Telemetry Function
Dear 1Password Team,
I am kind of surprised that I could not find a discussion about the new telemetry function, the internal beta test of which was announced in a blog post on March 13th 2023 on the 1Password website: https://blog.1password.com/privacy-preserving-app-telemetry/
1Password is basically trying to collect de-identified app usage data to improve their services.
I do not want to impute any sinister intentions to 1Password, but this blog post has me really concerned, because in the long term - irrespective of the claim in the blog post that this is not the case right now - it seems just like the setup for a future way of profiling me.
1Password claims the following in the post:
"Over the years, we’ve relied on our own usage in conjunction with your feedback to inform our decision making. This presents a challenge, though: we don’t know when you run into trouble unless you tell us."
I do not understand in how far this poses a problem or should be a reason to setup a telemetry system to monitor user actions inside the app.
Since 1Password is a really great app, you seemed to have performed really well over the last 17+ years with the traditional way of handling user feedback and feature requests. The blog post seems a tad bit too apologetic. As if you knew really well that snooping around inside the app, tracking user behavior and phoning the information back home is not quite the style expected from a company with such a high reputation among its devoted users as 1Password. No matter how de-identified the information is, in the end, I suppose, most users don't want any of this.
I'll hold it to 1Password's credit that you are at least transparent about the intended functionality.
But I really hope that you are keeping to your word that you will inform users as soon as the new functionality rolls out and give them an easy way to opt out - because that is what I intend to do right away: opt out as soon as the functionality arrives.
It is unfortunately a big nope for me. If I run into any trouble using the app, I will tell you the traditional way. No need to track my behavior on behalf of me, thank you!
What is other users' opinion in the Community here?
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser:_ Not Provided
Comments
-
because that is what I intend to do right away: opt out as soon as the functionality arrives.
I hope they do the proper thing and make it opt-in (which I won’t do).
Does anyone know whether the GDPR requires that?
(Like those annoying cookie walls)
0 -
Ever since I started using the early access of 1Password 8, I wondered why 1Password doesn't attempt to gather user behavior statistics. That's state of the art with software development. It would be vastly more efficient to just see how an app is used, in comparison to decipher all the random user feedback from forum and support tickets.
Many things that users have complained about in the forum would get an objective weighting - a weighting that would not depend on how "loudly" someone complained, but on how many people really had problems with.In general, I welcome this as chance to enable 1Password improve their software much faster and more user orientated. Not that green table concept- and design-orientated as some app details appear to be. However, to make efficient use of telemetry, development has to become more dynamic. Telemetry can help to avoid going a wrong path up to the end and waste many resources by doing this. Currently, it seems there is a 1-2 year period for development: "this" year some feature is designed, and "next" year it is being implemented. This is much too long. You need to react to telemetry in terms of months and adapt findings to the current development road.
From past experience with software using telemetry, I accept telemetry if it is optional, either opt-in or opt-out with a notification banner as soon as telemetry is about to be enabled. I must be notified what data is collected and for what it is used. No personal data can be collected. The collection must be implemented in a way that nobody can create some function from the big usage database to query something personal like: "How many times the person with ip address aa.xx.yy.zz started the 1Password app and what items did he use in the last week?" If the data reaches the database, it must merge into one large homogenous pool where no person can be seen any more, just a big sea of users.
I really don't care if 1Password count my clicks on various program functionality. If it helps developing a better GUI or focus on functions I often use, I welcome this, because it will make the app work better for me.
So if it is anonymous, optional, opt-in, well explained and no difference in features if I enable or disable it, it would be fine with me.
As contrast, there is Microsoft Windows and Microsoft Office 365. It's forced, you cannot see what is actually being recorded, and you cannot disable their telemetry. This is something I despise and don't accept. If that software had an alternative, I would switch. However, there aren't alternatives that offer productivity as high, so I feel forced to use a software I despise in some part, which is not a pleasant experience.
0 -
This content has been removed.
-
1Password's mission is to help people safeguard their most important information. We have always taken a people-first approach to security by bringing to market products that are simple and intuitive. Our decision to start testing telemetry with our employees at 1Password is directly aligned with our commitment to make 1Password a better product for everyone.
1Password has grown tremendously in the past couple of years; and, in order to deliver the exceptional product experience our users expect from us, we need to better understand how they use 1Password.
We do want to emphasize that the data you save in 1Password is always yours – end-to-end encrypted with keys only you have. This effort is really about understanding aggregated (not individual!) usage patterns, so we can make using 1Password a better experience for everyone.
And while our goal is to deliver better 1Password products, we won’t require our community to help us if they don't want to. We're fully committed to transparency, and will provide updates coming out of our research and development period. When we are ready for a wider rollout of this functionality, we will provide clear, in-app messaging and you’ll be able to control whether or not telemetry is active on your account.
1 -
Thank you very much for the clear statement.
It is very reassuring to hear.0 -
Interesting perspective on this topic:
0 -
Thank you very much for the link!
Kind of sums up my feelings towards this upcoming feature.
But as long as I can opt out, I will go along for better or worse.0 -
1Password has the option of utilizing any one of a number of robust marketing research methodologies to gather data about product feature usage and preferences. Capturing telemetry from within the 1Password application simply feels too invasive – even if, strictly speaking, it completely respects the user’s privacy and security.
In my opinion, acting in a way that respects the user’s privacy and security by 1Password is the lowest expected threshold. “Doing things right” is not the same as “doing the right things,” and the “right thing” here is to adopt a higher standard and avoid even the appearance of any activity that may have the slightest hint of being less than 100% customer-centric.
As Jane Austin cautioned, “My good opinion once lost is lost forever.”
0 -
I guess it's already possible to actually see what's being collected. If I open the 1Password sqlite database of the Windows desktop client on my PC, running the latest nightly build, I see an item_usage table that seems to be a log what action has been performed on what item at what time. It's already being collected here, just not sent away.
0 -
Thank you all for the feedback. As Tommy mentioned, we’re exploring telemetry as a way to help us make better decisions about how to improve 1Password. Understanding where 1Password isn’t providing the experience we’re hoping to deliver helps us make better decisions. As we grow, our customer base becomes more diverse, and our feature set expands, it has become less predictable which features are essential to our customers. Only a small subset of our customers actually contacts us about the app, be it via email, social media, or the forum, and that sometimes has made us miss the mark when we don't have an accurate understanding of how 1Password is being used.
Any functionality that we roll out to customers will have a prominent in-app message that will ask individual and family account users to choose whether they prefer to keep telemetry on or off for their account. Nothing gets collected until they’ve made this choice, and users will be able to change their preferences whenever they’d like.
@Tertius3 We’ve only rolled out telemetry to our employee base. We’ll be analyzing the results of this internal-only roll-out before implementing this functionality more broadly. The screenshot that you posted isn't part of our telemetry project but is instead just item usage data. We’re going to take time to learn from the internal-only beta before any external expansion to customer accounts.
We look forward to sharing more details as the functionality takes shape through our internal beta.
-Dave
0 -
@Dave_1P Thanks for the info - since I only have a family account, not a business account, I don't have any reporting functionality, so there was no apparent use for that table. And so I suspected it might have a connection to the telemetry project, because it also contains usage data. In my company, I have to use a centrally managed password vault manager product called CyberArk, and from this I know the greatest fear of companies is not enough reporting about item usage. So it all makes sense now.
0 -
Any functionality that we roll out to customers will have a prominent in-app message that will ask individual and family account users to choose whether they prefer to keep telemetry on or off for their account.
Please don’t!
Let me turn off telemetry once (preferably as an admin for my entire family) and then don’t bother me ever again (with prompts about telemetry).
0 -
Assuming telemetry has a customer-facing roll-out: for families, the plan is that each individual will be given the choice. The choice will be synced via that individual's account, so it won't be necessary to make it more than once. It will not be necessary to change your settings using each app installation. Once you have set your preference for your account, that preference will sync to each of the apps you use that account with. You’ll be able to change your preference at any time.
Ben
0 -
I might have misread @Dave_1P’s “any” as “anytime” instead of “whatever”?
0 -
I'm sorry that my comment wasn't as clear as it could have been. Let us know if you have any other questions. 🙂
-Dave
0 -
The screenshot in this blog seems to indicate that this feature will be opt-out:
https://blog.1password.com/telemetry-system-roll-out/
I hope that's not the case! (It should be opt-in)
0 -
Thank you for taking the time to read our latest blog post! We’re excited to introduce our privacy-preserving telemetry system since it will enable us to better understand how people are using 1Password so that we can identify the features and updates we should be investing in first.
Telemetry will have a prominent in-app prompt that will ask individual and family account users to choose whether they prefer to have telemetry on or off for their account.
No telemetry data is collected until you’ve made this choice, and you’ll be able to change your preferences whenever you’d like. We’re rolling this out gradually. If you haven’t seen the prompt yet, we’re not collecting telemetry on your account.
-Dave
0 -
Look, I know there's basically zero chance of this getting rolled back, so I'll just say this clearly: I've been a paying customer of your product long enough that my initial sync mechanism was Dropbox, but a means of collecting and transmitting data about what I'm doing inside my Password Manager is enough of a ticking time bomb that it's gotten me to start a paid evaluation of one of your competitors. We've all been on the internet long enough to recognize a slippery slope when we see one, and user data collection never diminishes in scope. You all are a Security Company - you are held to a different standard than a normal web app. Find some other way of doing customer research.
1 -
Thank you for both the feedback and for being part of 1Password for so many years, we appreciate you sticking with us for so long.
Our intention in rolling out telemetry is to better understand which 1Password features are being used, and how often. We cannot analyze sensitive information like your passwords or which websites you access. The data you save in 1Password is yours. We will be analyzing aggregated and de-identified (not linked to an individual) usage patterns, so we can focus on making 1Password a better experience.
1Password does not have access to the data you store in 1Password. The data you store with us is end-to-end encrypted using secrets that only you have. That’s not going to change. Visit the 1Password Support site to read more about our security philosophy and how 1Password works on a technical level.
We’ve also shared our security design in our white paper: https://1passwordstatic.com/files/security/1password-white-paper.pdf
-Dave
0 -
Telemetry will have a prominent in-app prompt that will ask individual and family account users to choose whether they prefer to have telemetry on or off for their account.
But my question was/is: what’s the default value in that prompt?
(Opt-out as the picture suggests, or opt-in?)
Does anyone know whether opt-out is even allowed by GDPR?
1 -
The screenshot that is included in our most recent blog article is what we're anticipating the experience to look like:
You decide whether to participate or not and this in-app prompt cannot be dismissed until you've made, and confirmed, that choice. Once your preference is set for an account, it will be respected across your apps. Nothing gets collected until you've made the choice to keep telemetry on or off for your account, and you'll be able to change your preferences whenever you'd like.
-Dave
0 -
So opt-out? 😢
(Why are you circling around giving a straight answer?)
1 -
Does anyone know whether opt-out is even allowed by GDPR?
Could this be a “dark pattern” banned by the EU’s Digital Services Act?
0 -
You decide whether to participate or not and this in-app prompt cannot be dismissed until you've made, and confirmed, that choice. Once your preference is set for an account, it will be respected across your apps. Nothing gets collected until you've made the choice to keep telemetry on or off for your account, and you'll be able to change your preferences whenever you'd like.
This is great! It pops up, I click off, and done. So many companies tell you about this, but put it deep into the settings.
0 -
So opt-out? 😢
(Why are you circling around giving a straight answer?)"Opt-in" and "opt-out" can be interpreted in different ways, so we're simply trying to be clear about the actual experience you'll encounter when this rolls out.
Could this be a “dark pattern” banned by the EU’s Digital Services Act?
We ran this experience and content through multiple rounds of user testing to ensure usability, readability and comprehension – and to make the process as transparent as possible. Consenting to sharing analytics data requires multiple affirmative steps and actions from the user in order to prevent anyone from sharing analytics usage unintentionally. Our recommended setting is to share analytics because we want our customers to choose to contribute to telemetry. We have built a truly privacy-preserving system that will help make our products and services better, if customers choose to participate.
Ben
0 -
Hey 1Password team, I waited to comment until further information came out about your new telemetry system. I was hopeful that you would do something truly different with telemetry, that I could feel comfortable keeping enabled.
With your blog post a few days ago, I'm choosing to comment:
https://blog.1password.com/privacy-telemetry-deep-dive/
For context, I'm another long-time 1Password user. According to 1Password my first items were created in 2011, about 12 years ago!
I'm concerned. Certainly there's bright spots about your implementation, but I'm concerned about the direction a telemetry system can take a company, as well as the direction a company wanting a telemetry system is going. There are 3 core ways I'm concerned:
1. Fallacy of designing to make the numbers look good, rather than to make a good product.
2. Collection and storage of data that is not end-to-end encrypted.
3. Primarily opt-in, rather than opt-out, system.First, it's incredibly easy to fall into the trap of building and designing a product that makes the numbers look good rather than making a good product. I hope you have the internal processes in place to protect everyone from that fallacy and remain forever wary about your choices being influenced in such a way.
Second, you do collect and store data that is a privacy concern. This system is far, far too similar to all of the data collection systems used by large technology companies. I should know; I was a part of building one. It made me incredibly uncomfortable, and I ended up leaving that role as a result.
Based on your blog post you persist identifiable data in a way that is not end-to-end encrypted. This raises three questions:
1. Why is my usage data being treated with any less security than my passwords, URLs, and notes?
2. Why move away from your clear and simple story that all of the user's data is end to end encrypted, and 1Password the company has no access to any of it?
3. Why not anonymize the data client-side, rather than server-side?Third, and last, I get that no user needs to send their usage data to you. However, to the point of folks above, your dialog has strong elements of being opt-out rather than opt-in. Specifically, as @XIII called out, the default value of your prompt (based on your screenshots) is to have data collection enabled.
I'm not seeing any way to close the prompt without making a choice. So while no data is collected until a user opts-in, the app is entirely unusable until they make a choice. And the fastest, no-thinking path is to send usage data. This is jumping head-first into the company-first, business-first trend of data collection by default, without individual users being able to comprehend the potential consequences. Rather than being a refreshing escape from data collection, as you have been for well over a decade, you are becoming yet another company in the data collection pile.
Please don't lose sight of your roots as a user-first company. I don't want to have to find a different password manager for my family, but I would by lying if I said I haven't been paying significantly closer attention to competitors since the moment you started building for the enterprise. Adding data collection is making me look closer again.
0 -
Hey @ccw,
Thanks for taking the time to share these thoughts with us. There is a lot here, so I'm going to jump right in:
Why is my usage data being treated with any less security than my passwords, URLs, and notes?
There are a few reasons:
- The threat model is inherently different, and thus the required tooling is different. Usage data is less sensitive than the data customers store in 1Password. Usage data cannot be tied to an individual outside of our systems, even in its raw form, and our de-identification pipeline strives to decrease the likelihood of a user being identifiable even within our systems. The data is treated with best practices for the threat model.
- Usage data which is end-to-end encrypted using secrets only the customer knows would render it unreadable to us for purposes of performing analytics (which is the purpose of collecting said data). For those who choose to contribute to our analytics/telemetry data, we need this ability to read that data in order to derive insights.
Consider too that there are already other types of data that customers trust us to handle responsibly that are not end-to-end encrypted. We already maintain service data, which is handled differently from data customers store within 1Password. Billing data is an example which cannot be E2E encrypted, or we wouldn't be able to bill you.
Why move away from your clear and simple story that all of the user’s data is end to end encrypted, and 1Password the company has no access to any of it?
Our position hasn't changed with regard to the data customers store within 1Password. This continues to be end-to-end encrypted, and we have no access to any of it. As for why usage data has become a motivating factor, frankly we've found that the data we already have/receive isn't always sufficient to make informed decisions.
The most frequently cited example of this is that during the build-up to the 1Password 8 for iOS release we did not prioritize an Apple Watch app. We had heard very little from customers about our existing Apple Watch app, which led us to the conclusion that it was not widely used. When we launched 1Password 8, one of the top pieces of feedback from iOS customers was that they missed the Watch app. Had we known in advance that more people were using it, we likely would've prioritized differently.
Until now the vast majority of our insight came from what customers wrote to us about, combined with our own experiences. That is still an incredibly key component, but it doesn't capture things like the Apple Watch situation. Those sorts of misses are what we're trying to avoid by adding telemetry data to the equation.
The protections we put into place around this data continues to prioritize security and privacy: we self-host all infrastructure which collects and stores raw data, we collect the minimum data necessary to build a better 1Password, and we've implemented de-identification mechanisms to protect privacy.
Why not anonymize the data client-side, rather than server-side?
De-identifying server-side allows us to enrich the raw event data with additional metadata elements that aren't stored on your device. These elements are non-identifying pieces of information. The entire server-side enrichment pipeline is hosted entirely within 1Password's own infrastructure.
Fallacy of designing to make the numbers look good, rather than to make a good product.
I understand the concern here, but the intention behind this is to build a better 1Password by making informed decisions, and not simply to make the numbers look good. There is more info on why we're doing this (in a section titled as such) in our blog post:
Rolling Out Our Privacy-Preserving Telemetry System
Ultimately the proof will be in the pudding, as they say.
Ben
0 -
I’ve read through the follow-up blog post on how the new telemetry function works under the hood. And first thing I‘ll do, once this prompt pops up, is opt out of any of it.
I‘ll keep a close eye on how the situation develops. I hope, I can keep using 1Password in the future, because despite all of the changes in recent years, I still like it and haven‘t found anything better. But iCloud Keychain (which I have had already integrated into my workflow long ago) is catching up fast.0 -
You can definitely choose not to participate and absolutely no usage data will be collected if that's your choice.
I'm happy to hear that you're enjoying 1Password and hope that you'll stick with us for many years to come. 🙂
-Dave
0