Yes spark to spark payments are very bad.
Discussion
Also, one more thing: For the sake of argument, let's say Phoenix had surveillance power over its users, like LightSpark does.
Phoenix is still VASTLY superior to any service that uses Spark as a back end.
Phoenix runs one (1) out of 16,000 INTERCOMPATIBLE Lightning Nodes on the network, and one (1) out of hundreds of INTERCOMPATIBLE wallet services on the network.
the Lightning Network is DECENTRALIZED.
Anyone can spin up a Lightning Node. Anyone (with some tech skills) can build a wallet service.
If you are building technology to interact with Bitcoin, the only ethical way to do it is to use PUBLIC standards which are INTERCOMPATIBLE with other users, so you can help build a DECENTRALIZED system.
If you're not doing that, just use the Stripe API or something.
For anyone reading, we hope this has been an informative discussion.
In short, Spark payments have a few important privacy nuances. Transactions that stay entirely within Spark, Spark-to-Spark, aren’t private and reveal a link between users. When two Spark users pay each other over Lightning, the connection on a Spark explorer is obscured, but timing analysis can still expose the receiver. If you send from your Spark wallet to an external Lightning wallet, Spark only has the same level of visibility as any other LSP. When receiving from an external Lightning wallet into Spark, Spark similarly knows only what an LSP would about the sender. However, the receiver isn’t completely private either, timing attacks can reveal the receiving address and wallet balance, making it less private than a standard Lightning receive.
Let me translate, if I may:
"Spark payments have a few important privacy nuances."
Only use Blitz, or other Spark wallets, if you want your IP address to appear in David Marcus' personal database, along with your transaction history. Oh, and David loves to kill Palestinians. Does that bother you at all?
"timing analysis can still expose the receiver "
Noting "timing analysis" as a danger when you are using a fully centralized API run by LightSpark is like saying that a machine gun is dangerous because you might drop it on your foot. It's totally irresponsible to divert people with this.
"If you send from your Spark wallet to an external Lightning wallet, Spark only has the same level of visibility as any other LSP."
Fully incorrect. LSPs do NOT know the originator of a payment. Yes, they can see the entry node and exit node, but they do NOT know if the entry node is the actual "originator" or if the exit node is the actual "destination". Please educate yourself on how the Lightning Network works. The Lightning Network is DESIGNED for decentralization and privacy. Spark is not.