This is an interesting requirement considering that you recommend 1Password, a closed source password manager that arguably protects even more sensitive data. So, your stricter requirement for these categories makes little sense to me.
We could discuss that in a new thread.
I think we could re-evaluate this once Proton Pass is out and there are multiple open-source cloud-based password managers, if Proton Pass turns out to be good.
Right now there weren’t really good options in this category other than Bitwarden, and 1Password provides advantages over Bitwarden in some respects. If Proton Pass ends up providing the same advantages then it could take its place and we could make this change, but time will tell. I’m also not thrilled with 1Password potentially adding telemetry anyways, no matter how “privacy respecting” it’s claimed to be, but that is a future change.
Bitwarden claims to use Google Analytics. Is that not also a concern?
EDIT: The reply by Bitwarden is not deleted, I’m just a dum-dum. Disregard that part.
In a now seemingly deleted Mastodon post (Bitwarden: "@Jo3@mastodon.social Hey there, Firebase Cloud Me…" - Fosstodon), Bitwarden said (this is not the entirety of their reply, just the part that I was able to quote from another reply I made elsewhere):
Hey there, Firebase Cloud Messaging (often mistaken for a tracker) is used only for push notifications related to sync and performs absolutely no tracking functions. Microsoft Visual Studio App Center is used for crash reporting on a range of mobile devices.
Now, I don’t know whether they removed that post because what is stated there is incorrect, but Bitwarden having a library in the app doesn’t necessarily mean they use the analytics portion of said library.
Someone could reach out and request more specific and up-to-date information.
We use data for analytics and measurement to understand how our the Site and Bitwarden Service are used. For example, we analyze data about your visits to our Site to do things like optimize product design. We use a variety of tools to do this, including Google Analytics. When you visit the Site using Google Analytics, we and Google may link information about your activity from that site with activity from other sites that use Google Analytics services.
They’re not quite clear if Google Analytics are used on the service, they say they use a variety of tools including Google Analytics, but yeah, you’re right, I would assume they do.
Whether that’s relevant to them being listed or not, I don’t know.
I’m just pointing out that if first-party analytics are a point of concern regarding 1Password, then Bitwarden is also affected. I’m not thrilled with analytics either but I’d prefer a first-party approach over Google Analytics any day.
Bitwarden only uses Google Analytics on its website, not on the apps. So, this is not a huge concern, in my opinion. The same goes for 1Password, which also uses Google Analytics on its website. However, 1Password has also recently stated that they will soon start using telemetry on their apps, which is another thing to consider. But if we are talking about website analytics, it is actually next to impossible to find a product that wouldn’t use them. For example, KeePassXC uses cloudflareinsights, and Strongbox uses plausible but also tries to access Canvas. So, there really isn’t a perfect solution in this regard. But then you could also ask how many people have to even revisit these websites in the first place after creating their account or downloading the app. I would assume not many times, if at all.
The difference is that a lot of account settings with Bitwarden are only available through the web vault. This means that people are far more likely to visit the Bitwarden website than they would if they were using another password manager.
Settings such as changing the KDF, enabling/changing 2FA settings, changing the master password, etc., are all only available through the Bitwarden web vault.
And still, if you use any of the browsers PrivacyGuides recommends, this isn’t really a problem, as those trackers would get blocked.
Woah hey. Now this is branching off again, from open source to the use of analytics.