How will 1Password react should the Required Backdoor Encryption bill pass in Australia?
Just as the question is in the subject. How do you plan to implement the changes required in the bill? I'm not in Australia but have concerns over whether they--or someone else--could access my data within 1Password depending on how this bill pans out.
Add'l info link: https://www.eff.org/deeplinks/2018/09/australian-government-ignores-experts-advancing-its-anti-encryption-bill
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
Hi @doylecw
I'm not familiar with this specific situation but I would think the information here would still apply:
Password manager - for law enforcement | 1Password
We're a Canadian company and as far as I'm aware none of our developers are Australian citizens, so I don't believe this would have a direct impact on us. I don't see how the Australian government could compel us to comply with Australian legislation.
Ben
0 -
The bill did pass: https://www.theverge.com/2018/12/7/18130391/encryption-law-australia-global-impact
Based on concerning commentary like this:
Could you please investigate and confirm with certainty that you have no Australians working on the product, within reach of Australian law?
As an Australian myself, I am saddened to be asking this question.
0 -
This is a sad day for security, privacy, and encryption
0 -
Oh... to know that an employee can insert backdoors sounds very scary!!
0 -
@prime: Couldn't agree more.
Oh... to know that an employee can insert backdoors sounds very scary!!
@Ziko: They can't, and that's very intentional. We compartmentalize things, limit access to only those individuals who must have it, and code changes are reviewed by multiple people as well.
Could you please investigate and confirm with certainty that you have no Australians working on the product, within reach of Australian law?
@Pez: As a Canadian company, we're not subject to Australian law. And as I mentioned above, it would not be feasible for a rogue Australian to insert a backdoor by themselves; we'd have to be an Australian company, or a company composed solely of compromised Australians, in order for something like that to pass review. None of that is the case.
So while this turn of events absolutely sucks, both for Australians who might be put in such a compromising position and for the world at large due to precedent, this doesn't spell doom for 1Password...and, honestly, this isn't over for other companies either. People aren't going to take this lying down. The positive thing about bad stuff like this happening is that it forces more people out of neutrality and apathy to take a stand, and laws that are struck down or overturned are much less likely to be reinstated. That, and the number of organizations out there today actively fighting against these injustices, gives me hope.
0 -
@doylecw: Also, to come back to your original comments, it's worth reiterating that the "keys" to 1Password users' data are never sent to us. So only you have the means to decrypt your own data, regardless of where you happen to live. That's a fundamental right as far as we're concerned, and we'd sooner pivot to making another software product than compromise on that. :)
0 -
@Pez: As a Canadian company, we're not subject to Australian law. And as I mentioned above, it would not be feasible for a rogue Australian to insert a backdoor by themselves; we'd have to be an Australian company, or a company composed solely of compromised Australians, in order for something like that to pass review. None of that is the case.
Thanks @brenty, but the question/issue isn’t if the Australian government can apply our law to your Canadian company.
The question is how you can be confident that an individual, working for you but being coerced/forced by Australian authorities, isn’t able to weaken your software in secret.
As insane as this all is, given that this law appears to directly enable such a covert operation, how will you remain confident you are not being targeted?
Will you apply additional rigor to code reviews? It’s great multiple people are already involved and I have confidence in your process. But do you now need to make sure that every commit is approved by at least one person you can be entirely confident is beyond the control of these laws?
Thank you.
0 -
The question is how you can be confident that an individual, working for you but being coerced/forced by Australian authorities, isn’t able to weaken your software in secret. As insane as this all is, given that this law appears to directly enable such a covert operation, how will you remain confident you are not being targeted?
@Pez: I don't think it's insane at all. As paranoid as you may think you are, trust me, we're way ahead of you; everyone here at 1Password relies on us being on top of these things for our livelihood, because millions of 1Password users rely on us to get it right. I did address this in my previous reply though:
We compartmentalize things, limit access to only those individuals who must have it, and code changes are reviewed by multiple people as well.
The scenario you're proposing just isn't feasible the way we have things setup, not just specifically to protect against something like this, but also honest mistakes that could cost users' data, and us our jobs.
Will you apply additional rigor to code reviews? It’s great multiple people are already involved and I have confidence in your process. But do you now need to make sure that every commit is approved by at least one person you can be entirely confident is beyond the control of these laws?
We're already doing that. I'm not sure how to make that more clear, or what you're specifically asking for that we're not already doing. I will say, however, that we're always looking at ways to lock things down even more, and constantly evaluating our existing processes; so, regardless of what happens in Australia or any other country, we'll continue to do anything we can to ensure that 1Password stays secure. It would be shortsighted of us to not already be doing these things, and wait until something like this happens to be in the news to care about it. So I'm not sure the response you seem to think you want is really the response you want...if that makes sense.
0 -
@Pez: As a Canadian company, we're not subject to Australian law. And as I mentioned above, it would not be feasible for a rogue Australian to insert a backdoor by themselves; we'd have to be an Australian company, or a company composed solely of compromised Australians, in order for something like that to pass review. None of that is the case.
Isn’t Apple a US company? These new laws are basically targeting them.
0 -
I was just about to create a topic on our forums discussing this, when I found that it already exists.
My understanding of law (which I have not studied) is that while it could not compel AgileBits (a Canadian company) it could compel someone subject to Australian laws to act secretly against our interests and against the interests of a 1Password user. And so it is the kind of thing that we do need to defend against and it is something that our users (particularly in Australia) should reasonably be asking about. (Again, this is based on my very shallow understanding of the law.)
Fundamental line of defense
As I said in a comment on Twitter,
@drzax Our best response to #aaBill is to continue making @1Password users safe from insider attacks. That's been a design principle from the start, but there is always room for improvement.
We can't be compelled to do something we're incapable (by design) of doing.
To the extent that we succeed at keeping 1Password users safe from insider attacks, they are kept safe despite something like #aaBill. There is no 100% guarantee of being 100% safe from insider attacks, but we've built 1Password and our practices from the beginning with the notion that if we can defend against insider attacks then a fortiori we can protect people if we are compromised, even if that compromise is in the form of legal compulsion.
Attacker risks
Five years ago, I wrote a blog post on 1Password and the Crypto Wars. Some of the details have changed, but it highlights a major point in addition to simple end-to-end encryption. It would be hard to introduce a backdoor into our clients without it being detected, and the consequences of it being detected would be severe. This means that an attacker would need a high probability of success before even trying.
Because of the end-to-end nature of 1Password, the most likely attack would be to deliver a malicious client to users.
Among the things that raise the possibility of detection are
- 1Password's behavior is well documented. So it makes it easier for independent researchers to discover if it is misbehaving
- We do not (generally) obfuscate our source code. People are encouraged to run it in debuggers and see what it is up to.
- There are many (internal) eyes on our source and our build process. These include people from all over the world, many of whom have strong personal beliefs on the matter.
- Although there are many eyes on what gets built and codesigned, only very few people have access to the codesigning private keys.
Now none of these offer a full guarantee against us or someone controlling us shipping a malicious client, but in combination they substantially raise the likelihood that any attempt would be detected.
Maybe we can't outrun the bear, but
There is an old joke whose punchline is, "I don't need to outrun the bear; I just need to outrun you."
Even if we can't entirely eliminate the threat of compulsion for a back door, we can raise the cost and risks to an attacker so that they will find it cheaper and less risky to go around 1Password than through it. The attacker needs to consider the costs and risks of trying to get a backdoor inserted into 1Password against other avenues of attack. Is it cheaper and easier to just place cameras monitoring your master password entry? Is it cheaper and easier to tamper with your computer? Is it cheaper and easier to get the information through some other means?
So while we strive to make it harder and riskier for someone (malicious insider, compelled insider, outsider who compromises our development and deployment process) to insert a backdoor, and we continue to work to make it harder, we can also accept the fact that we can't achieve perfection if we've raised the costs and risks to an attacker so that they will aim elsewhere.
Raising those costs and risks to an attacker is an ongoing process. It's also part of our normal process, and because it has been part of our normal process we don't have to panic as some country enacts a stupid and reckless law.
Update: Now with a working link to the old blog post.
0 -
This article talked about Signal and WhatsApp. Now I know WhatsApp is owned by Facebook, but Signal isn’t. Open Whisper Systems (owners of Signal) is out of California, and they don’t have retail stores and I think they are just based in the USA.
https://www.abc.net.au/news/2018-12-04/encryption-whatsapp-signal-messages-explained/10580208
I know we all don’t know everything, but I just want to make sure you all know any info I read too.
One thing we all know, this is a scary time for encryption. If this goes worldwide, we are all in trouble.
0 -
My understanding (based on zero legal training) is the same as Ben's. We do not have a legal presence in Australia despite the fact that we sell products to Australians. This does make us responsible for collecting V.A.T. and submitting that properly, but it is mostly our payments processor (Stripe) that takes care of that.
Although I consider myself an employee of AgileBits, I actually am not. Pretty much everyone outside of Ontario is a contractor. This saves AgileBits having to have a legal presence in dozens of countries and US states. We do have people all over the planet (including Australia). I know that there are companies that treat contractors poorly, but AgileBits has always treated contractors as part of the family.
But all of that is beside the point that I was trying to make. By designing 1Password and our processes correctly it doesn't matter to the security of 1Password that we happen to have people in countries that have passed poorly thought out laws. Brenty was absolutely correct to point out that it is hard to insert a back door and get away with it.
It does help that the people with eyes on the code, what we deliver, and our processes are spread across a range of jurisdictions. That makes it harder for something nasty to be done under a gag order that someone not subject to that order wouldn't notice. So if those of us in country A were compelled to do something surreptitious they'd have to sneak it past those in countries B, C, D, etc. Again, this isn't a perfect defense, but I believe that it makes an attempt risky and expensive enough that the attackers[1] have to go elsewhere.
So while we might have strong opinions about Australia's Access And Assistance Bill (aaBill), it doesn't really require a change in how we do things. We try to design 1Password to be resistant to the sorts of attacks the law grants the government. We continue to do so.
Other kinds of laws
For different sorts of laws, a legal presence in the jurisdiction would matter. But aaBill does not give the government power to force vendors to introduce systematic weaknesses. So even if we were based in Australia, this law would not compel us to change how we build and design 1Password.
But other kinds of laws would make jurisdiction matter more. Countries could make it illegal for people to possess or use certain sorts of security tools. Such laws would hit our customers in those countries. And proposals like that do pop up on occasion. There are actually plenty of places with such laws on the books, but to our knowledge they have never been enforced against 1Password users in those countries.
I'm not saying that we (as a community) shouldn't worry about aaBill. Just because it doesn't have much impact on 1Password given our design, that doesn't mean that it doesn't have a substantial impact on privacy and security in general. But when it comes to 1Password security we can pretty much say that our design principles and practices mean that what we already do protects our users.
-
[1] I'm using the word "attacker" to include lawful government actors as well as more criminal type actors. Software cannot distinguish between these. We cannot defend against one without defending against the other.
0 -
Hi guys,
Maybe ask Troy Hunt for advice? You both know each other and he’s Australian. It kind of stinks right now.
0 -
Here's the article Goldberg referenced above, courtesy of the Internet Archive:
A few parts are a bit dated at this point, but still (sadly) very relevant today.
At the end of the day, I'm a 1Password user first and foremost myself, even working here. So it helps me sleep better at night knowing that my own data is safe too. 1Password's fundamental design doesn't allow for a backdoor, so it would require substantial changes in order to even try to insert one -- and anyone here would look askance at a PR like that.
0 -
The five year old blog post is now in its new home: https://blog.1password.com/1password-and-the-crypto-wars/
0 -
@brenty @jpgoldberg I found this today and it mentions you guys
“There is confusion about other secrecy requirements of the law. For example, would it require employees who received requests to keep them secret from their employers? The Australian Department of Home Affairs, which coordinates strategy and leadership of the country’s national security policy, says it would not. But security experts at the Electronic Frontier Foundation and at companies like the password manager 1Password say it is actually unclear.”
https://www.nytimes.com/2019/01/22/technology/australia-cellphone-encryption-security.html
0 -
@prime: Thank you. I really hope that's true. I'm not a legal expert, but I'm always wary of this kind of thing. It's nice that someone in the government says that, but my understanding from reading is that the law itself is not quite clear on that point. I don't like this sort of legislation happening at all, but I'd feel much more comfortable with a bad law being crystal clear with no room for (mis)interpretation. Having it unclear makes it harder to fight against, and often that's very intentional. :(
0 -
Well, that's true. But I do think we can find some consolation in the fact that other generations have too, and I'm not sure I'd want to trade places. That's not to minimize this sort of thing, but rather I appreciate the perspective that if it wasn't this type of government overreach, it would probably just be another. What's important is that we stand up for our rights, no matter the context, today and every day. I'm fortunate enough to be in an environment where I can do that without fearing for my safety, so I don't want to take that for granted. :blush:
0 -
@brenty German politicians were hacked a few weeks ago, but that was poor password practices. I can see that being the norm if this goes world wide... even worse. People need to stop thinking “I have nothing to hide” and “only the government/tech companies will have access”. We all have something to hide from the wrong people.
0 -
I agree completely. And just because we have nothing to hide doesn't mean we should give up our privacy.
0