As Fondrie-Teitler pointed out, Kohler’s privacy policy indicates that Kohler can utilize customer information to “generate aggregated, de-identified and/or anonymized data, which we may use and disclose to third parties for our lawful business objectives, including to assess and enhance the Kohler Health Platform and our various products and services, to promote our business, and to refine our AI and machine learning models.”
In its announcement, Kohler stated:
If a user agrees (which is optional), Kohler Health may anonymize the data and employ the de-identified data to train the AI that powers our product. This consent check-box is available in the Kohler Health app, is voluntary, and is not checked by default.
Words are important
Kohler isn’t the inaugural tech firm to mislead individuals with its use of the term E2EE. In April, there was discussion regarding whether Google was genuinely providing Gmail for business users E2EE, since, besides the sender and receiver having access to decrypted messages, personnel within the users’ organization who deploy and manage the KACL (Key Access Control List) server can access the key needed for decryption.
Overall, what is most significant is whether the product delivers the security that users expect. As Ars Technica Senior Security Editor Dan Goodin reported regarding Gmail’s E2EE discussion:
“The new feature is potentially valuable for organizations that need to comply with strict regulations requiring end-to-end encryption. It absolutely isn’t appropriate for consumers or anyone who desires sole authority over the messages they transmit. Privacy advocates, take note.”
When the product in question is an Internet-connected camera installed inside your toilet bowl, it’s crucial to inquire whether any technology could ever ensure enough privacy. For many, no appropriate terminology could justify such a device.
Nevertheless, if a business is to promote “health” products to individuals who may have health concerns and possibly limited cybersecurity and tech privacy understanding, there is a responsibility on that business to provide clear and direct communication.
“Using security terminology that the public does not comprehend to try and construct an illusion of data privacy and security being a key concern for your organization is misleading to the individuals who have purchased your product,” Cross remarked.
