An Open Letter To LastPass | 2021-02-21

Dear LastPass,

Hi there. Let’s not share any illusions that anyone who makes decisions will actually read this letter, though I will be sending a copy through your customer support portal anyway, where some poor Tier 1 sod will have to skim it before giving a canned response and closing the ticket. I feel for that person, because I’ve been that person before, but maybe, if I’m lucky, adding myself to the statistics of users leaving your system will help get a message through.

I read your blog post announcing that you are crippling basic features for free-tier users. I’m glad you emailed a copy to me, since I consulted with a number of colleagues and several of them received no notification at all, and thus would presumably have reached March 16 only to find their normal daily use of LastPass hostaged without notice. It’s so much more genteel to tell your users in advance of your plans to hostage them, isn’t it?

And let’s make no bones about this whatsoever. Your little pivot is precisely that: it’s a hostaging. You’ve invited in ordinary users with the promise of a free password vault (plus some minor frills) that functions across their entire digital life. These users entrusted their personal online security to you, accepting that the quagmire of modern passwords would require some tools to keep things properly managed. They came to rely on you. They, also, are the sort of people who likely have both a smartphone and a PC.

And once you had them all locked in, you told them that you were going to cut them off from their passwords on at least one of their critical devices unless they paid you money. You decided to take ordinary people’s digital lives and hold them hostage for money. How incredibly sleazy of you.

My colleagues in free and open source software (FOSS) are often incredibly skeptical about the trends in capitalist cloud computing. They’ve complained for years about the dangers of a Web where users consolidate their trust and critical services to an oligopoly with an ever-decreasing number of players. They have always been at least theoretically correct that entrusting one’s critical data to a remote and faceless third party creates a power relationship ripe for exploitation, and that, ultimately, the drive to extract profits will encourage exploitation in that relationship. And, for years, I have considered those warnings purely theoretical. A large number of companies providing essential cloud services for free have had the good sense to keep their exploitation of their user base on the down low, opting for a quiet and indirect mode of exploitation through analytics and advertising. Others have seen free services as a loss leader, a way to keep the brand’s name in people’s minds so that, when an entire company suddenly needs the “enterprise edition” of that given service, someone in the sales department would have a contract with a very large figure on it ready to go.

These methods of exploiting user data have, for me, seemed tolerable costs of accepting that a third party takes responsibility for keeping that data safe, and it’s been a common part of the business for some time. I’ve defended it as a necessity of modern life, and I’ve noted that there really haven’t been situations where users suddenly found their access to their data threatened for a ransom.

And then y’all came along and said “Nice impossible-to-remember passwords you’ve got there. Shame if something…happened to them.” Please spare everyone some tired refrain about how free-tier users still can access passwords from a single class of device. Digital life is lived on a PC and a phone these days, and eventually, everyone needs their passwords on both. You came along and demonstrated a willingness to cripple your necessary utility for a lousy $27 per user.

Let’s also not make this about the immense costs that free-tier users are causing you. You’re a password vault. Your data storage costs per user are minuscule. The apps used to retrieve passwords are not large and complex. Your highest cost on free users is support, and that’s easily solved by…charging your free users for support. In fact, it’s obvious that this isn’t about the burden of free users, because you have locked free users out from a class of devices rather than, say, limiting the number of passwords or disabling your security audit features or things like that. Note that you didn’t just start inconveniencing new users and keep your existing ones grandfathered in. This was never about what this costs you and absolutely about what you could extract by threatening normal user habits.

So, as of yesterday, I’ve created my own Nextcloud instance and migrated my passwords. I’ve confirmed that the Nextcloud password mobile app and browser extension work well enough. I’m joining the “self hosting” movement. Will this cost me more than your $27/yr ransom? Yes, it will. At least, it will in the short term. Who knows what you’ll cripple-for-pay in the future.

But you know what? I consider the slightly higher costs of hosting my own password vault to be worth it just to spite companies like you. People like me didn’t ask for much, just that you keep your exploitation of your locked-in user base a bit sub rosa. But you couldn’t even keep to that. You had to go and show everyone that giving your data to someone else is an invitation to be held hostage. And you did it with some of the most secure and critical data that users had.

I’m gone. I don’t need you. I’ll offer a password vault to every friend I can completely free of charge. It’s an act of kindness to do so, because they clearly can’t trust people like you.

With contempt,

Kit Rhett Aultman