Ninjastic
Search content
Sort by
Showing 8 of 8 results by 1a5f9842524
Post
Topic
Board Armory
Re: Why is Armory sending our *USERNAMES* to bitcoinarmory.com ‼️
by
1a5f9842524
on 10/08/2014, 00:41:40 UTC
Quote from: etotheipi on August 10, 2014, 12:22:24 AM

It's quite clear that those two pieces of data do have pretty serious privacy implications.  I want to fix this ASAP.  


Thank you.
Post
Topic
Board Armory
Re: Why is Armory sending our *USERNAMES* to bitcoinarmory.com ‼️
by
1a5f9842524
on 09/08/2014, 22:32:48 UTC
Quote from: Gummo on August 09, 2014, 10:21:02 PM
Not really. One can broadcast the raw tx let's say on blockchain.info when the client is closed. I did it a few times myself.

You're of a very small majority.
Post
Topic
Board Armory
Re: Why is Armory sending our *USERNAMES* to bitcoinarmory.com ‼️
by
1a5f9842524
on 09/08/2014, 21:01:23 UTC
Quote from: pand70 on August 09, 2014, 08:55:11 PM
Quote from: 1a5f9842524 on August 09, 2014, 01:47:51 PM
It's not hard to imagine how this would be connected with the transactions a person makes just due to the timings of the requests.

Running armory doesn't necessarily mean that you are performing transactions, so i don't think any connections can be made by that.

Sure they can.

You know that the user won't be making transactions when the application is closed, so you can start to eliminate transactions on the chain which couldn't possibly have been theirs. Armory doesn't use compressed point pubkeys, and does not reuse addresses which you can use to further filter the transactions you see. With the last two features alone you can eliminate a large portion of all transactions in each block as being not possibly being made by Armory.

Having 32 bits of the home folder hash is actually pretty devastating to your privacy as well. Within that space you could search bitcointalk user names for example with only a 1 in 4 billion chance of a false positive per attempt. I'd bet on a lot of people having user names that very much match with their bitcointalk ones.
Post
Topic
Board Armory
Re: Why is Armory sending our *USERNAMES* to bitcoinarmory.com ‼️
by
1a5f9842524
on 09/08/2014, 20:20:46 UTC
Quote from: etotheipi on August 09, 2014, 02:27:03 PM
We added the unique ID so that we have a way to count unique users without logging IP addresses.

Your Privacy Policy (which oddly enough I've never seen before now) says that you only log IP addresses. Which is it? 

https://i.imgur.com/6xPsGpU.jpg

Collecting 32 bits worth of people's usernames is not mentioned in the Privacy Policy at all, ergo you shouldn't be doing it. It also mentions nothing about sending it to Amazon S3, or to Cloudflare which you use to host the ping domains.
Post
Topic
Board Armory
Re: Why is Armory sending our *USERNAMES* to bitcoinarmory.com ‼️
by
1a5f9842524
on 09/08/2014, 20:04:40 UTC
Quote from: etotheipi on August 09, 2014, 02:52:18 PM

The 30 minutes isn't to for "collection", it's for announcement checking.  If there's a hard fork and people are potentially going to lose money, we need users to be aware as soon as possible.


Why don't you use the alert system in Bitcoind just like everybody else? It would be instant and more reliable, only you wouldn't be able to collect personal information with that method.



Quote from: etotheipi on August 09, 2014, 03:00:16 PM
Quote from: ForgottenPassword on August 09, 2014, 02:53:29 PM
Quote from: etotheipi on August 09, 2014, 02:52:18 PM
The 30 minutes isn't to for "collection", it's for announcement checking.  If there's a hard fork and people are potentially going to lose money, we need users to be aware as soon as possible.

You don't need to send the installation ID when checking for announcements. Why would you need that?

So that we don't "count" that ping as a unique user.  Our goal is to get a rough gauge of how many people are using Armory, and what the OS & version distribution is.  That's all we use the data for.  If we send a ping without the ID, we don't know if it's a duplicate. 


Utter nonsense.

If you wanted a unique anonymous ID you would have generated a few random bytes and used that. Instead you used a highly identifying, personal piece of information and sent it to your remote server along with the IP address of the user. There's no way you can pretend that was a mistake from somebody who is writing wallet software.

Why don't you do us a favor and delete all the information you've collected without your users consent.
Post
Topic
Board Armory
Re: Why is Armory sending our *USERNAMES* to bitcoinarmory.com ‼️
by
1a5f9842524
on 09/08/2014, 14:33:10 UTC
Quote from: etotheipi on August 09, 2014, 02:27:03 PM
The code you posted doesn't send your username to bitcoinarmory.com, it sends the truncated hash of your user home directory path.  This does not give us any information about you except that it will be the same when your system makes multiple requests for version/announcement information.   We intentionally chose this instead of tracking by IP because we knew that IP logging was "not cool". 

That's pretty much synonymous, most people will have their user name set to either their common pseudonym or their full name. If you have a batch of people who you think might have sent a transaction, 4 bytes of the hash is more than enough to work out which one.

Sending any personal information at all is "not cool", especially when nobody was told about it in the first place.


Quote from: etotheipi on August 09, 2014, 02:27:03 PM
As a company, we have to have some way to measure our userbase, and we felt this was the least intrusive way possible.  And you can opt-out.

Why ping every 30 minutes?


Quote from: etotheipi on August 09, 2014, 02:27:03 PM
We also add the ability for you disable this by running with "--skip-annuonce-check".

You can't expect a user to apply this every single time they load up the client. Not giving the option in the GUI is intentionally obstructive.
Post
Topic
Board Armory
Re: Why is Armory sending our *USERNAMES* to bitcoinarmory.com!?
by
1a5f9842524
on 09/08/2014, 14:04:58 UTC
Quote from: ForgottenPassword on August 09, 2014, 01:50:52 PM
The GUI gave me the impression that I had to press "Check for updates" before it would "dial home", apparently I was wrong.
I thought that too. All the better to ruin your privacy with I suppose.
Code:
DEFAULT_FETCH_INTERVAL = 30*MINUTE


Quote from: ForgottenPassword on August 09, 2014, 01:50:52 PM
I didn't see the comment where they admit its logged.
Code:
Use the verbose=True option to add OS, subOS, and a few "random" bytes that help reject duplicate queries.

How would they know if the requests are duplicate if they weren't logging them?

Post
Topic
Board Armory
Topic OP
Why is Armory sending our *USERNAMES* to bitcoinarmory.com ‼️
by
1a5f9842524
on 09/08/2014, 13:47:51 UTC
The Armory client makes a HTTP request bitcoinarmory.com every 30 minutes with the hash of your home folder name, OS version, and of course your IP address (proxies are ignore) at every start of the application. The only way to disable it is not an option that can be set, but a command line option you need to use every launch. The options "skip online check" and "disable software upgrade notifications" do not disable it as one would expect.

It's not hard to imagine how this would be connected with the transactions a person makes just due to the timings of the requests. Even just matching the hashes returned with usernames on this forum would be enough to identify a lot of people. As pointed out below, this does not respect proxy settings so the real IP of the user is sent to bitcoinarmory.com.

  • How much of this is being logged by Amazon S3 and bitcoinarmory.com?
  • How long are the logs kept?
  • Why aren't users told their privacy is being violated?
  • Why can't this feature be turned off in a sensible way?

This behavior is totally unacceptable.

Code:
   #############################################################################
   def getDecoratedURL(self, url, verbose=False):
      """
      This always decorates the URL with at least Armory version.  Use the
      verbose=True option to add OS, subOS, and a few "random" bytes that help
      reject duplicate queries.
      """
      argsMap = {}
      argsMap['ver'] = getVersionString(BTCARMORY_VERSION)
   
      if verbose:
         if OS_WINDOWS:
            argsMap['os'] = 'win'
         elif OS_LINUX:
            argsMap['os'] = 'lin'
         elif OS_MACOSX:
            argsMap['os'] = 'mac'
         else:
            argsMap['os'] = 'unk'
   
         try:
            if OS_MACOSX:
               argsMap['osvar'] = OS_VARIANT
            else:
               argsMap['osvar'] = OS_VARIANT[0].lower()
         except:
            LOGERR('Unrecognized OS while constructing version URL')
            argsMap['osvar'] = 'unk'
   
         if OS_WINDOWS:
            argsMap['id'] = binary_to_hex(hash256(USER_HOME_DIR.encode('utf8'))[:4])
         else:
            argsMap['id'] = binary_to_hex(hash256(USER_HOME_DIR)[:4])

      return url + '?' + urllib.urlencode(argsMap)


https://github.com/etotheipi/BitcoinArmory/blob/7bd89850a90a280e3345c29d7e0338b62f841548/announcefetch.py#L232