Oura admits to government data demands — but won't say how many

├── "Oura's opacity on government data requests is a deliberate calculation that betrays user trust"
│  └── top10.dev editorial (top10.dev)

The editorial argues Oura has decided the legal risk of disclosure exceeds the reputational risk of opacity, betting customers won't notice the absence of a transparency report, warrant canary, or published challenge policy. This is framed as a deliberate corporate choice rather than a legal necessity, given that Apple, Google, Microsoft, and even Discord publish biannual transparency reports.

├── "The wearables industry as a whole has quietly opted out of post-Snowden disclosure norms"
│  └── top10.dev editorial (top10.dev)

The piece points out that Fitbit (pre-Google), Whoop, and Garmin similarly publish no transparency reports, suggesting this is a category-wide failure rather than just an Oura problem. The wearables sector skipped the decade of accountability norms the rest of tech built after Snowden, creating a blind spot precisely as these devices collect ever more sensitive physiological data.

├── "Oura's biometric dataset is uniquely sensitive in a post-Dobbs legal landscape"
│  ├── top10.dev editorial (top10.dev)

The editorial emphasizes that Oura collects continuous heart rate, HRV, respiratory rate, skin temperature, sleep stages, and increasingly inferences about illness and reproductive status via Symptom Radar and pregnancy tracking. This is a denser physiological dataset than messaging metadata and is exactly the category prosecutors in restrictive states have begun seeking in abortion-related investigations.

│  └── @donohoe (Hacker News, 268 pts)

By surfacing Zack Whittaker's TechCrunch reporting to HN's front page (268 points, 146 comments), the submitter signaled that the developer community sees this as a meaningful privacy concern worth amplifying. The high engagement reflects shared unease about biometric data flowing to governments without disclosure.

└── "Transparency reports are the only public accountability mechanism for secret legal process"
  └── top10.dev editorial (top10.dev)

Because National Security Letters and Section 2703(d) orders come with gag orders, aggregate transparency reports are the sole window the public has into the scale and shape of government data demands. Without them, users have no way to assess whether a company is a frequent compliance partner or a rare target, making informed consent about device adoption impossible.

What happened

Oura, the Finnish maker of the smart ring worn by an estimated 2.5 million people including a sizable contingent of Silicon Valley executives, confirmed to TechCrunch's Zack Whittaker that it receives government demands for user data. What it won't do is tell anyone how many, from which governments, or what categories of data are handed over. The company has no transparency report. It has no published policy for challenging overbroad requests. It has no warrant canary.

This is the standard playbook of a company that has decided the legal risk of disclosure exceeds the reputational risk of opacity — and is betting customers won't notice. Apple, Google, Microsoft, Cloudflare, Meta, and even Discord publish biannual transparency reports detailing the volume and type of government requests they receive. Fitbit, before the Google acquisition, did not. Whoop does not. Garmin does not. The wearables industry as a category has quietly opted out of the disclosure norms that the rest of the tech industry spent a decade building post-Snowden.

The story matters because of what Oura actually collects. Continuous heart rate, heart rate variability, respiratory rate, skin temperature deviation from baseline, sleep stages (REM, deep, light), movement, and increasingly — with the Symptom Radar and pregnancy-tracking features — inferences about illness onset and reproductive status. This is a denser behavioral and physiological dataset than most messaging metadata. It's also, post-Dobbs, the exact category of data that prosecutors in restrictive states have begun seeking in abortion-related investigations.

Why it matters

The transparency-report norm exists for a reason: it's the only public-facing accountability mechanism for the secret legal process. National Security Letters come with gag orders. Section 2703(d) orders under the Stored Communications Act often arrive with non-disclosure provisions. Subpoenas for biometric data sit in a legal grey zone that the courts have not yet meaningfully bounded. Without aggregate numbers, users have no way to assess whether a service is a high-value target for law enforcement or a backwater they can safely ignore.

The deeper issue is that wearables sit in a regulatory blind spot. HIPAA covers data held by "covered entities" — your doctor, your hospital, your insurer. It does not cover the same data when collected directly by a consumer device manufacturer. Your cardiologist needs a court order to release your heart rhythm data; Oura arguably needs only a subpoena, which requires a far lower evidentiary bar than a warrant. The FTC has been increasingly active on health-data privacy under Section 5 (see the 2023 GoodRx and BetterHelp settlements), but enforcement has focused on advertising-related sharing, not law enforcement disclosure.

Community reaction on Hacker News was unusually pointed for a privacy story (268 points, ~400 comments). The top thread argued that the absence of a transparency report is itself the answer — that any company receiving zero requests would happily say so. Several commenters noted Oura's recent military and government contracts (the U.S. Department of Defense bought 8,000+ rings for personnel health monitoring in 2020-2021, and the company has ongoing federal relationships) as a structural conflict that makes transparency commercially inconvenient. Others pointed to the company's Finnish headquarters as theoretically protective under EU data-transfer rules — until you remember that European data, once subject to a U.S. legal process aimed at U.S. servers, gets the same treatment as everyone else's.

The pattern here — collect rich physiological data, build deep behavioral inference on top, decline to disclose government interactions — is the default posture of every consumer health-tech startup launched in the last five years. It's not malicious. It's the path of least legal resistance combined with the path of least PR friction. But it produces a market in which users have no signal to differentiate between vendors who will fight overbroad requests and vendors who will quietly comply.

What this means for your stack

If you're building anything that touches biometric, health, or location data, the legal threat model has shifted and your privacy architecture needs to catch up. The mitigation isn't "better encryption at rest" — it's data minimization that makes compliance with a subpoena technically impossible. Apple's approach to iMessage (end-to-end encryption such that Apple cannot decrypt content even with a warrant) and Signal's approach to contact metadata (sealed sender, no logs to subpoena) are the design patterns to study. Not because every app needs to be Signal, but because the questions they had to answer — "what happens when we receive a subpoena" — should be answered at design time, not at lawyer time.

Concrete actions: (1) Audit what user data your service holds that could be subpoenaed. "Could it be subpoenaed" is approximately "does it exist on a server you control." (2) For each category, ask whether you need to retain it server-side or whether on-device processing is feasible. (3) If you're a startup, publish a transparency policy *before* you receive your first request — it's much harder to start once gag orders are in play. (4) Consider a warrant canary, with the caveat that the legal protection of canaries remains untested. (5) If you handle health data and aren't HIPAA-covered, you're in the FTC's jurisdiction under the Health Breach Notification Rule — read the 2023 GoodRx complaint carefully.
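An added example, not from the top10.dev piece and not Oura's code, of answering steps (1) and (2) at design time: the same night of ring readings is stored under a naive design and under an on-device-aggregation design, and a "what could we hand over" export shows what each leaves producible. `ServerRecord`, the field names and the sample readings are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean

# Constructed sample input: one night of ring readings as (minute, bpm) pairs.
RAW_SAMPLES = [(0, 58), (1, 57), (2, 61), (3, 55), (4, 54), (5, 72), (6, 56)]

@dataclass
class ServerRecord:
    user_id: str
    night: str    # ISO date of the night the record covers
    fields: dict  # exactly what the server persists for that night

def naive_upload(user_id, night, samples):
    """Design A: every raw sample is stored server-side, so every sample is producible."""
    return ServerRecord(user_id, night, {"hr_samples": list(samples)})

def minimized_upload(user_id, night, samples):
    """Design B: the device reduces the night to coarse scores; raw samples never leave it."""
    bpm = [b for _, b in samples]
    return ServerRecord(user_id, night, {"resting_hr": round(mean(bpm)), "lowest_hr": min(bpm)})

def purge_expired(records, today, retention_days):
    """Retention limit: nights older than the window are deleted, not archived."""
    cutoff = date.fromisoformat(today) - timedelta(days=retention_days)
    return [r for r in records if date.fromisoformat(r.night) >= cutoff]

def legal_request_export(records, user_id, requested_fields):
    """Answer 'what could we hand over?' for one user: only fields that exist server-side.
    Returns (producible, not_held) so the gap between the request and the data is explicit."""
    producible = {}
    for r in records:
        if r.user_id != user_id:
            continue
        for f in requested_fields:
            if f in r.fields:
                producible.setdefault(f, []).append((r.night, r.fields[f]))
    not_held = sorted(set(requested_fields) - set(producible))
    return producible, not_held

if __name__ == "__main__":
    for design in (naive_upload, minimized_upload):
        held = [design("user-1", "2024-03-01", RAW_SAMPLES)]
        print(design.__name__, legal_request_export(held, "user-1", ["hr_samples", "resting_hr"]))
```

Under design A the per-minute series is producible on request; under design B the same request can only be answered with two nightly numbers, and with `purge_expired` in place only for nights inside the retention window.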

The second-order implication is for procurement. If your company issues wearables to employees (for wellness programs, executive health screening, or operational fitness), you are now the data controller for a population of physiological data that can be subpoenaed for any of those employees. Most corporate wellness contracts have not been updated to reflect this.

Looking ahead

The wearables industry will eventually be forced into the transparency-report norm — either by EU regulation (the GDPR already arguably requires Article 15 disclosures), a high-profile criminal case where ring data convicts someone, or competitive pressure once one major vendor breaks ranks. Oura, with its scale and visibility, is the obvious candidate to move first. Until it does, the practical advice for privacy-conscious users is the same as it's always been: assume any data you don't explicitly control will eventually be requested by someone with legal authority to ask, and act accordingly.

Hacker News 271 pts 149 comments

Oura says it gets government demands for user data. Will it share how many?

JumpCrisscross · Hacker News

> the once-responsive Oura has not yet replied to any of my inquiries, or committed to releasing the numbers

Illinois has a tight biometric-privacy law [1]. I'd bet Oura isn't particularly careful about prohibiting e.g. a Texas police department querying the protected information of Illinois resid

sz4kerto · Hacker News

"In my previous blog, I revealed that Oura data is not end-to-end encrypted. That means that an Oura user's health data can be unscrambled at certain points as it travels from a person's ring, through their phone app, over the internet, and as it lands on Oura's servers." Ver

focusgroup0 · Hacker News

guy who pays $6/month to be monitored by the f3ds

kator · Hacker News

All this said I'm more concerned about Automatic Content Recognition (ACR) on smartTV you buy in the store and never even realize it's phoning home with everything you watch...

amarant · Hacker News

What will the government even do with my heart rate and blood oxygen data? "Mr Smith has been running again, we better bring him in for questioning!"

Edit: to be clear, the government is requesting the data, so clearly they're doing something with it... But what? I don't see it!
