MetaMask Privacy Is Worse Than It Looks
The latest update for ConsenSys’ Infura API tool has caused a big outcry in the Ethereum community. As was announced yesterday, Infura will start collecting the IP addresses and Ethereum addresses of MetaMask users and linking them to each other, with immediate effect.
ConsenSys had announced this on November 23. However, in a blog post, the company downplayed the changes.
It said that the update only provided “clarity in relation to the information collected by Infura when users use Infura as their default RPC provider in MetaMask.”
“The updates to the policy do not result in more intrusive data collection or data processing, and were not made in response to any regulatory changes or inquiries.
Our policy has always stated that certain information is automatically collected about how users use our Sites, and that this information may include IP addresses,” ConsenSys stated.
At the same time, ConsenSys emphasized that when users interact with Ethereum via Infura, for example by sending a transaction or requesting an account balance, the provider receives both the user’s IP and wallet address.
“This is not Infura-specific,” ConsenSys claimed, adding that it continues “to pursue technical solutions to minimize this exposure, including anonymization techniques.”
However, when users run their own Ethereum node or use a third-party RPC provider with MetaMask, ConsenSys says that “neither Infura nor MetaMask will capture your IP address or Ethereum wallet address.”
Is The Privacy Update Even Worse For Ethereum And MetaMask Clients?
Notably, Infura is vital to the Ethereum blockchain. The tool is used by many other notable Web3 projects such as Polygon, Filecoin, Aragon, Gnosis and OpenZeppelin.
Adam Cochran, Partner at Cinneamhain Ventures, commented that “the MetaMask stuff is worse than it even looked at first.”
“Not just collecting data when you send a tx – the moment you unlock the wallet it records ALL your addresses under the same IP.
This database creates a MAJOR doxxing risk in the space. Time to ditch MM.”
Cochran is referring to a tweet from Micah Zoltu, who filed a bug report on GitHub. According to Zoltu, Infura captures more than ConsenSys admits. The tool collects the IP address as well as all accounts and all addresses as soon as the user unlocks the account.
“This is true also for other chains, as a user connecting to a test network or L2 via MM will also send the RPC provider for that chain all of their accounts rather than just the selected account,” Zoltu wrote on GitHub.
Bitcoin analyst Dylan LeClair commented on Twitter with only “Probably nothing” and “Paying attention,” pointing out that Infura already made a controversial move against privacy in September when it blocked access to Tornado Cash.
LeClair also pointed to the fact that JPMorgan received a significant stake in the lucrative ConsenSys intellectual property (IP), particularly MetaMask and Infura, as a lawsuit against ConsenSys revealed this year.
At the time, a group of ConsenSys shareholders demanded a probe into a deal in which JPMorgan acquired a significant stake in the Ethereum infrastructure projects Infura and MetaMask. It turned out that JPMorgan received a 10% stake. The deal was known as “Project North Star.”
At press time, Ethereum (ETH) was trading at $1,183, bouncing off the support at $1,171.