What Happened When The DEA Demanded Passwords From LastPass
April 11, 2019, 05:10:15 am

The government makes very few demands for data from password managers, but when it does it expects a lot, including login information, Forbes has learned.

In one case—the first documented government request to any major password manager—the Drug Enforcement Administration (DEA) demanded logins and physical and IP addresses, as well as communications between a user and LogMeIn, the owner of the massively popular tool LastPass, an encrypted vault for storing passwords. The DEA was seeking information related to a LastPass customer, Stephan Caamano, suspected of dealing drugs via the dark Web and Reddit, according to a search warrant detailing the request.

Passwords were not handed over, but LastPass did return IP addresses used by the suspect, alongside information about when Caamano’s LastPass account was created and when it was last used. According to the government’s application for the search warrant, filed at the end of January 2019: “Such information allows investigators to understand the geographic and chronological context of LastPass access, use, and events relating to the crime under investigation.”

According to the government’s account, Caamano, who lives in Champaign, Illinois, came under suspicion after he ordered a number of tablet press machines from China as well as packages of fentanyl and alprazolam, which many know as the Pfizer brand Xanax. Investigators then traced Caamano to a property and carried out surveillance on packages containing the pills they believed he was sending to customers. They later spoke with one of the recipients, who said they’d ordered Xanax from a Reddit user called “Googleplex,” a dealer also operating on the dark Web drug bazaar the Dream Market.

With enough evidence in hand, police arrested Caamano on May 29, when they seized a mobile device on which LastPass was installed. Police were also able to bypass encryption on the suspect’s CyberPowerPC, where they discovered a browser extension for LastPass. But as they didn’t have the master password, the police couldn’t get access to the account and the logins within.

The Department of Justice said it couldn’t comment because the case was ongoing. Caamano’s case is scheduled to go ahead this May. He has pleaded not guilty. His counsel had not responded to a request for comment at the time of publication.

No passwords available

Despite its demand, the government could never have expected passwords from LastPass. A LogMeIn spokesperson explained: “User passwords stored on LogMeIn's servers are only done so in an encrypted format. The only way they get decrypted is on the user’s side, and the way that happens—the decryption key—is the user’s master password (used to log into LastPass), which is never received by or available to LogMeIn/LastPass. In other words, we have no means of decrypting user password information on our side, and thus, we are unable to provide these passwords.”

The spokesperson said it receives fewer than ten such requests a year, startlingly low for a product that has 13.5 million users. Even when requests do come in, the company can only provide limited data, they added. That includes customer contact information, billing addresses and IP addresses. It could also reveal what apps a customer is storing passwords for in LastPass, but LogMeIn noted it doesn't track users’ Web history.

LogMeIn was also keen to stress its opposition to government calls for backdoors in tech that might allow police a way past encryption. “It is the policy and position of LogMeIn that the company does not create such backdoors or decryption techniques to provide access to customer data.”

Other password managers have gone to similar lengths to prevent the government from getting easy access to customer logins. Jessy Irwin, a cybersecurity practitioner who was previously “security empress” at LastPass rival 1Password, said her former employer tried to make accessing customers’ private data incredibly difficult for anyone. “One of the biggest things we very deliberately focused on,” she said, “was not being able to collect browser history, something that would be well within the realm of possibility for other password managers that don’t make conscious privacy choices. … Asking us for data was useless.”

Despite the limited data they can get, the cops are making demands of password managers. The Illinois case is just the first time the world has heard about it. And it’s unclear whether all password manager providers are as protective of customers’ private information as industry leaders.