Bambu Slicer and its forks save information in "projects" in 3MF format. Included in each project file is a large amount of unnecessary metadata that can, under certain circumstances, tie them directly to a Bambu Lab account.
For this reason, **Bambu Slicer and Orca project files should not be redistributed**. They are still **safe for private use**.
See the Conclusion section if you're short on time or don't care for the details.
[TOC]
# Overview
This look at 3MF project files does not analyze them in-transit or as they sit on a Bambu printer. It is concerned solely with how they sit on a PC after being saved by the slicer (`File` -> `Save`) and potentially redistributed thereafter.
A 3MF project file is one of those file formats that's just a zip file with a bunch of data inside. An example project with a 3dbenchy in it might look something like this when extracted:
```
3dbenchy.3mf
├── 3D/
│   ├── Objects/
│   │   └── 3dbenchy.stl_1.model
│   ├── _rels/
│   │   └── 3dmodel.model.rels
│   └── 3dmodel.model
├── Metadata/
│   ├── cut_information.xml
│   ├── model_settings.config
│   ├── pick_1.png
│   ├── plate_1.json
│   ├── plate_1.png
│   ├── project_settings.config
│   ├── slice_info.config
│   └── top_1.png
├── _rels/
└── [Content_Types].xml
```
The file `3D/3dmodel.model` is an XML file containing metadata about the project. The following `metadata` tags within the root `model` tag are of interest:
* `Application` - The exact version of the slicer used. On Orca, this may be the dev branch of Bambu Slicer that Orca is currently based on
* `CreationDate` - The initial creation date of the file
* `ModificationDate` - The last modification date of the file
* `DesignerUserId` - The **Bambu Lab user ID** (which is an integer) of the user who created this project
The file `Metadata/slice_info.config` contains version information about the slicer used.
Additionally, some more benign info is included:
* Various images are included in the 3MF that correspond to renders of the build plates
* The file `[Content_Types].xml` contains basic metadata about the type of file (3MF) and is held almost entirely constant
* Filenames of meshes are preserved, but not their paths of origin. This information is considered largely non-compromising, but the inclusion of filenames with characters that are illegal on certain filesystems (such as `:`) may fingerprint the author as running a non-Windows operating system. This information is readily presented in the slicer when a model is selected
# Risk Analysis
## Information Always Included
Information included in every 3MF constitutes a **minor fingerprinting risk**.
Regardless of circumstance, the fields `Application`, `CreationDate`, and `ModificationDate` are included in `3D/3dmodel.model`. The `Application` field is of only mild concern on its own, but contributes to a fingerprint, especially if the user is running a bleeding-edge build of a slicer, a niche fork of a slicer, or has vocally refused to update past a particular version.
The `CreationDate` and `ModificationDate` fields can be a concern if the 3MF's original file modification timestamp is known. Paired together and with multiple samples created at different times of day, the user's timezone could potentially be inferred. In addition to fingerprinting risk, this could be used to help deduce a user's country of origin and thus the local legality of their activities.
## Information Included if You're Signed In
Information included if you're signed in constitutes a **major privacy risk**.
If you have downloaded the Bambu network plug-in and have signed in, the field `DesignerUserId` is included with **every** 3MF you save and contains **your Bambu Lab user ID**.
Unprivileged users cannot resolve this ID into any compromising account information, but Bambu can, as well as any actors they could potentially cooperate with. Should Bambu suffer data leakage, this information could be available to unprivileged users.
Your Bambu Lab user ID is immediately correlated with your account's email address, its name, and your country of origin. An actor with access to Bambu's invoicing history (such as Bambu themselves) could also potentially correlate this account with a purchase order of a Bambu printer, which may include PII, shipping address, and partially-redacted payment information.
## Additional Concerns for MakerWorld Users
3MFs uploaded to MakerWorld contain even more metadata in `3D/3dmodel.model`:
* `Designer` - Your MakerWorld **username**
* `DesignRegion` - Your country of origin
* `Description` - The description of the MakerWorld release
Note that this information is only included when downloaded from MakerWorld. For this reason, if you intend to crosspost between the site and elsewhere, **never** download and share the MakerWorld 3MF. **Always** use a project file that has not seen the website.
Additionally, if you use the same Bambu account to create a project file for GunCAD while also using that Bambu account for benign things on MakerWorld, **the two activities could be correlated**. **Always** use a separate account for GunCAD activities.
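The tags covered in this section can be checked for in your own project file before it leaves your machine. The following is an added example, not part of the original write-up and not Bambu or Orca tooling. The function names, risk labels and sample values are made up for illustration, and treating an empty `DesignerUserId` as "not signed in" is an assumption.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

MODEL_PATH = "3D/3dmodel.model"
# Risk tiers mirror the three subsections of the Risk Analysis above.
RISK = {
    "Application": "minor-fingerprint",
    "CreationDate": "minor-fingerprint",
    "ModificationDate": "minor-fingerprint",
    "DesignerUserId": "major-account-id",
    "Designer": "makerworld",
    "DesignRegion": "makerworld",
    "Description": "makerworld",
}

def audit_3mf(source):
    """Return {tag: (risk, value)} for the non-empty metadata tags listed above."""
    with zipfile.ZipFile(source) as zf:
        root = ET.fromstring(zf.read(MODEL_PATH))
    findings = {}
    for el in root:
        # Elements are namespaced ("{ns}metadata"); compare the local name only.
        if el.tag.rsplit("}", 1)[-1] != "metadata":
            continue
        name, value = el.get("name"), (el.text or "").strip()
        if name in RISK and value:  # assumption: empty value means not signed in
            findings[name] = (RISK[name], value)
    return findings

def has_account_link(findings):
    """True if any tag ties the file to a Bambu Lab or MakerWorld account."""
    return any(risk != "minor-fingerprint" for risk, _ in findings.values())

def build_sample(user_id=""):
    """Constructed sample: a zip holding only the model XML, all values invented."""
    ns = "http://schemas.microsoft.com/3dmanufacturing/core/2015/02"
    xml = (f'<model xmlns="{ns}" unit="millimeter">'
           '<metadata name="Application">ExampleSlicer-0.0.0</metadata>'
           '<metadata name="CreationDate">2024-01-01</metadata>'
           f'<metadata name="DesignerUserId">{user_id}</metadata>'
           '<resources/><build/></model>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MODEL_PATH, xml)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for label, uid in (("signed out", ""), ("signed in", "1234567890")):
        found = audit_3mf(build_sample(uid))
        print(label, found, "account link:", has_account_link(found))
```

`audit_3mf` also accepts a path to a real `.3mf` on disk. A result with only `minor-fingerprint` entries still carries the fingerprinting risk described under "Information Always Included".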
# Response
Here's what you should do:
## Remove 3MF Project Files from Public Releases
If you have released a file with a 3MF in it:
* If you have a Bambu account, **redact the 3MF as soon as possible**
* If you do not have a Bambu account, redacting the 3MF is still advisable, but not an immediate concern
### Exporting Meshes from Project Files
If you load the project file into the slicer, you can right-click it and export it to an STL. Doing so does not carry over any of the problematic metadata the project file contains, at least visibly.
As a note: meshes that were converted from STEP are original renders done by the slicer, but STLs imported into the project are simply copied into the 3MF and will be copied out unmodified.
## (No Longer Advised) Advanced Alternative: Redacting Metadata Manually
**NOTICE**: This method of redacting information from a 3MF still leaves you reliant on a file format in which information may still be easily smuggled in the future. In the general case, I would **highly advise** you remove 3MFs **entirely** from your releases. Only attempt this if you absolutely cannot go without them.
If you are so inclined, you can peer into the 3MF with an archiving tool (like 7zip), edit `3D/3dmodel.model`, and redact the `DesignerUserId` field. Verify that the 3MF loads successfully into your slicer before redistributing.
# Conclusion
**DO NOT** include Bambu Studio project files in your releases. Though they offer many benefits, such as preorienting meshes, painting supports, and including settings, the format contains way too much metadata for the risk to be worth it.
In layman's terms, the concerns are:
* If you sign into the slicer, **Bambu can unmask you** given just **one** project file
* If you post on MakerWorld under a Bambu account, do **not** use that same account for GunCAD
* Given enough of these project files, even if you're signed out, someone could potentially fingerprint you
None of these concerns are an issue if you're just using project files locally. **If you're just using them personally and not redistributing them, you're fine**. This is only a problem for devs.