The government makes very few demands for data from password managers, but when it does it expects a lot, including login information, Forbes has learned.
In one case—the first documented government request to any major password manager—the Drug Enforcement Administration (DEA) demanded logins and physical and IP addresses, as well as communications between a user and LogMeIn, the owner of massively popular tool LastPass. It’s an encrypted vault for storing passwords. The DEA was seeking information related to a LastPass customer, Stephan Caamano, suspected of dealing drugs via the dark Web and Reddit, according to a search warrant detailing the request.
Passwords were not handed over, but LastPass did return IP addresses used by the suspect, alongside information about when Caamano’s LastPass account was created and when it was last used. According to the government’s application for the search warrant, filed at the end of January 2019: “Such information allows investigators to understand the geographic and chronological context of LastPass access, use, and events relating to the crime under investigation.”
According to the government’s account, Caamano, who lives in Champaign, Illinois, came under suspicion after he ordered a number of tablet press machines from China as well as packages of fentanyl and alprazolam, which many know as the Pfizer brand Xanax. Investigators then traced Caamano to a property and carried out surveillance on packages containing the pills they believed he was sending to customers. They later spoke with one of the recipients, who said they’d ordered Xanax from a Reddit user called “Googleplex,” a dealer also operating on the dark Web drug bazaar the Dream Market.
With enough evidence in hand, police arrested Caamano on May 29, when they seized a mobile device on which LastPass was installed. Police were also able to bypass encryption on the suspect’s CyberPowerPC, where they discovered an extension app for LastPass. But as they didn’t have the master password, the police couldn’t get access to the account and the logins within.
The Department of Justice said it couldn’t comment because the case was ongoing. Caamaro’s case is due to scheduled to go ahead this May. He has pleaded not guilty. His counsel had not responded to a request for comment at the time of publication.