Posted on June 30, 2017
Recently there was a wave of concern about how Blockfolio uses the information you enter into the app. We want to address this and provide more clarity about how we handle and use your data, and mention some improvements we are making.
We take the privacy of our users very seriously, and we want to assure all of you that your data is safe and secure.
Several recent blog posts and tweets have made claims that Blockfolio is “snooping” on its users, suggesting we are operating nefariously. Yes, data is transmitted between the app and our servers so that we can provide services, but there is no snooping.
There are also claims that users’ funds could be put at risk by using Blockfolio. We want to clarify that Blockfolio is not a wallet and the app does not hold any tokens for users, nor any keys. Of course, hackers can use social engineering in a multitude of ways to compromise your funds and you should always use best practices when doing anything cryptocurrency-related, including using Blockfolio.
A reddit poster pointed out that our API calls were not making use of HTTPS/SSL. We immediately checked, and unfortunately found this to be true. While we do use HTTPS on iOS, we somehow overlooked this on Android. Our Android codebase is being deprecated and we did not put the required focus on this during our recent rapid growth. There is no excuse; this was a mistake and not at all up to industry standards. We owe our Android users a big apology. This issue has now been corrected.
We recommend our Android users update as soon as possible to make use of HTTPS. The insecure system will remain up for a few more days to allows users time to update.
We associate your holdings, trades, price alerts, and other data with your device ID, which is associated with your physical device (for example, your phone or tablet). Device IDs are also required in order for us to send push notifications, such as when your price alerts are triggered. Holdings, trades, alerts, etc, are stored on both the device and our servers, and this data is referenced using this unique ID. This ID does not provide any personal information to Blockfolio, it’s just a random string of numbers and letters.
In fact, one of the biggest complaints we have from our users is that they lose all their Blockfolio data when they lose or replace their phones (and that’s because data is associated with a device ID and cannot be connected to a person).
In order to accommodate users who want to have the ability to back up, recover, and sync their portfolios, we are building features that will let users link accounts with an email address.
Accounts will also allow users to access a web-based version of Blockfolio that we are building, as well as sync with their portfolio on their mobile device and vice versa. We are implementing a client-side hashing technique which utilizes the user’s device ID and password, and which prevents Blockfolio from being able to associate portfolio data with an email address. These hashed values, not email addresses, will be used to sync portfolio data. This process will provide users of accounts with the same level of anonymity as users who do not use accounts, with respect to their portfolio data.
In order to provide better services and develop business products, we plan to analyze the data on our platform. To date, we have not made use of any of the data in any way. When we do, we will ensure the privacy of our users is a top priority.
There have been allegations that Blockfolio is using user data to front-run markets and profit from trading. This is simply false. Neither Blockfolio nor any partners are using the data in this way, nor do we ever intend to. Additionally, front running markets using user data would not be effective, because users enter trades after they're executed, not before. Blockfolio users are also free to enter fictitious holdings and trades, making this data unreliable. It would make far more sense to use publicly available trading data from every major exchange, which we already make available to all our users on the "Book" tab of every coin.
When we do begin to analyze non-personally identifiable data, examples of ways we might use it include:
We believe that the way we have architected Blockfolio provides excellent privacy for our users. But we will always strive to make it even better. As we continue to develop Blockfolio and improve it, we will be working to give users more options regarding how and where their data is stored.
We are taking this opportunity to do a security and privacy audit on our full codebase, and to look for other areas where we can make improvements.
We also would encourage any bloggers or members of the community who are writing reviews of Blockfolio to contact us directly through these channels so that we might have an opportunity to provide you with information.
-The Blockfolio Team