Engineer proves that Kohler’s smart toilet cameras aren’t very private
Kohler is getting the scoop on people’s poop.
A Dekoda smart toilet camera.
Credit:
Kohler
Kohler is facing backlash after an engineer pointed out that the company’s new smart toilet cameras may not be as private as it wants people to believe. The discussion raises questions about Kohler’s use of the term “end-to-end encryption” (E2EE) and the inherent privacy limitations of a device that films the goings-on of a toilet bowl.
In October, Kohler announced its first “health” product, the Dekoda. Kohler’s announcement described the $599 device (it also requires a subscription that starts at $7 per month) as a toilet bowl attachment that uses “optical sensors and validated machine-learning algorithms” to deliver “valuable insights into your health and wellness.” The announcement added:
Data flows to the personalized Kohler Health app, giving users continuous, private awareness of key health and wellness indicators—right on their phone. Features like fingerprint authentication and end-to-end encryption are designed for user privacy and security.
The average person is most likely to be familiar with E2EE through messaging apps, like Signal. Messages sent via apps with E2EE are encrypted throughout transmission. Only the message’s sender and recipient can view the decrypted messages, which is intended to prevent third parties, including the app developer, from reading them.
But how does E2EE apply to a docked camera inside a toilet?
Software engineer and former Federal Trade Commission technology advisor Simon Fondrie-Teitler sought answers about this, considering that “Kohler Health doesn’t have any user-to-user sharing features,” he wrote in a blog post this week:
… emails exchanged with Kohler’s privacy contact clarified that the other ‘end’ that can decrypt the data is Kohler themselves: ‘User data is encrypted at rest, when it’s stored on the user’s mobile phone, toilet attachment, and on our systems. Data in transit is also encrypted end-to-end, as it travels between the user’s devices and our systems, where it is decrypted and processed to provide our service.’
Ars Technica contacted Kohler to ask if the above statement is an accurate summary of Dekoda’s “E2EE” and if Kohler employees can access data from Dekoda devices. A spokesperson responded with a company statement that basically argued that data gathered from Dekoda devices is encrypted from one end (the toilet camera) until it reaches another end, in this case, Kohler’s servers. The statement reads, in part:
The term end-to-end encryption is often used in the context of products that enable a user (sender) to communicate with another user (recipient), such as a messaging application. Kohler Health is not a messaging application. In this case, we used the term with respect to the encryption of data between our users (sender) and Kohler Health (recipient).
We encrypt data end-to-end in transit, as it travels between users’ devices and our systems, where it is decrypted and processed to provide and improve our service. We also encrypt sensitive user data at rest, when it’s stored on a user’s mobile phone, toilet attachment, and on our systems.
Although Kohler somewhat logically defines the endpoints in what it considers E2EE, at a minimum, Kohler’s definition goes against the consumer-facing spirit of E2EE. Because E2EE is, as Kohler’s statement notes, most frequently used in messaging apps, people tend to associate it with privacy from the company that enables the data transmission. Since that’s not the case with the Dekoda, Kohler’s misuse of the term E2EE can give users a false sense of privacy.
As IBM defines it, E2EE “ensures that service providers facilitating the communications … can’t access the messages.” Kohler’s statement implies that the company understood how people typically think about E2EE and still chose to use the term over more accurate alternatives, such as Transport Layer Security (TLS) encryption, which “encrypts data as it travels between a client and a server. However, it doesn’t provide strong protection against access by intermediaries such as application servers or network providers,” per IBM.
“Using terms like ‘anonymized’ and ‘encrypted’ gives an impression of a company taking privacy and security seriously—but that doesn’t mean it actually is,” RJ Cross, director of the consumer privacy program at the Public Interest Research Group (PIRG), told Ars Technica.
Smart toilet cameras are so new (and questionable) that there are few comparisons we can make here. But the Dekoda’s primary rival, the Throne, also uses confusing marketing language. The smart camera’s website makes no mention of end-to-end encryption but claims that the device uses “bank-grade encryption,” a vague term often used by marketers but that does not imply E2EE, which isn’t a mandatory banking security standard in the US.
Why didn’t anyone notice before?
As Fondrie-Teitler pointed out in his blog, it’s odd to see E2EE associated with a smart toilet camera. Despite this, I wasn’t immediately able to find online discussion around Dekoda’s use of the term, which includes the device’s website saying that the Dekoda uses “encryption at every step.”
Numerous stories about the toilet cam’s launch (examples here, here, here, and here) mentioned the device’s purported E2EE but made no statements about how E2EE is used or the implications that E2EE claims have, or don’t have, for user privacy.
It’s possible there wasn’t much questioning about the Dekoda’s E2EE claim since the type of person who worries about and understands such things is often someone who wouldn’t put a camera anywhere near their bathroom.
It’s also possible that people had other ideas for how the smart toilet camera might work. Speaking with The Register, Fondrie-Teitler suggested a design in which data never leaves the camera but admitted that he didn’t know if this is possible.
“Ideally, this type of data would remain on the user’s device for analysis, and client-side encryption would be used for backups or synchronizing historical data to new devices,” he told The Register.
What is Kohler doing with the data?
For those curious about why Kohler wants data about its customers’ waste, the answer, as it often is today, is marketing and AI.
As Fondrie-Teitler noted, Kohler’s privacy policy says Kohler can use customer data to “create aggregated, de-identified and/or anonymized data, which we may use and share with third parties for our lawful business purposes, including to analyze and improve the Kohler Health Platform and our other products and services, to promote our business, and to train our AI and machine learning models.”
In its statement, Kohler said:
If a user consents (which is optional), Kohler Health may de-identify the data and use the de-identified data to train the AI that drives our product. This consent check-box is displayed in the Kohler Health app, is optional, and is not pre-checked.
Words matter
Kohler isn’t the first tech company to confuse people with its use of the term E2EE. In April, there was debate over whether Google was truly giving Gmail for business users E2EE, since, in addition to the sender and recipient having access to decrypted messages, people inside the users’ organization who deploy and manage the KACL (Key Access Control List) server can access the key necessary for decryption.
In general, what matters most is whether the product provides the security users demand. As Ars Technica Senior Security Editor Dan Goodin wrote about Gmail’s E2EE debate:
“The new feature is of potential value to organizations that must comply with onerous regulations mandating end-to-end encryption. It most definitely isn’t suitable for consumers or anyone who wants sole control over the messages they send. Privacy advocates, take note.”
When the product in question is an Internet-connected camera that lives inside your toilet bowl, it’s important to ask whether any technology could ever make it private enough. For many, no proper terminology could rationalize such a device.
Still, if a company is going to push “health” products to people who may have health concerns and, perhaps, limited cybersecurity and tech privacy knowledge, there’s an onus on that company for clear and straightforward communication.
“Throwing security terms around that the public doesn’t understand to try and create an illusion of data privacy and security being a high priority for your company is misleading to the people who have bought your product,” Cross said.
Scharon is a Senior Technology Reporter at Ars Technica writing news, reviews, and analysis on consumer gadgets and services. She’s been reporting on technology for over 10 years, with bylines at Tom’s Hardware, Channelnomics, and CRN UK.
