Kohler is facing privacy backlash after security researchers revealed the company's $599 smart toilet camera isn't actually "end-to-end encrypted" as advertised. The Dekoda device, which photographs users' waste to analyze gut health, gives Kohler full access to customers' most intimate data - and the company admits it uses these images to train AI algorithms.
The smart home privacy nightmare just got more personal. Kohler, the century-old plumbing giant, is scrambling to defend its marketing claims after security researcher Simon Fondrie-Teitler tore apart the company's privacy promises around its controversial toilet camera.
The Dekoda device launched earlier this year with a bold pitch: attach a $599 camera to your toilet bowl, let it photograph your waste, and get personalized gut health insights delivered through a mandatory $6.99 monthly subscription. To calm obvious privacy fears, Kohler's website prominently claimed all data was secured with "end-to-end encryption."
But that's not what's actually happening. Fondrie-Teitler's investigation reveals Kohler is using basic TLS encryption - the same security that protects regular websites - while misleadingly calling it "end-to-end encryption." The distinction matters enormously for user privacy.
True end-to-end encryption, used by Signal, WhatsApp, and Apple's iMessage, means only the sender and recipient can read the data. Even the company providing the service can't access it. TLS encryption only protects data while it travels over the internet; the data is decrypted at the receiving server, so companies can still read everything once it reaches their servers.
"Using the right terms matters, especially in the context of users' privacy concerns," the original TechCrunch investigation noted. The terminology confusion could lead customers to believe Kohler can't see their toilet photos when the company actually has full access.
When confronted, a Kohler privacy contact told Fondrie-Teitler that customer data is "encrypted at rest" on phones and company servers, but crucially admitted that data "travels between the user's devices and our systems, where it is decrypted and processed to provide our service." That's the opposite of end-to-end encryption.
The privacy implications get worse. Since Kohler can access the toilet photos, the company confirmed it's using this intimate data for AI training. A company representative told Fondrie-Teitler that Kohler's "algorithms are trained on de-identified data only," but provided no details about the de-identification process or whether users explicitly consented to their waste photos becoming AI training material.
This scandal highlights a broader problem plaguing the IoT industry. Companies routinely misuse security terminology to market products, leaving consumers unable to make informed privacy decisions. Apple and Google have pushed for clearer privacy labeling, but the smart home market remains filled with devices making misleading security claims.
The timing couldn't be worse for Kohler. Consumer privacy awareness is at an all-time high following high-profile data breaches at Meta, Amazon, and other tech giants. Smart home adoption has slowed as users become more skeptical of devices that collect personal data.
TechCrunch reached out to Kohler for comment but received no response. The company's silence speaks volumes about how seriously it takes these privacy concerns.
For customers already using the Dekoda, there's no easy way to ensure their toilet photos remain private. The device requires cloud connectivity to function, and Kohler's privacy policy makes clear the company retains broad rights to use customer data.
The Kohler toilet camera controversy exposes how companies exploit consumer confusion about privacy terminology to collect and monetize intimate personal data. As smart home devices become more invasive, regulators and consumers need to demand clearer, honest disclosure about what data companies can access and how it's used. Until then, buyers should assume that when an IoT device claims "encryption," the company can probably still see everything.