Last updated: March 16, 2017.
Introduction
AgileBits deeply appreciates the tireless work of law enforcement officials and agencies in their quest to keep society safe. We understand that in the course of some investigations you may have questions about 1Password and our customers.
Here at AgileBits we believe that the less information we know about people, the better. Because individuals entrust our software with some of their most personal information, we design our software to limit what information we know. This protects users because it is impossible for us to lose, use, or abuse information we don’t know.
With this unique business model in mind, we have created this guide to address certain questions you may have, and how to get in touch.
What is 1Password?
1Password is a software product designed, written, and published by AgileBits, Inc. in Canada. 1Password is a suite of applications for desktop and mobile devices that empower everyone from individuals to government institutions to easily and effectively manage their various digital credentials, store Secure Notes, Documents, credit card details, and more, and keep that information in sync across their devices.
What Kinds of Customer Information Do You Have?
AgileBits maintains two kinds of data specific to 1Password account customers: Service Data and Secure Data. Service Data is information that is necessary to deliver our Services to our customers, and includes such information as purchase records and contact details. Secure Data is encrypted information which we have no means of accessing in plaintext form. Secure Data includes the whole content of all 1Password account vaults.
If a customer does not have a 1Password account they cannot transmit to us any Secure Data. Even for some customers who have a 1Password account we may have no Secure Data. In the case of some customers, for example those who have purchased our products through an App Store and have never contacted us, we may have no records at all.
Who Owns and Can Access Customer Data?
AgileBits owns and has access to all Service Data. Secure Data is owned exclusively by our customers and we have no plaintext access to this information. This means we are not capable of providing decrypted information which may be stored in 1Password account vaults.
Can You Provide Access to an OPVault or Agile Keychain File?
No. Without the Account Password it is not possible to access 1Password sync keychain files in either OPVault or Agile Keychain formats. We have publicly documented the keychain formats, which means you can already look up everything we could possibly know about any given keychain. And since we have no back doors, in-house tools, or other methods by which we can bypass the encryption provided by the Account Password, there is no assistance we can render.
Can You Provide Forensic Assistance with Recovered SQLite Files?
No. The internal SQLite database structure is intuitive and the vault content is encrypted with keys known only to the user. The answer above applies.
Can You Provide 1Password Data from iCloud or Dropbox Users?
No. AgileBits has no access to 1Password data stored in any third party services.
How Do I Submit a Request for Customer Data?
We can provide access to customer data only in response to a legal instrument such as a court order. There are certain things you should know before submitting a request for customer information.
We can only respond to requests domesticated to a court of competent jurisdiction in Ontario, Canada. If you are not a Canadian entity you should use the resources provided by relevant Mutual Legal Assistance Treaties your country has with Canada. It is not possible for us to respond to informal requests or those that originate outside of a Canadian court.
Your request can only be accepted in person on hard copy at our Home Office in Toronto. We don’t have the ability to accept requests via email, facsimile, or over the phone.
Tailor your request as narrowly as possible, which is how we will always construe it. Overly broad requests will be challenged.
Absent a restraint authorized by Canadian law, customers for whom responsive data is held will be notified and will be provided a complete copy of the request for their data.
We do not have the ability to service requests in languages other than English.
All requests must include: i) all direct contact and official information for the requesting agent, officer, or attorney, their direct supervisor, and both their field office and headquarters; ii) a citation and explanation of the relevant matter; iii) a description, as complete as possible, of the customer information being requested, which must include at a minimum the customer’s full name and email address.
We can provide data exports only on physical, non-network connected media in person, which will be provided by us. We are unable to connect third party hardware or software to our systems. In the event the customer has stored no information in their 1Password account, we can provide nothing more than an attestation to that fact and information on when their account was created.
We require without exception a minimum lead time of 7 business days to process and produce information pursuant to a request meeting the above guidelines.
What Do I Get by Requesting Customer Data?
If your request for customer data is granted, the minimum information you will receive will range from an attestation that we have no record of the 1Password user, to the limited Service Data you’ll already have from other sources. This Service Data includes payment information, name, and email address. If we have Secure Data to provide, you will receive a series of files that contain encrypted content that we are unable to decrypt.
How Do I Contact You?
We do not currently have a Law Enforcement Hotline or similar. If you have any questions, you can write us at:
4711 Yonge St, 10th Floor,
Toronto, Ontario,
M2N 6K8
Canada
support+security@1password.com