
nihaals | 1 year ago

They don't really give any specifics, and I'm not sure if they give you the keys or explain how the keys are derived (which I assume must be based on your login if they don't make you enter it; otherwise they must be able to decrypt it whenever they want), but they mention they worked with Latacora[1]. Also curious if anyone else has any ideas on how they prevent themselves from being able to decrypt user data while implying they're not using E2EE[1].

[1]: https://help.limitless.ai/en/articles/9130680-privacy-with-l...

Edit: I just tried it. They don't give you encryption keys you need to enter when signing in, and the server literally sends you your transcripts with no encryption. Maybe they're including a key somehow derived when signing in with Google/a magic link in the request, but I don't think anything would stop them from just logging API responses even if that was the case. They're definitely not using E2EE. They might just be encrypting at rest and storing their keys in AWS KMS, which sounds like false advertising.


Oras|1 year ago

It would be impossible to do E2E encryption unless the transcription happens on the device (I assume you mean the wearable).

Even with that, you will only access the transcript and still need an AI model to get meaningful info.

This device wouldn't be suitable for anyone with little privacy concerns.

georgehill|1 year ago

I was going to buy it, but this lack of privacy explanation scares me.

nihaals|1 year ago

Just added some additional context from trying it which might make you glad you checked.