I was also pleased to see that "BetterHelp" earned the badge of shame. BetterHelp is just on this side of an outright scam. They contract with legitimate counselors and therapists and then cram their appointment books full of Zoom sessions. They claim that you can just send a quick text message to your "therapist" and get helped. But people aren't getting helped, they're just getting taken for a ride. This aggregation of gig-working counselors in an app is a really bad way to conduct this kind of business. It may work for a ride-hailing service, but not for mental health care. If you're thinking of using "BetterHelp" or one of its analogs, please instead consider doing your homework, finding a legitimate clinic or therapist who's licensed in your state, and do an intake directly with their practice. Many of them are now amenable to televideo appointments, and they will work with or without your insurance or on a sliding scale. There are really good therapists out there who don't need to be found on a janky app.
I got as far as the conversation with my "onboarding coach", the licensed therapist who was supposed to find me a "good match" - and it became apparent she was either a bot or attending so little to the conversation she was unable to recognize information from my earlier messages and apply it to later messages - it was like an automated customer support/service flow, but asking me highly personal questions about my mental health.
There's plenty of mediocre apps out there, but nothing has produced a simmering rage in me like the knowledge that BetterHelp exists and takes advantage of people who need help every day so their leadership and investors can try to get rich.
Billed by the month for exchanging a dozen or so messages with a fake therapist. If you're a company leader and get the opportunity to include BetterHelp in your benefits package - don't.
One very good choice in my area is Catholic Charities. They have licensed counselors as well as students under supervision, and they charge a mere $35 per session. This is a great choice for those who are uninsured or have trouble getting in somewhere.
My Christian health sharing ministry shared all costs for a Catholic therapist while I was seeing him. Since this is not a "health insurance" arrangement, I didn't need to worry about whether he was in-network or approved; he just submitted his bills to them. My health sharing ministry also has a service that "reprices" bills, i.e. renegotiates them based on market rates and lops off overcharges that commonly occur.
And yeah, "BetterHelp" has this illusion of availability, and that can be very alluring to people in distress, and that's a dangerous thing. If someone gets mixed up with gig-worker counselors, they may find themselves worse off than when they started. "Good things come to those who wait", as it were.
I'm not sure what the implication of this comment was, but hopefully it does not imply that "if my executive dysfunction prevents me from seeing a real professional then I'll press buttons on my phone and see a fake one instead", because that's a horrible life choice. Complete inaction would be significantly less harmful in a case like that.
What if I don't want a strong password? What if I have 0 care for my account because I never wanted an account to begin with but was strong-armed into giving away my email, phone number, and now need a unique password because I'm worried someone is going to see that I 'prayed' 100 times.
I loved that reddit didn't need an email, and I could use a generic password. If I lost my reddit account, no big deal at all. For my personal/PR reddit account, email and strong password, great.
The platform actually desires you to possess a robust password, given that hijacked accounts contribute to spam so heavily.
Many people often use the same "basic passwords" on multiple websites. If one of your temporary accounts gets hijacked all your other "temporary" (in quotes because some of them might actually be important) accounts, including older ones you might have forgotten about, could be exposed.
Essentially, there are hardly any valid grounds for any platform to permit the utilization of frail passwords, especially considering how effortless it is to create distinct passwords using a password manager nowadays.
One was just given: Users don't really care to create an account to begin with, so they provide throwaway email accounts and low security passwords. If the apps required longer, safer passwords, then they risk losing signups.
If I get a message complaining about my password being too weak, from a service I might not care that much about, then there's an increased risk that I opt to not create an account.
Apple's solution is actually pretty good, it allows me to quickly create an account to try out an app or service. If I don't like it, meeh, they only have the Apple login info and nothing else.
If I lose a password, what do I almost always have to do?
1. Email account recovery link.
2. Input auth code sent from text message or authenticator app. [Optional.]
3. Make new random password I'm going to forget or lose.
Why bother with this? If email is the reset mechanism why does the industry care so much about getting passwords from users?
1. Email sign-in link.
2. Input auth code. [Optional]
Every other part of this whole chain gets simpler. No more password strength checking code. No multiple auth paths. No issues with anything. Just a single email with at most two links, one for browser sign in, one for app sign in.
If you really, really, really need to you can add one or two QR codes so these hypothetical people that don't have email on their phone can sign into the app.
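The e-mail sign-in flow described above, as an added example that is not part of the original post: the server issues a time-limited, single-use token, mails it inside the link, and redeems it once. The secret key, the 15-minute lifetime and the in-memory "used nonce" set are assumptions for the demo (a real service would keep the key in a secret store and the nonces in a database).

```python
import base64
import hashlib
import hmac
import secrets

SECRET = secrets.token_bytes(32)   # per-deployment signing key (constructed for the demo)
TTL = 15 * 60                      # link lifetime in seconds (assumed)
_used_nonces = set()               # stand-in for a persistent "already redeemed" table


def issue_token(email, now):
    """Build the opaque token that goes into the sign-in link (browser or app URL)."""
    nonce = secrets.token_urlsafe(16)
    payload = f"{email}|{now + TTL}|{nonce}".encode()
    tag = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    # base64url never contains '.', so the tag can be split off unambiguously
    return base64.urlsafe_b64encode(payload).decode() + "." + tag


def redeem_token(token, now):
    """Return the e-mail address if the token is authentic, unexpired and unused, else None."""
    try:
        b64, tag = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64)
    except ValueError:                      # malformed token (includes binascii.Error)
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time check of the MAC
        return None
    # rsplit with maxsplit=2 keeps any '|' inside the e-mail address intact
    email, expiry, nonce = payload.decode().rsplit("|", 2)
    if now > int(expiry):                   # expired link
        return None
    if nonce in _used_nonces:               # link already clicked once
        return None
    _used_nonces.add(nonce)
    return email
```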
Because you may not have access to your e-mail from the device where you want to use that service.
For example, I don't need to have access to my e-mails from my tablet as I'm always reading/writing them on a computer with a keyboard. So I don't want to set up access to my e-mails from my tablet, as it reduces the risks of a bad app leaking them or leaking my credentials.
So, while I mostly agree overall, especially with respect to silly little things that aren't likely to hurt anyone, I do think there's a compelling case for password and 2factor.
As it stands, you have to know something and have something. Making it so you only need to have something is better than making it so they only know something.
However, that second factor seems like a good idea; though I will admit that it's probably unlikely that a thief would have the motivation to crack your phone to get your email; is this even easily achievable?
From the methodology:
> If the product uses passwords or other means of security for remote authentication, it must require that strong passwords are used, including having password strength requirements.
What are 'strength requirements'? Is minimum-length-of-X a strength requirement? Apparently not, since Abide failed for the following:
> Strong password: No. Allowed us to register with '11111111'. They require 8 characters minimum, but do not check if a password is strong.
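To make the distinction in this finding concrete, here is an added example (not from the report or the thread) contrasting a length-only check, which accepts '11111111', with a strength check that also rejects blocklisted passwords, repeated patterns and passwords with too few distinct characters. The small blocklist is constructed for the demo; a real deployment would load a large breach-derived list.

```python
MIN_LENGTH = 8
# Constructed stand-in for a real common-password blocklist.
COMMON_PASSWORDS = {"11111111", "12345678", "password", "qwertyui", "iloveyou"}


def length_only_check(pw):
    """The kind of check that lets '11111111' through: minimum length and nothing else."""
    return len(pw) >= MIN_LENGTH


def smallest_period(pw):
    """Length of the shortest substring whose repetition forms pw (len(pw) if none)."""
    n = len(pw)
    for k in range(1, n // 2 + 1):
        if n % k == 0 and pw[:k] * (n // k) == pw:
            return k
    return n


def strength_check(pw):
    """Return (accepted, reason). Each rejection names the rule that fired."""
    if len(pw) < MIN_LENGTH:
        return False, "too short"
    if pw.lower() in COMMON_PASSWORDS:
        return False, "common password"
    if smallest_period(pw) * 2 <= len(pw):      # e.g. '11111111', '12121212'
        return False, "repeated pattern"
    if len(set(pw)) < 4:                         # e.g. 'aaaaaaab'
        return False, "too few distinct characters"
    return True, "ok"
```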
----
I don't believe in the meme of l337speak pa55W0rd$. I think sufficiently long pass phrases are fine.
Therefore, a password like "EstablishedCousins" is significantly less secure than "bR^4outc0m3" despite containing more characters.
Edit: I actually mean dictionary attack, not rainbow tables, but my point still stands.
Edit 2: In fact, the password from the example ("11111111") appears in the 71st line of this password dictionary: https://raw.githubusercontent.com/duyet/bruteforce-database/...
Passwords are legally the only thing that can't be forced out of you, to make you log in to a computer system against your interests.
Passwords are the core foundation of keeping your internet life separate from your personal/private life. Biometric and hardware authentication make both your real life name/address/life history and your computer ID the same thing.
I didn't sign up for American globalism, and I don't want my iPhone's authentication systems to force me into being accountable to Twitter/Apple/Google credit score. If the Australian government forced this stuff on me and kept it within Australia, that's different.
IBM is moving to a "passwordless trend" on their server authentication, in favour of biometrics and iPhone auth. I bet my bottom dollar that will get spread everywhere in the universe, regardless of our protestations.
It's not agreeable. inb4 people say "it's always been that way/they could always do that". The last shred of internet-identity liberty is going to be dead in a New York minute.
Your religious identity, and your prayer life is going to get owned if you let go of passwords and ambiguous identities.
Not in the UK, since RIPA.
https://en.wikipedia.org/wiki/Regulation_of_Investigatory_Po...
It's been used:
Imagine Christianity is illegal. Imagine the government decides to prosecute you, but hires the weakest, most incompetent, repeatedly-almost-disbarred prosecutor there is. You meanwhile get access to David Boies. Would the government have enough evidence for even the worst prosecutor to prove you are a Christian?
Well, if not… it’s like Mozilla doesn’t realize that religious people don’t mind prayer being a fairly public act as long as people against them aren’t preying on them. Catholics have Mass every Sunday; Muslims have their five-times-daily prayers and often wear clothing that clearly identifies them as such; and so forth.
Obviously, you shouldn't be storing confessions in an app, but the principle is that privacy goes beyond the danger of persecution.
Okay, if Christianity is illegal you'd want your Christian apps to be secure.
If Christianity isn't illegal, you don't care.
You'd want privacy if you were using the Silk Road, but you are probably okay with your alarm clock app collecting the number of times you hit snooze. You'd also be okay if the US/Chinese government knew that you hit snooze.
BetterHelp isn’t free at all, it’s actually fairly expensive; so one could argue they should not need to phone in your data to so many third-parties.
I pay my therapist for their services, assuming there’s a high degree of confidentiality in our relationship. These apps, even paid ones, behave like any other app in terms of data sharing.
And not to mention that some of this information might be covered by HIPAA?
I submitted it on their form for review, but was a little surprised to see it missing from a “top” list.
Seeing this report makes me really want to build privacy-respecting apps in this space. Of all categories, using traditional monetization and data selling practices seems particularly bad here.
(Not affiliated in any way; just a happy customer hoping they aren’t abusing my data too badly…)
Ordinarily I feel much better about an app which has a clearly defined, above-board, method of funding itself. (The old "if you aren't paying for the product, you are the product" thing). But this is a good reminder that it is "if" not "if and only if".
This website is advertised by our PM to children.
I'm going to assume sharing an invite code would go badly, but if you want mine so you get a mini pet in the app, please email me at the address in my profile. The benefit I get is not monetary: if I get a few signups I get a mini pet myself.
Finch is one of the few self help apps that really seems to help me. I was slipping further into deep depression but Finch has helped me to have a few good days, and I've showered and changed my clothes every day for 2 weeks. I recommend it!
Privacy not included there also: that Mozilla website uses Google Fonts and Google Tag Manager, which are not GDPR compliant.
I personally have seen iPhones (or at least iPhone users) have far more intrusive and customized ads, to the point where saying a word in a home puts you at risk of getting physical mail related to that word. (It was dog food, and a dog food ad.)
I've come to the conclusion that privacy and security are mostly theater, and if I am being realistic, I need to assume everything I say/do is being recorded. I also treat my devices as compromised. Any thought that your device is private or secure is a delusion.
That said, there's certainly no harm in treating your device as compromised. I do the same. "Better safe than sorry."