Mind My Marbles — Are Online Therapy Apps private?
Mental health awareness is on the rise, and with it an army of online therapy apps; but are they safe?
Forever the skeptic, my first thoughts were “yeah right, that’s not a real therapist on the other end”. As more of these apps came up, I decided to dig a little deeper into their security features; after all, if it is really therapy, you’re probably sharing some pretty private stuff. I am not a cyber security expert so I admit there may be better questions to ask in order to verify this, but I did my best with my limited knowledge. I implore you to do your own research if you are considering signing up to any online mental health service.
I collected a list of apps I came across and sent them all the same set of questions. Many of these apps are registered in the US, which may mean they have a loophole in abiding by certain regulations in Europe (maybe?). Also, keep in mind that the field of psychology is not fully regulated by the UK government, so in theory anyone can call themselves a therapist! Below is the list of questions I sent and a summary of the answers I received. If you are a lawyer or a cyber security expert, please drop your knowledge in the comments.
- How do I know if I am talking to the same person every time?
- How do I know if I am talking to a real person?
- How do I know if the person I am talking to is a qualified, certified, licensed therapist?
- Do you store any data, and if so how and for how long?
- Do you use end-to-end encryption?
- Has your online platform/app been certified or vetted in any way?
- In which countries can you legally offer this service?
Feelya say they use OpenTok (developed by Vonage Inc) and do not use any web-based commercial software for their audio/video sessions. Vonage is HIPAA compliant (a US federal law) and has HITRUST CSF certification (a US framework).
All audio/video is encrypted using these protocols: SRTP and DTLS-SRTP. (🤷♀️) Both client and therapist endpoints use the AES cipher with 128-bit keys. Data integrity is verified using HMAC-SHA1. No sessions are recorded.
Feelya is compliant with GDPR (Data Protection Number is ZA250334). All therapists are UK based, vetted, and are registered with either HCPC, UKCP, BPS, or BACP.
Quite a below-average response here, unfortunately. They let me know that their services are available outside of the US and that their prices are listed in multiple currencies. Most therapists are based in the US. All “providers” are licensed and they verify clinical quality and licensure for everyone.
They mentioned that I will “see” the therapist I’m matched with from the account and can check their licenses. I’m not sure what “see” means here; is it just a text profile with a photograph? Easily forged in my (skeptical) opinion.
All therapists are US based, but several are licensed to be able to work internationally (no mention of what license they are referring to). They can offer their services to almost all countries.
This one was a tad worrying, but the massive caveat being I know nothing about cyber security. It just sounds a little simple to me…
Any data they keep is stored on a database behind a firewall in a data centre that has several layers of security. Appointment transcripts are encrypted before being stored.
I was then given a contact phone number I could call to get more info on who from the service can access my data.
To address a bit of bias here, I have used this app as I was given access to it via a previous employer. I only used the “DIY” services and did not have interaction with therapists. It was quite useful if you like CBT. Anyway, on to the response…
Therapist profiles showing experience and qualifications will be visible to the user. They have a two-step assessment process before you are matched to a therapist. All therapists are UK based and are supervised by consultant level clinicians.
They are GDPR compliant and ISO27001 certified. They regularly test their security and all data is encrypted. Their service is only available in the UK.
This response nearly wasn’t included as it came in quite late. They advised that the “practitioner” will introduce themselves at the start of every chat. They mention it is not uncommon for the first 3 sessions to be done by different practitioners while they assess your needs.
They can only offer assurances that you are dealing with a real person. I can understand that, but I also feel like they should go the extra mile to make that clear.
They assure they have a robust recruitment process in place to check qualifications, BUT, they do say that their “practitioners” (I don’t know why I don’t like that word) are both accredited counsellors and counsellors working towards accreditation. I only hope that they make it clear if you are dealing with a trainee.
Honestly, some of the responses regarding encryption protocols and ciphers have gone totally above my head so I cannot tell you if those are good, bad, or average (also why I didn’t delve into the privacy policies in detail). I find it encouraging that some of these platforms are taking this seriously by responding to the questions with some detail. As always, if you do want to pursue this for yourself — research, research, research, ask a medical professional for a recommendation, research, ask another medical professional…you get the picture. Take this seriously and make sure you know who you are sharing your intimate thoughts with.
I did not get a response from BetterHelp (‼️), Ginger, Larkr, TeenCounselling, 7cups, Harley, Tomo at the time of writing.
- This Lifehacker article delves into the topic as well: Do Therapy Apps Really Protect Your Privacy
- The Mozilla Foundation also concluded that most mental health apps have privacy concerns; they have a whole team looking into this, so this one is worth a read.
If you enjoyed this and found it helpful (or totally unhelpful) please let me know by leaving a reaction or comment, or find me via jasminludolf.com.