"Using Thunderhub (v0.13.16), an open source node manager, we’ve enabled balance reporting. We’ve created a single endpoint that users can send this data to and it will be displayed on the node’s Amboss page. This method can be replicated on any node manager or service."

We do so much to try to protect the privacy of the lightning network but always going to be constantly fighting the tendencies for society to give away information for convenience. I can't begin to tell you how aggregating this information to a single party is an attack on Lightning and the privacy of all individuals as a whole.

In a way it's almost "good" that it happens publicly and not behind our backs no?

I think the idea that bitcoin/lightning will unite people into "good" is a bit like the Myth of the Peaceful Savage -- we're only kind of united now because it's "us vs them", but in a Bitcoin-only world where the LN trumps VISA, we will start fighting amongst ourselves. Maybe with less inequality, we'll see.

At least Amboss is seen as a friendly adversary and it's better they develop this tool than someone else behind our backs, to see how we can counter it.

You are much more knowledgeable in the subject and I don't fully disagree with you -- it's obviously painful to see it. Just want to play devil's advocate and realize that for every good we bring in bitcoin there will be bad. For every bad someone does to us, there will be good.

First was enthusiastic about the possibilities described in the article: https://ambosstech.medium.com/lightning-balance-sharing-and-network-statistics-32e687a4db25, but thinking just a little this is clearly the living hell of surveillance capitalism.

A short thread: https://twitter.com/openoms/status/1585526779648917511

We need a simple app for the cursed LND nodes to share random data quickly.

I hear you.

Given that this idea of balance reporting is out in the wild, what next steps would you like to see from Amboss, node operators, or LN developers?

If Amboss paid node operators some market-determined rate for opting in to balance reporting (instead of users just giving data away), would that relieve any of your concerns?

I knew this would be inevitable. There's an incentive for users to sell this data to any party and then for that party to sell this data to chain analytics services.

This is just incentives catching up to the privacy flaws that exist. The only steps we can have is to yell out our concerns and point this shit out. I don't think Amboss is trying to be a bad actor, so all that's left is to educate and try to get them to reverse this feature.

I'll do some digging later but it's a sad reality that someone would abuse this sooner rather than later. Just hate to see that it's them.

Yeah, I can see how a privacy arbitrage situation could develop if users are paid.

What privacy impact does this product launch have on node operators who don’t opt-in to balance reporting?

For one, all it takes is a node operator's channel partners to report balance and then in effect, their balances are out there in the open too.

For two, it's quite obvious a large payment flowing through the network. If there's just a few nodes in a route where the data is not being publicized, there's still enough assumptions about the route that could take place. Plenty of academic research into correlating payments across the network.

It eventually gets into the aspect of anonymity sets and length of hops, which is getting worse and worse as the network becomes bigger (there's papers on that too). In the end, chain analytics and triple letter agencies sees who is paying who. What Amboss is doing right now is how we get to that point.

Appreciate the thoughtful response, super helpful.

So if a large subset of node operators decide that they don’t want to connect with nodes that share balance data, is it reasonable to think a new sub-graph may form between those nodes who want privacy?

I mean how would you know though? They even collect data that is "only shared with amboss" so nobody would know about this.

I do think maybe eventually sub graphs will happen anyways, but especially maybe a privacy focused one. I don't know if this is what brings us to that point but possibly other protocol improvements alongside LN in general.

True, maybe Amboss could add a badge to node profiles who have chosen to share balance data, just like the other badges that nodes get when they’re verified, ranked on Terminal, etc…

Do you think any of these ideas could help counter this trend:

  • white listing: only open channels with counter parties you can trust not to share balances
  • black listing: compile a list of known balance sharing nodes and develop open source tools to automatically blacklist them in routing, peering, and channel creation
  • Taint balance history databases with intentionally bad data
  • Modify routing algorithms to split payments more aggressively and route through more nodes
  • Augment the protocol with some kind of payment batching / net settlement protocol

Right on, yeah I think many of these are very valid. I wouldn't have thought people cared about black listing nodes but someone else I know suggested closing channels with nodes that show up as balance sharing node in their list. Unfortunately from what I can tell they have an option of balance sharing privately with just Amboss so you may not know that your channel partner is doing this.

If all else fails, and I don't use that term lightly, I think attacking these nodes are a very valid response to this.

These are some mitigations and the blacklisting especially does hurt the network. What we need is to change the approach: Don't make data sharing the norm because probing is already possible. Rather make probing more difficult, expensive and inconclusive.

Improve payment reliability by implementing Pickhardt-payments and share known good hops in Blinded Paths.

  • Wall of Shame website for data sharing nodes (where publicyl visible) now
  • lobby for the much more previcy preserving 2-bits approach proposed by Rene Pickardt

Apart from that, make script/plugin for nodes to report intentionally false data -essentially spam Amboss- has the best short-term cost-benefit ratio. Granted, we must assume that the big regulated nodes will virtue signal and openly communicate to not report false data, but the moment a payment takes two hops through non-datasharing nodes, then there is enough reasonable doubt

  • compromise: attempt to provide most of the same convenience with much less balance data (I think rene proposed 2 bits)
  • ddos balance sharing nodes
  • Activate BIP 300, give up on lightning privacy, and use zside
  • Move more transactions into chaumian ledgers

you can check out the stats portal here: https://amboss.space/stats

How are the stats verified?

Could I claim that my channels are constantly in balance by providing fake stats?