Oura says it gets government demands for user data. Will it share how many?
Recorded: May 23, 2026, 2:59 p.m.
| Original | Summarized |
~this week in security~, 23 May 2026
Oura users' data is not end-to-end encrypted and can be handed to the government. Will the wearable tech maker say how often it turns over data?
Last year, health wearable maker Oura became embroiled in a social media shitstorm after inking a deal with the Department of Defense and Palantir. Some customers feared their data would end up in the clutches of the Trump administration. The scandal blew up so much that my partner, an Oura ring user, drew my attention to it.
Oura rings are health-monitoring hardware wearables worn on a finger. These battery powered rings keep track of a person's health data, like heart rate, sleep patterns, menstrual cycles, and dozens of other data points, including their location. Oura keeps a lot of sensitive information about its users on its servers.
As a security and privacy nerd reporter, and the partner of someone who uses hers, I wondered: Where does all that data go, and how does it get there? You might assume it doesn't matter. But the way that companies set up their products and servers makes all the difference between whether governments (or hackers) can also access that user data.
This was a good opportunity to dig into how Oura rings work, how they send data and how the data is stored, and who has access to it. I wrote a detailed longread explaining why Oura's security design choices allow governments to tap records from Oura's vast banks of user information.
Oura is not unique in this, and many (if not most) companies design their systems to allow their staff to access user data, perhaps for troubleshooting customer issues or because it was the easiest and cheapest setup for a once cash-strapped startup.
But Oura is now one of the largest health tech wearable makers today, valued at over $11 billion ahead of going public. The company has a responsibility more than ever to ensure that its users' data cannot be accessed. And, Oura can no longer argue that it does not have the financial resources to do it.
In my previous blog, I revealed that Oura data is not end-to-end encrypted. That means that an Oura user's health data can be unscrambled at certain points as it travels from a person's ring, through their phone app, over the internet, and as it lands on Oura's servers. The company confirmed that it stores user data in a way that allows some staff to access it. This also means others can as well, such as a prosecutor with a warrant, a hacker with stolen keys, or a disgruntled insider who wants to leave behind a fustercluck of a mess.
Out of the three, we know at least one of those things has happened.
When I reached out for comment before publishing my last article, an Oura spokesperson told me that the company does "receive infrequent requests from the government." Oura said it looks at each request "for legality, scope, and necessity," and that it pushes back "where requests are invalid, overbroad, or inconsistent with our commitment to protect our members’ privacy."
Oura would not say how many requests it receives, how often it turns over user data, or what kinds of data are requested.
Oura has sold over 5.5 million rings to date as of around the time of my last article, giving some scale to the size of the company's customer base.
I asked Oura back then if it would disclose how often it received these requests, such as by publishing a transparency report. A wave of tech companies began releasing in aggregate how many government demands they received on a semi-annual basis. This was largely to counter the claims that they were secretly handing over reams of user data to the government upon request, stemming from the NSA surveillance scandal in 2013.
There was some hope in Oura's initial response. A spokesperson told me at the time that while Oura does not publish a transparency report, the company said it was "actively evaluating how to share aggregate data in a way that maintains security and does not introduce risk to our members."
It's been eight months, dear reader. I recently reached out to Oura again to see if it would release a transparency report, and after several follow-up emails, the once-responsive Oura has not yet replied to any of my inquiries, or committed to releasing the numbers. I'm hopeful that Oura will reconsider and publish how many demands it receives as other tech companies have. Without seeing the numbers, it is impossible to know how often, if ever, Oura rejects government demands for data. As the frontrunner in the health wearables market, Oura should share how often the government demands access to users' information if it wants to earn or keep the trust of its customers.
Published by: Zack Whittaker |
The provided text examines the security, privacy, and data governance practices of the health wearable maker Oura, particularly concerning government demands for user data. The author raises concerns stemming from Oura's history, specifically a deal with the Department of Defense and Palantir, which fueled fears among customers that their sensitive health data could be accessed by government entities, such as the Trump administration. Oura’s products, wearable rings, collect a substantial amount of sensitive personal information, including heart rate, sleep patterns, menstrual cycles, and location data, necessitating a thorough examination of how this information is secured and managed. A critical aspect highlighted is Oura’s security architecture; the author notes that the company’s design choices allow for access to user data by governmental bodies. Specifically, Oura does not employ end-to-end encryption, meaning user health data can be potentially unscrambled during transit from the ring to the mobile application, across the internet, and onto Oura’s servers. Furthermore, the company confirms that its data storage methods allow internal staff access, which consequently opens potential avenues for external access by entities like prosecutors with warrants, hackers, or disgruntled insiders. When questioned about government interactions, an Oura spokesperson indicated that the company receives infrequent requests and assesses each one based on legality, scope, and necessity, pushing back against demands that are deemed invalid, overbroad, or inconsistent with privacy commitments. However, Oura made no public disclosure regarding the frequency of these government requests, the volume of data turnover, or the types of data requested. The author argues that this lack of transparency is problematic, especially given Oura's position as a leading provider in the health wearables market. 
The author stresses that without knowing how often government demands are made or how often Oura rejects them, it is impossible to gauge the extent of data exposure. In the context of post-2013 surveillance concerns, the author points out that other technology companies have begun releasing aggregate data on government demands to counter the narrative of secret data transfers. Despite this industry trend, Oura has not provided a transparency report, and subsequent follow-up inquiries have gone unanswered. The author concludes by asserting that Oura should share aggregate data on government access requests to maintain the trust of its extensive customer base. |