'End-To-End Encrypted' Smart Toilet Camera Is Not Actually End-To-End Encrypted (techcrunch.com)
An anonymous reader quotes a report from TechCrunch: Earlier this year, home goods maker Kohler launched a smart camera called the Dekoda that attaches to your toilet bowl, takes pictures of it, and analyzes the images to advise you on your gut health. Anticipating privacy fears, Kohler said on its website that the Dekoda's sensors only see down into the toilet, and claimed that all data is secured with "end-to-end encryption." The company's use of the expression "end-to-end encryption" is, however, wrong, as security researcher Simon Fondrie-Teitler pointed out in a blog post on Tuesday. By reading Kohler's privacy policy, it's clear that the company is referring to the type of encryption that secures data as it travels over the internet, known as TLS encryption -- the same that powers HTTPS websites. [...] The security researcher also pointed out that given Kohler can access customers' data on its servers, it's possible Kohler is using customers' bowl pictures to train AI. Citing another response from the company representative, the researcher was told that Kohler's "algorithms are trained on de-identified data only." A "privacy contact" from Kohler said that user data is "encrypted at rest, when it's stored on the user's mobile phone, toilet attachment, and on our systems." The company also said that, "data in transit is also encrypted end-to-end, as it travels between the user's devices and our systems, where it is decrypted and processed to provide our service."
Wow (Score:5, Funny)
Imagine the leaks.
Re: (Score:1)
Some really shitty security there.
Re: (Score:2)
Re: Wow (Score:2)
I don't think the end users will give a shit about E2EE.
Re: (Score:2)
No, I really, really *don't* want to imagine the leaks!
Re: (Score:2)
Imagine the leaks.
Came for the jokes about that shit job. Was not disappointed. 3.8/5 stars. Would pun again.
Required citation? (Score:2)
Not a bad FP branch though I think there was more room for Funny.
On the serious side, I think this picture is not worth a thousand words. The medical application really calls for chemical analysis. Even genetic analysis if an actual doctor wants to know what is really going on in there.
But I mostly wanted an excuse to cite Toire No Himitsu. Sorry, but it hasn't been translated into English and that seems quite unlikely, too. It would probably be "The Secrets of Toilets". Mostly about the development of th
Re: (Score:1)
Re-purposed as a marketing buzz-word (Score:2)
Re:Re-purposed as a marketing buzz-word (Score:5, Informative)
No, it means only the sender, and the intended receiver can access the data.
For a service like this, the intended receiver is obviously the company you pay monthly to process the data. Sounds like E2E encryption to me.
Of course, for a service where you exchange data between users, the point is that the company can't read the messages, but that's so obviously not the case here.
Re: (Score:2)
If the camera is poorly aimed, it puts a whole new meaning to end.
Re:Re-purposed as a marketing buzz-word (Score:5, Insightful)
"End to end" means that the servers holding the data can't decrypt it.
no, that's not what e2e encryption is. the definition is literally on tfa.
this "security researcher" is just making a big fuss about his personal take on semantics and context. he argues that the company has access to the unencrypted data and stores it on its servers, which is just nonsensical confusion because the company is the intended receiver. he further warns about the risk of the company using the data which is just as nonsensical because the company using the data to provide results is the whole point of their service.
so he's basically just smearing a company without any serious argument and for no reason (except maybe getting attention).
Re: Re-purposed as a marketing buzz-word (Score:2)
Re: (Score:2)
And with other types of E2E encryption like for example whatsapp messages, the person you sent them to has them on his phone, that can get hacked?
It all gets decrypted somewhere, and that somewhere can get hacked, that's always true.
This complaint makes no sense.
Re: Re-purposed as a marketing buzz-word (Score:1)
Re: Re-purposed as a marketing buzz-word (Score:1)
Re: (Score:2)
I like your follow up comment, but please don't strawman me. I replied to your assertion of " the marketing of this product implies to a user that your images are never at risk of being hacked", and i just replied that it has to always be decrypted somewhere, and that somewhere can be compromised. So this isn't the property of any E2E encryption.
Re: Re-purposed as a marketing buzz-word (Score:1)
Re: (Score:2)
that makes sense, but he isn't making any effort of educating users either, rather throwing in more confusion. he could have just said: "while it appears to be true that your data is e2e encrypted, be aware that it may still be hacked at the endpoint". maybe that would have been too obvious.
i just wonder what in the potential users' imagination is supposed to be the endpoint of their encrypted poop.
Re: (Score:2)
lol as if users of a toilet camera are going to read this guy's blog. His audience is other security researchers.
Re: (Score:2)
i doubt any real security researcher follows his bluesky account. he's a charlatan, an engineer with connections that secured a charlatan job at the ftc and likes to act important. his angle is clearly consumer privacy, not security, and his post clearly shows that he has no clue about security either. the fact that so many "tech" outlets have circulated this inane drivel at the same time only speaks to how low the level has sunk.
Re: (Score:2)
Re: (Score:2)
I thought "end to end" meant "one tushy to another".
Re: (Score:2)
apologies. i meant he's just sh ... nevermind.
Storm in a toilet bowl (Score:4, Insightful)
This "researcher" doesn't seem to know what end-to-end encryption is, or why what the manufacturer says is true. Their blog says that "[t]he term is generally used for applications that allow some kind of communication between users", but that's not true. The most common type of end-to-end encryption is HTTPS, typically between the user and a web server.
Also, they offer an AI powered service to analyse your output, and state that they use the data for further training. That is well within both expectations of what an AI powered service will be doing, and what their privacy policy says they will do.
I dislike how privacy is treated as a premium product, and how many companies feel entitled to our data, this case is nothing special at all.
Re: (Score:2)
Nice one!
I like it when we agree. I'm unable to fathom why this guy thinks the images should be encrypted in a way that makes it impossible to provide the service. I'm forced to guess that the answer is sensationalism.
Re: (Score:2)
Re: (Score:2)
I'm not sure there is any amount of money that I'd accept to engineer a product that involved looking at thousands of photos of unflushed toilets.
Re: (Score:2)
Millions actually. Vibe code it. The worst part would be training the model I think.
ehmm what? (Score:3)
So the issue for the security researcher is that when E2E encryption is mentioned that for him it's not clear who the other end is? For a camera whose entire purpose is to send the data to the vendor you're paying monthly for analyzing the data and give you feedback on your health O_o....
Yeah, the company is obviously the other end, how else could they provide the service you're paying them for???
Or is there some part in the E2E encryption definition that the intended recipient can't be a company??
Re: (Score:2)
This (Score:2)
If the pictures were encrypted so the company couldn't decrypt them wtf would be the point of sending them in the first place!? It's a service, not a personal file server for poo pictures.
This "security researcher" seems to lack even basic common sense.
Re: (Score:2)
If the pictures were encrypted so the company couldn't decrypt them wtf would be the point of sending them in the first place!? It's a service, not a personal file server for poo pictures.
Thanks. Now you tell me...
Re: (Score:2)
And is this corroborated anywhere that this is now the common definition?
I get we use E2E encryption in the context of whatsapp to have a specific meaning there, but since when does that mean that this is the only meaning?
And how can it even be unclear in this case? you actively pay the company monthly to analyze your data, so yes, they have access to it. duh??
I still don't see it honestly....
It just seems he imagined E2E only meaning user -> user encryption, and that this case is thus somehow unclear. W
Training AI to do what? (Score:1)
Re: (Score:2)
Training AI to recognize feces? Why? Never mind, I don't want to know.
Cheech and Chong could have benefitted from this technology.
Re: (Score:2)
Training AI to recognize feces? Why? Never mind, I don't want to know.
Like recognizes like, so AI should be able to evaluate feces with little or no training.
Re: Training AI to do what? (Score:2)
Next up... (Score:2)
It's going to come out that the camera's view area doesn't just include the contents of the toilet bowl.
"end-to-end" huh huh (Score:3)
When you sit on the toilet you connect your butthole up to the large network of connected buttholes.
Not mine, just astonishingly relevant.
Re: (Score:2)
More ads (Score:1)
More ads like the chick with the cat tights, PLEASE!!
Re: (Score:2)
You see them too?? Yeah I almost bought some but I don't want to buy anything from a business that uses fake genAI models. Taking work away from real human models is not acceptable to me.
End to end... (Score:1)
Re: (Score:2)
Transport encrypted from your "end" to theirs, sounds like it's working as specified!
When your shit's encrypted, does it still smell like shit?
Vulnerability (Score:1)
Re: (Score:2)
I wonder if anyone's going to revive that old hacking tool, "back orifice".
I mean the jokes write themselves (Score:2)
But I'd really love to know exactly how many of these things were sold? A dozen? 500? Thousands? Feels like there is an econ or finance study about consumer behavior buried in the customer base of such an item.
Mainly just folks with disposable incomes who like tech? Someone with cancer risk really convinced this will work? The most expensive Spencers gag gift? "I could look it up myself but I don't want to have to look at my own poop?"
Re: (Score:3)
It was probably invented by the mail-clerks at Exact Sciences. They were tired of the mishaps when receiving Cologuard return-samples whose patients didn't understand the packaging instructions.
What happens... (Score:2)
This is stupid. (Score:2)
This is exactly end to end encryption, and the so-called "security researcher" appears to have no idea what he is talking about. So:
Mr. Fondrie-Teitler, what you've just said is one of the most insanely idiotic things I have ever heard. At no point in your rambling, incoherent response were you even close to anything that could be considered a rational thought. Everyone in this room is now dumber for having listened to it. I award you no points, and may God have mercy on your soul.
Using customers' bowl pictures to train AI (Score:2)
Hopefully not yet sentient.
Who? Which? (Score:2)
So who asked for turd cam?
Who thought turd cam was a good idea?
Which product manager approved turd cam?
Who would buy a turd cam?
Who would buy a turd cam from an over priced company like Kohler?
I'm starting to like using the words "turd cam". I hope that it doesn't accidentally wind up in an email or something.
Re: (Score:2)
I don't know but if this was their best idea, I'd hate to see the ones they left on the table...
Gezus, Kohler must have subscribed to r/ratemypoop (Score:2)
What is this shiat? (Score:2)
harm (Score:2)
I'm not sure I see the harm here and there may be some good. People want Kohler to be able to see the pictures so that they can be analyzed (be careful how you pronounce that word). And of course Kohler should take care to safeguard the data at rest.
It would be interesting to know if Kohler have been able to diagnose anything for anyone or even if they successfully flag people that ate beets yesterday.
Wrong? (Score:2)
No, it is "end to end" encryption exactly as they claimed - one of those ends is their datacenter where the data is processed.
As per the description from the linked blog:
"End-to-end encryption", or E2EE, is a method of securing data that ensures only the sender and their chosen recipient are able to view it.
The "chosen recipient" is Kohler's datacenter, so it's behaving exactly as claimed. The application functions by processing the data on their servers, which is also why a monthly fee is charged to provide the service.
You could theoretically avoid this by transmitting the data directly between the camera and your device, and doing the proces
fart analyzer (Score:2)
I was thinking a fart gas analyzer would be better for figuring out what's going on in your gut. Pictures of turds can probably be machine-learned on to tell a lot, but things like levels of H2S and other toxic gasses would be better. Maybe a combo of the two.
enshitification (Score:3)
Re: (Score:2)
I'm not sure Cory Doctorow had this in mind, but, why not.
In mind? Hell, I smell an infringement suit.
From here.
Re: (Score:2)
I saw the words "Toilet" and "End-To-End Encrypted" and knew that the jokes would write themselves.
Do *NOT* Want (Score:2)
End to end encryption, for a toilet? Frankly I do not want a TOILET to connect me "end-to-end" with anybody. They're doing it wrong.
Time to pull up the sheet on IOT. Not only has it gone up its own backside, now it's trying to go up ours too.
Should we really complain about this? (Score:2)
It's all a lie (Score:2)
There is DEFINITELY no rigorous science that shows that sending photos of your poop to Kohler will make you healthier. None.
Let's hope they focus on health problems! (Score:2)
De-identified data (Score:2)
the researcher was told that Kohler's "algorithms are trained on de-identified data only."
What the hell good is that? Maybe for training. But eventually Kohler is going to want to provide a diagnostic service based upon this training. And then they will have to know whose poop they are looking at.
Sounds like... (Score:2)
...it's actually shit.
end to end encryption (Score:2)
Smart Pipe AND Torment Nexus (Score:2)
"At long last we have created the Torment Nexus from classic sci-fi novel Don't Create The Torment Nexus" is the famous Alex Blechman tweet, but what is the "classic sci-fi novel" in this case?
None other than "Smart Pipe", the over-ten-years-old Adult Swim fake infomercial:
https://www.youtube.com/watch?... [youtube.com]
Starring a pipe that analyzes poop and posts it to social media (including the oft-missed comment "i put phosphates in u hole"), an Ayn Rand fanboy CEO, and an amazing interviewer who is enthused by every
Re: (Score:2)
I've seen multiple instances of companies trying to create smart pipe. It's so fucking funny every time.
They just didn't specify which end.. (Score:2)
Foiled again!
Wow... (Score:2)
Notice to guests? (Score:2)
I assume you are putting guests on notice that you put cameras in your bathroom? Cause if you're not, you're asking for trouble.