Oura says it gets government demands for user data

Last year, health wearable maker Oura became embroiled in a social media shitstorm after inking a deal with the Department of Defense and Palantir. Some customers feared their data would end up in the clutches of the Trump administration. The scandal blew up so much that my partner, an Oura ring user, drew my attention to it.

Oura rings are health-monitoring hardware wearables worn on a finger. These battery powered rings keep track of a person's health data, like heart rate, sleep patterns, menstrual cycles, and dozens of other data points, including their location. Oura keeps a lot of sensitive information about its users on its servers.

As a security and privacy nerd reporter, and the partner of someone who uses hers, I wondered: Where does all that data go, and how does it get there? You might assume it doesn't matter. But the way that companies set up their products and servers makes all the difference between whether governments (or hackers) can also access that user data.

This was a good opportunity to dig into how Oura rings work, how they send data and how the data is stored, and who has access to it. I wrote a detailed longread explaining why Oura's security design choices allow governments to tap records from Oura's vast banks of user information.

Oura is not unique in this, and many (if not most) companies design their systems to allow their staff to access user data, perhaps for troubleshooting customer issues or because it was the easiest and cheapest setup for a once cash-strapped startup. But Oura is now one of the largest health tech wearable makers today, valued at over $11 billion ahead of going public. The company has a responsibility more than ever to ensure that its users' data cannot be accessed. And, Oura can no longer argue that it does not have the financial resources to do it.

In my previous blog, I revealed that Oura data is not end-to-end encrypted. That means that an Oura user's health data can be unscrambled at certain points as it travels from a person's ring, through their phone app, over the internet, and as it lands on Oura's servers. The company confirmed that it stores user data in a way that allows some staff to access it. This also means others can as well, such as a prosecutor with a warrant, a hacker with stolen keys, or a disgruntled insider who wants to leave behind a fustercluck of a mess.

Out of the three, we know at least one of those things has happened.

PLEASE SUPPORT THIS NEWSLETTER!

~this week in security~ is my weekly cybersecurity newsletter supported by readers like you. Please consider signing up for a paying subscription starting at $10/month for exclusive articles, analysis, and more.

Or, you can submit a one-time tip to show your support!

Subscribe to access premium blogs

When I reached out for comment before publishing my last article, an Oura spokesperson told me that the company does "receive infrequent requests from the government." Oura said it looks at each request "for legality, scope, and necessity," and that it pushes back "where requests are invalid, overbroad, or inconsistent with our commitment to protect our members’ privacy."

Oura would not say how many requests it receives, how often it turns over user data, or what kinds of data are requested. Oura has sold over 5.5 million rings to date as of around the time of my last article, giving some scale to the size of the company's customer base.

I asked Oura back then if it would disclose how often it received these requests, such as by publishing a transparency report. A wave of tech companies began releasing in aggregate how many government demands they received on a semi-annual basis. This was largely to counter the claims that they were secretly handing over reams of user data to the government upon request, stemming from the NSA surveillance scandal in 2013.

There was some hope in Oura's initial response. A spokesperson told me at the time that while Oura does not publish a transparency report, the company said it was "actively evaluating how to share aggregate data in a way that maintains security and does not introduce risk to our members."

It's been eight months, dear reader. 

I recently reached out to Oura again to see if it would release a transparency report, and after several follow-up emails, the once-responsive Oura has not yet replied to any of my inquiries, or committed to releasing the numbers. I'm hopeful that Oura will reconsider and publish how many demands it receives as other tech companies have. 

Without seeing the numbers, it is impossible to know how often, if ever, Oura rejects government demands for data. As the frontrunner in the health wearables market, Oura should share how often the government demands access to users' information if it wants to earn or keep the trust of its customers.

~ ~

Thank you so much for reading ~this week in security~. If you liked this article, please share it! Feel free to reach out with any feedback, questions, or comments about this article: this@weekinsecurity.com.

Get all the cyber news you need to know, delivered weekly.

sign up for Zack Whittaker's weekly cybersecurity newsletter. Hand-written, zero slop.

No email open or link tracking. Unsubscribe anytime.