Co-designing MESA-Bot: Enhancing Accessibility, Privacy, Security, and Trust in a Mental Health Chatbot for Older Adults
Aishwarya Umeshkumar Surani, Sanchari Das · 2026 · Proceedings of the 2026 CHI Conference on Human Factors in Computing Systems (CHI '26) · doi:10.1145/3772318.3790562
Summary
Surani and Das address the gap between accessibility design and privacy-and-security engineering in mental health chatbots for older adults, a population nearly a billion strong worldwide for whom cost, stigma, wait times, and digital-literacy barriers limit access to conventional mental-health care. The paper reports a two-phase study centred on MESA-Bot (Mental and Emotional Support Assistant for Older Adults), a non-diagnostic web chatbot co-designed with participants aged 60-75. Phase I combined a comparative review of ten leading commercial mental-health chatbots (Woebot, Wysa, Youper, Talkspace, Ginger, 7 Cups, Moodnotes, Moodkit, Pacifica, Joy App) with remote co-design sessions with 10 older adults, surfacing design themes (need for clear guidance, accessibility flexibility, data visibility, security expectations, user agency over data). These shaped a Flask-based prototype with revocable consent, role-based access control, pseudonymisation via SHA-256 hashed identifiers, a 48-hour transcript retention default, high-contrast Viridis-derived colour palette, large text, simplified dialogue flows, and optional two-factor authentication. Phase II evaluated the prototype with a separate group of 28 older adults via semi-structured interviews. Alongside the user study the authors conducted a technical validation using STRIDE threat modelling, OWASP ASVS v4.0.3 mapping, gray-box penetration testing (64 test cases), and generative red-teaming (35 adversarial prompts), making this one of the more unusually rigorous accessibility-research evaluations from a security perspective.
Key findings
86% of Phase II participants found MESA-Bot easy to use; 24/28 described the experience as positive, comfortable, engaging, or stress-free. Privacy and security features were not experienced as obstacles but as confidence-builders when surfaced transparently — revocable consent, role-based access control, anonymisation, and optional 2FA all increased trust rather than friction. Twenty-three of 28 participants said they were comfortable sharing at least some personal information; the minority who were uncomfortable cited uncertainty over who could access their data rather than the act of disclosure itself. Participants preferred predefined option buttons and structured prompts over free-form input for emotionally loaded decision points — a finding at odds with the conversational-first assumption of most commercial tools. On the technical side, the prototype passed 13/14 authentication, 12/12 access-control, 18/18 injection, 10/10 privacy-re-identification, and 9/10 logging-integrity test cases; generative red-teaming blocked 26/35 and safe-handled 6/35 adversarial prompts (91.4% safe-handling), with three leaks from jailbreak attempts that relaxed tone but never disclosed system internals or personal data. The comparative review showed that mainstream commercial chatbots implement few of the user-valued privacy controls (granular consent, data-retention explanations, accessible visibility controls) older adults prioritised.
Relevance
For practitioners building health-adjacent conversational tools, this paper is a concrete demonstration that privacy and security engineering can be made visible and legible to older adults without harming usability — a finding that pushes back on the common assumption that accessibility for aging populations requires stripping out protective mechanisms. Specific design takeaways that transfer to any sensitive digital service: foreground revocable consent with a persistent button, default to short retention windows with explicit opt-in for longer storage, surface role-based access control in plain language, offer but do not enforce MFA, and pair structured button prompts with free-text for sensitive disclosures. The paper also argues for chatbot-specific legislation to close the gap left by HIPAA, GDPR, and CCPA, which do not clearly assign ownership of chatbot-collected mental-health data or developer liability for AI-generated advice. Limitations include a prototype (not production) system, a text-first interface that excludes voice-preferring users, no clinical expert involvement, no longitudinal data, and a U.S.-centric regulatory framing that may not generalise.
Tags: older adults · mental health · chatbot · co-design · privacy · security · accessibility · trust · threat modeling · conversational agent
Standards referenced: HIPAA · GDPR · CCPA · OWASP ASVS · OWASP Top 10 · WCAG