Introducing Travel Mode: Protect your data when crossing borders

We often get inspired to create new features based on feedback from our customers. Earlier this month, our friends at Basecamp made their Employee Handbook public. We were impressed to see they had a whole section about using 1Password, which included instructions for keeping work information off their devices when travelling internationally.

We knew right away that we wanted to make it easier for everyone to follow this great advice. So we hunkered down and built Travel Mode.

Travel Mode is a new feature we’re making available to everyone with a 1Password membership. It protects your 1Password data from unwarranted searches when you travel. When you turn on Travel Mode, every vault will be removed from your devices except for the ones marked “safe for travel.” All it takes is a single click to travel with confidence.

It’s important for me that my personal data be as secure and private as possible. I have data on my devices that’s ultimately a lot more sensitive than my personal data though. As one of the developers here at AgileBits I’m trusted with access to certain keys and services that we simply can’t take any risks with.

How it works

Let’s say I had an upcoming trip for a technology conference in San Jose. I hear the apples are especially delicious over there this time of year. :) Before Travel Mode, I would have had to sign out of all my 1Password accounts on all my devices. If I needed certain passwords with me, I had to create a temporary travel account. It was a lot of work and not worth it for most people.

Now all I have to do is make sure any of the items I need for travel are in a single vault. I then sign in to my account on 1Password.com, mark that vault as “safe for travel,” and turn on Travel Mode in my profile. I unlock 1Password on my devices so the vaults are removed, and I’m now ready for my trip. Off I go from sunny Winnipeg to hopefully-sunnier San Jose, ready to cross the border knowing that my iPhone and my Mac no longer contain the vast majority of my sensitive information.

After I arrive at my destination, I can sign in again and turn off Travel Mode. The vaults immediately show up on my devices, and I’m back in business.

Not just a magic trick

Your vaults aren’t just hidden; they’re completely removed from your devices as long as Travel Mode is on. That includes every item and all your encryption keys. There are no traces left for anyone to find. So even if you’re asked to unlock 1Password by someone at the border, there’s no way for them to tell that Travel Mode is even enabled.

In 1Password Teams, Travel Mode is even cooler. If you’re a team administrator, you have total control over which secrets your employees can travel with. You can turn Travel Mode on and off for your team members, so you can ensure that company information stays safe at all times.

Travel Mode is going to change how you use 1Password. It’s already changed the way we use it. When we gave a sneak peak to our friends at Basecamp, here’s what their founder, David Heinemeier Hansson, had to say:

International travel while maintaining your privacy (and dignity!) has become increasingly tough. We need better tools to help protect ourselves against unwarranted searches and the leakage of business and personal secrets. 1Password is taking a great step in that direction with their new Travel Mode. Bravo.

Travel Mode is available today, included in every 1Password membership. Give it a shot, and let us know how you travel with 1Password.

Learn how to use Travel Mode on our support site.

146 replies
« Older CommentsNewer Comments »
  1. Louis
    Louis says:

    This is a really nice idea but I can see the obvious problem of being compelled to sign into your website.

    Could I suggest something else in addition?

    I enter my master psssword every 24 hours and use TouchID during that 24 hours.

    Under US law you can be compelled to use your fingerprint but not disclose a password (in most states).

    Therefore can you add a PIN protection option in addition to TouchID? It’s really simple programmatically and would tremendously increase my security.

    I don’t want to weaken my master password (and if your answer would be: disable TouchID, that’d be unacceptable).

    The flow for me would be:

    1) Master password every 24 hours
    2) TouchID
    3) Optional 4-6 digit PIN to unlock the vault

    This’d allow me to use TouchID to unlock the first level of security and then a PIN to get past the second level.

    If that’s not possible can you add the option to allow a PIN instead of TouchID?

    Reply
    • Jeffrey Goldberg
      Jeffrey Goldberg says:

      Hi Louis!

      I also turn off TouchID in situations where I would also be enabling Travel Mode. That is a good recommendation, but I also believe that you (and lots of other people) are mistaken when they say

      Under US law you can be compelled to use your fingerprint but not disclose a password (in most states).

      There may be a grain of truth to that; but it is not nearly as true as people suspect. While there may be protections against revealing your password, you can be compelled to use (but not reveal) a password in order to unlock something. And even the limited and barely apparent protections against revealing a password are very very far from settled law.

      I would also point out that what limited case law there is has to do with challenges to evidence introduced at a criminal trial. So even a well established precedent of the sort that you (and so many) believe exists, it may not play any role in what border officials may demand/request of people.

  2. Jon
    Jon says:

    While I don’t travel internationally much, this does appeal to me a great deal. It’s better to unlock a safe with SOME passwords in it (perhaps they could be dummy accounts for this purpose, who knows) than nothing at all.

    However I just have one big beg …. Linux edition. Please! So much please! Even mono/wine version would be fine. Being in DevOps my work machine is of the penguin variety and I probably have the most important secrets of all… but I can’t use 1password :-(

    Reply
    • Rick Fillion
      Rick Fillion says:

      I hear ya. I want to setup a Linux machine these days and the lack of 1Password there is a real bummer. With 1Password.com I could use the webapp to get passwords to copy/paste, but that’s just not the same.

      Thanks for taking the time to comment. :)

      Rick

  3. Fred Hoysted
    Fred Hoysted says:

    I love the concept. About to give it a go, but one question first. I have a shared vault with my wife. I’ll be travelling and she’ll be staying at home, If I mark that vault as ‘not safe for travel’, presumably it is only removed from my devices, and not hers too? Thanks!

    Reply
    • Rick Fillion
      Rick Fillion says:

      Hi Fred,

      Thanks for the kind words. Your presumption is correct. It only removes the vaults from the devices of the people who are marked as traveling.

      Rick

  4. Matt
    Matt says:

    The fact that you have to add this feature is pretty depressing, which countries are asking for this level of privacy invasion? Just the US?
    Wouldn’t have crossed my mind to consider a boarder guard as a potential attacker.

    Reply
    • Rick Fillion
      Rick Fillion says:

      I agree wholeheartedly. We’ve heard reports of overreach from a few countries, so it’s not just the US.

      Rick

    • Jeffrey Goldberg
      Jeffrey Goldberg says:

      Hi Matt,

      Don’t read too much into the term “Travel” mode. That is the context in which discussion of this kind of thing has come up. Think about it as a mode to switch on prior to entering a situation where you may be compelled to decrypt the contents of the device you have on your person.

      At this point there are plenty of reports about such demands at US borders, but it isn’t even known if these have increased or whether it is only press reports of such incidents increasing. This is why the EFF is asking people to report such incidents to them. Although I suspect that there has been a real increase (along with an increase in press reporting).

      Also keep in mind that there are many countries that claim enormous powers to search people and their devices. The US on its worst day may still be a lot better than some other countries on their best day. It is up to you to decide when to use Travel Mode given your assessments of the risks that you face.

      -j

    • Tim
      Tim says:

      It’s absolutely not just the US. Pick a country, and google for the words “forced to unlock at border” + that country name.

      For example, it was easy for me to learn that Canada’s Border Services Agency is, for now, legally allowed to require you to unlock your electronic device, and hold on to it if you refuse.

  5. Tangible
    Tangible says:

    US law is unsettled. The ACLU says:

    “There’s no articulated CBP policy on whether agents may click on apps and search data stored in the cloud. While this kind of warrantless search should be well outside the government’s authority at the border, we don’t know how they view this issue.”

    One thing is certain: Lying to a CBP agent is a crime. If they see 1P on your device and ask if you have any vaults in travel mode, don’t lie.

    Reply
  6. David Gaw
    David Gaw says:

    It’s a clever idea, but how long before border authorities become aware of the feature, and order travelers to log in to 1Password and turn off Travel Mode, or be denied entry? I’m guessing not very.

    Reply
    • Rick Fillion
      Rick Fillion says:

      That’s a very reasonable question. We’ll have to wait and see. We have some ideas for how this could be made better to help with this situation.

      Rick

    • Tangible
      Tangible says:

      David, note that US citizens cannot be denied entry by US officials. They can have their devices confiscated.

      Non-citizens can be denied entry.

    • Pat
      Pat says:

      TimeLock maybe? Like bank vaults, doesn’t matter if the password is known and correct. No password is verified until a specified time.

      So I am at the border, and the timelock is not released until 3 weeks from now….

      Additional request, “safe for border crossing” as separate from “safe for travel”

      Last question, how do you know the deleted vault is not recoverable? Maybe pollute the vault with bogus passwords?

    • Jeffrey Goldberg
      Jeffrey Goldberg says:

      Thank you, Pat, for your excellent suggestions. Something like a time lock may very well make some sense.

      You are absolutely correct that there are different threats to your data when crossing a border than when traveling in general. But there are also different threats when traveling in location A than in location B (and C and D, …).
      Although it would be possible to have a bunch of fine grained settings for what vaults are “safe” for what settings, we have found in the past that offering such gradations tends to add more complexity and get people confused. (Many years ago, we experimented with “Security Levels”. Although it turned to be be helpful for some people, we dropped that because it did more harm than good.)

      I’m not saying that we won’t ever offer the kind of fine grained control you are asking about, but I did want to let you know that we try to limit complexity as much as possible.

      While it may sound cool to have decoy or bogus passwords, the value of such a feature depends on a very particular threat model. It assumes an attacker who is able to coerce you to decrypt your data but is unable to retaliate against you if you give them bogus data. Lying to or deliberately misleading someone who has the power to get your to decrypt your local data is probably not a very good idea. (Word games like “well you told me to decrypt my data and that is what I did” may play out nicely in our heads or in movie scripts, but are really unwise in real life.)

      -j

  7. Matt
    Matt says:

    From what I understand most of the legal right to search the device is just like their right to search your suitcase. They can argue that there are illegal or valuable items on your device that you need a permit/pay/can’t import thus they need to search it. Them requiring your device password is just like them requiring the key to your suitcase (in the suitcase situation they will typically cut it open if you don’t give the key)

    I think it would be hard to justify forcing you to log into a website this system where the mode is only usable on the website I think protects you in that from my understanding at least while the have the right to view all the content on your phone (including what you lock up in 1PW) they do not have the right to view content external to that device.

    Reply
    • Rick Fillion
      Rick Fillion says:

      What’s legal will of course differ based on country. That being said, your understanding very closely matches my understanding of what’s typical.

      Rick

  8. Patrick Eddington
    Patrick Eddington says:

    If I understand correctly, in Travel Mode a user’s data remains resident on AgileBits servers in Canada. If U.S. DHS/CBP had a particular person targeted for a search and saw that said person had 1Password on their device, they could still go to CSIS and/or RCMP & ask them to serve you with a warrant for the user’s data, unless I’m mistaken–and if I am mistaken, please correct me.

    Reply
  9. Dan Moutal
    Dan Moutal says:

    I did quick test and it did remove all vaults from my phone and my computer as intended. But there were a few issues when turning it back on. One minor issue on My mac was that once I turned travel mode off the default vault for saving was a dropbox vault instead my 1password.com vault as it had been before. This is a fairly minor issue though.

    More seriously the vaults haven’t come back on my phone. Travel mode is off but my 1password.com vaults haven’t come back. How long is this supposed to take? I have waited about 10 minutes, am I just being impatient?

    Still this looks like a very useful feature, much simpler that deleting all vaults before traveling

    Reply
    • Rick Fillion
      Rick Fillion says:

      Hi Dan,

      Thanks for the feedback. The “Vault for Saving” changing like that is something we’ll have to fix up. That’s a good point. Did it switch itself back to your Personal/Private vault after closing the preferences window and re-opening it? If not that smells like possibly 2 bugs.

      As for how long it should take on the phone… it should be instant like the Mac app. Are you using the iOS app itself or the iOS Extension? The Extension can’t sync so it’d just sit there. But the iOS app itself should sync after an unlock and the vaults should come back.

      Let us know and we’ll make sure to get the various bugs filed to fix things up.

      Rick

    • Dan Moutal
      Dan Moutal says:

      Did it switch itself back to your Personal/Private vault after closing the preferences window and re-opening it?

      Nope. Once I exited travel mode the only way to tell 1password to set the Vault for Saving back to my 1password.com vault was to set it manually.

      As for how long it should take on the phone… it should be instant like the Mac app. Are you using the iOS app itself or the iOS Extension?

      I am using the app, so something isn’t working right. I will give it some time to see what happens, otherwise I will try to sing out and then sign back in.

    • Rick Fillion
      Rick Fillion says:

      Thanks. I’ve filed a bug (OPM-5070) for us to look into the Vault for Saving issue.

      I am using the app, so something isn’t working right. I will give it some time to see what happens, otherwise I will try to sing out and then sign back in.

      Try locking the app and unlocking it. Or force quitting the app and re-launching it. You really shouldn’t need to sign out/sign in again. If none of those work I’d like to get a Diagnostics Report from the device so that we can see why it’s not talking to the server. Follow the instructions on here: https://support.1password.com/diagnostics/. Email it in and mention my name in the email along with a link to this blog comment to give us a bit of context. If there’s a bug I want us to fix it instead of finding a workaround.

      Rick

    • Dan Moutal
      Dan Moutal says:

      I did try force quitting and locking/unlocking as well as rebooting the phone. Nothing seemed to work. Although at some point during the afternoon, my vaults just showed up. I wonder if it could be the wifi network I was on (the work network) I will try again tomorrow when I am at work to see if it makes a difference

    • Jeffrey Goldberg
      Jeffrey Goldberg says:

      Network outages can definitely play a role, Dan. 1Password on your phone needs to get the message that certain vaults are “now” available.

« Older CommentsNewer Comments »

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.