
What does MetaMask do with collected user data?

by Patricia

Controversy is growing after the MetaMask wallet revealed in a new privacy policy that it was collecting sensitive data on its users. The team had to explain what was being done with the data, but that wasn’t enough to appease the community.

MetaMask and the data it collected

We reported yesterday that MetaMask would be collecting IP data from its users by default, via its parent company ConsenSys. The change has sent the community into a tizzy, as the practices of crypto companies have come under particular scrutiny for weeks. To calm the situation, MetaMask issued a statement explaining that this data was not used:

“Our policy has always explained that certain information is automatically collected about how users use our sites, including the fact that this information may include IP addresses.”

So nothing new for MetaMask, which explains that when users interact with blockchains via a third party, such as Infura, the latter collects both the IP address and the wallet address in order to provide the service. As a reminder, Infura is the service that connects the wallet to the browsers used with MetaMask.

Dan Finlay, one of the co-founders of MetaMask, also said that this could be “fixed” soon, while claiming that these IP addresses were only temporarily stored and not used:

User addresses linked to a single IP address

But that wasn’t enough to appease the community. Developer Micah Zoltu pointed out on Twitter that when users open MetaMask, Infura collects their IP address, as well as all associated wallet addresses. If a Ledger wallet is connected, the linked addresses will also be collected by Infura:

What this means is that an IP address is linked to a group of addresses belonging to the same person, which effectively creates a particularly vulnerable database. As several commentators have pointed out, MetaMask does this for efficiency reasons: a single query can then update the balances of all the listed addresses.
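The linkage described above can be audited from the wallet side. The following is an added example, not code from MetaMask, Infura or the original article: it assumes balance lookups are JSON-RPC `eth_getBalance` calls (single or batched), and the function names, IPs and addresses are constructed for illustration. It groups the addresses a provider could tie together because they arrive in the same request or from the same source IP.

```javascript
// Added example, not MetaMask or Infura code. Assumption: balance lookups are
// JSON-RPC eth_getBalance calls, sent singly or as a batch. All IPs (RFC 5737
// documentation ranges) and wallet addresses below are constructed.
function addressesIn(body) {
  const parsed = JSON.parse(body);
  const calls = Array.isArray(parsed) ? parsed : [parsed]; // batch or single
  return calls
    .filter((c) => c && c.method === "eth_getBalance" && Array.isArray(c.params))
    .map((c) => String(c.params[0]).toLowerCase())
    .filter((a) => /^0x[0-9a-f]{40}$/.test(a));
}

// Union-find: every address is joined to the source IP it was sent from, so
// addresses sharing a request or an IP end up in the same cluster.
function linkableClusters(requests) {
  const parent = new Map();
  const find = (x) => {
    if (!parent.has(x)) parent.set(x, x);
    while (parent.get(x) !== x) x = parent.get(x);
    return x;
  };
  const union = (a, b) => parent.set(find(a), find(b));
  for (const { sourceIp, body } of requests) {
    for (const addr of addressesIn(body)) union("ip:" + sourceIp, addr);
  }
  const clusters = new Map();
  for (const node of parent.keys()) {
    if (node.startsWith("ip:")) continue; // report addresses only
    const root = find(node);
    if (!clusters.has(root)) clusters.set(root, []);
    clusters.get(root).push(node);
  }
  return [...clusters.values()].map((c) => c.sort());
}

const [A, B, C] = ["a", "b", "c"].map((ch) => "0x" + ch.repeat(40));
const call = (addr, id) => ({ jsonrpc: "2.0", id, method: "eth_getBalance", params: [addr, "latest"] });
// One batched query from one IP: the efficiency pattern described in the article.
const batched = [{ sourceIp: "203.0.113.7", body: JSON.stringify([call(A, 1), call(B, 2), call(C, 3)]) }];
// One request per address, each leaving through a different egress IP.
const separated = [A, B, C].map((addr, i) => (
  { sourceIp: `198.51.100.${i + 1}`, body: JSON.stringify(call(addr, 1)) }));

console.log("batched clusters:", linkableClusters(batched).length);
console.log("separated clusters:", linkableClusters(separated).length);
```

Splitting the batch into one request per address does not help on its own: if those requests still leave from the same IP, they collapse back into a single cluster.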

But does this justify potentially exposing users? That’s the question that is being asked. The community has made its distrust known. In the context of uncertainty following the FTX case, service providers are under particular scrutiny – and their actions analysed.
