A few days ago, ConsenSys updated its Privacy Policy, which contains a paragraph dedicated to the MetaMask wallet and the policy on login.
The MetaMask wallet and the new policy on login
MetaMask is by far one of the most widely used wallets for Ethereum in the world, with more than 21 million monthly active users, partly because it works with a browser extension that allows the crypto wallet to be easily and quickly linked to many websites.
ConsenSys Software Inc. is the company that produces and releases this wallet, so its statements about it are official.
MetaMask allows users to store and manage their own private keys, so it is a non-custodial wallet. It is used to receive and send cryptocurrencies and Ethereum-based tokens, with the particularity that it can be easily connected to various decentralized websites and applications.
In this way, it not only makes transactions very simple to perform, but also allows the websites and dApps themselves to authenticate the user to smart contracts, albeit anonymously.
One of the criticisms that have always been leveled at this solution lies precisely in the management of user data.
Although in theory, the non-custodial wallet should leave the user in full and exclusive control of their data, ensuring a good level of privacy, in reality, it could potentially collect and share information with third parties that could make users identifiable.
The recording of IPs upon login using MetaMask wallet
Therefore, logging the user’s IP only increases criticism in this regard.
The paragraph in ConsenSys’ new privacy policy says that when using Infura as the default RPC provider in MetaMask, Infura will collect users’ IP addresses and Ethereum wallet addresses when sending a transaction.
Those who do not want this data collected are offered the option of using a third-party RPC provider, or their own Ethereum node. However, ConsenSys warns that other RPC providers also collect this information.
It is worth noting that the Infura RPC provider is developed by ConsenSys itself, and is the default provider in MetaMask.
So by default ConsenSys will collect the IP addresses of MetaMask users when they perform a transaction, offering as an alternative only the explicit choice of another RPC provider but without indicating which ones do not collect user IPs.
Other information collected
The new ConsenSys Privacy Policy page also lists other information that is collected, although this is listed in different paragraphs than the one dedicated to MetaMask.
Some of this information is directly and explicitly asked of the user, which may include first and last name, date of birth, mailing address, e-mail address, phone number, and so on.
Other information, however, is collected by default when you use other ConsenSys services. Codefi, for example, also collects your country and place of birth, nationality, social security number, employer, occupation, ID, and other information necessary to comply with anti-money laundering (AML) laws and KYC requirements.
However, ConsenSys discloses all of this openly on this page, so that users can be well informed about what data they hand over to the company.
ConsenSys is for all intents and purposes a private company, founded in 2014 by Joseph Lubin, based in New York City. It has more than 500 employees, and no data on shareholder ownership or revenues are publicly available.
Infura
Wallets like MetaMask do not contain an Ethereum node inside them. So they need to connect with external nodes to function.
By default, the RPC (Remote Procedure Call) provider they use is Infura, which manages blockchain nodes in their place. When someone makes a transaction in MetaMask, the wallet connects to Infura, which transmits the transaction to the Ethereum blockchain. The connection is made through a Remote Procedure Call, which sends Infura all the data so that it can transmit the transaction to the Ethereum network.
When installing MetaMask, the preset RPC provider is Infura, so if the user does not change it, their IP will be recorded when they send a transaction.
Other RPC providers are also available, and users can connect MetaMask to them in order not to use Infura. However, caution must be exercised, because it is not certain that other RPC providers are actually better.
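To make concrete what an RPC provider can observe, the following added example (not ConsenSys or MetaMask code) parses constructed JSON-RPC request bodies and lists the IP-to-address pairs visible in them. The sample IPs, the sample addresses and the function names are assumptions made for illustration; the method names are standard Ethereum JSON-RPC methods.

```python
import json
import re
from collections import defaultdict

ADDR_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")

# Where standard Ethereum JSON-RPC methods carry the account address in plaintext.
ADDRESS_PARAMS = {
    "eth_getBalance": lambda p: p[0],
    "eth_getTransactionCount": lambda p: p[0],  # nonce lookup before signing
    "eth_estimateGas": lambda p: p[0].get("from"),
    "eth_call": lambda p: p[0].get("from"),
}

def visible_links(remote_ip, body):
    """Return (ip, address, method) tuples a provider could log from one HTTP request."""
    payload = json.loads(body)
    calls = payload if isinstance(payload, list) else [payload]  # batch or single call
    links = []
    for call in calls:
        try:
            extract = ADDRESS_PARAMS[call["method"]]
            addr = extract(call.get("params") or [])
        except (KeyError, IndexError, AttributeError, TypeError):
            continue  # no plaintext address here, or malformed params
        if isinstance(addr, str) and ADDR_RE.match(addr):
            links.append((remote_ip, addr.lower(), call["method"]))
    return links

def addresses_by_ip(requests):
    """Group every wallet address seen in the request bodies by source IP."""
    seen = defaultdict(set)
    for ip, body in requests:
        for _, addr, _ in visible_links(ip, body):
            seen[ip].add(addr)
    return dict(seen)

# Constructed sample traffic: documentation-range IPs and made-up addresses.
ADDR_A = "0x" + "ab" * 20
ADDR_B = "0x" + "cd" * 20

def _rpc(method, params):
    return {"jsonrpc": "2.0", "id": 1, "method": method, "params": params}

SAMPLE_REQUESTS = [
    ("203.0.113.7", json.dumps(_rpc("eth_getTransactionCount", [ADDR_A, "pending"]))),
    ("203.0.113.7", json.dumps([_rpc("eth_estimateGas", [{"from": ADDR_B, "to": ADDR_A}]),
                                _rpc("eth_sendRawTransaction", ["0x02"])])),
    ("198.51.100.9", json.dumps(_rpc("eth_blockNumber", []))),
]
```

The example skips `eth_sendRawTransaction` because recovering the sender from a signed transaction requires secp256k1 signature recovery, which is outside the standard library; the calls a wallet makes around sending already expose the address.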
The risks
The biggest risk at this point is that one’s on-chain transactions will be recognizable.
All on-chain transaction data on Ethereum is public, and in plain text, including the sender’s wallet address. However, it is anonymous data, from which it should be very difficult to trace the identity of the wallet owner.
Recording the IP address associated with on-chain transactions reduces this difficulty, making it somewhat easier to eventually identify the owner.
Truth be told, ConsenSys has quite a bit of data to identify users, although with the simple use of MetaMask this identification might still be difficult. However, if other tools, such as Codefi, are also used, identification becomes much easier.
Nonetheless, the information collected by ConsenSys about its users is not made public, and only some anonymous data is recorded on the blockchain.
Finally, it should be added that in reality many users who wish to maintain a high level of anonymity already use tools to hide or change their IP, such as so-called VPNs, so even in the case where the RPC provider records this data, it is almost impossible to use it to identify the owner of the wallet.
Source: https://en.cryptonomist.ch/2022/11/25/metamask-wallet-ips-login/