> the once-responsive Oura has not yet replied to any of my inquiries, or committed to releasing the numbers
Illinois has a tight biometric-privacy law [1]. I’d bet Oura isn’t particularly careful about prohibiting e.g. a Texas police department querying the protected information of Illinois residents.
"In my previous blog, I revealed that Oura data is not end-to-end encrypted. That means that an Oura user's health data can be unscrambled at certain points as it travels from a person's ring, through their phone app, over the internet, and as it lands on Oura's servers."
Very strange -- it seems to be conflating end-to-end encryption with encryption-in-transit.
My understanding is that E2E encryption implies encryption in transit. The message is encrypted at the source and only decrypted at the destination, so it is encrypted everywhere in between.
All this said I'm more concerned about Automatic Content Recognition (ACR) on smartTV you buy in the store and never even realize it's phoning home with everything you watch...
I considered an Oura but went with an Apple watch instead. I turned on Advanced Data Protection on the paired iPhone for peace of mind. No other large data providers really provide anything equivalent to ADP’s E2EE protection with zero access encryption, especially in the consumer space for activity trackers.
This is why although I don't love my Apple Watch, I'm not using anything else. It's very sensitive data and Apple is the only company worth trusting with it. They're not perfect but compared to others there's no competition.
A great example is Apple's new in-house cellular modem design, which gives you the option to stop reporting your exact location to your cellular provider.
The best way to prevent the Feds from getting access to customer data is to not collect it in the first place.
Google's Health Connect system doesn't share this data either (without a consent prompt for third party apps, off course). This is to the point where I wish it would just support some kind of sync, because two devices hooked up to the same accounts need a third party app to transfer the health info.
Apple is subject to the same laws Oura is. The competition is too.
Yeah there's no one I'd trust with my personal data except Apple. Their track record of refusing to bow down to the feds has been golden. 24 carat infact.
Apple literally removed encrypted file storage as a feature in the UK rather than comply with demands for access to encrypted customer data from the UK government.
Previously, they refused US government demands for a backdoor that would allow them to unlock locked devices.
Maybe, weren't it for the fact that we're having age verification and IDV ("protect the kids"), hardware attestation, removal of 3rd party APKs, etc. heaved upon us.
We've never had so many threats to our privacy and liberties heaved upon us, and the rate is accelerating.
Apple has a great PR (propaganda) department that has convinced many people they respect your privacy. In truth, they do not. They're "better" than Google, but only slightly. And only so slightly that realistically it doesn't matter.
"Apple is taking the unprecedented step of removing its highest level data security tool from customers in the UK, after the government demanded access to user data."
I sat in a meeting at a data broker in 1998 where one of their product managers was strangely proud about how they could determine menstrual cycles from purchase records. It wasn't just hygiene products either. They already have that data and manipulate women with targeted ads timed for the optimal receptivity.
Great, so they can further extrapolate what exact locations you get nervous / are more relaxed / walk more quickly… the understated problem with PII isn’t about any single data point, it’s about combining data to make probable inferences.
From what I understand, they can get call records and subscription info w/ administrative subpoenas, but this is the first I've heard of them being able to get location data without a warrant.
Assuming you meant directly from the telcos and not from the data broker loopholes - in which case pretty much anyone should be able to do that. Emails and texts they still need a warrant for.
If your concern is that the government may access the data, whether it's covered by HIPAA or not is irrelevant, because HIPAA allows government access. Though yes, it would still be better than non-HIPAA in general.
I will once again proselytize for the new pebble time 2 (I am quite a fan of it). Open source and comes with standard sensors for health monitoring (6 axis imu, heart rate monitor, SpO2). Health data can be kept and analyzed on your phone and there are various apps that can do so. Suffice to say there are “surveillance-free” options out there, and if you’re not satisfied with current app options it is easy to hack your own together
Target infamously was inferring when teenage girls were pregnant before their parents knew based on reward card data records of single merchant retail purchases.... in 2002.
Tech companies when they speak to VCs: look at all the creepy things we can infer with ooodles of aggregated data and AI to maximize targeted ad revenue, we're worth 50x what an equivalent non-tech company in our sector is valued, because of all the things we can do with all that data from all those people together
Tech companies when they speak to their customers: oh you're so silly to even ask about privacy, what possible utility could there be in that single isolated variable?
No one seems to care anymore, but a big issue that people were concerned about in the 2000s was the switch from 'I know more about me than the blob (corps, gov, etc) does' to, 'I need the blob to remind me where the hell I was that day'. Heart rate and blood oxygen data are hard to exploit data points but not impossible(1), but facing an accusation from someone who knows more about your movements than you do is an uncomfortable scenario. Of course right now, if you're facing an acusation of this type, odds are it's legitimate, or if not, defenseable, but that was the case 15 years ago in Türkiye, but isn't now. Things change.
(Note 1:"Dr. Bootlicker, the defendant wants the court to believe that she calmly placed herself between the agent and the minor he was trying to apprehend, and asserts that the agent's claim, that the defendant's actions constitute assault, is, in her words, 'ridiculous'. But am I correct in understanding that you view minutes 8 and 9 of the biometric data submitted to the court as characteristic of significant physical exertion that might be similar to that undergone by an assailant while commiting an assault?")
Illinois has a tight biometric-privacy law [1]. I’d bet Oura isn’t particularly careful about prohibiting e.g. a Texas police department querying the protected information of Illinois residents.
[1] https://en.wikipedia.org/wiki/Biometric_Information_Privacy_...
Very strange -- it seems to be conflating end-to-end encryption with encryption-in-transit.
You’re more concerned about privacy when it comes to TV viewing than medical data? What a strange hijacking of a serious thread…
The best way to prevent the Feds from getting access to customer data is to not collect it in the first place.
Apple is subject to the same laws Oura is. The competition is too.
All it takes is a political sea change for E2EE to go away.
Apple already has to hand over a wealth of information when asked by the feds.
Previously, they refused US government demands for a backdoor that would allow them to unlock locked devices.
That makes it very nearly meaningless.
We've never had so many threats to our privacy and liberties heaved upon us, and the rate is accelerating.
Apple has a great PR (propaganda) department that has convinced many people they respect your privacy. In truth, they do not. They're "better" than Google, but only slightly. And only so slightly that realistically it doesn't matter.
"Apple is taking the unprecedented step of removing its highest level data security tool from customers in the UK, after the government demanded access to user data."
https://www.bbc.com/news/articles/cgj54eq4vejo
It happened in the UK; it will not be long before it happens in the US.
--
Also, USA: https://www.bbc.com/news/technology-36084244
--
Also, France, Germany, Australia, Brazil, Japan: https://www.apple.com/legal/transparency/pdf/requests-2024-H...
--
Also, Russia: https://www.bloomberg.com/news/articles/2019-02-04/apple-fil...
--
Also, China: https://www.article19.org/resources/apple-cares-about-digita...
--
Also in general: https://proton.me/blog/iphone-privacy
Government can already get ALL your celltower locations without a warrant
AND read all your emails and text messages that are over 6 months old, without a warrant
Assuming you meant directly from the telcos and not from the data broker loopholes - in which case pretty much anyone should be able to do that. Emails and texts they still need a warrant for.
But every one of these devices demands some Android/Apple app, and shipping all my health data to basically non-HIPAA data brokers.
Id be all over a local-only no-data-exfiltration health tracker. But the companies do NOT want to provide that.
I, uh, guess, "go surveillance capitalism", for more choices?
*https://codeberg.org/Freeyourgadget/Gadgetbridge
In overly simple terms, if insurance is not involved, then it’s not subject to HIPAA.
Everything about that company is disgusting.
Such a shame, too. I was eager to learn more about my health.
"Mr Smith has been running again, we better bring him in for questioning!"
Tech companies when they speak to VCs: look at all the creepy things we can infer with ooodles of aggregated data and AI to maximize targeted ad revenue, we're worth 50x what an equivalent non-tech company in our sector is valued, because of all the things we can do with all that data from all those people together
Tech companies when they speak to their customers: oh you're so silly to even ask about privacy, what possible utility could there be in that single isolated variable?
(Note 1:"Dr. Bootlicker, the defendant wants the court to believe that she calmly placed herself between the agent and the minor he was trying to apprehend, and asserts that the agent's claim, that the defendant's actions constitute assault, is, in her words, 'ridiculous'. But am I correct in understanding that you view minutes 8 and 9 of the biometric data submitted to the court as characteristic of significant physical exertion that might be similar to that undergone by an assailant while commiting an assault?")