Forum Discussion
skippingrock
5 days ago · Occasional Contributor
1Password's stance on Canada's Lawful Access Bill C-22?
I'm sorry if this touches on a topic that bends to the political, but this is something that I don't think we, as keepers of people's most important and sensitive information, should be just standing by on and not getting into the discussion before it is too late.
As a Canadian, and with 1Password being a Canadian-based "Electronic Service Provider" based on the law's very loose definition of what an ESP is, I have very grave concerns that, just like Apple and Meta, the data that is contained within 1Password could be subject to this "unlawful" bill. Even my own company, as small as it may be, is caught up in the legal definition of an ESP.
- There is no scope as to what an ESP is, what the government has defined, and what their level of Systemic Vulnerability will be.
- 1Password in its current wording is caught up in this definition
- The powers can be extended through regulations and minimal future debate
- No Guardrails
- Secret ministerial orders requiring system modifications or re-engineering that could be demanded of 1Password with a gag order
- No mandatory oversight
- Limited ability for 1Password to challenge orders or redefine vulnerabilities
- Extensive real-time access & retention
- 1Password would have to build (at its expense) the ability to intercept, decrypt & hand over data
- Access to metadata, geolocation, in realtime and stored for retroactive access for all users for up to one year (with talk from law enforcement of wanting this to be even longer in the future).
Basically, it erodes privacy and security, weakens encryption and creates a permanent surveillance state power and, because of the conflicting sections of the Bill, the "so called" protections can be overridden by a secret request; 1Password won't be allowed to ever tell us that it had to do any of this for the government, law enforcement, or the Canadian security (spy) agencies.
Now I hear that, because of the growing pushback on this bill, the debate on it is now going to be limited to 3 days, with a goal of having this law by the end of the month. Has your legal team been studying this bill? What is the 1Password stance on this invasive bill, which even Apple, Meta and the US Congress are voicing their concerns about in its current form? If both Apple and Meta, with huge legal resources, are concerned that this could force them to weaken encryption, how is 1Password, a Canadian company, going to be able to ethically stand its ground against weakened privacy, security and increased enduring real-time surveillance?
I remain unconvinced that all the data and access that we all store within 1Password would not be a prime target for access requests. All we have is a verbal promise that the government would never make these kinds of requests. If not now, as Michael Geist says, in the setting ready and waiting for a "Turnkey Totalitarianism"?
I think this warrants a response and a position from 1Password before the company no longer has the legal right to do so, don't you?
https://openmedia.org/press/item/civil-society-to-parliament-kill-bill-c-22
Hey skippingrock! We’ve seen the concerns about Canada’s Bill C-22 and appreciate the discussion. We also want to clarify how the bill relates to 1Password.
The short answer here is that based on how it’s currently written, Bill C-22 would not require 1Password to provide access to customer vault data. It is focused on subscriber information and metadata, not sensitive data such as passwords, vault contents, encryption keys, and emergency kits.
Bill C-22 also includes safeguards meant to prevent companies from being required to introduce systemic vulnerabilities or backdoors for officials to gain access to such sensitive information. Since 1Password is designed so that we cannot access your vault data in the first place, doing so would mean weakening our encryption.
We are continuing to monitor Bill C-22. If anything changes that would weaken customer privacy or security, we would challenge or appeal those requirements. Protecting your data by design is core to how 1Password works, and we won’t compromise on that.