Oura collects your sleep data. It won't say who else gets to see it.

├── "Oura should publish a transparency report because it holds uniquely sensitive biometric data"
│  ├── Zack Whittaker (This Week in Security) → read

Whittaker argues that Oura's continuous, passive collection of heart rate, temperature, sleep, and menstrual cycle data is more granular than any app-based tracker, making post-Dobbs prosecutorial risk a live concern. Because every major consumer-platform peer (Apple, Google, Meta, Cloudflare, Reddit, Discord) publishes semiannual demand counts, Oura's refusal to disclose even totals puts it on the wrong side of an established industry norm.

│  └── @donohoe (Hacker News, 108 pts) → view

By submitting the story and driving it to 108 points, donohoe signal-boosts the position that Oura's silence is newsworthy and warrants public scrutiny. The submission frames the lack of a transparency report as a meaningful gap in user trust for a device worn 24/7.

├── "Transparency reporting is a voluntary norm that the wearables industry has quietly opted out of"
│  └── top10.dev editorial (top10.dev) → read below

The editorial observes that transparency reports are not legally required but have been the de facto standard since Google established the practice in 2010. Wearable makers — Oura, Whoop, Garmin — have collectively declined to adopt the norm, exploiting the fact that it is enforced only by reputational pressure rather than regulation.

└── "Post-Dobbs, continuous biometric data is a specific legal liability for users, not just a privacy abstraction"
  └── top10.dev editorial (top10.dev) → read below

The editorial connects Oura's passive, always-on cycle and temperature data to the documented prosecutorial interest in period-tracking apps in states that criminalized abortion after Dobbs. Because the ring collects richer signals than any standalone tracker and is worn continuously, the practical risk to users in those jurisdictions is materially higher than for app-based competitors.

What happened

Oura, the $5.2B Finnish smart-ring maker with roughly 2.5 million rings sold, told *This Week in Security* that it does in fact receive government and law enforcement demands for user data. What it would not do is say how many, from which jurisdictions, or how often it complies. The company has no transparency report, no published process for handling subpoenas, and no commitment to issue one.

The reporting comes from Zack Whittaker, who put the same question to Oura that he routinely puts to every consumer tech company that touches sensitive data: how many government demands did you receive last year? Apple, Google, Microsoft, Meta, Cloudflare, Reddit, Discord, and Automattic all answer that question in public, semiannual filings. Fitbit (now Google) is folded into Google's report. Whoop and Garmin do not publish one. Oura now joins that second list, but with an explicit acknowledgment that the demands exist.

Oura's data set is not trivia. The ring continuously logs heart rate variability, resting heart rate, skin temperature deviation, blood oxygen, sleep stages, and — for users who opt in — menstrual cycle prediction. Two years ago, after the *Dobbs* decision, period-tracking apps became a live concern for prosecutors in states that criminalized abortion. Oura's data is more granular than any standalone cycle tracker, and unlike app-based trackers it is collected passively, 24/7, from a device the user almost never takes off.

Why it matters

Transparency reports are not a legal requirement. They are a norm, one Google established in 2010 and that every infrastructure provider wanting to be taken seriously on user trust rapidly adopted. The norm exists precisely because companies that hold sensitive data have leverage to push back on overbroad requests, and the public has a right to see whether they're using it.

The wearables industry has quietly opted out. Whoop, Garmin, Oura, Eight Sleep, and most fitness trackers publish nothing. The reasoning, when companies are pressed in private, is some version of: we're a hardware company, not a platform; the volume of requests is too low to be meaningful; publishing numbers would invite scrutiny we'd rather avoid. None of these arguments survive contact with the data itself. Oura's ring generates a higher-resolution biometric record than any phone, and any volume of requests above zero is meaningful when the data can establish location, sleep schedule, pregnancy, and physiological response.

The community reaction on Hacker News (108 points, ~200 comments at time of writing) split predictably. One camp argued that the request volume is probably small and that publishing a report would be performative. The counterargument, made well by several commenters with security and legal backgrounds, is that the size of the number is the point: if it's small, publish it; if it's large, the public has a right to know. Whittaker's reporting also notes that Oura's terms of service include a broad cooperation clause with no notice-to-user commitment. Apple, by contrast, notifies users of government requests unless legally prohibited. Oura makes no such promise.

There is a second-order issue here that the developer audience should care about specifically. Oura has an API. It has a developer platform. Third-party integrations — fertility apps, performance coaching tools, corporate wellness programs — ingest Oura data and store derived versions of it. When a government demand lands on Oura, what happens to the partner data is undefined. There is no model contract clause covering it, no published retention policy for subpoena-touched accounts, and no audit log a user can request.

What this means for your stack

If you're integrating consumer biometric APIs into a product, the absence of a transparency report is a procurement signal. Treat it the same way you'd treat a SaaS vendor with no SOC 2, no published incident history, and no DPA: a risk that has to be priced in or designed around. Specifically:

- Minimize what you sync. If your app only needs sleep score, don't pull HRV and temperature deviation. The data you don't hold can't be subpoenaed from you, and the data your vendor doesn't have to hand over on your behalf is data your users don't have to worry about.
- Document the chain. When a user asks where their data lives, you should be able to answer: Oura's servers, your servers, your analytics provider, your backup. Each hop is a separate subpoena target.
- Push the vendor. Procurement leverage is the only thing that has historically moved companies to publish transparency reports. Reports spread across the industry once customers and advocacy groups (the EFF's "Who Has Your Back" scorecards among them) made publishing one a competitive issue. Oura will do it when enough developer-platform customers make it a condition of integration.
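The first two points above are enforceable in code at the ingestion boundary rather than left to policy. The following is an added example, not Oura's code or the page's own: a deny-by-default projection of a vendor API response onto the fields the product has a stated need for, with a type check on the fields it keeps and an audit of the field names it dropped (names only, never values). The sample payload and its field names (`day`, `score`, `average_hrv`, `temperature_deviation`, `cycle_phase`) are constructed to look like a daily-sleep record and are assumptions, not Oura's documented schema.

```python
"""Data-minimization filter for a third-party biometric API feed.

Added example (not Oura's code, not the page's code). The payload below is
constructed to look like a daily-sleep record from a wearable API; the field
names are assumptions, not Oura's documented schema.
"""
import json
from typing import Any

# Deny by default: only the fields this product has a stated business need for.
# Everything else (HRV, temperature deviation, cycle phase, ...) is dropped
# before it is written anywhere, so it can never be produced from our systems.
ALLOWED_FIELDS: dict[str, type] = {
    "day": str,     # calendar day the record describes
    "score": int,   # the single sleep score the product actually uses
}

# Constructed sample (assumed field names): three records, one with a
# wrongly-typed score and one carrying a field we never expected the vendor
# to send (a new API version, say).
SAMPLE_PAYLOAD = json.dumps({
    "data": [
        {"day": "2024-05-01", "score": 82, "average_hrv": 41,
         "temperature_deviation": 0.3},
        {"day": "2024-05-02", "score": "77", "average_hrv": 39,
         "temperature_deviation": -0.1},
        {"day": "2024-05-03", "score": 90, "average_hrv": 44,
         "temperature_deviation": 0.8, "cycle_phase": "luteal"},
    ]
})


class SchemaViolation(ValueError):
    """A field we do keep arrived with the wrong type; refuse rather than coerce."""


def minimize(record: dict[str, Any]) -> tuple[dict[str, Any], set[str]]:
    """Project one vendor record onto the allowlist.

    Returns (kept, dropped_field_names). Only the *names* of dropped fields are
    returned, so the caller can log that a field was discarded without ever
    logging its value.
    """
    kept: dict[str, Any] = {}
    dropped: set[str] = set()
    for name, value in record.items():
        expected = ALLOWED_FIELDS.get(name)
        if expected is None:
            dropped.add(name)          # not on the allowlist: never persisted
            continue
        if not isinstance(value, expected):
            raise SchemaViolation(
                f"{name}: expected {expected.__name__}, got {type(value).__name__}")
        kept[name] = value
    return kept, dropped


def ingest(payload: str) -> tuple[list[dict[str, Any]], set[str], int]:
    """Parse a vendor response, minimize every record, count rejections.

    Returns (stored_records, all_dropped_field_names, rejected_count).
    Records that fail the type check are rejected whole rather than
    partially stored, so the persisted data set stays schema-clean.
    """
    records = json.loads(payload)["data"]
    stored: list[dict[str, Any]] = []
    dropped_all: set[str] = set()
    rejected = 0
    for rec in records:
        try:
            kept, dropped = minimize(rec)
        except SchemaViolation:
            rejected += 1
            continue
        stored.append(kept)
        dropped_all |= dropped
    return stored, dropped_all, rejected


if __name__ == "__main__":
    stored, dropped, rejected = ingest(SAMPLE_PAYLOAD)
    print("stored:", stored)
    print("dropped field names (never persisted):", sorted(dropped))
    print("rejected records:", rejected)
```

The dropped-name set is the artifact to keep for the "document the chain" question: it is evidence, per sync, of exactly which vendor fields never entered your systems, which is the answer a user (or a subpoena) needs without the answer itself containing any biometric value. When the vendor adds a field, it shows up in that set rather than silently landing in your database.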

For individual users in the audience: if your threat model includes a hostile state actor (and post-*Dobbs*, for a meaningful slice of the US population, it does) a ring that logs your skin temperature around the clock is not a neutral device. The mitigation is not to stop wearing it. The mitigation is to know what's collected, where it goes, and to choose vendors whose answer to "how many government requests did you get last year" is a number rather than a shrug.

Looking ahead

The wearables transparency gap is going to close, but not because the companies want it to. It will close because a high-profile case — a prosecution that turns on ring data, a civil discovery dispute, a leaked subpoena — forces it. The companies that get ahead of that moment by publishing voluntarily will look like they had principles. The companies that are dragged into it will look like Oura looks today: a company that knows the answer, has chosen not to share it, and is hoping nobody keeps asking.

Hacker News 271 pts 149 comments

Oura says it gets government demands for user data. Will it share how many?

→ read on Hacker News
JumpCrisscross · Hacker News

> the once-responsive Oura has not yet replied to any of my inquiries, or committed to releasing the numbers

Illinois has a tight biometric-privacy law [1]. I'd bet Oura isn't particularly careful about prohibiting e.g. a Texas police department querying the protected information of Illinois resid

sz4kerto · Hacker News

"In my previous blog, I revealed that Oura data is not end-to-end encrypted. That means that an Oura user's health data can be unscrambled at certain points as it travels from a person's ring, through their phone app, over the internet, and as it lands on Oura's servers." Ver

focusgroup0 · Hacker News

guy who pays $6/month to be monitored by the f3ds

kator · Hacker News

All this said I'm more concerned about Automatic Content Recognition (ACR) on smartTV you buy in the store and never even realize it's phoning home with everything you watch...

amarant · Hacker News

What will the government even do with my heart rate and blood oxygen data? "Mr Smith has been running again, we better bring him in for questioning!"

Edit: to be clear, the government is requesting the data, so clearly they're doing something with it... But what? I don't see it!
