Out of all the information we generate (willingly or unwillingly) out there, nothing gets more personal than health data. Traditionally, health data has been collecting dust in some public healthcare sector’s file cabinet, but thanks to fitness and wellness gadgets and services, that data is now scattered across the world.

Workout heatmaps reveal secret military bases left and right, DNA testing services get breached and fitness trackers go bankrupt leaving data who knows where. Is there any hope for privacy left in this field?

After 8 months of waiting since preorder, I’m now an owner of a new Oura ring – one of the most advanced wellness and sleep trackers on the market. Among other things, Oura gives its user (wearer?) an overall score every day for Sleep, Readiness and Activity. I decided to return the favor, go through Oura’s Privacy Policy with a fine-tooth comb and give Oura a Privacy score. This is how it went down.

The starting point

First of all, there are a couple of different components to look at. Here’s an excerpt from the Privacy Policy (May 23, 2018 edition):

When worn, the Oura ring automatically collects data of your body responses during your sleep and daily activity. That data is uploaded wirelessly to your mobile phone via our Oura mobile app. The ring and the app are connected to your computer or a cloud service and your data is made available to you there.

The app. Source: Oura Press Kit

So we have hardware (ring), mobile app, web interface (cloud service) and then of course the data transmission between all of these. The ring collects and stores data until it’s synced with the app, but it’s unclear to me if there’s a possibility for someone e.g. to steal the ring and upload my data to their device. Probably not, and that’s not currently part of my Threat Model either, so let’s focus on the software side. But thanks to “Restricted mode” it’s not possible to withdraw that data with a device that hasn’t been previously paired with the ring. It’s good to note that the connection between the ring and your phone is encrypted as well.

There are 17 parts in the Privacy Policy. To keep the scoring simple, I’ll rate each part either -1, 0 or +1. Scale is then from -17 to +17, and I’ll convert the end result to match the 0-100 rating scale that Oura uses in the app as well. I’ll not copypaste the whole Privacy Policy here, but instead I’ll highlight what I consider to be the most relevant (in good or bad) for this analysis.


1. WHY DOES THIS MATTER?

Please note that certain measurement data collected via the app and device may be regarded as health related data under data protection laws in certain jurisdictions.

They start their policy in a great way. Privacy matters. Also good news for users is the fact that Oura acknowledges that their ring and services are health related. This puts more (legal) obligations on them and how they handle user data.

SCORE: +1

2. ABOUT THIS POLICY

Pretty standard stuff here.

SCORE: 0

3. OUR CONTACT INFORMATION

It’s what it says it is. They also give out contact information for their Data Protection Officer which I guess is a minor plus.

SCORE: +1

4. HOW DOES OUR DEVICE AND APP WORK?

Nothing to mention here.

SCORE: 0

5. WHAT PERSONAL DATA DO WE PROCESS?

Well it is a wellness and sleep tracker, so obviously it collects a bunch of related data. That’s all good. However, there was one thing that caught my eye:

We also track and generate certain usage related and technical data:

• IP address and high-level location

Neither the Oura app nor the web service provides any location-related or location-specific information to the user. So most likely, the IP address is collected just by default, perhaps for their own analytics. “High-level location” could be a reference to the use of collected IP addresses, or it could be addressing the fact that when BLE is turned on on Android devices, location services (GPS) must be turned on as well. I’m not sure if BLE requires that with iOS too, but for Android, that has been a standard feature since 6.0 Marshmallow.

All in all, I still have to give this one a negative score.

SCORE: -1

6. DATA SOURCES

Nothing to mention here. Self explanatory.

SCORE: 0

7. PURPOSES AND LEGITIMATE GROUNDS FOR PROCESSING OF PERSONAL DATA

Smells like GDPR. A couple of things to note:

For analytics and service improvements

We may process aggregated information regarding the use of our Service to improve our app quality. When possible, we will do this using only aggregated, non-personally identifiable data.

For improving app quality, there should never be a need for any developer to collect PII. I assume “when possible” is here just for legal reasons, i.e. to cover their asses in case of data misuse.

For in-app advertising

With your consent we may show or send you advertisements within the app or by using push notifications. We will never use your health-related data for advertising without your explicit consent.

This one is a bit weird. I haven’t seen any ads in the app, and I don’t understand why they would show any either, as it’s not like the company is ad-funded. Perhaps this is here just in case they want to promote the next generation of their rings some time in the future?

Furthermore, we process the personal data to pursue our legitimate for aggregated analytics and trend detection. When choosing to use your data on the basis of our legitimate interests, we carefully weigh our own interests against your right to privacy.

Again a nice thing of them to say. Of course, that sentence doesn’t really mean anything concrete, but looking at the big picture, it’s things like these that help build trust towards the company – at least they’ve gone through the effort to continuously (and consciously) consider user privacy.

I’ll give this one a careful +1. It could be a lot worse.

SCORE: +1

8. DATA TRANSFERS TO COUNTRIES OUTSIDE EEA

Oura stores the Users’ personal data primarily within the European Economic Area.

However, we may transfer personal data to, or access it in, jurisdictions outside the European Economic Area or the User’s domicile.

Sigh.

We will take steps to ensure that the Users’ personal data receives an adequate level of protection in the jurisdictions in which it is processed. We provide adequate protection for the transfers of personal data to countries outside of the European Economic Area through a series of agreements with our service providers based on the Standard Contractual Clauses or other similar arrangements.

SCORE: -1

9. SHARING YOUR PERSONAL DATA

We may share data with our group companies, subsidiaries and affiliates. Otherwise we do not share personal data with third parties outside of our organization unless one of the following circumstances applies:

“We may share, but otherwise we don’t.” ¯\_(ツ)_/¯ The policy proceeds to list a whole bunch of reasons, such as legal or technical, for sharing data. Regardless of how reasonable they are, it’s impossible to give a positive score for this one.

SCORE: -1

10. ANONYMIZED DATA

We may aggregate and anonymize data collected via the application. Such data will be anonymous and cannot be connected to an individual User, therefore no longer qualifying as personal data. We may use this type of anonymous data for analytics, statistics, research, communications and PR purposes as well as for trend detection and for benchmark data.

I have no problem with this. I’ve understood that Oura does quite a bit of collaboration with universities and researchers, and I’m happy to help them with my anonymized data. I’m going to reward them with a positive score just because instead of just hogging or selling my data, they are providing anonymized, aggregated data for good.

SCORE: +1

11. HOW LONG DO WE KEEP YOUR DATA?

Oura does not store personal data longer than is legally permitted and necessary for the purposes specified above. The storage period generally depends on the duration an account lifecycle, unless data has been deleted upon request.

Backups are deleted as soon as reasonably possible, typically within 6 months.

Fair enough.

SCORE: 0

12. YOUR RIGHTS

The policy lists the following rights that users have regarding their data:

  • Right to access
  • Right to withdraw consent
  • Right to correct
  • Right to erasure
  • Right to object
  • Right to restriction of processing
  • Right to data portability

They also explain each right individually. I’m really happy to see this part given so much attention in this Privacy Policy – other companies, take note! This section ends in “How to use the rights”.

SCORE: +1

13. DIRECT MARKETING AND PUSH NOTIFICATIONS

By direct marketing they mean their newsletter, so nothing fancy here.

We will ask your explicit consent if we wish to send you push notifications or to use any health related data for marketing purposes.

I sure hope you do. I think using my health data for marketing purposes is exactly the thing I’m not comfortable with and what I’m afraid of when it comes to these types of gadgets or services.

SCORE: 0

14. DATA OF CHILDREN

We do not knowingly process data of children under the age of 18.

Please note that according to our terms and conditions we reserve the right to delete accounts of children, in particular if no proof of parental consent is provided.

SCORE: +1

15. SAFEGUARDING YOUR DATA

Nothing wrong with this one. I’m going to quote this in full:

We do our best to keep your data safe and secure.

We use administrative, organizational, technical, and physical safeguards to protect the personal data we collect and process. Measures may include, for example, where appropriate, encryption, pseudonymization and access right systems. Our security controls are designed to maintain an appropriate level of data confidentiality, integrity, availability, resilience and ability restore the data. We regularly test our Service, systems, and other assets for security vulnerabilities.

We will take all reasonable precautions to ensure that our staff and employees who have been specifically granted access to information about you have received adequate training to ensure that they process that information only in accordance with this policy and with our obligations under applicable legislations.

Should despite of the security measures, a security breach occur that is likely to have negative effects to your privacy, we will inform you and relevant authorities as required by applicable data protection laws.

SCORE: +1

16. SOCIAL MEDIA AND PUBLIC FORUMS

Basically, they are saying that you can share your data to social media, but they don’t encourage you to do it and they don’t take any responsibility if you do so.

Please think carefully before deciding what information you share, in connection with your User Content.

Educating users in this manner is a plus in my books.

SCORE: +1

17. LODGING A COMPLAINT

In case you consider our processing of personal data to be inconsistent with the applicable data protection laws, a complaint may be lodged with the data protection supervisory authority.

SCORE: 0

 

All three different models: Balance, Balance Diamond & Heritage. Source: Oura Press Kit

The final results

On a scale of -17 to +17, Oura’s Privacy Policy receives a score of 5. Converting this to the 0-100 scale, we get

PRIVACY SCORE
65

Oura considers scores of 85 or above to be excellent (and rewards users with a little 👑). Their current Privacy Policy doesn’t quite get there, but considering we are talking about a wearable that tracks you 24/7, I’d still say that’s a pretty damn good score.

In the end, with wearables (and any other service), it all comes down to two things:

  • how much do you trust the company
  • what is your threat model

Oura being a Finnish company already alleviates privacy concerns a bit. But as seen with this Privacy Policy (and with e.g. the recent case with Polar), that doesn’t automatically guarantee anything.

What do you think about the score of 65? Is it reasonable, or perhaps I was too easy or hard on them? Let me know in the comments below, or as always, you can contact me on Twitter. Thanks for reading.

 

Oura Cloud service. Source: Oura blog

5 thoughts on “Is There Privacy with Wearables? Case Oura Ring”

  1. I am using the Oura ring for a couple weeks now and while browsing their knowledge base, I found the article https://help.ouraring.com/troubleshooting/what-does-restricted-mode-mean which states that

    “After the ring has been paired with one device, it protects the collected data from outsiders with an encrypted connection. If someone tries to reconnect the ring with another device, the app will require the user to perform a factory reset to erase any collected data from the ring memory.”

    So if anyone is wondering, if it’s possible to steal the ring and connect it to a different phone to get the data: no. I guess a real world attacker would maybe exploit bugs in their API or other systems anyway.


  2. The privacy policy at one point reads, “The ring and the app are connected to your computer or a cloud service and your data is made available to you there.”

    Do they have a computer interface instead of using the cloud? I would buy this in a hot second if I knew I could be the one who holds my data.


      1. Thanks for the reply. And for the link to their business offerings. I normally have 0 interest in smart health devices. But the Oura Ring is the first one I am considering. Their privacy seems… passable. I just wish there was an option where I could own my data locally, non-cloud. WHOOP is another I’m considering, maybe I’ll wait a generation.

