[fx32s]

Reading the comments it almost seems that folks assume passwords are shared plain text with these trackers. I don't have any issue with Lastpass having anonymized logs of how often people visit which part of the app if it leads to improvements in usability.

[danpalmer]

From a security standpoint this is kinda the point – we don't know what it's sharing and it has the ability to, so we have to assume it. Obviously it's unlikely, but through accident, ignorance, or malice, it's possible.

I think for a security product the onus is on the author to show that this can't happen (not just that it doesn't), which means either not having trackers (easy) or somehow showing that trackers are isolated from the sensitive data (hard).

This isn't uncommon. Apple have published a bunch about how they do iOS security, and it's quite clear that there's strong sandboxing between untrusted code and sensitive data, in some cases even enforced at the hardware level.

[Fnoord]

> I don't have any issue with Lastpass having anonymized logs of how often people visit which part of the app if it leads to improvements in usability.

I do. Some don't. Some do.

So give the user the choice instead.

I also wonder if this is even GDPR compliant...