Anti-Privacy Policies of Password Managers
- crypticana
- Apr 29, 2024

This article compiles the most striking excerpts from the privacy policies of various password management solution providers, highlighting their anti-privacy stance. It seeks to uncover the subtle ways in which these policies may compromise user privacy rather than protect it. All information is publicly available on their websites, with references to the full documents provided at the end of this article.
Keeper Security
"... will never disclose such data on an individual or identifiable basis to third parties except when we must comply with laws that require such disclosure to law enforcement authorities or other government third party officials, such as subpoenas, or we believe in good faith that disclosure is necessary to protect our rights…"
The first two cases are ordinary legal compulsion. The last one is the problem: whether disclosure is "necessary to protect our rights" is judged by the company itself, with no court or statute involved, so in practice whether and when your data is handed over is left to their discretion.
"We may provide limited contact, payment, and usage information to companies that provide services to help us with our business activities…"
This means your contact, payment and usage records are shared with third-party service providers. Once the data sits with such a provider, you are relying on that provider's security and retention practices, not on the password manager's, and a breach at the provider is a breach of your data.
1Password
"We inevitably acquire Service Data about your usage of our services, your account, and your payments."
Who decided it was inevitable? Perhaps because they do not want to take responsibility?
RoboForm
"... will not send personal data stored on servers to other companies or individuals, except in cases when the sending of such data is required by ... our business processes."
"Our business processes" is not defined anywhere, so the exception swallows the rule: any transfer can be described as required by some business process, which leaves disclosure to their discretion. No further explanation is necessary.
Bitwarden
"... may use the Personal Information collected by the Site to provide you with services, to accomplish our business purposes…"
Then there is a lengthy list of reasons why they believe it’s beneficial for them to collect and retain usage data on you. However, two reasons deserve special attention:
“For research and development”:
This means data about you can be handled by development staff and kept on development systems, where it is exposed to loss or theft, and the clause says nothing about de-identifying or otherwise sanitizing it before it is used for R&D. Note that the clause, as quoted, governs "Personal Information collected by the Site", so the exposure it creates is to account and usage data rather than to the vault itself.
“For other purposes about which we notify you and, where relevant or required, give you a choice about the new purpose”:
This is an open-ended purpose clause: new uses can be added simply by notifying you, and a choice is offered only "where relevant or required", so you should not expect an opt-out for every new purpose.
LastPass
"We will not disclose customer information unless presented with a valid warrant, subpoena, court order, or equivalent legal process."
What exactly is the “equivalent legal process”? It appears they reserve the definition for themselves, just in case.
“Additionally, LastPass may attempt to narrow requests that it deems excessively broad.”
Does “may attempt” mean “will attempt” or “will not attempt”?
Dashlane
From their privacy policy: "You are not required to provide Personal Data, but we may not be able to provide the Services or respond to inquiries if you don’t."
It’s a paradoxical “you are not required, but you are required” situation.
“Apps do not store Master Passwords locally…”
Read on its own, this sounds like an admission that master passwords are stored on Dashlane's servers, but "not stored locally" does not imply "stored on the server", and the sentence is truncated here. In a zero-knowledge design the master password is never stored anywhere: it is fed through a slow key derivation function (KDF) to produce the vault encryption key, and only the salt, the KDF parameters and the encrypted vault are kept. The practical concern still stands, though. Whatever a breach yields, an encrypted vault with its salt and KDF parameters or a hashed password, it can be attacked offline with brute-force or dictionary guesses at the attacker's own pace, so the strength of the master password and the cost of the KDF are what actually protect you.
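To make the offline-attack point concrete, here is an added example (not Dashlane's or any vendor's code) that models a generic zero-knowledge layout: the server keeps only a random salt, the KDF cost and a PBKDF2-HMAC-SHA256 output, never the master password itself. An attacker who steals that record runs a dictionary attack with no rate limit or lockout in the way. The wordlist, the passwords and the iteration counts are constructed for the demonstration.

```python
"""Offline dictionary attack against a stolen master-password verifier.

Constructed example: a generic zero-knowledge design, not any vendor's code.
The server stores salt + KDF cost + PBKDF2 output, never the master password.
"""
import hashlib
import hmac
import os
import time
from typing import Iterable, Optional, Tuple


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive 32 bytes from the master password with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def enroll(master_password: str, iterations: int) -> dict:
    """What the server keeps: salt, KDF cost and derived verifier. No password."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "iterations": iterations,
        "verifier": derive_key(master_password, salt, iterations),
    }


def offline_dictionary_attack(
    record: dict, wordlist: Iterable[str]
) -> Tuple[Optional[str], int]:
    """Attacker holding a stolen record: try every candidate, no lockout applies.

    Returns (recovered password or None, number of guesses made).
    """
    guesses = 0
    for candidate in wordlist:
        guesses += 1
        derived = derive_key(candidate, record["salt"], record["iterations"])
        if hmac.compare_digest(derived, record["verifier"]):
            return candidate, guesses
    return None, guesses


def seconds_per_guess(iterations: int, samples: int = 5) -> float:
    """Measure the attacker's cost per guess for a given KDF iteration count."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"probe{i}", salt, iterations)
    return (time.perf_counter() - start) / samples


# Constructed wordlist: common picks plus one that only looks strong.
WORDLIST = ["123456", "password", "qwerty", "Summer2024!", "letmein", "Password1"]

if __name__ == "__main__":
    weak = enroll("Summer2024!", iterations=10_000)
    strong = enroll("ochre-tundra-viola-skillet-7", iterations=10_000)
    print("weak master password:  ", offline_dictionary_attack(weak, WORDLIST))
    print("strong master password:", offline_dictionary_attack(strong, WORDLIST))
    # The KDF cost is the only brake on the attacker once the record is stolen.
    for iters in (1_000, 100_000):
        t = seconds_per_guess(iters)
        print(f"{iters:>7} iterations: {t * 1e3:6.2f} ms/guess, "
              f"10^8 guesses take {t * 1e8 / 86400:.1f} days on this machine")
```

The weak password is recovered on the fourth guess; the passphrase survives the whole list because it is not in it, not because the verifier is stored somewhere safer. Raising the iteration count multiplies the attacker's per-guess cost, which is why KDF parameters matter as much as where the verifier lives.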
Zoho
Zoho even collects information about you from social media:
"When you provide feedback or reviews about our products, interact, or engage with us on marketplaces, review sites, or social media sites such as Facebook, Twitter, LinkedIn, and Instagram through posts, comments, questions, and other interactions, we may collect such publicly available information, including profile information…"
This is more serious than it looks at first glance: the copy they take stays with them even after you delete the original from the social media site.
"We must tell you that once collected, this information may remain with us even if you delete it from these sites."
And finally, the cherry on top:
"Zoho may also add and update information about you from other publicly available sources."
Besides social media, marketplaces and review sites, what are these "other publicly available sources"? Since the policy gives neither a definition nor an example, the scope is left entirely to their interpretation.
Conclusion
The privacy policies of these password managers reveal real concerns about the handling of personal data. While the services are designed to enhance security, the broad allowances for data sharing and the loosely defined conditions under which data may be accessed or disclosed undermine the privacy assurances they promise. Users should read the terms they agree to and periodically reassess the privacy practices of the tools they rely on to secure their digital lives. The paradoxes and ambiguities highlighted above show the need for clearer, more user-centric approaches to data privacy in password management.
Privacy Policies
Keeper: Keeper Security Privacy Policy
1Password: 1Password Privacy Policy
RoboForm: RoboForm Privacy Policy
Bitwarden: Bitwarden Privacy Policy
LastPass: LastPass Privacy Policy
Dashlane: Dashlane Privacy Policy
Zoho Vault: Zoho Privacy Policy