Bold claim: a smart toilet that claims to protect your most intimate health data may actually expose it to the company behind the device. The Dekoda, Kohler’s $599 toilet-mounted camera, promised end-to-end security while offering health insights from waste through optical sensors and AI. Instead of delivering true end-to-end encryption, new findings show Kohler Health could decrypt and access user images stored on its servers, raising serious privacy concerns.
When Kohler Health introduced the Dekoda in October, the pitch centered on wellness monitoring—hydration, nutrition, and other indicators—via a camera attached to the toilet rim. The system uses an app to translate captured images into insights, with touted protections like fingerprint authentication and data security assurances. However, security researcher Simon Fondrie-Teitler’s investigation reveals a gap between these promises and actual data handling: the service can decrypt data upon arrival for processing or AI model training, contradicting the universal standard of end-to-end encryption, where only the sender and recipient should access unencrypted information.
The core issue, as explained by Fondrie-Teitler, stems from Kohler’s redefinition of end-to-end encryption. Kohler asserts that data is encrypted at rest and in transit, but that the company itself decrypts the data for analytics and support. In a conversation cited by 404 Media, Kohler stated that end-to-end encryption is typically used for person-to-person messaging, and thus their use of the term here refers to encryption between users and Kohler Health rather than a messaging scenario. This framing has drawn sharp criticism from privacy experts who argue that if the company can view the data, it is not truly end-to-end encrypted by standard definitions.
Fondrie-Teitler’s inquiry began with whether Kohler could access encrypted images. The answer: yes—the company confirms it can view data to improve services and train AI models. While the Dekoda requires a subscription for insights, users may be unaware that anonymized images could contribute to broader data collections. Encryption is present during transmission, but decryption occurs on Kohler’s side, rendering this closer to client-server encryption than true end-to-end encryption. A cybersecurity observer captured the sentiment by likening it to sending a locked box but giving the post office the key.
Kohler defends its approach by pointing to privacy policy disclosures about data use for research and development, including anonymization and compliance with health data regulations. Critics, however, argue that burying such practices in policy language undermines the bold marketing claims of end-to-end encryption. Tech press coverage notes persistent skepticism: although Kohler maintains its security measures are solid, many in the security community remain unconvinced.
This case slots into a broader look at IoT devices that gather intimate biometric data—from smart rings to sleep trackers and beyond. Privacy advocates warn that marketing claims of strong security can erode trust when real data handling practices aren’t genuinely private. The public response on social platforms blends humor with concern, with people questioning why personal bathroom data would be subjected to corporate access, highlighting a demand for verifiable security in consumer health tech.
Kohler’s public stance emphasizes transparency and privacy foundations, with notes about automatic image deletion after analysis and opt-out options for data sharing. Yet the company has not revised its encryption terminology. Privacy advocates and organizations like the Electronic Frontier Foundation urge stricter standards, warning against co-opting security terms to obscure insufficient protections. The incident could influence future regulatory scrutiny, potentially accelerating calls for independent security audits and more explicit data-handling disclosures for IoT health devices.
Industry voices advise consumers to interrogate privacy policies before purchasing: does the service truly require access to user data to function? While on-device or edge processing could mitigate data exposure, there are no public plans announced for Dekoda to shift in that direction.
Looking forward, the Kohler episode may ripple into regulatory conversations around health data, privacy protections in health tech, and consumer rights in the era of connected devices. In regions with stringent data laws, such as the EU’s GDPR, or evolving U.S. standards, companies could face renewed pressure to demonstrate verifiable privacy protections beyond marketing rhetoric.
Lessons from this case emphasize that hype around new health technologies must be matched by robust, verifiable security practices. Techniques like zero-knowledge proofs or federated learning offer avenues to advance AI-assisted health insights without exposing raw data. Independent security audits and clearer privacy disclosures could become standard expectations for IoT products. For potential buyers, weighing claimed health benefits against privacy risks—and considering less invasive alternatives—remains prudent.
Ultimately, transparency is not optional in a highly connected world. The Kohler Dekoda episode underscores that strong security claims require rigorous, verifiable implementation; otherwise, user trust can be eroded, and the promise of meaningful health insights may be overshadowed by unexpected data access and policy gaps.
