Topic: Ledger Live Liars Data Collection (Read 380 times)

This is topic about Ledger Live Data Collection, not about Wasabi wallet, please don't go off-topic anymore.
If you want to continue talking about Wasabi and answer many questions you didn't answer so far, better open new topic dedicated to Wasabi only.
Note that I am saying this to nopara73 and to everyone else
Thank you.

> Will 2.0 also censor users? If so, then you can't honestly claim to be decades ahead of anything.

You're conflating Wasabi Wallet, the open source software with zkSNACKs, the company that's running a Wasabi coordinator.

> In what way? Because they known your xpub if you don't run Dojo, the same as any other SPV wallet? Bit of a stretch to call that a scam.

SPV wallets don't send xpubs to servers, but I'll assume you wanted to say "most light wallets" which would make it true. Yes, you have zero privacy with most light wallets. The difference with Samourai is they don't advertise themselves as a privacy wallet.  
Don't take it as an offense, but the fact that you brought up running Dojo as the solution to this shows that you've just been scammed by them. We know that the default user sends their xpubs to Samourai, therefore these users gain zero privacy against their server even if they mix. Even if you use a full node to mix (dojo) you'll be still deanonymized by exclusion. Anonymity likes company. You cannot be anonymous by yourself.  

The fact that they don't provide any privacy is just my first problem. I have a much longer list of problems with them and I can go on and on. But since you seem to be liking JoinMarket, you may want to ask some JoinMarket contributors in private what their feelings are about Samourai. Spoiler alert: Many Bitcoin developers are afraid to publicly speak out about them due to their constant astroturfing and harassment of anyone who would like to look into what they are doing and how: https://nopara73.medium.com/samouraileaks-part-2-harassment-of-bitcoin-developers-fae3019abd2f

You are still not addressing any of the very valid concerns being raised in this thread.

Will 2.0 also censor users? If so, then you can't honestly claim to be decades ahead of anything.

In what way? Because they known your xpub if you don't run Dojo, the same as any other SPV wallet? Bit of a stretch to call that a scam.

Cool, let's all use that then.

Wasabi Wallet 2.0 is decades ahead of other privacy solutions in Bitcoin. There's Samourai that's a scam and so aggressive they scare away every newcomer who would like to develop for Bitcoin privacy. That leaves JoinMarket that's coming along nicely, however as a project without funding, its development is much slower.

That blog post doesn't explain a single thing you are doing to fight this; it just make a list of excuses as to why you are selling out, followed by a final two paragraphs reminding everyone how great you are for selling them out. Not to mention some very dubious statements it makes, such as:

Lol. Decades? Bitcoin is only 13 years old but your wallet is so amazing that without it Bitcoin would have been set back decades? Come on.

Right, because if you didn't start censoring people, then privacy as we know it would be over.

No, you'll just hire a blockchain analysis company instead and get them to spy on people on your behalf, as your team stated on Telegram. Because I definitely want my coinjoin fees to go straight to a blockchain analysis company. Don't you just love paying people to spy on you?

You can't claim to be protecting privacy while also being pro-censorship, since to censor certain outputs you must first invade the privacy of everybody using your service. Even the users who aren't censored are being monitored by whatever blockchain analysis companies you hire to make sure they are being good little citizens, and they are paying for the privilege of being spied on.

I only see excuses and justifications; no attempts to apologize and make things better, such as reverting the decision, since there are no legal reasons to do something like this right now. And those premium devs that you can hire with your super company money, could come up with something better before such laws kick in. It's clear that you guys chose the 'easy way'. Took the 'blue pill', if you wish.

One idea that I randomly came up with was: shut down your centralized coordinator, explain how to set up own coordinators and introduce a way in the GUI to set that 'custom coordinator'. Maybe keep the zkSNACKS one running as a fallback for a transition period. That's just one idea of many that your highly specialized, trained professional developer team might consider along with many others that they have much higher chances to think of than myself.

This is a fact, not an opinion: https://github.com/nopara73/Dumplings

Anyhow, I agree with you and that's what we're doing: https://blog.wasabiwallet.io/zksnacks-blacklisting-update/
It's just legislation isn't the only way criminal organizations like governments are going after you. Not even the primary one.

If you believe that to be true, then all the more reason you should be fighting to protect that privacy and not capitulating of your own free will, even before being forced to by any legislation.

Well, that's true. I gave up using my Ledger devices a long time ago, and various events from the massive data breach to them integrating a KYC debit card directly in their software have proven time and again that that was the right decision. But lots of people will continue to use hardware devices for their convenience over setting up airgapped cold storage.

I thought there was an option in the settings to simply enter a new seed phrase, but I must be confusing it with a different hardware wallet. As I said, it's been a while since I used one.

Just that hardware wallets support several altcoins unlike cold storage like airgapped devices. Aside that, no other convenience, like while making transaction. It is a good option for people that just want to be making use of bitcoin to go for airgapped device. No one would know if the device is actually a cold storage wallet or not. Hardware wallet that has an element of close source is worst, be it its software or secure element or anything used in the wallet makeup.

That's true.


Actually I find the best option to have a cold storage and not a hardware wallet, especially a closed source one. Convenience has its price and that price is unfortunately rising.


Using a different seed phrase will not work because in order to change the seed you have to enter wrong PIN 3 times and reset the device. The result is that the apps have to be reinstalled at the moment the device has your HD seed and this procedure is done with (drums) Ledger Live. Yeah...

Wasabi did not turn bad. It's not like anyone is happy with what happened, but the fact is, Wasabi is the most popular privacy solution on Bitcoin, which makes it the most endangered Bitcoin project in existence.

I don't think you can say that for sure. Given that on Ledger devices you can enter a passphrase without opening the bitcoin app, then clearly it can still access the seed phrase and perform operations on it, which will include potentially deriving public keys. Given it is closed source, we can't say for sure this isn't happening.

I think the best option is to have your basic wallet completely empty and only store coins behind additional, temporary passphrases. If you then only unlock your wallet but never enter a passphrase before connecting to Ledger Live for updates, and only open your passphrased wallets when connected to your own Electrum server or similar, then this should (but again, we can't be certain) prevent the public keys from your passphrased wallets being leaked during an update.

Alternatively have a dummy seed phrase which you enter to the device prior to any updates, and then restore your real seed phrase after.

That's not a big question, honestly. Especially financial information is very lucrative on the data market; alone the fact that someone owns any cryptocurrency or not is very valuable.
Have a look at this infographic, for instance.

I also don't believe after following different topics in the forum here, anything coming from Ledger will be really surprising. We can expect data selling, data breaches, low-quality devices and bad customer support, unfortunately.

It seems that Ledger's "right hand" (support department) doesn't know what his "left hand" (programming department) is doing. Constantly confused in their evidence. This immediately causes distrust and doubts about the reliability of this company.


Now we understand their "inner kitchen", but unfortunately it's a little late. This company has sold millions of devices, which means that they have obtained a lot of sensitive information about millions of their customers in a cunning way.

The question is, what will they do with all this data? Will they provide information to governments on demand?

Read more here: Goodbye, privacy, goodbye, it was nice while it lasted.

There are many more surprises ahead of us from Ledger.

OP, you've been critical of Ledger for as long as I can remember, and I used to politely disagree with you (if I recall correctly), but everything you've said stuck in my mind and produced doubts--doubts that kept growing and growing until I finally decided to ditch Ledger a couple of weeks ago. 

I don't like the fact that they use a closed-source code, and I don't like their data collection and privacy practices.  In fact, I'm uncomfortable enough with those things that I moved my coins off my device and into separate wallets (fortunately I don't own that many coins, and the amounts are small anyway).  So I thank you for being the canary in the coalmine for so long, because I have a feeling Ledger's policies are going to backfire on them, but it's their users who are going to get their heads blown off.

Too bad, because I loved the Nano S and X and the fact that they supported so many coins.  If anyone from Ledger ever reads this, tell someone high up to get the company's shit together.

If you don't start the Bitcoin app (the one installed inside your HW) in Ledger Live they don't know your xpub. So imho you can update without them knowing everything about you. Am I missing something?!
Of course, if you use their wallet, ... that's entirely your fault.

Not to be snarky but how do you know what data I am keeping / selling if you connect to my electrum node.
Unless you are running it yourself you really don't know.

Side note, although a magnitude or two or three more difficult and expensive same thing can be done with lightning.
Build enough nodes connected to each other and some major services that use it. Set the fees to 0 so other nodes will route through you and you could get a decent picture to a certain extent of what is going where.
Not perfect, but still.

Back to ledger collecting data if you need an app to update your HW wallet and just can't plug it in and upload a file to it, then yeah you never can trust what they are doing.

-Dave

It's really funny and even ridiculous: they are lying even about not collecting the information about bitcoin addresses user generates with their Ledger Live application:


Their Privacy Policy clearly states that they collect user's information about "currency, time stamp, amount and status of transactions, transaction identifier, identifier used by our partners to identify you."

It has long been known that Ledger guys want to know everything about their customers, which is one of the reasons why they made it so difficult to purchase a Ledger device. Users have to undergo the full process of verification and identification if they want their products. You simply can't buy Ledger anonymously with cryptocurrency. In order to purchase, you have to use either your credit card that is already attached to your real identity and bank account or your verified account on PayPal, Crypto.com, BitPay that also will contain information about your identity. All that means that not only will Ledger know you purchased a hardware wallet from them, but also everyone else should a data breach occur, including your government should it request information from one of these entities.

Except that I can put an SD card with a firmware file on it into my Foundation Passport and it updates itself without any data sent to anyone.

This should be the default and relatively easy to implement. BitBox02 has had this for 5+ years now if my memory serves me correctly.

I already explained this option in my reply you quoted. I was looking for a way where you can download the update manually and then flash it on an offline computer. It doesn't seem this is possible.

I appreciate that, but I think the distinction is academic. The outcome in both cases is the same: Some third party is collecting your data, storing it, and sharing it, and if you don't want that to happen, then you need to run your own node.

This is the way. Closed source software such as Windows and centralized services such as Google and Facebook have spent years collecting and selling your data. Why would cryptocurrency be any different, especially when governments are taking such an interest in controlling and monitoring it?