent to Mixpanel. Some of these responses are obfuscated, others are not. For example, a user’s response to the question “When was the last time you had a plan to commit suicide?” is sent in the clear.
Additionally, when users pick counselor-specific experience areas, which helps match patients, corresponding events are sent to Mixpanel. This provides Mixpanel with a profile of the user’s mental health.
What users can do about it
If a user is uncomfortable with sharing this data they can block api.mixpanel.com at the DNS level; unfortunately this is a more technical solution and requires some work. Alternatively an ad-blocker, such as uBlock Origin, will block Mixpanel but confines the user to using a browser.
The data collected by BetterHelp gives them a better picture on how users progress through their sign up procedure. A user should understand that blocking BetterHelp’s access to this data causes issues to go unnoticed and analytics to be skewed.
With the rise of affordable virtual counselling platforms, users should be aware their data may be shared with third-parties. While BetterHelp is the focus of this blog, undoubtedly similar services dabble in the same third-party tools. However, if we choose to treat mental and physical health equally we ought to handle the data with equal sensitivity. It would be difficult to justify sending a users prescription data to a third-party, why should it be acceptable with their mental health data?
Once again this is the trade-off between security and usability. Hopefully this blog allows users to make an informed decision on how they share their data.