alt Hacker NewsNot very strange but E2EE is thrown around a lot and everyone interprets it differently. And in some cases the expectations are unrealistic.
Take a messenger app using a server as middleman. E2EE means only the 2 users get to see the content, not the middleman company server. For Oura there’s only a user and the company server and a lot of people assume Oura can’t read the data, like the Signal or WhatsApp servers can’t read the data because of E2EE. The marketing usually allows or encourages this misunderstanding.
If they claim E2EE though, the interface between the user and the service (the ring or at worst the app) should mandate the encryption and the data should be decrypted only at the other end on Oura’s servers. If at any point in between these 2 ends the data is decrypted then it’s not E2EE.
Replies
> everyone interprets it differently.
No, they don't. You're spreading misinformation. If the service provider can see the data then it is not E2EE. There is no room for negotiation here. Let me be perfectly clear that any service provider that claims E2EE while having access to user data is committing blatant fraud.
That said, it does not appear that Oura ever claimed E2EE. The author is merely making it clear to the reader that this is not the case.
There is no interpretation issue, some people are just confused.
Oura is not claiming E2EE and Oura is not E2EE. E2EE in the health apps would mean that Oura would not see the data. Only user could see the data in their app. Oura's privacy policy states that they do not sell your data, they limit internal access using strict safeguards (like pseudonymization, where your name is separated from your health stats), and they pledge to push back against overbroad government data requests.
Contrast Oura to Apple Health that is true E2EE. Only you and your trusted devices have the keys, Apple can't see the keys, and Apple has noting to give is it gets government request.