RoboSats / robosats

A simple and private bitcoin exchange
https://learn.robosats.com
GNU Affero General Public License v3.0

Stronger privacy for invoice descriptions #282

Open tiddymasher opened 1 year ago

tiddymasher commented 1 year ago

Is your feature request related to a problem? Please describe. When you pay an invoice using an LN-enabled exchange for actions such as locking in a trade or creating a trade, the invoice will sometimes indicate it's from RoboSats and also has messaging that exchanges can easily track, identifying users of RoboSats. This is a serious privacy concern for anyone who is looking to use RoboSats as a KYC off-ramp from a KYC'd exchange.

Example messaging includes "You paid RoboSats" and "This payment WILL FREEZE IN YOUR WALLET, check on the website if it was successful...(message continues)".

In both cases, an exchange such as Strike being used to pay an invoice will see this messaging on their end, and can easily identify KYC'd users who are attempting to use RoboSats in any capacity.

Describe the solution you'd like I understand the need for this messaging, it is very user friendly and describes the process. However, if you're an experienced user there should be an option to disable this messaging entirely or customize it. It would be great to have a toggle button that can be enabled/disabled that would remove all this messaging. Less noise makes it a little more difficult to easily identify a RoboSats invoice from a regular lightning invoice on a KYC exchange.

Describe alternatives you've considered As an alternative, it may be best to consider moving the messaging to be contained entirely within the RoboSats platform, displayed on a webpage somewhere. While a KYC exchange is one example, there are plenty of scenarios where you would not want your wallet transaction descriptions to automatically be identifiable as originating from RoboSats.

Additional context I don't know how difficult a feature this would be to implement, but if need be I would love to shift into actively building and contributing this feature myself to get it implemented. I would appreciate any guidance into getting started if no one else is able to take on the task. It is critical to always consider the privacy implications.

Reckless-Satoshi commented 1 year ago

Hey @tiddymasher thanks a lot for opening this issue and offering a hand!

Well, this discussion has already taken place, the work has been done and what you currently see live is the solution: see #168 and #210.

Stealth invoices are in fact now the default. Sender nodes will always know they are sending Sats to RoboSats, it is unavoidable: Bolt11 encodes for the Node ID of the receiver (RoboSats node). The current description is generic and does not add any new info that compromises the user. However it adds useful tips that are always nice for the new users and experienced alike. The only way to further improve privacy is to not use custodial solutions.

We could discuss though "description-less" invoices. I am not sure there is any privacy gain for them... maybe your wife checking your phone screen while you scroll your transactions :smile: (... a valid concern though!!)
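As an added illustration of the point made above (this is example code written for this page, not RoboSats code, and the key, payment hash, timestamp and description are constructed for the demo), the block below builds a minimal BOLT11 invoice the way a receiving node would and then decodes it the way any third party holding the string can: the `d` description field is plaintext, and the payee node id is recovered from the invoice signature alone, without any `n` tag. The secp256k1 and bech32 code is a small pure-Python implementation (not constant-time, not RFC 6979) so that it runs with no dependencies.

```python
# Added example: what a custodial sender can read out of a BOLT11 invoice.
# Pure Python, no dependencies. DEMO_PRIV, the payment hash and the
# description are constructed for the demo; this is not a real invoice.
import hashlib

CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"          # bech32 alphabet
P = 2**256 - 2**32 - 977                               # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
DEMO_PRIV = 0x1F2E3D4C5B6A79880123456789ABCDEF0123456789ABCDEF0123456789ABCDEF  # constructed, not a real node key

# --- minimal secp256k1 ECDSA (affine, not constant-time; demo only) ---------
def _add(a, b):
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    lam = (3 * a[0] * a[0] * pow(2 * a[1], -1, P) if a == b
           else (b[1] - a[1]) * pow(b[0] - a[0], -1, P)) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def _mul(k, pt):
    acc = None
    while k:
        if k & 1: acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return acc

def _compress(Q):
    return bytes([2 + (Q[1] & 1)]) + Q[0].to_bytes(32, "big")

def node_id(priv):
    return _compress(_mul(priv, G))

def sign(priv, z):
    k = int.from_bytes(hashlib.sha256(priv.to_bytes(32, "big") + z.to_bytes(32, "big")).digest(), "big") % N
    R = _mul(k, G)                                     # deterministic demo nonce (real nodes: RFC 6979)
    r = R[0] % N
    s, rec = pow(k, -1, N) * (z + r * priv) % N, R[1] & 1
    if s > N // 2: s, rec = N - s, rec ^ 1             # low-s; negating s negates R, flipping its parity
    return r, s, rec

def recover(r, s, rec, z):
    """Q = r^-1 (s*R - z*G): the payee node id falls out of the signature alone."""
    y = pow(r**3 + 7, (P + 1) // 4, P)
    if (y & 1) != rec: y = P - y
    rinv = pow(r, -1, N)
    return _compress(_add(_mul(rinv * s % N, (r, y)), _mul(-rinv * z % N, G)))

# --- bech32 (checksum only; BOLT11 ignores the 90-char limit) ---------------
def _polymod(values):
    gen, chk = [0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3], 1
    for v in values:
        top, chk = chk >> 25, ((chk & 0x1ffffff) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1: chk ^= gen[i]
    return chk

def _hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]

def bech32_encode(hrp, data):
    pm = _polymod(_hrp_expand(hrp) + data + [0] * 6) ^ 1
    return hrp + "1" + "".join(CHARSET[d] for d in data + [(pm >> 5 * (5 - i)) & 31 for i in range(6)])

def bech32_decode(s):
    s = s.lower(); pos = s.rfind("1")
    hrp, data = s[:pos], [CHARSET.index(c) for c in s[pos + 1:]]
    if _polymod(_hrp_expand(hrp) + data) != 1: raise ValueError("bad bech32 checksum")
    return hrp, data[:-6]

def convertbits(data, frombits, tobits, pad=True):
    acc = bits = 0; out = []; maxv = (1 << tobits) - 1
    for v in data:
        acc, bits = (acc << frombits) | v, bits + frombits
        while bits >= tobits:
            bits -= tobits; out.append((acc >> bits) & maxv)
    if pad and bits: out.append((acc << (tobits - bits)) & maxv)
    return out

# --- BOLT11 encode (what the receiver does) and decode (what any holder can do)
def _tagged(tag, data5):
    return [CHARSET.index(tag), len(data5) >> 5, len(data5) & 31] + data5

def make_invoice(priv, amount, payment_hash, description, timestamp):
    hrp = "lnbc" + amount                              # e.g. "10u" = 10 microBTC = 1000 sat
    data = [(timestamp >> (5 * (6 - i))) & 31 for i in range(7)]   # 35-bit timestamp
    data += _tagged("p", convertbits(payment_hash, 8, 5))
    data += _tagged("d", convertbits(description.encode(), 8, 5))  # plaintext description
    z = int.from_bytes(hashlib.sha256(hrp.encode() + bytes(convertbits(data, 5, 8))).digest(), "big")
    r, s, rec = sign(priv, z)
    sig = r.to_bytes(32, "big") + s.to_bytes(32, "big") + bytes([rec])
    return bech32_encode(hrp, data + convertbits(sig, 8, 5))

def third_party_view(invoice):
    """Everything a custodian (or anyone shown the string) learns without paying."""
    hrp, data = bech32_decode(invoice)
    body, sig = data[:-104], bytes(convertbits(data[-104:], 5, 8, pad=False))
    z = int.from_bytes(hashlib.sha256(hrp.encode() + bytes(convertbits(body, 5, 8))).digest(), "big")
    payee = recover(int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:64], "big"), sig[64], z)
    view, pos = {"amount_hrp": hrp[4:], "payee_node_id": payee.hex()}, 7   # pos 7 skips the timestamp
    while pos < len(body):
        tag, ln = CHARSET[body[pos]], (body[pos + 1] << 5) | body[pos + 2]
        field = bytes(convertbits(body[pos + 3:pos + 3 + ln], 5, 8, pad=False))
        pos += 3 + ln
        if tag == "d": view["description"] = field.decode()
        if tag == "p": view["payment_hash"] = field.hex()
    return view

def demo():
    inv = make_invoice(DEMO_PRIV, "10u", hashlib.sha256(b"demo preimage").digest(),
                       "You paid RoboSats", 1681000000)
    return inv, third_party_view(inv)

if __name__ == "__main__":
    invoice, view = demo()
    print(invoice); print(view)
```

Running `demo()` shows the two facts the discussion turns on: a description-less invoice would only drop the `description` key, while `payee_node_id` is still recovered from the signature, so whoever holds the invoice (a custodial wallet, the exchange's support staff with access to its logs) can always tell which node is being paid; only doing your own routing keeps the invoice string out of a third party's hands.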

tiddymasher commented 1 year ago

Yeah I understand at a certain point sender nodes can see where it's going. I think my main point is to try and make it less noisy where possible with description-less invoices that way it isn't immediately obvious. Currently, most employees of a KYC exchange could identify robosats users at a glance, however the inner details of a LN invoice transaction are typically only accessible through the team responsible for operating and maintaining the LN node. If I had to have a conversation with customer service for example, I wouldn't want them to be able to easily identify "oh, this is a robosats invoice based on the description" because honestly, it's not really for them to know.

It also sounds like maybe the best way to handle this if it is a concern would be to set up a node and open a private channel with Robosats - is that possible? Then the transaction flow could look something like use KYC exchange to fund node, and then use that node to pay invoices on Robosats.

Thanks for the links, I will check them out.

Reckless-Satoshi commented 1 year ago

> most employees of a KYC exchange could identify robosats users at a glance

True that. Though it rather depends on how they parse the invoice info. I would take for granted they also have a field with the Alias of the node the transaction goes to (RoboSats) and probably the route it took (all node alias hop by hop). It might be key to debug / help customers.

Again, the only way to actually be private is to do your own routing (do not use that service, but your own node).

An extra shower thought: It might be better that users are aware the invoice has explicit information about where they are sending Sats so they avoid using that custodial service. Rather than hide this inherent privacy flaw of bolt11 from the user's eyes, but still leave them vulnerable to the third party service.

> It also sounds like maybe the best way to handle this if it is a concern would be to set up a node and open a private channel with Robosats - is that possible?

Of course! But no need to go to that extent. One can use private wallets like Blixt or Phoenix (light mobile nodes). No direct channels with RoboSats are needed either. As long as only you have access to the invoice and you do your own routing it would be very private! More info about wallets in https://learn.robosats.com/docs/wallets

lnproxy commented 1 year ago

Could be a good idea to recommend that users of custodial KYC wallets wrap robosats invoices before paying them so that their custodians are not able to figure out that payments are going to robosats.

Reckless-Satoshi commented 1 year ago

> Could be a good idea to recommend that users of custodial KYC wallets wrap robosats invoices before paying them so that their custodians are not able to figure out that payments are going to robosats.

One more reason for the built-in "use lnproxy" form. Is there a list of available lnproxy servers?

lnproxy commented 1 year ago

Not yet, the only one I know so far is mine: https://lnproxy.org. I know some people are trying it out and I'll publish a list as soon as possible.