Home goods manufacturer Kohler recently launched its Dekoda smart toilet camera, a device designed to analyze gut health via images of toilet bowl contents. Despite Kohler's assurances of "end-to-end encryption" to address user privacy concerns, a security researcher has revealed that the company can, in fact, access customer data stored on its servers, raising significant questions about data security and AI training practices.
Earlier this year, Kohler introduced the Dekoda camera, which attaches to a toilet bowl to capture and analyze images for personalized gut health advice. Anticipating potential privacy fears, Kohler stated on its website that the Dekoda's sensors only view the toilet interior and that all data is secured with 'end-to-end encryption.' However, this claim has been challenged.
Misleading Encryption Claims Debunked
Security researcher Simon Fondrie-Teitler highlighted in a recent blog post that Kohler's use of the term 'end-to-end encryption' is misleading. A review of Kohler's privacy policy clarifies that the company refers to TLS encryption, which secures data during transit over the internet, similar to HTTPS websites. This differs significantly from true end-to-end encryption.
The distinction is crucial for user privacy. True end-to-end encryption, commonly used by secure messaging apps like iMessage, Signal, and WhatsApp, ensures that only the sender and intended recipient can read the messages, with no intermediaries having access. TLS encryption, while securing data in transit, allows the service provider (in this case, Kohler) to decrypt and access the data on its servers. Misrepresenting TLS as end-to-end encryption can confuse users into believing their sensitive data is inaccessible to Kohler.
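The difference can be modeled in a few lines. The sketch below is an added example, not code from Kohler or from the researcher's post: the `Server` class, the function names and the sample bytes are hypothetical, and a toy HMAC-based cipher stands in for both TLS and a real authenticated cipher such as AES-GCM. It shows what the provider ends up holding in each design.

```python
import hashlib
import hmac
import os

# Toy authenticated cipher (assumption for this example, not production crypto):
# HMAC-SHA256 in counter mode as keystream, plus an encrypt-then-MAC tag.
def _keystream(key, nonce, n):
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_sealed(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class Server:
    """Hypothetical provider endpoint; it always holds the transport session key."""
    def __init__(self, transport_key):
        self.transport_key = transport_key
        self.stored = None  # what the provider ends up holding

    def receive(self, wire_bytes):
        # The transport layer terminates here: the server strips it and keeps the payload.
        self.stored = open_sealed(self.transport_key, wire_bytes)

def upload_transport_only(server, transport_key, image):
    # TLS-style protection: encrypted on the wire, plaintext once it arrives.
    server.receive(seal(transport_key, image))

def upload_end_to_end(server, transport_key, user_key, image):
    # Payload sealed with a key only the user's devices hold, then sent over the same transport.
    server.receive(seal(transport_key, seal(user_key, image)))

def server_can_read(server, image):
    if server.stored == image:
        return True
    try:
        return open_sealed(server.transport_key, server.stored) == image
    except ValueError:
        return False  # the only key the server has does not open the payload
```

In the transport-only upload the server's stored copy equals the original bytes; in the end-to-end upload it holds a blob that only the holder of `user_key` can open.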
Kohler's Data Access and AI Training
While a Kohler spokesperson did not respond to inquiries from TechCrunch, a company 'privacy contact' informed Fondrie-Teitler that user data is 'encrypted at rest' on devices and Kohler's systems. The contact also stated that 'data in transit is also encrypted end-to-end, as it travels between the user’s devices and our systems, where it is decrypted and processed to provide our service.' This statement confirms that Kohler decrypts and processes user data on its own systems, negating the privacy assurances typically associated with true end-to-end encryption.
Given Kohler's confirmed access to customer data on its servers, the security researcher raised concerns that the company might be utilizing customers' intimate bowl pictures to train its AI algorithms. In response, the company representative asserted that Kohler's 'algorithms are trained on de-identified data only.' However, the potential for sensitive data access remains a significant privacy consideration for users.
The Dekoda smart toilet camera is priced at $599, plus a mandatory monthly subscription starting at $6.99.







