Kohler claims poop scanner uses E2EE, researcher cries foul • The Register

No, this is not a joke: Kohler’s poop-scanning bathroom attachment, which the corporate claims is … uh … end-to-end encrypted, seems to be something butt.

The Dekoda, released in October by folks seemingly unaware of this 11-year-old but extremely prescient Grownup Swim spoof infomercial, attaches to current dumb bogs. It features a digital camera that fortunately solely gazes downward at your leavings as an alternative of elsewhere, and claims to have the ability to analyze waste for intestine well being, hydration, and the presence of blood. 

Given the delicate nature of what Dekoda is analyzing, Kohler says it designed Dekoda and the accompanying Kohler Well being app “with privacy-first options” together with so-called end-to-end encryption (E2EE). However in accordance with freelance journalist, software program engineer, privateness skilled, and former Federal Commerce Fee expertise advisor Simon Fondrie-Teitler, Kohler is misusing the time period “E2EE”.

Writing within the premiere post of his /var/log/simon weblog, Fondrie-Teitler dug into Dekoda’s use of the time period E2EE and its therapy of consumer knowledge. E2EE is often understood to be encryption of communications knowledge between a sender and recipient, with even the corporate offering the service unable to decrypt the shared knowledge.

No such options exist within the Kohler Well being app, Fondrie-Teitler famous. 

“Whereas one ‘finish’ can be the consumer, it isn’t clear what the opposite finish can be,” Fondrie-Teitler defined within the Tuesday publish earlier than noting that his communications with Kohler made clear that the opposite finish was the corporate itself. 

In accordance with the weblog publish and our evaluate of Kohler’s privateness policy, consumer knowledge is encrypted “at relaxation, when it is saved in your cell phone, bathroom attachment, and on our techniques,” in addition to in transit. That stated, Kohler has entry to consumer knowledge, which means its model of E2EE “is solely HTTPS encryption between the app and the server, one thing that has been fundamental safety apply for 20 years now, plus encryption at relaxation,” Fondrie-Teitler defined. 

For that matter, it seems the corporate is utilizing stated knowledge for extra than simply serving poo-related well being knowledge by means of its cell apps. 

Per Kohler’s privateness coverage, Dekoda prospects give the corporate permission to make use of anonymized well being knowledge “to coach our AI fashions and for different machine studying functions and we could disclose de-identified knowledge to 3rd events.” 

Customers have the fitting to say no to share private knowledge with Kohler, per the coverage, however opting out means some companies is probably not offered. 

In different phrases, Kohler actually needs that knowledge if you wish to know what’s up along with your bathroom deposits. 

We reached out to Fondrie-Teitler to see what he needed to say about Kohler anonymizing the info and what he thought in regards to the firm’s use of such P(ee)II, and he instructed us that in an excellent world, none of that doo-doo knowledge would depart its level of assortment.

“Ideally this kind of knowledge would stay on the consumer’s system for evaluation, and client-side encryption can be used for backups or synchronizing historic knowledge to new units,” Fondrie-Teitler instructed us in a chat on Bluesky. He is unsure that is doable, given he is unsure how Kohler’s techniques work, however at least, he hopes they cease saying the system is end-to-end encrypted, giving customers a false sense of safety.

“I am hoping they replace the language on the web site to extra clearly articulate the scope of their privateness protections,” Fondrie-Teitler instructed us. 

Kohler did not reply to questions for this story. ®