Privacy Red Flag in NYC’s New “Teenspace” Mental Health Platform

In November Mayor Adams and DOHMH Commissioner Dr. Vasan announced a $26 million partnership with mental health platform Talkspace. Called “Teenspace,” it provides free access for New Yorkers ages 13 to 17 years old, to a dedicated online therapist, monthly 30 minute video meetings, and unlimited texting.

Providing mental health support to teens, and embracing the digital world in doing so should be something to celebrate. And it’s a well-intended effort. But with three serious cybersecurity attacks in just the past two years affecting thousands of NYC students, combined with the highly sensitive nature of mental health data, it was worth a review. And glad we did, because we found some serious issues worthy of review and discussion. 🚩🚩🚩

What’s the Problem?

You can read here about the Teenspace service, the contract New York City signed, and a lengthier overview of both general and specific concerns about the platform.

But quite simply, and thanks to the Mozilla Foundation’s privacy guide, there in one aspect of the registration process that, particularly in the context of youth, should be alarming:

🚩 Talkspace collects sensitive data before a user is given clear prompts related to privacy

“…They also ask users straight away to take a questionnaire where pretty sensitive information is gather about things like a users' mental state, gender and gender identity, date of birth, and more. No privacy policy is presented before the answers to those questions are collected so you can understand how that information could be used.” (Mozilla Foundation)

🚩 And for New York teens using “Teenspace” (and their parents/guardians) it’s worse…

Because the law requires a parent/guardian to give consent for their teen to use the platform. It’s clearly stated in the city’s materials including in the steps laid out here and in the image.

🚩 The 1, 2, 3 steps to signup that NYC touts are NOT what happens

What happens instead? Well, teens input a shocking amount of personal information BEFORE parents receive an official opt-in email. You can try it yourself or watch our walk through below. Teens only pass one screen with two tiny links to the terms and privacy policy after they add an email address. But if they miss it (they are teens) from there they sail through dozens of highly personal questions. And more importantly, they do it all before an email is triggered and sent to parents for the required consent.

🚩 No big deal? Well, it gets worse…

Understandably some parents might not have an issue with their teens signing up on their own for the service and see the parental opt-in requirement as just perfunctory. But that’s just one reason to be concerned. The other is arguably bigger and the root of the problem we see:

The initial registration information that you see in the video (and PDF) above is not protected by HIPAA. It is not “medical” and not part of your therapy service. So it can be used for marketing, for law enforcement purposes; in fact, a long list of ways that you can see below. And that should be problematic to all of us (and should have been flagged by the city, the media and not simply thanks to the privacy advocates at Mozilla and our team investigating the issue).

What’s next…

It’s important that we are able to balance opportunity, future thinking and privacy. And as privacy policies and terms and condition get tinier in font and harder to understand… how are we to evaluate? And certainly if our local government struggles to see the gaps as well, then we might need a rethink on the process of launching these types of initiatives.

We will seek answers and share an update when we have an update. In the meantime, we’d love to hear from you.

Previous
Previous

NYC’s Losing Scorecard on Inclusivity and Sports

Next
Next

When Good People Overlook Bad Things: the Migrant Crisis in Perspective