> the once-responsive Oura has not yet replied to any of my inquiries, or committed to releasing the numbers
Illinois has a tight biometric-privacy law [1]. I’d bet Oura isn’t particularly careful about prohibiting e.g. a Texas police department querying the protected information of Illinois residents.
"In my previous blog, I revealed that Oura data is not end-to-end encrypted. That means that an Oura user's health data can be unscrambled at certain points as it travels from a person's ring, through their phone app, over the internet, and as it lands on Oura's servers."
Very strange -- it seems to be conflating end-to-end encryption with encryption-in-transit.
munchler 1 hours ago [-]
My understanding is that E2E encryption implies encryption in transit. The message is encrypted at the source and only decrypted at the destination, so it is encrypted everywhere in between.
blueg3 22 minutes ago [-]
The term has kind of degraded, because people started marketing that "end-to-end encryption" is the "right" answer.
Encryption in transit means that network intermediates can't read the data. The two endpoints of the network communication can.
E2E encryption is more context-sensitive, and its context mostly comes from messaging. It means that the data is encrypted and that operational intermediates cannot read it. So in the context of messaging, the servers that run the messaging system cannot read the messages. Or, for an email, only the sender and recipient, not any of the intermediate email servers.
There's a big difference -- you can't really control or predict your network intermediates, but you can in theory know the operational intermediates. Whether something is E2E encrypted often depends on what intermediates you bring in to scope.
For example:
> That means that an Oura user's health data can be unscrambled at certain points as it travels from a person's ring, through their phone app, over the internet, and as it lands on Oura's servers.
If the ring uses Bluetooth to sync the data to your phone and the phone syncs data to the Oura servers, but the data is in the clear on your phone, then by this definition, it is not E2E encrypted. However, that's a pretty reasonable setup, depending on how the data on the phone is stored.
lloeki 10 minutes ago [-]
> If the ring uses Bluetooth to sync the data to your phone and the phone syncs data to the Oura servers, but the data is in the clear on your phone, then by this definition, it is not E2E encrypted.
Yet another angle would be that both the phone and the ring are in one's material possession, whereas the cloud is someone else's computer, and to display a nice web UI it has to have the data unencrypted over there.
In that case, the cloud is the potentially untrusted intermediate between the data and one's eyeballs.
All of these are equally valid, it all depends on what is your threat model.
iLoveOncall 1 hours ago [-]
You are conflating end-to-end encryption with encryption at rest.
close04 10 minutes ago [-]
Not very strange but E2EE is thrown around a lot and everyone interprets it differently. And in some cases the expectations are unrealistic.
Take a messenger app using a server as middleman. E2EE means only the 2 users get to see the content, not the middleman company server. For Oura there’s only a user and the company server and a lot of people assume Oura can’t read the data, like the Signal or WhatsApp servers can’t read the data because of E2EE. The marketing usually allows or encourages this misunderstanding.
If they claim E2EE though, the interface between the user and the service (the ring or at worst the app) should mandate the encryption and the data should be decrypted only at the other end on Oura’s servers. If at any point in between these 2 ends the data is decrypted then it’s not E2EE.
ggm 3 hours ago [-]
It also doesn't sound like its encrypted at rest. Perhaps each in-transit is held to be a unique e2e IP exchange?
juggle-anyhow 2 hours ago [-]
Encrypted at rest means something different. It means if you pull the hard drive out no one can decrypt it. Not that it is encrypted in the database.
stavros 39 minutes ago [-]
Does encryption at rest actually do much? The percentage of attacks that were perpetrated by people getting physical access to a drive must approach zero.
alternatex 12 minutes ago [-]
I think it's also meant to protect from potential mistakes in handling of hard disk decommissioning which presumably is a common thing with data centers.
nicce 33 minutes ago [-]
Depends on what kind of data is in question. Backups and old incremential data can stay encrypted while disks are otherwise in use.
stavros 32 minutes ago [-]
Hm yeah, I always think of encryption at rest as "the drive handles encryption itself", rather than "we encrypted these archives before we wrote them", but fair enough.
literalAardvark 5 minutes ago [-]
Not necessarily the drive, but yeah, where standards mandate encryption at rest you need to have the files on the live disk encrypted.
Usually it's much less of a headache to luks/bitlocker/SED the whole drive so that you don't have to worry about swap files and logs
focusgroup0 2 hours ago [-]
guy who pays $6/month to be monitored by the f3ds
MassPikeMike 2 hours ago [-]
Judging by ads for cell phone service, most people pay more than that per month to be monitored by the Feds.
Cider9986 1 hours ago [-]
Cell phone services don't record your heart rate.
mathgeek 2 hours ago [-]
Judging by various leaks over the years, you get it for free anyway.
amarant 1 hours ago [-]
What will the government even do with my heart rate and blood oxygen data?
"Mr Smith has been running again, we better bring him in for questioning!"
Edit: to be clear, the government is requesting the data, so clearly they're doing something with it... But what? I don't see it!
jubilanti 1 hours ago [-]
Target infamously was inferring when teenage girls were pregnant before their parents knew based on reward card data records of single merchant retail purchases.... in 2002.
Tech companies when they speak to VCs: look at all the creepy things we can infer with ooodles of aggregated data and AI to maximize targeted ad revenue, we're worth 50x what an equivalent non-tech company in our sector is valued, because of all the things we can do with all that data from all those people together
Tech companies when they speak to their customers: oh you're so silly to even ask about privacy, what possible utility could there be in that single isolated variable?
nkrisc 14 minutes ago [-]
Accidentally inferring. They were using basic machine learning to send coupons for predicted future purchases based on past purchases and general trends. And as far as I’m aware, it only happened once (or was only publicized once).
xboxnolifes 16 minutes ago [-]
Buys your heart rate and blood oxygen data from Oura. Collects your iris data from Eyez. Purchases your fitness data from Borg. Sees your purchasing patterns through Krump. Knows everything you've said online through Gwimp. Gets your sequenced DNA from FamaTree. Tracks your location data from, well, nearly every app in existance.
What could they possibly do from this single variable???
ratdragon 34 minutes ago [-]
Ordering a taxi after running outside of US? Probably missed some mass transport. Raise the price boys... like good old Uber back in the day based on iphone battery level. Really the possibilities are endless if you're evil.
Bad health? Raise the insurance premiums? Or anything more evil I can't think of.
edit: grammar
amarant 31 minutes ago [-]
None of those things sounds like stuff the government would have a hand in, unless you live in some communist country where the taxis are state-owned?
none2585 1 hours ago [-]
Also if you're a woman biological signals can be used to know when you are on your cycle and thus missed it.
drfloyd51 1 hours ago [-]
He was running at the same time our cops were chasing people. Bring him in.
jonners00 1 hours ago [-]
No one seems to care anymore, but a big issue that people were concerned about in the 2000s was the switch from 'I know more about me than the blob (corps, gov, etc) does' to, 'I need the blob to remind me where the hell I was that day'. Heart rate and blood oxygen data are hard to exploit data points but not impossible(1), but facing an accusation from someone who knows more about your movements than you do is an uncomfortable scenario. Of course right now, if you're facing an acusation of this type, odds are it's legitimate, or if not, defenseable, but that was the case 15 years ago in Türkiye, but isn't now. Things change.
(Note 1:"Dr. Bootlicker, the defendant wants the court to believe that she calmly placed herself between the agent and the minor he was trying to apprehend, and asserts that the agent's claim, that the defendant's actions constitute assault, is, in her words, 'ridiculous'. But am I correct in understanding that you view minutes 8 and 9 of the biometric data submitted to the court as characteristic of significant physical exertion that might be similar to that undergone by an assailant while commiting an assault?")
AmblingAvocado 1 hours ago [-]
They used iPhone pick up and orientation data to build a narrative in the trial of Alex Murdaugh, so I imagine something similar.
Forge36 1 hours ago [-]
Location and time
1 hours ago [-]
jubilanti 1 hours ago [-]
You're on Hacker News, think like a hacker - in both meanings of the term - for what could possibly go wrong.
amarant 42 minutes ago [-]
I did, and came up blank... Any pointers?
BenFranklin100 45 minutes ago [-]
I considered an Oura but went with an Apple watch instead. I turned on Advanced Data Protection on the paired iPhone for peace of mind. No other large data providers really provide anything equivalent to ADP’s E2EE protection with zero access encryption, especially in the consumer space for activity trackers.
nextos 15 minutes ago [-]
Garmin can be used completely offline?
AFAIK, they even have some watches with no radio hardware so that they can be used in sensible environments.
allthetime 3 minutes ago [-]
Yup. It’s a bit of a pain, but you don’t have to use the connect app. Devices and data can be accessed with direct USB connection as standard storage. You will lose some features and I think firmware updates become difficult (or impossible?)
kator 1 hours ago [-]
All this said I'm more concerned about Automatic Content Recognition (ACR) on smartTV you buy in the store and never even realize it's phoning home with everything you watch...
JumpCrisscross 1 hours ago [-]
> I'm more concerned about Automatic Content Recognition (ACR) on smartTV
You’re more concerned about privacy when it comes to TV viewing than medical data? What a strange hijacking of a serious thread…
mcmcmc 1 hours ago [-]
When you buy a medical data collection device and it collects medical data that’s not exactly a surprise
drfloyd51 1 hours ago [-]
Whataboutism in fancy clothes.
guilamu 1 hours ago [-]
If you're concerned about that do not give internet to your tv and use any kind of tv box instead (shield tv, apple tv, etc).
Shadowmist 1 hours ago [-]
How long until they have built in cellular or use a mesh?
bentcorner 35 minutes ago [-]
I'm certain there are a non-zero number of TVs that either attempt to auto-join popular wifi hotspots (xfinity/tmobile/starbucks/etc.) and/or have cellular connections for telemetry.
Thinking more on this I think a business opportunity in the future will be companies that design hardware stacks that can go in random appliances that can gather usage information in the name of telemetry.
I give it +/- 5 years before an OTS coffee maker at walmart phones home.
So that TV box can phone home instead of your smart TV? What's the point?
antiframe 28 minutes ago [-]
Use a TV box that doesn't phone home, obviously. Also, don't buy a smart TV but a monitor.
drfloyd51 1 hours ago [-]
Different homes are being phoned. If that matters.
akersten 2 hours ago [-]
IPOing soon at $11B btw
shevy-java 1 hours ago [-]
We can not trust any government here.
throwawa1 1 hours ago [-]
Another reason to add to my list to justify not wearing my Apple watch and moved to a mechanical watch.
ck2 2 hours ago [-]
Oura doesn't even have GPS does it?
Government can already get ALL your celltower locations without a warrant
AND read all your emails and text messages that are over 6 months old, without a warrant
arusahni 2 hours ago [-]
In a society where women are being prosecuted for medical procedures, menstrual data becomes very risky to have handed over.
kevin_thibedeau 58 minutes ago [-]
I sat in a meeting at a data broker in 1998 where one of their product managers was strangely proud about how they could determine menstrual cycles from purchase records. It wasn't just hygiene products either. They already have that data and manipulate women with targeted ads timed for the optimal receptivity.
michelb 2 hours ago [-]
Probably this yeah. Your location data can be obtained from other devices than your own, but this medical data cannot.
ethersteeds 26 minutes ago [-]
The ring doesn't have gps but its app requires location permission so it gets it from your phone. It continually asks me to turn on background sync, which would presumably upload my location regularly as well. I decline and only allow location when the app is open to sync.
speff 1 hours ago [-]
From what I understand, they can get call records and subscription info w/ administrative subpoenas, but this is the first I've heard of them being able to get location data without a warrant.
Assuming you meant directly from the telcos and not from the data broker loopholes - in which case pretty much anyone should be able to do that. Emails and texts they still need a warrant for.
n8m8 51 minutes ago [-]
Great, so they can further extrapolate what exact locations you get nervous / are more relaxed / walk more quickly… the understated problem with PII isn’t about any single data point, it’s about combining data to make probable inferences.
basisword 3 hours ago [-]
This is why although I don't love my Apple Watch, I'm not using anything else. It's very sensitive data and Apple is the only company worth trusting with it. They're not perfect but compared to others there's no competition.
mmh0000 2 hours ago [-]
You may want to reevaluate.
Apple has a great PR (propaganda) department that has convinced many people they respect your privacy. In truth, they do not. They're "better" than Google, but only slightly. And only so slightly that realistically it doesn't matter.
"Apple is taking the unprecedented step of removing its highest level data security tool from customers in the UK, after the government demanded access to user data."
Did you just post an article where Apple refused a UK government order to weaken their encryption as "proof" that Apple doesn't respect customer privacy?
Also, the US Government has already demanded that Apple weaken device encryption.
Apple fought it in court, and the government dropped their demand rather than set a privacy precedent they wanted to avoid.
add-sub-mul-div 1 hours ago [-]
It's brilliant how they've laundered their "privacy" reputation through Google etc. and people believe it so fully.
GeekyBear 2 hours ago [-]
A great example is Apple's new in-house cellular modem design, which gives you the option to stop reporting your exact location to your cellular provider.
The best way to prevent the Feds from getting access to customer data is to not collect it in the first place.
jeroenhd 2 hours ago [-]
Google's Health Connect system doesn't share this data either (without a consent prompt for third party apps, off course). This is to the point where I wish it would just support some kind of sync, because two devices hooked up to the same accounts need a third party app to transfer the health info.
Apple is subject to the same laws Oura is. The competition is too.
jjice 2 hours ago [-]
I believe the Apple one is E2E encrypted so they physically can't give useful data. Thats the core issue with Oura here.
SoftTalker 2 hours ago [-]
Apple might be pretty good now. There's no assurance they always will be.
haritha-j 2 hours ago [-]
Yeah there's no one I'd trust with my personal data except Apple. Their track record of refusing to bow down to the feds has been golden. 24 carat infact.
echelon 2 hours ago [-]
In the US. Apple's policies are flexible when it comes to other nation states.
All it takes is a political sea change for E2EE to go away.
Apple already has to hand over a wealth of information when asked by the feds.
GeekyBear 2 hours ago [-]
Apple literally removed encrypted file storage as a feature in the UK rather than comply with demands for access to encrypted customer data from the UK government.
Previously, they refused US government demands for a backdoor that would allow them to unlock locked devices.
pepperoni_pizza 8 minutes ago [-]
> Apple literally removed encrypted file storage as a feature in the UK rather than comply with demands for access to encrypted customer data from the UK government.
Does that mean that instead of UK government accessing the data (through a backdoor), UK government can now access to data (because it's not encrypted at all)?
samatman 1 hours ago [-]
"Things might change in the future" is a perfectly general statement which applies to any state of affairs which is not restricted by natural law.
That makes it very nearly meaningless.
echelon 49 minutes ago [-]
Maybe, weren't it for the fact that we're having age verification and IDV ("protect the kids"), hardware attestation, removal of 3rd party APKs, etc. heaved upon us.
We've never had so many threats to our privacy and liberties heaved upon us, and the rate is accelerating.
johnnyApplePRNG 2 hours ago [-]
OURA is a joke. My GF bought two for us and after a week I made her return them due to non stop dark patterns coming out of that company.
Everything about that company is disgusting.
Such a shame, too. I was eager to learn more about my health.
Forge36 57 minutes ago [-]
Can you elaborate?
mystraline 3 hours ago [-]
I was definitely interested in some sort of comprehensive sensor bundle for my healthcare.
But every one of these devices demands some Android/Apple app, and shipping all my health data to basically non-HIPAA data brokers.
Id be all over a local-only no-data-exfiltration health tracker. But the companies do NOT want to provide that.
I, uh, guess, "go surveillance capitalism", for more choices?
duskdozer 2 hours ago [-]
If your concern is that the government may access the data, whether it's covered by HIPAA or not is irrelevant, because HIPAA allows government access. Though yes, it would still be better than non-HIPAA in general.
permutations 2 hours ago [-]
I will once again proselytize for the new pebble time 2 (I am quite a fan of it). Open source and comes with standard sensors for health monitoring (6 axis imu, heart rate monitor, SpO2). Health data can be kept and analyzed on your phone and there are various apps that can do so. Suffice to say there are “surveillance-free” options out there, and if you’re not satisfied with current app options it is easy to hack your own together
RunningDroid 1 hours ago [-]
Many times GadgetBridge* can be used instead of the official app
Illinois has a tight biometric-privacy law [1]. I’d bet Oura isn’t particularly careful about prohibiting e.g. a Texas police department querying the protected information of Illinois residents.
[1] https://en.wikipedia.org/wiki/Biometric_Information_Privacy_...
I’m assuming that Oura are assuming that this—the Illinois BIPA is toothless—is true. It is not [1].
[1] https://www.wilmerhale.com/en/insights/blogs/wilmerhale-priv...
Very strange -- it seems to be conflating end-to-end encryption with encryption-in-transit.
Encryption in transit means that network intermediates can't read the data. The two endpoints of the network communication can.
E2E encryption is more context-sensitive, and its context mostly comes from messaging. It means that the data is encrypted and that operational intermediates cannot read it. So in the context of messaging, the servers that run the messaging system cannot read the messages. Or, for an email, only the sender and recipient, not any of the intermediate email servers.
There's a big difference -- you can't really control or predict your network intermediates, but you can in theory know the operational intermediates. Whether something is E2E encrypted often depends on what intermediates you bring in to scope.
For example:
> That means that an Oura user's health data can be unscrambled at certain points as it travels from a person's ring, through their phone app, over the internet, and as it lands on Oura's servers.
If the ring uses Bluetooth to sync the data to your phone and the phone syncs data to the Oura servers, but the data is in the clear on your phone, then by this definition, it is not E2E encrypted. However, that's a pretty reasonable setup, depending on how the data on the phone is stored.
Yet another angle would be that both the phone and the ring are in one's material possession, whereas the cloud is someone else's computer, and to display a nice web UI it has to have the data unencrypted over there.
In that case, the cloud is the potentially untrusted intermediate between the data and one's eyeballs.
All of these are equally valid, it all depends on what is your threat model.
Take a messenger app using a server as middleman. E2EE means only the 2 users get to see the content, not the middleman company server. For Oura there’s only a user and the company server and a lot of people assume Oura can’t read the data, like the Signal or WhatsApp servers can’t read the data because of E2EE. The marketing usually allows or encourages this misunderstanding.
If they claim E2EE though, the interface between the user and the service (the ring or at worst the app) should mandate the encryption and the data should be decrypted only at the other end on Oura’s servers. If at any point in between these 2 ends the data is decrypted then it’s not E2EE.
Usually it's much less of a headache to luks/bitlocker/SED the whole drive so that you don't have to worry about swap files and logs
"Mr Smith has been running again, we better bring him in for questioning!"
Edit: to be clear, the government is requesting the data, so clearly they're doing something with it... But what? I don't see it!
Tech companies when they speak to VCs: look at all the creepy things we can infer with ooodles of aggregated data and AI to maximize targeted ad revenue, we're worth 50x what an equivalent non-tech company in our sector is valued, because of all the things we can do with all that data from all those people together
Tech companies when they speak to their customers: oh you're so silly to even ask about privacy, what possible utility could there be in that single isolated variable?
What could they possibly do from this single variable???
Bad health? Raise the insurance premiums? Or anything more evil I can't think of.
edit: grammar
(Note 1:"Dr. Bootlicker, the defendant wants the court to believe that she calmly placed herself between the agent and the minor he was trying to apprehend, and asserts that the agent's claim, that the defendant's actions constitute assault, is, in her words, 'ridiculous'. But am I correct in understanding that you view minutes 8 and 9 of the biometric data submitted to the court as characteristic of significant physical exertion that might be similar to that undergone by an assailant while commiting an assault?")
AFAIK, they even have some watches with no radio hardware so that they can be used in sensible environments.
You’re more concerned about privacy when it comes to TV viewing than medical data? What a strange hijacking of a serious thread…
Thinking more on this I think a business opportunity in the future will be companies that design hardware stacks that can go in random appliances that can gather usage information in the name of telemetry.
I give it +/- 5 years before an OTS coffee maker at walmart phones home.
Government can already get ALL your celltower locations without a warrant
AND read all your emails and text messages that are over 6 months old, without a warrant
Assuming you meant directly from the telcos and not from the data broker loopholes - in which case pretty much anyone should be able to do that. Emails and texts they still need a warrant for.
Apple has a great PR (propaganda) department that has convinced many people they respect your privacy. In truth, they do not. They're "better" than Google, but only slightly. And only so slightly that realistically it doesn't matter.
"Apple is taking the unprecedented step of removing its highest level data security tool from customers in the UK, after the government demanded access to user data."
https://www.bbc.com/news/articles/cgj54eq4vejo
It happened in the UK; it will not be long before it happens in the US.
--
Also, USA: https://www.bbc.com/news/technology-36084244
--
Also, France, Germany, Australia, Brazil, Japan: https://www.apple.com/legal/transparency/pdf/requests-2024-H...
--
Also, Russia: https://www.bloomberg.com/news/articles/2019-02-04/apple-fil...
--
Also, China: https://www.article19.org/resources/apple-cares-about-digita...
--
Also in general: https://proton.me/blog/iphone-privacy
Also, the US Government has already demanded that Apple weaken device encryption.
Apple fought it in court, and the government dropped their demand rather than set a privacy precedent they wanted to avoid.
The best way to prevent the Feds from getting access to customer data is to not collect it in the first place.
Apple is subject to the same laws Oura is. The competition is too.
All it takes is a political sea change for E2EE to go away.
Apple already has to hand over a wealth of information when asked by the feds.
Previously, they refused US government demands for a backdoor that would allow them to unlock locked devices.
Does that mean that instead of UK government accessing the data (through a backdoor), UK government can now access to data (because it's not encrypted at all)?
That makes it very nearly meaningless.
We've never had so many threats to our privacy and liberties heaved upon us, and the rate is accelerating.
Everything about that company is disgusting.
Such a shame, too. I was eager to learn more about my health.
But every one of these devices demands some Android/Apple app, and shipping all my health data to basically non-HIPAA data brokers.
Id be all over a local-only no-data-exfiltration health tracker. But the companies do NOT want to provide that.
I, uh, guess, "go surveillance capitalism", for more choices?
*https://codeberg.org/Freeyourgadget/Gadgetbridge
In overly simple terms, if insurance is not involved, then it’s not subject to HIPAA.