It would appear that Amboss Technologies is collecting personal information about the Lightning Network and its users and selling it to third parties as chain analytics software (or for the purposes of "Risk Management" in their own words). This is according to their very own Privacy Policy.
The amount of information they have collected and want to collect should alarm all users of Lightning, even those that have not given Amboss or Thunderhub (the wallet they collect data through) access to their node information. They have claimed 30% of the Lightning Network has registered for their services, which is dangerous considering their power to deanonymize the network.
By now, you might be wondering, what does this comprehensive data gathering mean for the privacy and security of Lightning Network users?
To put it simply, it undermines user privacy at its very core. What makes the Lightning Network unique is its dedication to providing privacy and anonymity to its users. The Lightning Network is designed in such a way that transactions are only known to the involved parties, making it more private than traditional financial systems. With Amboss' aggressive data collection policies, the fundamental privacy of the Lightning Network is at stake.
Collection Procedures
Third-Party Collections
One glaring concern is how Amboss collects user information.
For example, we may collect information from advertising networks, and data analytics providers. This information may include your name, email address, and phone number. Additionally, if you create or log into your Amboss account through a third-party platform (such as Telegram), we may have access to certain information from that platform, such as your name, telephone number, and profile picture, in accordance with the authorization procedures determined by such platform.
Twitter, Telegram, and website/email are some of the ways that Amboss lets you link your account, which allows them to further collect, store, and sell that data according to their policy.
Source of Funds
Not only is the collection happening, but they go further to try to link everything you provide them with, such as analyzing the source of funds:
We will also use vendors that provide background information about social media profiles we collect and information about the source of funds from the transaction IDs referenced above.
The language used here is very intentional. They are trying to figure out the source of funds. Now why would they want to do that? Because they are a chain analytics company selling this data to interested parties such as Chainalysis, governments, or highly regulated entities.
KYC-Level Identity
Even more alarming, the information they want to collect doesn't stop there:
We may also work with identity verification vendors to conduct "know your customer" or "know your business" checks. You may be asked to share information with such vendors (e.g., name, address, social security number, and driver's license) so the vendors can tell us whether you have successfully completed the check and are authorized to use the Services.
Why does Amboss need KYC information such as name, address, and social security numbers? Combined with all the other data collected, this allows them to link the source of funds, transaction IDs, node IDs, etc., with your social media persona and your entire government identity, which is later sold. It would be one thing if this were an exchange, but these are YOUR self-custodial funds they are infringing on and sharing with parties that do not otherwise have access to this information.
And for what? So you can sell liquidity on their centralized platform or have a "verified" node? Congratulations, you doxxed your whole stack on your node, in addition to weakening the privacy of all the others on Lightning.
Lightning Network Collection
Certain information is publicly broadcast on Lightning, and Amboss collects and sells it. That might make sense, given that there should be no expectation of privacy. However, Lightning information is temporary, unlike the Bitcoin blockchain, which is permanent. That breaks down when a well-funded information collector decides to persist and sell this data, which Amboss is doing.
There's some basic stuff like this:
- Node Information: We collect information about node(s) on the Lightning Network, including the alias, color, features, public key, balance information, and size of the backup. Nodes may also independently share other information with us that is hosted on the nodes platform, such as social media information, community information, or other identifying information.
And more intrusive information like:
- Channel Information: We also collect information about the channels on the Lightning Network, including the fees, response times, transaction IDs, and peer ratings associated with the channel.
- Transaction Information: When you engage in a transaction through the Services, we collect information about the transaction, such as the date, time, and amount of the transaction.
- User Reported Information: we also receive information from users about transactions on the Lightning Network to which Amboss is not a party, including payment forwards, failed forwards, node online status, history, and balance.
"Response Times" is pretty ridiculous, considering deanonymizing attacks depend on analyzing the response times between each channel.
"Transaction on the Lightning Network" means that they are taking individual transaction information from each node that is routing (and "voluntarily" giving it to Amboss) and collecting it en masse. That means that a transaction routing through multiple nodes participating in Amboss data collection will allow Amboss to determine the source and destination of the payment, which, it is assumed, they will sell according to their policies. This is NOT public information. Amboss has historically stated their innocence by hand-waving that node operators are "voluntarily" giving them this information when linking their node to Amboss and "voluntarily" running the wallet software for which the cofounder is conveniently the maintainer.
You've read that right. Amboss is the data collection monetization arm for the wallet they created called Thunderhub. Would you use a wallet that Chainalysis created? Well, you are by running Thunderhub. Did you know the amount of data that you are "voluntarily" giving to chain analytics companies? Is that even considered voluntary if it is without your knowledge?
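To make the forward-correlation point above concrete, here is an added example (not from the original post, and not Amboss or Thunderhub code) showing what a collector can join once several routing nodes report their forwards, so a node operator can judge what sharing them reveals. The record fields, node labels, channel names and values are constructed assumptions about what a forward report contains.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Forward:
    node: str      # reporting node (constructed label)
    chan_in: str   # channel the HTLC arrived on
    chan_out: str  # channel the HTLC was forwarded on
    amt_in: int    # msat received
    amt_out: int   # msat forwarded (amt_in minus this node's fee)
    ts: float      # report timestamp, seconds

# Constructed sample reports (assumed format, not real data).
REPORTS = [
    Forward("B", "ch_AB", "ch_BC", 100_300, 100_200, 10.00),
    Forward("C", "ch_BC", "ch_CD", 100_200, 100_100, 10.21),
    Forward("D", "ch_CD", "ch_DE", 100_100, 100_000, 10.45),
    # Second payment: hop G between F and H does not report.
    Forward("F", "ch_EF", "ch_FG", 50_200, 50_150, 42.00),
    Forward("H", "ch_GH", "ch_HI", 50_050, 50_000, 42.50),
]

def follows(a, b, window):
    """True if b looks like the next hop of a: same channel, same amount, close in time."""
    return (a.chan_out == b.chan_in and a.amt_out == b.amt_in
            and abs(b.ts - a.ts) <= window)

def link_segments(reports, window=2.0):
    """Chain reports from adjacent nodes into contiguous path segments."""
    heads = [r for r in reports
             if not any(follows(p, r, window) for p in reports)]
    segments = []
    for head in sorted(heads, key=lambda r: r.ts):
        chain = [head]
        while True:
            nxt = [r for r in reports
                   if r not in chain and follows(chain[-1], r, window)]
            if not nxt:
                break
            chain.append(min(nxt, key=lambda r: r.ts))
        segments.append(chain)
    return segments

def summarize(segments):
    """What the collector learns per segment: hops, entry/exit channel, fees."""
    return [{"nodes": [r.node for r in s], "entered_via": s[0].chan_in,
             "left_via": s[-1].chan_out, "fees_msat": s[0].amt_in - s[-1].amt_out}
            for s in segments]
```

With the sample data, the three contiguous reporters B, C and D collapse into one segment that exposes the channel the payment entered on and the channel it left on, while the F and H reports stay unlinked by this join because the hop between them shared nothing.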
Balance Sharing
Let's also look at one of the controversial "features" they provide users, which is to, again, "volunteer" channel balance information to Amboss for your benefit somehow?
One of our features is called Channel Balance Sharing. Through Channel Balance Sharing, we present the current state of channel balances and the aggregate flow of funds through the Lightning Network ("Channel Balance Insights"). To present Channel Balance Insights, we collect raw channel balance data. We do not use the raw data to identify any individuals or transactions. As soon as we have generated the Channel Balance Insights we delete the underlying raw data. (This typically occurs within 24 hours.)
This feature, as described in their privacy policy, indeed seems innocent. However, upon close inspection, several questionable aspects of this feature emerge.
The feature collects "raw channel balance data," which refers to the unprocessed, unfiltered information about the balances of all channels on the Lightning Network. This includes the size of the channels and the flow of funds within them. Although Amboss claims they do not use this raw data to identify individuals or transactions, the mere fact that they have access to such data is concerning. In the wrong hands, such data could be used to infer patterns, analyze user behavior, and deanonymize users or transactions.
Amboss' claim to delete the "underlying raw data" within 24 hours does not fully assure user privacy protection. The interval between collection and deletion provides Amboss ample time to generate Channel Balance Insights, which, although aggregated, could be analyzed to infer patterns about the flow of funds within the Lightning Network. More importantly, the policy does not explicitly state if and how they ensure secure data deletion, leaving ambiguity around the integrity of this process.
Amboss doesn't clarify if the deletion of raw data includes all copies and backups. If backups are kept and not securely deleted, this sensitive information can be exposed or misused.
Amboss' policy doesn't clarify whether third parties have access to these "Channel Balance Insights." If these insights are made available to other entities, that broadens the potential for misuse, potentially creating a secondary market for data analysis that could compromise the privacy and anonymity of Lightning Network users.
Even if Amboss does not misuse this data, the company becomes an attractive target for malicious actors. Cyberattacks could steal this valuable trove of information before it's deleted, possibly leading to a significant breach of privacy.
While the "Channel Balance Sharing" feature might seem innocuous as per Amboss' privacy policy, it raises serious concerns regarding the overall privacy and security of Lightning Network users. It is another tactic for Amboss to amass a significant amount of sensitive user data, and the lack of clarity in their privacy policy only amplifies these concerns.
Use and Sharing
We share personal information in the following circumstances or as otherwise described in this policy:
- We share personal information with vendors, service providers, contractors and consultants that access personal information to perform work for us, such as companies that assist us with web hosting, identity verification, fraud prevention, customer service, email delivery, and marketing and advertising.
- We reserve the right to make the information described above publicly available on our Services (including through our APIs) and to sell certain of that information to our customers.
- We may disclose personal information if we believe that disclosure is in accordance with, or required by, any applicable law or legal process, including lawful requests by public authorities to meet national security or law enforcement requirements.
- We may share personal information if we believe that your actions are inconsistent with our user agreements or policies, if we believe that you have violated the law, or if we believe it is necessary to protect the rights, property, and safety of Amboss, our users, the public, or others.
- We may share personal information with our lawyers and other professional advisors where necessary to obtain advice or otherwise protect and manage our business interests.
- We may share personal information in connection with, or during negotiations concerning, any merger, sale of company assets, financing, or acquisition of all or a portion of our business by another company.
- Personal information may be shared between and among Amboss and our current and future parents, affiliates, and subsidiaries and other companies under common control and ownership.
- We may share personal information with your consent or at your direction.
The 'Sharing of Information' clause in Amboss' privacy policy is rife with ambiguities that could allow for extensive and unrestricted sharing of personal information. Their policy offers a broad range of scenarios in which they may share personal information, and it's crucial to take a closer look at each.
The policy starts by mentioning sharing information with vendors, service providers, contractors, and consultants performing work for Amboss. While this may seem ordinary for a technology company, the scope of 'work' and the kind of companies involved isn't defined, potentially allowing any entity they work with to access personal data.
Amboss's "Sharing of Information" policy provides broad leeway to share, sell, and disclose personal information they have collected, with few restrictions. This effectively means that any personal information shared with Amboss could be distributed to virtually anyone — from their vendors to business partners, law enforcement, other companies, and even the public. This raises serious questions about how user privacy is protected under their policy.
Conclusion
There's a certain point where privacy policies are generic enough that they say something along the lines of "The information you have provided us may be used to provide services to you in return" and may even feature some language about third-party software providers that might have access to that information as well. However, all the language here is very much catered towards what they are trying to do, which is to over-collect as much as they can to sell your financial data and identity. And it is working. After all, they have recently raised $4M to carry out these goals.
Amboss has tricked users into signing up for their service to sell their information to third parties. They have been targeting Lightning Service Providers to collect their routing information and have gone after communities to collect general user information. Privacy is only as strong as the ability to hide amongst a crowd. If the entire crowd has been fooled into giving up their information, nothing is left but the illusion of privacy. It is up to us to stand up to malicious data collection and stop using services like Amboss.