Security and privacy with a family plan
I'm in the process of upgrading from the old 1Password 5 to the new 1Password 7, and I've shared my experience in this other thread.
I've been testing the family plan. At the moment I'm in the 30-day free trial, I'm the only user (the "family organizer"), and I've invited myself with different email addresses, to see how it would work for different people using other devices.
The features listed on your website made it sound quite interesting, and I really like how it makes it easy to set up new family members and then share vaults and items. However, the way some things work makes it less useful for me. I'm in a position where I like some things but not others, and if I actually got a family plan I'd do so despite some of its features. Of course I totally appreciate that the family plan might work very well for other users, and it's just a matter of personal preference. Anyway, now I'm instead considering either getting personal plans for each family member, or simply buying standalone license(s) and keeping using Dropbox-sync. Before deciding, I wanted to share my thoughts here, to check if there are solutions to the things that I'm perceiving as issues.
For clarity, I'm going to use the term "account-vault" to refer to any vault managed through and stored on the new 1Password account, and "local-vault" to refer to any good old vault stored on a device. I'm also going to use "agilebits-sync" to refer to the proprietary syncing that is backed by the AgileBits servers, and "icloud-sync", "dropbox-sync", etc. to refer to the other methods.
Cutting to the chase, I can think of two main issues.
The first one is privacy control and the power of family organizers.
It looks like each family user only has one truly private vault, the one that is aptly named "Private". Individual family users are the only ones who can edit the items in their Private vaults, and the family organizers can't even see them. However, if a user creates any other vault, the family organizers can later add themselves to it, and even de-associate the vault from the family user who originally created it, basically revoking their access to their data.
It seems that family users are encouraged to only use their one Private vault to store private data, as any other vault they create can in theory be taken over. This seems a step back compared to how I've been using 1Password till now (again, I'm upgrading from 1P5), since today I am used to organizing my data in a number of independent vaults.
As a real world example of why this is a problem, I have a family member (using a standalone 1P6 license at the moment) who works as a technical consultant and has a number of clients. The family member uses their Primary vault for all their personal stuff (bank details, online accounts, documents, etc), and then has created a number of secondary vaults, one for each client. These vaults contain things like email accounts and other business sensitive data. If this family member were to join the family plan, and imported everything, then they'd have two choices: either merge everything into the Private vault to ensure privacy, or accept the fact that a family organizer could technically access their clients' data. Neither of these choices is acceptable for them, and I strongly agree. Also, to avoid doubts, saying "well, their clients should get 1Password for Business!" is not a solution, as it's not really my family member's choice.
I suppose that an alternative to this issue is to mix-and-match account-vaults and local-vaults, so that the local-vaults can stay private. But if we're doing that, then I'd just buy the standalone licenses.
The second issue is about the risk of losing a user's data.
I've realized that if a family user is suspended they lose access to all their vaults. If they're kicked out of their accounts, their vaults are lost forever (I don't know if the AgileBits customer support would be able to recover their vault if the deletion happened by mistake). This seems very risky, because family users basically have to blindly trust their family organizers. Family users are expected to store all their passwords, accounts and sensitive data in their 1Password family account, but their data is not really under their control because it could be taken away from them. Based on my tests, the only way to protect their data is to also store it on local-vaults on their machines, as those will remain available (in read-only mode) if the family users are removed from the family accounts. So I was wondering if perhaps I got it wrong, and if there is a way to automatically convert the family users' account-vaults to local-vaults when they get suspended or kicked out of the family account, just to ensure that they can still access their vaults.
Now, I know what you're probably thinking: the point of a family plan is that it's for families, where people trust each other and where there is no risk of family organizers taking advantage of their power. In principle I agree, but I can't ignore that I'd be teaching the wrong thing to my kids (and to less technically-savvy family members). We live in a world where society is finally talking openly about things like abusive relationships and their power dynamics, and I want to set a good example. I want my kids to properly understand that they should responsibly seek and ensure their ownership and control over their data, and should not entrust it to others. I might be a bit extreme, but I believe that security does not just come from solid encryption and good UX, but also from how we interact with technology and how well we understand the consequences of our choices.
On a different note, I also find it a bit scary that if a family organizer's login got compromised, the malicious third party could cause a lot of damage to every family user's vaults.
So, with the two main points outlined above, what should I do? Did I get something wrong, and there is an easy way to solve those issues? Is there any chance that you could review my feedback and change how family plans work? Or should I just get individual accounts or standalone licenses?
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: macOS 10.14.6
Sync Type: Not Provided
Comments
Hi @tompave
There is indeed a level of trust the family needs to place in the Family Organizer(s). Ultimately the organizers own the membership and everything in it. They could delete the entire membership at-will if they wanted. If you don't have that level of trust with your proposed organizers then it may make sense to have a separate individual account and only use the family account for sharing family data.
We've had a fair bit of discussion on this subject in another thread, here, if you'd like to read through it:
Powers of Family Organizers / Multiple "Private" vaults — 1Password Forum
Neither of these choices is acceptable for them, and I strongly agree. Also, to avoid doubts, saying "well, their clients should get 1Password for Business!" is not a solution, as it's not really my family member's choice.
I would actually suggest that your family member should consider getting 1Password Business, inviting each of those clients to share the vault created for them, and charge for that service accordingly. ;) How else would they securely share passwords and track changes?
I suppose that an alternative to this issue is to mix-and-match account-vaults and local-vaults, so that the local-vaults can stay private. But if we're doing that, then I'd just buy the standalone licenses.
I'd personally leave standalone out of it entirely. It is possible to use multiple accounts within each of our apps. For example, I have a 1Password Families membership account, a 1Password Business membership account (for my work here), and a 1Password Teams membership account that is part of a non-profit I volunteer with. All of these are accessible to me in each of the 1Password apps, but it keeps a proper level of separation between the data.
This seems very risky, because family users basically have to blindly trust their family organizers.
Hopefully it isn't blind. I would hope that anyone joining a 1Password Families membership would have solid knowledge and familiarity with the organizers of that membership. If that isn't the case then I wouldn't join that family.
Family users are expected to store all their passwords, accounts and sensitive data in their 1Password family account
Mmm. Perhaps. And most people do indeed likely use it that way. But as mentioned above it would be entirely possible to only store the data that is relevant to the family in those vaults, and then store everything else separately.
Now, I know what you're probably thinking: the point of a family plan is that it's for families, where people trust each other and where there is no risk of family organizers taking advantage of their power. In principle I agree, but I can't ignore that I'd be teaching the wrong thing to my kids (and to less technically-savvy family members). We live in a world where society is finally talking openly about things like abusive relationships and their power dynamics, and I want to set a good example. I want my kids to properly understand that they should responsibly seek and ensure their ownership and control over their data, and should not entrust it to others. I might be a bit extreme, but I believe that security does not just come from solid encryption and good UX, but also from how we interact with technology and how well we understand the consequences of our choices.
There are some reasonable thought processes there, but the reality is that someone is paying for this and it probably isn't the kids. As long as that is true whoever is paying is going to have some level of control (e.g. to stop paying).
So, with the two main points outlined above, what should I do? Did I get something wrong, and there is an easy way to solve those issues?
It really sounds like you want everyone to have their own separate account for their personal data, and to only use 1Password Families for shared family data. You can certainly do that, and that is your prerogative, but there is also of course a cost associated with that.
Is there any chance that you could review my feedback and change how family plans work?
We're always open to feedback, and to re-evaluating the choices we've made. That said, as you might imagine, there is a fairly high bar for completely re-designing how the whole system operates. I don't believe we've come anywhere near approaching the level of feedback around these types of issues that would be necessary to cause a major shift in thinking. We'll certainly continue to gauge how much impact the current model has around issues like the ones you've discussed and brainstorm on any changes that might be feasible, but I wouldn't expect a massive re-engineering (and certainly not overnight).
You're totally right that the people paying the bills have a lot of power. That tends to be fairly pervasive throughout our society, and applies with 1Password as well.
Or should I just get individual accounts or standalone licenses?
Neither of those options alone is going to allow for effective sharing, which is one of the primary reasons folks consider 1Password Families. If you'd like to be able to share with your family, and have everyone have their own completely independent silo as well, the most sensible thing might be to consider an individual account for each person as well as a 1Password Families membership.
Ben
Closing this so we're not having the same conversation in multiple places at once. :)