ConsenSys Wants Your IP Address, Crypto Wallet, Bank Account
ConsenSys has a new privacy policy, which states it collects IP addresses and other sensitive data for all MetaMask users relying on Infura
ConsenSys co-founder Joseph Lubin | Source: Collision.conf/"Collision 2018" (CC license)
ConsenSys, the Ethereum studio behind popular crypto infrastructure such as MetaMask and Infura, is now formally collecting IP and Ethereum wallet addresses of users.
The firm revised its privacy policy on Nov. 23 to notify MetaMask users that it would hoover up the data when using Infura as default Remote Procedure Call (RPC) provider.
Alongside IP and wallet addresses, ConsenSys says it collects usernames, passwords and gender information, as well as financial data such as asset holdings, bank account numbers and bank routing numbers (MetaMask supports Visa and Mastercard purchases for crypto).
But in cases where a user utilizes their own Ethereum node or a third-party RPC provider, then neither Infura nor MetaMask will collect IP and wallet addresses, ConsenSys said.
Infura is a primary node backbones of the Ethereum ecosystem, allowing Web3 developers to connect their apps to the Ethereum network via APIs and other tools. Its popularity has been a sticking point for decentralization purists for years.
ConsenSys formally acquired all of the rights to Infura in late 2019. MetaMask is one Web3 app that relies on Infura by default — it’s a self-custody crypto wallet allowing over 21 million monthly active users to interact with decentralized applications (dapps) on the Ethereum blockchain via their web browser.
ConsenSys’ update follows a similar move by decentralized exchange Uniswap, which recently said it collects some on-chain data to improve user experience.
Still, the decision to overtly declare data collection has attracted the ire of privacy-minded crypto folk, and has many wondering whether Web3 is any different from Web2’s data dragnet.
Privacy advocates suggest minimizing online footprints and massively reducing the amount of sensitive data shared with internet service providers.
ConsenSys’ didn’t initially state why it made the move, but some speculated that regulatory restrictions may be the reason. Infura dropped Tornado Cash as a client in the wake of US sanctions on the crypto mixer back in August.
Daniele Servadei, CEO of merchant tooling startup Sellix, reasoned that Consensys is required to keep the data due to the European Union’s General Data Protection Regulation (GDPR), or it’ll receive a huge fine.
“This news just shows how important it is to have a personal node for the crypto you want to use and why centralized services are bad,” Servadei told Blockworks. ConsenSys didn’t return Blockworks’ request for comment by press time.
ConsenSys later addressed the controversy in a blog post. “The updates to the policy do not result in more intrusive data collection or data processing, and were not made in response to any regulatory changes or inquiries,” the firm said.
IP address and wallet collection is not Infura-specific and consistent with how web architecture works, ConsenSys said, “though we continue to pursue technical solutions to minimize this exposure, including anonymization techniques.”
Decentralized Infura alternatives gain sudden interest
Other industry participants shared concern over whether ConsenSys could responsibly safeguard the data it collects. Rashid Ali, CEO of metaverse firm Exarta, asked: “Looking at the breaches happening every year, is data ever really safe with a centralized organization?”
With this in mind, there are Infura alternatives which, at this stage, don’t appear to collect sensitive user information.
Decentralized infrastructure provider Ankr saw its token jump as much as 23% after Consensys’ update. Another option is Alchemy, which doesn’t have a token. MetaMask has been expected to release one but hasn’t as yet.
In any case, this isn’t the first time ConsenSys and MetaMask have come under fire for deprioritizing user privacy.
In March 2019, MetaMask developers drew flak for opting to keep its “privacy mode” turned off by default. When the setting was inactive, MetaMask broadcasted Ethereum wallet addresses to every website users visited alongside all third party trackers.
Turning it on by default would’ve broken older dapps, MetaMask said at the time. The team made privacy mode standard about five months later.
Updated Nov. 25, 2022 at 3:04 am ET: Included ConsenSys’ blog post addressing the matter.
Get the news in your inbox. Explore Blockworks newsletters:
- The Breakdown: Decoding crypto and the markets. Daily.
- 0xResearch: Alpha in your inbox. Think like an analyst.
