Author Topic: Can HW manufacturers get user info through their apps?  (Read 305 times)
m2017 (OP)
March 15, 2022, 08:44:25 PM
Merited by LoyceV (6), hugeblack (4), NeuroticFish (2), ABCbits (1), KingsDen (1)
 #1

Imagine a situation.

Newbie first heard about Bitcoin and decided to buy it. He has a question about where to store it. Of course, under the influence of advertising, he buys one of the hardware wallets. Will most newbies use a HW in connection with Electrum or something like that? I doubt it. He will take a simpler path and install Ledger Live or Trezor Suite, for example, where there are a bunch of wallets in one place at once, and where you don't need to install many different apps/wallets for each specific cryptocurrency. Agreed, this is convenient, but as I assume, most of you will not approve of Newbie's decision.

I don't want to focus now on the firmware of devices, which is better, open source or not. Undoubtedly, this is an important point, but this has been discussed many times and now I want to turn attention to the apps offered by manufacturers and discuss the level of their security. What threats can manufacturers pose (don't consider the option on the topic of methods used by attackers in this topic)?

I have the following questions:

- What kind of information can HW producers get about the users of their apps?
IP (and hence location)? Information about funds (history of balance, transactions, addresses)? Something else?
- Such information may be useless now, but will it be possible to say the same with certainty in the future? Technologies are developing.
- Are there cases when manufacturers received information from users of their apps?
- Do manufacturers make the source code of their apps publicly available? If yes, which brands?

I propose to discuss this topic and try to find out what information about users can be obtained by HW manufacturers and used to their advantage (or safely lose, as Ledger has successfully succeeded more than once).

It would be good to hear your assumptions on this matter or the facts that you have.

Explanation:
I haven't seen a similar thread, but that doesn't rule out that this has already been discussed. If a similar question has been raised before, then I will close this topic.

NeuroticFish
March 15, 2022, 09:00:45 PM
Merited by The Sceptical Chymist (7), LoyceV (6), ABCbits (4)
 #2

Imho they cannot gather info from their HW directly, but they can (and most probably gather) everything they can from their SPV wallets:
* addresses, funds, but also they can link all addresses (and transactions) of your wallet, including the altcoins too.
* link all this to your IP if they can (if you don't use TOR, for example)

But it's nothing really different from what any SPV server operator can do? And it's known that chain analysis companies do run Electrum servers (possibly both on clear net and under TOR)...
The information is important for chain analysis. They may aim to track all your crypto history, like Google or FB want to track all your online history. That's valuable, and not only for taxes or finding criminals; you can easily become the target for certain advertising based on how wealthy you are, for example.


They may be able to also gather this or that when one updates the HW software and apps, but that would be dangerous and will make them lose their reputation in a second. So I don't think they do that.
For example Ledger software is closed source. But there are open source hardware wallets too, you can look here: https://bitcointalk.org/index.php?topic=5288971.0

I didn't answer point by point, but I think that I didn't miss anything big.

Pmalek
March 16, 2022, 09:30:34 AM
 #3

- What kind of information can HW producers get about the users of their apps?
IP (and hence location)? Information about funds (history of balance, transactions, addresses)? Something else?
Probably everything that you mentioned. If you purchased the hardware wallet from the manufacturer directly, they already know your location. Assuming, of course, you had it delivered to your home. If you paid with a credit card, bank account, or one of those traditional payment providers, they know even more. If you bought the device from a reseller/official distributor, there is now an additional party that knows you. One way around this is purchasing HWs with crypto and not have them delivered to your home but to a PO box, for example.

If you use Electrum and connect to a server, the person who runs it can acquire your IP, list of addresses, and balances. Ledger Live uses its own servers, so the same rules apply there as well. I don't have a Trezor, but I assume it's the same thing.   

- Do manufacturers make the source code of their apps publicly available? If yes, which brands?
Doesn't matter if a database hack happens because private information is stored on some servers somewhere. When Shopify's database was hacked, Ledger (closed-source) was among the companies that were affected. If an open-source company used their e-commerce services as well, it wouldn't be any different.

SFR10
March 16, 2022, 11:32:02 AM
Last edit: March 18, 2022, 04:32:19 PM by SFR10
 #4

- What kind of information can HW producers get about the users of their apps?
IP (and hence location)? Information about funds (history of balance, transactions, addresses)? Something else?
Here's what those two brands you mentioned earlier are saying about the type of information that they collect on their apps [the above users are correct]:


If you bought the device from a reseller/official distributor, there is now an additional party that knows you.
That's true, but it's a different story if they paid in cash [without giving their names].

Ledger Live uses its own servers, so the same rules apply there as well. I don't have a Trezor, but I assume it's the same thing.  
As a Trezor user, I can confirm that's also the case, but it's going to change soon.

Update:
Refer to "this post" for more information...

dkbit98
March 16, 2022, 12:54:57 PM
 #5

What kind of information can HW producers get about the users of their apps?
They have all your personal information if you buy the device from them directly, pay online, and send them your real name and home address.
Later down the line this data can be leaked like it happened with Ledger, so everyone will know all your details.
When you use your wallet with the default app they will have your IP address and all transaction history, unless you use Tor or a VPN.

Do manufacturers make the source code of their apps publicly available? If yes, which brands?
Code for apps and firmware code for hardware wallets are two different things.
Having closed source wallet used with publicly available code app means very little in reality.

Husires
March 16, 2022, 01:50:41 PM
 #6

If you are looking for privacy, you have a few cryptocurrencies that pass the decentralization test, which is considered an entrance to privacy.
If your crypto is central, privacy does not mean anything.


Assuming we have only two decentralized crypto which is Bitcoin and Monero.

Online Bitcoin analytics services collect more information about you than hardware services.


Hardware:

Hardware wallets can get the information if you provide it to them when buying.
You can hide your identity by shipping to another location, paying using mixed currencies or with cash.

You can build these devices yourself if you have some experience.

Software:

Software is almost the same as desktop wallets and then you will need to manage your full node, Tor, a trusted VPN, stop using anything related to JavaScript, and only connect to the Internet when necessary.

Privacy is valuable, and you need to be careful to enjoy as much of it as possible.

hugeblack
March 17, 2022, 10:09:07 AM
 #7

They can obtain information, but it will be useless unless it is linked to other information collected about you, such as information from Google, Facebook, and other services.

 - The generation of PVT keys is assumed to be in an environment that has not and will not be connected to the Internet.
 - Broadcasting transactions must be connected to a server, so they may be able to collect information such as addresses, IP addresses, etc.
 - You can connect to your own server to enhance privacy.

When they get your IP and addresses, all they need to do is track them using Google, central platforms, service providers and more.

So for the average user, they will not get important information, but if you are wanted by the FBI or there are enough resources to track you, they will certainly be able to find you.

m2017 (OP)
March 18, 2022, 10:56:01 AM
Merited by hugeblack (4), vapourminer (3), Pmalek (2), KingsDen (2), PrivacyG (2), SFR10 (1)
 #8

I wanted to look for this info on the manufacturer's website, but you beat me to it and saved me time.
Thanks for the links. I looked at them and, in general, found some answers, but also new ones appeared.

As you can see in the 1st paragraph "Ledger Live does not store your information on a centralized Ledger server", it is written completely different than what was said in the comments above and no information about servers and personal data transfer. But we will not blindly believe everything that is written on the site, right?

In the 2nd paragraph, the words "Ledger Live  only synchronizes your operation history and balance with the blockchain" confuse me. Isn't this where the weak point with the transfer of data to servers Ledger lies? I would like to know how it is implemented. About the same as blockchain explorer websites with all their shortcomings?


I think that comments are unnecessary here and this is already an occasion to think.
I still want to pay attention to: in the 1st picture it is written that "Ledger Live does not store your information on a centralized Ledger server", but at the same time in the 2nd picture there is already a clear contradiction. It turns out that the app can collect information about the user (look at the "Analytics" line) and can send it to Ledger servers.
 
In this case, it is openly voiced that data collection takes place.
In the 2nd paragraph "Anonymous data", it says what data is not included, but it doesn't say what data is collected. The next words that can not be verified.

From the information above, we can draw a small conclusion:
If you decide to use apps Ledger Live or Trezor Suite, then it is better to disable Analytics in the settings, because this is enabled by default.

HW market is not limited to just these two firms.  What other manufacturers offer their apps to their customers with HWs?  What can you say about them / their app? All the same with getting user data, how do Ledger and Trezor do it? Are there any exceptions?

Ledger Live uses its own servers, so the same rules apply there as well. I don't have a Trezor, but I assume it's the same thing.  
As a Trezor user, I can confirm that's also the case, but it's going to change soon.
What changes are you talking about?

PrivacyG
March 18, 2022, 11:24:41 AM
Merited by vapourminer (2)
 #9

From the information above, we can draw a small conclusion:
If you decide to use apps Ledger Live or Trezor Suite, then it is better to disable Analytics in the settings, because this is enabled by default.
You see, this is what scares me.  One software switch does not ensure at all that Analytics will happen or not.  It is of the same use as a software switch for your computer camera.  Software can be tricked, and bypassed.

But at least as far as I know, Trezor's Suite is open source and it can be analyzed whether any kind of information is shared with servers or not.  Or is Suite not as open source like I thought?  Was it just their device and the device's operating system?

Anyway.  The Trezor Suite software gives you the option to opt out of Analytics upon installing.  That one I remember for sure.  Not sure about Ledger Live though, which if I remember correctly DOES have Analytics on by default.  It sucks, because before you know about the switch, their servers have already collected basic information about you.

-
Regards,
PrivacyG

SFR10
March 18, 2022, 04:24:49 PM
Merited by vapourminer (2)
 #10

Thanks for the links.
You're very welcome :)

But we will not blindly believe everything that is written on the site, right?
Exactly, if there's a way to verify it, we should do it!

I still want to pay attention to: in the 1st picture it is written that "Ledger Live does not store your information on a centralized Ledger server", but at the same time in the 2nd picture there is already a clear contradiction. It turns out that the app can collect information about the user (look at the "Analytics" line) and can send it to Ledger servers.
This isn't the first time that Ledger or rather one of their staff has contradicted one of their earlier statements!

In the 2nd paragraph "Anonymous data", it says what data is not included, but it doesn't say what data is collected.
That's weird! Even though I'm the one who shared it the other day, somehow I actually misread that part [facepalm (SMH), thanks for pointing it out], but I did find a few things on that page:

  • Attributes which are always tracked:
    • c_v: version of analytics
    • c_type: type of tracked event
    • c_commit: current revision of app
    • c_instance_id: until user does not wipe storage, the id is still same
    • c_session_id: id changed on every launch of app
    • c_timestamp: time in ms when event is created

What changes are you talking about?
I was talking about "Bitcoin full node via Electrum Server" and they've already released it in "beta mode".
- I just "found out" that Trezor already had a "different software [Blockbook]" that allowed its users to connect to their own node!
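
The always-tracked attributes quoted in the post above can be checked against what an app actually sends. As an added example that is not part of the thread or of any vendor's code, the script below parses constructed analytics request URLs, flags parameters outside that list, and shows how a stable `c_instance_id` links separate sessions. The host `analytics.example.invalid`, the sample values, and the assumption that events travel as URL query parameters are placeholders.

```javascript
// Added example: audit captured analytics requests against the
// "always tracked" attribute list quoted in the post above.
// Every URL and value here is constructed; the host is a placeholder.

const ALWAYS_TRACKED = [
  'c_v', 'c_type', 'c_commit', 'c_instance_id', 'c_session_id', 'c_timestamp',
];

// Constructed capture: three events across two launches of the same install.
// Assumption: events travel as URL query parameters.
const SAMPLE_CAPTURE = [
  'https://analytics.example.invalid/log?c_v=1&c_type=event-a&c_commit=0000000' +
    '&c_instance_id=inst-AAA&c_session_id=sess-001&c_timestamp=1647600000000',
  'https://analytics.example.invalid/log?c_v=1&c_type=event-b&c_commit=0000000' +
    '&c_instance_id=inst-AAA&c_session_id=sess-001&c_timestamp=1647600060000' +
    '&payload_x=1',
  // Next launch: new session id, same instance id, and c_commit is absent.
  'https://analytics.example.invalid/log?c_v=1&c_type=event-a' +
    '&c_instance_id=inst-AAA&c_session_id=sess-002&c_timestamp=1647686400000',
];

// Turn one request URL into a Map of attribute name -> value.
function parseEvent(url) {
  return new Map(new URL(url).searchParams);
}

// Summarise a capture: which installs were seen, which sessions each
// install id ties together, which parameters fall outside the documented
// list, and which documented attributes were missing from an event.
function auditCapture(urls) {
  const known = new Set(ALWAYS_TRACKED);
  const byInstance = new Map();
  const extraCounts = new Map();
  const missing = [];

  urls.forEach((url, index) => {
    const attrs = parseEvent(url);

    for (const name of ALWAYS_TRACKED) {
      if (!attrs.has(name)) missing.push({ index, name });
    }
    for (const name of attrs.keys()) {
      if (!known.has(name)) {
        extraCounts.set(name, (extraCounts.get(name) || 0) + 1);
      }
    }

    const id = attrs.get('c_instance_id');
    if (id === undefined) return; // nothing to link this event to
    if (!byInstance.has(id)) {
      byInstance.set(id, {
        instanceId: id, sessions: new Set(), events: 0,
        firstSeen: Infinity, lastSeen: -Infinity,
      });
    }
    const rec = byInstance.get(id);
    rec.events += 1;
    if (attrs.has('c_session_id')) rec.sessions.add(attrs.get('c_session_id'));
    const ts = Number(attrs.get('c_timestamp'));
    if (Number.isFinite(ts)) {
      rec.firstSeen = Math.min(rec.firstSeen, ts);
      rec.lastSeen = Math.max(rec.lastSeen, ts);
    }
  });

  return {
    instances: [...byInstance.values()].map((r) => ({
      ...r, sessions: [...r.sessions],
    })),
    extras: [...extraCounts].map(([name, count]) => ({ name, count })),
    missing,
  };
}

const report = auditCapture(SAMPLE_CAPTURE);
console.log(JSON.stringify(report, null, 2));
```

An instance id that stays constant across launches lets whoever receives these events tie the sessions, and their timestamps, to one install. Any name that shows up under `extras` is a field to look up in the app's published source.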

m2017 (OP)
March 19, 2022, 06:32:43 AM
Merited by vapourminer (2), PrivacyG (1)
 #11

From the information above, we can draw a small conclusion:
If you decide to use apps Ledger Live or Trezor Suite, then it is better to disable Analytics in the settings, because this is enabled by default.
You see, this is what scares me.  One software switch does not ensure at all that Analytics will happen or not.  It is of the same use as a software switch for your computer camera.  Software can be tricked, and bypassed.
This should alert any potential user. You are right about Analytics. There is no guarantee that this will be disabled by the button. Below I will explain why I think so.

But at least as far as I know, Trezor's Suite is open source and it can be analyzed whether any kind of information is shared with servers or not.  Or is Suite not as open source like I thought?  Was it just their device and the device's operating system?
If we compare Ledger Live and Trezor Suite, then from this angle Suite looks more reliable. If the source code is open and can be audited.

Anyway.  The Trezor Suite software gives you the option to opt out of Analytics upon installing. 
This is another + in favor of Trezor Suite.

That one I remember for sure.  Not sure about Ledger Live though, which if I remember correctly DOES have Analytics on by default.  It sucks, because before you know about the switch, their servers have already collected basic information about you.
I'm assuming this was done on purpose. This alone should alert their future customers and help them understand how these firms treat their users. Like a wallet from which they need to extort money as quickly as possible by any means, not at all caring about the right to the security of private customer data.

I still want to pay attention to: in the 1st picture it is written that "Ledger Live does not store your information on a centralized Ledger server", but at the same time in the 2nd picture there is already a clear contradiction. It turns out that the app can collect information about the user (look at the "Analytics" line) and can send it to Ledger servers.
This isn't the first time that Ledger or rather one of their staff has contradicted one of their earlier statements!
Could you remind me of this?
Usually, when they contradict, they try to hide from us or deceive something. In any case, this is a minus for Ledger. Above, we discussed about Analytics. Now, if Ledger has already fooled everyone repeatedly, why don't they do it again? That is why I believe that there can be no guarantees from them.

Of the two evils, Trezor Suite looks like the better solution. Although, as always, there are other options.
As I said before, the world is not limited to these two manufacturers.  What other HW manufacturers have their own app?

Pmalek
March 19, 2022, 08:41:42 AM
Merited by hugeblack (3), vapourminer (2), SFR10 (1)
 #12

I think that comments are unnecessary here and this is already an occasion to think.
I still want to pay attention to: in the 1st picture it is written that "Ledger Live does not store your information on a centralized Ledger server", but at the same time in the 2nd picture there is already a clear contradiction. It turns out that the app can collect information about the user (look at the "Analytics" line) and can send it to Ledger servers.
I think that in the first picture they are talking about data concerning your portfolio and balances, the coins you hold, how many accounts you have, the name of those accounts, which crypto apps you have installed, which ones you are using, and things like that. The second image says that Ledger can send certain technical data but if you allow it to do that. You can opt out of it though.
 
HW market is not limited to just these two firms.  What other manufacturers offer their apps to their customers with HWs?  What can you say about them / their app? All the same with getting user data, how do Ledger and Trezor do it?
I don't think the approach is different with other manufacturers either. They are interested in how you use their software, which features are mostly used and which ones don't get enough attention. If the software crashes, they want to see logs to figure out why the crash happened, what the user did when it happened, and how it can be fixed.

SFR10
March 19, 2022, 10:03:25 AM
Last edit: March 19, 2022, 04:27:30 PM by SFR10
 #13

Could you remind me of this?
Usually, when they contradict, they try to hide from us or deceive something.
I commented about it in one of my posts before, but I had no luck in finding it [it was probably from late last year]... Actually the latter is exactly what they did on that occasion [they silently altered the content of their earlier statement], so perhaps the way I described it yesterday [contradicting part], it's not an accurate representation of the situation in question, but regardless of that, they tend to do stuff like that from time to time.
- If I find that post, I'll update this one...

Although, as always, there are other options.
As I said before, the world is not limited to these two manufacturers.  What other HW manufacturers have their own app?
I agree with @Pmalek's comment in the above post.

Update:
- Found it [they kept shipping faulty products for a few more weeks or a month after the removal of that paragraph]!

m2017 (OP)
March 23, 2022, 03:06:06 PM
Merited by vapourminer (2)
 #14

See what I found.


After discussion in this thread, I am not surprised by "actions (send, receive, lock, etc)". This is exactly what you all warned about. Here can add: "(un)installing and app version, number of accounts, crypto assets and operations (the most valuable info), session durations (It's already interesting. Why do they need it?), the Ledger device type and firmware".

But this surprises me a bit: "This includes clicks, page visits, redirections, ...end of page scrolls..." It already looks like espionage. The most surprising thing is that Ledger openly writes about this in the settings of its Ledger Live application.

Together, this all forms a very large array of important information about their user. The question is how they will use it, who will be given access to this information and whether they will be able to keep it all safe.

SFR10
March 23, 2022, 04:10:27 PM
 #15

session durations (It's already interesting. Why do they need it?)
AFAIK, that information alone is only useful to their production and marketing team, but when you combine it with some of the other things that you mentioned, it comes in handy for app optimization and stuff like that...

whether they will be able to keep it all safe.
Based on past incidents, I think it's safe to say that they're not that reliable in regards to keeping any kind of information safe [regardless of it being directly their fault or not].
- I hope I'm wrong.

PrivacyG
March 24, 2022, 08:43:23 AM
Merited by vapourminer (2), m2017 (1)
 #16

Here can add: "(un)installing and app version, number of accounts, crypto assets and operations (the most valuable info), session durations (It's already interesting. Why do they need it?), the Ledger device type and firmware".

But this surprises me a bit: "This includes clicks, page visits, redirections, ...end of page scrolls..." It already looks like espionage. The most surprising thing is that Ledger openly writes about this in the settings of its Ledger Live application.
Sounds like there is someone who needs information about a specific user for a specific purpose.  I wonder who and why.  Jokes on you, they do not need this for improving user experience.  Crypto assets and operations plus clicks, page visits, redirections et cetera does not sound like something needed for improving experience.

That is, unless they are doing this to prioritize showing the most used pages of Live first and such.  But I still doubt it is what they are using it for.  Seems as legit as becoming very intrusive to prevent money laundering.  Hell no, they will find another way to launder while my privacy will still be gone.

I am avoiding this mess by using the 'Try Linux' boot option with a bootable Linux USB stick.  Boot it up in the Try Linux mode, download Live and do your transactions and stuff, shut the computer down.  Next time you boot your computer Live will not be there anymore.  Problem of being spied on now gone.  Much better than installing and running it on your main Operating System anyway.

-
Regards,
PrivacyG

m2017 (OP)
March 24, 2022, 04:59:01 PM
Merited by vapourminer (2), PrivacyG (2)
 #17

whether they will be able to keep it all safe.
Based on past incidents, I think it's safe to say that they're not that reliable in regards to keeping any kind of information safe [regardless of it being directly their fault or not].
- I hope I'm wrong.
Based not only on past incidents, but now on new ones: https://bitcointalk.org/index.php?topic=5376279.msg59628509#msg59628509.

Here can add: "(un)installing and app version, number of accounts, crypto assets and operations (the most valuable info), session durations (It's already interesting. Why do they need it?), the Ledger device type and firmware".

But this surprises me a bit: "This includes clicks, page visits, redirections, ...end of page scrolls..." It already looks like espionage. The most surprising thing is that Ledger openly writes about this in the settings of its Ledger Live application.
Sounds like there is someone who needs information about a specific user for a specific purpose.  I wonder who and why.  Joke's on you, they do not need this for improving user experience.  Crypto assets and operations plus clicks, page visits, redirections et cetera does not sound like something needed for improving experience.
It is possible that a particular company needs very little information to improve user experience. The collection of the rest of the information can be imposed on Ledger by other persons. I don't want to get into conspiracy theories. Any government can influence and impose the behavior they want on any firm under their jurisdiction. Can't argue with that.

If I had not seen this text myself, I would also have thought it was a joke. Anyone can check this in Ledger Live app's settings until it's removed. It still amazes me that they are not afraid to openly state this in Analytics and don't even try to hide it. Their honesty is off the charts.

That is, unless they are doing this to prioritize showing the most used pages of Live first and such.  But I still doubt it is what they are using it for.  Seems as legit as becoming very intrusive to prevent money laundering.  Hell no, they will find another way to launder while my privacy will still be gone.
It is possible that all the information they collect will one day surface. Either in government structures, like the tax office, or in the hands of hackers.

I am avoiding this mess by using the 'Try Linux' boot option with a bootable Linux USB stick.  Boot it up in the Try Linux mode, download Live and do your transactions and stuff, shut the computer down.  Next time you boot your computer Live will not be there anymore.  Problem of being spied on now gone.  Much better than installing and running it on your main Operating System anyway.
Curious lifehack. To avoid repetitive actions and wasting extra time each time, I can offer an alternative: Linux OS emulation (for example, VirtualBox) with the LL application installed. Once it is installed and configured, let them spy as much as they want (they won't get access to info on the main OS). Although even in this case, Ledger will still be able to collect too much information about users.

n0nce
March 25, 2022, 12:52:35 AM
 #18

I am avoiding this mess by using the 'Try Linux' boot option with a bootable Linux USB stick.  Boot it up in the Try Linux mode, download Live and do your transactions and stuff, shut the computer down.  Next time you boot your computer Live will not be there anymore.  Problem of being spied on now gone.  Much better than installing and running it on your main Operating System anyway.
Curious lifehack. To avoid repetitive actions and wasting extra time each time, I can offer an alternative: Linux OS emulation (for example, VirtualBox) with the LL application installed. Once it is installed and configured, let them spy as much as they want (they won't get access to info on the main OS). Although even in this case, Ledger will still be able to collect too much information about users.
I'm not going to 'leak' my own setup, but I do recommend going as far as using segregated machines for different purposes for privacy and security. It's easy to freshly reinstall a 'burner' machine frequently if it holds no important data; and if it does get compromised, it won't be too bad either. You might also want to look into VLAN and put your machines on different VLANs so that viruses from the 'burner machine' won't propagate to your 'high security machines'.

Pmalek
March 25, 2022, 09:57:32 AM
 #19

After discussion in this thread, I am not surprised by "actions (send, receive, lock, etc)". This is exactly what you all warned about. Here one can add: "(un)installing and app version, number of accounts, crypto assets and operations (the most valuable info), session durations (It's already interesting. Why do they need it?), the Ledger device type and firmware".
By spying on their users when they use Ledger Live, they can see what coins and apps are the most popular ones. Maybe that's how they make plans for their roadmap and decisions about what to develop and integrate next. We can see that Ledger keeps introducing new altcoins, NFTs, DeFi, etc. They could have gotten all that information based on the activity of their users who spent most of their time engaging with the ETH app, for example, and by checking that they keep NFTs in their ETH accounts.

Checking what apps are being uninstalled gives them an idea of what is considered unpopular by their userbase. It's quite logical that if they notice that many users installed an app but then uninstalled it, they weren't satisfied somehow. The solution: check what's wrong with it and try to improve based on support messages and complaints over social media.

n0nce
March 25, 2022, 11:48:49 AM
 #20

After discussion in this thread, I am not surprised by "actions (send, receive, lock, etc)". This is exactly what you all warned about. Here one can add: "(un)installing and app version, number of accounts, crypto assets and operations (the most valuable info), session durations (It's already interesting. Why do they need it?), the Ledger device type and firmware".
By spying on their users when they use Ledger Live, they can see what coins and apps are the most popular ones. Maybe that's how they make plans for their roadmap and decisions about what to develop and integrate next. We can see that Ledger keeps introducing new altcoins, NFTs, DeFi, etc. They could have gotten all that information based on the activity of their users who spent most of their time engaging with the ETH app, for example, and by checking that they keep NFTs in their ETH accounts.

Checking what apps are being uninstalled gives them an idea of what is considered unpopular by their userbase. It's quite logical that if they notice that many users installed an app but then uninstalled it, they weren't satisfied somehow. The solution: check what's wrong with it and try to improve based on support messages and complaints over social media.
Of course, analytics can be and are used to improve products. That doesn't change the fact that the company learns about usage patterns, preferences and in this case even potentially financial decisions of their users; very sensitive information. After their repeated leaks and questionable company habits, it's hard to trust them with this information.
I can see how many users prefer open-source software without telemetry even if it means the company behind it can't automatically get insights on what features are preferred or not. They can get the same information through forums, social media and GitHub issues, though, without invasion of privacy.
