Depression test scores vulnerable to third-party URLs
For thousands of New Zealanders who are feeling down and struggling with their mental health, an advertisement for depression.org.nz can be a lifeline of hope that they cling to on their journey to getting better.
Over the past decade, the ads starring Sir John Kirwan have been credited with helping to change the way New Zealanders talk about mental health, and making it easier to get help.
Users of the site are greeted by simple self-tests for depression and anxiety that help them decide their next move, such as calling a hotline or speaking with a professional.
But those test scores may have been exposed and shared with thirdparty URLs, according to a new report by Privacy International titled Your Mental Health For Sale.
The Health Promotion Agency (HPA), which operates depression. org.nz, said that any information that had been exposed would not have included names or email addresses.
Depression.org.nz automatically contacts 10 third-party services, including Google, as soon as a user accesses the website, with no option to block this, or to prevent the site using tracking cookies.
‘‘Since the website contacts 10 third-party services, this means that all of these receive test answers and the final test score,’’ the study said.
That’s because the answers and scores are included in the URL of the final page. While the questions themselves can’t be seen in the URL, they are easily available, and a high score would clearly indicate someone having a high likelihood of depression or anxiety.
The site also uses Hotjar, a ‘‘session replay script’’ that records everything a user types and clicks on a website, so that it can be played back later. There is no option for users to block this.
Depression.org.nz was one of just two out of 136 sites included in the study that used this technology.
Hotjar is used to create heatmaps that show which areas are clicked on the most, and track individual user IDs to make a recording of every tap, scroll and movement of the mouse.
Privacy International said thirdparty screen-tracking services like Hotjar were particularly intrusive, and could lead to users being identified if there was a breach or hack of a third-party company which held that information.
The study said that 70 per cent of the time tracking data was passed on to third parties, it was used for marketing purposes.
The HPA admitted that it used cookies and third-party software to collect information about how people used the website, but said this was ‘‘limited and non-identifiable’’.
‘‘The www.depression.org.nz website does not collect any personal data. Therefore, we do not and could not sell or share personal data. All user information collected on www.depression.org.nz is non-identifiable – no identifying information, e.g. names, email addresses etc are collected,’’ a spokesperson said.
Netsafe chief executive Martin Cocker said the HPA’s statement that it did not collect any personal data was an ‘‘oversimplification’’.
‘‘It depends on what you call personal data. It can become more personalised as part of becoming a bigger pot of information.’’
There wasn’t necessarily a suggestion that the HPA was profiting from passing on the data, but users of websites with sensitive content were likely to expect a higher degree of privacy, Cocker said.
Passing on information to third parties meant information could potentially be use to ‘‘target someone at their most vulnerable’’, he said.
It was ‘‘certainly not best practice’’ to do so, and the HPA could ‘‘100 per cent’’ provide higher security while still delivering its service.
Privacy Commissioner John Edwards said he hoped the HPA would take note of the study and review its third-party cookies.
The Privacy International study was based on the most-used mental health websites in Britain, France and Germany. Depression.org.nz was included because it ranked in the top search results for depression tests in Britain.
Under European law, websites must ask for consent before using cookies. The HPA said it did not do this, as it was not legally required in New Zealand.
The report recommended that mental health websites should protect users’ privacy by obtaining valid and informed consent from users, and limit third-party tracking to what was strictly necessary.
It also recommended that mental health test scores should not be stored at all.
‘‘We do not and could not sell or share personal data.’’
depression.org.nz