European Commission privacy regulations Wiki Commons

[UPDATE 13.01.2021] LastPass has reached out to use with some clarification around its practices. We have included the relevent quotes in the article below in bold font.


[12.01.2021 – 16:53 CET]

Europe takes a dim view on companies that mishandle user privacy and security. The European Commission leverages GDPR laws to regulate companies with a strict hand. However, it seems LastPass is willing to fly in the face of EU regulators and is facing a hefty fine for unresolved bugs.

Advertisement

Users and outlets have been increasingly pointing out how the company’s data practices go against the tenants of GDPR law. Starting on Reddit and then to an article by AlternativeTo, the company is said to be holding user data by not allowing them to export it.

If you are unfamiliar with LastPass, it is a freemium password management platform that provides encrypted passwords for users online. Sounds great, but it seems the company is not doing the best job at maintaining the privacy of customers.

For example, the company is said to be punishing users who drop from a paid account to a free version. Specifically, LastPass can lock users onto the desktop browser app when they switch between mobile and desktop three times. I am unsure why three is the magic number, but it is.

UPDATE – In an email to WinBuzzer, LastPass explains how its model works across mobile and desktop, following changes as far back as March 2021:

“To provide some background, on March 16, 2021, LastPass made changes to our subscription model, and we changed how LastPass Free users could access LastPass across device types. LastPass offers access across two device types – Computers (including all browsers running on desktops and laptops) or Mobile Devices (including mobile phones, smart watches, and tablets). 

All LastPass Free users were impacted by these changes. As a LastPass Free user, the device type (computers or mobile devices) that is used to log in to LastPass – on or after March 16, 2021 – becomes the user’s “active” device type. Users are allowed to change their active device type for up to a maximum of three (3) times, or users can upgrade to LastPass Premium or Families for unlimited device type access.”

Once locked onto the desktop app, the user can no longer export their data. It seems there are bugs that the company has not dealt with that precent exports. In other words, LastPass could solve the issue but is choosing not to.

The report suggests the bug is a violation of GDRP Article 20, which states users have the right to data portability. If a user wants to take their data and access it, they must be able to whether on a paid service or not.

LastPass is also reportedly lacking any normal avenue for customer support. There is no email or phone support for non-paying customers, but there is a virtual assistant. While this annoying, plenty of enterprise apps take a similar position.

[UPDATE] In response, LastPass says that it is compliant with GDPR laws and consistently works to ensure compliance is ongoing. Furthermore, the company puts value on user privacy and it is possible for free users to export data through the website:

“LastPass takes the privacy of our users very seriously and has a comprehensive Privacy and GDPR program designed to meet the evolving needs of the law and our user base. As noted above, the ability to export and initiate data portability has been available for many years for LastPass users, including prior to the GDPR going into effect, and further changes were made last April to ensure that mobile-only free users continued to have this right and ability. It was recently brought to our attention that a more recent bug was causing issues for some free mobile-only with data portability in the browser extension. Upon discovery of this bug, the LastPass team investigated and are in the process of releasing a fix to all browser extension stores. However, as of 4/8/21, free users should be able to export their data by logging in to lastpass.com and utilizing the export feature from there.

Previous

LastPass has a history of problems. In December 2021, the company confirmed a breach scare following a spate of unauthorized password warnings to users. However, the company said it was a false alarm and no accounts/passwords were compromised.

In 2019, we reported on a vulnerability on the platform that left users open to their information being taken before LastPass issued a patch.

Tip of the day: Did you know that Task Manager lets you set CPU affinity to claw back some resources from running apps and give selected apps higher priority. Our tutorial shows how you can use this helpful feature.

Advertisement