Oura says it gets government demands for user data

Oura says it gets government demands for user data(this.weekinsecurity.com)

133 points by donohoe 3 hours ago | 69 comments

> the once-responsive Oura has not yet replied to any of my inquiries, or committed to releasing the numbers

Illinois has a tight biometric-privacy law [1]. I’d bet Oura isn’t particularly careful about prohibiting e.g. a Texas police department querying the protected information of Illinois residents.

[1] https://en.wikipedia.org/wiki/Biometric_Information_Privacy_...

p-e-w 19 minutes ago | |

Why would they be careful, given that the chances of any serious consequences for ignoring such provisions are effectively zero?

JumpCrisscross 15 minutes ago | | |

> given that the chances of any serious consequences for ignoring such provisions are effectively zero?

I’m assuming that Oura are assuming that this—the Illinois BIPA is toothless—is true. It is not [1].

[1] https://www.wilmerhale.com/en/insights/blogs/wilmerhale-priv...

sz4kerto 2 hours ago |

"In my previous blog, I revealed that Oura data is not end-to-end encrypted. That means that an Oura user's health data can be unscrambled at certain points as it travels from a person's ring, through their phone app, over the internet, and as it lands on Oura's servers."

Very strange -- it seems to be conflating end-to-end encryption with encryption-in-transit.

munchler 1 hour ago | |

My understanding is that E2E encryption implies encryption in transit. The message is encrypted at the source and only decrypted at the destination, so it is encrypted everywhere in between.

blueg3 7 minutes ago | | |

The term has kind of degraded, because people started marketing that "end-to-end encryption" is the "right" answer.

Encryption in transit means that network intermediates can't read the data. The two endpoints of the network communication can.

E2E encryption is more context-sensitive, and its context mostly comes from messaging. It means that the data is encrypted and that operational intermediates cannot read it. So in the context of messaging, the servers that run the messaging system cannot read the messages. Or, for an email, only the sender and recipient, not any of the intermediate email servers.

There's a big difference -- you can't really control or predict your network intermediates, but you can in theory know the operational intermediates. Whether something is E2E encrypted often depends on what intermediates you bring in to scope.

For example:

> That means that an Oura user's health data can be unscrambled at certain points as it travels from a person's ring, through their phone app, over the internet, and as it lands on Oura's servers.

If the ring uses Bluetooth to sync the data to your phone and the phone syncs data to the Oura servers, but the data is in the clear on your phone, then by this definition, it is not E2E encrypted. However, that's a pretty reasonable setup, depending on how the data on the phone is stored.

iLoveOncall 59 minutes ago | |

You are conflating end-to-end encryption with encryption at rest.

ggm 2 hours ago | |

It also doesn't sound like its encrypted at rest. Perhaps each in-transit is held to be a unique e2e IP exchange?

juggle-anyhow 2 hours ago | | |

Encrypted at rest means something different. It means if you pull the hard drive out no one can decrypt it. Not that it is encrypted in the database.

kator 1 hour ago |

All this said I'm more concerned about Automatic Content Recognition (ACR) on smartTV you buy in the store and never even realize it's phoning home with everything you watch...

JumpCrisscross 58 minutes ago | |

> I'm more concerned about Automatic Content Recognition (ACR) on smartTV

You’re more concerned about privacy when it comes to TV viewing than medical data? What a strange hijacking of a serious thread…

mcmcmc 56 minutes ago | | |

When you buy a medical data collection device and it collects medical data that’s not exactly a surprise

drfloyd51 51 minutes ago | | |

Whataboutism in fancy clothes.

guilamu 1 hour ago | |

If you're concerned about that do not give internet to your tv and use any kind of tv box instead (shield tv, apple tv, etc).

Shadowmist 1 hour ago | | |

How long until they have built in cellular or use a mesh?

Buildstarted 57 minutes ago | | |

with things like amazon's sidewalk you might not have any choice https://en.wikipedia.org/wiki/Amazon_Sidewalk

iLoveOncall 1 hour ago | | |

So that TV box can phone home instead of your smart TV? What's the point?

focusgroup0 2 hours ago |

guy who pays $6/month to be monitored by the f3ds

MassPikeMike 1 hour ago | |

Judging by ads for cell phone service, most people pay more than that per month to be monitored by the Feds.

Cider9986 1 hour ago | | |

Cell phone services don't record your heart rate.

mathgeek 1 hour ago | | |

Judging by various leaks over the years, you get it for free anyway.

BenFranklin100 30 minutes ago |

I considered an Oura but went with an Apple watch instead. I turned on Advanced Data Protection on the paired iPhone for peace of mind. No other large data providers really provide anything equivalent to ADP’s E2EE protection with zero access encryption, especially in the consumer space for activity trackers.

amarant 1 hour ago |

What will the government even do with my heart rate and blood oxygen data?

"Mr Smith has been running again, we better bring him in for questioning!"

Edit: to be clear, the government is requesting the data, so clearly they're doing something with it... But what? I don't see it!

akersten 1 hour ago |

IPOing soon at $11B btw

throwawa1 1 hour ago |

Another reason to add to my list to justify not wearing my Apple watch and moved to a mechanical watch.

shevy-java 57 minutes ago |

We can not trust any government here.

ck2 2 hours ago |

Oura doesn't even have GPS does it?

Government can already get ALL your celltower locations without a warrant

AND read all your emails and text messages that are over 6 months old, without a warrant

arusahni 1 hour ago | |

In a society where women are being prosecuted for medical procedures, menstrual data becomes very risky to have handed over.

kevin_thibedeau 43 minutes ago | | |

I sat in a meeting at a data broker in 1998 where one of their product managers was strangely proud about how they could determine menstrual cycles from purchase records. It wasn't just hygiene products either. They already have that data and manipulate women with targeted ads timed for the optimal receptivity.

michelb 1 hour ago | | |

Probably this yeah. Your location data can be obtained from other devices than your own, but this medical data cannot.

ethersteeds 11 minutes ago | |

The ring doesn't have gps but its app requires location permission so it gets it from your phone. It continually asks me to turn on background sync, which would presumably upload my location regularly as well. I decline and only allow location when the app is open to sync.

speff 1 hour ago | |

From what I understand, they can get call records and subscription info w/ administrative subpoenas, but this is the first I've heard of them being able to get location data without a warrant.

Assuming you meant directly from the telcos and not from the data broker loopholes - in which case pretty much anyone should be able to do that. Emails and texts they still need a warrant for.

n8m8 36 minutes ago | |

Great, so they can further extrapolate what exact locations you get nervous / are more relaxed / walk more quickly… the understated problem with PII isn’t about any single data point, it’s about combining data to make probable inferences.

basisword 2 hours ago |

This is why although I don't love my Apple Watch, I'm not using anything else. It's very sensitive data and Apple is the only company worth trusting with it. They're not perfect but compared to others there's no competition.

mystraline 2 hours ago |

I was definitely interested in some sort of comprehensive sensor bundle for my healthcare.

But every one of these devices demands some Android/Apple app, and shipping all my health data to basically non-HIPAA data brokers.

Id be all over a local-only no-data-exfiltration health tracker. But the companies do NOT want to provide that.

I, uh, guess, "go surveillance capitalism", for more choices?

duskdozer 1 hour ago | |

If your concern is that the government may access the data, whether it's covered by HIPAA or not is irrelevant, because HIPAA allows government access. Though yes, it would still be better than non-HIPAA in general.

permutations 1 hour ago | |

I will once again proselytize for the new pebble time 2 (I am quite a fan of it). Open source and comes with standard sensors for health monitoring (6 axis imu, heart rate monitor, SpO2). Health data can be kept and analyzed on your phone and there are various apps that can do so. Suffice to say there are “surveillance-free” options out there, and if you’re not satisfied with current app options it is easy to hack your own together

RunningDroid 1 hour ago | |

Many times GadgetBridge* can be used instead of the official app

*https://codeberg.org/Freeyourgadget/Gadgetbridge

SkyPuncher 1 hour ago | |

HIPAA is completely irrelevant to any of this. Ours is technically HIPAA complaint because the data they process is not subject to HIPAA.

In overly simple terms, if insurance is not involved, then it’s not subject to HIPAA.

Aldipower 2 hours ago | |

I am using Withings in combination Tredict. Both GDPR-compliant.

johnnyApplePRNG 1 hour ago |

OURA is a joke. My GF bought two for us and after a week I made her return them due to non stop dark patterns coming out of that company.

Everything about that company is disgusting.

Such a shame, too. I was eager to learn more about my health.

Forge36 42 minutes ago | |

Can you elaborate?