Announced at the end of January, Bitfury’s production-ready suite of Lightning Network products and services, Peach, appears to offer everything a developer, user or merchant could want from a Lightning implementation. It comes with built-in, e-commerce plug-ins, has a hardware component for point-of-sale, a toolkit for developers and its own Lightning node to ground the whole outfit.
The suite, with its many uses, has a wide reach … a bit too wide, one crypto analysis group thinks.
Block Digest, “a bi-weekly podcast covering the latest technical and market news related to Bitcoin,” argues that Bitfury’s Peach infringes on its users’ privacy to a disturbing degree. To them, the Peach Lightning node is a panopticon from which no data escapes, and each Peach application is the cell through which Bitfury can see personal and financial information about its users.
Do I Dare Trust a Peach?
“Stay the !#@& away from it,” Rick, one of the Block Digest ensemble, cautions during the group’s breakdown of the technology.
An offshoot of the World Crypto Network podcast, the Block Digest cypherpunks treat the subject with earnest disgust, arguing that Bitfury is being disingenuous and even purposefully misleading about how it manages user data.
“Having read both versions of the terms of use and privacy policy, there are a number of inconsistencies. A lawyer has said that there are a few things that, if not compliant with GDPR [the EU’s technology privacy regulations], would be violating GDPR for vagueness alone. So yes, we would say there are violations of privacy going on,” Janine, another Block Digest member, told Bitcoin Magazine.
In separate correspondence with Bitcoin Magazine, Bitfury push backed on the allegation that it is in violation of GDPR, asserting that it “[complies] fully with all applicable regulations, including GDPR. We believe that our terms of service and privacy policy are indeed compliant with those regulations.”
Still, after Block Digest and other community voices started raising the alarm about Peach’s privacy implications, Bitfury seemed to take notice and revised their terms of use and privacy policy for the Lightning suite on January 30, 2019.
Nevertheless, Block Digest says that the new versions, even with the alterations ,still fall shy of reassuring users that their data is safe from view — or of even fully explaining how it is used.
“They don’t just say they don’t collect it; they say they don’t have access to it,” shinobi, one of Block Digest’s crew, told Bitcoin Magazine.
“There are two things in the code for ability to collect data. The first one is event logs that go through Google analytics, and that’s for navigation in the application.” This first function, he told us, was nothing noteworthy: It just logs events and doesn’t collect information.
The second part, however, does collect information. “For these streaming payments and the payments that use a lightning id without an invoice, all of those are being coordinated through [the] Bitfury server. They can see everything: who’s paying, who’s paying whom, how much they’re paying.”
Bitfury’s Lightning Peach suite allows users to transact with anyone using Lightning through payment invoices, where a recipient requests payment from a sender. Or, they can send payments through the Lightning Peach node, a Bitfury-centralized process, with a lightning id or streaming payment, both of which can only be executed between two Peach users.
At the very least, Block Digest acknowledged that Bitfury won’t collect data from a “regular lightning invoice payment." So if you receive an invoice from a non-Peach user, even if you’re using Peach’s wallet, that payment isn’t routed through the Peach node and is out of their purview.
But anyone using Peach’s streaming payments and Lightning ids will forfeit transaction information, including IP and wallet ID, to Bitfury so that Peach’s Lightning node can facilitate the payment for the user. Given that Bitfury is providing a centralized service, this isn’t out of the ordinary, and Bitfury updated its policy to say this information “is not stored.”
Questions and Contradictions
Most of Block Digest’s most pointed accusations are leveled at what they see as contradictions in Bitfury’s terms of use and privacy policies, as well as a now-omitted clause that originally claimed to keep tabs on user data.
In a document shared in confidence with Bitcoin Magazine, Janine recorded changes in Peach’s terms of use and privacy policies. At one point, she says, “In the older version of the policy, they claimed to collect: ‘traffic data, location data and other communication data, and the resources of the software that you access and how you use them; time that user spent in wallet (session time); number of sessions within the time unit (for example, month); number of payments within one session; amount of payment; payment type (regular/stream); successful/failed payments; periodicity of channel opening (times per month); lifetime of a channel; number of simultaneously open channels; channel capacity; waiting time for channel opening; waiting time for lightning transaction; number of nodes, which user pays to.’"
This could be justified as crash report data collection — aggregated network data to diagnose the reason for a crash or bug. Shinobi had a friend run an audit, and he allegedly found no evidence of collecting data for this purpose in the code.
Block Digest argues that this retracted list embodies the looming contradiction that Bitfury’s terms simultaneously say they won’t collect, store or see data and that they may share, consult or leverage this data under certain circumstances.
The most apparent contradiction, Block Digest argues, comes from Bitfury’s claim in the updated version that data collection is optional, something Bitfury reiterated to Bitcoin Magazine when we inquired about the privacy allegations.
Pavel Prikhodko, head of Lightning Peach, told Bitcoin Magazine, “That data is only collected if users proactively confirm they would like to provide anonymized information via Google Analytics. It enables us to better understand how users interact with our website and software. That data cannot be traced back to an individual user and is a standard optional setting present in the vast majority of modern consumer software products.”
Block Digest is unconvinced, mainly because the same terms simultaneously tell users that they don’t have to provide information unless they acquiesce while it also says that, upon generating a wallet, users will “be required to provide contact information that may include a phone number, email address, username and other information as appropriate.”
Bitfury, clarifying the terms in a Medium post, claims that it doesn’t collect these data points. This is in conflict with the terms of use, Block Digest observes. In the agreement, it says very clearly that “providing the required data is necessary for you to use the Software. If you do not wish to provide the required data, you cannot use the Software.”
Bitfury also claims that it “does not collect, nor have access to ... information on the transactions you perform through the use of the Software,” something that, Block Digest says, doesn’t align with their claims that user data can then be shared or sold to subsidiaries or people buying aspects of Bitfury’s business.
“In the policy that was active before January 30th, they say that they would be willing to share or pass over this data to entities who were looking to buy any aspect of Bitfury’s business,” Janine said.
The new policy says the same, indicating that data may be shared “to the purchaser or seller (or prospective purchaser or seller) of any business or asset which we are (or are contemplating) selling or purchasing. Except as provided in this privacy policy, we do not intend to sell, share or rent your information to third parties.”
Janine makes the point that, “legally, saying you intend not to do something is not the same as saying you will not do something.”
The outfit worries that, at worst, Bitfury could sell information to stakeholders in Bitfury’s companies, or at best, share information between its subsidiaries, including its blockchain analytics platform Crystal, one of Bitfury’s compliance-focused side projects.
Bitfury denied that they intend to share data with Crystal:
“... none of the data processed is shared with Bitfury’s public blockchain analytics division, Crystal. The Crystal platform provides a more user-friendly interface for analyzing public blockchain data.”
It should be noted that, in the terms of use, Bitfury includes a termination clause in the event a user would prefer to get out of the software’s data agreements:
“When you use the Software, and provide the required data, you can contact us (please see paragraph 11 below) to exercise any of the rights you are granted under applicable data protection laws, which includes (1) the right to access your data, (2) to rectify them, (3) to erase them, (4) to restrict the processing of your data, (5) the right to receiving a file of your personal data and (6) or the right to object to the processing, and where we have asked for your consent, to withdraw this consent. These rights may be limited in some situations. We may, for example, deny your request for access when necessary to protect the rights and freedoms of other individuals or refuse to delete your personal data in case the processing of such data is necessary for compliance with legal obligations.”
The Consequence of Big Business
Block Digest has other secondary concerns, such as that Bitfury doesn’t want anyone under 18 using their software, but the bulk of their qualms come from the company’s seemingly contradictory and tenuous stance that it doesn’t collect your data — but could if it wanted to. Most of all, the group disapproves of how this data could be used (for legal and enforcement reasons) and that Bitfury is simultaneously telling people they do and don’t store data.
“Your personal data will be stored no longer than is necessary for the purpose they were obtained for, our compliance with legal and fiscal obligations, or for solving any disputes but not longer than 6 (six) years.”
“We collect, use and store your personal data to provide services to you, to comply with the legal obligations we are subject to, if necessary, for our legitimate interests or on the basis of your consent.”
These two separate clauses contradict the earlier statement that Bitfury doesn’t store data, Block Digest points out.
Other than sharing this data among subsidiaries or selling it in the case of a business transaction, Bitfury “may be required by law to collect and share personal information provided by you with public or governmental organizations for the purpose of compliance with the law, a court order, or to respond to any government or regulatory request, the privacy policy indicates.” This was one of Block Digest’s greatest causes for alarm, but it’s the same regulatory compliance that makes Bitfury comply with GDPR — and maybe even why it doesn’t want adolescents using its software.
This is getting at the crux of it. As Janine said in our talk, no other Lightning service providers “have data collection policies or terms of service like this,” claiming that “they’re not big enough organizations to provide one.”
Bitfury is big enough, and the corporation, like many monolithic crypto companies, plays regulations close to the chest and stays hyper compliant to stay out of trouble in an already internationally stigmatized industry.
“As far as the terms, Janine’s right,” shinobi said about data collection in our talk, “but architecturally … other [softwares and services] are capable of gathering detailed information on your activity, but again, like Janine said, none of them have terms like that. I also don’t really see the kind of history in the space and the move towards more surveillance and regulatory compliance that Bitfury is making with Peach.”
Bitfury told us that it uses “the minimum amount required for the products to work,” for example, IP address and Lightning ID for streaming payments and Lightning ID payments. Anything else is either optional or only stored for as long as it needs to be for the software to function properly, something that Block Digest says is contradicted in the legal literature.
Some of these contradictions appear to have been cleared up in the revisions, which could indicate that Bitfury simply fumbled the first drafts of their terms and privacy policy and needed to make some of the language more precise.
So who’s right and should you trust Peach? Really, it depends on who you are and what your desired level of privacy is.
The Implications of Peach:
- There are contradictions in the terms of use and privacy policy (and in Bitfury’s statement on Medium) about whether or not Bitfury asks for/accesses your personal information and data. In a previous draft, Bitfury mentioned that it collects a host of transaction data, which it now claims it doesn’t collect.
- The legal language gives them the right to access the data if they want to for the purpose of selling aspects of their business, sharing data between subsidiaries or legal compliance.
- Bitfury says that they only have access to limited data (IP and Peach ID) for a short time while they route transactions through the Peach node and claims to not store data thereafter (you can transact without data collection implications by using Lightning invoices).
- The truth is, Bitfury has (and admits to having) access to some data if they need it for legal or business reasons. Which data they have access to and to which extent they would use it is not very clear.
- That said, most of this data is benign in nature (basic transaction details, for example), but some of it (IP address, phone number, etc.) is not.
If you’re not too concerned with privacy, whatever data collection might happen will likely go unnoticed. It’s not unlike the information that, say, Coinbase already has in terms of transaction details and the personal data Facebook and Google have (and are selling, by the way).
If you are privacy conscious, however, the structure (and contradictory explanations of) Peach’s data collection structure will likely be off-putting, enabling the panopticon for data that the modern internet has become.
All things considered, though, you can transact without your data being apprehended through Lightning invoices, and the amount of data that Bitfury could have on you is pretty negligible. It’s ultimately down to over your tolerance/comfort levels for how the business operates and shines a light on these operations.