Privacy is not simply an individual right or civil liberty; it is a vital component of the social contract between Canadians and their government. Without privacy, without protective boundaries between government and citizens, trust begins to erode. Good governance requires mutual trust between state and citizen. Otherwise, alienation and a sense of inequality begin to spread, circumstances under which no program for public scrutiny can be tenable or effective in the long term. Where citizen trust hits a low point, in fact, such security measures may be undermined, ignored, circumvented - or in the most egregious cases - passively or actively resisted.
Office of the Privacy Commissioner of Canada, “A Matter of Trust: Integrating Privacy and Public Safety in the 21st Century”
First, the good news: 1Password has released a new version of their product on iOS. The company outlines a whole pile of reasons for supposedly delaying security upgrades - some of which include the updates will slow the speed at which users can access their encrypted data - but fail to identify what I suspect is a key motive behind the upgrade. If you recall, I wrote a while ago about key failures in mobile password managers. 1Password was amongst those who had flawed security implementations.
To be clear: security, especially good security, is damn hard to engineer. 1Password didn’t have the gaping flaw that others did - i.e. storing passwords in plaintext!! - but it was flawed. In the security community this (ideally) is resolved when someone critiques your secured infrastructure. In today’s world you should also credit the security researcher(s) who identified the flaw.
Unfortunately, this isn’t what 1Password has done. As far as I can tell, there is no formal recognition from the company that they have had flaws in their mobile security model pointed out by a third-party. This is a shame, given that a key factor that builds genuine trust in security is transparency. It seems like 1Password is willing to address problems - they’re not dwelling in a security by obscurity paradigm, to be sure! - but not credit others with finding those problems in the first place.
Update: My very, very bad. I missed an earlier piece from 1Password, where they note the research. That is available here. It would have been ideal to see a reference to this in their update but, admittedly, credit had previously been given.
An excellent piece from Bruce Schneier, in interview, concerning the relationship between trust and security. It’s short, so just go read it. For a taste:
My primary concerns are threats from the powerful. I’m not worried about criminals, even organised crime. Or terrorists, even organised terrorists. Those groups have always existed, always will, and they’ll always operate on the fringes of society. Societal pressures have done a good job of keeping them that way. It’s much more dangerous when those in power use that power to subvert trust. Specifically, I am thinking of governments and corporations.