I don’t use Android or iPhones because of privacy concerns.
I got into an accident over a year ago and have been in horrible pain. My employer has contracted with some healthtech company, Hinge Health, which provides videos and instructions to help people reduce pain.
They have no website, of course, and only have an Android App or iPhone App.
I kept ignoring their emails spamming their product, despite really needing it, but then they said if I signed up I could get a free massager. This would really help me.
So I signed up using the web, thinking things had possibly changed and added web features, and after that they told me I had to download the App and do a lesson to get the massager.
I expressed my frustration to them and said I couldn’t do it. I am poor, I don’t have a smart phone nor do I want one. I told them this hoping they would give me the messager. Instead, they said they could send a free tablet to help. I was like, great, thinking I’d turn off bluetooth, nearby device permission, location, and connect to WiFi only to a pihole to preserve some of my privacy, get a massager, and be in less horrible pain.
When the tablet arrived, it’s a Lenovo TB310FU or Tab M9. It was a beautiful tablet. So I turn it on and their corporate logo shows up, which was slightly concerning.
Then the tablet loads and there is their Hinge App, a Chrome Browser, and Settings, and that’s it. I made sure to turn off location, turn off WiFi, not connect to anything, and keep bluetooth off, although in the 5 seconds before that happened I’m sure it collected data on all nearby networks and devices. Then I go into the settings to try to figure out what’s happening.
There’s an admin account attached and also an app called Esper. For Esper, it can’t be uninstalled and it has access to location, nearby device permissions, bluetooth, and every permission that is available and none of them can be turned off. Esper is listed as an admin App.
I also am unable to reset the tablet and it said “Blocked by your IT administrator.”
Since I am using a health device, it felt extraordinarily invasive to me. I do not trust big tech or health tech to keep my data safe, I’ve had data breaches before, and I also don’t entirely understand why this company needs to know my nearby devices if it’s just for health. Even though I made it clear I reserve my HIPPA rights and opt out of research, those are still on.
What was frustrating is this was presented to me in a way in which I thought it was a free tablet. After I got it and looked at it more, I wasn’t sure whether it was free or not or if they thought they were letting me borrow it and they expected it to be returned. I also wonder if they are giving the tablet to me for free and somehow monetizing marketing data.
I contacted them about returning it, since I didn’t feel comfortable with them having root access to a Tablet that collect data and interact with other electronics nearby when it’s a health device. They said they understood and would send something to return it.
The Esper Device Management also access “physical activity” upon turning it on, which seems invasive and I can’t turn that off. Keep in mind, I haven’t even opened the Health App.
I have two concerns. 1) I am actually still in pain. It would have been nice to use this Hinge App in an isolated environment where I didn’t feel like it was collecting nearby devices information and GPS coordinates and other things which didn’t seem related to health issues. 2) This tablet may have already collected information through bluetooth, GPS, WiFi, etc, and although I haven’t connected it to the Internet, if I send it back to them then that information can go into their network, which I really didn’t want and never would have agreed to.
So, my main question is whether I can use something like adb in a terminal to get into this app and break Esper, root it to something like Calyx or Bliss, and use the App without permissions being enabled in the OS like this to reduce my pain. Would this be possible? I don’t want to go down this rabbit hole if it’s a waste of time. I would also be happy if I could just wipe the tablet prior to returning it.
I would also have to check with the company to see if it’s even allowed to root it. This is a company that is also contracted through my employer and I am worried if I do anything that they don’t like, it could cause trouble with my employment, but it seems unlikely.
The other thing is whether there is a way to delete any data Esper stored. I am not able to “Erase all data” and when I try it says “Blocked by your IT admin.” So it seems totally managed.
And I never would have agreed to this had I known this was a managed device and I also can’t purge it of collected data that isn’t related to health that I didn’t consent to being collected.
This is just so frustrating because I really am in a lot of terrible pain, but I really go out of my way to never use any Google or Apple products in my personal life because of privacy concerns, and I thought I could make an exception but limit it and it turns out it’s 1000 times worse than a normal tablet.
Am I overreacting? I told them I would send it back, but it now likely has nearby device data and information about my personal network and other info I did not want to share and I can’t delete it, nor do I even know what was collected.
-
It’s a device provided by someone else through your employer. It would be best not to mess with it in any way that’s not already provided by the device (e.g. rooting it)
-
all the infos on nearby devices have already been collected over and over by your neighbours and people walking around outside.
all the infos on nearby devices have already been collected over and over by your neighbours and people walking around outside.
aaand now that is also attached to their name.
thanks for being the first person or one of the few to understand the concern
it feels invasive in principle. If they had said it was a managed device, I never would have accepted it.
data brokers do not know which devices are nearby me. i use linux. no one collects anything where i am. and now databrokers are able to know which specific devices are around me, meaning that if I buy a smart device in cash and set it up, data brokers will be able to infer it’s me based on the proximity of nearby devices collected by this health tablet. that actually is invasive, data brokers and smart devices are that good at inferences, and i feel like I was duped into this.
If they had said it was a managed device, I never would have accepted it.
Did you really expect them to just give you a 100% free tablet out of the goodness of their hearts no strings attached? If a company gives you a device without any management then they have incompetent IT staff.
I beg to differ! The association I work for allow me to root any device they give me and our IT isnt… Oh, I’m their tech guy. Maybe I would be incompetent.
/J
I’m not rooting my work stuff for the simple reason of being on the samish OS (Win11 in different flavors) as the users so I keep myself up to date on the systems behaviour
no one collects anything where I am
How do you know that? If you live in a neighborhood signals bleed all over the place and undoubtably they have information on you.
Or if you’re in the middle of nowhere, if you’ve ever had any friends or family over, their phones most likely scanned what’s around too.
No one can live in a bubble anymore.
How do you know that? If you live in a neighborhood signals bleed all over the place and undoubtably they have information on you.
I think OPs body does not emit radio signals
Bear in mind that they already have your home address, as they sent the tablet to you, that address is geolocated, and anyone with a phobe passing near you will have enumerated any wifi networks and possibly bluetooth too and geolocated those.
They already know what devices are around you unless there’s not been a phone within range since you got them.
You were sent the tablet in order to be able to access the the app they provide. I strongly suspect that it is actually a loan, and they will want it back when you are finished with it. Given that, you shouldn’t even attempt to root it. Use it for what it is intended for, gain some benefit from that, hopefully get your massager, and return the tablet when you’re finished with it.
Unless you deliberately give them more information, there’s not much new they can gain about your environment from the tablet. What you do in the app is going to be much more valuable data to them as it’ll give them information about you and your health that they could not gain any other way.
they actually didn’t say it was a loan. i think i remember the webpage they sent me to said free tablet and yoga mat, but i didn’t know. i wasn’t thinking about it because i figured i could root or disable all permissions.
it may be that it’s free, they wouldn’t have a problem with me rooting it and putting the app on it, and i just need to ask
These things are usually buried somewhere in the small print, and it might even have been in some “hey, look at this exciting new prek we git you” email from your employer when you/they joined the scheme. It might have been something like “Any items we provide to assist with member’s physical therapy remain the property of <evilcorp> at all times, and must be returned at the end of the therapy”.
Just treat the tablet as what it was provided as, a way to access their app, and be ready to return it afterwards.
you may be right, i’ll have to find out more before doing anything else
-
You should try to setup an Android VM and run the health app off your computer.
i could do that. i still hate how many apps contain things like firebase and other analytics code baked into the compiled apk probably are trying to collect hardware identifiers. even if they are only collecting vm identifiers, those VM identifiers are now linked to me.
we live in a strange and rapidly changing world. look at the “ice” goons with face masks going around abducting people and some random white people emulating ice people to rob latinos. i am not latino, but i am LGBT, and i’m not so naive as to think this couldn’t impact me. i may be in wave 2 of whatever “this” is.
what if i want to run an LGBT dating app in an android VM to try to meet someone new WITHOUT it being linked to my name in some databroker database? the identifiers will be the same in that, even if i reinstall it (perhaps there would be a new media id and advertiser id, but the emulated hardware identifiers are persistent, like a hash of the underlying hardware identifiers). my strength is not in coding so if this is wrong, please let me know.
i was fine with just using the tablet for this app and having the hardware identifiers of the tablet linked to the app. the problem is it’s sucking up data of everything nearby.
the strange thing about privacy awareness is that it’s all paranoia and conspiracy theories until suddenly there’s some unexpected radical movement or change in power that persecutes some minority group and demands compliance from data brokers, who only care about money. i’m sure many people apprehended by ICE never thought about data privacy prior to being disappeared.
You are not overreacting for wanting the services offered without the egregious data harvesting requirement. However, that’s the level of service your employer pays for. Price of admission.
Attempting to fiddle with the device when it is clearly externally managed is a bad idea, especially now you have put the gears in motion for a return.
You are overreacting by thinking that they will obtain anything valuable or anything that can be leveraged from it, if returned now in the state you leave it.
Your employer has already shared plenty of information about you with the provider simply by enrolling you in whatever health plan this is. That horse has long since bolted and the barn door is swinging in the wind.
The device data will add nothing useful to what they have already, unless you actually use it.
I assume the app is internet dependent & any self-sourced device using the app would just give up data regardless, or that the app would not function if you successfully castrated it.
In your position, the only way forward while keeping your scruples is to either convince the provider to give you the item without the bullshit, or seek alternative options.
Just power it down and send it back. The tiny snapshot of data it got when you powered it up is of little concern.
Honestly no one will likely look at it, IT is just going to reimage it and ship it again.
There’s no privacy concern. They sent you the tablet so you could watch the training video. They need to know you watched the instructional video so that’s not a privacy intrusion.
Watch the video and turn it off.
Hi, under your own responsability. I found in XDA forums this guide:
https://xdaforums.com/t/guide-how-to-root-and-install-gsi-on-lenovo-tab-m9.4701150/
Hope it helps.
So even if I call them and try to keep the tablet, I have no idea if they meant to give me the tablet as a gift or not
if it’s a gift, i could try to use win or plug the tablet into linux and then attach it to the VM. i could possibly get it rooted that way. ew windows.
i am also pretty sure the Esper App blocks developer mode. I should just tap 5 times to try to find out.
I probably need to ask them.
How much personal information is going into the intended use of the tablet? If all you need to do is watch some videos can you take it to a public library or a McDonald’s? Does your Dr’s office have wifi or could you watch it at work?
