Last Friday a controversy arose over the collection of user data carried out by the application of the French physical wallet company, Ledger, disclosed by the anonymous developer REKTBuildr. This fact has been hidden in plain sight, in Ledger's privacy policy and within the Ledger Live application itself.
“Ledger Live sends data about the assets you have in your hardware wallet the moment you access it. It also sends a lot of other information about your computer and device.” This is how the anonymous developer REKTBuildr summarized the first results of his research on Ledger Live.
Given the disclosure, Ledger's CTO, Charles Guillemet, acknowledged the data tracking, stating that they disclose the data they collect in their privacy policy. Guillemet stated that the goal of this is to improve the user experience, adding that if someone wants to disable the feature they can do so from the Ledger Live settings. However, tracking and information collection comes by default in the application.
Information Collected by Ledger Live
In the section dedicated to Ledger Live, in the privacy policy, the company ensures that it collects information such as IP address, clicks, language, region of your operating system, currencies, amounts, transaction status, transaction identifier and even the data used by their partners to identify you.
While Ledger Live integrates services for the purchase and sale of cryptocurrencies on platforms with Know Your Customer (KYC), this identifier may include the name of the users. The information collected is stored in France for up to 5 years and may be disclosed to “legal or administrative authorities or any authorized third party where the sharing of this information is established by law.” It may also be shared with technical providers, subsidiaries, partners such as services accessible from Ledger Live or personalized advertisers, and other companies.
Ledger says it does not store information that allows the company to know your personal identity, clarifying that users' IP addresses are only recorded to be transmitted to partners when that information is necessary for their services, and is not stored by Ledger.
REKTBuildr disclosed that Ledger uses the Segment service of the data processing company Twilio to analyze the information of its users. “Ledger Live is doing analytics on everything from screen views to clicks, error events, installs, uninstalls, etc. Everything you do in that app is being tracked,” writes the developer.
It should be noted that this information tracking corresponds exclusively to the Ledger Live application, and not to the hardware devices manufactured by the company. Users who wish to do so can choose to use their Ledger device through other wallet applications such as Sparrow or Electrum.
Last June it was disclosed that the Ledger app contains trackers that share information with Facebook and Google. On the other hand, it is important to remember that, in 2020, the personal information of nearly 300,000 Ledger users was leaked in attacks on its proprietary database and that of its partner, Shopify.