When it comes to subjects like mental health or addiction, one should be able to trust that an app designed to help you through such a difficult and personal problem would take your privacy seriously. But a new study suggests that not only is this not the case, but these apps are coughing over your data to tech giants like—surprise, surprise—Facebook and Google. And not only are some of these apps failing to tell you about it, but they may also be doing it whether or not you use the social logins that link those accounts with said apps.
The study—conducted in January of last year by researchers with the University of New South Wales and the Department of Psychiatry at Beth Israel Deaconess Medical Center and published Friday at the journal JAMA Network Open—examined a total of 36 of the top-ranking free apps for smoking cessation and depression available in the Android and iOS app stores in the U.S. and Australia. Those included seven apps available for both, as well as another 14 exclusive to iOS and 15 only available on Android.
For those with privacy policies, the researchers found that only 23 apps were disclosing the possibility that a user’s data could be shared with a third party, with 16 disclosing that data could be shared with advertisers and 14 indicating data could be shared with both advertisers and analytics services. Only one app said that no data would be shared with third parties, but six of these apps specifically stated that no “strong personal identifiers” such as email address, name, or date of birth, would be shared with advertisers.
But upon examining the data transmission of each iOS and Android app, the researchers found that 33 of the 36 apps—or 92 percent—shared data with one or more third parties. They also observed that 29 of those 36 popular mental health and cessation apps were sharing information with services operated by Facebook (12) or Google (28), but only some were making that clear in their privacy policies (six apps for Facebook and 12 in Google’s case). In apps that included social logins for these platforms, the researchers wrote, data-sharing “occurred regardless of whether the social login feature was used.”
Neither Facebook nor Google immediately returned a request for comment. We asked the researchers behind the study which apps they studied but did not receive an immediate reply.
In nine of the 33 instances of health or cessation apps sharing user data, the researchers found that one app shared a username and eight shared an identifier linked to the user’s device. Two apps shared information that included substance use or personal health information, and in 26 cases the apps shared pseudonymous advertising identifiers that the researchers noted: “can be used to track user behavior over time and across different products and technology platforms.”
But the researchers said that aside from this information, they didn’t observe that any “other personal or sensitive information (such as full names, passwords, dates of birth, or medical data)” was being shared with third parties. Additionally, they said, their study did not examine whether user data that was surreptitiously being shipped off to third parties was being used for targeted advertising.
Even still, the study raises significant questions about the security of the information we share with the apps meant to help us lead healthier lifestyles. In sensitive situations like mental health and addiction, the last thing that anyone needs is targeted ads attempting to bait them into some kind of snake oil remedy—or worse. Steven Chan, a physician with the Veterans Affairs Palo Alto Health Care System, told the Verge that advertisers could potentially target an individual attempting to curb one addiction, like smoking, with ads for another, like alcohol—which doesn’t seem too far out of the hellish realm of possibility.
“As smartphones continue to gain capabilities to collect new forms of personal, biometric, and health information, it is imperative for the health care community to respond with new methods and processes to review apps and ensure they remain safe and protect personal health information,” they said.