Privacy concerns about Rich Icons and Watchtower

steven1
Community Member
edited April 2014 in Lounge

Guys,

In the name of ‘privacy/security enhancing’ features, you are adding more and more features that make me seriously UNCOMFORTABLE using 1Pw. Case(s) in point:

-Lookup “rich icons” by default. Really?? so you/amazon (AWS, where you host) know every site I have a login on?
-Watchtower lookup. So you/amazon know every site I have a login on and that is susceptible?

I really like these features, but would prefer to use them in a browser outside of the app, ideally over a VPN so you/amazon don’t know this kind of information.

Questions:
-Are the lookups done over a secure HTTPS connection?
-Are the lookups proxied in any way?

Why should I care? Really, are you also going to argue then that NSA metadata collection is OK??
This is after all, HIGHLY CORRELATED metadata. How so? I am surfing on Amazon, it knows my IP address and lo and behold thanks to 1Pw it also knows all the websites I have a login on!!!

PLEASE 1pw change this (and explain how this really works) or risk losing all your users!

Thanks.

Comments

  • Jasper
    edited April 2014

    Hi @steven1,

    Lookup “rich icons” by default. Really?? so you/amazon (AWS, where you host) know every site I have a login on?

    If you have Rich Icons enabled, then 1Password will attempt to fetch icons for Logins and Software listed in your data from Amazon CloudFront: https://d2x2f6qan2kccj.cloudfront.net

    We do not see the IP addresses for any connection, and we only log “misses” without IP address. Logging the misses (anonymously) helps us see what images need to be added.

    Although we don't collect IP addresses of requests coming in to the Rich Icon image server, users should assume that it is possible for Amazon to do so if they wish to or are compelled to. Thus, the use of Rich Icons is completely optional.

    When you start using 1Password 4 for the first time, you are prompted about Rich Icons:

    Watchtower lookup. So you/amazon know every site I have a login on and that is susceptible?

    No, neither we nor Amazon will know all of your websites because of Watchtower. 1Password only needs a connection to download the vulnerability database file into the app's data folders. Once the database is extracted, 1Password locally uses that to compare your data with and show you the matches.

    Again, this is completely optional and you don't have to turn it on (it is actually turned off by default). When you click on the Watchtower on the sidebar, it should then show you a message to enable it if you want. Here's the message we show in the Preferences:

  • steven1
    Community Member

    @JasperP thanks for the response...

    1. Re: rich icons: what about the iOS version where rich icons are enabled by default? You guys know better than I do, security/privacy is only as good as the weakest link. So even though the Mac version gives me the option at setup, the iOS version defaults to rich icons, giving Amazon the list of my logins. And if I happened to be browsing amazon they now know who I am and what is in my vault. And I am sure you know we all use both versions so amazon has this info one way or the other!
      I know JeffG will sigh and say but it is only metadata, but I am sure he doesn't care about his call logs with uncle sam either.

    2. The approach with watchtower (download db to check locally) is the way to go to add these features. I am glad to see this is done locally.

    Thanks!

  • steven1
    Community Member

    Re: Watchtower locally. On second thought, how many websites do you expect to download, since it will not be based on what is in my vault?

    Again, thanks. I hope you guys consider the privacy implications (metadata leakage) to be just as important as the security of your users' data (keeping users' vaults 'safe'). This is why .agilekeychain needs to go bye bye :-)

  • steven1
    Community Member

    bump

    @JasperP‌ ...know you guys and gals are busy with the new releases, but could you please respond to above post? (repeated below in summary)

    -What good is Mac version making Rich icons optional if iOS version does not and Amazon has my sites upon first sync??!!!
    -PLEASE make all privacy leaking "features" optional by DEFAULT. Once it is leaked it is leaked, what good does turning Rich Icons off do after Amazon has been pinged for it once already?
    -PLEASE display bold warning for any privacy leaking "features"
    -Can you not download the icons as a bundle just as you are planning to download watchtower?

    I love your products, but as of late, feel you are taking my privacy very casually.

    Best

    Steven

  • jpgoldberg
    1Password Alumni

    Hi @steven1‌

    I'm sorry that you are unhappy with our decision to set Rich Icons on by default in the iOS app. As @JasperP‌ pointed out, in 1Password for Mac you are explicitly asked when you first start using 1Password 4.

    We are hesitant to add "yet one more thing" for people to read and review when they start using 1Password. We want something that "just works", and so we made the choice that we did. Ideally, we would like to find a way to ensure that neither we nor Amazon could ever get that data. But the volume of requests is such that we just can't put that through an anonymizing proxy.

    As we said in that privacy document we don't want to have any of your personal information. It is appealing to think of doing here what we did with the Watchtower database, but there are more than 600,000 sites covered by our image server, with images in four sizes for each. The Watchtower data is smaller and more compressible.

    I don't wish to pour cold water on your suggestions. We would like to have a solution to this that works well for everyone, and would guarantee that nobody would be surrendering any personal data through their use of 1Password. We will look at what we can do about the default, on iOS, but I can't promise you that you will be happy with what we do. If we can get it to flow nicely into initial startup screens, then we will do so.

    I should also say that we've considered (and rejected) having some sort of notification in app of "Hey now that you've been using 1Password for a while, here are some more details about various features". But even if that were something acceptable, it wouldn't solve the problem.

    Again, I hate to sound so negative in rejecting so many ideas. I hope that we will be able to find something that really does meet everyone's needs and expectations from us.

  • dteare
    edited April 2014

    Thank you for your feedback, @steven1‌, it's very helpful to be reminded of how important 1Password's privacy features are and where we can do better. Hearing comments from users like you saying we are being casual about privacy makes us all sad and clearly demonstrates we're doing a bad job of "marketing" our privacy features.

    We take privacy very seriously and often bend over backwards to do things in a complex fashion in order to avoid any privacy concerns. For example, we could have easily had a website up-and-running for the Heartbleed exploit if we simply broke our rule of never sending private information to our servers. It would have been trivial to simply send a list of all your domains to our server and spit out a pretty report but we refused to do this because we care too much about your privacy. As Jeff said, we really don't want to know anything about your data. We want to know you and have conversations with you, but we don't ever want to have a conversation with your data :)

    With that said, I can see exactly where you are coming from w/r/t the default Rich Icon setting on iOS. Ideally we'd do the same that we did on OS X but we had more constraints on iOS to deal with. We decided to simplify the iOS setup experience and a consequence of this decision was "leaking" a small amount of additional information about your data. We did not believe this to be that big of a concern because we disabled all logging on the Amazon CloudFront servers to ensure that we cannot collect information about you.

    Your point is that we do indeed "leak" more information with Rich Icons enabled than we do if they were disabled, and you're right. A hypothetical Evil Amazon would be able to piece together more information about you than they should be able to. Perhaps we should switch to CacheFly for icons since they don't have any other businesses like Amazon does, but I'm not sure that would help very much. Ideally we would run the servers ourselves so we could guarantee no spying is taking place but this would increase the appearance of us collecting data on you so I ruled that option out long ago.

    Anyway, I'm not saying all this in order to say we won't ever change the approach we chose. You clearly feel very strongly about this and I'm very glad you brought it up. It spurred me to discuss with our team how we could go about squeezing another setup screen onto iOS, and how to make sure that all users see this setting before we enable Rich Icons. Hopefully we find a solution that addresses all our concerns.

    This discussion brought up some interesting consequences of us not knowing anything about your data. As you mentioned about Watchtower, we must download our entire Watchtower database to every person's machine because we don't know which sites you have saved. This requires a larger download and pretty much ruled out doing this on iOS, but so far this has not been a concern on OS X as the space requirements have not grown that large yet. However, an interesting wrinkle is if you have a very obscure website that you visit it will likely not be in our database and therefore we would not be able to notify 1Password of any vulnerabilities there.

    This Watchtower limitation as well as needing to work harder developing clever ways to keep your data private are just a few of the difficulties that we accept in order to keep your data private. We'll keep iterating on this and we'll try to find a way to improve the iOS setup screens. Thanks again for starting such an important discussion.

    Cheers!

  • RichardPayne
    Community Member

    Would it be possible to break the database up into chunks? The 1p app then goes through your site list and for each one works out which chunk the site is in. It then requests the required chunks from the server.

    This reduces the download size while masking which sites you're actually using.
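As an added example (not 1Password's code and not posted by anyone in this thread), here is a small model of the chunked lookup RichardPayne sketches above, which also covers the local comparison Jasper describes for Watchtower: the server buckets its database by the first few bits of a SHA-256 of each domain, the client requests only the buckets its vault domains fall into, and the final match happens on the client. The database entries, the domain names, the 4-bit prefix width and the `fetch_chunk` callback are all constructed assumptions for illustration; the function `anonymity_sets` is there to make the leak measurable rather than to mirror anything 1Password ships.

```python
"""Bucketed vulnerability lookup (added example; not 1Password's code).

The server splits its database into chunks keyed by the first few bits of
SHA-256(domain). The client asks only for the chunks its vault domains fall
into and does the final match locally, as Watchtower does with the full file.
Database entries, domain names and the prefix width below are all constructed
for illustration.
"""
import hashlib
from collections import defaultdict

PREFIX_BITS = 4  # assumption: 2**4 = 16 chunks; a real service would tune this

# Constructed sample data: placeholder domains and placeholder advisory notes.
SAMPLE_DB = {
    "example.com": "constructed advisory A",
    "example.org": "constructed advisory B",
    "example.net": "constructed advisory C",
}


def chunk_id(domain, prefix_bits=PREFIX_BITS):
    """Map a domain to its chunk: the top `prefix_bits` bits of SHA-256(domain)."""
    digest = hashlib.sha256(domain.strip().lower().encode("utf-8")).digest()
    return int.from_bytes(digest[:4], "big") >> (32 - prefix_bits)


def build_chunks(database, prefix_bits=PREFIX_BITS):
    """Server side: partition {domain: note} into {chunk_id: {domain: note}}."""
    chunks = defaultdict(dict)
    for domain, note in database.items():
        chunks[chunk_id(domain, prefix_bits)][domain] = note
    return dict(chunks)


def client_check(vault_domains, fetch_chunk, prefix_bits=PREFIX_BITS):
    """Client side: fetch only the needed chunks, then compare locally.

    Returns (sorted chunk ids requested, {domain: note} for matching vault
    domains). The requested ids are exactly what a network observer sees.
    """
    wanted = sorted({chunk_id(d, prefix_bits) for d in vault_domains})
    local_db = {}
    for cid in wanted:
        local_db.update(fetch_chunk(cid))
    matches = {d: local_db[d] for d in vault_domains if d in local_db}
    return wanted, matches


def anonymity_sets(chunks, requested):
    """How many database domains share each requested chunk.

    A value of 1 means the request pins the domain down; 0 means the client
    holds a domain the database does not know at all (an empty chunk).
    """
    return {cid: len(chunks.get(cid, {})) for cid in requested}


if __name__ == "__main__":
    chunks = build_chunks(SAMPLE_DB)
    vault = ["example.com", "example.org", "obscure.invalid"]  # constructed vault
    requested, matches = client_check(vault, lambda cid: chunks.get(cid, {}))
    print("chunks requested:", requested)
    print("local matches:", matches)
    print("database domains per requested chunk:", anonymity_sets(chunks, requested))
    # Watchtower's real approach is the degenerate case: fetch every chunk,
    # so nothing about the request depends on the vault, at full download cost.
    full_db = {}
    for cid in sorted(chunks):
        full_db.update(chunks[cid])
    print("full download entries:", len(full_db))
```

The knob is `PREFIX_BITS`: zero bits is Watchtower's full download (nothing requested depends on the vault), 32 bits is a per-domain lookup that names every site. In between, the observer learns one bucket per vault domain rather than the domain, but only as much as the bucket is crowded, and `anonymity_sets` only counts database entries: a vault domain that is not in the database still produces a request, so an empty chunk tells the server there is a site in that bucket it does not know about. Bucket ids are also stable across sessions, so together with an IP address they fingerprint a vault even without naming sites. Padding every request to a fixed number of chunks, or adding random decoy chunks, blunts both at the price of a larger download.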

  • steven1
    Community Member
    edited May 2014

    Hi @jpgoldberg and @dteare,

    First off, thanks for the thoughtful responses. One of the reasons I have been heartily recommending 1pw is the care you have largely shown in most of the details of your products.

    Clearly, when you guys started this, we all only thought Three Letter Agencies (TLAs) may be able to record all internet traffic and that they may be able to decrypt some things. We now know they can and they do. And frankly, your business model is predicated on there being Evil Amazons, Evil Googles, etc. from whom we minions choose to wrest a modicum of privacy.

    It is therefore of paramount importance that you not take our trust for granted and tout privacy features in one place (Mac version) and so, so easily do the exact opposite in another (iOS). However, I am glad that you are considering adding another screen to the iOS setup process to allow us to disable privacy leaking features.

    In fact, here's a freebie suggestion from a generally satisfied customer:
    Allow a paranoid mode which by default disables all privacy leaking features, and once enabled, requires extra effort to turn off :-). Paranoid mode, among others, would:

    1. Disable all privacy leaking lookups based on what is in your vault, such as rich icons, etc.
    2. Potentially disable the mini-mode (not sure about this one...but feels appealing)
    3. Disable sync'ing to destinations that can leak (anything that is not opvault)
    4. Others...

    I think you would garner another source of very satisfied sysadmins, programmers, geeks, etc. to the legions of satisfied Mac and iOS users who can see a pretty picture next to their login.

    I hope you take my comments/questions in the spirit I intended them, to help improve a product I love and recommend.

    Thanks!

  • jpgoldberg
    1Password Alumni

    Thank you very much @steven1‌!

    I want to encourage you to share your ideas about how we can make 1Password better. And also feel free to pester us if you think we've got something wrong. There will be times when I slip up and respond defensively instead of thoughtfully. I try to avoid getting defensive, but it does happen, and I apologize for that.

    What Snowden changes

    I have a slightly different take on some of the history, but I think that we are in full agreement about the essentials.

    Clearly, when you guys started this, we all only thought Three Letter Agencies (TLAs) may be able to record all internet traffic and that they may be able to decrypt some things. We now know they can and they do.

    We always assumed that TLAs could get at your data at rest off of things like Dropbox; what changed in June last year is our assessment of how easily and routinely they do so. If I may quote from a blog post, "On the NSA, PRISM, and what it means for your 1Password data":

    If the US government wants your data stored with Apple or Dropbox, it is easy for them to obtain it with no notification to you that they are doing so. This fact is not news. The laws have long enabled them to do that.


    The news is (a) that the NSA and FBI have been collecting data about telephone calls on a large and indiscriminate scale while publicly stating that they weren’t, and (b) that they have mechanisms in place with various service providers, including Apple, to be able to collect data from individuals.

    This is why end-to-end encryption is so important. Only you know your Master Password and only you can decrypt the keys encrypted with your Master Password.

    From a security design point of view anyone who wants access against your wishes to what you store in 1Password is "an attacker". This is the only coherent way to think about security design. This is irrespective of politics; it is entirely irrelevant whether one largely thinks of government agencies as "good guys" or "bad guys".

    What has changed, particularly from the September 5 revelations (see "1Password and The Crypto Wars") is our understanding of what the TLAs are willing to do.

    I personally didn't anticipate how widespread such data collection would be. Nor did I anticipate the extent to which they would actually try to foster deliberate weaknesses in systems.

    But our overall design of end-to-end encryption, with us having no information on our customers, turns out to have served us (and you) well despite that. There is (almost) nothing for them to coerce out of us or steal from us; and with verifiable end-to-end encryption there is extremely limited scope for the "implanting" of deliberate weaknesses.

    The point here is that we didn't have to change our overall approach in light of the revelations.

    Paranoid mode

    This is an interesting idea:

    In fact, here's a freebie suggestion from a generally satisfied customer:

    Allow a paranoid mode which by default disables all privacy leaking features, and once enabled, requires extra effort to turn off. Paranoid mode, among others, would:

    1. Disable all privacy leaking lookups based on what is in your vault, such as rich icons, etc.
    2. Potentially disable the mini-mode (not sure about this one...but feels appealing)
    3. Disable sync'ing to destinations that can leak (anything that is not opvault)
    4. Others...

    This is an interesting idea. I've got some questions about how this might work. Please don't take my questioning as an attempt to dismiss your suggestion; instead keep in mind that before we settled on my public job title, internally we were using "Worrywart in Chief." I'm Mikey from the old Life cereal commercials.

    Potential leaking

    With respect to your number 1 on that list, would we insist that 1Browser only operate if we knew that it was running through a secure VPN? I'm not trying to dismiss your concern about rich icons, but keep in mind that an attacker with the capacity to get that data through Amazon Web Services would also have the capability to see your network activity by getting data from your all-too-willing ISP. Likewise, would 1Browser have to somehow ensure that you weren't using a potentially privacy leaking DNS server if you were to opt for "paranoid mode"?

    Now that I ask that question, I'm inclined to look at how feasible it would be to have a "TOR" mode in 1Browser. But ...

    OPVault everywhere

    With respect to your number 3, my inclination is to focus our efforts on bringing opvault to more people as quickly as we reasonably can. I know that everyone is frustrated by how long this is taking. But some of us old timers remember some of the difficulties that the transition from using the OS X Keychain to the Agile Keychain Format presented to many people; and that was when 1Password was Mac only!

    Remember that our goal is to provide top-notch security for non-experts. We need the transition to be seamless for the overwhelming majority of people using 1Password. So we are being cautious, but that is also where our efforts need to be.

    Mini-mode

    Disabling mini-mode in 1Password 4 on the desktops would, of course, remove one attack surface. But at the same time it would encourage greater use of copy/paste which brings about its own dangers. Perhaps disabling easy "copy to clipboard" would actually be the more paranoid thing to do.

    This illustrates an important thing to keep in mind. Many security design decisions aren't so much about a tradeoff between convenience and security, but are often trade-offs of security in one domain against security in another.

    Security here and there

    One case of this "one type of security versus another" trade-off might come up in asking what the "paranoid" mode would be for auto-lock time-outs.

    Setting a short timeout for auto-lock is going to be more secure, other things being equal, than having a long timeout for auto-lock. But other things aren't equal. We presume (remember we have no data on this) that particularly on mobile devices people with stronger Master Passwords may end up setting longer auto-lock timeouts than they would if they had weaker Master Passwords.

    So while setting a "short" timeout might seem more secure, it might encourage less secure behavior elsewhere.

    It is this kind of thing that makes me hesitant of having "stronger" and "weaker" modes. Again, I'm not saying "no" to your suggestion. I'm just highlighting things that need to be considered.

    There's no such thing as "expert-only" mode

    1Password appeals to people with expertise in security. We would be very worried if it didn't. It's the best endorsement of our security approach there is. We, also, are expert users ourselves, and almost everyone other than the founders started out as expert users before we started working for AgileBits. We love expert users. But ...

    But we are trying to bring this level of security that security experts understand to non-experts. And when a non-expert sees an option for "more secure" he will select it even if it says "experts only". This, for example, is why we don't allow PBKDF2 iterations to be user configurable. People will make poor choices (including those who consider themselves experts).

  • buggypac
    Community Member
  • jpgoldberg
    1Password Alumni

    @buggypac, I appreciate that!

    But Molly (one of my dogs) does not.

    Seriously, that is really nice and relaxing now that I've listened to it for a few minutes. And the good news is that I have to listen with headphones anyway, because Molly disconnected my speaker cables in a freak out during a real storm yesterday.

  • buggypac
    Community Member
    edited May 2014

    @jpgoldberg You are a workaholic with a penchant for getting worked up about intricate subjects. I don't know how you manage to continuously erect such walls of text radiating such incredible intelligence and knowledge. I am not being facetious. You are a God of cryptography and programming and I definitely look up to you and your talent. That's why I thought you needed a bit of a break at times, to remember that this is just a game, and that you don't have to take everything so extremely seriously. :) This thread-starter had pretty silly worries about rich icons and watchtower and could have been answered a lot shorter. Your long replies are beautiful and extremely informative as usual, but in this case it was kind of like hammering a nail by traveling into space and forging one of the planets into a hammer and unleashing the hammer-shaped planet onto the tiny nail with the force of a thousand suns. Please take care of yourself and your health, man. :) Not every post warrants hours of your life spent writing/thinking up your mega-awesome posts. If you reserve that for when it truly matters, you'll find yourself with more energy reserves, and you won't feel so tense in your human body. ;) Take care Jeff!

  • khad
    1Password Alumni

    Don't let it get out, but @jpgoldberg‌ is paid by the word. :P

  • steven1
    Community Member

    Makers of proprietary security software benefit from their user base challenging the design decisions they make. That is why @dteare and @jpgoldberg take the time to respond.

    Remember...if you think concern over lookup of rich icons by default is not problematic (from a privacy perspective), I challenge you or anyone else to post the titles and URLs of your 1PW db Login items here :-)

    Dropbox and file sync "leak" this info too, but at least you are well warned and go into it eyes open. Rich icon lookup on iOS leaks this after the Mac version lulls you into thinking the designers wouldn't want this to happen. Almost smacks of a TLA conspiracy ;-)

  • jpgoldberg
    1Password Alumni

    Again, @steven1‌, I need to return to a point I made earlier. Someone in a position to capture the rich icon "leak" is almost certainly in a position to capture what websites you visit (including when you do so) without that "leak". And so that is why I don't think that your challenge ("post all of the websites you visit") correctly characterizes the situation.

This discussion has been closed.