Steve Gibson on 1Password Travel Mode: "They did it exactly right"
Steve Gibson likes the new 1Password Travel Mode, as he explains in Security Now episode 614:
Steve: So bravo. Speaking of bravo, I have a new acronym, TDF. Stands for Traveler Data Frisking.
Leo: I'm going to be going through some of that, some intrusive travel data frisking, I think, maybe.
Steve: I know. Being frisked for your data is something that seems to be on the rise. And so many of our listeners have asked, over the last couple weeks, since it was announced by AgileBits, what do I think about 1Password's Travel Mode? And my answer is they did it exactly right.
Leo: Oh, that's good to know. That's great.
Steve: Yes, 100%. Your various secrets are - so the way this works is you first partition them into vaults. And the vaults can be individually flagged as "Safe for Travel" or not. So as you approach customs or a particularly officious-looking TSA agent, you log into your 1Password.com account and activate Travel Mode, whereupon all of the non-safe for travel vaults are completely removed. They are wiped and removed from your connected devices. They're not obscured or hidden. They are gone. So then you present your device, and if they need to get a password from you, you go, okay, yeah, here's what I've got. Whatever you need to do not to be harassed. You travel through customs smiling and maybe trying not to bow too deep. And if you are data frisked, the duly anointed officials will see only those secrets you previously decided to allow them to see. Nothing more to see here. Move along.
Once you're safely through inspection, you simply log back into your 1Password.com account, turn off travel mode. Maybe you want to wait till you get to the hotel or whatever, depending. Maybe, I mean, and maybe, in fact, you just - if these are things you don't need while you're traveling, then it's also just better for security to not have them on your devices, not only to deal with the officious-looking TSA agents, but just in general not to have them while you're traveling.
But if you need them, the point is you turn off Travel Mode, and all of those vaults are immediately repopulated on your devices and reappear, just as they were before. So I dug in. I read Rick Fillion's explanation of this. He posted on AgileBits' blog under "Introducing Travel Mode: Protect Your Data When Crossing Borders." And I was very impressed with everything I saw. So double thumbs up. These guys did it exactly right. And it looks to me like a great feature. So now we need everybody else to copy them.
Sources: show notes and podcast for episode 614.
Comments
-
Maybe not....
Bruce Schneier on 1password travel mode: It doesn't make much sense
"The password-manager 1Password has just implemented a travel mode that tries to protect users while crossing borders. It doesn't make much sense."
https://schneier.com/blog/archives/2017/06/passwords_at_th.html
0 -
@toasted: It sounds like you missed some of @jpgoldberg's comments there:
The idea of 1Password's Travel Mode is not to hide data or to help you deceive nor lie to border officials. That would be a very bad thing. Instead it is a convenience mechanism to genuinely remove certain data from your device.
In designing this, we have been very mindful of EFF and ACLU's advice on these matters: Don't lie to border officials, but try to carry less with you. That is what Travel Mode is intended for.
So, keeping in mind the actual problem this feature is meant to solve, it's really pretty effective: making sure we don't have our devices full of sensitive information so that we can comply with border officials without compromising ourselves.
And more personally, it saves me the trouble of manually removing (and later, re-adding) AgileBits data from my devices before traveling, which indirectly protects you as well. Cheers! :sunglasses:
0 -
Or we can do it the really old-fashioned way: use a burner phone and a local SIM. I haven't traveled in years but I'll keep Travel Mode in mind if I decide to go anywhere. If I have multiple devices, does that mean that Travel mode is global across all devices, even for those I don't take along? I haven't attempted to use it yet.
0 -
Or we can do it the really old-fashioned way: use a burner phone and a local SIM.
@wkleem: That is such a pain though. Part of what Schneier is getting at in his post that @toasted linked above is something that was talked about in more detail in a great blog post that @benfdc linked in another discussion. To paraphrase, it's exceptionally suspicious nowadays to not have any data on your device, or to not have one at all.
I haven't traveled in years but I'll keep Travel Mode in mind if I decide to go anywhere. If I have multiple devices, does that mean that Travel mode is global across all devices, even for those I don't take along? I haven't attempted to use it yet.
Enabling Travel Mode on your account in 1Password.com will remove all non-Travel Safe vaults (which is all of them by default) and their encryption keys from all of your authorized devices. Enabling and disabling this is incredibly quick and painless, and I encourage you to try it for yourself. :)
0 -
Thanks for the hat tip, @brenty. I was thinking about posting a link to Bruce Schneier's commentary but I see that @toasted beat me to the punch.
This back-and-forth reinforces a point I have made in another thread—there should be clear user documentation on the proper use of this feature. There are several good discussions here in the forums, but I imagine that only a small portion of your user base spends much if any time here. Also, I note that over three months have passed since the grugq promised good travel advice "in a later post." It's easier to generalize about "don'ts" than it is to formulate a good set of "dos."
—Ben F
0 -
@benfdc: Ah, I noticed too that a followup was mentioned but not yet posted. I hope it's forthcoming. :)
I disagree about the documentation though. "Don't be a jerk to border officials" seems a bit out of scope for 1Password. I don't think it's our place to proscribe public decorum for individuals...and I'm not sure people are very receptive to that kind of thing anyway. :lol:
0 -
I'm not talking about "don't be a jerk." I'm talking about making users aware of concerns by some experts that overly aggressive stripping of one's 1Password vault when traveling could arouse suspicions.
Unfortunately, deciding what to carry on your device when traveling and what to remove is something of a d@mned if you do, d@mned if you don't situation. Anything can arouse suspicions to someone who is inclined to be suspicious, and even giving advice can be fraught, as the news continually reminds us.
0 -
Sorry for joining so late. (Perhaps we ought to consolidate these various threads).
@toasted, I would agree with Schneier if Travel Mode behaved the way that he appears to think it does. You can see some of my comments on his post.
I don't really think that Steve Gibson really gets the intent either. You should go into Travel Mode before you reach a situation where the devices you have with you may be searched. If you are just turning it on when you see a border official, you are probably doing something wrong.
0 -
@jpgoldberg for a lot of countries it all seems pretty academic anyway.
https://theatlantic.com/technology/archive/2017/02/give-us-your-passwords/516315/
Just go ahead and sign in here please.
Sigh.
0 -
Much of that article is speculation, but I think we can agree crossing borders can be a stressful experience. Travel Mode is a tool in your toolbox that may help alleviate some of that stress. Or maybe you'd rather carry all of your data with you across the border. It is entirely up to you. :)
Ben
0 -
The Atlantic article is good, @toasted, and these are the sorts of things that have gone into our thinking with Travel Mode. The assumptions that we are making are that
1. You are more likely to be compelled to unlock and decrypt your devices at a border than elsewhere.
2. Those searches (at the border) are more likely to be limited to what you have on your person.
These two are linked to each other. In the US (and many other countries) the standard, both legal and in practice, is that it takes less "cause" to search what you are bringing into a country than conducting a search in other circumstances. In the U.S. no warrant or "probable cause" is needed to search a suitcase you are bringing into the country. That is what I mean by (1) above.
But the broad latitude border officials are granted for warrantless searches is justified by this notion "what you are bringing into the country." So in principle at least, those sorts of searches should be limited to what you are carrying with you. That is point (2).
If a non-border search can compel you to decrypt what is on your devices, it is likely to be able to compel you to decrypt your data wherever it is stored, because the authority to conduct those searches isn't about controlling what is brought into the country.
Where the laws and practices divide on (2) remains to be seen. Different countries will have different laws and practices, and this is unsettled law in the US. Number (2) is definitely true in the US, but the exact boundaries of those limits are ill-defined. If it turns out that (2) turns out to not hold in a way that makes Travel Mode useful, we will have to rethink offering it.
And I will take this opportunity to again state that I think it is very unwise to try to trick or lie to border officials. This is particularly true if you are not a citizen of the country you are entering. Travel Mode is just a way of not taking certain things with you. It's not about hiding things.
0 -
@Jpgoldberg
I think the more concerning element of the Atlantic article is the suggestion that the requirement for the visitor is to supply usernames and passwords to websites the visitor accesses... such as the commonly suggested social sites like Facebook ....'so we can see what you get up to'... but why not your online password manager.. you don't even need to have it with you.
0 -
@toasted: Unfortunately these are things each of us has to take into account when traveling now. I'm okay with someone going through my social media accounts. All of that's public anyway. But for some people this will be a big problem. Travel Mode is another tool we can choose to use if it helps in our situation.
0 -
I think the more concerning element of the Atlantic article is the suggestion that the requirement for the visitor is to supply usernames and passwords to websites the visitor accesses... such as the commonly suggested social sites like Facebook ....'so we can see what you get up to'... but why not your online password manager.. you don't even need to have it with you.
I'm going to try to repeat my point about the distinction between "at the border" and elsewhere. Many of the requirements/requests to grant access to social media accounts are during the process of applying for a visa. In these cases it doesn't make a difference whether those passwords are on your person, and so Travel Mode is simply irrelevant. Although those are demands made of people wishing to visit a country, they are not searches at the border as these are made well before any travel has actually begun.
I do not feel that the Atlantic article made the distinction sufficiently clear between what happens at the border and what happens during visa application. A lot of people are failing to make that distinction, but I would have hoped that the Atlantic article would have done a better job at clearing that up.
0 -
Part of the visa process, sure….but it is also reported such data being requested by border officials at the border as a condition of entry.
"John Kelly, the new secretary of the Department of Homeland Security, testified that foreign travelers coming to the United States could be required to give up social media passwords to border officials as a condition of entry"
And
“If they truly want to come into America, then they'll cooperate. If not, you know, next in line”
“If a foreign visitor refuses a border agent’s demand to unlock their digital device, provide the device password, or provide social media information, and the agent responds by denying entry, the foreign visitor may have little legal recourse.”
There is even talk of requiring access to financial records, places visited in the last 5 years, home addresses in the last 5 years etc.
A cursory search produces many legitimate news sources reporting:
In the US, if you’re a US citizen, your entry may be “delayed”; if you’re not a US citizen, your entry may be “refused”. Even more concerning is the contemplation of reciprocal ban on Americans (and others no doubt)… I am sure it’s fine for your TSA agent to have access to your online accounts, but I am not so sure of other border agents in other countries.….
Totally trustworthy. Oh. Wait….
So if a traveller's passwords are all available online (“just login here please madam”)….. I suspect this might not be a good thing.
0 -
Again, some of those things apply at the border and some of those things apply during visa application. There is a lot of unsettled law and practice around each of those. But I think that many agree that there is some sense to which a major category of border searches are in some way limited to "what you are bringing into the country."
If, when the dust settles, this view turns out to be wrong, then we will have to rethink Travel Mode.
0