Terr_ 9 hours ago

So basically their marketing-department is abusing a security term in order to sound good, as opposed to a software flaw.

They're claiming "end to end" encryption, which usually implies the service is unable to spy on individual users that are communicating to one another over an individualized channel.

However in this case there are no other users, and their server is one of the "ends" doing the communicating, which is... perhaps not a literal contradiction in terms, but certainly breaking the spirit of the phrase.

  • bmandale 8 hours ago

    This is an incredibly common misuse of the term e2ee. I think at this point we need a new word because you have a coin flip's chance of actually getting what you think when a company describes their product this way.

    • WatchDog 8 hours ago

      Any new term you come up with, will end up being misused by marketers.

    • fastball 8 hours ago

      I have never seen "e2ee" abused this way personally.

    • g-b-r 7 hours ago

      It's not incredibly common, there's sure a lot of companies that try to misuse it, but the average person (even non technical) still interprets it in the correct way

    • tacitusarc 8 hours ago

      “In transit encryption”

      • boomboomsubban 8 hours ago

        Creating a new term for the less secure definition doesn't work, as they'll just continue to call it E2EE encrypted.

      • kstrauser 8 hours ago

        I despise how often that’s used. “Do you have end to end encryption?” “Sure! We use TLS for everything, and KMS for at-rest.” “So… no?”

  • koolba 8 hours ago

    > However in this case there are no other users, and their server is one of the "ends" doing the communicating, which is... perhaps not a literal contradiction in terms, but certainly breaking the spirit of the phrase.

    Am I understanding correctly that the other end of this is a rear end?

    • hulitu 4 hours ago

      Every front end needs a rear end. So, yes.

  • addaon 8 hours ago

    While they’re taking one “end” much less literally than usual, they are taking the other “end” much more literally…

  • geoduck14 8 hours ago

    This is exactly what E2EE means. I used to work at a bank, and our data was E2EE, and we had to certify that it was E2EE - from the person paying, through the networks, through the DNS and Load balancers, until it got to the servers. Only at the servers could it be unencrypted and an (authorized) human could look at it.

    Of course, only authorized users could see the data, but that was a different compliance line item.

    • modeless 7 hours ago

      No, E2EE doesn't mean it's encrypted until the service provider decrypts it. E2EE means the service provider is unable to decrypt it. What you are describing is encryption in transit (and possibly at rest).

      Bank data is never E2EE because the bank needs to see it. If banks call it E2EE they are misusing the term. E2EE for financial transactions would look like e.g. ZCash.

      • RHSeeger 7 hours ago

        I would argue it depends on context. E2EE means it's encrypted until the "target" receives it. For a messaging protocol, it's the intended recipient of the message. For what the person you're replying to is discussing, the intended recipient IS the bank.

        That being said, the person you're replying to seems to be saying that "the server" is always an "intended" end, which is wrong.

    • pyuser583 an hour ago

      It sounds like one term is being used for two very different things.

    • kstrauser 8 hours ago

      Nah. You have no reasonable expectation that the bank itself can’t access your financial records. Anyone reading Kohler’s lies would have every expectation that the Internet of Poopcam screenshots are theirs and theirs alone.

      • lukeschlather 8 hours ago

        Anyone reading that is misunderstanding what E2EE means. As the article says, that's client-side encryption. Kohler isn't lying, people are confusing two different security features.

        • kstrauser 7 hours ago

          That is an uncommon interpretation that’s far different than the usual meaning.

  • lmm 3 hours ago

    > They're claiming "end to end" encryption, which usually implies the service is unable to spy on individual users that are communicating to one-another over an individualized channel.

    It doesn't "imply", it outright states that. Their server isn't the end, it's the middle. They're not "breaking the spirit" or something, what they are doing is called lying.

codingdave 9 hours ago

Sounds like the crappiest data source for AI training yet.

But in all seriousness, of course they can access the data. Otherwise who else would process it to give any health results back? I don't think encryption in transit is relevant to privacy concerns because the concerns are about such data being tied to you at all, in any way. At the same time, yes, this could produce valuable health information.

Their better bet would be to allow full anonymity, so even if there is a leak (yeah, the puns write themselves), there is never a connection between this data and your person.

  • fastball 8 hours ago

    You could have a classifier running on-device that sends summary data (rather than raw images) back to Kohler.

    • karlgkk 8 hours ago

      Yeah, it’s kinda like such a reasonable thing too

      Doing on device compute is probably expensive and would prohibit such a product based on the economics but IT'S A GENITAL CAM

      • tclancy 20 minutes ago

        Chuck Berry doesn’t see your point but would like to talk more.

      • Sanzig 8 hours ago

        Well, this waste analyzing piece of e-waste costs $600, so you could probably cram a lot of inference horsepower in there if you wanted to.

        • aerostable_slug 7 hours ago

          And the heat from the processor(s) would make for a comfy user experience in the wintertime.

      • xp84 2 hours ago

        Isn’t it more of a poo cam if it’s pointed down?

      • IncreasePosts 5 hours ago

        Only for the very well endowed since it points down. Though hopefully they're doing something other than let their bits dangle in the toilet water.

  • duskdozer 6 hours ago

    >Otherwise who else would process it to give any health results back?

    Well it could be processed on-device.

    • tbrownaw 6 hours ago

      That would only work after they're done training the ai models.

      • mindslight 6 hours ago

        So like after the alpha and beta phases, when they have an actual product worthy of selling?

  • g-b-r 7 hours ago

    > But in all seriousness, of course they can access the data. Otherwise who else would process it to give any health results back?

    It's "of course" for very knowledgeable people, normal people just assume that it means guaranteed privacy

schmuckonwheels 8 hours ago

Imagine the collective brainpower that could be used to help solve the world's ills, and instead decided, no, what we need is a camera pointed at your asshole which we feed into an AI-powered SaaS we can then sell to you for a subscription. This industry is finished.

  • Aeolun 5 hours ago

    It’s pretty impressive that that juicero thing wasn’t the most bizarre thing they could come up with.

    • mzhaase 4 hours ago

      I watched a teardown of it and the truly bizarre thing was that the build quality was actually amazing. Machined out of a huge block of aluminum, really big bearings, etc.

      • kortilla 3 hours ago

        That was part of why it failed though. The over-engineering made it very hard to recover costs

  • venturecruelty 5 hours ago

    This is downstream from the notion that companies need to have infinite growth forever. Of course, that's not possible, so this is the end stages of that: wealth trickles up while the, well... you can guess what's trickling down.

  • EdwardDiego 7 hours ago

    They claim it only points about your doings, but even then...

poisonborz an hour ago

The problem is genuinely the misleading nature of the phrase "end to end" and the lack of a better alternative. HTTPS is "end to end". There should be some new word for "decryptable only by the user".

  • amelius 36 minutes ago

    We need more products to be vendor agnostic, really.

lrvick an hour ago

So basically some idiot company connected toilets with cameras to the internet claiming the media collected of people's "ends" was end to end encrypted. Except, it wasn't.

These compromised toilets could be easily used to exfiltrate compromising videos of exfiltrations.

The toilets leak pictures of people taking leaks.

The internet really is going to shit.

lambdaone 2 hours ago

This brings back memories of Adult Swim's "Smart Pipe" spoof infomercial.

stevenjgarner 2 hours ago

Here we are 35 years after the invention of the web browser, and now browser fingerprinting is an exact science. [1] I'm guessing 35 years from now toilet bowl fingerprinting will be an exact science. Claims of "de-identified and/or anonymized data" are reckless and naive.

[1] https://news.ycombinator.com/item?id=46016249

lotrjohn 8 hours ago

They can encrypt data coming out of both ends?!

  • fransje26 an hour ago

    Sounds like something they pulled out of their ass..

tracerbulletx 8 hours ago

This obsession with personal health data collection is in itself counterproductive to health outcomes and insane behavior.

sriram_malhar an hour ago

This world is upside down. I wake up feeling like I am the man in the middle being attacked from all sides.

recursivedoubts 8 hours ago

congratulations, you have lived to see man made horrors beyond your comprehension

Cyphase 3 hours ago

Our crypto cookies implement end-to-end encryption by creating a digest of the input morsels and securing their transit between the front end and the back end. Be warned, certain failure modes can result in over-encryption or return of partially-encrypted ciphertext to the sender.

neilv 8 hours ago

> Kohler Health’s homepage, the page for the Kohler Health App, and a support page all use the term “end-to-end encryption” to describe the protection the app provides for data. Many media outlets included the claim in their articles covering the launch of the product.

When companies first wanted to sell things over the Web, a concern I heard a lot was that consumers would be afraid of getting ripped off somehow. So companies started emphasizing prominently how the customer was protected with n bits of encryption. As if this solved the problem. It did not, but people were confused by confident buzzwords.

(I was reminded of this, because I actually saw a modern Web site touting that prominently just last week, like maybe they were working from a 30 year-old Dotcom Marketing for Dummies book, and it was still not very applicable to the concern.)

Some marketers lie, or don't care what the truth is. They want success, and bonuses, and promotions. And, really, a toilet company possibly getting class-action sued for a feces camera that behaves in an unexpected way, that attorneys would have to convince a judge was misrepresented, and then quantify the unclear harm, and finally settle, several years later, for lawyers' fees and a $10 off coupon for the latest model Voyeur Toilet 3000... isn't on the radar of the marketers.

joezydeco 8 hours ago

How does one "train" an AI with a flood of random toilet pictures and no corresponding medical data to match it with?

  • imglorp 8 hours ago

    "potty training". Sorry.

    Anyway a chemical or biological sensor in the bowl might be more useful.

    Optical could be useful if it's doing spectrographic analysis: the color of poo and urine is sometimes informative.

  • venturecruelty 5 hours ago

    You pay someone in a developing nation $1.00 per day to look at thousands of photos of shit. Like, how do people think Facebook moderation and semantic labeling happen? Cheap labor in places with no labor laws. It was ever thus.

    • xp84 an hour ago

      Appropriate username.

      And oh dear, that’s all too realistic. Imagine responding to the job posting and finding out these are the images you’ll be classifying.

  • hackernudes 8 hours ago

    They probably do clinical trials (or at least something like that) where they get baseline data from participants through other means.

    • joezydeco 8 hours ago

      I'm talking about sold units in the field.

      • themafia 6 hours ago

        The same thing we always do. Pay some citizens of an African nation a pitiful wage to just make up annotations.

        Then you can incorporate this into a "health care product" and charge insurance companies insane rates on personal toilet cameras.

  • captainkrtek 8 hours ago

    I think the obvious things are:

    - Deviation in consistency/texture/color/etc.

    - Obvious signs related to the above (eg: diarrhea, dehydration, blood in stool).

    Ultimately though, you can get the same results by just looking down yourself and being curious if things look off...

    tldr: this feels like literal internet-of-shit IoT stuff.

  • g-b-r 7 hours ago

    They probably do match it, with data collected from other sources

jmonty900 7 hours ago

Kohler can "de-identify [the user’s] data for lawful purposes." I mean exactly how would that ever be justified? "Hey, we see a man-sized log in the bowl. There's only supposed to be women there. The perp must be in that house!!!"

  • tbrownaw 6 hours ago

    That is very strangely worded, to a degree that I wonder if maybe the wordsmithing was outsourced to either an AI or someone who didn't do English very well. Or if it's meant to be confusing.

    But the linked privacy policy talks about making anonymous (aka de-identified) bulk data sets and using them for "lawful business purposes" (aka anything they want that's not illegal).

  • duskdozer 6 hours ago

    IP address, device identifier, mother's maiden name, SSN, etc etc

    • venturecruelty 5 hours ago

      You mean the I-Pee address? Sorry, y'all, I gotta get it out in this thread, it's too easy.

rglover 8 hours ago

Even (especially?) for its stated purpose, this is cursed technology.

BrenBarn 2 hours ago

Let's think about why we're in a world where someone wants to sell you a camera to put in your toilet.

  • amelius 33 minutes ago

    At least it is still optional. Imagine a world where cameras came preinstalled, and your toilet would phone home like your SmartTV and there was no way out of it.

cowsandmilk 8 hours ago

?? I got very confused from the start of this article because it is clear that Kohler is one end of the communication from how the product is described and marketed. They’re just stating the data is encrypted between the device and them.

  • amingilani 8 hours ago

    > it is clear that Kohler is one end of the communication

    That’s not end-to-end encryption. By that logic HN, and any other website over HTTPS is E2E encrypted.

    • amelius 31 minutes ago

      Is HTTPS really always E2EE?

      I was under the impression that large companies work with proxies so they can do deep packet inspection.

      PS: you are right of course.

    • richbell 7 hours ago

      That is what "end-to-end encryption" has come to mean in marketing. In the same way that every single product is "natural."

  • g-b-r 7 hours ago

    No, they're just trying to mislead their clients

handfuloflight 8 hours ago

I'm so sorry for the people who work on this and have to look at the data.

  • tasty_freeze 7 hours ago

    The old adage is "garbage in, garbage out". s/garbage/feces/g

    This sounds like the marketing department came up with this "market opportunity" and then some poor team at Kohler was asked to make it real.

    No doubt there is health data to be had in waste products (it was used extensively during covid to figure out community-wide infection rates) but that used physical samples that were then analyzed. Trying to figure out if someone has a UTI, or pathogenic poop from a webcam image ... it is hopeless.

  • adamwong246 7 hours ago

    Some poor soul has to train this AI. Imagine your job is categorizing pictures of poop

woeirua 8 hours ago

What. Who is buying a $600 camera to take pictures of your stool?

  • mingus88 7 hours ago

    People who have clinical gut issues need to track this kind of thing

    And people who are being treated for gut issues can pay for their $600 medical toilet with HSA or insurance

    Honestly, that this camera toilet exists is not a WTF for me. If my doctor needs to track changes to my stool, I certainly don’t want to have to hover over the bowl with my phone out. Please, just have the toilet take the picture.

    • kstrauser 6 hours ago

      You know, obvious humor potential aside, that’s a great point. Fewer people would laugh about a pee analyzer: “Oh, it can tell if you’re dehydrated, or in ketosis, or whatever? Makes sense!” I can imagine how this could gather similar types of information.

      And yes, if my doctor wanted me to collect that info, I’d vastly rather buy a smart toilet and let it do the dirty work. That is, assuming it was actually secure.

      • mingus88 6 hours ago

        Yeah I hate to kill the party but if you can’t imagine a need for this product, consider yourself blessed. GI issues are not pleasant.

        An ADA toilet at Home Depot is $300 so even the price isn’t that outrageous, honestly. It’s a unique niche product so it’s gonna be a little bit pricey.

        I don’t know, it just feels a bit gauche to make jokes about a medical device. Nobody’s buying this unless they need it, and if they need it then best of luck to them.

      • venturecruelty 5 hours ago

        Assuming you're appropriately sighted, you don't need a $600 toilet cam to tell you if you're dehydrated.

petterroea 8 hours ago

It would be naive to assume they couldn't access the data from a technical perspective. I think anyone in here would think so. The problem is regular customers who aren't technical and don't have much choice but to trust claims by the seller - these are the real victims here.

est 8 hours ago

I feel End-to-end is over marketed. Yes it protects your data from transmission pipes, but data on both your "ends" can be easily controlled and duplicated. Your picture on your device can be accessed by 3rd party, so does your data on the server.

  • g-b-r 7 hours ago

    End-to-end encryption is not a term used for communication between clients and servers, although I saw several marketers trying to do it.

    For normal people E2EE means privacy, and that's why some company tries to sneak the term in products where it makes no sense.

    • est 7 hours ago

      > For normal people E2EE means privacy

      It's misunderstood.

        In the beginning it's used to describe chat apps, your chat messages are delivered in a secure way.

      But later some marketers try to use it as a "transport channel" for client-server interactions.

      • g-b-r 7 hours ago

        > > For normal people E2EE means privacy

        > > It's misunderstood.

        Not in my experience, except by very few

        > But later some marketers try to use it as a "transport channel" for client-server interactions.

        Some, still few enough to not make the term confusing, from what I can tell

gowld 8 hours ago

https://www.youtube.com/watch?v=DJklHwoYgBQ

Smart Pipe | Infomercials | Adult Swim

Everything in our lives is connected to the internet, so why not our toilets? Take a tour of Smart Pipe, the hot new tech startup that turns your waste into valuable information and fun social connectivity.

[Smart Pipe Inc. is a registered sex offender.]

doctorzook 8 hours ago

Holy crap.

I remember a sign in our dorm bathroom that read, “toilet cam is for research purposes only”. It was a joke, but always got a nice reaction from new people in the building.

But they actually sell this?! And want to charge me for it!?

Holy crap!

  • Sanzig 8 hours ago

    They want to charge you $600 for it, plus a $7/mo subscription.

calebio 8 hours ago

It was only a decade or so ago that "End-To-End Encryption" began to mean something other than "encrypted in transit".

E2EE now means something wildly different in the context of messaging applications and the like (since like 2014) so this is more of an outdated way of saying "no one is getting your poop pictures between your toilet and us".

It also feels like it would never make sense for this to be "E2EE encrypted" in the modern sense of the term as the "end user recipient" of the message is the service provider (Kohler) itself. "Encrypted in Transit" and "Encrypted at Rest" is about as good as you're going to get here IMO as the service provider is going to have to have access to the keys, so E2EE in a product like this is kind of impossible if you're not doing the processing on the device.

I wonder if they encrypt it and then send it over TLS or if they're just relying on TLS as the client->server encryption. Restated, I wonder how deep in their stack the encrypted blob goes before it's decrypted.

  • g-b-r 7 hours ago

    > It was only a decade or so ago that "End-To-End Encryption" began to mean something other than "encrypted in transit".

    No, before that it was simply not a term, except in some obscure radio protocol (and even there someone competent in cryptography would probably not have chosen that term)

    > E2EE now means something wildly different in the context of messaging applications and the like (since like 2014) so this is more of an outdated way of saying "no one is getting your poop pictures between your toilet and us".

    The outdated way was saying "Military-grade 128-bit encryption", no one really used the E2EE term before it got the current meaning

    > I wonder if they encrypt it and then send it over TLS or if they're just relying on TLS as the client->server encryption. Restated, I wonder how deep in their stack the encrypted blob goes before it's decrypted.

    Some homemade encryption added on top of TLS is very unlikely to increase the security of the system

    • calebio 5 hours ago

      > No, before that it was simply not a term, except in some obscure radio protocol

      > no one really used the E2EE term before it got the current meaning

      It most certainly was a term and no it wasn't simply limited to "some obscure radio protocol".

      1994: https://ieeexplore.ieee.org/abstract/document/363791

      1984: https://dl.acm.org/doi/pdf/10.1145/357401.357402

      1978: https://apps.dtic.mil/sti/tr/pdf/ADA059221.pdf

      > Some homemade encryption added on top of TLS is very unlikely to increase the security of the system

      "Some homemade encryption" is not what I was suggesting at all. E.g. encrypted-at-the-source (client side) AWS files are still sent over TLS as an encrypted blob within an encrypted blob but remain encrypted past the TLS boundary.

      • g-b-r an hour ago

        > "Some homemade encryption" is not what I was suggesting at all. E.g. encrypted-at-the-source (client side) AWS files are still sent over TLS as an encrypted blob within an encrypted blob but remain encrypted past the TLS boundary.

        They need to analyse the data; adding layers of encryption, thus, could only improve security if the keys for the inner encryptions are better protected than the server's TLS private key.

        Which would honestly, actually, likely be the case, but it would probably be a modest improvement

      • g-b-r an hour ago

        The 1994 paper (freely available at https://digital.library.unt.edu/ark:/67531/metadc1341727/m2/...) is actually about proper E2EE.

        I addressed the other two at https://news.ycombinator.com/item?id=46132220 .

        You did show that the term was already used, but in the current meaning

        • calebio 11 minutes ago

          > The 1994 paper (freely available at https://digital.library.unt.edu/ark:/67531/metadc1341727/m2/...) is actually about proper E2EE.

          That paper is about PKI-based session setup for End-End which is the ancestor of SSL/TLS. It even mentions a CAE which is effectively a CA and it does a synchronous handshake to establish a symmetric key. It's very clearly about transport layer security from end to end.

          It's not about User-User E2EE (akin to Signal) and shares very little other than that data is encrypted from point A to point B.

teekert 2 hours ago

"Hey man, we didn't specify where the ends are."

comradesmith 9 hours ago

Holy fuck they actually built Smart Pipe[1]

1: https://youtu.be/DJklHwoYgBQ?si=bSRE2lOqwwm1Q_D9

lisbbb 6 hours ago

What exactly is the toilet camera for? Are they taking pictures of your daily bowel movements?

Mistletoe 8 hours ago

I honestly cannot believe this device exists. I'm living in the absolute weirdest timeline that I could have never imagined. Imagine being an engineer working on this particular ring of the torment nexus.

m3kw9 8 hours ago

No pictures were shown on the website.

mystraline 8 hours ago

So, end-to-end-encraption?

Oh wait, maybe this is what Cory Doctorow is referring to as enshittified?

I mean, these jokes make themselves, including whoever buys the hardware, AND buys the marketing pitch.

  • bombcar 8 hours ago

    It would be end-to-end only if it was pee-to-pee.

crmd 8 hours ago

I’m sorry the shit had hit the fan at Kohler, but there’s no reason a cloud poop camera even exists.

jimt1234 7 hours ago

Years ago, a friend and I were kicking around startup ideas. We weren't coming up with anything good, so we flipped it and decided to come up with the worst/dumbest idea possible. We landed on a social media site dedicated to poop (this was back when social media sites were all the rage). People could upload pictures of their poop, discuss poop, share "best poop" stories, and so on. We never actually built anything, realizing it was just a joke, a total waste of time. ... Fast forward to 2025: For $600-plus-monthly-subscription, we'll take pictures of your poop!

BTW, someone please tell me that there is/was a social media site dedicated to poop, and the founder got rich from it. I need that today.

  • venturecruelty 5 hours ago

    Look on the bright side: you can tell people you were simply ahead of your time!

nurettin 6 hours ago

> collects images and data from inside, promising to track and provide insights on gut health, hydration, and more

cough bullshit.

iwontberude 7 hours ago

What I want to know is who is taking pictures of their poop like this? There has to be a better way.

bvan 7 hours ago

AI enshitification. Literally.
