
Does Travel Mode erase the locally stored account key?

lilyball
Community Member

The newly announced Travel Mode sounds like a great idea. But one concern I have with it is what if the TSA demands that I log into the web site? (I'm not sure if they actually can demand that, but there are reports of them demanding people log into social media sites so it seems plausible.) If I go to the web site right now, it has my account key stored locally so I only need my master password. I'm assuming that Travel Mode doesn't have a way to erase that locally stored account key. To that end, it would be great if there was a way to do it. Maybe even just a "Forget key" link next to the Secret Key field on the login form that shows up if the key was stored locally, so that way I can just manually forget the key on any device I'm traveling with.



Comments

  • Frank
    edited May 2017

    Hi @kballard - Great questions! I would like to direct you to our blog post since a couple of your questions have been addressed by Rick in the comments section. I appreciate the feedback and keep the suggestions coming :smile:

  • benfdc
    Community Member
    edited May 2017

    I'd also like to see the answer to this, and hunting through comments on the blog is not as efficient as using the forums, where we have the benefit of threaded discussions on narrow, focused questions!

  • AGAlumB
    1Password Alumni

    @benfdc: Good point! I think there's a lot of other good information on the blog as well, but told Frank I wanted to follow up here because these are things I've been discussing a lot lately. I'm getting on a plane again tomorrow! This feature wasn't added just for me, but I like to pretend that it was because of the timing. :tongue:

    The newly announced Travel Mode sounds like a great idea. But one concern I have with it is what if the TSA demands that I log into the web site? (I'm not sure if they actually can demand that, but there are reports of them demanding people log into social media sites so it seems plausible.)

    @kballard: I'm really glad you brought this up, because I think this is important: Travel mode can't protect you from yourself. But I realize that sounds absolutely horrendous, so let me explain.

    If you're detained, even in a relatively low-risk situation (your life isn't in danger, so really just a matter of inconvenience), authorities can demand whatever they want from you. And you can refuse to comply. But they can likewise refuse to release you until they're satisfied that they have everything they want. I'm sure @jpgoldberg could tell you some stories. 1Password can help you secure your data, but it can't stop you from giving someone else access to it. And sometimes that's better than the alternatives.

    Now, I know we can get into our heads and tell ourselves that we'll never submit (or debate it and declare that publicly), but it's different when you're in a tough situation and have to make a choice. So I think we need to keep in mind that this isn't a panacea: 1Password can make it easier for you to remove sensitive data from your devices, but anyone can demand that you give them access to whatever they want. It's our data, and our call what each of us does at that point. No matter what, it probably won't be a good time, and unfortunately 1Password can't help with that.

    If I go to the web site right now, it has my account key stored locally so I only need my master password. I'm assuming that Travel Mode doesn't have a way to erase that locally stored account key. To that end, it would be great if there was a way to do it. Maybe even just a "Forget key" link next to the Secret Key field on the login form that shows up if the key was stored locally, so that way I can just manually forget the key on any device I'm traveling with.

    You can make 1Password "forget" the Secret Key by signing out of the account on your device. I know this is tedious because it's what I've been doing up until now when I travel, so that's always an option for you depending on your own risk assessment. That's no easier now, but it's also no worse. And for most people, it's overkill. Just keep in mind that even if someone gets your Secret Key, you can regenerate it to get a new one for your account, and they'll only have your Master Password if you give it to them. Unless you choose to cede it, you have the power.

    As you can probably tell, I'm pretty passionate about this feature myself, so I'm looking forward to hearing more feedback from you and the rest of our awesome customers. I'll be looking forward to catching up here once I'm out of "travel mode". :sunglasses:

  • benfdc
    Community Member

    @brenty, I guess I may be missing the point of this feature. Either that or I just don't understand it. I hope you can help me out here.

    So long as my passphrase is strong enough I really don't care whether my 1P data is physically present on my device. If someone who gets hold of my iPhone when the vault is open can restore "non-travel" vaults by going to 1Password.com, how does this new feature make my data safer?

    This only makes sense to me if the traveler can irrevocably delegate the ability to toggle travel mode to a third party. (But that raises other concerns!)

    Am I making myself clear? I don't really see what problem this feature solves unless one places value on security by obscurity (protection against border agents who do not know about the travel vault feature).

    —Ben F

  • lilyball
    Community Member

    @brenty

    You can make 1Password "forget" the Secret Key by signing out of the account on your device.

    I'm not terribly worried about authorities extracting the secret key from 1Password. So my concern isn't the fact that the app still has access. I was strictly concerned about the fact that the browser knows what the key is, as can be seen when going to the web site, because then authorities can just demand I log in with my master password (which I know), instead of demanding that I type in the account key that I don't know.

    If I go to the web site right now there's a "Change Accounts" link that lets me put in a new secret key instead of using the saved one, but that apparently doesn't actually forget the existing key (well, unless I log in to a new account), so I can't just use that link as a way of saying "forget the key". It would be great if there was a simple way to erase the key from my browser's local storage.

  • AGAlumB
    1Password Alumni

    I'm not terribly worried about authorities extracting the secret key from 1Password. So my concern isn't the fact that the app still has access. I was strictly concerned about the fact that the browser knows what the key is, as can be seen when going to the web site, because then authorities can just demand I log in with my master password (which I know), instead of demanding that I type in the account key that I don't know.

    @kballard: Ah, I'm sorry. I totally misunderstood. That's a great point! In that case, there are a couple methods to ensure your browser doesn't have the Secret Key:

    1. Click the "This is a public or shared computer" checkbox when signing in the first time (you can click "Change accounts" on a subsequent sign in attempt to get this option).
    2. Deauthorize individual browsers/devices from your Profile page on 1Password.com.
    3. Reset the browser (or clear "1password.com" data stored in it).

    I hope this helps. Be sure to let me know if you have any other questions! :)

  • AGAlumB
    1Password Alumni

    @brenty, I guess I may be missing the point of this feature. Either that or I just don't understand it. I hope you can help me out here.

    @benfdc: I'll do my best! Admittedly, while some customers have asked us for this feature, it's probably mainly for self-serving reasons that it's available already.

    It really depends on the person, but here at AgileBits we do have access to some customer data (though not particularly useful) and systems that are sensitive. So we have a responsibility, especially from a privacy perspective, to ensure that we don't give someone access to these things. For example, a lot of people probably don't particularly want their government to know they're our customer. It's none of their business anyway! And travel mode makes it a lot less painful to manage removing company credentials from all of my devices. And I'm sure that a lot of companies with similar concerns will appreciate that it's easier for their employees to actually comply with this type of directive. It's just a lot less onerous to click a button. More on that later.

    So long as my passphrase is strong enough I really don't care whether my 1P data is physically present on my device. If someone who gets hold of my iPhone when the vault is open can restore "non-travel" vaults by going to 1Password.com, how does this new feature make my data safer?

    That's a fair point, but they'd need to have your 1Password.com account credentials to do that. And the only way they have those is if you relinquish them. Of course they can make further demands on you, but in the vast majority of cases, they're literally just going to ask you to unlock your devices and then look through what you have. And if you don't have anything on the device that you don't want them to access in the first place, that's one less thing to worry about. There's also a lot that can go wrong depending on the situation, but this is something that's at least within our control. It beats using a "burner phone".

    This only makes sense to me if the traveler can irrevocably delegate the ability to toggle travel mode to a third party. (But that raises other concerns!)

    That's an interesting idea. Maybe worth exploring. But for me the "other concerns" would be that if someone is sufficiently determined to get what they want, there isn't a lot any of us can do. 1Password isn't going to save you in a life-or-death situation, but thankfully that's not something many of us will face.

    Am I making myself clear? I don't really see what problem this feature solves unless one places value on security by obscurity (protection against border agents who do not know about the travel vault feature).

    It really depends on the situation, but I find it saves me a lot of extra work compared to my normal procedure (part of my packing/preparation checklist).

    Before travel mode:

    1. Grab EVERY DEVICE I OWN
    2. Unlock 1Password on each one
    3. Remove my AgileBits account manually from each
    4. (Travel)
    5. Sign into the account...
    6. ..again...
    7. ..on each device...
    8. ..UGH... (I have too many devices...)

    After:

    1. Login to agilebits.1password.com
    2. Enable travel mode (once)
    3. (Travel)
    4. Disable travel mode (once)

    We're not saying that this is going to be a perfect solution for everyone. Frankly, I can think of plenty of ways we could potentially improve this. But it's another tool in our security (and privacy) toolbox...and it's way better than what I had not too long ago. :)

  • benfdc
    Community Member

    Is that "after" checklist correct? I thought you have to unlock your vault on each device, while connected to the internet, in order for the non-travel vaults to be wiped.

  • Frank
    edited May 2017

    Hi @benfdc - You're right, Brenty is just excited :lol: We created a fantastic guide on how to enable Travel Mode depending on the type of 1Password.com account you're rocking at the moment. :+1:

    I hope this helps. Let us know if you have any additional questions.

  • benfdc
    Community Member

    The more I think about it, the clearer it seems to me that the travel mode toggle needs to be accessed via a separate 1Password.com login password, and that when an account is in travel mode the non-traveling vaults must not be visible via the standard account login.

    This would create a situation comparable to a secondary, hidden TrueCrypt vault: there would be no way for an attacker who gains access to a 1Password.com account to ascertain whether non-traveling vaults exist. Isn't that the appropriate objective?

  • AGAlumB
    1Password Alumni
    edited May 2017

    Is that "after" checklist correct? I thought you have to unlock your vault on each device, while connected to the internet, in order for the non-travel vaults to be wiped.

    @benfdc: Yeah, I did get a little carried away and not explain myself well. For me, after I disable travel mode through 1Password.com, I'm not taking additional steps to unlock the app on each device immediately afterward since I'll do that in normal use anyway. So in practice, as soon as I need the data, it's there. :)

    The more I think about it, the clearer it seems to me that the travel mode toggle needs to be accessed via a separate 1Password.com login password, and that when an account is in travel mode the non-traveling vaults must not be visible via the standard account login.
    This would create a situation comparable to a secondary, hidden TrueCrypt vault: there would be no way for an attacker who gains access to a 1Password.com account to ascertain whether non-traveling vaults exist. Isn't that the appropriate objective?

    That's a really interesting idea and something we can consider adding to the new travel mode feature in a future iteration. But I think it's important to keep in mind that this doesn't quite solve all of the problems it seems to on the surface. For example, the fake login (not sure what to call it) would need to be prepopulated by you with things like fake accounts containing plausible information, and this is especially difficult with things like social media. While this is something we could add, I don't think a lot of people are really prepared to create and maintain a separate digital identity for purposes of misdirection and plausible deniability. I know I'm not.

    So what we're really trying to do here is to make it easy to be cooperative during routine border searches, protecting our data (or someone else's, in the case of teams and families) while still being able to turn over our devices if required. But this just isn't going to stop authorities (or attackers) who are willing to go to much greater lengths as far as detention and coercion from asking much tougher questions and demanding access to things not on your person. At that point you'll have much bigger problems though. Having travel mode makes it easy for me to manage this as a user, but in a scenario where you need to avoid exposing others' data as well, it's probably a good idea to have a team or family member revoke your access temporarily. Technically this works the same (data and encryption keys removed), but it means that no one can get to it through you, as access is gated by someone else.

  • benfdc
    Community Member

    @brenty—It's only a fake login if the vaults one travels with are fake vaults. I thought that the idea of non-traveling vaults is simply that they hold information that one does not wish to travel with. I don't carry all of my credit cards and keys with me when I travel, but the ones that I take with me are not fake. For purposes of this discussion I'm going to call my suggestion the TMM (travel mode management) login.

    I guess where I am coming from is thinking about the threat model. To my mind, the "CBP agent at the airport" attack is a legal or quasi-legal variant of the $5 wrench attack. It's just not clear to me that a CBP agent who is able to gain access to the 1Password data on my phone would have significantly greater difficulty in gaining access to my online 1Password.com account. That being the case, a feature which protects non-traveling data that is normally present on my phone but does not protect the same data in my account is of dubious value. To the extent that it provides a false sense of security, it could do more harm than good. (Irony alert: in another active thread here, you seem to be raising an objection to a feature request of mine based on your belief that, for most of your users, the feature would do more harm than good.)

    I have a feeling that your idea of the principal threat model to which "travel mode" is addressed may be different from mine. I'm hoping that you can help me understand it. And if you can help me understand it, then maybe you can help your users generally to understand it. Because IMO the travel mode feature will not enhance the security of your users if they misunderstand its purpose. I'm thinking specifically of a long-ago time when @jpgoldberg informed me, much to my surprise, that 1Password's "Export Selected Items to HTML" feature was not a thoroughly safe way to share secrets with other people. I had always thought that this was the purpose of the feature, but Jeff stated that he had never contemplated that use.

    Switching to a different point, let me observe that having a separate login for managing travel mode (both the toggle switch and the designation of vaults as non-traveling) is a flexible solution. If I wish, I can memorize my TMM passphrase so that I can gain access to my non-traveling vaults while abroad. Alternatively, I can "escrow" my non-traveling vaults by having my trusted escrow agent change my TMM passphrase and not disclose it to me. And so on. The feature would allow for many use cases.

    It occurs to me that it's possible that a TMM passphrase might have to be set up at the time of account creation, just as the standard process for creating a hidden TrueCrypt vault is to create it at the same time that one creates the principal vault (which in some but not all use cases may indeed be a decoy vault). It also occurs to me that I am neither sufficiently knowledgeable nor sufficiently imaginative to know whether or not this is actually the case.

  • jpgoldberg
    1Password Alumni
    edited June 2017

    Hi all,

    I haven't been following this discussion (and perhaps I should merge discussions) and please forgive me for not reading everything that has been said here so far.

    There are a couple of points I want to try to make clear

    What you carry with you and what you don't

    Travel Mode makes no attempt to protect you from someone who can compel you to log into the service. It isn't designed for that, and it would probably be a mistake to try to co-opt or extend it for such a thing. It is designed under the assumption that there are circumstances (like at a border entering a country) when the things that you carry with you can be subject to search in ways that the things that you don't have with you cannot be.

    If you enter a country with a suitcase, that suitcase is typically subject to search without the need for a warrant or court order even though such warrants might be needed to search it under other circumstances. Things that you carry with you across a border are more open to search than other things.

    Let's consider two envelopes. Envelope A is in a bank safe deposit box in country X. Envelope B is in your carry-on luggage as you enter into country X. The government of X is capable of searching both, but it faces a much higher threshold of due process to search A than to search B.

    So Travel Mode is set up so that you have less on your person as you enter a country. Under our assumption that B is more likely to be subject to search than A, this is useful. It doesn't matter that A can be searched; what matters is that A is much less likely to be searched than B.

    No deception

    Travel Mode is not about concealing the existence of some data. And it certainly isn't about presenting fake data to authorities. That would be dangerous, and we do not want to put our customers in danger.

    People who have the power to compel you to unlock your devices and unlock what is on those devices are people with a lot of power. You do not want to play games with them. You do not want to try to lie to, mislead, or trick them. They have power, they have resources, and institutionally they have a lot of knowledge. Attempting to mislead them would be pinning your future on the hope that those people are either incapable of detecting an attempt at deception or are unable to retaliate against you once such deception is detected.

    Seriously, do you imagine that if sometime after the fact (or during the encounter) they discover an attempt at detection they are going to say, "Well, it looks like you won this time with your clever little trick. I guess you are free to go now." ? They aren't. Anything that even looks like an attempt to deceive them would (correctly) lead them to apply more pressure and escalate the situation. They wouldn't be doing their jobs otherwise.

    If you really want to try to trick an entity that has the power to compel you to decrypt data, you had better be extremely confident about your chances of success, because the consequences of getting caught are large. And note that "getting caught" doesn't mean getting proven guilty. A reasonable suspicion that you have been lying to border officials is enough to make things very bad for you.

    Games are fun to think about

    It is fine to imagine how to develop a system that conceals the existence of data or spits out fake data under certain circumstances, but if you have any real intention of misleading border officials, I strongly suggest that you consult with a lawyer first.

    What's in a name?

    By the way, I have been detained at the border in one country and nearly deported from another. And I managed to get a third border official really pissed off at me. All of those were cases where I had zero intention to deceive or do anything wrong. In the first two, my unusual situation got me caught up between conflicted laws, and they are really tedious stories. But the third story is simple enough that I can relate.

    This was 1989 and I, an American, was traveling with friends from Budapest (Hungary) to Cluj (Romania) by train. I was in a compartment with Romanian citizens who were ethnic Hungarians. We were speaking Hungarian and English. I was living in Hungary at the time. When we reached the border, and the Romanian official saw my passport he wanted to ask me some things. He asked where I was going, someone translated to English for me, and I said "Kolozsvár". Everyone in the compartment gasped, and many people tried to apologize on my behalf. I realized my terrible mistake instantly. I should have said "Cluj".

    Hungarians speaking Hungarian among themselves will use the Hungarian name for that city (Kolozsvár) with no ill intent. But to be seen to "insist" on the Hungarian name for the principal city in Transylvania when speaking to a Romanian is something that, when done by a Hungarian, is pure irredentism. I sounded like a troublemaker who wanted Transylvania returned to Hungary.

    From this point on the border control guy refused to let anyone translate for me. Even if he spoke Hungarian that would not have been an acceptable language. We settled on French (which I don't speak, but I can fake it better than Romanian). Anyway, after a search of my stuff and some grilling in a language I don't speak, he did come to accept my apology and accept it as an innocent mistake. This was important not for me (the worst he could have done was eject me and send me back to Budapest), but ethnic Hungarian Romanian citizens who had been consorting with me could be subject to more trouble after they got home.

    OK, that was a digression that served nothing of the main point. And, I am a white male American. My border and immigration difficulties (I've lived in three countries) are minor compared to what others may face. But even minor miscommunications can lead to trouble at borders. Do not try to trick or deceive those people. Be polite and cooperative. Travel Mode allows you to be cooperative. It is not a tool for deception.

  • benfdc
    Community Member
    edited May 2017

    I'm with you 100%, Jeff. The security professional who uses the handle the grugq wrote a nice piece on this subject earlier this year that offers the same perspective. @Brenty used the term "fake login" to describe my feature request. That was actually the furthest thing from my mind. Travel Mode should not be used for purposes of deception or lack of cooperation. It's strictly about what you choose to have in your possession when you travel, and what you choose to not have in your possession.

    I don't think that the concerns you raise are particularly relevant to my suggestion. Rather, they are inherent in the Travel Mode feature itself. Travel Mode, used improperly, can get a 1Password user in trouble. Some people might think it is a smart idea to keep only innocuous things in their personal vault and stow everything of real value in a separate non-traveling vault. In fact, that may be anything but smart, for the reasons that you and the grugq lay out. A very thin 1Password.com vault might lead a CBP agent to believe that the traveler is purposely hiding account information in other, off-device vaults. A smart traveler will keep enough information in his or her traveling vault to allow the CBP agent to do his or her job. If you are active on social media it's not smart to deny it, and telling the agent that you have Facebook and Twitter accounts but have no way to access them could make more trouble than letting the agent peruse those accounts.

    My question, and my suggestion, should be considered in the context of Travel Mode being used appropriately. Let's say you have an AgileBits code signing key which you keep in a non-traveling 1Password vault because you don't want to take it with you when you travel. So you go onto 1Password.com, toggle Travel Mode on, and proceed to purge that vault from your devices. My question is this: If the code signing key is still readily accessible via the 1Password app on your device whenever your device is connected to the internet, what have you gained? In other words, what threats does the new Travel Mode feature actually protect against?

    I guess this is the bottom line. The CBP agent asks you to unlock your 1Password app. You comply. The CBP agent then asks you if you have removed data from your device via Travel Mode. Now what? If AgileBits has not prepped 1Password users to anticipate and plan for that situation, but is leaving it to them to think on their feet in the heat of the moment, offering this feature in the product may not be serving them well.

  • jpgoldberg
    1Password Alumni

    Thanks, @benfdc! That's what I get for not reading the discussion carefully before posting. But as I am taking every opportunity to advise against trying to deceive border officials, it was fine for me to state it again.

    You might also want to see this article in Wired in which I am heavily quoted. Indeed, I try to make the same point that you are making:

    “If it looks like you’ve taken extraordinary steps to avoid things being discovered during the search, then that may have consequences,” Goldberg says. “In a sense we’re trying to make it easier to fully and honestly cooperate at the border. This is not a mechanism for thumbing your nose at border agents.”

  • benfdc
    Community Member

    OK, @jpgoldberg, something odd may be going on here because I don't see the comment of mine to which your 2:17 post responds. Anyway, thanks for the link to the Wired article. It actually reinforces my concerns, though.

    Setting up a travel plan requires careful consideration of what’s on a device and what could raise suspicion.

    1Password’s Travel Mode doesn’t solve every border crossing privacy concern, but the more tools people have at their disposal, the more likely they are to give real consideration to their data privacy.

    I really have to question that last sentence. Giving someone a tool isn't necessarily a way to encourage them to acquire subject matter expertise. If Travel Mode is a potentially dangerous feature, as the Wired article seems to stipulate, and if it requires expertise to use wisely, then where is the net benefit for your users?

    I keep returning to the same question: what exactly is the threat which this feature seeks to address, and how effectively does it address that threat? Unless Agilebits can very clearly communicate to users what Travel Mode is for versus what it is not for, I think it ought to be promoted and documented as a feature for advanced users only. For people who might misuse Travel Mode, the stakes strike me as higher than they were with my riskier-than-I-realized practice of sharing of secrets with other folks via the old "Export Selected To HTML" feature back in time immemorial. The risks may be even greater for Agilebits and your user community as a whole—nobody benefits if 1Password can be painted as the tool of choice for people trying to circumvent inspections at the border.

    Remember the slogan "Rip. Mix. Burn." when iTunes was new? When the iPod came onto the scene, it brought with it a new slogan: "Don't Steal Music." Apple set out a very clear position on the proper use of its new product.

  • jpgoldberg
    1Password Alumni

    You aren't wrong, @benfdc. There is a risk that someone will use Travel Mode in a way that will do them harm. But we designed it to minimize that scope by making it merely about what data is on your device.

    Furthermore, the additional risk is small because there is already a similar risk with any strong encryption system. There will be users who may feel tempted to say things like, "Ha. You will never get at X in a million billion years because I use Y."

    That is not just unwise for the obvious reasons; a statement like that by someone in a criminal case lost them a fifth amendment claim against compulsory decryption. It is because X was sufficiently specific to amount to testimony that it exists.[1] Now that doesn't apply in our border search situation or with Travel Mode itself, but it does show how bragging about your security can make things worse.


    1. I can't recall the specific case, but the legal principle is that it is easier to compel someone to aid in a search for something that you know exists than for a search that would reveal the existence of the thing, as the latter could be considered testimony of its existence. "Hand over the codes to your secret nuclear devices" is fine if the police can prove that those codes exist and you have them. But if they cannot independently prove that those exist and you have them, a fifth amendment defense against you doing anything that testifies to their existence might be usable. (Again, case law is very unsettled, and it will be interesting to see how this plays out with a Congressional Subpoena instead of a criminal investigation.)

  • benfdc
    Community Member
    edited May 2017

    Oh, I imagine that the trouble starts when someone tries to unlock my iPhone and is presented with a keyboard instead of a PIN pad. Is this evidence that I have an expectation of privacy or evidence that I have something to hide? :-)

    I recently read reports of a case where a judge or magistrate ruled that a person who tosses a smartphone in a dumpster obviously has no expectation of privacy respecting the device's contents and therefore may not lawfully refuse to unlock it. The logic of this argument escapes me, but my opinion isn't of any help to the owner of that phone, and one might well apply similar "logic" to a person who tries to enter the country with a smartphone!!! I think it would be even less rational to presume that the owner had waived any expectation of privacy regarding the contents of a password manager app on said phone, but again one can never predict how the authorities will view the matter.

    Still, legal issues aside, I take some comfort from the fact that Jonathan Zdziarski was hired by Apple's security architecture group earlier this year. One can make an argument that iPhone users can be presumed to have a greater expectation of privacy than Android users, but good luck trying to persuade a court of that. Expectations or not, the security disparity is a fact. I think it was heroic of Steve Jobs to insist that carriers give Apple full control of device updates, and arguably deplorable of Google to adopt a business model that precluded it from following Apple's lead. As one expert recently observed about the Shadow Brokers' "dump of the month club" threat:

    Although iOS is responsive and quickly patches vulnerabilities, most Android devices are woefully insecure. Given the very high quality and ease of use present in the other Shadow Brokers released tools, a set of easy-to-use Android exploits would be devastating to the Android ecosystem, as criminals and other miscreants would be able to use such tools to devastating effect.

  • jpgoldberg
    jpgoldberg
    1Password Alumni

    Oh, I imagine that the trouble starts when someone tries to unlock my iPhone and is presented with a keyboard instead of a PIN pad. Is this evidence that I have an expectation of privacy or evidence that I have something to hide? :-)

    Your smilie aside, this does illustrate the problem of at what point does an effort to protect your privacy becomes "suspicious". And of course, there is the distinction between what a court may rule versus the sorts of actions that a border official may take. After all, a border official already has broad powers to search you and your stuff as you enter a country, and so we may be concerned about what may make them more inclined to use that authority. Law enforcement seeking warrants face different requirements. They can make less use of "it looks like he's trying to hide something" when seeking a warrant.

  • AGAlumB
    AGAlumB
    1Password Alumni

    OK, @jpgoldberg, something odd may be going on here because I don't see the comment of mine to which your 2:17 post responds.

    @benfdc: Yep. For some reason only that comment got flagged by the spam filter (I'm guessing because of the link), and Goldberg must have seen it in his notifications, as I was also confused when catching up on this discussion today since I couldn't see it either. Anyway, I've fixed that. :dizzy:

    @Brenty used the term "fake login" to describe my feature request. That was actually the furthest thing from my mind. Travel Mode should not be used for purposes of deception or lack of cooperation. It's strictly about what you choose to have in your possession when you travel, and what you choose to not have in your possession.

    Yeah I really did misunderstand what you were suggesting. Thanks for taking the time to clear that up for me (and for the rest of your thoughts on this as well)!

    For me it comes down to this core idea, which you brought up initially and Goldberg summed up this way:

    There is a risk that someone will use Travel Mode in a way that will do them harm. But we designed it to minimize that scope by making it merely about what data is on your device.

    Since people can choose weak Master Passwords or even do things like write them down on a Post-It™ stuck to their screen, or simply share them with someone else when they probably shouldn't, 1Password itself can be used in a harmful way. Users have a tremendous, justifiable belief that 1Password can help keep them secure, because it offers many incredibly powerful tools that can be used to that end. But any tool can be misused as well. If I were skilled with a table saw, I could create some great wood stuff (I am not skilled with a table saw). Or...I can lose some fingers.

    I have to use these tools with great care, and putting myself in a position to refuse to grant border officials access to my devices, or lie about what information I do or do not have access to, is careless. So while travel mode doesn't solve a problem of me having information worthy of detention or interrogation, it does make it easy to hand over my devices without including things I am not entitled to share with others.

    What I love about 1Password is that I literally don't know my login credentials for anything, so I can answer honestly "I don't know" if I'm asked for them. And I love travel mode because when — not if — I'm asked to turn over my devices for a search, they won't contain my AgileBits credentials. And others can use this feature similarly to limit what's stored on their devices while traveling. At the point where we're being asked to produce information we don't have with us at the border, we probably need a lawyer anyway...or are in much more serious trouble than a lawyer can help with.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @benfdc: Oh, and I really appreciate that article you shared. Just finished reading it. Good stuff! :) :+1:

  • benfdc
    benfdc
    Community Member
    edited May 2017

    @brenty—Thanks for restoring one of my comments, and I'm glad you enjoyed one of my links (or maybe I should be miffed that you didn't like both of them?)

    I understand the distinction you all are drawing between stuff on one's device and stuff not on one's device, but I don't think it's entirely valid. For most folks, most items stored in 1Password are logins, and logins are used to access info that is NOT on one's device. Which is why I keep returning to what seems to me to be a straightforward question—what benefit does Travel Mode provide if anyone with access to my unlocked 1Password app can get into my 1Password.com account and turn Travel Mode off?

  • AGAlumB
    AGAlumB
    1Password Alumni

    @brenty—Thanks for restoring one of my comments, and I'm glad you enjoyed one of my links (or maybe I should be miffed that you didn't like both of them?)

    @benfdc: Ha! I had been so focused on the post that I'd restored that I didn't even notice you'd included another in a more recent comment. It's definitely interesting to compare and contrast the platforms and the impact business decisions have on their security. :)

    I understand the distinction you all are drawing between stuff on one's device and stuff not on one's device, but I don't think it's entirely valid. For most folks, most items stored in 1Password are logins, and logins are used to access info that is NOT on one's device. Which is why I keep returning to what seems to me to be a straightforward question—what benefit does Travel Mode provide if anyone with access to my unlocked 1Password app can get into my 1Password.com account and turn Travel Mode off?

    I really don't know how to sum it up differently. While you're right that it can depend on the person and situation, for me it's helpful to be able to more easily remove sensitive data from all of my devices. Ultimately the effect is the same, but it saves me a lot of trouble. And 1Password.com is sort of beside the point since no one can get into my account in the browser to disable travel mode unless I give them the credentials. I guess I don't understand the different problem you're trying to solve, or maybe I do and it's simply unsolvable because 1Password cannot prevent you from giving someone else access to your account. :(

  • benfdc
    benfdc
    Community Member
    edited May 2017

    I guess that takes me back to the question that I thought was implicit in the title of the thread. If a CBP agent is holding my iPhone in her hand with 1Password unlocked, does she need any further credentials from me in order to access my 1Password.com account?

    Is there a simple yes or no answer to this?

  • @benfdc: Yes, they would need your account's password.

    Rick

  • benfdc
    benfdc
    Community Member

    Aha! Thanks for that info, @rickfillion. NOW I get it. The amount of protection that Travel Mode provides to the contents of non-traveling vaults depends, to a considerable extent, on whether or not the traveler elects to store his or her 1Password.com password in a vault that stays on the device.

    IMO this is a very important point, it is not intuitively obvious, and it should be clearly and prominently documented.

    I still think there is a case to be made for my "TMM login" suggestion, which if implemented in parallel with the existing Travel Mode feature would work like, and provide protection comparable to, a hidden TrueCrypt volume. However, I readily concede that, quite aside from technical and customer support concerns, a case can be made against my idea that would rest on the considerations raised by @jpgoldberg above and by the grugq in the essay that I linked to above. Even the present implementation of Travel Mode dips a toe in troubled waters, and a second, hidden layer would take you considerably further from shore. Including this feature in some types of 1Password.com accounts but not others strikes me as a plausible option, but there may be no perfect solution.

    Forum discussions like these are invaluable, and are the reason that I always recommend 1Password so highly to family and friends. Thanks again to everyone who has weighed in here.

  • Thanks for the kind words, @benfdc. :)

    Rick

  • IanTaylorFB
    IanTaylorFB
    Community Member

    Ok, so I've read the above reasonably thoroughly, and I believe I get Travel Mode:

    When I travel -
    I don't pack all my credit cards
    I don't take all my computers
    1PW Travel Mode => I don't take all my data

    This all makes sense to me, and I like it!

    However, I don't get the practical reality of an encounter with a border official. So far this hasn't happened to me, but it appears increasingly likely.

    Let's start with some assertions. If any of these are wrong, my reasoning below needs to change.

    Assertions
    1. The Master Vault password is the same as the Account password for 1password.com accounts.
    2. My Master password is not stored in my vault unless I deliberately create an item that stores it.
    3. An unlocked 1Password vault reveals the existence of the 1password.com account and allows viewing the secret key.

    What I don't know is how an encounter proceeds. I can envisage two broad scenarios:

    (A) I use my passwords
    (B) I tell my passwords

    (A) I use my passwords
    Official asks me to unlock my device (iPhone, say). I unlock it with fingerprint or passcode, hand it over. Official asks me to unlock 1Password. I unlock it with fingerprint or passcode, hand it over. In this scenario, the official has access to unlocked assets, but does not know or have the keys.

    (B) I tell my passwords
    Official asks for my device passcode. I tell it, official unlocks my device. Official asks for my 1Password passcode. I tell it, official unlocks 1PW. In this scenario, the official has access to unlocked assets, and knows the keys (do/can they record audio, video or write stuff down?)

    Which one of A or B is practical reality? In some respects, it doesn't seem to matter, since assertion 3 reveals the existence of the 1password.com account and they can then just request that I log in to my account in scenario A, or do it themselves in scenario B (because assertion 1 tells us that my account password is the same as my vault password).

    It seems that I haven't really "left my data", it is all still available, it just needs one or two more simple steps to see it.

    I really like the idea of travel mode and I want to use it and rely on it the way I rely on other 1Password features, but it doesn't seem to achieve its objective of "leaving my data at home". What am I missing here?

  • AGAlumB
    AGAlumB
    1Password Alumni

    @IanTaylorFB: You're not wrong, but none of that has to do with 1Password or Travel Mode. You're talking about 1) having sensitive information on your device when going through border control and either 2) directly giving border officials access to it or 3) giving border officials your password to access all of your data. Also, keep in mind that border searches are, unless the laws change or new precedents are set in the courts, restricted to what you bring with you over the border. That's not to say that you won't be asked for your Facebook login or whatever, but it's up to you what you do at that point, since it's your stuff on the line. But I haven't heard of that except with regard to applying for permission to enter a country beforehand, not routine searches when you're already at the border, presumably with passport and visa.

    Travel Mode isn't meant to — and cannot — protect you from overreaching government officials demanding that you give them information which you don't want to. That's a legal/social problem. Rather, Travel Mode exists to make it easier to leave some data off of your person when traveling, much like your excellent example of the credit cards and computers you don't bring with you. This was always possible, with or without 1Password, but Travel Mode just makes it much less of a hassle. If you expect that you'll be given an ultimatum of "give us access to all of your stuff or go to prison", you can always delete 1Password from your devices and/or delete your 1Password account before traveling, but I suspect that is only really necessary in very few extreme cases.

This discussion has been closed.