The cryptocurrency community has a tendency to fixate on a new issue every few weeks and then promptly forget about it. The limited attention span of this community misses the ultimate resolution of important issues. Over the Thanksgiving holiday in November 2022, ConsenSys released a disclosure about a privacy policy affecting MetaMask users that sent “Crypto Twitter” into a firestorm. My first reaction was also negative.
That’s what a sly fox would say isn’t it? pic.twitter.com/PfKMTiNHoR
— J.W. Verret, JD, CPA/CVA (@JWVerret) November 25, 2022
The MetaMask browser extension wallet uses a node called Infura. That node is owned by ConsenSys, the same company that develops MetaMask. The press release reminded users that Infura collects the internet protocol (IP) addresses and wallet addresses of users who connect their MetaMask wallet to Infura. It also reminded them that MetaMask users don’t have to use Infura, which is only a default, and that MetaMask allows connection to other public node providers such as Alchemy or Ankr.
When you send or receive crypto, your wallet interacts with the blockchain. But wallets don’t download the blockchain; that’s too cumbersome for a wallet on your phone. Instead, when your crypto wallet sends a transaction, most wallets use a public node to request that new transactions be added to the blockchain via the mempool.
(You could set up your own node. In fact, for better privacy and speed, you probably should. More private nodes also mean a more decentralized network. But I’ve tried and I don’t have sufficient technical skills to do so. Maybe you will have better luck.)
Now, let’s remember that blockchains like Ethereum aren’t private. If you want privacy, you need to use a privacy coin like Monero (XMR), which leaks some information about the sender, or Zcash (ZEC)-shielded transactions, which leak no sender information. Or you need a privacy tool, but unfortunately, the government-sanctioned Tornado Cash was previously the most reliable privacy tool on Ethereum.
Regardless, if you are using a public node or any other central service to transact in crypto, you need to use a virtual private network (VPN) or Tor (easy to use with the Tor browser) to mask your internet service provider (ISP) address. Is anyone out there using Ledger Live to transact in crypto using your Ledger hardware device? Ledger Live tracks ISPs too, and apparently keeps that information for up to five years.
Privacy is a personal responsibility. No one will protect it for you. Crypto users need to learn to use privacy tools like VPNs, Tor, privacy coins, etc. The day will soon come when governments send blanket “John Doe summonses” to public node providers to get those ISPs, just like the Internal Revenue Service did to central crypto exchanges in the early days of crypto. And those intermediaries will undoubtedly comply.
There are legitimate reasons remote procedure call providers may want to retain ISP information. Some node users who are Infura clients may want ISPs tracked because it could help to hunt down hackers.
So, back to the question: Are we still mad at MetaMask? Foxes are known for being clever. However, less known is that they’re also loyal, as both males and females care for a tight-knit family unit. Was the MetaMask fox too clever, or was he loyal to core blockchain principles?
What sparked the outrage was public disclosure about changes to their privacy policy. Transparency is a good thing — or should be unless Crypto Twitter erupts violently in response to those disclosures. And they further refined their privacy policy in response to the criticism. Read the new Infura privacy policy for yourself here. It seems straightforward and attempts limited privacy protection.
Para los que se preocupan por su IP en MM recuerden que pueden cambiar el RPC de Infura en 4 pasos de la siguiente manera:
— . | (@ancestral_alien) November 25, 2022
Except you do, you have, you will always bc there is no way not to. Dont disrespect your users like that.
— Tay (@tayvano_) November 24, 2022
You send every users various onchain addreses, IPs, info to mewapi (you), blockchain info, moonbeam network, on and on.
The ONLY diff is that YOU blatantly lie abt it.
Infura competitors like Alchemy and MyEtherWallet took this opportunity to throw shade Infura’s way. One MetaMask developer hit back. Read Alchemy’s privacy policy, which uses legalese to reserve the right to collect and use data however Alchemy chooses. Alchemy’s privacy policy gets a negative recommendation from Chainlist for its poor privacy practices. Not cool.
In crypto, as with life, privacy is a personal right and responsibility. Energy spent on momentary outbursts is better spent learning about privacy technology to protect yourself.