The Washington Post

Smoking and depression apps are selling your data to Google and Facebook, study finds

The pitch: Health apps for users who are battling depression or want to quit smoking.

The problem: Many of the apps designed to track a user’s progress are sharing the personal details they collect with third parties, like Google and Facebook, without consent.

That’s according to a study published Friday in the journal JAMA Network Open. Researchers say the findings are especially important in mental health, given the social stigmas and the risks of having sensitive information shared unknowingly. And because many health apps aren’t subject to government regulation, researchers say, consumers and clinicians must contend with what information is being entered into these apps — and who else can access it.

“Digital data doesn’t go away,” said John Torous, a co-author of the report. “A part of the risk is that we don’t fully know who is going to put this data together, when and where it’s going to show up again and in what context. … Data seems to end up in the hands of the wrong people more and more.”

Torous heads the digital psychiatry division at a Harvard Medical School-affiliated teaching hospital, where he also is a staff psychiatrist and faculty member. He said there needs to be a “wake-up call” in the digital health field because, “We can’t treat people’s personal data like it’s the personal property of these app developers.”

The study tracked three dozen apps aimed at people who have depression or want to quit smoking and found that only a third of them accurately conveyed that the data collected could be accessed by a third party. The study looked at the top-ranked apps for depression and smoking but didn’t identify them.

Nearly a third of the apps in the study did not have a privacy policy at all. But even among those that did, researchers found that many did not accurately disclose whether that data could be shared with a third party.

So not only did most apps share data, but many also gave users no indication that sharing was a possibility.

Privacy is a recurring question in the digital realm. This month, The Washington Post reported that data compiled by popular period- and pregnancy-tracking apps often are not confined to users. Rather, apps such as Ovia give employers and health insurers a lens into users’ personal information about pregnancy and childbirth — often under the umbrella of corporate wellness.

In the case of Ovia, for example, employers who pay the apps’ developer can offer their workers a special version of the apps that, in turn, transmits health data — in an aggregated form — to an internal company website that can be viewed by people in human resources.

Data and privacy issues among health apps often stem from their business models, the researchers wrote. Because many insurers don’t cover these apps, developers typically have to sell subscriptions or users’ personal data to stay viable.

The apps in the study didn’t transmit data that could immediately identify a user, Torous said. But they did release strings of information “that can begin the process of re-identification.” If, for example, those strings get sent to Facebook analytics, Torous said, then the question becomes, “Who is putting this all together, and who gets to access this?”

“We’ve seen enough stories that … there’s value in [the data], or else the app makers wouldn’t be sending them off,” Torous said. “And the bigger point is that [the apps] weren’t even disclosing it.”

With the rise of health and wellness apps, it can be confusing for users to distinguish between products that explicitly offer medical care and those that don’t. But many health apps label themselves as “wellness tools” in their policies to get around legislation that mandates privacy protections for user data, such as the Health Insurance Portability and Accountability Act (HIPAA), the researchers wrote.

Torous gave the example of apps that address “stress and anxiety, or mood and depression.”

“In mental health, it’s a blurry line between what’s critical care and what’s self help,” he said.

Torous suggested a few ways to screen for reliable — and secure — apps. Carefully read the privacy policies. Check whether an app has been updated in the past 180 days and, if not, move on. Try to gauge whether you trust the app developer.

For example, Torous said, mental-health apps developed by the Department of Veterans Affairs clearly say that user data isn’t transmitted elsewhere. And while the apps are generally geared toward veterans, the tools can often apply to others. The Food and Drug Administration, along with other international governments and agencies, is also developing ways to make health apps and other digital health tools more private and secure.

“Certainly if you’re sharing a lot of information about your mental health, and the app is not actually helping you, why put yourself at risk?” Torous said.