Explosive Claims: Ledger Live App Harvesting Massive User Data!

In a surprising revelation, concerns have been raised by digital currency enthusiasts regarding the Ledger Live app, the open-source companion software for Ledger hardware wallets. Allegations suggest that the app tracks and sends user information to an external data collection service. These claims came to light on social media, where user “rektbuildr” outlined the unsettling discoveries.

Upon investigating Ledger Live's network activity, rektbuildr asserted: 

“Ledger Live is phoning out data on assets you hold in your hardware wallet the moment you access Ledger Live. It’s also sending out tons of other information about your computer and device.”

The app appears to be transmitting data to an external endpoint at “https://api.segment.io/v1/t,” which is identified as an outsourced data collection service.

The exposed payload reportedly contains a unique user ID and write Key, potentially identifying users' devices. The transmitted data includes device details, storage usage, operating system version, and more. Rektbuildr alleges that Ledger Live's tracking code extends beyond standard analytics, monitoring nearly every click. They mentioned: 

“The tracking code is too structural to be just counting users and downloads like regular apps do. Ledger Live is doing analytics on everything from screen views to button clicks, error events, installs, uninstalls, etc. It’s tracking everything. Anything you do on that app gets tracked.”

The user X asserts that “every single file” on Ledger Live contains user trackers. According to the whistleblower, Ledger Live initiated an “intensive” user tracking campaign with the v1.2.0 release on December 23, 2019. Notably, in this release, the company switched its user tracking from opt-in to opt-out by default for new installations.

Furthermore, Ledger Live's privacy policy itself discloses that it collects and retains various user data, including device session identifiers, IP addresses (transmitted but not stored, according to Ledger), transaction details, and more.

According to the “not so private” privacy policy, the collected information is shared with technical service providers, subsidiaries, partners, and potentially other companies in the future. It states: 

“We share your data with our technical service providers, subsidiaries, partners, and other companies to which we could sell or assign all or part of our activities. The administrative or legal authorities or any other authorised third party where this data sharing is set out in law.”

The controversy prompts inquiries into the actual anonymity of the gathered data, particularly given the broad range of entities with whom Ledger shares user information. Despite Ledger's assertion that IP addresses are not retained, lingering concerns exist regarding the potential identifiability of the transmitted data.

Users of Ledger Live are currently seeking clarification from the company concerning data collection practices and the rationale behind sharing information with external entities. The allegations could potentially have significant repercussions for Ledger's reputation and user trust, underscoring the urgency for increased transparency and ethical data practices within the digital asset sector.