"We won’t be collecting your saved passwords, passkeys, usernames, and any URLs associated with your items. Your private information is just that – private.
All event data will be de-identified and processed in aggregate before it’s used for analysis. "
It sounds like they plan on releasing the technical details in the coming days/weeks. I’m curious how its de-identified and processed.
Decryption was not actually where I was going, as due to the method of encryption although it’s stored at rest, they do not have access to your decrypted password.
Usage patterns, data movement, and the rest of the telemetry can point to who the user is, which might give interested parties enough information to attempt a social hack or some other escalation.
It’s an outlier, but such things have happened in the past. So reducing pointers can help keep you safer in the long run. Especially as data breeches are only increasing in frequency. Lastpass had one last year, which did not compromise password but did compromise customer data.