Big concerns about Travel Mode

heubergen

Hi

It's great to see that you think about all the possibilities to secure and hide our data from others. But for me the Travel Mode is something bad because it can make the US Gov feel like I have something to hide. I don't wanna start a discussion or conversation about I have nothing to hide but it seems for me a risky move to make the US Gov feel like you wanna hide something from them.
I want to travel in this beautiful country for a long time and I'm seriously thinking about cancel my 1Password Account Subscription because of that and change to a more transparent password manager.

To you share this concers or do you want to responds to it?

---

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

pervel

What do you mean by "a more transparent password manager"?

heubergen

I just need a password manager where nobody starts thinking about that I may hide some data from them. So with more transparency I mean more transparent for Gov and Customs :)

rickfillion

Hi @heubergen,

The reality is that we do have something to hide, or at the very least not provide. Do I really care if they can get at my Twitter password? In the grand scheme of things, I really don't. I'd feel uncomfortable and I'd want to change it as soon as possible. But there are other things in my vault that the government has absolutely no right to, under any circumstances.

I'll use an example: Every time we do a code change to 1Password, that code change comes with a digital signature. This allows us to prove (cryptographically) that the code change came from one of us. We require that every change we make include this signature. If someone was able to get access to my key and passphrase for it they would be able to impersonate me. This becomes a much larger problem. There is no scenario where that should be allowed to happen.

Am I hiding something from them? Not really. I've just told you that it's there. But I shouldn't have to trust that someone won't abuse access to that. The best way to do that is to take trust out of the equation and simply not have those keys on any of my devices when I'm in a situation where this could happen.

You don't need to use Travel Mode. If you feel more comfortable without using it, that's up to you.

Rick

julie-tx

@heubergen -

Many of us need to protect secrets to all manner of data. As @rickfillion mentioned, there are signing keys for GitHub changes, and passwords to GitHub repos which contain proprietary data. There may also be corporate credit card details, server passwords, server SSH keys, and so on. The list can get pretty long. Add to that the possibility that a doctor has HIPPA information or passwords, a lawyer has confidential client information, an inventor has undisclosed inventions, law enforcement professionals may have information about active investigations, and so on.

This feature says "We don't care why you can't be required to disclose this information, we're just going to make it impossible." There's a line in "Star Trek III: The Search for Spock" where McCoy says "There aren't gonna be any damned permits! How can you get a permit to do a damned illegal thing?" By automatically deleting selected vaults and all of their items, disclosing the data becomes impossible. You could have deleted the entire account (after memorizing the entire Secret Key), or asked your team administrator to remove you from all of the affected vaults, but both of those are harder than Travel Mode. Nothing kept you from manually removing the data beforehand, it was just probably a lot harder to do.

heubergen

I see your points @rickfillion, @julie-tx but I'm not sure if the Customs will share this argumentation :) At the end if I need to decide between not going to this country or disclose any data from me even thought they might do things that I'm uncomfortable with I choose the second option. (may that's different for you)

The problem is there's no other way for me to prove the Gov that I don't use the travel mode as sign in 1password.com and show them my profile but with doing that the feature is pointless as they can also force e.g. a doctor to login 1password.com.

So for me I'm asking myself where's the advantage of this?

Frank

Hi @heubergen - We appreciate the feedback and for you taking the time to share your perspective on the feature. As Rick mentioned previously -

You don't need to use Travel Mode. If you feel more comfortable without using it, that's up to you.

Other option, you could delete 1Password from your devices and then sign back into your account when you reach your destination as long as you have the keys. Just another thought. Let us know if you have any additional questions or feedback. We'll be more than happy to assist. :smile: Enjoy the rest of your day.

jpgoldberg

You raise an important point, @heubergen, and I am going to make a subtle – but I think crucial – distinction.

We are not trying to conceal the existence of data from attackers. Instead we are trying to remove the data from devices which may be subject to search.

It's not about pretending that certain data doesn't exist at all

There are a couple of reasons why we are not aiming to conceal the existence of data

1. It is very hard to do against even a mildly capable attacker. As an exaggerated example, suppose you have a Facebook account, but it is not among your Safe For Travel vaults. The fact that you have a Facebook account is not secret.
2. It is not particularly wise to attempt to deceive, mislead, or lie to border officials (or most others who have the authority and power to perform the sorts of searches we are talking about).¹ If you are a visitor to a country, any form of apparent non-cooperativeness can leave you barred from the country.

It's about what you have with you

Instead we are offering Travel Mode because there may well be circumstances in which the devices that you carry with you can be subject to search. A search at the border is almost always limited to what you are taking across the border. Also governments are typically more free to search you at a border than in other circumstances.

Suppose you have a safe at your home. When you cross a border, it is not very likely that you will be expected to unlock the safe at your home. But if you are carrying a safe with you, then you may very well be required to open it.

Making it easier to cooperate

Let me give an simple example of how I use Travel Mode (or have been using my own way of doing this before Travel Mode). I have a few administrative rights on this discussion forum. This means that I can see, if I wish to, the email addresses that people registered with and the IP addresses they are connecting from. (This is mostly for managing spammers).

If someone, even a government official, were to acquire my password for logging in here, it would be a threat to the privacy of everyone using our forums. And so it would be a password that I would have to change quickly after such an exposure. I have a lot of work related passwords that fall into that category. So to protect your privacy, I have such passwords in vaults that are not safe for travel.

With travel mode enabled, I simply wouldn't have those on a device that is subject to search, and so if that device is searched, I wouldn't have to change that password afterwards. This makes it easier for me to cooperate with a search. Without Travel Mode (or the personal hacks I was using before we introduced it) I would be more reluctant to cooperate and that would have made everyone unhappy.

Cheers,

-j

---

1. Over the past several months I have seen a lot of people talking about how they might stand up for their rights or refuse to cooperate with certain sorts of requests. I am guessing that none of the people talking in those terms have ever actually been detained at a border. There is an enormous power asymmetry. As for "knowing your rights", in many cases nobody knows what those rights are. In the US the law is extremely unsettled about compulsory decryption. And the law is unsettled about the extent to which borders are exempt from 4th Amendment protections. This is on top of the difference in rights that depend on whether you are a citizen, permanent resident, or visitor. ↩︎

heubergen

Okay I see your point, I'm just not sure how long your argumentation will be valid as the US announces to force you to login web services like twitter or facebook so they can see your private data here. 1 2
Of course currently the focus is on social media networks but might they expanding it to online file hosting services (google drive, dropbox etc.) or online password manager (1Password etc.).

I don't wanna make your work bad, but I just think that the US Gov will always find ways to get the data they want (even if this data are clearly nothing that they should see). Features like Travel Mode will not prevending them from grabbing the data, there's only one way to stay safe with your data: Don't use the Internet :)

jpgoldberg

@heubergen is correct when pointing out that the usefulness of Travel Mode depends on the scope of the search.

I'm just not sure how long your argumentation will be valid as the US announces to force you to login web services like twitter or facebook so they can see your private data here.

The particular cases you cite are about visa applications and are not about searches at the border. In particular those cases are not a "let's search what you are carrying with you." And so, in those cases Travel Mode is irrelevant.

So I again would like to make the distinction between a locked safe that you have at home and a locked safe you travel with. There may be circumstances where you might be compelled to unlock either. But some of the legal justification for warrantless searches at the border is for customs enforcement and is limited to what you are carrying into the country.

Now if it turns out that "what you carry with you" is no more open to search than things that you don't carry with you when entering a country then Travel Mode will be far less useful. We don't know how these distinctions are going to play out in court or in practice (and for different countries). We are confident enough that the distinction between "what you carry with you" and what you don't is sufficiently relevant that we find offering Travel Mode worthwhile.

Of course currently the focus is on social media networks but might they expanding it to online file hosting services (google drive, dropbox etc.) or online password manager (1Password etc.).

If, indeed, it goes that way then Travel Mode would be of limited use. But I am hopeful that warrantless border searches would not extend that far. If I am wrong, then we will have to reconsider the feature.

I don't wanna make your work bad, but I just think that the US Gov will always find ways to get the data they want (even if this data are clearly nothing that they should see)

I am really happy that you raised these points. First of all, I don't want to over promise what Travel Mode can do. But I think it is important to realize that there is a distinction between searches at borders and other searches. The US government does not need a warrant to search your suitcase as you bring it into the country, but it would need to meet a higher standard of "probable cause" to search the suitcase inside the country.

So just because they may always be able to compel you to decrypt anything (that is far from settled at this time, but let's pretend that they can), that is going to take much more effort and due process than searching things you are bringing in through a border.

AGAlumB

Indeed, 1Password can't protect you from yourself, if you grant someone access to your data (perhaps the lesser of two evils, depending on the circumstance). We'll have to see how things play out, and each of us adjust accordingly.

heubergen

Hi @jpgoldberg, @brenty and all the other that took the time to discuss that.
Thank you for you answers, I can now understand better why you build this feature and in which cases it will help people to protect there data. This also helps me about my concers and I'm hoping that I can enter this country soon :)

Can be closed from my side.

AGAlumB

@heubergen: Hey, likewise, thanks for starting this discussion! While perhaps most people are happy enough to be able to click a single button to remove data from their devices (I know I love that part of it myself!) I think it's kind of a shame that there isn't much of an opportunity to go into this kind of detail there (though Rick's blog post and accompanying documentation certainly help)); so I'm really glad to be able discuss this stuff in depth like this. Cheers, and safe travels! :)