
Topic: Ledger Live Liars Data Collection (Read 380 times)

legendary
Activity: 2212
Merit: 7064
April 09, 2022, 05:23:38 PM
#30
> Wasabi Wallet 2.0 is decades ahead of other privacy solutions in Bitcoin. There's Samourai that's a scam and so aggressive they scare away every newcomer who would like to develop for Bitcoin privacy. That leaves JoinMarket that's coming along nicely, however as a project without funding, its development is much slower.

This is a topic about Ledger Live Data Collection, not about Wasabi wallet, please don't go off-topic anymore.
If you want to continue talking about Wasabi and answer many questions you didn't answer so far, better open a new topic dedicated to Wasabi only.
Note that I am saying this to nopara73 and to everyone else ;)
Thank you.
member
Activity: 99
Merit: 326
April 09, 2022, 05:01:10 PM
#29
> Will 2.0 also censor users? If so, then you can't honestly claim to be decades ahead of anything.

You're conflating Wasabi Wallet, the open source software with zkSNACKs, the company that's running a Wasabi coordinator.

> In what way? Because they know your xpub if you don't run Dojo, the same as any other SPV wallet? Bit of a stretch to call that a scam.

SPV wallets don't send xpubs to servers, but I'll assume you wanted to say "most light wallets" which would make it true. Yes, you have zero privacy with most light wallets. The difference with Samourai is they don't advertise themselves as a privacy wallet.  
Don't take it as an offense, but the fact that you brought up running Dojo as the solution to this shows that you've just been scammed by them. We know that the default user sends their xpubs to Samourai, therefore these users gain zero privacy against their server even if they mix. Even if you use a full node to mix (dojo) you'll be still deanonymized by exclusion. Anonymity likes company. You cannot be anonymous by yourself.  

The fact that they don't provide any privacy is just my first problem. I have a much longer list of problems with them and I can go on and on. But since you seem to be liking JoinMarket, you may want to ask some JoinMarket contributors in private what their feelings are about Samourai. Spoiler alert: Many Bitcoin developers are afraid to publicly speak out about them due to their constant astroturfing and harassment of anyone who would like to look into what they are doing and how: https://nopara73.medium.com/samouraileaks-part-2-harassment-of-bitcoin-developers-fae3019abd2f
legendary
Activity: 2268
Merit: 18509
April 09, 2022, 04:36:08 PM
#28
You are still not addressing any of the very valid concerns being raised in this thread.

> Wasabi Wallet 2.0 is decades ahead of other privacy solutions in Bitcoin.

Will 2.0 also censor users? If so, then you can't honestly claim to be decades ahead of anything.

> There's Samourai that's a scam

In what way? Because they know your xpub if you don't run Dojo, the same as any other SPV wallet? Bit of a stretch to call that a scam.

> That leaves JoinMarket that's coming along nicely

Cool, let's all use that then.
member
Activity: 99
Merit: 326
April 09, 2022, 04:09:51 PM
#27
Wasabi Wallet 2.0 is decades ahead of other privacy solutions in Bitcoin. There's Samourai that's a scam and so aggressive they scare away every newcomer who would like to develop for Bitcoin privacy. That leaves JoinMarket that's coming along nicely, however as a project without funding, its development is much slower.
legendary
Activity: 2268
Merit: 18509
April 03, 2022, 10:27:16 AM
#26
> Anyhow, I agree with you and that's what we're doing: https://blog.wasabiwallet.io/zksnacks-blacklisting-update/

That blog post doesn't explain a single thing you are doing to fight this; it just makes a list of excuses as to why you are selling out, followed by a final two paragraphs reminding everyone how great you are for selling them out. Not to mention some very dubious statements it makes, such as:

> The alternative, discontinuing zkSNACKs would have set back Bitcoin privacy for decades.

Lol. Decades? Bitcoin is only 13 years old but your wallet is so amazing that without it Bitcoin would have been set back decades? Come on.

> Blacklisting by the default coordinator, while undesirable, is a small price to pay for the future of Bitcoin's privacy.

Right, because if you didn't start censoring people, then privacy as we know it would be over. :rolleyes:

> The zkSNACKs coordinator having a blacklist does not mean Wasabi Wallet monitors or collects user data.

No, you'll just hire a blockchain analysis company instead and get them to spy on people on your behalf, as your team stated on Telegram. Because I definitely want my coinjoin fees to go straight to a blockchain analysis company. Don't you just love paying people to spy on you?

You can't claim to be protecting privacy while also being pro-censorship, since to censor certain outputs you must first invade the privacy of everybody using your service. Even the users who aren't censored are being monitored by whatever blockchain analysis companies you hire to make sure they are being good little citizens, and they are paying for the privilege of being spied on.
hero member
Activity: 882
Merit: 5818
not your keys, not your coins!
April 03, 2022, 09:41:38 AM
#25
> > > Wasabi is the most popular privacy solution on Bitcoin
> >
> > If you believe that to be true, then all the more reason you should be fighting to protect that privacy and not capitulating of your own free will, even before being forced to by any legislation.
>
> This is a fact, not an opinion: https://github.com/nopara73/Dumplings
>
> Anyhow, I agree with you and that's what we're doing: https://blog.wasabiwallet.io/zksnacks-blacklisting-update/
> It's just legislation isn't the only way criminal organizations like governments are going after you. Not even the primary one.

I only see excuses and justifications; no attempts to apologize and make things better, such as reverting the decision, since there are no legal reasons to do something like this right now. And those premium devs that you can hire with your super company money, could come up with something better before such laws kick in. It's clear that you guys chose the 'easy way'. Took the 'blue pill', if you wish.

One idea that I randomly came up with was: shut down your centralized coordinator, explain how to set up own coordinators and introduce a way in the GUI to set that 'custom coordinator'. Maybe keep the zkSNACKS one running as a fallback for a transition period. That's just one idea of many that your highly specialized, trained professional developer team might consider along with many others that they have much higher chances to think of than myself.
member
Activity: 99
Merit: 326
April 03, 2022, 09:30:06 AM
#24
> > Wasabi is the most popular privacy solution on Bitcoin
>
> If you believe that to be true, then all the more reason you should be fighting to protect that privacy and not capitulating of your own free will, even before being forced to by any legislation.

This is a fact, not an opinion: https://github.com/nopara73/Dumplings

Anyhow, I agree with you and that's what we're doing: https://blog.wasabiwallet.io/zksnacks-blacklisting-update/
It's just legislation isn't the only way criminal organizations like governments are going after you. Not even the primary one.
legendary
Activity: 2268
Merit: 18509
April 03, 2022, 04:45:50 AM
#23
> Wasabi is the most popular privacy solution on Bitcoin

If you believe that to be true, then all the more reason you should be fighting to protect that privacy and not capitulating of your own free will, even before being forced to by any legislation.

> Actually I find the best option to have a cold storage and not a hardware wallet, especially a closed source one. Convenience has its price and that price is unfortunately rising.

Well, that's true. :D I gave up using my Ledger devices a long time ago, and various events from the massive data breach to them integrating a KYC debit card directly in their software have proven time and again that that was the right decision. But lots of people will continue to use hardware devices for their convenience over setting up airgapped cold storage.

> Using a different seed phrase will not work because in order to change the seed you have to enter wrong PIN 3 times and reset the device. The result is that the apps have to be reinstalled at the moment the device has your HD seed and this procedure is done with (drums) Ledger Live. Yeah... :(

I thought there was an option in the settings to simply enter a new seed phrase, but I must be confusing it with a different hardware wallet. As I said, it's been a while since I used one.
legendary
Activity: 1512
Merit: 4795
April 03, 2022, 04:10:51 AM
#22
> Actually I find the best option to have a cold storage and not a hardware wallet, especially a closed source one. Convenience has its price and that price is unfortunately rising.

Just that hardware wallets support several altcoins unlike cold storage like airgapped devices. Aside that, no other convenience, like while making transaction. It is a good option for people that just want to be making use of bitcoin to go for airgapped device. No one would know if the device is actually a cold storage wallet or not. Hardware wallet that has an element of closed source is worst, be it its software or secure element or anything used in the wallet makeup.
legendary
Activity: 3668
Merit: 6382
April 03, 2022, 02:35:41 AM
#21
> I don't think you can say that for sure. Given that on Ledger devices you can enter a passphrase without opening the bitcoin app, then clearly it can still access the seed phrase and perform operations on it, which will include potentially deriving public keys. Given it is closed source, we can't say for sure this isn't happening.

That's true.

> I think the best option is to have your basic wallet completely empty and only store coins behind additional, temporary passphrases. If you then only unlock your wallet but never enter a passphrase before connecting to Ledger Live for updates, and only open your passphrased wallets when connected to your own Electrum server or similar, then this should (but again, we can't be certain) prevent the public keys from your passphrased wallets being leaked during an update.
>
> Alternatively have a dummy seed phrase which you enter to the device prior to any updates, and then restore your real seed phrase after.

Actually I find the best option to have a cold storage and not a hardware wallet, especially a closed source one. Convenience has its price and that price is unfortunately rising.

Using a different seed phrase will not work because in order to change the seed you have to enter wrong PIN 3 times and reset the device. The result is that the apps have to be reinstalled at the moment the device has your HD seed and this procedure is done with (drums) Ledger Live. Yeah... :(
member
Activity: 99
Merit: 326
April 02, 2022, 10:42:45 AM
#20
> But even then. We have some like Wasabi that just turn bad over time.

Wasabi did not turn bad. It's not like anyone is happy with what happened, but the fact is, Wasabi is the most popular privacy solution on Bitcoin, which makes it the most endangered Bitcoin project in existence.
legendary
Activity: 2268
Merit: 18509
April 02, 2022, 05:10:57 AM
#19
> If you don't start the Bitcoin app (the one installed inside your HW) in Ledger Live they don't know your xpub. So imho you can update without them knowing everything about you. Am I missing something?!

I don't think you can say that for sure. Given that on Ledger devices you can enter a passphrase without opening the bitcoin app, then clearly it can still access the seed phrase and perform operations on it, which will include potentially deriving public keys. Given it is closed source, we can't say for sure this isn't happening.

I think the best option is to have your basic wallet completely empty and only store coins behind additional, temporary passphrases. If you then only unlock your wallet but never enter a passphrase before connecting to Ledger Live for updates, and only open your passphrased wallets when connected to your own Electrum server or similar, then this should (but again, we can't be certain) prevent the public keys from your passphrased wallets being leaked during an update.

Alternatively have a dummy seed phrase which you enter to the device prior to any updates, and then restore your real seed phrase after.
hero member
Activity: 882
Merit: 5818
not your keys, not your coins!
April 01, 2022, 07:36:05 PM
#18
> The question is, what will they do with all this data? Will they provide information to governments on demand?
> ~
> There are many more surprises ahead of us from Ledger.

That's not a big question, honestly. Especially financial information is very lucrative on the data market; alone the fact that someone owns any cryptocurrency or not is very valuable.
Have a look at this infographic, for instance.

I also don't believe after following different topics in the forum here, anything coming from Ledger will be really surprising. We can expect data selling, data breaches, low-quality devices and bad customer support, unfortunately.

legendary
Activity: 1792
Merit: 1296
keep walking, Johnnie
April 01, 2022, 02:45:17 PM
#17
> > Device session identifier, IP address, clicks, actions, language and region for your operating system, transactions, etc.
>
> It's really funny and even ridiculous: they are lying even about not collecting the information about bitcoin addresses user generates with their Ledger Live application:
>
> > Posted by u/Crypto_Economist42, 1 year ago
> > Does Ledger collect addresses from Ledger Live and associate them with any personal information collected?
> >
> > btchip (Ledger Co-Founder), 1 yr. ago
> > No. You can check that in the privacy policy you agreed to when using the product.
>
> Their Privacy Policy clearly states that they collect user's information about "currency, time stamp, amount and status of transactions, transaction identifier, identifier used by our partners to identify you."

It seems that Ledger's "right hand" (support department) doesn't know what his "left hand" (programming department) is doing. Constantly confused in their evidence. This immediately causes distrust and doubts about the reliability of this company.


> It has long been known that Ledger guys want to know everything about their customers, which is one of the reasons why they made it so difficult to purchase a Ledger device. Users have to undergo the full process of verification and identification if they want their products. You simply can't buy Ledger anonymously with cryptocurrency. In order to purchase, you have to use either your credit card that is already attached to your real identity and bank account or your verified account on PayPal, Crypto.com, BitPay that also will contain information about your identity. All that means that not only will Ledger know you purchased a hardware wallet from them, but also everyone else should a data breach occur, including your government should it request information from one of these entities.

Now we understand their "inner kitchen", but unfortunately it's a little late. This company has sold millions of devices, which means that they have obtained a lot of sensitive information about millions of their customers in a cunning way.

The question is, what will they do with all this data? Will they provide information to governments on demand?

The law will affect exchanges and non-custodial wallets, such as metamask, ledger and trezor, as I explained.
Read more here: Goodbye, privacy, goodbye, it was nice while it lasted.

There are many more surprises ahead of us from Ledger.
legendary
Activity: 3332
Merit: 6809
April 01, 2022, 11:08:20 AM
#16
OP, you've been critical of Ledger for as long as I can remember, and I used to politely disagree with you (if I recall correctly), but everything you've said stuck in my mind and produced doubts--doubts that kept growing and growing until I finally decided to ditch Ledger a couple of weeks ago. 

I don't like the fact that they use a closed-source code, and I don't like their data collection and privacy practices.  In fact, I'm uncomfortable enough with those things that I moved my coins off my device and into separate wallets (fortunately I don't own that many coins, and the amounts are small anyway).  So I thank you for being the canary in the coalmine for so long, because I have a feeling Ledger's policies are going to backfire on them, but it's their users who are going to get their heads blown off.

Too bad, because I loved the Nano S and X and the fact that they supported so many coins.  If anyone from Ledger ever reads this, tell someone high up to get the company's shit together.
legendary
Activity: 3668
Merit: 6382
April 01, 2022, 10:23:53 AM
#15
If you don't start the Bitcoin app (the one installed inside your HW) in Ledger Live they don't know your xpub. So imho you can update without them knowing everything about you. Am I missing something?!
Of course, if you use their wallet, ... that's entirely your fault.
legendary
Activity: 3458
Merit: 6231
April 01, 2022, 10:20:11 AM
#14
> > I'm no fan of Ledger's stance on user data and privacy, but this is not unique to them or even unique to hardware wallets. If you use any wallet which goes through any server which is not your own server pointed at your own node, then whoever runs that server will absolutely be able to see your IP address and details of every address you query and every transaction you make, as well as any other unique identifiers the wallet software communicates to them, and can keep that data for as long as they want and share it with anyone that they want.
>
> This is only partially true, because I can use Electrum or some other wallet that maybe have records of my IP addresses and transactions, but they are not sharing that info with any partners of parties that pay more, and they don't keep this data for five years.
> In Trezor hardware wallet used with Trezor Suite app I can disable sending of all information (in settings) and I can enable Tor to hide my IP address.
> This is what Trezor can collect if you enable anonymous data collection:
> https://docs.trezor.io/trezor-suite/misc/analytics.html
>
> > is there no way to do this offline?
>
> There is no way you can update ledger offline and you must use normal computer, not a mobile device for this process.


Not to be snarky but how do you know what data I am keeping / selling if you connect to my electrum node.
Unless you are running it yourself you really don't know.

Side note, although a magnitude or two or three more difficult and expensive same thing can be done with lightning.
Build enough nodes connected to each other and some major services that use it. Set the fees to 0 so other nodes will route through you and you could get a decent picture to a certain extent of what is going where.
Not perfect, but still.

Back to ledger collecting data if you need an app to update your HW wallet and just can't plug it in and upload a file to it, then yeah you never can trust what they are doing.

-Dave
legendary
Activity: 2310
Merit: 4313
🔐BitcoinMessage.Tools🔑
April 01, 2022, 04:37:57 AM
#13
> Device session identifier, IP address, clicks, actions, language and region for your operating system, transactions, etc.

It's really funny and even ridiculous: they are lying even about not collecting the information about bitcoin addresses user generates with their Ledger Live application:

> Posted by u/Crypto_Economist42, 1 year ago
> Does Ledger collect addresses from Ledger Live and associate them with any personal information collected?
>
> btchip (Ledger Co-Founder), 1 yr. ago
> No. You can check that in the privacy policy you agreed to when using the product.

Their Privacy Policy clearly states that they collect user's information about "currency, time stamp, amount and status of transactions, transaction identifier, identifier used by our partners to identify you."

It has long been known that Ledger guys want to know everything about their customers, which is one of the reasons why they made it so difficult to purchase a Ledger device. Users have to undergo the full process of verification and identification if they want their products. You simply can't buy Ledger anonymously with cryptocurrency. In order to purchase, you have to use either your credit card that is already attached to your real identity and bank account or your verified account on PayPal, Crypto.com, BitPay that also will contain information about your identity. All that means that not only will Ledger know you purchased a hardware wallet from them, but also everyone else should a data breach occur, including your government should it request information from one of these entities.
hero member
Activity: 882
Merit: 5818
not your keys, not your coins!
March 30, 2022, 02:18:05 PM
#12
> Basically every website and company does that, but they are not so clear about.

Except that I can put an SD card with a firmware file on it into my Foundation Passport and it updates itself without any data sent to anyone.

This should be the default and relatively easy to implement. BitBox02 has had this for 5+ years now if my memory serves me correctly.
legendary
Activity: 2268
Merit: 18509
March 30, 2022, 07:10:18 AM
#11
> You can create 2 wallets, using a passphrase. Then, you can use ledger live only in your empty wallet to update the firmware.

I already explained this option in my reply you quoted. I was looking for a way where you can download the update manually and then flash it on an offline computer. It doesn't seem this is possible.

> I just gave an example and we are not talking about some random people who run servers, we are talking about official wallet developers who openly say what they are doing.

I appreciate that, but I think the distinction is academic. The outcome in both cases is the same: Some third party is collecting your data, storing it, and sharing it, and if you don't want that to happen, then you need to run your own node.

> It is clear to me now that any custodial wallet and any Closed Source software is going to collect and sell information about you.

This is the way. Closed source software such as Windows and centralized services such as Google and Facebook have spent years collecting and selling your data. Why would cryptocurrency be any different, especially when governments are taking such an interest in controlling and monitoring it?