4 Sources
[1]
Engineer proves that Kohler's smart toilet cameras aren't very private
Kohler is facing backlash after an engineer pointed out that the company's new smart toilet cameras may not be as private as it wants people to believe. The discussion raises questions about Kohler's use of the term "end-to-end encryption" (E2EE) and the inherent privacy limitations of a device that films the goings-on of a toilet bowl.

In October, Kohler announced its first "health" product, the Dekoda. Kohler's announcement described the $599 device (it also requires a subscription that starts at $7 per month) as a toilet bowl attachment that uses "optical sensors and validated machine-learning algorithms" to deliver "valuable insights into your health and wellness." The announcement added:

Data flows to the personalized Kohler Health app, giving users continuous, private awareness of key health and wellness indicators -- right on their phone. Features like fingerprint authentication and end-to-end encryption are designed for user privacy and security.

The average person is most likely to be familiar with E2EE through messaging apps, like Signal. Messages sent via apps with E2EE are encrypted throughout transmission. Only the message's sender and recipient can view the decrypted messages, which is intended to prevent third parties, including the app developer, from reading them.

But how does E2EE apply to a docked camera inside a toilet? Software engineer and former Federal Trade Commission technology advisor Simon Fondrie-Teitler sought answers about this, considering that "Kohler Health doesn't have any user-to-user sharing features," he wrote in a blog post this week:

... emails exchanged with Kohler's privacy contact clarified that the other 'end' that can decrypt the data is Kohler themselves: 'User data is encrypted at rest, when it's stored on the user's mobile phone, toilet attachment, and on our systems. Data in transit is also encrypted end-to-end, as it travels between the user's devices and our systems, where it is decrypted and processed to provide our service.'

Ars Technica contacted Kohler to ask if the above statement is an accurate summary of Dekoda's "E2EE" and if Kohler employees can access data from Dekoda devices. A spokesperson responded with a company statement that basically argued that data gathered from Dekoda devices is encrypted from one end (the toilet camera) until it reaches another end, in this case, Kohler's servers. The statement reads, in part:

The term end-to-end encryption is often used in the context of products that enable a user (sender) to communicate with another user (recipient), such as a messaging application. Kohler Health is not a messaging application. In this case, we used the term with respect to the encryption of data between our users (sender) and Kohler Health (recipient). We encrypt data end-to-end in transit, as it travels between users' devices and our systems, where it is decrypted and processed to provide and improve our service. We also encrypt sensitive user data at rest, when it's stored on a user's mobile phone, toilet attachment, and on our systems.

Although Kohler somewhat logically defines the endpoints in what it considers E2EE, at a minimum, Kohler's definition goes against the consumer-facing spirit of E2EE. Because E2EE is, as Kohler's statement notes, most frequently used in messaging apps, people tend to associate it with privacy from the company that enables the data transmission. Since that's not the case with the Dekoda, Kohler's misuse of the term E2EE can give users a false sense of privacy.

As IBM defines it, E2EE "ensures that service providers facilitating the communications ... can't access the messages." Kohler's statement implies that the company understood how people typically think about E2EE and still chose to use the term over more accurate alternatives, such as Transport Layer Security (TLS) encryption, which "encrypts data as it travels between a client and a server. However, it doesn't provide strong protection against access by intermediaries such as application servers or network providers," per IBM.

"Using terms like 'anonymized' and 'encrypted' gives an impression of a company taking privacy and security seriously -- but that doesn't mean it actually is," RJ Cross, director of the consumer privacy program at the Public Interest Research Group (PIRG), told Ars Technica.

Smart toilet cameras are so new (and questionable) that there are few comparisons we can make here. But the Dekoda's primary rival, the Throne, also uses confusing marketing language. The smart camera's website makes no mention of end-to-end encryption but claims that the device uses "bank-grade encryption," a vague term often used by marketers but that does not imply E2EE, which isn't a mandatory banking security standard in the US.

Why didn't anyone notice before?

As Fondrie-Teitler pointed out in his blog, it's odd to see E2EE associated with a smart toilet camera. Despite this, I wasn't immediately able to find online discussion around Dekoda's use of the term, which includes the device's website saying that the Dekoda uses "encryption at every step." Numerous stories about the toilet cam's launch (examples here, here, here, and here) mentioned the device's purported E2EE but made no statements about how E2EE is used or the implications that E2EE claims have, or don't have, for user privacy.

It's possible there wasn't much questioning about the Dekoda's E2EE claim since the type of person who worries about and understands such things is often someone who wouldn't put a camera anywhere near their bathroom.

It's also possible that people had other ideas for how the smart toilet camera might work. Speaking with The Register, Fondrie-Teitler suggested a design in which data never leaves the camera but admitted that he didn't know if this is possible. "Ideally, this type of data would remain on the user's device for analysis, and client-side encryption would be used for backups or synchronizing historical data to new devices," he told The Register.

What is Kohler doing with the data?

For those curious about why Kohler wants data about its customers' waste, the answer, as it often is today, is marketing and AI. As Fondrie-Teitler noted, Kohler's privacy policy says Kohler can use customer data to "create aggregated, de-identified and/or anonymized data, which we may use and share with third parties for our lawful business purposes, including to analyze and improve the Kohler Health Platform and our other products and services, to promote our business, and to train our AI and machine learning models."

In its statement, Kohler said:

If a user consents (which is optional), Kohler Health may de-identify the data and use the de-identified data to train the AI that drives our product. This consent check-box is displayed in the Kohler Health app, is optional, and is not pre-checked.

Words matter

Kohler isn't the first tech company to confuse people with its use of the term E2EE. In April, there was debate over whether Google was truly giving Gmail for business users E2EE, since, in addition to the sender and recipient having access to decrypted messages, people inside the users' organization who deploy and manage the KACL (Key Access Control List) server can access the key necessary for decryption.

In general, what matters most is whether the product provides the security users demand. As Ars Technica Senior Security Editor Dan Goodin wrote about Gmail's E2EE debate:

"The new feature is of potential value to organizations that must comply with onerous regulations mandating end-to-end encryption. It most definitely isn't suitable for consumers or anyone who wants sole control over the messages they send. Privacy advocates, take note."

When the product in question is an Internet-connected camera that lives inside your toilet bowl, it's important to ask whether any technology could ever make it private enough. For many, no proper terminology could rationalize such a device.

Still, if a company is going to push "health" products to people who may have health concerns and, perhaps, limited cybersecurity and tech privacy knowledge, there's an onus on that company for clear and straightforward communication.

"Throwing security terms around that the public doesn't understand to try and create an illusion of data privacy and security being a high priority for your company is misleading to the people who have bought your product," Cross said.
[2]
Kohler's Poop-Analyzing Toilet Cam Might Also Flush Your Privacy Down the Drain
A toilet camera that can analyze your poop isn't as private as its marketing suggests.

In October, Kohler Health announced the Dekoda, a $599 camera that hangs on the rim of your toilet and analyzes your stool and urine for potential health insights. Obviously, the product raised questions about privacy. However, Kohler designed the camera's sensors to face downward and advertised the system as end-to-end encrypted, a term that often implies the provider can't read the user's data.

But a former technology advisor to the Federal Trade Commission took a closer look at the encryption claims, and found them to be bogus. "Responses from the company make it clear that -- contrary to common understanding of the term -- Kohler is able to access data collected by the device and associated application," Simon Fondrie-Teitler wrote on his blog this week.

End-to-end encryption is most often used when talking about messaging apps, such as WhatsApp, Signal, or Apple's iMessage. The term means that only the sender and recipient's devices can decrypt any data, preventing the service provider from reading the messages. This is why WhatsApp and Signal can't hand the contents of your messages over to law enforcement. The encryption keys are stored on the devices, not the company's servers.

On the Dekoda, however, Kohler is a data recipient. The camera gathers the data, encrypts it, and sends it to Kohler to de-scramble for analysis. Fondrie-Teitler confirmed this when emailing Kohler's privacy contact. "The other 'end' that can decrypt the data is Kohler themselves," he wrote, later adding: "What Kohler is referring to as E2EE here is simply HTTPS encryption between the app and the server, something that has been basic security practice for two decades now, plus encryption at rest."

Kohler Health, a division under Kohler Co., tells us the end-to-end encryption only applies to data sent between the user and the company. "We encrypt data end-to-end in transit, as it travels between users' devices and our systems, where it is decrypted and processed to provide and improve our service," it said.

Kohler Health also confirmed that it can harness the collected data to train AI programs, a concern that Fondrie-Teitler flagged. "If a user consents (which is optional), Kohler Health may de-identify the data and use the de-identified data to train the AI that drives our product. This consent check-box is displayed in the Kohler Health app, is optional, and is not pre-checked," Kohler Health says.

This all means that Kohler Health can theoretically take a closer look at your poop data once it hits its servers. The company's privacy policy mentions collecting "Health data, including fecal and urine images," along with sensor information concerning "gut health and blood in bowl."

Still, the company told us: "We also encrypt sensitive user data at rest, when it's stored on a user's mobile phone, toilet attachment, and on our systems." In response to the privacy concerns, it noted: "Privacy and security are foundational to Kohler Health because we know health data is deeply personal. We welcome user feedback and want to ensure they understand that every element of the product is designed with privacy and security in mind."
[3]
Kohler's $600 AI toilet camera sparks major privacy concerns
Talking crap? Remember the Dekoda, the $600 (plus subscription fee) AI-infused camera that attaches to the inside of your toilet and photographs your stools? It seems that maker Kohler's claim that the data it captures is end-to-end encrypted may be a load of crap.

Kohler Health, the new division from home-products company Kohler, announced the Dekoda in October. The company says the images it captures, combined with its validated machine-learning algorithms, offer valuable insights into your health and wellness.

This sort of device is always going to raise privacy concerns, of course. Kohler assured users that the camera only points straight down toward the toilet's contents, so it shouldn't capture any low-hanging body parts. Kohler also emphasized that all data collected by the device and companion app were "end-to-end encrypted" (E2EE).

But researcher and former FTC technology advisor Simon Fondrie-Teitler was confused as to how E2EE, usually associated with messaging apps like Signal and WhatsApp, applied to a toilet camera. He also noted that Kohler Health doesn't have any user-to-user sharing features.

Fondrie-Teitler writes in his post that what Kohler is referring to as E2EE is likely just HTTPS (TLS) encryption between the app and its server, not true end-to-end encryption. The researcher adds that emails exchanged with Kohler's privacy contact clarified that Kohler itself is able to decrypt user data.

"User data is encrypted at rest, when it's stored on the user's mobile phone, toilet attachment, and on our systems. Data in transit is also encrypted end-to-end, as it travels between the user's devices and our systems, where it is decrypted and processed to provide our service."

Why would Kohler be interested in checking what you leave in the toilet bowl, aside from the stated health analysis? Its privacy policy says the company can use your data, and share it with third parties, to refine the Kohler Health Platform, improve its products, promote its business, and train its AI and machine-learning models. The policy says that the data is anonymized, and that users have to consent if they want it used to train Kohler's AI.

The main issue here is the company's use of the term end-to-end encryption, which gives users a misleading sense of privacy. Kohler said in a statement that it used the term with respect to the encryption of data between its users (sender) and Kohler Health (recipient). So, it's secure rather than private, essentially.
[4]
Kohler's Smart Toilet Camera Not Actually End-to-End Encrypted
Home goods company Kohler would like a bold look in your toilet to take some photos. It's OK, though, the company has promised that all the data it collects on your "waste" will be "end-to-end encrypted." However, a deeper look into the company's claim by technologist Simon Fondrie-Teitler revealed that Kohler seems to have no idea what E2EE actually means. According to Fondrie-Teitler's write-up, which was first reported by TechCrunch, the company will have access to the photos the camera takes and may even use them to train AI.

The whole fiasco gives an entirely too on-the-nose meaning to the "Internet of Shit."

Kohler launched its $600 camera to hang on your toilets earlier this year. It's called Dekoda, and along with the large price tag, the toilet cam also requires a monthly service fee that starts at $6.99. If you want to track the piss and shit of a family of 6, you'll have to pay $12.99 a month.

What do you get for putting a camera on your toilet? According to Kohler's pitch, "health & wellness insights" about your gut health and "possible signs of blood in the bowl" as "Dekoda uses advanced sensors to passively analyze your waste in the background."

If you're squeamish about sending pictures of the "waste" of your family to Kohler, the company promised that all of the data is "end-to-end encrypted." The privacy page for the Kohler Health said "user data is encrypted end to end, at rest and in transit" and it's mentioned several places in the marketing.

It's not, though. Fondrie-Teitler told 404 Media he started looking into Dekoda after he noticed friends making fun of it in a Slack he's part of. "I saw the 'end-to-end encryption' claim on the homepage, which seemed at odds with what they said they were collecting in the privacy policy," he said. "Pretty much every other company I've seen implement end-to-end encryption has published a whitepaper alongside it. Which makes sense, the details really matter so telling people what you've done is important to build trust. Plus it's generally a bunch of work so companies want to brag about it. I couldn't find any more details though."

E2EE has a specific meaning. It's a type of messaging system that keeps the contents of a message private while in transit, meaning only the person sending and the person receiving a message can view it. Famously, E2EE means that the messaging company itself cannot decode or see the messages (Signal, for example, is E2EE). The point is to protect the privacy of individual users from a company prying into data if a third party, like the government, comes asking for it.

Kohler, it's clear, has access to a user's data. This means it's not E2EE. Fondrie-Teitler told 404 Media that he downloaded the Kohler health app and analyzed the network traffic it sent. "I didn't see anything that would indicate an end-to-end encrypted connection being created," he said.

Then he reached out to Kohler and had a conversation with its privacy team via email. "The Kohler Health app itself does not share data between users. Data is only shared between the user and Kohler Health," a member of the privacy team at Kohler told Fondrie-Teitler in an email reviewed by 404 Media. "User data is encrypted at rest, when it's stored on the user's mobile phone, toilet attachment, and on our systems. Data in transit is also encrypted end-to-end, as it travels between the user's devices and our systems, where it is decrypted and processed to provide our service."

If Kohler can view the user's data, as it admits to doing in this email exchange with Fondrie-Teitler, then it's not -- by definition -- using E2EE.

"The term end-to-end encryption is often used in the context of products that enable a user (sender) to communicate with another user (recipient), such as a messaging application. Kohler Health is not a messaging application. In this case, we used the term with respect to the encryption of data between our users (sender) and Kohler Health (recipient)," Kohler Health told 404 Media in a statement.

"Privacy and security are foundational to Kohler Health because we know health data is deeply personal. We're evaluating all feedback to clarify anything that may be causing confusion," it added.

"I'd like the term 'end-to-end encryption' to not get watered down to just meaning 'uses https' so I wanted to see if I could confirm what it was actually doing and let people know," Fondrie-Teitler told 404 Media. He pointed out that Zoom once made a similar claim and had to pay a fine to the FTC because of it.

"I think everyone has a right to privacy, and in order for that to be realized people need to have an understanding of what's happening with their data," Fondrie-Teitler said. "It's already so hard for non-technical individuals (and even tech experts) to evaluate the privacy and security of the software and devices they're using. E2EE doesn't guarantee privacy or security, but it's a non-trivial positive signal and losing that will only make it harder for people to maintain control over their data."
Kohler's $599 Dekoda smart toilet camera promised end-to-end encryption for health data collected from users' waste. But former Federal Trade Commission advisor Simon Fondrie-Teitler discovered the company can access and decrypt user data on its servers, contradicting typical E2EE standards. The revelation raises questions about misleading privacy claims in smart home devices.
Kohler is facing intense scrutiny after a former Federal Trade Commission technology advisor exposed misleading privacy claims about its new AI-powered toilet camera [1]. The $599 Dekoda smart toilet attachment, launched in October by Kohler Health, uses optical sensors and machine-learning algorithms to analyze stool and urine for health insights [1]. The device requires a subscription starting at $7 per month and promises "end-to-end encryption" for user data privacy [1].

Simon Fondrie-Teitler, a software engineer and former FTC advisor, began investigating after noticing the company's E2EE claims seemed inconsistent with what Kohler collected according to its privacy policy [4]. His analysis revealed that Kohler can access and decrypt user data on its servers, fundamentally contradicting what end-to-end encryption means in consumer technology [2].

E2EE is most commonly associated with messaging apps like Signal and WhatsApp, where only the sender and recipient can decrypt messages [1]. The service provider cannot access the content, which prevents third parties, including law enforcement, from reading private communications [2]. This protection is what consumers expect when they see "end-to-end encryption" advertised.

However, emails exchanged between Fondrie-Teitler and Kohler's privacy team clarified that "the other 'end' that can decrypt the data is Kohler themselves" [1]. The company confirmed that "user data is encrypted at rest, when it's stored on the user's mobile phone, toilet attachment, and on our systems. Data in transit is also encrypted end-to-end, as it travels between the user's devices and our systems, where it is decrypted and processed to provide our service" [1].

Kohler Health issued a statement defending its use of the term, arguing that it applied E2EE "with respect to the encryption of data between our users (sender) and Kohler Health (recipient)" [1]. The company acknowledged that it's not a messaging application and used the term differently than typical consumer applications [4].

What Kohler describes is actually Transport Layer Security or HTTPS encryption, which has been standard security practice for two decades [3]. As IBM defines it, Transport Layer Security "encrypts data as it travels between a client and a server. However, it doesn't provide strong protection against access by intermediaries such as application servers or network providers" [1].

The Dekoda's privacy policy reveals Kohler Health collects "health data, including fecal and urine images" along with sensor information about "gut health and blood in bowl" [2]. More concerning, the policy states the company can use this data and share it with third parties to refine its platform, improve products, promote its business, and train AI and machine-learning algorithms [3].

Kohler Health confirmed to media outlets that if users consent through an optional, unchecked checkbox in the app, the company may de-identify the data and use it to train AI programs [2]. The company emphasized that "privacy and security are foundational to Kohler Health because we know health data is deeply personal" [2].

RJ Cross, director of the consumer privacy program at the Public Interest Research Group, told Ars Technica that "using terms like 'anonymized' and 'encrypted' gives an impression of a company taking privacy and security seriously -- but that doesn't mean it actually is" [1]. The misleading privacy claims echo a similar case where Zoom faced Federal Trade Commission fines for falsely advertising E2EE capabilities [4].

Fondrie-Teitler explained his motivation for investigating: "I'd like the term 'end-to-end encryption' to not get watered down to just meaning 'uses https' so I wanted to see if I could confirm what it was actually doing and let people know" [4]. He emphasized that maintaining clear definitions helps consumers make informed decisions about data privacy in an already complex landscape of smart home devices.

The controversy highlights broader issues with how companies market privacy features in connected devices. Fondrie-Teitler noted that "it's already so hard for non-technical individuals (and even tech experts) to evaluate the privacy and security of the software and devices they're using" [4]. When companies blur the meaning of established security terms, it becomes even harder for consumers to understand what protections they actually have.

The Dekoda's primary competitor, Throne, uses similarly vague language, claiming "bank-grade encryption" without specifying E2EE [1]. This suggests the problem extends beyond Kohler to an emerging category of wellness-focused smart home devices that collect highly sensitive health data. As these products become more common, the need for clear, accurate privacy disclosures becomes increasingly critical for protecting user data privacy and maintaining trust in health insights technology.

Summarized by Navi