The latest update to ConsenSys’ Infura API tool has caused an uproar in the Ethereum community. As announced yesterday, Infura will begin collecting and assigning IP and Ethereum addresses from MetaMask users with immediate effect.
ConsenSys informed of this on November 23. However, in a blog postthe company downplayed the changes.
He said that only “clarity regarding what information Infura collects when users use Infura as the default RPC provider in MetaMask” was provided.
“The policy updates do not result in more intrusive data collection or processing, and were not made in response to regulatory changes or inquiries.
Our policy has always stated that certain information is automatically collected about how users use our sites, and that information may include IP addresses,” ConsenSys said.
At the same time, ConsenSys pointed out that when users interact with Ethereum through Infura, for example by sending a transaction or requesting an account balance, the provider receives both the IP address and the wallet address of the ‘user.
“This is not specific to Infura,” ConsenSys asserted and went on to say that it continues to “investigate technical solutions to minimize this exposure, including anonymization techniques.”
However, when users use your own Ethereum node or a third-party RPC provider with MetaMask, ConsenSys states that “neither Infura nor MetaMask will capture your Ethereum IP address or wallet address.”
Is the privacy update even worse for Ethereum and MetaMask clients?
Remarkably, Infura is vital to the Ethereum blockchain. The tool is used by many other notable Web3s projects such as PolygonFilecoin, Aragon, Gnosis and OpenZeppelin.
Adam Cochran, Partner at Cinneamhain Ventures commented that “the MetaMask thing is worse than it first appeared.”
Not just collecting data when you send a tx – the moment you unlock the wallet it saves ALL your addresses under the same IP address.
This database creates a MAJOR doxxing risk in the space. It is time to abandon MM.
Cochran refers to a tweet from Micha Zoltu, which wrote a bug report via GitHub. According to Zoltu, Infura captures more than ConsenSys admits. The tool collects the IP address as well as all accounts and addresses as soon as the user unlocks the account.
“This is also true for other chains, as a user connecting to a testnet or L2 via MM will also send that chain’s RPC provider all of their accounts rather than just the selected account,” Zoltu wrote on GitHub. .
Bitcoin analyst Dylan LeClair commented via Twitter only “Probably nothing” and “Warning”, pointing out that Infura had already made a controversial decision against privacy in September by blocking access to Tornado Cash.
LeClair also pointed out that JP Morgan received a significant stake in the lucrative intellectual property (IP) of ConsenSys, specifically MetaMask and Infura, as a lawsuit against ConsenSys revealed this year.
At the time, a group of ConsenSys shareholders called for an investigation into a OK in which JPMorgan acquired a significant stake in Ethereum Infura and MetaMask frameworks. It turned out that JP Morgan received a 10% stake. The deal was known as “Project North Star”.
As of press, Ethereum (ETH) was trading at $1,183, rebounding from support at $1,171.