Reading Other People's Journals; Mood Tracking And Privacy

3rd June, 2020
Michael Forrest

I don’t see any way that anybody would ever trust a mood tracking app - a diary of one’s most intimate feelings, hopes and fears - without a robust and transparent approach to protecting your privacy.

Perils of The Cloud

It is ironic, then, that the first mood tracker I wrote ran on that “bastion of respect for its users’ privacy”, Facebook.

I would never have been so naive as to expose people’s diary entries to Facebook but still, as my mood tracker grew, I found myself with an online database containing the intimate thoughts of over 1,000 people, not all of whom were strangers.

I had a policy never to read the contents of people’s entries but once in a while I accidentally glimpsed something as I went about my business fixing bugs and answering support requests.

I had to make a conscious effort to uphold the trust of my users, and it would have been impossible for them to find out if I’d been doing the opposite by ravenously consuming their secrets.

“Observe Privacy Modes” (from “Upload (2020)” on Prime). I did the opposite of this.

Mobile Apps

I have felt much more comfortable about privacy since making the shift to mobile mood-tracking apps in 2011. Storing data locally on your device means I will never see your data unless you really want me to.

Why I Want Analytics As A Developer

When you make an app, it helps if you can see how people are using it, so that you can make it better. I had a problem with my mood tracking mobile apps because I had no idea how people were using them. It was great that people didn’t have to worry about me snooping but it also meant that the design stagnated due to my inability to learn from people’s behaviour.

Why Analytics are Scary

“Analytics” means the data that apps and websites record about your behaviour, usually without your direct knowledge. It is possible to set up an app so that every time you tap a link or type anything in, this information is immediately sent to a giant, usually Google-owned, database of activities. It is then possible for the app developer to dig into all of this data, segmenting by your location and other personal information that may have been gathered. It would be possible to set up a mood tracking app so that it sends everything you’ve tapped on or typed in, connects that with your name, age, location, ethnicity and anything else you might have shared, observes everything you’ve ever done, and links your behaviour across multiple apps and websites.

Cookie Warnings and GDPR were introduced to fight the most pernicious types of tracking and analytics but it still ultimately comes down to how much you trust the developers of the apps and websites you use the most.

A Respectful and Transparent Approach to Privacy

For Changes I decided I would need to figure out a way to gather some analytics without sacrificing privacy. There are two sides to this:

  1. The Privacy Policy
  2. The Technical Implementation

1. The Privacy Policy

The more thoughts and concepts a privacy policy contains, the more likely it is to contain sneaky loopholes. That’s why I wanted mine to be short and written in plain English.

Here’s what I ended up with for the Changes Privacy Policy.

Your data will only ever be used anonymously, and with your permission

The text of your diary entries will never leave your device

We will never receive any data that you have marked 'Sensitive'

If you let us, we use analytics so we can figure out how to improve this app.

We use Apple platform features to protect and synchronise your data between devices. This happens automatically if you are using iCloud.

We understand that to get the most out of this app, you need to be able to trust that your data is protected, and we will always be mindful of this fact.

Don't forget that usually when an app is free, it means that YOU are the product. We'd rather charge money for new features than sell your data.

I decided never to share the text of any entries rather than come up with criteria that might have been more complex. I also made all analytics opt-in so that I would never receive anything without explicit permission.

Aside: “Sensitive” Data

I found that I didn’t have a big problem with anybody seeing most of what I’d written in my mood tracker. But because sensitive data was peppered throughout my entries it was always a little dangerous even to show anybody my phone’s screen when I was talking about my app, just in case I’d had a difficult episode recently.

For Changes I added the ability to mark entries and hashtags as “sensitive”. These entries and tags are then blurred out unless you use Face ID to unlock them.

Showing a blurred out entry. A sensitive hashtag (#W…).

This solves multiple problems:

  1. Now I can show off the app without worrying too much about exposing my darkest thoughts
  2. I can scroll through my history without accidentally getting bummed out by an old entry
  3. I can export data from the app with or without the most sensitive entries for analysis or to share some other way
  4. I can use this “sensitive” flag to create a transparent analytics policy

2. The Technical Implementation

When you first use Changes you will be greeted by a bot who will first ask for permission to send notifications, and who will then explain this privacy policy.
As part of this, you will see a screen detailing every single piece of data that can be tracked in your usage of the app.

The “Tracking Details” screen is not just a static document that could become inaccurate as different tracking is added to the app; it is generated automatically from the tracking code itself.

I have made it impossible, on a technical level, to add new tracking without this screen getting updated automatically. Here’s how that looks in code:

All tracking is funnelled through a predefined set of possible events that can be listed out and displayed via the Settings screen so that there’s never any doubt about what is being tracked.
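The following is an added illustration of that funnel, written in Python rather than the app’s own code (which the post does not reproduce), and it also covers the policy points above: the only events that can ever be sent are members of one enum, the Tracking Details list is generated from that enum, nothing is sent unless the user has opted in, anything touching an entry marked sensitive is dropped, and a payload may carry numbers only, so entry text cannot leave the device. The event names, descriptions, payload shape and export format are assumptions made for the example.

```python
"""Closed set of analytics events with opt-in gating and a 'sensitive' filter.

Added illustration, not the Changes app's own code. Event names, descriptions
and the payload shape are constructed for the example.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from enum import Enum


class TrackedEvent(Enum):
    """Every event the app can ever send. The value is the human-readable
    description shown on the Tracking Details screen, so adding an event here
    is the only way to add tracking, and the screen updates by itself."""
    APP_OPENED = "The app was opened"
    ENTRY_SAVED = "A diary entry was saved (mood score only, never the text)"
    TAG_ADDED = "A hashtag was added to an entry (count only, never the tag)"
    EXPORT_RUN = "Data was exported"


def tracking_details() -> list[str]:
    """Lines for the Tracking Details screen, generated from the enum itself."""
    return [f"{e.name}: {e.value}" for e in TrackedEvent]


@dataclass
class Entry:
    text: str
    mood: int
    sensitive: bool = False
    tags: list[str] = field(default_factory=list)


@dataclass
class Analytics:
    """Funnel for all outgoing analytics. Anything not expressed as a
    TrackedEvent cannot be sent, because track() accepts nothing else."""
    opted_in: bool = False
    sent: list[dict] = field(default_factory=list)  # stand-in for the network

    def track(self, event: TrackedEvent, entry: Entry | None = None, **metadata: int) -> bool:
        """Record an event. Returns True if a payload was sent, False if a
        privacy rule dropped it."""
        if not isinstance(event, TrackedEvent):
            raise TypeError("only predefined TrackedEvent values can be tracked")
        if not self.opted_in:                        # nothing leaves without permission
            return False
        if entry is not None and entry.sensitive:    # never anything marked 'Sensitive'
            return False
        for value in metadata.values():              # numbers only, no free text
            if not isinstance(value, int):
                raise TypeError("metadata must be numeric; entry text never leaves the device")
        self.sent.append({"event": event.name, **metadata})
        return True

    def entry_saved(self, entry: Entry) -> bool:
        """Reports the mood score and the number of tags, never text or tags."""
        return self.track(TrackedEvent.ENTRY_SAVED, entry, mood=entry.mood, tag_count=len(entry.tags))


def export_entries(entries: list[Entry], include_sensitive: bool) -> str:
    """Local export (stays on the device) with or without sensitive entries."""
    chosen = [e for e in entries if include_sensitive or not e.sensitive]
    return json.dumps([{"text": e.text, "mood": e.mood, "tags": e.tags} for e in chosen])


if __name__ == "__main__":
    # What the Settings screen would list, straight from the enum.
    print("\n".join(tracking_details()))
    analytics = Analytics(opted_in=True)
    analytics.entry_saved(Entry("Rough night, couldn't sleep", 3, sensitive=True))
    analytics.entry_saved(Entry("Long walk, felt calm", 8, tags=["#walk"]))
    print(analytics.sent)  # only the non-sensitive entry, and only numbers
```

Because `track()` takes the enum type and numeric metadata only, a developer who wants to send something new has to add an enum member, and the Settings screen picks it up without any further change; there is no second place where the list could drift out of date.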

The Good News About Analytics

You don’t have to take my word for it.

It’s possible to route your phone’s traffic through a “Web Debugging Proxy Application” and observe every single piece of information that is being shared about you.

Charles is a popular tool that you can set up to do just that. You could proxy your phone through this tool and make sure that no app is sharing any data about you that it shouldn’t.
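As an added example (not from the original post) of the kind of check a proxy capture makes possible: given request bodies exported from the proxy and the entries stored on the phone, flag any request whose body carries a fragment of diary text, and any JSON field that is not on the app’s declared Tracking Details list. The URLs, request bodies, diary entries and the allowed field names below are constructed placeholders.

```python
"""Audit captured outbound requests for leaked diary text and undeclared fields.

Added example, not from the original post. The captures are constructed here
as (url, body) dicts of the kind you could export from a web debugging proxy;
the URLs, bodies and entries are placeholders, not real endpoints or data.
"""
from __future__ import annotations

import json
from typing import Iterable

# Constructed sample of what a proxy might show for three requests.
CAPTURED_REQUESTS = [
    {"url": "https://analytics.example/collect",
     "body": json.dumps({"event": "ENTRY_SAVED", "mood": 3, "tag_count": 2})},
    {"url": "https://analytics.example/collect",
     "body": json.dumps({"event": "APP_OPENED"})},
    # A request a privacy-respecting app must never make: it carries entry text.
    {"url": "https://analytics.example/collect",
     "body": json.dumps({"event": "ENTRY_SAVED", "note": "Panic attack on the train again"})},
]

# Constructed sample of the entries stored locally on the device.
LOCAL_ENTRIES = [
    "Panic attack on the train again",
    "Walked the dog, felt okay",
]


def _strings_in(obj) -> Iterable[str]:
    """Yield every string value nested anywhere in a decoded JSON object."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for value in obj.values():
            yield from _strings_in(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from _strings_in(value)


def _longest_common_fragment(a: str, b: str) -> str:
    """Longest common substring of a and b (classic dynamic programming)."""
    best, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best:
                    best, best_end = cur[j], i
        prev = cur
    return a[best_end - best:best_end]


def _decode_body(req: dict):
    """Decode a JSON body; fall back to the raw string if it is not JSON."""
    try:
        return json.loads(req["body"])
    except (json.JSONDecodeError, KeyError):
        return req.get("body", "")


def find_text_leaks(requests: list[dict], local_entries: list[str], min_len: int = 12) -> list[tuple[str, str]]:
    """Return (url, leaked fragment) for every request whose body contains at
    least min_len consecutive characters of a local diary entry. Substring
    matching catches partial copies, not only whole entries."""
    leaks = []
    for req in requests:
        for sent_string in _strings_in(_decode_body(req)):
            for entry in local_entries:
                fragment = _longest_common_fragment(sent_string, entry)
                if len(fragment) >= min_len:
                    leaks.append((req["url"], fragment))
                    break
    return leaks


def unexpected_keys(requests: list[dict], allowed: Iterable[str]) -> list[tuple[str, list[str]]]:
    """Return (url, extra keys) for requests whose JSON body has top-level
    fields outside the set the app declares on its Tracking Details screen."""
    allowed = set(allowed)
    out = []
    for req in requests:
        body = _decode_body(req)
        if isinstance(body, dict):
            extra = sorted(set(body) - allowed)
            if extra:
                out.append((req["url"], extra))
    return out


if __name__ == "__main__":
    print("text leaks:", find_text_leaks(CAPTURED_REQUESTS, LOCAL_ENTRIES))
    print("undeclared fields:", unexpected_keys(CAPTURED_REQUESTS, {"event", "mood", "tag_count"}))
```

The two checks are complementary: the first catches diary text wherever it appears in a body, even inside a field with an innocent name, while the second catches fields the Tracking Details screen never mentioned, whatever they contain.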

If you don’t want to do this for yourself, it’s still nice to know that somebody could, and that if they found any dishonest behaviour they would probably raise the alarm in a blog post or on Twitter.

In Conclusion

I want you to be confident in your privacy so you can open up to Changes without worrying about me or anybody else looking over your shoulder, either over the internet or in real life.
