GoKawiilOura users' data is not end-to-end encrypted and can be handed to the government. Will the wearable tech maker say how often it turns over data?
Last year, health wearable maker Oura became embroiled in a social media shitstorm after inking a deal with the Department of Defense and Palantir. Some customers feared their data would end up in the clutches of the Trump administration. The scandal blew up so much that my partner, an Oura ring user, drew my attention to it.
Oura rings are health-monitoring hardware wearables worn on a finger. These battery powered rings keep track of a person's health data, like heart rate, sleep patterns, menstrual cycles, and dozens of other data points, including their location. Oura keeps a lot of sensitive information about its users on its servers.
As a security and privacy nerd reporter, and the partner of someone who uses hers, I wondered: Where does all that data go, and how does it get there? You might assume it doesn't matter. But the way that companies set up their products and servers makes all the difference between whether governments (or hackers) can also access that user data.
This was a good opportunity to dig into how Oura rings work, how they send data and how the data is stored, and who has access to it. I wrote a detailed longread explaining why Oura's security design choices allow governments to tap records from Oura's vast banks of user information.
Oura is not unique in this, and many (if not most) companies design their systems to allow their staff to access user data, perhaps for troubleshooting customer issues or because it was the easiest and cheapest setup for a once cash-strapped startup. But Oura is now one of the largest health tech wearable makers today, valued at over $11 billion ahead of going public . The company has a responsibility more than ever to ensure that its users' data cannot be accessed. And, Oura can no longer argue that it does not have the financial resources to do it.
In my previous blog , I revealed that Oura data is not end-to-end encrypted. That means that an Oura user's health data can be unscrambled at certain points as it travels from a person's ring, through their phone app, over the internet, and as it lands on Oura's servers. The company confirmed that it stores user data in a way that allows some staff to access it. This also means others can as well, such as a prosecutor with a warrant, a hacker with stolen keys, or a disgruntled insider who wants to leave behind a fustercluck of a mess.
Out of the three, we know at least one of those things has happened.
When I reached out for comment before publishing my last article, an Oura spokesperson told me that the company does "receive infrequent requests from the government." Oura said it looks at each request "for legality, scope, and necessity," and that it pushes back "where requests are invalid, overbroad, or inconsistent with our commitment to protect our members’ privacy."
Oura would not say how many requests it receives, how often it turns over user data, or what kinds of data are requested. Oura has sold over 5.5 million rings to date as of around the time of my last article , giving some scale to the size of the company's customer base.
... continue reading