In light of yesterday’s shocking news that the NSA has deliberately inserted weaknesses into computer security products, the developer of popular password and security app for Mac and iOS, 1Password, has written a fairly telling blog post on their vulnerability to this type of NSA intervention.
Here’s what AgileBits says:
Has 1Password been deliberately weakened?
Have we, AgileBits, ever been asked/compelled/pressured/contacted by any entity asking us to weaken 1Password?
That’s the easy part; anyone could say that. Let’s look a bit deeper.
AgileBits spends quite a bit of time explaining why the above is true. It makes sense, as its entire business model is predicated on the fact that its encryption–and therefore its customer’s data–is safe, even from the NSA.
The blog post explains that AgileBits has developers in Canada, the US, the UK, and the Netherlands. Even if the NSA had bound AgileBits, a Canadian-owned company, with a gag order, it could not bind non-US citizens who live outside of the country. Any orders from other countries would likewise not bind any US citizens living here. The only way to keep the company’s silence, then, would be to coordinate at least four separate NSA-like agencies across all four countries. Possible, but not probable.
Secondly, the system that 1Password works within is totally in the customer’s hands. “Out of the box,” the company writes, “1Password creates a local data file (your “vault”) and sync is disabled. We never have the opportunity to see your Master Password or even your encrypted 1Password data.”
The company never sees how you use 1Password. None of your private browsing data or sensitive financial records pass through the 1Password systems. They don’t even know if you’re using the software or not once you’ve bought it. They do offer some data sync, but even that is done locally, according to the web site. “When 1Password 4 for Mac arrives soon,”says the blog, “Wi-Fi sync (currently in testing) will allow you to sync locally, meaning your data never has to leave your local network.” This can, of course, be verified with a program like LittleSnitch or any other network analysis tool.
Finally, the company says that their data format is verifiable, as well. They’ve provided details of the encryption that 1Password use, which lets anyone concerned about its relative strength or deliberate weakness test it themselves.
The post continues to say that they would most likely follow the precedent set by Lavabit, a company that has gone public with its own alleged gag orders by shutting itself down. AgileBits (not related) says, “… the very real possibility that we would shut ourselves down (which would be public) rather than sabotage what we do and love should act as some deterrent to those who might wish to compel us to introduce a backdoor.”
The blog post finally states that, to AgileBits’ knowledge, only communication tools have been targeted, and not tools that protect consumer passwords and data locally, like 1Password.
These are a fairly robust set of reasons why AgileBits might be trusted with the encryption of our data. In addition, they didn’t have to step forward and call it out; while this may be the sign of a conspiracy, again, it’s not probable. Ultimately, we all give up a bit of our security by using digital tools, and potentially more if we use products like these.
Other companies who make similar products have not made statements to this effect, as far as we know, and one, LastPass, may have already been breached.
The AgileBits blog post sums it all up, by saying,
Even if you don’t find any of the individual reasons listed above to be persuasive, they interact powerfully. In combination, they make it much harder to get a weakness into 1Password without taking on large risks of getting caught and failing. Any attacker, including the NSA, will avoid high risk, high cost attacks if there are safer and easier alternatives. I’m therefore confident that the NSA would rather go around 1Password than through it.
What do you think, Mac users?