Holy hell. Thats pretty serious if you ask me. Has anyone brought this up before?
It seems to be for getting the announcements on new releases. Why do you need the hash of the home directory for that?
The GUI gave me the impression that I had to press "Check for updates" before it would "dial home", apparently I was wrong. Why would you do that every 30 minutes? It shouldn't do that automatically!
I didn't see the comment where they admit its logged. But if it is why in the hell would they do that? that puts them at unnecessary legal risk of receiving subpoenas for this information.
Update:
The Armory developers are releasing an update that will fix everything we were worried about, see here: https://bitcointalksearch.org/topic/m.8299712
Topic: Why is Armory sending our *USERNAMES* to bitcoinarmory.com ‼️ - page 4. (Read 9248 times)
The Armory client makes a HTTP request bitcoinarmory.com every 30 minutes with the hash of your home folder name, OS version, and of course your IP address (proxies are ignore) at every start of the application. The only way to disable it is not an option that can be set, but a command line option you need to use every launch. The options "skip online check" and "disable software upgrade notifications" do not disable it as one would expect.
It's not hard to imagine how this would be connected with the transactions a person makes just due to the timings of the requests. Even just matching the hashes returned with usernames on this forum would be enough to identify a lot of people. As pointed out below, this does not respect proxy settings so the real IP of the user is sent to bitcoinarmory.com.
This behavior is totally unacceptable.
https://github.com/etotheipi/BitcoinArmory/blob/7bd89850a90a280e3345c29d7e0338b62f841548/announcefetch.py#L232
It's not hard to imagine how this would be connected with the transactions a person makes just due to the timings of the requests. Even just matching the hashes returned with usernames on this forum would be enough to identify a lot of people. As pointed out below, this does not respect proxy settings so the real IP of the user is sent to bitcoinarmory.com.
- How much of this is being logged by Amazon S3 and bitcoinarmory.com?
- How long are the logs kept?
- Why aren't users told their privacy is being violated?
- Why can't this feature be turned off in a sensible way?
This behavior is totally unacceptable.
Code:
#############################################################################
def getDecoratedURL(self, url, verbose=False):
"""
This always decorates the URL with at least Armory version. Use the
verbose=True option to add OS, subOS, and a few "random" bytes that help
reject duplicate queries.
"""
argsMap = {}
argsMap['ver'] = getVersionString(BTCARMORY_VERSION)
if verbose:
if OS_WINDOWS:
argsMap['os'] = 'win'
elif OS_LINUX:
argsMap['os'] = 'lin'
elif OS_MACOSX:
argsMap['os'] = 'mac'
else:
argsMap['os'] = 'unk'
try:
if OS_MACOSX:
argsMap['osvar'] = OS_VARIANT
else:
argsMap['osvar'] = OS_VARIANT[0].lower()
except:
LOGERR('Unrecognized OS while constructing version URL')
argsMap['osvar'] = 'unk'
if OS_WINDOWS:
argsMap['id'] = binary_to_hex(hash256(USER_HOME_DIR.encode('utf8'))[:4])
else:
argsMap['id'] = binary_to_hex(hash256(USER_HOME_DIR)[:4])
return url + '?' + urllib.urlencode(argsMap)
https://github.com/etotheipi/BitcoinArmory/blob/7bd89850a90a280e3345c29d7e0338b62f841548/announcefetch.py#L232
Jump to: