In October Kohler launched Dekoda, a device costing $600 plus a monthly subscription that attaches to the rim of your toilet and collects images and data from inside the bowl, promising to track and provide insights on gut health, hydration, and more. To allay the obvious privacy concerns, the company emphasizes that the sensors are only pointed down, into the bowl, and assures potential buyers that the data collected by the device and app are protected with “end-to-end encryption”.
Kohler Health’s homepage, the page for the Kohler Health App, and a support page all use the term “end-to-end encryption” to describe the protection the app provides for data. Many media outlets included the claim in their articles covering the launch of the product.
However, responses from the company make it clear that—contrary to common understanding of the term—Kohler is able to access data collected by the device and associated application. Additionally, the company states that the data collected by the device and app may be used to train AI models.
What is End-to-End Encryption?
"End-to-end encryption", or E2EE, is a method of securing data that ensures only the sender and their chosen recipient are able to view it. Correctly implemented, it prevents other parties, including the developer of the application, from accessing the protected data. E2EE is best known for its use in messaging applications like WhatsApp, iMessage, and Signal, where it allows users to communicate securely and privately without worrying about their messages being seen by prying eyes at the app developers, internet service providers, and even governments.
E2EE also provides an additional layer of protection if the application developer’s servers are compromised by an attacker. Because the servers hold only ciphertext, and not the keys needed to read it, the stored data is useless to the attacker, which can significantly reduce the impact of a breach. For a more detailed look at E2EE, see A Deep Dive on End-to-End Encryption from the Electronic Frontier Foundation.
What is Kohler Doing?
The initial issue with Kohler using the term “end-to-end encryption” is that it’s not obvious how it could apply to their product. The term is generally used for applications that allow some kind of communication between users, and Kohler Health doesn’t have any user-to-user sharing features. So while one “end” would be the user, it’s not clear what the other end would be.
I thought Kohler might actually have implemented a related data protection method known as “client-side encryption”, used by services like Apple’s iCloud and the password manager 1Password. This technique allows an application to back up a user’s data to the developer’s servers, or synchronize data between multiple devices owned by a user, without allowing anyone but the user to access the data.
But emails exchanged with Kohler’s privacy contact clarified that the other “end” that can decrypt the data is Kohler themselves: “User data is encrypted at rest, when it’s stored on the user's mobile phone, toilet attachment, and on our systems. Data in transit is also encrypted end-to-end, as it travels between the user's devices and our systems, where it is decrypted and processed to provide our service.”
They additionally told me “We have designed our systems and processes to protect identifiable images from access by Kohler Health employees through a combination of data encryption, technical safeguards, and governance controls.”
What Kohler is referring to as E2EE here is simply transport encryption (TLS, as used by HTTPS) between the app and the server, something that has been basic security practice for two decades now, plus encryption at rest on servers where Kohler itself can decrypt the data.
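To make the distinction between the two designs concrete (the “in transit and at rest” model described in Kohler’s reply versus the client-side model mentioned above), here is an added example in Go. It is illustrative code written for this article, not Kohler’s code, and it assumes nothing about their actual implementation: both models use the same AES-256-GCM primitive, and the only thing that differs is who holds the key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// must aborts on errors that cannot occur with well-formed keys; randBytes serves keys and nonces.
func must(err error) { if err != nil { panic(err) } }
func randBytes(n int) []byte { b := make([]byte, n); _, err := rand.Read(b); must(err); return b }

// aead builds AES-256-GCM; both storage models below use this same primitive, only key custody differs.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	must(err)
	g, err := cipher.NewGCM(block)
	must(err)
	return g
}

// seal encrypts plaintext under key, prepending a fresh random nonce to the output.
func seal(key, plaintext []byte) []byte {
	g := aead(key)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; a wrong key yields an authentication error, never plaintext.
func open(key, blob []byte) ([]byte, error) {
	g := aead(key)
	if len(blob) < g.NonceSize() { return nil, errors.New("blob too short") }
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// Server stands in for the operator's backend; atRestKey is a key the operator holds.
type Server struct{ atRestKey []byte; store map[string][]byte }
func NewServer() *Server { return &Server{atRestKey: randBytes(32), store: map[string][]byte{}} }

// Model A ("in transit and at rest"): TLS ends at the server, which sees plaintext and encrypts it under its own key.
func (s *Server) IngestTransportOnly(user string, p []byte) { s.store[user] = seal(s.atRestKey, p) }

// Model B (client-side / end-to-end): the device encrypts under a key that never leaves it; the server gets an opaque blob.
func (s *Server) StoreBlob(user string, blob []byte) { s.store[user] = blob }
func (s *Server) OperatorRead(user string) ([]byte, error) { return open(s.atRestKey, s.store[user]) }

// Device holds the user-side key, generated on the device and never uploaded.
type Device struct{ key []byte }
func NewDevice() Device { return Device{key: randBytes(32)} }
func (d Device) Encrypt(p []byte) []byte { return seal(d.key, p) }
func (d Device) Decrypt(b []byte) ([]byte, error) { return open(d.key, b) }
```

In model A, OperatorRead succeeds because the server holds the at-rest key; in model B the same call fails with an authentication error, and only the device can recover the data.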
How is Kohler Using the Data?
If Kohler can access the data stored on its servers, what are they doing with it? While I don’t have a precise answer, there are indications they’re using it for purposes beyond simply providing a service to the user. This may include training AI models.
In response to my question about their use of E2EE, Kohler told me “our algorithms are trained on de-identified data only.” When signing up for an account on the app, the user is prompted to allow Kohler to use the data to “research, develop, and improve its products and technology, and to de-identify [the user’s] data for lawful purposes.”
And the privacy policy states data may be used “To create aggregated, de-identified and/or anonymized data, which we may use and share with third parties for our lawful business purposes, including to analyze and improve the Kohler Health Platform and our other products and services, to promote our business, and to train our AI and machine learning models.”