Passpack’s job is to let you store and share private data (passwords) in a way that not even we can see them on our server. While it sounds very straightforward, that definition has been in the making since Dec. ’06.
When we first launched Passpack, we equally stressed both data privacy & security and personal privacy & anonymity. It’s anonymity that is up for discussion today.
Currently Passpack’s architecture has some throw-back structures to these early beginnings. Moving forward, these residual elements make it increasingly complex to solve what should be simple problems for you.
We’re planning some significant changes to the architecture, which will allow us to get a move on with some of the important features you’ve been requesting. But before we do so, we wanted to let you know about what those changes are, and give you a chance to voice your opinions.
Shared Tags, Global Groups & More
First - I’m going to detail the pros and cons here, and at the end of the post there’s a survey for you to express your thoughts.
Share / Transfer Tags
This is the feature request that first made us wake up and rethink our architecture. It should be an easy enough thing to do to allow you to tag an entry, share it, and have the tags shared along with the entry itself. And technically we could do it with the existing architecture, but to do so would take an enormous amount of time and effort… and really would just be postponing the underlying issue: are we making our users’ lives harder than need be by obsessively over-encrypting?
Current state - All tags are HPH encrypted in a single monoblock. On the server, Passpack doesn’t know the names of your tags, nor which ones are used on which entries. All of that matching happens on-the-fly on your computer after you’ve logged in.
The change - We’d like to remove the encryption from tags. This will mean that we may know what tags you are using. But unless you’re doing something really odd like using your password as a tag, this shouldn’t actually compromise your password privacy.
Global Groups & Group Admins
Global groups would allow folks to know when they’ve been assigned to a particular group and who else belongs to it. Building on that would be the ability for an account owner to designate someone inside the group as an administrator with permission to manage sharing privileges on the owner’s behalf. Both are pretty basic in most collaboration systems. Neither is possible with Passpack’s existing structure.
Current state - Passpack’s server knows the sharing nicknames of the people you’re connected with. But it does not know the names of your groups, if you’ve renamed any of your people, or which people belong to which groups. Like with tags, all of that matching happens in real-time directly on your computer. Groups exist locally, in your account, as an organizational tool only. The server knows nothing of them.
The change - We must first and foremost make the server aware of the groups you have created, and which people are assigned to them. This will reveal something about your organizational structure to Passpack, but will not compromise the privacy of your passwords.
More Flexibility in Entries
There are a bunch of suggestions in the forum which revolve around the concept of making entries more flexible. Things like customizing entries or storing things other than passwords would work perfectly fine with the system as-is. However, some things, like setting reminders and tracking usage, are inherently non-anonymous, and thus in conflict with the existing architecture.
Current state - The name, user id, password, notes, link and email of each and every entry are all HPH encrypted, in a single monoblock. If the entry is shared, Passpack knows the sharing nickname of all the folks involved, but that’s about it.
Also, the activity logs you see in your home page are not persistent. In other words, we can’t actually keep a running log. Similar to the current approach with tags and groups, the changes in your account are deconstructed by the interface and shown on screen as a notification on-the-fly. Once you log out, and log back in, that information is gone.
The change - We essentially want to split up the data between “needs to be encrypted” (password and notes) and “doesn’t need to be encrypted” (link and entry name). While we could make some enhancements to entries now, it would be far more scalable once we make this split. Also, some items, like notifications, simply can’t be fixed unless we make this change.
Bonus: Customer Support
We often have folks writing in saying things like “hey I need help with the 5 entries that I shared with the group ABC,” or “the 10 entries for my tag XYZ,” or simply “my Amazon entry.” Alas, as of now, none of that information can help us locate your encrypted entries in our database. Usually, a lot of back and forth with the customer ensues to try and figure out which entries are the problem ones. It’s frustrating, and sometimes it’s simply impossible: we’re literally unable to help.
The History of Passpack’s Architecture
For those who don’t already know, Passpack uses Host-Proof Hosting (HPH). That means that not only is all your data encrypted, but it’s encrypted on your computer, before being sent to Passpack’s server for storage. The key to decrypt and read that data is your Packing Key, which never gets sent to the server at all. The net result is that Passpack only stores pre-encrypted data to which it does not have the key (aka: we can’t read your stuff).
That’s not changing. We are, and will always be, a HPH company (heck, we’re HPH pioneers!). What is changing, though, is which data HPH gets applied to, and why.
Striving for both data privacy and anonymity required us to apply HPH encryption to as much account data as possible. We jumped through amazing hoops to avoid accidentally finding out who our users were, or anything about them for that matter. But even back then, we knew a line needed to be drawn between reality and theory. We just chose to draw it in a different place than where it needs to be now.
Anonymity was a big request from our early adopters. Many early architectural decisions were based on their desire to keep their identity and activity on the web completely hidden. This was much more important to them than, say, ease of use or convenience.
That was many years ago. Since then, Passpack has evolved into a collaboration tool used mostly by work groups and businesses. The large majority of these folks have a much bigger need for easy, convenient solutions, than they do for anonymity.
So… time to make some changes.
Ok, so I’ve laid it all out for you. Now tell me what you’re thinking with this super quick survey below.