Topic: PeachBitcoin.com | P2P Bitcoin Exchange 🍑 #kycfree - page 3. (Read 1612 times)

Just letting you know that this has been discussed in the beginning of the thread[1] - the plan of this application is to go open source in the near future (I would say that it still could happen this year, but one never knows). Peach also gave an the interview recently[2] with the Foundation team and the open source subject is discussed here[3]. On that subject, I could sum up their reply in the following bullet points:

• They want verifiable source code first to legally protect them against possible application copies based on their work;
• It also took them a lot of time to get their API ready (which seems to be almost ready) in order to make sure that 1 person only has 1 account and doesn't exploit the system (in this case the daily trade limit) and thus comply with regulations. Naturally their API will also be open source;
• The planned license to implement in the MITCC. MITCC basically allows any user to use the code to create another application but aren't able to create a company based on the code used (by Peach Wallet). This was also explained better on this segment of the podcast[4].

---

[1]https://bitcointalksearch.org/topic/m.62121530
[2]https://www.youtube.com/watch?v=w_dh6nusghk
[3]https://youtu.be/w_dh6nusghk?t=2196
[4]https://youtu.be/w_dh6nusghk?t=2386

I was looking for a technical reason; if it's due to being in early beta, they could just as well have focused on getting it to work (at all; as well as with non-limited functionality) in an anonymous browser before doing the app, for instance.

Sure, but I prefer reading code instead. Only code gives you the full picture and confidence about what data is really collected and uploaded to their servers.

Just one more note on this point: you don't need to do everything on the same mobile phone.

You can install/use the app on one device. And then make the payment via another device. Payments are made outside the app, so you can easily do things without linking one thing to another.

Yes that is exactly the reason why I like what Peach is doing.
There are much more mobile users than computer users today, especially in third world countries, so growth potential is much bigger.
If I had the option to choose I would always use desktop solution with Tor, something like Bisq or Robosats is good for that.

It's limited for The Bitcoin Company (and their cards), and I don't know why, maybe because it's still in early beta phase.
I have no idea how thsi would work for Peach Bitcoin.

Well yeah, that is what you get when you install most of the google and iOS apps, but I am not sure if the same happens with direct APK file.
It's certainly a good to read Terms & Conditions and Privacy Policy page before using Peach:
https://peachbitcoin.com/privacy-policy/
https://peachbitcoin.com/terms-and-conditions/

Tor and open-source code are an absolute must for me. Robosats does have a 'F2F' option, by the way. You can even enter a custom payment option yourself.
Even if Peach may have more features, privacy should always be number 1 priority. But I guess it could be a good alternative to CEX for mobile users who don't own a computer that runs Tor Browser.

Why limited? I'm really interested to understand why this needs to be an app. Maybe I will just install it in an emulator and have a look myself.

Their Google Play page says they collect the in-app messages, crash logs, diagnostics, and device identifiers. Such an identifier would let them connect your trades, whereas reloading Robosats will give you a completely fresh, unlinked identity.



Be aware that 'encrypted in transit' merely refers to the usage of HTTPS (TLS). When the data reaches the server, it is in the clear again. If you're unlucky, they might use Cloudflare, so those folks will have a copy of the data as well. As long as there is no end-to-end encryption in place.
Usually people use E2E as a selling point and plaster it all over the place, which I haven't seen on the pretty Peach Bitcoin website yet.



One good thing I did notice is that they use a Let's Encrypt TLS certificate for their website at least, instead of Cloudflare.

Yeah but I don't think you can use Robosats for meetups and trading face to face for cash, plus I think there are much more options in Peach compared to Robosats.
I think adding support for Tor would be a good idea for Peach, and maybe Robosats and Peach Bitcoin can work together in future.
In theory Peach could alter create web app with limited functionality, like The Bitcoin Company did with their no-kyc cards.

Communication is done within Peach app and I think it's encrypted, so I don't think there is anything connected with phone numbers.
My biggest complain to Peach is that source code needs to be released as open source, for code encryption to be inspected for bugs and exploits.

I'm not saying no, I'm just giving an example of a use case. It is also complicated now to explain how the app works. You can still use VPN to access the app, and not use VPN when paying. But, they would have to be investigating someone specifically, to be able to draw those conclusions. And it should be noted that there are payment methods that are only available in each country, being the users of that country to know how to use it in the best possible way. But, I'm not saying it's impossible.

Almost any P2P method has elements that can be unidentifiable. Unless both people meet and hand money to each other.

Now, Peach has to create (if she hasn't already created) a way for the data not to be stored, at least for a long time.

Well, mobile phone numbers are nowadays often tied to real identities using KYC. So if this communication is not encrypted end-to-end without backdoors or implementation flaws, a three-letter agency could knock at Peach's door, fetch a copy of their data, map phone numbers to identities and end up with a nice list of 'suspicious P2P Bitcoin investors'.

A non-insignificant number of governments nowadays push the narrative that striving for privacy, trying to avoid KYC and using P2P exchanges instead, for instance, is suspicious / criminal behavior or criminally motivated.

Then it will depend on the method used as a means of payment.

For example, when I tested it, I used a payment method that simply indicates the mobile number to send the money. In that sense, the seller sent me a mobile number, to which I sent the money. I gave the indication in the app that I sent the money, and a few minutes later the seller indicated that he received it, and the BTC was transferred.

The question now arises is how the app stores this type of communication. Whether it's point to point or not. But that, I can no longer answer. On the other hand, as there is no kyc, it is difficult to obtain a court order to present the data. Whose data, if they don't identify anyone?

Looking at my example. Even if the seller has problems with the law, the only information they have is the transfer of money via mobile phone. A system widely used among friends and family to pay for group meals, so little to no indication that it has anything to do with BTC.

How exactly do they 'process the payment methods outside the platform'? In the next sentence you say that it's a means of communication.

So I assume that as a seller, you send the other party your fiat payment information (which often includes your real name) through the application's communication system, right?

Just trying to understand.

There is no username, just an ID assigned by the app. Yes it's a username, but it's not the person's name. And the payment methods are all processed outside the platform, the platform being just a means of communication between the parties.

I am speaking from my experience. Either way I understand the concerns.

So there is already one issue here: notifications on Android are delivered through Firebase FCM, which is a centralized Google service. On iOS, they are delivered through APNS - which is the same thing by Apple. In the worst case, iOS users' notifications are actually managed through Firebase and delivered by APNS; so both companies get to know the contents of their notifications.

If the application does not need to run in the background and you can still find a trade partner, I assume there is a centralized server somewhere that keeps offers online. This could be both a central point of failure as well as a privacy concern, especially if the application doesn't connect to it through Tor. Is anything known about this? Otherwise, the server could easily gather and store IP addresses and transaction details, such as payment methods and names.

---

Depending on the details, this could be almost as bad as a centralized exchange when it comes to privacy.

If we had open-source client code, I could easily check if users' name and payment details are properly encrypted and only visible to their trading partner, for instance. Or whether the Tor connection exists / is set up properly. Best-case would be a serverless, decentralized architecture like what's used in bisq.

Right now, I believe Robosats may honestly be a more private option, since you use it through Tor and it receives no 'device information' like a mobile app, doesn't deliver notifications through centralized Google / Apple servers and so on.

I don't know how to answer that, but I can comment on the analysis I did.

The only permission the app requests on Android is notifications and camera access (which I'm denied). Notifications are only for the person to be notified when an offer match occurs (at least they were the only ones I received).

Therefore, it concludes that the offer is online, without the need for the app to run in the background.

Interesting, I just re-discovered this due to your post.. I do appreciate more P2P trading options, and the website design is definitely pretty and appealing.

But do you know what's missing on your webpage? A big, bold GitHub (or other VCS) icon. Or am I just blind?

While I do understand that with a mobile app, you can appeal to a mass audience, I believe many Bitcoiners will prefer to run such software on desktop and / or in browser. Especially if you don't compile the mobile app yourself, there's no way to really know what kinds of data it collects about you / your device and where it sends such data.

Just from a UX standpoint, I'm interested to know whether the application will need to stay online for the trade offer to remain online (like on bisq). Else how do you deal with smartphone apps' limited background-running capabilities?

You can literally see transactions happening all the time on mempool explorer, it's not like BTC mainnet for sure, but I am not expecting it to ever be like that.
As for wallets I know ledger hardware wallet is supporting Liquid chain, they have app and it works connected with Green wallet, and we also have Jade hardware wallet with full support.
I don't know any other wallets supporting Liquid chain yet, but many centralized exchanges are supporting it.
One good thing about Liquid (and I don't like federated blabla blockstream) is the fact we can use confidential transactions, and enter/exit stable coins much easier.

I'm not really familiar with Liquid so my opinion isn't worth much, but I guess it all depends on the demand there is for it. Have you got requests from users to integrate it?
I mean, looking at liquid.network I can barely see any transaction, and besides Blockstream's wallet I don't any major wallet integrating it (I may just be ignorant, tho). Of course it's always nice to see support for different technologies and someone has to go first, but as a startup with limited resources, you may want to think twice before doing it.

From what I understand swapping between BTC and L-BTC is also holding adoption back. As someone not familiar with Liquid, my point of view is that it should be as transparent / seamless as submarine swaps on Lightning, with very small fees and of course no KYC. But I don't know if that's realistic.

I'm sure you have already thought about integrating Lightning, but I'd like to mention it once again, as it's probably the most used scaling solution today. Also, that's more of a personal thing, but for some reason I tend to use desktop wallets for on-chain transactions and mobile wallet for Lightning ones, and since Peach is a mobile app...
In more concrete terms, I think Peach is great for onboarding newcommers. And I think we tend to onboard people with Lightning wallets, as they usually start with small amounts and most bitcoiners are familiar with this technology.
That being said, Liquid would also work for that use-case... if it was actually used.

Edit: one drawback with Lightning tho, is that you would likely need to implement a custodial solution.

Indeed, that's another concern. (Although scaling Bitcoin is most a matter of compromises.)
Lightning is quite concentrated around a few companies, but at least the protocol is open and anyone can run their node and choose the people who they want to open channels with.

Why would you implement support for a permissioned federation when you have options like Lightning and Monero available to you?

I doubt it very much. There is nothing even close to consensus about this on the mailing list, and even if there was, it would likely take months of discussion on GitHub before a viable pull request was ready to be merged.

I am expecting developers to disable ordinals junk spam in next bitcoin updates, and if some degens want to fork off (again) let them do it.

This is a good idea, but only if BTC to L-BTC swap is done without any kyc procedure or extra complicated steps.
You can also consider adding Lightning Network as alternative for lower amounts or when transaction fees are high again.

First of all, I want to say that I really like your answers guys, but I have run out of opportunity to like you!

I would like to add that we are also concerned about the current situation around the Ordinals, as this has caused us a lot of inconvenience. We are realists and we perfectly understand that in the absence of a softfor, this can happen again (thank God, now the mempool has unloaded a little).

- We are thinking of integrating LBTC (with an integrated swapping service).

I would be grateful if you would share your opinion on this in a more detailed form. 

You can find all the details on their website and contact them for more information/explanation.
Every communication before meeting is done over the app, and locations are popping up everywhere in Europe, but there is still lot of room for growth and improvement.

Is that PeachBTC telegram group available for everyone or only for beta testers because title sounds confusing?
Encrypting bank details is cool but we don't know what type of encryption they used and I will have my doubts until they release open source code and someone verifies encryption is good.
I prefer meetings because you don't need to share many personal details over app.