Here’s how Enpass safeguards your privacy while using website icons

With version 6.2, Enpass introduced support for website icons, making it easier for you to identify your items at a quick glance – actual brand icons instead of standard or default ones.

These icons are fetched from our server and since Enpass is an offline password manager, some questions about data privacy are natural.

  • Do we know about websites saved by a particular user?
  • What data does Enpass collect?
  • Why does Enpass use its server instead of directly fetching favicons from the websites?

At Enpass, the privacy of your data is paramount to us. That’s why the use of website icons is optional, and the feature is disabled by default. To start with, you’ll have to enable it manually from Enpass settings.

Why are we using our own server?

We initially rejected the idea of using our own server for managing website icons and spent significant time trying to do this without a server. A beta version was also launched, but it failed to meet expectations, and later we chose to go with our own server. We had the following options on the table.

Option I- Fetching website icons directly from the saved URL

The first and obvious option was to look for the favicon on a fixed standard path – https://www.<domain>.com/favicon.ico – on any website.

However, we observed that many websites do not have their favicons at this location. Moreover, such favicons have small resolutions that aren’t suitable for modern, high-resolution displays.

In the end, crawling through the website code is the only option to find icons at various places like apple-touch-icon or twitter-image, but it can make the app buggy, introducing parsing bugs that could lead to app crashes on websites that have not been tested before. Another practical issue with this approach is that even for a slight improvement related to any website, we would have to update the app.

Option II- Using third-party services

This seemed promising, and we launched a beta version where the favicons were fetched from a third-party service, but later we had to withdraw it because of several issues.

The problem with this approach was that we did not have any control over how they were handling users’ data. Also, their database fell short both in the number of favicons and in the quality of some icons.

Option III- Creating our own service

This is what we are doing now. We are managing our own database of URLs to the actual website icons. A script runs on our server and tries to find the best resolution icon for the requested URL. The best thing here is that we can improve the service without releasing any updates.

What data do we collect?

The only information we record is how many times an icon has been requested for a particular domain. This helps us figure out which popular websites are missing, so that we can improve the script and provide the missing icons to you later without releasing an update to the app.

The Enpass app anonymously sends a POST query to our server over HTTPS with all the domains in saved URLs. It does not contain any of your personal information. All the URLs in your Enpass items are stripped down to the domain part only, and no website path or URL parameters are sent.
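The stripping step described above can be sketched as follows. This is an added example, not Enpass's own code: the function names, the JSON body shape and the reading of "domain part" as the host name are assumptions, and the sample URLs are constructed.

```python
import json
import re
from urllib.parse import urlsplit

SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")
HOST_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)*|[0-9a-f:.]+")  # DNS name or IP literal

def domain_only(saved_url):
    """Reduce one saved URL to its lowercase host, or None if it has none."""
    text = saved_url.strip()
    # Entries are often saved without a scheme ("example.com/login");
    # urlsplit only recognises the host when "//" precedes it.
    if not SCHEME_RE.match(text):
        text = "//" + text
    try:
        # .hostname drops userinfo, port, path, query and fragment.
        host = (urlsplit(text).hostname or "").rstrip(".")
        host = host.encode("idna").decode("ascii")  # IDN -> punycode
    except (ValueError, UnicodeError):
        return None
    # Fail closed: anything that is not a plain host is never sent.
    return host if HOST_RE.fullmatch(host) else None

def build_icon_request(saved_urls):
    """Body for the icon lookup: sorted, de-duplicated domains and nothing else."""
    domains = sorted({d for d in map(domain_only, saved_urls) if d})
    # Assumed wire format; the page does not document the real request body.
    return json.dumps({"domains": domains})

# Constructed sample entries, not real vault data.
SAMPLE_URLS = [
    "https://user:s3cret@Shop.Example.com:8443/cart?session=abc123#pay",
    "example.com/login?next=https://other.example/",
    "https://mail.example.org./inbox/42",
    "https://shop.example.com/orders",
    "not a url",
    "",
]

if __name__ == "__main__":
    print(build_icon_request(SAMPLE_URLS))
```

Sorting and de-duplicating the list also hides how many items share a domain and the order in which they were saved.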

The only identifiable information that reaches our server is your IP address, and our server does not log or cache it anywhere to identify you, so we do not know which websites a particular user has saved in Enpass. We cannot strip that out from the request since it is part of the HTTPS protocol.

In response to your query, the server returns the links to the website icons that are already available. The ones that are not are put in a queue and collected later.