Privacy/Features/Sync Compromise Alerts
Status
Sync Account Compromise Alerts | |
Stage | Draft |
Status | ` |
Release target | ` |
Health | OK |
Status note | ` |
Team
Product manager | ` |
Directly Responsible Individual | ` |
Lead engineer | ` |
Security lead | ` |
Privacy lead | Sid Stamm |
Localization lead | ` |
Accessibility lead | ` |
QA lead | ` |
UX lead | ` |
Product marketing lead | ` |
Operations lead | ` |
Additional members | ` |
Open issues/risks
`
Stage 1: Definition
1. Feature overview
This feature is intended to minimize the chance that adding a device to a user's sync account will go unnoticed. When a new device is set up in a user's sync account, we should alert the other devices on the account that a new device was added; this can be used effectively as account compromise detection, much like Google's mail client monitors the location of sign-ins and alerts users when something "unusual" or "unexpected" happens.
This becomes more important as we start syncing more information so users know to which devices their information will be copied.
2. Users & use cases
- Alice syncs her phone, laptop and desktop, then loses her phone. Eve finds the phone, uses it to set up a new "eavesdropping" device (via the J-Pake setup flow, pairing Eve's desktop to Alice's phone), then returns the phone to Alice. Alice learns of this pairing only because her laptop and desktop are alerted about the addition of Eve's desktop.
- Adam syncs his phone, laptop and desktop. He leaves his desktop unlocked one day at work and Eric pairs his phone to Adam's desktop. Without this feature, Eric could always tap into Adam's passwords and browsing history, but with this feature, Adam will receive alerts on his phone and laptop about Eric's pairing activity.
- Anna syncs her phone, laptop and desktop. Edward notices her laptop unattended at a cafe (as she walks away to pick up her order) and quickly pairs his laptop to hers. Although she doesn't store passwords in sync, Edward is able to modify her bookmarks to her banking sites so that when she clicks them she connects to his phishing sites instead. When he syncs his laptop, the malicious bookmarks are synced out to all of her devices.
3. Dependencies
This can be implemented by itself, but the alerts could be generated inside the clients and pushed to the other devices using Services/Sync/Push_to_device.
4. Requirements
`
Non-goals
`
Stage 2: Design
5. Functional specification
When a new device is set up on an account using username/password/sync-key, all other devices paired with the account receive and display alerts about the sync event.
When a new device is set up on an account using pairing (J-Pake), all devices not involved in the transaction (all but the new one and the host device) are alerted.
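As an added illustration of the two rules above (example code, not the Sync project's own), the following Python models an account's device set and a per-device alert inbox that is drained when a device next connects; the names SyncAccount, add_device and drain are assumptions.

```python
from dataclasses import dataclass, field

# Hypothetical model of the alerting rule in the functional spec above.
# The two enrolment methods the spec distinguishes:
CREDENTIALS = "username/password/sync-key"
PAIRING = "j-pake"


@dataclass
class SyncAccount:
    devices: set = field(default_factory=set)
    # Per-device queue of pending alerts, shown when that device next syncs.
    inbox: dict = field(default_factory=dict)

    def add_device(self, new_device, method, host=None):
        """Enrol new_device and queue an alert on every device that must be told.

        Credentials: every device except the new one is alerted.
        Pairing: every device except the new one and the host is alerted.
        Returns the sorted list of alerted device ids."""
        if new_device in self.devices:
            raise ValueError(f"{new_device!r} is already on the account")
        if method == CREDENTIALS:
            excluded = {new_device}
            how = "was set up with the account credentials"
        elif method == PAIRING:
            if host is None or host not in self.devices:
                raise ValueError("pairing needs a host device already on the account")
            excluded = {new_device, host}
            how = f"was paired via {host!r}"
        else:
            raise ValueError(f"unknown enrolment method {method!r}")
        self.devices.add(new_device)
        recipients = sorted(self.devices - excluded)
        for dev in recipients:
            self.inbox.setdefault(dev, []).append(f"New device {new_device!r} {how}")
        return recipients

    def drain(self, device):
        """Return and clear the alerts a device displays on its next connection."""
        return self.inbox.pop(device, [])
```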
6. User experience design
`
Stage 3: Planning
7. Implementation plan
`
8. Reviews
Security review
`
Privacy review
`
Localization review
`
Accessibility
`
Quality Assurance review
`
Operations review
`
Stage 4: Development
9. Implementation
`
Stage 5: Release
10. Landing criteria
`
Feature details
Priority | Unprioritized |
Rank | 999 |
Theme / Goal | ` |
Roadmap | ` |
Secondary roadmap | ` |
Feature list | ` |
Project | ` |
Engineering team | ` |
Team status notes
status | notes | |
Products | ` | ` |
Engineering | ` | ` |
Security | ` | ` |
Privacy | ` | ` |
Localization | ` | ` |
Accessibility | ` | ` |
Quality assurance | ` | ` |
User experience | ` | ` |
Product marketing | ` | ` |
Operations | ` | ` |