In a shocking revelation, digital currency enthusiasts have raised concerns about the Ledger Live app, the open-source companion software for Ledger hardware wallets. The app is allegedly tracking and sending user information to an outsourced data collection service. The accusations surfaced on social media, where user “rektbuildr” detailed the unsettling findings.
Upon investigating Ledger Live’s network activity, rektbuildr claimed:
“Ledger Live is phoning out data on assets you hold in your hardware wallet the moment you access Ledger Live. It’s also sending out tons of other information about your computer and device.”
The app apparently transmits data to an external endpoint at “https://api.segment.io/v1/t”, identified as an outsourced data collection service.
Tracking Every Button Click
The exposed payload reportedly includes a unique userId and writeKey, potentially identifying users’ devices. Furthermore, the transmitted data encompasses device details, storage usage, operating system version, and more. Rektbuildr claimed that Ledger Live’s tracking code goes beyond regular analytics, monitoring almost every click. They stated:
“The tracking code is too structural to be just counting users and downloads, like regular apps do. Ledger Live is doing analytics on everything from screen views to button clicks, error events, installs, uninstalls, etc. It’s basically tracking everything. Anything you do on that app gets tracked.”
The X user claims that “every single file” in Ledger Live contains user trackers. According to the whistleblower, Ledger Live initiated its “intensive” user tracking campaign with the v1.2.0 release on December 23, 2019. Notably, in this release, the company switched its user tracking from opt-in to opt-out by default for new installations.
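For readers who want to check what their own installation transmits, the following Python is an added example, not code from rektbuildr, Ledger or the original article. It summarises requests to the endpoint host named above from a HAR export of an intercepting proxy. The HAR input, the `event` and `context` field names (Segment's usual track-call fields) and all sample values are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlsplit

TELEMETRY_HOST = "api.segment.io"          # host named in the article
IDENTIFIER_FIELDS = ("userId", "writeKey")  # fields the article reports

def audit_har(har):
    """Summarise every request in a HAR capture sent to TELEMETRY_HOST."""
    findings = []
    for entry in har.get("log", {}).get("entries", []):
        req = entry.get("request", {})
        url = urlsplit(req.get("url", ""))
        if url.hostname != TELEMETRY_HOST:  # exact host match only
            continue
        try:
            body = json.loads((req.get("postData") or {}).get("text") or "")
        except ValueError:
            body = None
        if not isinstance(body, dict):      # empty, binary or non-JSON body
            findings.append({"path": url.path, "parsed": False})
            continue
        context = body.get("context")
        findings.append({
            "path": url.path,
            "parsed": True,
            "event": body.get("event"),
            "identifiers": [f for f in IDENTIFIER_FIELDS if f in body],
            "context_keys": sorted(context) if isinstance(context, dict) else [],
        })
    return findings

# Constructed sample capture; every value below is made up for illustration.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://api.segment.io/v1/t", "postData": {"text": json.dumps({
        "userId": "00000000-constructed", "writeKey": "CONSTRUCTED_KEY",
        "event": "button_click", "context": {"os": {"name": "Linux"}, "device": {}},
    })}}},
    {"request": {"url": "https://example.com/api/status"}},
    {"request": {"url": "https://api.segment.io/v1/t", "postData": {"text": "not json"}}},
]}}

if __name__ == "__main__":
    for finding in audit_har(SAMPLE_HAR):
        print(finding)
```

Requests whose body cannot be parsed are still reported with `parsed` set to `False`, so traffic to the endpoint is never silently dropped from the summary.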
Ledger Live App’s Data Collection Policy
Notably, Ledger Live’s privacy policy itself reveals that it collects and retains various user data, including device session identifiers, IP addresses (transmitted but not stored, according to Ledger), transaction details, and more.
According to the “not so private” privacy policy, the collected information is shared with technical service providers, subsidiaries, partners, and potentially other companies in the future. It states:
“We share your data with our technical service providers, subsidiaries, partners, and other companies to which we could sell or assign all or part of our activities. The administrative or legal authorities or any other authorized third party where this data sharing is set out in law.”
The controversy raises questions about the true anonymity of the collected data, especially given the broad list of entities with which Ledger shares user information. While Ledger claims that IP addresses are not stored, concerns persist about the potential identifiability of the transmitted data.
Ledger Live users are now seeking clarification from the company regarding data collection practices and the purpose of sharing information with external entities. The accusations may have far-reaching consequences for Ledger’s reputation and user trust, highlighting the need for greater transparency and ethical data practices within the digital asset sector.