Oura says it gets government demands for user data. Will it share how many?
48 points | 1 hour ago | 7 comments | this.weekinsecurity.com | HN
JumpCrisscross
1 minute ago
Illinois has a tight biometric-privacy law [1]. I’d bet Oura isn’t particularly careful about prohibiting e.g. a Texas police department querying the protected information of Illinois residents.

[1] https://en.wikipedia.org/wiki/Biometric_Information_Privacy_...

sz4kerto
56 minutes ago
"In my previous blog, I revealed that Oura data is not end-to-end encrypted. That means that an Oura user's health data can be unscrambled at certain points as it travels from a person's ring, through their phone app, over the internet, and as it lands on Oura's servers."

Very strange -- it seems to be conflating end-to-end encryption with encryption-in-transit.

ggm
48 minutes ago
It also doesn't sound like it's encrypted at rest. Perhaps each in-transit is held to be a unique e2e IP exchange?
juggle-anyhow
41 minutes ago
Encrypted at rest means something different. It means if you pull the hard drive out no one can decrypt it. Not that it is encrypted in the database.
akersten
48 seconds ago
IPOing soon at $11B btw
focusgroup0
39 minutes ago
guy who pays $6/month to be monitored by the f3ds
MassPikeMike
6 minutes ago
Judging by ads for cell phone service, most people pay more than that per month to be monitored by the Feds.
basisword
48 minutes ago
This is why although I don't love my Apple Watch, I'm not using anything else. It's very sensitive data and Apple is the only company worth trusting with it. They're not perfect but compared to others there's no competition.
jeroenhd
42 minutes ago
Google's Health Connect system doesn't share this data either (without a consent prompt for third party apps, of course). This is to the point where I wish it would just support some kind of sync, because two devices hooked up to the same accounts need a third party app to transfer the health info.

Apple is subject to the same laws Oura is. The competition is too.

SoftTalker
31 minutes ago
Apple might be pretty good now. There's no assurance they always will be.
haritha-j
21 minutes ago
Yeah there's no one I'd trust with my personal data except Apple. Their track record of refusing to bow down to the feds has been golden. 24 carat in fact.
echelon
10 minutes ago
In the US. Apple's policies are flexible when it comes to other nation states.

All it takes is a political sea change for E2EE to go away.

Apple already has to hand over a wealth of information when asked by the feds.

ck2
37 minutes ago
Oura doesn't even have GPS does it?

Government can already get ALL your celltower locations without a warrant

AND read all your emails and text messages that are over 6 months old, without a warrant

arusahni
19 minutes ago
In a society where women are being prosecuted for medical procedures, menstrual data becomes very risky to have handed over.
michelb
8 minutes ago
Probably this yeah. Your location data can be obtained from other devices than your own, but this medical data cannot.
mystraline
58 minutes ago
I was definitely interested in some sort of comprehensive sensor bundle for my healthcare.

But every one of these devices demands some Android/Apple app, and shipping all my health data to basically non-HIPAA data brokers.

I'd be all over a local-only no-data-exfiltration health tracker. But the companies do NOT want to provide that.

I, uh, guess, "go surveillance capitalism", for more choices?

duskdozer
23 minutes ago
If your concern is that the government may access the data, whether it's covered by HIPAA or not is irrelevant, because HIPAA allows government access. Though yes, it would still be better than non-HIPAA in general.
SkyPuncher
23 minutes ago
HIPAA is completely irrelevant to any of this. Oura is technically HIPAA compliant because the data they process is not subject to HIPAA.

In overly simple terms, if insurance is not involved, then it’s not subject to HIPAA.

Aldipower
47 minutes ago
I am using Withings in combination with Tredict. Both GDPR-compliant.