Cerebral

Warning: *Privacy Not Included with this product

Review date: April 25, 2023

Mozilla researched for 8 hours

Mozilla's opinion

People voted: Super creepy

Feeling anxious, depressed, can't sleep? Cerebral says it can help you with a variety of plans that offer medication and management, medication and therapy, or just therapy. Hop on their website, create an account (there's no getting started without creating an account), take their questionnaire, and pay up. Off you'll go with a video or phone call with a mental health provider or a chat with a counselor. Cerebral even says you could get your medications within days. All this is well and good. What's not good AT ALL is the fact that Cerebral admitted to sharing the private personal health information of over 3.1 million patients with social media sites like Facebook and TikTok! That's not likely going to help your anxiety much.

What could happen if something goes wrong?

We’d expect an app called “Cerebral” to be, uh, smarter about protecting your personal data. Especially because it handles protected health information covered by the US’s stronger health privacy law, HIPAA. So, being conscientious should be a no-brainer… Right? Cue the sad trumpet sound. The short answer is no.

Cerebral could go head-to-head with your doctor and your dog on the topic of intimate knowledge about you. Now, a lot of that information is given by you to get treatment, like your medical history, your Social Security number, and even your feelings – or “emotional characteristics” as their privacy policy puts it. And while it makes sense for them to have access to that in the context of care, handing it over means granting them a lot of trust. And considering that earlier in 2023 Cerebral revealed that they shared the private mental health information of millions -- yes, millions, 3.1 million to be exact -- of their users, well, trust isn't something we'd say they are worthy of right now. As TechCrunch pointed out, according to a list put together by the U.S. Department of Health and Human Services, Cerebral's big data oopsy was one of the largest breaches of Americans’ health data so far in 2023.

On top of what you tell them about yourself, Cerebral may collect information about how you use the services, like which products you’re using, when, and from what computer. Okay, if you must. But here’s where they may be getting a little greedy. Cerebral leaves the door open to collect information about you elsewhere, like social media sites and public sources, and combine it with what they already know about you. Plus, your lovely privacy researcher identified a heck of a lot of tracking going on, detecting 799 points of contact with different ad platforms during one minute of app activity. Why are you so obsessed with us, Cerebral?

They promise that the intimate knowledge will help them “to better understand your interests and needs,” but it’s not clear whether that actually benefits you or not. They also mention “measuring the effectiveness of advertising and content we serve to you and others to deliver and customize relevant advertising and content to you” but that part definitely feels more like a benefiting-them thing.

Here’s where we can share a little silver lining on an otherwise gray matter: they say that they “do not ‘sell’ your personal information and have not done so in the prior 12 months from the effective date of this Policy.” So your data’s not for sale! Not exactly cause for celebration, but we’ll take it.

Now scurrying back to the bad news. It’s worth mentioning that they’ve given themselves carte blanche to do what they want with your information so long as it’s de-identified or “no longer reasonably capable of being associated with you.” And we’ve got a two-pronged beef with that. The first is, studies have found “anonymized data” can be hard to make truly anonymous. But even if it was, most people probably don’t mean to agree to be a guinea pig when they click “accept” on a single checkbox as they’re signing up to seek help. Indeed, Cerebral says in their privacy policy that once they anonymize the data they can use it "for any purpose, including for research and marketing purposes, and we may also share such information for any purpose with any third parties, at our discretion." Uh..yikes.

So what if you change your mind and want to take back ownership of all that super-intimate information you shared with Cerebral? Well, it’s not clear whether all users have the right to have their data deleted. Indeed, if you don't live under stricter privacy laws like California's CCPA, you might be out of luck trying to get your data deleted according to Cerebral's privacy policy.

In Cerebral’s case, it’s not too tough to imagine what could go wrong when you share your most sensitive personal information with them -- it already happened when they admitted they shared millions of their customers' personal information, including potentially some pretty sensitive mental health information, for their own marketing purposes without permission. Yup, that's bad.

Tips to protect yourself

- Do not give access to your photos and video
- Do not log in using third-party accounts
- Do not connect to any third party via the app, or at least make sure that a third party employs decent privacy practices
- Do not give consent for sharing of personal data for marketing and advertisement.
- Choose a strong password! You may use a password control tool like 1Password, KeePass, etc.
- Do not use social media plug-ins.
- Use your device privacy controls to limit access to your personal information via app (do not give access to your camera, microphone, images, location unless necessary)
- Keep your app regularly updated
- Limit ad tracking via your device (e.g. on iPhone go to Privacy -> Advertising -> Limit ad tracking) and biggest ad networks (for Google, go to Google account and turn off ad personalization)
- Request your data be deleted once you stop using the app. Simply deleting an app from your device usually does not erase your personal data.
- When starting a sign-up, do not agree to tracking of your data if possible.

  • mobile

Can it snoop on me?

Camera

Device: Not applicable

App: Yes

Microphone

Device: Not applicable

App: No

Tracks location

Device: Not applicable

App: Yes

What can be used to sign up?

Google sign-up available.

What data does the company collect?

How does the company use this data?

We ding this product as it may be combining collected data with data from third parties including advertisers.

"We may collect information about you if you use any of the other websites we operate or the other services we provide. We may collect information from public sources, advertisers, partners, and other third parties (such as third party intermediaries, including Providers and the Pharmacies). We may also collect information about you through a social media or other third-party account, such as Facebook or Google."

"We may use the information we collect in the following ways:
In accordance with applicable legal requirements, advertise and market our Services and those of our third-party partners to you, including on third-party websites (subject to any opt-out preferences you have communicated to us).
To personalize the Services, including engaging in analysis and research regarding use of the Services to better understand your interests and needs and measuring the effectiveness of advertising and content we serve to you and others to deliver and customize relevant advertising and content to you."

"Based on our understanding of the definition of “sell,” we do not “sell” your personal information and have not done so in the prior 12 months from the effective date of this Policy. "

"We have no control over how any third-party site uses or discloses the personal information it collects about you. We may combine information we receive from social media services and other sources with other information we collect from and about you."

"We may engage third parties to serve tailored advertisements for our Services on our behalf on third-party websites and applications. You have certain choices about how your information is used for this purpose."

How can you control your data?

It is not clear if all users regardless of location can get their data deleted.

"Depending on your jurisdiction of residence, you may have certain rights to access, delete, or correct your information. Your rights will be subject to applicable exceptions, and we will need to verify your identity before processing your request. If you would like to submit a request relating to your data, please email us at [email protected]."

"We keep your information for the time necessary for the purposes for which it is processed. The length of time for which we retain information depends on the purposes for which we collected and use it and your choices, after which time we may delete and/or aggregate it. We may also retain and use this information as necessary to comply with our legal obligations, as necessary for our legitimate business interests, to resolve disputes, and to enforce our agreements."

What is the company's known track record of protecting users' data?

Needs improvement

In 2023 Cerebral admitted to sharing the private personal health information of over 3.1 million patients to social media sites such as Facebook and TikTok.

Child privacy information

"Our Services are not directed to children under the age of eighteen (18) without parental consent. We do not knowingly collect information for individuals under the age of 18 (including, for children under the age of 13, “personal information” as defined in the U.S. Children’s Online Privacy Protection Act) without the verifiable consent of that child’s parent or guardian. If we learn that we have received any information for an individual under the age of 18, we process and delete that information as required by applicable law. If you are aware of a child providing personal information to us without parental consent, please contact us using the information below."

Can this product be used offline?

No

User-friendly privacy information?

No

Links to privacy information

Does this product meet our Minimum Security Standards?

Yes

Encryption

Yes

Strong password

Yes

Security updates

Yes

Manages vulnerabilities

Yes

"Cerebral utilizes a vulnerability management process that leverages external vendor services, and a suite of security scanning and penetration testing tools to identify, validate, and prioritize remediation. If a vulnerability requiring remediation has been identified, it is logged and prioritized based on its severity, likelihood of risk, and impact.

If an individual has concerns they can be raised via phone (415-403-2156), in the patient and client portal, or to the Privacy or the Compliance functions of the company at [email protected] or [email protected]."

Privacy policy

Yes

Does the product use artificial intelligence?

Yes

The company representative shared with us that "We use machine learning models in various areas of the product to improve patient outcomes from optimizing patient-clinician matching to identifying patients potentially in crisis. These models help the patient, clinician or our operations teams see the most relevant, actionable information in a timely manner. These models do not make any decisions for users and the internal models are not accessible or controlled by users."

Is this artificial intelligence untrustworthy?

Can't determine

What kind of decisions does the artificial intelligence make about you or for you?

Is the company transparent about how the artificial intelligence works?

Can't determine

Does the user have control over the artificial intelligence features?

Not applicable

*Privacy Not Included

Dive deeper

  • Notice of HIPAA Privacy Breach
    Cerebral
  • Cerebral admits to sharing patient data with Meta, TikTok, and Google
    The Verge
  • Telehealth startup Cerebral shared millions of patients’ data with advertisers
    TechCrunch
  • Mental health startup exposes the personal data of more than 3 million people
    CNN
  • ‘Shut it off immediately’: The health industry responds to data privacy crackdown
    Politico
  • Mental health app privacy language opens up holes for user data
    The Verge
