Hacker News

Oura says it gets government demands for user data

57 points by donohoe 3 hours ago | 26 comments

sz4kerto 2 hours ago

"In my previous blog, I revealed that Oura data is not end-to-end encrypted. That means that an Oura user's health data can be unscrambled at certain points as it travels from a person's ring, through their phone app, over the internet, and as it lands on Oura's servers."

Very strange -- it seems to be conflating end-to-end encryption with encryption-in-transit.

ggm 2 hours ago

It also doesn't sound like its encrypted at rest. Perhaps each in-transit is held to be a unique e2e IP exchange?

juggle-anyhow 58 minutes ago

Encrypted at rest means something different. It means if you pull the hard drive out no one can decrypt it. Not that it is encrypted in the database.

JumpCrisscross 17 minutes ago

> the once-responsive Oura has not yet replied to any of my inquiries, or committed to releasing the numbers

Illinois has a tight biometric-privacy law [1]. I’d bet Oura isn’t particularly careful about prohibiting e.g. a Texas police department querying the protected information of Illinois residents.

[1] https://en.wikipedia.org/wiki/Biometric_Information_Privacy_...

focusgroup0 56 minutes ago

guy who pays $6/month to be monitored by the f3ds

MassPikeMike 23 minutes ago

Judging by ads for cell phone service, most people pay more than that per month to be monitored by the Feds.

mathgeek 8 minutes ago

Judging by various leaks over the years, you get it for free anyway.

johnnyApplePRNG 10 minutes ago

OURA is a joke. My GF bought two for us and after a week I made her return them due to non stop dark patterns coming out of that company.

Everything about that company is disgusting.

Such a shame, too. I was eager to learn more about my health.

akersten 17 minutes ago

IPOing soon at $11B btw

ck2 54 minutes ago

Oura doesn't even have GPS does it?

Government can already get ALL your celltower locations without a warrant

AND read all your emails and text messages that are over 6 months old, without a warrant

arusahni 35 minutes ago

In a society where women are being prosecuted for medical procedures, menstrual data becomes very risky to have handed over.

michelb 24 minutes ago

Probably this yeah. Your location data can be obtained from other devices than your own, but this medical data cannot.

basisword 2 hours ago

This is why although I don't love my Apple Watch, I'm not using anything else. It's very sensitive data and Apple is the only company worth trusting with it. They're not perfect but compared to others there's no competition.

mmh0000 8 minutes ago

You may want to reevaluate.

Apple has a great PR (propaganda) department that has convinced many people they respect your privacy. In truth, they do not. They're "better" than Google, but only slightly. And only so slightly that realistically it doesn't matter.

"Apple is taking the unprecedented step of removing its highest level data security tool from customers in the UK, after the government demanded access to user data."

https://www.bbc.com/news/articles/cgj54eq4vejo

It happened in the UK; it will not be long before it happens in the US.

Also, USA: https://www.bbc.com/news/technology-36084244

Also, France, Germany, Australia, Brazil, Japan: https://www.apple.com/legal/transparency/pdf/requests-2024-H...

Also, Russia: https://www.bloomberg.com/news/articles/2019-02-04/apple-fil...

Also, China: https://www.article19.org/resources/apple-cares-about-digita...

Also in general: https://proton.me/blog/iphone-privacy

GeekyBear 14 minutes ago

A great example is Apple's new in-house cellular modem design, which gives you the option to stop reporting your exact location to your cellular provider.

The best way to prevent the Feds from getting access to customer data is to not collect it in the first place.

jeroenhd 58 minutes ago

Google's Health Connect system doesn't share this data either (without a consent prompt for third party apps, off course). This is to the point where I wish it would just support some kind of sync, because two devices hooked up to the same accounts need a third party app to transfer the health info.

Apple is subject to the same laws Oura is. The competition is too.

jjice 10 minutes ago

I believe the Apple one is E2E encrypted so they physically can't give useful data. Thats the core issue with Oura here.

SoftTalker 47 minutes ago

Apple might be pretty good now. There's no assurance they always will be.

haritha-j 37 minutes ago

Yeah there's no one I'd trust with my personal data except Apple. Their track record of refusing to bow down to the feds has been golden. 24 carat infact.

echelon 27 minutes ago

In the US. Apple's policies are flexible when it comes to other nation states.

All it takes is a political sea change for E2EE to go away.

Apple already has to hand over a wealth of information when asked by the feds.

GeekyBear 3 minutes ago

Apple literally removed encrypted file storage as a feature in the UK rather than comply with demands for access to encrypted customer data from the UK government.

Previously, they refused US government demands for a backdoor that would allow them to unlock locked devices.

mystraline 2 hours ago

I was definitely interested in some sort of comprehensive sensor bundle for my healthcare.

But every one of these devices demands some Android/Apple app, and shipping all my health data to basically non-HIPAA data brokers.

Id be all over a local-only no-data-exfiltration health tracker. But the companies do NOT want to provide that.

I, uh, guess, "go surveillance capitalism", for more choices?

permutations 2 minutes ago

I will once again proselytize for the new pebble time 2 (I am quite a fan of it). Open source and comes with standard sensors for health monitoring (6 axis imu, heart rate monitor, SpO2). Health data can be kept and analyzed on your phone and there are various apps that can do so. Suffice to say there are “surveillance-free” options out there, and if you’re not satisfied with current app options it is easy to hack your own together

duskdozer 39 minutes ago

If your concern is that the government may access the data, whether it's covered by HIPAA or not is irrelevant, because HIPAA allows government access. Though yes, it would still be better than non-HIPAA in general.

SkyPuncher 39 minutes ago

HIPAA is completely irrelevant to any of this. Ours is technically HIPAA complaint because the data they process is not subject to HIPAA.

In overly simple terms, if insurance is not involved, then it’s not subject to HIPAA.

Aldipower 2 hours ago

I am using Withings in combination Tredict. Both GDPR-compliant.