Regional Awareness, Privacy and Encryption
Hi 1Password Team. As the year winds down, I'm getting a little more time thinking about password management strategies and the technology direction which 1Password has embarked upon. Namely, memberships tied to a 1Password.com account with the vault stored in the cloud managed by AgileBits.
The advantages of this approach couldn't be more clear. One of the primary examples of the benefit of this direction and having my vault data in the 1Password cloud is being able to take advantage of 1Password X. The architectural advantages mean that AgileBits are able to build a consistent UI on any device to my vault data. Securely.
As I consider the personal benefits of 1Password, I am also consciously aware that AgileBits is a Toronto based company and while not intimately aware of Canadian privacy/encryption laws, what jurisdiction presides and what happens when the NSA, FBI (or CIA because Canada is a foreign nation to the US?) or the Canadian equivalent of these (Canadian Mounted Police?) decides that it needs access to my vault data, I am still pessimistically cautious because of my previous government training.
As a rule, most organisations like to hold their data within their own geographical region. Especially if that data is sensitive in nature. Passwords and secure notes often represent the keys to the kingdom and so for me, it definitely falls into the scope of sensitive data.
As it stands today, I only own and use a licensed copy of 1Password. I do not have a 1Password.com membership and I host my data on cloud services that I know allow me to restrict access via geographically isolated zones. My understanding at this stage is that the 1Password cloud (assuming you use either Amazon Web or Azure hosting services) is not geographically isolated.
When will this option/flexibility be introduced? Is it on the roadmap?
Thank you again for continuing to innovate in the password management area. It's been a real pleasure seeing 1Password mature ever since I started using it, a decade or more ago! (I've lost count!)
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
Where are you based? My understanding is that the main reason for creating 1password.eu was so that EU privacy rules could be ensured. I think the data centers are in Frankfurt.
Also, because AgileBits do not have either your master password or your secret key (the latter only exists if you have a subscription) then all they could ever be forced to hand over is an encrypted version of your data with no means of decrypting it.
-
My understanding is that the main reason for creating 1password.eu was so that EU privacy rules could be ensured. I think the data centers are in Frankfurt.
@danco: Thanks! Indeed, that's correct. Both 1Password.eu and 1Password.ca are GDPR compliant; 1Password.com would be too except for it being run on servers located in the US. Some people may want/need to use one or the other based on contractual agreements though (e.g. some data must stay within EU jurisdiction).
Also, because AgileBits do not have either your master password or your secret key (the latter only exists if you have a subscription) then all they could ever be forced to hand over is an encrypted version of your data with no means of decrypting it.
Also correct, and we have more details here:
Information for Law Enforcement
And in the security white paper.
@laugher: But to answer your specific questions:
what jurisdiction presides and what happens when the NSA, FBI (or CIA because Canada is a foreign nation to the US?) or the Canadian equivalent of these (Canadian Mounted Police?)
While we do not have the keys to grant anyone access to the contents of your vault, we can comply with legal orders under Canadian law to turn over the encrypted data, the name on the account, etc. (specifics in the article above)
My understanding at this stage is that the 1Password cloud (assuming you use either Amazon Web or Azure hosting services) is not geographically isolated. When will this option/flexibility be introduced? Is it on the roadmap?
I don't recall exactly when 1Password.eu and 1Password.ca "launched" because it wasn't something we publicized, but it was at least a couple years ago now. The breakdown is as follows:
- 1Password.com: AWS N. Virginia, USA: us-east-1
- 1Password.ca: AWS Montreal, Canada: ca-central-1
- 1Password.eu: AWS Frankfurt, Germany: eu-central-1
Thank you again for continuing to innovate in the password management area. It's been a real pleasure seeing 1Password mature ever since I started using it, a decade or more ago! (I've lost count!)
Likewise, thanks for your passion for what we do! None of this would exist without the encouragement and support of you and the rest of your awesome customers. Happy holidays! :chuffed:
-
@danco - based in Australia. Worked in various geographic locations in this part of the world including China and South East Asia.
@brenty and @danco - thanks for the refresher and additional information.
So if I am the Canadian Mounted Police and I obtain a court order or if I am the CIA and I leverage off my relationships with the Canadian Mounted Police to obtain said court order, I would be able to obtain someone's 1Password entire vault directory. Granted that this is all encrypted.
Do you have other federal government agencies outside of the US, EU and Canada that are using 1Password in the enterprise? Would you be able to give me some references so I can understand how they accept the residual risks involved?
-
So if I am the Canadian Mounted Police and I obtain a court order or if I am the CIA and I leverage off my relationships with the Canadian Mounted Police to obtain said court order, I would be able to obtain someone's 1Password entire vault directory. Granted that this is all encrypted.
@laugher: Precisely. :+1:
Do you have other federal government agencies outside of the US, EU and Canada that are using 1Password in the enterprise? Would you be able to give me some references so I can understand how they accept the residual risks involved?
We cannot. If any of our customers want to publicly discuss their use of 1Password, we're more than okay with that. But it isn't a decision we will make on behalf of anyone, government, corporate, or individual. We take customer privacy very seriously, and everything is considered confidential unless and until the customer themselves makes it otherwise. Thanks for understanding.
-
Ok. Understand your position and fully respect your stance. I was hoping there was a customer success story from a government outside of North America or the EU which might give me some leads to follow. Lots of organisations do it as an indication of how widely accepted they are.
Congratulations on winning Apple over? I think I read somewhere where Apple deployed 1Password in their enterprise!
-
It's entirely possible that folks in those sectors will share their 1Password stories someday. It's really fun and inspiring when that happens, but we've got to leave it up to each customer to determine if they want to do so. Cheers! :)
-
Thanks for the suggestion. :)
Ben
-
Looks pretty grand to me! :love: