Smart toilets could leak your medical data, warn security experts

Toilets that collect health data could be hacked to reveal extremely sensitive information and should be regulated as medical devices, say security experts

Toilets with built-in gadgets that monitor your health are poised to make a splash in the world of wellness tech — but they come with risks of data leaks and medical misdiagnosis, warn security experts.

A range of start-ups and research projects have developed smart toilets to monitor everything from heart rate to the consistency of stools and the presence of certain proteins in urine that indicate disease. One device even features an "anus camera" that takes a photo from below for identification, something that has been described as the "polar opposite of facial recognition".

"If you just have a medical hat on, they sound fantastic, but I have a professional privacy hat on," says Isabel Wagner at the University of Basel, Switzerland.

Wagner and Eerke Boiten at De Montfort University in Leicester, UK, recruited a panel of three anonymous privacy experts and asked them to imagine scenarios in which smart toilets backfired. All three expressed serious reservations.

One concern was the privacy of people other than the owner: are visitors consenting to have photographs or measurements taken? There were also worries about the risk of losing sensitive data to hackers, as well as the possibility of companies selling the data on. And if smart toilets were installed in public areas or workplaces, there would be questions about who has access to that data, it was argued.

There were also practical concerns, such as who would be liable if a medical condition were missed, or if false positive diagnoses unnecessarily sent people to doctors, perhaps leading to invasive tests.

The group of experts concluded that smart toilets shouldn't be sold as consumer devices, but instead as medical devices that have to meet high regulatory standards for privacy and safety.

Chase Moyle at smart toilet start-up Coprata says he set out to build a consumer device because creating a medical device under US Food and Drug Administration regulations would raise the price by a factor of 10. It would also mean that, in the US, insurance companies would only offer it to people with diagnosed conditions.

"We think that we're passing up way too much of the population size if it's only a medical device," says Moyle. He says the firm follows best practice on data security. It aims to create a consumer device first before later making a medical device and eventually collecting anonymized data to help researchers working on digestive diseases and nutrition. "No one else has captured this data before on a recurring basis," says Moyle.

Alan Woodward at the University of Surrey, UK, says so-called internet of things (IOT) devices, such as heart rate monitors and CCTV cameras, have often been found to have security flaws, including a smart toilet with a computer-controlled bidet. He fears the same could be true for medical-focused smart toilets. "With a lot of IOT devices, security has never been uppermost in the mind and yet something like a smart toilet is collecting some very personal data," he says. "They're making these weird devices because they can, but nobody's thought through 'should we?'"

Source: New Scientist

