Bitwarden (Password Manager) NOT Privacy-PRESERVING

On the Privacy Tools password manager page, they recommend Bitwarden, a password manager service.


After reading Bitwarden’s privacy policy (https://bitwarden.com/privacy/), they hand over users’ information when compelled:

"HOW WE RESPOND TO COMPELLED DISCLOSURE

Bitwarden may disclose personally-identifying information or other information we collect about you to law enforcement in response to a valid subpoena, court order, warrant, or similar government order, or when we believe in good faith that disclosure is reasonably necessary to protect our property or rights, or those of third parties or the public at large.

In complying with court orders and similar legal processes, Bitwarden strives for transparency. When permitted, we will make a reasonable effort to notify users of any disclosure of their information, unless we are prohibited by law or court order from doing so, or in rare, exigent circumstances."


Compare that to Apple’s iOS 8 and up: having your passcode set up on your iOS devices now fully encrypts the entire phone/tablet, and they have it set up so that Apple themselves do not possess their customers’ passcodes and encryption keys.
So even if compelled by law enforcement, they have nothing to hand over in the first place.

See:

3 Likes

My personal rule: never put anything important in the cloud, period.

2 Likes

Compare Bitwarden’s cloud --to-- Apple’s iCloud.

Apple has engineered their iCloud to not possess any sensitive user data, to the point where their iCloud servers would most likely be useless even if an authority were able to gain access to any of them, for example.

Very ironic,
Bitwarden being open-source --but-- having flaky and lax privacy and security standards for their users.

1 Like

You’re so full of crap, you have no ties to the NSA whatsoever. Lol. I like your sense of humor… :slight_smile:

2 Likes

I’m the janitor at the NSA actually.

1 Like

I am honestly not sure what point you’re trying to make here. Apple doesn’t possess your encryption keys or passcode, right, but neither does Bitwarden.

They can pass over the same amount of information Apple can, realistically. They can’t hand over your passwords because they are uploaded to the server encrypted by your device. Bitwarden says they will hand over any identifiable information they have, which would be whatever information you give to them. Your name, email, probably your IP address (use a VPN), but that’s really about it. Apple, if compelled will be able to give over that same information, but like Bitwarden, won’t be able to give them any access to your files.

"Bitwarden always encrypts and/or hashes your data on your local device before it is ever sent to the cloud servers for syncing. The Bitwarden servers are only used for storing encrypted data. It is not possible to get your unencrypted data from the Bitwarden cloud servers."

https://help.bitwarden.com/article/what-encryption-is-used/

3 Likes
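To make concrete what the post above describes (the device encrypts before upload, so a server record holds nothing usable without the master password), here is an added example that is not Bitwarden’s code or the forum poster’s: it models such a scheme loosely, with an assumed iteration count, an HMAC-SHA256 counter-mode cipher standing in for AES because Python’s standard library has none, and a constructed record layout.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed work factor for the demo, not Bitwarden's setting

def derive_keys(password: str, email: str) -> tuple[bytes, bytes, bytes]:
    """Runs on the client only. Returns (enc_key, mac_key, auth_hash);
    auth_hash is the only password-derived value that leaves the device."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), email.lower().encode(), ITERATIONS)
    # Stretch the master key into separate encryption and MAC keys.
    enc_key = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()
    # Login hash: one more PBKDF2 round keyed on the master key, salted with the
    # password, so the server can verify logins without learning the master key.
    auth_hash = hashlib.pbkdf2_hmac("sha256", master, password.encode(), 1)
    return enc_key, mac_key, auth_hash

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter mode built from HMAC-SHA256 (stand-in for AES; the stdlib has none).
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def encrypt_item(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC on the device; output is nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def decrypt_item(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

def sync_to_server(email: str, password: str, item: bytes) -> dict:
    """Everything the client uploads; this dict is all a compelled server could hand over."""
    enc_key, mac_key, auth_hash = derive_keys(password, email)
    return {"email": email, "auth_hash": auth_hash.hex(),
            "vault_blob": encrypt_item(enc_key, mac_key, item)}

def open_from_server(record: dict, password: str) -> bytes:
    enc_key, mac_key, auth_hash = derive_keys(password, record["email"])
    if not hmac.compare_digest(auth_hash.hex(), record["auth_hash"]):
        raise PermissionError("login rejected")
    return decrypt_item(enc_key, mac_key, record["vault_blob"])
```

The record returned by `sync_to_server` is the disclosure surface: the email, a login hash that cannot be reversed into the master key, and a ciphertext whose tag check fails for any key derived from a wrong password, so bypassing the login check on the server side does not help either.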

Can guarantee privacy-preserving by self-hosting

1 Like

Is anybody surprised that bitwarden follows the law? I’d think that’s to be expected or even preferred (to law enforcement shutting down a service you use because they don’t follow the law).

But nothing in their privacy policy says that they can decrypt your data. Sure, because you access the data with the browser they might in some extreme case be forced to serve malicious JavaScript that collects the password in the clear, but if you have data that sensitive and high-risk and you store it in a cloud-based service accessed via a browser, it’s kinda on the user.

2 Likes

Yes, Bitwarden is in the business of encrypting your passwords and sensitive information.

But there’s nothing stating (or stopping them, for that matter) that their servers don’t have “backdoors” or ways of decrypting specific users’ accounts to hand over to law enforcement.

————

Apple, stood up to the FBI.

————
Another profound example,

When ExpressVPN’s Turkey server was raided at its data center, the Linux Ubuntu server (hard drives on all of their servers coded to be obsolete, only using RAM, on all their servers BTW) turned out to be useless in the investigation of the assassination of the Turkish ambassador, who was killed by an off-duty Russian police officer who was connected to that ExpressVPN server, and deleted evidence on Facebook and Gmail that could’ve been useful to the investigation.
This verified their no-logs claim, and put them to the ultimate test in such a tragic and senseless scandal.

See:

And here’s a statement from ExpressVPN, themselves, regarding the scandal:

Now, I understand that, in contrast, ExpressVPN is based in the British Virgin Islands (where their headquarters is, and from where they engineer their entire network of VPN servers), which has separate legislation from the UK itself, outside of the 14 Eyes territories, with no mandatory data retention laws.
And even after this scandal, ExpressVPN says they still will not have their servers hold information that could track or uniquely identify any given user.
And that they are fundamentally opposed to implementing any “backdoors” into their service, and are entirely opposed to doing so.

Which makes them one of the best and most trusted leaders in the VPN industry.
And they provide a premium version of an essential tool for preserving our digital freedom, one that helps preserve our liberties and recognizes that privacy is a basic human right.

Now, post-scandal, their Turkey server is physically based in the Netherlands, but gives users a Turkish IP address.

They are a team of geniuses, and a service more than worth the money you pay for it.

————

Bitwarden is based in a jurisdiction that has mandatory data retention laws.

So they don’t have nearly the same level of digital freedom and liberty.

And the infamous and draconian NSA LOVES planting backdoors into everything, which is why they, as an agency, are dangerous and harmful towards society, especially in this digital age.
And we need to learn to make the conscious choice of privacy, and the need to protect ourselves from the NSA (and CIA).

Edward Snowden (NSA whistleblower) is one of the most courageous human beings to ever walk this earth.
I have the utmost profound respect for him, and for him choosing to do what was right, even though it could have cost him his life.

Anywho,
Bitwarden would have no mandatory need to hand over anything, when or if compelled, if it weren’t for our liberties and even our safety as citizens being poisoned by the cancer that the NSA is.

So, in essence, I’m not placing the blame on Bitwarden. I’m placing it on draconian authority.

2 Likes

No, there’s nothing stopping them except for the fact that they are open source and have been audited, so such a backdoor would be found. Unless their posted source code is different from the code they actually use to compile the BitWarden binary you download. But that’s getting into extreme territory.

3 Likes

I understand that.

But,

Jurisdiction MATTERS for any service regarding privacy.

And it’s what they state in their Privacy Policy itself, as well that raises red flags.

1 Like

What nobody has mentioned here is that Bitwarden is completely open-source and you can self-host the server application yourself. I think the recommendation on privacytools.io is more of a recommendation of the software and less of a recommendation of the service.

4 Likes

Fair Enough! :slight_smile:
I can see your point of view.

I tend to be overly idealistic, and can pay attention to “what can go wrong” intellectually, have the attitude “anything worth doing, is worth overdoing”, and “if it’s not broken, do fix it, the grass could always be greener, and you may discover new things along the way.”

Of course those traits have their pros and cons, depending on the situation…and I admit to being the over-analyzer who puts a single or few aspects intensely under the microscope, which can make it hard to “see the forest for the trees”. Sometimes to the point that, cognitively, discriminating important details vs. unimportant details is severely impaired.

I do often need to get out of my head, as I tend to live in the internal emotional and intellectual world, a bit too much.

“expecttheworst”,

I’d love to hear your views and thoughts in reply to my previous reply (the one before this), which was addressed to you.

I tend to be more on the libertarian and “crypto-anarchist” side, HOWEVER, I don’t see myself above the law or as an outlaw. I just believe we’re on a timeline headed toward losing our liberties, like the right to privacy, as more and more things are becoming powered by the internet. Hell, a Smart Watch knows when you’re sleeping and when you’re awake…so go for an APPLE Watch, if a Smart Watch is one of your “must haves” Lol. Apple believes privacy isn’t an ideal to strive for, but that it’s a basic human right. Talk about an Orwellian nightmare, with a Google (collects, tracks, and sells every little thing they know about you) Smart Watch on you 24/7 …LOL

1 Like

“expecttheworst”,

Check out this funny, yet truthful infographic by ExpressVPN on Santa Claus…this shows what I’m talking about with Smart Watches, “he sees you when you’re sleeping, knows when you’re awake”. Sounds funny, but it’s really not, it’s very true. “Santa” with the internet as it is today never needs to ask anybody not on his naughty list what they like and want for Christmas. Think of Amazon, Google, trackers, IoT devices as the “elves” that know your Christmas wish list before you even compose the list yourself.

2 Likes

Right, Supernova. As people have said here before, it depends on your threat model. With the exception of the identity theft cases, I’m more of an “ordinary” user (as opposed to someone like Snowden). While it is possible that someone could retrieve my data from BitWarden, I don’t feel like such a high-value target.

That being said, which password manager do you trust? KeePass? That’s the only other one I can think of at the moment.

1 Like

Not true, the US has no mandatory data retention laws.

The info Bitwarden can/will give is also limited to info provided to create the account, billing info (if you upgrade to premium) and access times/locations (if stored, as I assume it is).

They have no access to your client-side encrypted info in the ‘vault’ (database), but that won’t stop law enforcement from knocking on your billing address door with some gentle rubber-hose time to get you to provide BW vault access…

If you are a free BW user and want to keep tighter control over your info that can bring LE to your door, then use an alt email for registration and do it through Tor (or a trusted VPN).

Or self-host (although that requires an email for a registration code during setup, so use a throw-away email, and again, over Tor).

(Edit to add: reference for mandatory data retention in the US. Note, access to stored data is mandatory under the SCA though, but nothing says it must be stored :/ )

2 Likes