Just to report that spouse & I have successfully transferred off 1Password to Bitwarden, relying on sync through Bitwarden.eu. It’s not quite as slick as 1PW but is less American and AFAIK is not fooling around with AI. Also, offers the option to self-host if the company goes sour.

#1password #bitwarden

@timbray I thought 1Password was Canadian?
@kdekooter @timbray It is, based out of Toronto (address is in the website footer).
@kdekooter Huh, so it is, I had no idea. Although it looks like their infrastructure is US-based. And there's the AI chatter. Also we disliked some of the trade-offs in moving from 1PW versions 7 to 8.
@timbray @kdekooter Yes, 1Password is Canadian and Bitwarden is American!
@willegible @kdekooter Well, they offer explicit sync through a .eu.
@timbray 1Password does too, as well as a .ca, but at least when I used it there wasn't any better migration path from the .com than 'export and import' and once you're doing that you might as well entertain other options. N.B. I'm not advocating for or against either of them, just FYIing! (Bitwarden and 1Password were my last two password managers.)
@timbray @willegible @kdekooter They all end up being subject to the CLOUD Act, since they are either American or hosted on American-operated servers. And they all vibe code.
@hub @timbray @kdekooter I suspect that @timbray understands CLOUD Act jurisdiction and that this helped motivate his desire to make a change in the first place.
@willegible @hub @kdekooter Well, actually I didn't, but as a result of this investigation I've now read up considerably on the CLOUD Act, and yeah, having your data domiciled outside the US does make a difference. I'm going to have to blog this stuff, stand by.
@timbray @hub @kdekooter It doesn't make a difference as long as the data is hosted by a US company. The CLOUD Act gives the US government access to any such data regardless of where it's physically hosted. This is why AWS just spent a lot of money on an 'EU Sovereign Cloud' that's supposedly air-gapped against US control, but this hasn't been tested and there are good reasons to think it won't stand up if push comes to shove because it's still owned by Amazon.

@willegible FWIW, having just read a bunch of discussion of CLOUD, I don't agree with your interpretation of what it says. But IANAL, are you?

In any case, I suspect the real issue isn't so much getting access as whether decryption can be forced.

@hub @kdekooter

@timbray No, I'm citing authority. Like the EU's lawyers: 'the Act removed any doubts as to the extraterritorial effect of the probable cause warrants issued under the SCA, by making explicit the obligation of the U.S. service providers to preserve and produce data they control regardless of where it is stored.' https://www.eurojust.europa.eu/sites/default/files/assets/the-cloud-act.pdf

Yes, if the data is encrypted and the keys aren't available to the hosting provider, then the US government gets encrypted data.

@willegible Well, unless the Wikipedia entry and a couple of cloud-provider FAQs are all wrong, the US government's access to extraterritorial data is not a "just ask" unlimited thing, but subject to nontrivial legal process. But anyhow it sounds like we agree that the encryption is a more significant privacy factor than the geography.
@timbray The threat modelling typically includes questions like 'how confident are you of the US courts remaining a reliable brake against executive overreach' and 'how confident are you that the encryption will stand up to potential US attack' and 'are they using their own key management or e.g. AWS KMS, in which case the encryption offers zero protection against AWS themselves'.