Wednesday, April 26, 2023

1Password to Add Telemetry

Pedro Canahuati (Hacker News):

1Password is beginning an internal test of our new, privacy-preserving in-app telemetry system.


We’re only interested in how people use the app itself, what features and screens they interact with – not what they store in their vaults, what sites they autofill on, or anything like that.


This data will be gathered from a randomized selection of accounts, de-identified, and processed in aggregate.


Over the years, we’ve relied on our own usage in conjunction with your feedback to inform our decision making. This presents a challenge, though: we don’t know when you run into trouble unless you tell us. […] But there are millions of people using 1Password now, often in cool and innovative ways! If we’re going to keep improving 1Password, we can no longer rely on our own usage and your direct feedback alone.

I don’t really understand how they plan to figure out these cool and innovative uses from anonymized, aggregate data. But it does have the potential to identify hot spots that they should be paying attention to. And it’s good that they’re going to offer a way to opt out. Of course, my preference is for a password manager to make no network connections at all.


Telemetry in a “trust us, this closed-source application which contains all your secrets, which we provide you and which we update periodically, is only contacting us for “privacy protecting telemetry” and not exfiltration, intentionally or not, of your most sensitive of all data” application is a hard pass for me. This seems like an IQ test kind of question.

(So many times error reporting, etc. have accidentally leaked highly sensitive data, which was then the source of a major compromise, in other systems. Maybe 1Password won’t get it wrong, maybe 1Password will never be subject to any pressure to get it wrong…)

Casey Liss:

In and of itself, no, telemetry doesn’t bother me. And rolling it out to your own internal users first is 👍🏻

But it seems pretty clear that this isn’t a problem that needs solving: customers have been SHOUTING FROM THE ROOFTOPS explaining what is wrong.

Mostly, I have been hearing about problems with the browser extensions.


Users: We want standalone non-subscription licenses!
1Password: I really wish we knew what users wanted.

Users: Please don’t move to Electron, I don’t want Chrome bugs in my password manager.
1Password: I’m just baffled. We never hear from users.

Users: Please, for the love of God, give us control over our vaults. Don’t go cloud-only, we’re begging you!
1Password: Better turn on telemetry. It’s the only way to solve this mystery for the ages.

The fundamental issue is that they decided to focus on a larger market that has very different concerns than their original customer base. This sets up the situation where they feel like they are listening, and in many ways the product is better for its target audience; yet some of us feel like we’ve been ignored for the last 7 years or so, with each successive version straying farther from what we originally liked.


Update (2023-04-27): Daniel Jalkut:

For 20 years it seemed 1Password knew exactly what customers wanted, how they used their software, and how it could be improved. They’ve been taking a PR beating the last couple years, at least in my circles. They used to be the obvious choice, and now most people I know are looking for other options (or older versions). I don’t think telemetry will fix that.

I find this troubling in ways that are comparable to Apple’s “bad years” of MacBook Pros with unreliable keyboards. It was still the main thing I’d recommend to folks, but I couldn’t do so effusively.

Update (2023-06-23): Matt Grimes (Hacker News):

After months of development and refinement, we’re now confident we can deploy this system in a way that helps us build a better 1Password without compromising on our commitment to protect your privacy.

Later this summer, you’ll see the option to participate in our telemetry system and help improve 1Password. You don’t need to take any action right now, and we won’t collect any usage data without your awareness and consent first. Participation will be optional for Individual and Family plan customers. And at this time, our telemetry system won’t be rolled out to any team or business using 1Password.


I think the move to electron was worth it because we got a linux client out of it.

BitWarden doesn’t have good apps but I’m still happy that I fled 1Password as it sinks into the sea of chasing returns for VCs instead of satisfying its customers who are also the actual users. It’s sad that they chose this path but once it became clear that they had stopped caring about those of us who built their company, it was clearly the right call for me to flee.

And yes, I’m just here to smugly gloat about it.

When later this summer Chrome will stop supporting v2 manifests for extensions, the 1Password extension for 1Password 7, the last version to offer a perpetual license, will stop working, with no update planned and the sole resolution being the upgrade to v8 and the subscription (or use only Safari.) After more than 10 years, I think this will be the end for me.

@Apostolos: Looks like turning off v2 in Chrome is postponed again:

If they turn it off, you can also try switching to Brave, they said they would keep support for v2 if possible.

@SamiSamhuri Bitwarden received more than $100 million in VC money. $100M in a series B in 2022, and $? in a series A in 2019. Source: Crunchbase.

"BitWarden doesn’t have good apps" is a gross understatement.

torstenvl’s comment (from hackernews) is just plain wrong. They’re not asking “what do users want from our product?” They’re asking “what do users do in our product?” These are very different questions, and telemetry addresses the actual question, not the purported question.

@M. I’m not opposed to VC funding on principle. BitWarden is far more open in the first place and don’t seem to be making poor decisions that alienate me as an individual while they chase VC returns.

For example I run my own sync server and don’t have to use or trust their service. And it’s not even their server software, it’s a community open-source project. All of their first-party projects are open source too though and anyone can make a drop-in replacement for any component.

Saying their apps aren’t good is an understatement but I can make my own, and I have actually been seriously considering it recently.

I cancelled my subscription; it runs out this September. It hasn't been all bad, but really, it's over. So sad, but if they want the enterprise customers, well, good for them, but I want--no, need--competently-written and joyous software.

And I put in the work to find out what was best for me. Strongbox (iOS and MAS), Pro outright purchase, universal app. Uses Apple's native autofill/quicktype feature for filling passwords in Safari on both platforms. Glorious!

BitWarden? But the client doesn't seem to sync, it requires an always-on server. And the server AFAICT wants Docker. Thank you, no. No Docker. Perhaps someone can say how best to run a Bitwarden-compatible API, without Docker, using a lightweight database, and entirely offline in the client when the need arises.

Sebby, it sounds like you want to give the VaultWarden server a try. It is packaged by default as Docker but it doesn't look like it would be too hard to build it standalone.

Hey, thanks @Scott! Looks very interesting. There's apparently also a Go port. I need to look into things further but it does appear that you can extract the container's contents and just run it under a root directory as it's all statically built. Webvault looks like a bit of a challenge though. And it does look like there's no way to operate read-write offline, so that's a limitation I'd have to work with. Still, great to have options.

So for those who care, it turns out to be a great deal easier to simply use a neat shell script to extract the "vaultwarden/server:latest" image, then pick out the (statically-compiled) binary and pre-patched "webvault" UI. Why the fsck people choose to ship their perfectly useful and usable server software in Docker by fiat for absolutely no reason whatsoever is a total mystery to me, but I'd suggest to anyone listening that doing that (and not providing a trivial non-Docker alternative) is a really great way to make people like me easily miss whatever you're hawking (and, on a personal note, it just makes me sad and frustrated that Docker ever became a trend at all, TBH, because it distracts us from real problems that actually need to be solved, e.g. in package management and atomic system deployment and upgrade).

When 1Password was a native app it just worked. Then they rewrote it with Electron and things went south. Now to make autofill work I have to press the hotkey combination twice on all three of my Macs! Is it only me?
Once again, a company makes the product worse for its customers to make it easier for them to develop the product.
