Bitcoin Forum
August 10, 2022, 04:55:27 AM *
News: Latest Bitcoin Core release: 23.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1] 2 3 4 »  All
  Print  
Author Topic: Why is Armory sending our *USERNAMES* to bitcoinarmory.com ‼️  (Read 9155 times)
1a5f9842524
Newbie
*
Offline Offline

Activity: 8
Merit: 0


View Profile
August 09, 2014, 01:47:51 PM
Last edit: August 09, 2014, 08:55:23 PM by 1a5f9842524
 #1

The Armory client makes a HTTP request bitcoinarmory.com every 30 minutes with the hash of your home folder name, OS version, and of course your IP address (proxies are ignore) at every start of the application. The only way to disable it is not an option that can be set, but a command line option you need to use every launch. The options "skip online check" and "disable software upgrade notifications" do not disable it as one would expect.

It's not hard to imagine how this would be connected with the transactions a person makes just due to the timings of the requests. Even just matching the hashes returned with usernames on this forum would be enough to identify a lot of people. As pointed out below, this does not respect proxy settings so the real IP of the user is sent to bitcoinarmory.com.

  • How much of this is being logged by Amazon S3 and bitcoinarmory.com?
  • How long are the logs kept?
  • Why aren't users told their privacy is being violated?
  • Why can't this feature be turned off in a sensible way?

This behavior is totally unacceptable.

Code:
   #############################################################################
   def getDecoratedURL(self, url, verbose=False):
      """
      This always decorates the URL with at least Armory version.  Use the
      verbose=True option to add OS, subOS, and a few "random" bytes that help
      reject duplicate queries.
      """
      argsMap = {}
      argsMap['ver'] = getVersionString(BTCARMORY_VERSION)
   
      if verbose:
         if OS_WINDOWS:
            argsMap['os'] = 'win'
         elif OS_LINUX:
            argsMap['os'] = 'lin'
         elif OS_MACOSX:
            argsMap['os'] = 'mac'
         else:
            argsMap['os'] = 'unk'
   
         try:
            if OS_MACOSX:
               argsMap['osvar'] = OS_VARIANT
            else:
               argsMap['osvar'] = OS_VARIANT[0].lower()
         except:
            LOGERR('Unrecognized OS while constructing version URL')
            argsMap['osvar'] = 'unk'
   
         if OS_WINDOWS:
            argsMap['id'] = binary_to_hex(hash256(USER_HOME_DIR.encode('utf8'))[:4])
         else:
            argsMap['id'] = binary_to_hex(hash256(USER_HOME_DIR)[:4])

      return url + '?' + urllib.urlencode(argsMap)


https://github.com/etotheipi/BitcoinArmory/blob/7bd89850a90a280e3345c29d7e0338b62f841548/announcefetch.py#L232

1660107327
Hero Member
*
Offline Offline

Posts: 1660107327

View Profile Personal Message (Offline)

Ignore
1660107327
Reply with quote  #2

1660107327
Report to moderator
1660107327
Hero Member
*
Offline Offline

Posts: 1660107327

View Profile Personal Message (Offline)

Ignore
1660107327
Reply with quote  #2

1660107327
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1660107327
Hero Member
*
Offline Offline

Posts: 1660107327

View Profile Personal Message (Offline)

Ignore
1660107327
Reply with quote  #2

1660107327
Report to moderator
ForgottenPassword
Full Member
***
Offline Offline

Activity: 154
Merit: 100


View Profile
August 09, 2014, 01:50:52 PM
Last edit: August 11, 2014, 08:31:11 PM by ForgottenPassword
 #2

Holy hell. Thats pretty serious if you ask me. Has anyone brought this up before?

It seems to be for getting the announcements on new releases. Why do you need the hash of the home directory for that?

The GUI gave me the impression that I had to press "Check for updates" before it would "dial home", apparently I was wrong. Why would you do that every 30 minutes? It shouldn't do that automatically!

I didn't see the comment where they admit its logged. But if it is why in the hell would they do that? that puts them at unnecessary legal risk of receiving subpoenas for this information.

Update:
The Armory developers are releasing an update that will fix everything we were worried about, see here: https://bitcointalk.org/index.php?topic=731315.msg8299712#msg8299712

I have private messages disabled. Send me an email instead. My contact details can be found here.

Tip Address: 13Lwo1hK5smoBpFWxmqeKSL52EvN8U7asX
1a5f9842524
Newbie
*
Offline Offline

Activity: 8
Merit: 0


View Profile
August 09, 2014, 02:04:58 PM
 #3

The GUI gave me the impression that I had to press "Check for updates" before it would "dial home", apparently I was wrong.
I thought that too. All the better to ruin your privacy with I suppose.
Code:
DEFAULT_FETCH_INTERVAL = 30*MINUTE


I didn't see the comment where they admit its logged.
Code:
Use the verbose=True option to add OS, subOS, and a few "random" bytes that help reject duplicate queries.

How would they know if the requests are duplicate if they weren't logging them?

Dabs
Legendary
*
Offline Offline

Activity: 3304
Merit: 1895


The Concierge of Crypto


View Profile
August 09, 2014, 02:22:48 PM
 #4

This is something to consider, but I have not been using Armory because of two reasons:

1. Doesn't work on 32 bit XP.
2. Doesn't work with compressed keys.

I guess you could just block bitcoinarmory.com on your router or firewall.

lenny_
Legendary
*
Offline Offline

Activity: 1050
Merit: 1000


DARKNETMARKETS.COM


View Profile WWW
August 09, 2014, 02:24:40 PM
 #5

Wow, Armory devs, maybe you can tell us what is going on?

DARKNET MARKETS >> https://DARKNETMARKETS.COM
ForgottenPassword
Full Member
***
Offline Offline

Activity: 154
Merit: 100


View Profile
August 09, 2014, 02:25:40 PM
 #6

Here is where USER_HOME_DIR is set:
https://github.com/etotheipi/BitcoinArmory/blob/master/armoryengine/ArmoryUtils.py#L265

On my Windows machine it gets set to this: C:\Users\<username>\AppData\Roaming

It seems to send the first 4 characters of the hash, enough information to distinguish between different Armory installations.

I have private messages disabled. Send me an email instead. My contact details can be found here.

Tip Address: 13Lwo1hK5smoBpFWxmqeKSL52EvN8U7asX
QuantumQrack
Sr. Member
****
Offline Offline

Activity: 340
Merit: 250


View Profile
August 09, 2014, 02:26:17 PM
 #7

Why is this code in Armory?  What purpose does it serve an end user of Armory?
etotheipi
Legendary
*
Offline Offline

Activity: 1428
Merit: 1072


Core Armory Developer


View Profile WWW
August 09, 2014, 02:27:03 PM
 #8

Guys, calm down.  

The code you posted doesn't send your username to bitcoinarmory.com, it sends the truncated hash of your user home directory path.  This does not give us any information about you except that it will be the same when your system makes multiple requests for version/announcement information.   We intentionally chose this instead of tracking by IP because we knew that IP logging was "not cool".  And in the end, we don't care about your IP, we only use it the ID for collecting statistics about what operatings systems are being use to run Armory and what versions people are using, especially after announcing new versions.  This helps us remove duplicates.

Armory (the company) only tracks unique IDs long enough to collect daily statistics of our user base, like how many people have upgraded.  If a announce-request is made and comes from an ID we have never seen, we add the OS and Armory version to the statistics.  Otherwise we ignore it.   That's it.  We added the unique ID so that we have a way to count unique users without logging IP addresses.    We also add the ability for you disable this by running with "--skip-annuonce-check".  

As a company, we have to have some way to measure our userbase, and we felt this was the least intrusive way possible.  And you can opt-out.


Founder and CEO of Armory Technologies, Inc.
Armory Bitcoin Wallet: Bringing cold storage to the average user!
Only use Armory software signed by the Armory Offline Signing Key (0x98832223)

Please donate to the Armory project by clicking here!    (or donate directly via 1QBDLYTDFHHZAABYSKGKPWKLSXZWCCJQBX -- yes, it's a real address!)
ForgottenPassword
Full Member
***
Offline Offline

Activity: 154
Merit: 100


View Profile
August 09, 2014, 02:31:41 PM
 #9

Guys, calm down.  

The code you posted doesn't send your username to bitcoinarmory.com, it sends the truncated hash of your user home directory path.  This does not give us any information about you except that it will be the same when your system makes multiple requests for version/announcement information.   We intentionally chose this instead of tracking by IP because we knew that IP logging was "not cool".  And in the end, we don't care about your IP, we only use it the ID for collecting statistics about what operatings systems are being use to run Armory and what versions people are using, especially after announcing new versions.  This helps us remove duplicates.

Armory (the company) only tracks unique IDs long enough to collect daily statistics of our user base, like how many people have upgraded.  If a announce-request is made and comes from an ID we have never seen, we add the OS and Armory version to the statistics.  Otherwise we ignore it.   That's it.  We added the unique ID so that we have a way to count unique users without logging IP addresses.    We also add the ability for you disable this by running with "--skip-annuonce-check".  

As a company, we have to have some way to measure our userbase, and we felt this was the least intrusive way possible.  And you can opt-out.



If that is the case, why do you need to collect statistics every 30 minutes? By doing that you also see what times the installation is running which could allow you to match it up against bitcoin transactions made during those times.

And whether you like it or not the IP is transmitted along with the unique installation ID and we can't know whether you are storing the IP's or not. This bypasses any proxy settings set on bitcoind, such as people using Tor.

I have private messages disabled. Send me an email instead. My contact details can be found here.

Tip Address: 13Lwo1hK5smoBpFWxmqeKSL52EvN8U7asX
1a5f9842524
Newbie
*
Offline Offline

Activity: 8
Merit: 0


View Profile
August 09, 2014, 02:33:10 PM
Last edit: August 09, 2014, 02:43:18 PM by 1a5f9842524
 #10

The code you posted doesn't send your username to bitcoinarmory.com, it sends the truncated hash of your user home directory path.  This does not give us any information about you except that it will be the same when your system makes multiple requests for version/announcement information.   We intentionally chose this instead of tracking by IP because we knew that IP logging was "not cool". 

That's pretty much synonymous, most people will have their user name set to either their common pseudonym or their full name. If you have a batch of people who you think might have sent a transaction, 4 bytes of the hash is more than enough to work out which one.

Sending any personal information at all is "not cool", especially when nobody was told about it in the first place.


As a company, we have to have some way to measure our userbase, and we felt this was the least intrusive way possible.  And you can opt-out.

Why ping every 30 minutes?


We also add the ability for you disable this by running with "--skip-annuonce-check".

You can't expect a user to apply this every single time they load up the client. Not giving the option in the GUI is intentionally obstructive.
QuantumQrack
Sr. Member
****
Offline Offline

Activity: 340
Merit: 250


View Profile
August 09, 2014, 02:35:19 PM
 #11

There should be an option on install to disable this activity of the Armory client.
ForgottenPassword
Full Member
***
Offline Offline

Activity: 154
Merit: 100


View Profile
August 09, 2014, 02:39:22 PM
Last edit: August 09, 2014, 02:51:18 PM by ForgottenPassword
 #12

Additionally you could still get a list of all usernames on bitcointalk for example and compute the ID hashes by working out what their home directory would be expected to be if they used the same username on bitcointalk and their PC.

You'd be able to check that hash against your "statistics database" and find their installation along with all of the IP's that gave you the statistics.

What you do is arguably worse than simply collecting IP's.

Why don't you just send the OS version etc without the ID on the first time Armory is run? Much better than what you do.

I have private messages disabled. Send me an email instead. My contact details can be found here.

Tip Address: 13Lwo1hK5smoBpFWxmqeKSL52EvN8U7asX
etotheipi
Legendary
*
Offline Offline

Activity: 1428
Merit: 1072


Core Armory Developer


View Profile WWW
August 09, 2014, 02:52:18 PM
 #13

As a company, we have to have some way to measure our userbase, and we felt this was the least intrusive way possible.  And you can opt-out.

Why ping every 30 minutes?



The 30 minutes isn't to for "collection", it's for announcement checking.  If there's a hard fork and people are potentially going to lose money, we need users to be aware as soon as possible.

Founder and CEO of Armory Technologies, Inc.
Armory Bitcoin Wallet: Bringing cold storage to the average user!
Only use Armory software signed by the Armory Offline Signing Key (0x98832223)

Please donate to the Armory project by clicking here!    (or donate directly via 1QBDLYTDFHHZAABYSKGKPWKLSXZWCCJQBX -- yes, it's a real address!)
ForgottenPassword
Full Member
***
Offline Offline

Activity: 154
Merit: 100


View Profile
August 09, 2014, 02:53:29 PM
 #14

The 30 minutes isn't to for "collection", it's for announcement checking.  If there's a hard fork and people are potentially going to lose money, we need users to be aware as soon as possible.

You don't need to send the installation ID when checking for announcements. Why would you need that?

I have private messages disabled. Send me an email instead. My contact details can be found here.

Tip Address: 13Lwo1hK5smoBpFWxmqeKSL52EvN8U7asX
etotheipi
Legendary
*
Offline Offline

Activity: 1428
Merit: 1072


Core Armory Developer


View Profile WWW
August 09, 2014, 03:00:16 PM
 #15

The 30 minutes isn't to for "collection", it's for announcement checking.  If there's a hard fork and people are potentially going to lose money, we need users to be aware as soon as possible.

You don't need to send the installation ID when checking for announcements. Why would you need that?

So that we don't "count" that ping as a unique user.  Our goal is to get a rough gauge of how many people are using Armory, and what the OS & version distribution is.  That's all we use the data for.  If we send a ping without the ID, we don't know if it's a duplicate. 

Also, I shouldn't have suggested "just" hard-forks... a piece of secure software used by people with massive amounts of money has many different reasons users might need to be notified, including critical security issues with Armory, if they arise.

Founder and CEO of Armory Technologies, Inc.
Armory Bitcoin Wallet: Bringing cold storage to the average user!
Only use Armory software signed by the Armory Offline Signing Key (0x98832223)

Please donate to the Armory project by clicking here!    (or donate directly via 1QBDLYTDFHHZAABYSKGKPWKLSXZWCCJQBX -- yes, it's a real address!)
ForgottenPassword
Full Member
***
Offline Offline

Activity: 154
Merit: 100


View Profile
August 09, 2014, 03:06:13 PM
Last edit: August 09, 2014, 03:16:54 PM by ForgottenPassword
 #16

So that we don't "count" that ping as a unique user.  Our goal is to get a rough gauge of how many people are using Armory, and what the OS & version distribution is.  That's all we use the data for.  If we send a ping without the ID, we don't know if it's a duplicate.  

Also, I shouldn't have suggested "just" hard-forks... a piece of secure software used by people with massive amounts of money has many different reasons users might need to be notified, including critical security issues with Armory, if they arise.

I still don't know why you need to know their installation ID for each ping. Can you come up with a real-life example of a situation where you'd need to know that information when providing announcements? if there were critical issues in Armory that would affect everyone running that version and not specific installations.

For most users privacy is just as important as security.

Annoucements/statistics should be two completely seperate things. I think statistics should happen on first-run ONLY and it should be very obvious it's happening and easy for the user to opt-out. Checking for annoucements should send the bare amount of information you require, the Armory version and platform.

I was under the impression checks for announcements weren't automatic and it seems others were too. Maybe it should be more obvious that they are automatic and easier to disable them (in the GUI) for people who want to check manually instead.

I have private messages disabled. Send me an email instead. My contact details can be found here.

Tip Address: 13Lwo1hK5smoBpFWxmqeKSL52EvN8U7asX
1a5f9842524
Newbie
*
Offline Offline

Activity: 8
Merit: 0


View Profile
August 09, 2014, 08:04:40 PM
 #17


The 30 minutes isn't to for "collection", it's for announcement checking.  If there's a hard fork and people are potentially going to lose money, we need users to be aware as soon as possible.


Why don't you use the alert system in Bitcoind just like everybody else? It would be instant and more reliable, only you wouldn't be able to collect personal information with that method.



The 30 minutes isn't to for "collection", it's for announcement checking.  If there's a hard fork and people are potentially going to lose money, we need users to be aware as soon as possible.

You don't need to send the installation ID when checking for announcements. Why would you need that?

So that we don't "count" that ping as a unique user.  Our goal is to get a rough gauge of how many people are using Armory, and what the OS & version distribution is.  That's all we use the data for.  If we send a ping without the ID, we don't know if it's a duplicate. 


Utter nonsense.

If you wanted a unique anonymous ID you would have generated a few random bytes and used that. Instead you used a highly identifying, personal piece of information and sent it to your remote server along with the IP address of the user. There's no way you can pretend that was a mistake from somebody who is writing wallet software.

Why don't you do us a favor and delete all the information you've collected without your users consent.
ForgottenPassword
Full Member
***
Offline Offline

Activity: 154
Merit: 100


View Profile
August 09, 2014, 08:06:54 PM
Last edit: August 09, 2014, 08:51:08 PM by ForgottenPassword
 #18

Utter nonsense.

If you wanted a unique anonymous ID you would have generated a few random bytes and used that. Instead you used a highly identifying, personal piece of information and sent it to your remote server along with the IP address of the user. There's no way you can pretend that was a mistake from somebody who is writing wallet software.

Why don't you do us a favor and delete all the information you've collected without your users consent.

I agree.

On the website, they have a privacy policy that states this:

Quote
ATI may collect your device’s IP address: when you start the software on your device and the software checks for updates and notifications, unless you opt out of this feature.

ATI does not share this information outside of ATI except that ATI may share information with governmental authorities pursuant to a court order or other lawful order.

However I don't recall being forced to agree to this when I ran the software, though from looking at the source it appears to be in the help menu at least.

I have private messages disabled. Send me an email instead. My contact details can be found here.

Tip Address: 13Lwo1hK5smoBpFWxmqeKSL52EvN8U7asX
1a5f9842524
Newbie
*
Offline Offline

Activity: 8
Merit: 0


View Profile
August 09, 2014, 08:20:46 PM
Last edit: August 09, 2014, 09:28:28 PM by 1a5f9842524
 #19

We added the unique ID so that we have a way to count unique users without logging IP addresses.

Your Privacy Policy (which oddly enough I've never seen before now) says that you only log IP addresses. Which is it? 

https://i.imgur.com/6xPsGpU.jpg

Collecting 32 bits worth of people's usernames is not mentioned in the Privacy Policy at all, ergo you shouldn't be doing it. It also mentions nothing about sending it to Amazon S3, or to Cloudflare which you use to host the ping domains.
pand70
Sr. Member
****
Offline Offline

Activity: 476
Merit: 250



View Profile
August 09, 2014, 08:55:11 PM
 #20

It's not hard to imagine how this would be connected with the transactions a person makes just due to the timings of the requests.

Running armory doesn't necessarily mean that you are performing transactions, so i don't think any connections can be made by that.

In any case it's nice that you have noticed that and i think a permanent opt-out option should be available.
Then again stats might be one of the few ways for creators to monetize their wallet-software.

Pages: [1] 2 3 4 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!