I don’t use Android or iPhones because of privacy concerns.
I got into an accident over a year ago and have been in horrible pain. My employer has contracted with some healthtech company, Hinge Health, which provides videos and instructions to help people reduce pain.
They have no website, of course, and only have an Android App or iPhone App.
I kept ignoring their emails spamming their product, despite really needing it, but then they said if I signed up I could get a free massager. This would really help me.
So I signed up using the web, thinking things had possibly changed and added web features, and after that they told me I had to download the App and do a lesson to get the massager.
I expressed my frustration to them and said I couldn’t do it. I am poor, I don’t have a smart phone nor do I want one. I told them this hoping they would give me the messager. Instead, they said they could send a free tablet to help. I was like, great, thinking I’d turn off bluetooth, nearby device permission, location, and connect to WiFi only to a pihole to preserve some of my privacy, get a massager, and be in less horrible pain.
When the tablet arrived, it’s a Lenovo TB310FU or Tab M9. It was a beautiful tablet. So I turn it on and their corporate logo shows up, which was slightly concerning.
Then the tablet loads and there is their Hinge App, a Chrome Browser, and Settings, and that’s it. I made sure to turn off location, turn off WiFi, not connect to anything, and keep bluetooth off, although in the 5 seconds before that happened I’m sure it collected data on all nearby networks and devices. Then I go into the settings to try to figure out what’s happening.
There’s an admin account attached and also an app called Esper. For Esper, it can’t be uninstalled and it has access to location, nearby device permissions, bluetooth, and every permission that is available and none of them can be turned off. Esper is listed as an admin App.
I also am unable to reset the tablet and it said “Blocked by your IT administrator.”
Since I am using a health device, it felt extraordinarily invasive to me. I do not trust big tech or health tech to keep my data safe, I’ve had data breaches before, and I also don’t entirely understand why this company needs to know my nearby devices if it’s just for health. Even though I made it clear I reserve my HIPPA rights and opt out of research, those are still on.
What was frustrating is this was presented to me in a way in which I thought it was a free tablet. After I got it and looked at it more, I wasn’t sure whether it was free or not or if they thought they were letting me borrow it and they expected it to be returned. I also wonder if they are giving the tablet to me for free and somehow monetizing marketing data.
I contacted them about returning it, since I didn’t feel comfortable with them having root access to a Tablet that collect data and interact with other electronics nearby when it’s a health device. They said they understood and would send something to return it.
The Esper Device Management also access “physical activity” upon turning it on, which seems invasive and I can’t turn that off. Keep in mind, I haven’t even opened the Health App.
I have two concerns. 1) I am actually still in pain. It would have been nice to use this Hinge App in an isolated environment where I didn’t feel like it was collecting nearby devices information and GPS coordinates and other things which didn’t seem related to health issues. 2) This tablet may have already collected information through bluetooth, GPS, WiFi, etc, and although I haven’t connected it to the Internet, if I send it back to them then that information can go into their network, which I really didn’t want and never would have agreed to.
So, my main question is whether I can use something like adb in a terminal to get into this app and break Esper, root it to something like Calyx or Bliss, and use the App without permissions being enabled in the OS like this to reduce my pain. Would this be possible? I don’t want to go down this rabbit hole if it’s a waste of time. I would also be happy if I could just wipe the tablet prior to returning it.
I would also have to check with the company to see if it’s even allowed to root it. This is a company that is also contracted through my employer and I am worried if I do anything that they don’t like, it could cause trouble with my employment, but it seems unlikely.
The other thing is whether there is a way to delete any data Esper stored. I am not able to “Erase all data” and when I try it says “Blocked by your IT admin.” So it seems totally managed.
And I never would have agreed to this had I known this was a managed device and I also can’t purge it of collected data that isn’t related to health that I didn’t consent to being collected.
This is just so frustrating because I really am in a lot of terrible pain, but I really go out of my way to never use any Google or Apple products in my personal life because of privacy concerns, and I thought I could make an exception but limit it and it turns out it’s 1000 times worse than a normal tablet.
Am I overreacting? I told them I would send it back, but it now likely has nearby device data and information about my personal network and other info I did not want to share and I can’t delete it, nor do I even know what was collected.
it feels invasive in principle. If they had said it was a managed device, I never would have accepted it.
data brokers do not know which devices are nearby me. i use linux. no one collects anything where i am. and now databrokers are able to know which specific devices are around me, meaning that if I buy a smart device in cash and set it up, data brokers will be able to infer it’s me based on the proximity of nearby devices collected by this health tablet. that actually is invasive, data brokers and smart devices are that good at inferences, and i feel like I was duped into this.
Did you really expect them to just give you a 100% free tablet out of the goodness of their hearts no strings attached? If a company gives you a device without any management then they have incompetent IT staff.
I beg to differ! The association I work for allow me to root any device they give me and our IT isnt… Oh, I’m their tech guy. Maybe I would be incompetent.
/J
I’m not rooting my work stuff for the simple reason of being on the samish OS (Win11 in different flavors) as the users so I keep myself up to date on the systems behaviour
How do you know that? If you live in a neighborhood signals bleed all over the place and undoubtably they have information on you.
Or if you’re in the middle of nowhere, if you’ve ever had any friends or family over, their phones most likely scanned what’s around too.
No one can live in a bubble anymore.
I think OPs body does not emit radio signals
Bear in mind that they already have your home address, as they sent the tablet to you, that address is geolocated, and anyone with a phobe passing near you will have enumerated any wifi networks and possibly bluetooth too and geolocated those.
They already know what devices are around you unless there’s not been a phone within range since you got them.
You were sent the tablet in order to be able to access the the app they provide. I strongly suspect that it is actually a loan, and they will want it back when you are finished with it. Given that, you shouldn’t even attempt to root it. Use it for what it is intended for, gain some benefit from that, hopefully get your massager, and return the tablet when you’re finished with it.
Unless you deliberately give them more information, there’s not much new they can gain about your environment from the tablet. What you do in the app is going to be much more valuable data to them as it’ll give them information about you and your health that they could not gain any other way.