LastPass Android app tracks its users

Yes. I wrote about that last week in the other LastPass thread.

In the LastPass web page (your vault) you can change privacy settings. (It is difficult to show a LastPass page without showing private info, so I cropped/cut out or blurred some of these images.)

This is the latest update from LastPass:
LastPass’ Commitment to Privacy and User Experience - The LastPass Blog

“LastPass collects application telemetry, error and crash reporting data and high-level usage statistical information solely for the purposes improving the overall performance and reliability and usability of the product. This data is separate from user vault data, such as password generation and sharing, which are not visible in a decrypted state to LastPass and/or any third-party tracking tool providers. Finally, it is very important to note that LastPass does not sell user, tracking, analytics, or telemetry data.”

I had a reflexive, negative reaction to the news just like most folks, so I went and read the original post from the security researcher that got this whole thing started:
LastPass Android: Drittanbieter überwachen jeden Schritt ⋆ Kuketz IT-Security Blog

He lists the seven trackers identified and some examples of information tracked. To my untrained eye, it seems like the kind of stuff that would be helpful for LastPass to know as developers. He seems to start from the position that all trackers are bad, and then the argument proceeds from there that there are trackers present, thus this is bad. And being in the EU, he notes that this probably violates GDPR. (I think noting that everything violates GDPR is itself a requirement of the law.) What is missing from the blog post is an explanation of what the consumer harm is, and how it would manifest-- that would be helpful. He concludes by saying the presence of trackers indicates that security is not important to LastPass, then includes links to examples of past incidents where LastPass quickly addressed security concerns, so… 🤷‍♂️

To be clear, I would prefer fewer or no trackers in general. Also, I would prefer that LastPass (and other companies) publish detailed explanations of why they need-- and how they use-- this stuff. Give us twenty pages detailing exactly how they’ve used this in the past to diagnose problems and improve the service; don’t just give us some boilerplate language about “industry standards”. Or maybe write your own code for tracking this stuff so there are no third parties involved-- or explain exactly why it is better to get this through a third party. Transparency is the fix for a lot of this stuff, and I think companies avoid transparency because it is hard.