Would you try a new medication recommended in an article titled ‘Why You Need an Antidepressant’ that earns its publisher a commission each time someone clicks on a link to purchase the recommended product? I’d hope not. Yet, much of the news media openly collects commissions for recommending less-regulated products with surprising potential hazards.
Consider password managers. The New York Times has, in fact, published an article with the headline ‘Why You Need a Password Manager. Yes, You’; CNET has implored ‘Yes, You Need a Password Manager. Your Online Security Depends on It’; Engadget has urged ‘You need a password manager – right now’; and PCWorld has explained ‘Why your browser’s password manager isn’t good enough’.
All the above publications collect commissions when readers click on links (known in the industry as affiliate links) to buy add-on password managers.1 The free password manager built into your web browser, which some articles describe as not “good enough”, pays no commissions.2
Like pharmaceuticals, tech products can be hazardous, as those persuaded to buy LastPass had the misfortune to discover. In 2022, attackers stole LastPass’s online databases of all their customers’ data, including each user’s database of stored passwords and other secrets. That theft was particularly harmful because LastPass had failed to design their software to encrypt some of that data, and the encryption they did use to protect customers’ passwords was woefully substandard. Both flaws had been exposed in 2018 by Wladimir Palant, a well-known security researcher.3 LastPass’s ongoing failure to fix these flaws, both before and after the breach, exposed customers’ password databases. Among the losses appears to be cryptocurrency thefts totalling $35 million, traced back to victims who were all stored their cryptocurrency master secrets in LastPass.4 Since that’s just from one theft operation, it may only be the tip of the iceberg.
Many of the harmed customers had presumably been persuaded to purchase LastPass by news sources that collected commissions from its sale. Even after the 2018 disclosures, and an earlier breach in 2015, LastPass was still recommended by The New York Times5; PCWorld, which awarded it ‘Best Overall’ password manager in 2021; and CNET, which awarded it ‘Best paid password manager’ in 2021. Positive coverage helped LastPass accumulate over 30 million users,6 likely the largest market share of any password manager.7 There have been no apologies from, or consequences for, news organizations that recommended it.
News organizations that collect commissions argue we can still trust them because they have editorial independence in choosing which product is best in its category.8 We shouldn’t believe them. Collecting commissions can bias coverage even when it does not directly influence which product is deemed best.
Commissions give news organizations an incentive to devote more coverage to those product categories that pay the most commissions, leading readers to devote more of their purchasing budgets to product categories that pay larger commissions. Commissions can also cause coverage of the category to be more favorable. Commission can reduce coverage of products’ safety, because even the mention of one product’s hazards can dampen readers’ enthusiasm for the entire product category.
Commissions can cause organizations to hire editorial staff skilled and eager to cover lucrative product categories, to give them workloads that don’t afford time to scrutinize products’ safety, and to avoid hiring those skilled at the laborious and time-consuming work of evaluating products’ safety. So long as we trust commission-based coverage, evolutionary forces will favor the survival of news organizations that provide more coverage of lucrative categories and make more of it positive.
The extent to which industry has captured the media via commissions is evident from the sheer volume of articles promoting products like password managers and those articles’ absence of scrutiny into products’ hazards. Before password managers it was AntiVirus software and VPN services. All have benefited from fawning articles that tell us why we need this products, fail to disclose their potential safety hazards, and fail to cite sources outside the industry that wants us to believe we need them.
To restore our trust, news organizations should stop pretending that editorial independence guarantees unbiased coverage. Those that continue collecting commissions should disclose the source of every penny. Investigative journalists should follow the money that is not being disclosed. A good place to start would be the tens of millions of dollars that may have been paid to those who recommended LastPass.9
If you really hated this article, the last thing you'll want to do is send me a subscription-request email (which I might actually read) or follow me at @MildlyAggrievedScientist.
Many thanks to Cormac Herley, Wladimir Palant, and Bruce Schneier for suggestions on earlier drafts.
Footnotes follow the comment stream.
Comment via my accompanying fediverse post.
The New York Times Wirecutter’s ‘Why You Need a Password Manager. Yes, You’ does not have direct affiliate links, but directs readers to another of their articles, ‘The Best Password Managers’ which contains purchasing links. Similarly, CNET’s ‘Yes, You Need a Password Manager. Your Online Security Depends on It’ links to their rankings of the password managers with purchasing links that pay commissions. Engadget and PCWorld embedded affiliate links directly into the articles promoting the product category. ↩︎
For arguments why browser-based password managers may be safer, see this blog post by Tavis Ormandy. Please note the caveat that Ormandy wrote it while working for Google (maker of Chrome) and that it is fairly one-sided, eliding arguments that favor third-party password managers. For example, Ormandy argues that zero-knowledge architectures can be betrayed by sending clients malicious code, but doesn’t note that releasing malicious code risks exposure that one need not risk if not using a zero-knowledge architecture. ↩︎
See Wladimir Palant’s 2018 Is your LastPass data really safe in the encrypted online vault? and post-breach article LastPass breach: The significance of these password iterations. ↩︎
The losses were linked by Taylor Monahan of MetaMask. For coverage outside of the platform formerly known as Twitter, see coverage by Brian Krebs. ↩︎
The free edition of LastPass was recommended by The New York Times Wirecutter prior to its developer’s acquisition by private equity in 2019, which completed in 2020. I could not isolate when The New York Times stopped recommending it because The New York Times only shows updated versions of articles and the 2019 and 2020 versions of the article could not be found via archive.org. ↩︎
At the start of 2022, LastPass claimed to have over 30 million people trusting their product. ↩︎
In a 2021 study co-authored with collaborators at UC Berkeley, LastPass had the largest market share among verified participants. ↩︎
For example, the second paragraph of The New York Times Wirecutter about page states “We strive to be the most trusted product recommendation service around, and we work with total editorial independence. We won’t post a recommendation unless our writers and editors have deemed something the best through rigorous reporting and testing.” Later they explain that “the decisions we make regarding the products we feature on our site are always driven by editorial and product testing standards, not by affiliate deals or advertising relationships.” PCWorld, a product of IDG Communications Inc., claims “editorial independence” because “Our journalists are generally unaware of how much commission – if any – PCWorld receives from a purchase.” Even Consumer Reports, the gold standard in product coverage that insists on buying the products it reviews and touts being “ad-free”, influence-free”, and “powered by consumers”, collects affiliate commissions, including via their links to recommended password managers. While LastPass was not among their recommendations as of September 2023, their review still rated it “Excellent in data security” despite all the evidence to the contrary. ↩︎
The final SEC Form 10-Q for the six months ending June 30, 2020 of LogMeIn, the developer of LastPass, reported sales and marketing expenses of $235.5 million, of which $92.2 million were bucketed as marketing expenses separate from the sales and marketing personnel, professional services, credit card transaction fees, and so on (the other $147.7 million). The SEC report does not break down these expenses between LogMeIn’s flagship LastPass and other products, and between affiliate commissions and direct advertising. Yet, even if LastPass commissions represented 10% of that budget, it would mean that over ten million dollars of commissions were paid to those recommending LastPass in the year before the breach alone. LastPass offered minimum 25% commissions. Competitor 1Password offers a minimum of $2 per customer in addition to 25% of the customer’s initial subscription. ↩︎
