3rd June, 2020 Michael Forrest
I don’t see any way that anybody would ever trust a mood tracking app - a diary of one’s most intimate feelings, hopes and fears - without a robust and transparent approach to protecting your privacy.
It is ironic, then, that the first mood tracker I wrote ran on that “bastion of respect for its users’ privacy”, Facebook.
I would never have been so naive as to expose people’s diary entries to Facebook but still, as my mood tracker grew, I found myself with an online database containing the intimate thoughts of over 1,000 people, not all of whom were strangers.
I had a policy never to read the contents of people’s entries but once in a while I accidentally glimpsed something as I went about my business fixing bugs and answering support requests.
I had to make a conscious effort to uphold the trust of my users, and it would have been impossible for them to find out if I’d been doing the opposite by ravenously consuming their secrets.
I have felt much more comfortable about privacy since making the shift to mobile mood-tracking apps in 2011. Storing data locally on your device means I will never see your data unless you really want me to.
When you make an app, it helps if you can see how people are using it, so that you can make it better. I had a problem with my mood tracking mobile apps because I had no idea how people were using them. It was great that people didn’t have to worry about me snooping but it also meant that the design stagnated due to my inability to learn from people’s behaviour.
“Analytics” means the data that apps and websites record about your behaviour, usually without your direct knowledge. It is possible to set up an app so that every time you tap a link or type anything in, this information is immediately sent to a giant, usually Google-owned, database of activities. The app developer can then dig into all of this data, segmenting by your location and other personal information that may have been gathered. A mood tracking app could be built so that it sends everything you’ve tapped on or typed in, connects that with your name, age, location, ethnicity and anything else you might have shared, observes everything you’ve ever done, and links your behaviour across multiple apps and websites.
Cookie Warnings and GDPR were introduced to fight the most pernicious types of tracking and analytics but it still ultimately comes down to how much you trust the developers of the apps and websites you use the most.
For Changes I decided I would need to figure out a way to gather some analytics without sacrificing privacy. There are two sides to this:
Your data will only ever be used anonymously, and with your permission
The text of your diary entries will never leave your device
We will never receive any data that you have marked 'Sensitive'
If you let us, we use analytics so we can figure out how to improve this app.
We use Apple platform features to protect and synchronise your data between devices. This happens automatically if you are using iCloud.
We understand that to get the most out of this app, you need to be able to trust that your data is protected, and we will always be mindful of this fact.
Don't forget that usually when an app is free, it means that YOU are the product. We'd rather charge money for new features than sell your data.
I decided never to share the text of any entries rather than come up with criteria that might have been more complex. I also made all analytics opt-in so that I would never receive anything without explicit permission.
I found that I didn’t have a big problem with anybody seeing most of what I’d written in my mood tracker. But because sensitive data was peppered throughout my entries it was always a little dangerous even to show anybody my phone’s screen when I was talking about my app, just in case I’d had a difficult episode recently.
For Changes I added the ability to mark entries and hashtags as “sensitive”. These entries and tags are then blurred out unless you use Face ID to unlock them.
This solves multiple problems:
The “Tracking Details” screen is not a static document that could become inaccurate as different tracking is added to the app; it is generated automatically from the tracking code itself.
I have made it impossible, on a technical level, to add new tracking without this screen getting updated automatically. Here’s how that looks in code:
All tracking is funnelled through a predefined set of possible events that can be listed out and displayed via the Settings screen so that there’s never any doubt about what is being tracked.
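As an added illustration of that pattern (not the Changes app’s own code, which this page does not reproduce; the event names, their descriptions and the Analytics class are assumptions): the only way to send anything is through a single enum of events, and the Tracking Details text is generated from that same enum, so an event that is not on the screen cannot be sent.

```swift
// Added example, not the Changes app's own code. The enum is the single list of
// events analytics can send; the Tracking Details screen is generated from it.
// Event names, descriptions and the Analytics class are assumptions for illustration.
enum TrackingEvent: String, CaseIterable {
    case appOpened, entrySaved, tagMarkedSensitive, reminderEnabled

    /// Plain-language line shown on the Tracking Details screen for this event.
    var whatIsSent: String {
        switch self {
        case .appOpened: return "That the app was opened"
        case .entrySaved: return "That an entry was saved and its mood score (never its text)"
        case .tagMarkedSensitive: return "That a tag was marked sensitive (not which one)"
        case .reminderEnabled: return "That reminders were switched on"
        }
    }
}

/// Only numbers and booleans can travel with an event: free text is unrepresentable.
enum TrackingValue { case number(Double), flag(Bool) }

final class Analytics {
    var optedIn = false                      // analytics is off until the user says yes
    private(set) var outbox: [(TrackingEvent, [String: TrackingValue])] = []

    /// The single entry point for tracking. A new event can only be added by
    /// extending TrackingEvent, which also puts it on the Tracking Details screen.
    func track(_ event: TrackingEvent, _ params: [String: TrackingValue] = [:],
               entryIsSensitive: Bool = false) {
        // Nothing leaves the device without opt-in, and nothing marked sensitive ever does.
        guard optedIn, !entryIsSensitive else { return }
        outbox.append((event, params))
    }

    /// Generated text for the Settings screen, so it can never drift from the code.
    static func trackingDetails() -> [String] {
        TrackingEvent.allCases.map { "\($0.rawValue): \($0.whatIsSent)" }
    }
}

let analytics = Analytics()
analytics.track(.entrySaved, ["mood": .number(7)])                          // dropped: not opted in
analytics.optedIn = true
analytics.track(.entrySaved, ["mood": .number(3)], entryIsSensitive: true)  // dropped: sensitive
analytics.track(.entrySaved, ["mood": .number(7), "hasTags": .flag(true)])  // queued for sending
print(analytics.outbox.count)
print(Analytics.trackingDetails().joined(separator: "\n"))
```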
You don’t have to take my word for it.
It’s possible to route your phone’s traffic through a web debugging proxy application and observe every single piece of information that is being shared about you.
Charles is a popular tool that you can set up to do just that. You could proxy your phone through this tool and make sure that no app is sharing any data about you that it shouldn’t. To see inside HTTPS traffic rather than just the hostnames, you also need to install and trust the proxy’s root certificate on the phone.
If you don’t want to do this for yourself, it’s still nice to know that somebody could, and that if they found any dishonest behaviour they would probably raise the alarm in a blog post or on Twitter.
I want you to be confident in your privacy so you can open up to Changes without worrying about me or anybody else looking over your shoulder, either over the internet or in real life.
Sign up for my newsletter to get weekly tips on mood tracking, happiness data analysis and forming better habits.
I will send you a copy of my eBook about mood tracking.