1Password adds Telemetry to its password manager, but it is opt-in, sort of
The makers of the password management service 1Password announced the rollout of what they call a "privacy-preserving telemetry system" in the application today.
Telemetry collects usage data and many applications and all operating systems have such systems in place. Developers may use it to analyze issues or usage, which may help prioritize development.
Telemetry is a red flag for some users, especially those with a tech background or expertise. One of the reasons for that is that it is often baked into programs and operating systems automatically. In other words: data is collected automatically and users have to hunt for opt-out options, if they even exist. Sometimes, these options may even get reset, for instance after upgrades.
1Password Telemetry
1Password promises that its system is privacy preserving. To ensure that, it designed the system to be opt-in instead of opt-out. Users will receive a prompt about data collecting and it is up to them to agree to it or decline the request.
The prompt does not use dark patterns, but the share option appears to be enabled by default. Users need to toggle the "share analytics" toggle when they see the prompt to block 1Password from collecting and sending usage data to the company. Users may change the usage data preference at any time under manage account.
The setting applies to all 1Password instances on all of the user's devices.
1Password users who have not seen the prompt yet in the application do not have data collected in their applications yet.
Telemetry in 1Password is designed to collected event data. User data, such as passwords, passkeys, usernames or URLs are never collected and remain private.
1Password lists a few examples of event data that it collects:
- finishing the in-app boarding
- unlocking 1Password
- creating a new item
- filling an item in a website or app
The data will be "de-identified and processed in aggregate" before it is used for analysis according to the company. 1Password admits that it will also collect a "small amount of metadata", such as the type of device that was used to complete an action.
The company explains that it needs the data to "build an even better 1Password".
The Telemetry system will roll out to customers in the coming months. The company won't roll out Telemetry to team or business accounts "at this time".
1Password has recently started to put pressure on customers who still use the old version of the password manager. The version supports classic browser extensions and local vaults, while the new version of the password managed does not. The company announced that it will retire the classic browser extensions.
1Password is funded by venture capital. The company received $620 million in a Series C funding in 2022 at a valuation of $6.8 billion in early 2022.
1Password alternatives include the open source Bitwarden and KeePass among many others.
Closing Words
Now You: what is your take on this implementation of Telemetry?
“Telemetry is a red flag for some users, especially those with a tech background or expertise.”
It depends. A lot of them eat thanks to generalized total surveillance. Even the top EFF execs end up being hired by Facebook. And it’s usually the most noisy. Not that the others wouldn’t want to talk too, but those others aren’t employed by those who own the means of communication.
“Sometimes, these options may even get reset, for instance after upgrades.”
So true, a nasty one. Typical of Microsoft or Mozilla, for instance.
The easy part is that it’s rather black or white in that field. Either they will make it opt in and legitimate, not being assholes ; or opt out, and in that case, it’s usually only the first step on a highway to hell. No known exception. Welcome to the dark side, 1Passsomething.
“The prompt does not use dark patterns, but the share option appears to be enabled by default.”
Then it’s a dark pattern. For instance, the law would forbid such a thing for cookie banners in the EU.
“Users need to toggle the “share analytics” toggle when they see the prompt to block 1Password from collecting and sending usage data to the company.”
So, opt out or not ? and “it’s optin, sort of”. I don’t understand the words that you are typing.
“Telemetry in 1Password is designed to collected event data. User data, such as passwords, passkeys, usernames or URLs are never collected and remain private.”
I’m sorry but once an IT company repeated that over and over everywhere and lied 100% about it without consequences (Mozilla for example), no other one is to be believed about that. That’s how it works and that’s not the least of their function. “Telemetry is innocuous, it’s just non sensitive events, and it’s only to improve the software” finally means it’s your dick pics to sell them to the FBI to trigger jealousy hate crimes from them.
“filling an item in a website or app”
I won’t play the game of reading their privacy policy to unearth the shit,
but that already may smell like browsing history.
“de-identified and processed in aggregate”
Anonymization is another thing that has proved knowingly untrustworthy from those businesses. They’re technical people. They know they’re lying. Not that I would feel better having anonymized dick pics collected by them, of course. But it’s a legal loophole, true. Anything goes.
By the way, password managers are those things that centralized passwords in a standard place to be hacked, and it tends to happen frequently. So telemetry may not be the worst problem when their very existence is worse than meaningless, hostile.
Their product became so bad that they justify the need for telemetry. You all 1Password users know the “We have passed your feedback to the team” !
I have never recommended 1Password to my clients. I use and recommend free, open-source KeePass, or Bitwarden for those who want something cloud-based.
There is no such thing as “privacy-preserving” telemetry. Basically 1Password has added spyware now.