Data leak on nightscout

The question you asked I answered. Mine is wide open. These are special settings that you can set up if you so choose. Most apps have admin settings.

Sounds like you might have wanted to start at the Nightscout foundation…

Then you have no idea who this person is. Knowing this info narrows your search to about 50 million people. Lol.

Worry warts.

Thank you, I have found those now and am reading up on it in the link @BrianJ gave.

I’ll take up the default settings on the nightscout github.

Thanks to everyone. I guess I was a little shocked to see some stranger’s data online just by mistyping a url. Poor fellow isn’t having a great time of it!

Personally I think secure by default should be, well, the default.

2 Likes

It is perfectly secure imo. I guess it’s all in just how worried you are that someone can take over your identity or whatever else concerns you, by knowing that you speak English, own a cell phone, and track your blood glucose levels.

Not that it matters, but I just typed the URL myuser.herokuapp.com in and got a secured page.

My username isn’t really myuser :)

I had to come back and address this post because it’s unsettling to me. So, as I took your response you implied that Liam should somehow hide his diabetes in order to break or circumvent rules, policies and laws… Even those imposed by bean counters (often the very people responsible for gathering and analyzing data… Critical quantitative takings that are necessary in order to establish laws and rules in our country.)

So to answer your presumed hypothetical I would tell Liam… If the current policy states that your disease precludes you from joining then you have to trust that quantitative analysis has been conducted and it has been determined that your disease poses a risk to yourself and possibly others (as is the case with being a pilot) while engaging in this activity.

So I will spend my time teaching my child (as I do with all my children) how to FIGHT for change if you believe there is an injustice being done to you. Take your battle to the top, fight for it, fight and lead the charge for CHANGE if you feel strongly that this condition should not preclude you from participating. But do NOT hide who you are and do NOT break the law.

Get voted into a position of power so that you can drive the change.

But it’s never ok in my view to intentionally hide a disease like diabetes while applying for a job that has specific policies that prevent you from joining. There is a reason the policy exists and most often that has to do with safety… Safety for self and safety for others.

I want Liam to be and do anything he wants to be and do… But I want him to do it the right way.

1 Like

I would not suggest that they hide their disease… I’m just saying that electronic medical data can have the potential to be harmful to people, unjustly, and that’s why many of us feel the need to protect it— particularly when it comes to electronic blood sugar data. It’s why I, and Eric, and many others don’t allow even our doctors to download our meters or CGM… maybe the perspective is different when it’s a child… I’d likely not have these concerns either if it were my children… but be forewarned it may be something that becomes a concern at some point in life to everyone who has diabetes or any other chronic illness.

1 Like

I agree and this is why HIPAA laws exist. The subject in question, however, doesn’t break HIPAA in any way. It’s over worry imo. Much ado about nothing.

Thanks for the clarification. When Liam is old enough, the management and decision-making Torch will be handed off to him.

While I don’t think being worried about un-identified data in Nightscout leaking is a reasonable concern, HIPAA allows for de-identified data to be shared with partners and both Google and Amazon are undertaking projects where they try and create data products to improve healthcare outcomes. Unfortunately, Google and Amazon are both wizards at identifying people from de-identified data. It is sad really, because the possibility for both good and bad exists with these data sets and our congressional leaders don’t seem to believe the average person needs any protection. This is of course not relevant to the Nightscout issue being discussed.

3 Likes

It’s relevant to me since I consider NS data as de-(un)-identified data.

So then using an email that isn’t traceable to you is probably the best you can offer. Honestly, the problem is that all of the companies should be required to meet a secure data portability standard that doesn’t currently exist but should. Then developers could connect to allow the patient to use their data as they see fit, and there wouldn’t be a need for the Nightscout type solution.

I don’t have a horse in the race on this. I used Nightscout for a couple of years and didn’t have a concern. But as I think about this, is the BS data really de-identified in Nightscout? If I recall correctly, my Nightscout set-up had a unique url that allowed me to access my data. In my case that url linked back to Microsoft Azure. I doubt it would take much technical expertise to link that URL back to me. Just makes me wonder…

1 Like

I am in complete agreement, and I suspect the user whose account you stumbled upon would be too, given the use of the non-US units. I ill-advisedly published my xDrip+ to Dexcom share, without understanding the total lack of security inherent in these systems, when I first set up xDrip+.

It is certainly unacceptable for an organization subject to data protection laws (there are none in the US) that receives personal data to publish it without consent. So what NightScout should be doing is defaulting to the protected settings.

Are there any European users of NightScout out there, or was that just a Canadian?

Oh well, I’ve made this comment in the past. Alas no one in the US understands; our data is too much not our property that we simply accept it being stolen.

We’re moving the conversation away from… Can someone identify me by just having access to the public url (locked) to… Can I be hacked in some way if someone with the skills wants to hack me…

The answer to the first question is no. The answer to the second question is most certainly… If someone wants to hack any of us and had the skills they can do it through any number of 21st century services and devices we use today.

Not going to live in fear of some boogie man though.

1 Like

The OP (@NickR) posed these two questions:

So you are slightly off topic, however you ask:

Oooh ■■■■ yes. You give me enough data about you and I can identify you just using Google. Biometric prints are particularly good for identifying people:

  1. Fingerprint: you have given your fingerprints to the FBI haven’t you? Everyone joined in that craze and I certainly have.
  2. Retinal scans. You have been through [any number of countries, including the US] immigration recently, haven’t you? And they certainly took a picture of you. (I admit the one in Cozumel probably wouldn’t resolve my retina.)
  3. Blood glucose levels. I defy anyone to be able to reproduce my blood glucose levels. They identify me uniquely and are particularly easy to match given a timestamp. I am my blood glucose levels, given some NaOH the fingerprints go, my retinal scans are getting outdated in a big way but my blood glucose recorded levels are on everything I carry.

So no, the answer to the first question is yes.

I simply don’t understand where that is coming from. This is about protecting our own private lives. My understanding is that @NickR was talking about personal information (someone else’s) being disclosed by a third party. That has nothing to do with what you refer to as “be[ing] hacked”, notwithstanding that I have objected for more than 30 years to the pejorative use of “hack”; I am a hacker, or a hack, or I do hack, if you want to get back to the pre-newspaper use (I do not ride horses, though.)

1 Like

We’ll just have to agree to disagree on this one.

Consumer Reports just started up one of their periodic petitions on a more general version of this problem:

Meanwhile and very ironically Epic has been campaigning against changes proposed by the US Department of Health and Human Services to give us (the “patients”) better access to our own data:

Epic is using what I regard as a spurious privacy argument; the company controls large amounts of patient data and severely restricts access to it outside its paying customers (specific doctors and hospitals).

This stuff is of critical importance to us. It affects things people on FUD have complained about before such as the difficulty of getting data from Dexcom Clarity and the lack of redundancy in Dexcom Share as well, of course, as the issue @NickR raised in this thread; the apparent lack of any security in the Heroku implementation of NightScout.

Of course Dexcom do conform to both HIPAA (the US privacy stuff) and the EU regulations (which cover all personal data):

https://www.dexcom.com/linked/documentservice/PrivacyPolicy

The HIPAA statement is on a different web page (linked in the previous one):

https://www.dexcom.com/notice-of-privacy-practices

That’s a good example of how much and how little is covered in HIPAA.