[close04]

Not very strange but E2EE is thrown around a lot and everyone interprets it differently. And in some cases the expectations are unrealistic.

Take a messenger app using a server as middleman. E2EE means only the 2 users get to see the content, not the middleman company server. For Oura there’s only a user and the company server and a lot of people assume Oura can’t read the data, like the Signal or WhatsApp servers can’t read the data because of E2EE. The marketing usually allows or encourages this misunderstanding.

If they claim E2EE though, the interface between the user and the service (the ring or at worst the app) should mandate the encryption and the data should be decrypted only at the other end on Oura’s servers. If at any point in between these 2 ends the data is decrypted then it’s not E2EE.

[u1hcw9nx]

There is no interpretation issue, some people are just confused.

Oura is not claiming E2EE and Oura is not E2EE. E2EE in the health apps would mean that Oura would not see the data. Only user could see the data in their app. Oura's privacy policy states that they do not sell your data, they limit internal access using strict safeguards (like pseudonymization, where your name is separated from your health stats), and they pledge to push back against overbroad government data requests.

Contrast Oura to Apple Health that is true E2EE. Only you and your trusted devices have the keys, Apple can't see the keys, and Apple has noting to give is it gets government request.

[fc417fc802]

> everyone interprets it differently.

No, they don't. You're spreading misinformation. If the service provider can see the data then it is not E2EE. There is no room for negotiation here. Let me be perfectly clear that any service provider that claims E2EE while having access to user data is committing blatant fraud.

That said, it does not appear that Oura ever claimed E2EE. The author is merely making it clear to the reader that this is not the case.

[Chaosvex]

Agreed. Weird to see a bunch of posts trying to argue that E2E doesn't imply that provider can't see the data, at rest or in transit.

[close04]

> Weird to see a bunch of posts trying to argue that E2E doesn't imply that provider can't see the data, at rest or in transit.

It's only weird for the people in that middle ground where they know "something" about it, but really not much at all. There are ways to get educated and at least acknowledge the misunderstandings but who has time for that [0].

E2E explicitly means from one end to another. Obviously when the provider is one of the ends, as sender or final recipient of the data, they can have access to the data and not violate the principle of E2EE. When the provider is just an intermediary they should not be able to decrypt the data because they are not one of the ends.

Some companies slap the E2EE sticker on their product even when it's meaningless because it makes the product sound more secure. Like when they were slapping "blockchain" on everything. Or "AI" and "agentic" these days. It means nothing, it's misleading, but not factually wrong.

[0] https://www.researchgate.net/publication/342621891_Improving...

[fc417fc802]

No, again, that is misinformation on your part. By your own logic every https connection qualifies as E2EE by virtue of traversing untrusted intermediaries as it crosses the public internet.

That obviously makes no sense as it renders the term entirely pointless. The entire reason for the term to exist is the difference from encryption in transit. It specifically means that one or more of the intended recipients (generally the service provider) do not have default access to the data.

The "meaningless" usage you describe is fraud seeing as it's an intentional attempt to deceive the consumer. It is factually wrong in the exact same way that slapping an open source label on something made available on github under a proprietary license is.

[close04]

> No, they don't. You're spreading misinformation.

You can confidently say that everyone is qualified enough and understands E2EE the same way you do? Is it magic or an LLM whispered in your ear?

Because by the nature of my job I talk every 2 days with someone who doesn't really understand what E2EE is, what it does and more importantly what it doesn't do. They learn from marketing materials nit from reading technical info, you know, like almost all users out there.