Over the years, I recommended using a password manager to hundreds of students… I often recommended popular services on the grounds of convenience. Last month LastPass announced it would seriously limit the free tier, forcing me to do a lot of self-reflection about those recommendations. From today onward, LastPass will only work on mobile or on your computer, but not both. If you want to keep using the service like you used to, you need to pay the piper.
If you think about it, this is a pretty shitty move to pull on your users. Most users of a password manager will now have passwords stored on these services that are not amenable to human memorization unless your name is Nelson Dellis. What the service is doing is essentially holding the users' access to their accounts hostage, much like ransomware.
The problem is not limited to LastPass, or to password managers. Cloud services are in a position of power over their users. They hold your information and they can alter their terms of service on a whim. We, the users, are losing ownership of the means of computation. This has been an ongoing trend. The things we used to do on our own hardware and with our own software are now offered as services, and oftentimes it is hard, if not impossible, to find an on-premises solution that does what cloud services do for the same cost/effort.
I know because I go out of my way to use open source software whenever I can. My password manager needs three different integrations to do what LastPass does (browser plugin, cloud storage, mobile app). Again, the problem is not just password managers; you strike the same Faustian bargain, to varying degrees, with every cloud service you use.
Take photo storage, for example. It is nigh impossible to find the feature set and convenience offered by Google Photos in your own setup. Even if you go through the trouble of setting up your own NAS, synchronization on multiple devices, and a web server to access the photos, you likely will not get access to all the features Google offers. It is not that the technology is impossible to implement on your own premises. It is a clunky solution that requires constant vigilance on your part (did you update that NAS? When was the last time you backed it up? What happens if your server rack gets damaged in a fire or a flood?), and even then it is not convenient to cooperate with others.
It is just that nobody has the incentive to build and maintain an appliance like this. The business proposition is just not there for the customer segment. Assume you built a photo syncing NAS storage application. You will sell one unit to one household every so many years. Your cloud service competitor offers lower barriers to entry (free tier), convenience, and off-site backups… Over the years, I got excited over email appliances, NAS appliances and such, only for the brilliant looking devices to disappear into obscurity.
So what is the takeaway? Cloud services offer real value, and traditional business models (based on owning your own hardware and software, owning the means of computation) are just not competitive? Yes, but there is more. The cloud services require the users to give up a lot of power and control over how their data is stored/processed in exchange for convenience. Convenience definitely has a value, but I don’t think the users are fully conscious of the trade-off they are making.
The solution is not open source purism or a wholesale rejection of cloud services. It is a rational analysis of the risks typical end users face by using or forgoing the cloud service. I too use file storage services, hardware as a service, and this blog is hosted on WordPress servers… I guess the key is to understand what is being given up (access to your accounts, photos of your child, your email correspondence) and what is being gained (convenience, reduced costs) in each instance, and choose accordingly.