To protect your privacy: email us with billing or account questions instead of posting here.

Regional Awareness, Privacy and Encryption

laugher
laugher
Community Member

Hi 1Password Team. As the year winds down, I'm getting a little more time thinking about password management strategies and the technology direction which 1Password has embarked upon. Namely, memberships tied to a 1Password.com account with the vault stored in the cloud managed by AgileBits.

The advantages of this approach couldn't be more clear. One of the primary examples of the benefit of this direction and having my vault data in the 1Password cloud is being able to take advantage of 1Password X. The architectural advantages means that AgileBits are able to build a consistent UI on any device to my vault data. Securely.

As I consider the personal benefits of 1Password, I am also consciously aware that AgileBits is a Toronto based company and while not intimately aware of Canadian privacy/encryption laws, what jurisdiction presides and what happens when the NSA, FBI (or CIA because Canada is a foreign nation to the US?) or the Canadian equivalent of these (Canadian Mounted Police?) decides that it needs access to my vault data, I am still pessimistically cautious because of my previous government training.

As a rule, most organisations like to hold their data within their own geographical region. Especially if that data is sensitive in nature. Passwords and secure notes often represents the keys to the kingdom and so for me, it definitely falls into the scope of sensitive data.

As it stands today, I only own and use a licensed copy of 1Password. I do not have a 1Password.com membership and I host my data on cloud services that I know allow me to restrict access via geographically isolated zones. My understanding at this stage is that the 1Password cloud (assuming you use either Amazon Web or Azure hosting services) is not geographically isolated.

When will this option/flexibility be introduced? Is it on the roadmap?

Thank you again for continuing to innovate in the password management area. Its been a real pleasure seeing 1Password mature ever since I started using it, a decade or more ago! (I've lost count!)


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • danco
    danco
    Volunteer Moderator

    Where are you based? My understanding is that the main reason for creating 1password.eu was so that EU privacy rules could be ensured. I think the data centers are in Frankfurt.

    Also, because AgileBits do not have either your master password or your secret key (the latter only exists if you have a subscription) then all they could ever be forced to hand over is an encrypted version of your data with no means of decrypting it.

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited November 2019

    My understanding is that the main reason for creating 1password.eu was so that EU privacy rules could be ensured. I think the data centers are in Frankfurt.

    @danco: Thanks! Indeed, that's correct. Both 1Password.eu and 1Password.ca are GDPR compliant; 1Password.com would be too except for it being run on servers located in the US. Some people may want/need to use one or the other based on contractual agreements though (e.g. some data must stay within EU jurisdiction).

    Also, because AgileBits do not have either your master password or your secret key (the latter only exists if you have a subscription) then all they could ever be forced to hand over is an encrypted version of your data with no means of decrypting it.

    Also correct, and we have more details here:

    Information for Law Enforcement

    And in the security white paper.

    @laugher: But to answer your specific questions:

    what jurisdiction presides and what happens when the NSA, FBI (or CIA because Canada is a foreign nation to the US?) or the Canadian equivalent of these (Canadian Mounted Police?)

    While we do not have the keys to grant anyone access to the contents of your vault, we can comply with legal orders under Canadian law to turn over the encrypted data, the name on the account, etc. (specifics in the article above)

    My understanding at this stage is that the 1Password cloud (assuming you use either Amazon Web or Azure hosting services) is not geographically isolated. When will this option/flexibility be introduced? Is it on the roadmap?

    I don't recall exactly when 1Password.eu and 1Password.ca "launched" because it wasn't something we publicized, but it was at least a couple years ago now. The breakdown is as follows:

    Thank you again for continuing to innovate in the password management area. Its been a real pleasure seeing 1Password mature ever since I started using it, a decade or more ago! (I've lost count!)

    Likewise, thanks for your passion for what we do! None of this would exist without the encouragement and support of you and the rest of your awesome customers. Happy holidays! :chuffed:

  • laugher
    laugher
    Community Member

    @danco - based in Australia. Worked in various geographic locations in this part of the world including China and South East Asia.

    @brenty and @danco - thanks for the refresher and additional information.

    So if I am the Canadian Mounted Police and I obtain a court order or if I am the CIA and I leverage off my relationships with the Canadian Mounted Police to obtain said court order, I would be able to obtain someone's 1Password entire vault directory. Granted that this is all encrypted.

    Do you have other federal government agencies outside of the US, EU and Canada that is using 1Password in the enterprise? Would you be able to give me some references so I can understand how they accept the residual risks involved?

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited November 2019

    So if I am the Canadian Mounted Police and I obtain a court order or if I am the CIA and I leverage off my relationships with the Canadian Mounted Police to obtain said court order, I would be able to obtain someone's 1Password entire vault directory. Granted that this is all encrypted.

    @laugher: Precisely. :+1:

    Do you have other federal government agencies outside of the US, EU and Canada that is using 1Password in the enterprise? Would you be able to give me some references so I can understand how they accept the residual risks involved?

    We cannot. If any of our customers want to publicly discuss their use of 1Password, we're more than okay with that. But it isn't a decision we will make on behalf of anyone, government, corporate, or individual. We take customer privacy very seriously, and everything is considered confidential unless and until the customer themselves makes it otherwise. Thanks for understanding.

  • laugher
    laugher
    Community Member

    Ok. Understand your position and fully respect your stance. I was hoping there was a customer success story from a government outside of North America or the EU which might give me some leads to follow. Lots of organisations do it as an indication of how widely accepted they are.

    Congratulations on winning Apple over? I think I read somewhere where Apple deployed 1Password in their enterprise!

  • AGAlumB
    AGAlumB
    1Password Alumni

    It's entirely possible that folks in those sectors will share their 1Password stories someday. It's really fun and inspiring when that happens, but we've got to leave it up to each customer to determine if they want to do so. Cheers! :)

  • laugher
    laugher
    Community Member

    @brenty - prod your marketing people. Its in AgileBits best interest to publish the wide ranging customer base you people have. As far as I am concerned, you folks should be at the far right of the Gartner Magic quadrant and be identified as a market and industry leader!

  • Thanks for the suggestion. :)

    Ben

  • laugher
    laugher
    Community Member

    @Ben just let me know when you folks decide to float the company! :pirate:

  • laugher
    laugher
    Community Member

    @Ben That's one big incentive to join your team!!! Too bad you folks are based in Canada.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @laugher: What's so bad about Canada?! :tongue:

    Anyway, I believe most of us are not actually in Canada at this point. It's a beautiful, safe country, but I prefer subjecting myself to that kind of winter only occasionally by choice. :lol:

  • laugher
    laugher
    Community Member

    Wholeheartedly agree with you @brenty !!! This isn't as grandeur as the AgileBits party on a cruise liner but I don't go very far to get here.

  • AGAlumB
    AGAlumB
    1Password Alumni

    Looks pretty grand to me! :love:

This discussion has been closed.