I just have a quick question about access to law enforcement. If there is a court order for the data in the encrypted Bitwarden vault and the owner will not give the master password, what would Bitwarden as a company do? Are they forced by law to get that data by any means necessary? I only say this because if Bitwarden is set up like they say it is, they should not be able to get the data due to the zero-knowledge encryption.
That is correct, only you have the full set of keys required to decrypt your vault data.
Their terms and conditions likely say they will work with law enforcement under certain conditions (e.g. court order, terror threat or imminent national emergency). For local law enforcement and a court order, a company would typically hand the vault over, if required. Then a judge is going to lean on you to give up your master password if they can’t find it. If you don’t, they have just let people sit in detention until they say ‘give.’ If national intelligence (e.g. NSA) or a serious federal investigation (e.g. FBI) is involved, they can produce court orders to a company that compel it to do all kinds of other things, if you haven’t yet been arrested, that may trick you into releasing the contents of your decrypted vault to law enforcement (e.g. injecting something into your specific browser extension or app on an update to retrieve contents). In effect, you’ll be owned if you’re targeted by a state actor.
Read up on the Silk Road loser that enabled drug dealers to feed addicts drugs, as he took a cut, while claiming he was some arm’s-length disruptive technological white knight. I think they nabbed him in a public library and used a stick or other object to quickly jam between the halves of his open laptop so it couldn’t close and become encrypted. National intelligence also has IT staff working under cover in major data centres and internet providers, and even their immediate bosses don’t know. These are the kinds of services that most cloud-based companies rely on. Tor was initially funded and created, in part, by U.S. Naval Intelligence for intelligence purposes. We don’t know who manages all the entry and exit nodes around the world, but its volume of traffic doesn’t suggest only individuals could be just randomly doing it. And those nodes probably mostly sit in those big U.S.-incorporated data centres where U.S. intelligence has staff. We forget when we are sitting at home or work that our pipes to the internet, encrypted or not, are owned by a very small number of very large corporations that stay friendly with government for business purposes and who value profit over liberty (see Cisco’s great firewall of China and the complicity of many other Silicon Valley tech companies in building a modern authoritarian censorship regime). There is a reason leaders of the mob never used phones back in the day.
Break the law in a serious way, you (meaning any of us) will be owned. Those kinds of folks, if they have any smarts (and most don’t, btw, unless they are criminal enterprises), aren’t using cloud-based storage such as zero knowledge password managers. More info than you wanted, I know.
Even LastPass didn’t give up any passwords when they were served a search warrant.
Though they did give up all the unencrypted data (and so would any tech company).
They didn’t have any passwords to give up.
You’ll notice the article was silent on encrypted vaults. LastPass wouldn’t have had a choice but to turn them over if a court order required them. In theory, the encrypted portions of the vault would be useless to law enforcement until they figure out how to decrypt it.
I am waiting for the day that the USA Fifth Amendment makes it up to the Supreme Court and the case flows all the way through. So far, we have only had a super small presence there and the parties have settled out of court. Holding a person in jail because they want to use their Fifth Amendment right to stay silent will almost certainly be upheld, and the 3 letters know it, which is why they always stop the cases that end up in the high court.
BW Mgmt ---- if this post is perceived as political and is offensive please delete accordingly. I am not wanting to start any rants here!!
Agreed. This is about industry practices w/ law enforcement, not specifically about Bitwarden.
I agree that the gov’t will settle often. Often to protect their sources and methods of gaining information. I’m trying to remember which high profile bad guy exploited this knowledge a few years ago to have their case eventually dropped. The article above was interesting in how it was silent about turning over encrypted vaults. Of course they would have, if compelled. But, companies will often negotiate what info law enforcement will release to the public as they have no incentive to tell their customers they just turned over an encrypted vault or enabled law enforcement to deliver an injected extension through a third-party app marketplace. Most companies would likely be holding their nose while they are forced to enable the latter. In fact, law enforcement wouldn’t even necessarily need to tell the password manager company this. They could just serve Apple or Google and do it directly through them and the password manager company might find out, if they ever do, during disclosure over the course of the legal proceedings. If, that is, the government hasn’t settled first.
A LastPass vault would reveal in cleartext whether a user has a login account at www.criminals-r-us.com and www.JustIllegalThings.net, and thus would not be useless to law enforcement.
True. I intended to write that the encrypted data would be useless to them until they decrypted it. Yes, the plaintext data is very valuable: IP addresses, URLs in LastPass’ case, etc.