I didn’t know how terrible privacy was in web3 until I found DERP

A recent privacy scandal has made waves throughout the web3 community as crypto giant ConsenSys updated its privacy policy, exposing that MetaMask has been gathering users’ IP and wallet addresses when the service is accessed through Infura.

MetaMask, the most popular wallet for EVM chains, and Infura, the world’s largest RPC provider, are owned by Ethereum titan ConsenSys. You add all this together, and you get the largest privacy scandal in crypto this year.

This type of monopolistic data harvesting by closed-source, black-box software is an issue that plagued Web 2.0 and was thought to be contrary to the ethos of crypto. But web3 seems to have inherited it all the same, all the way down to its most fundamental tool: the wallet.

But how much data is Infura or any RPC providers actually harvesting from users?

How bad is the state of privacy in web3?

Answering this is not entirely possible since all we know is that they are gathering IP and wallet addresses. Since Infura doesn’t publish its source code, it’s impossible for us to know exactly what they do and don’t store or what they may do with this information.

But while going down this rabbit hole, I managed to find DERP, a tool that exposes just what your RPC provider sees while connected to your wallet. Whether they store this information, we don’t know, but it’s a devastating insight into how bad privacy is in web3.

What is DERP?

DERP is an RPC proxy that live-streams the data your RPC provider requests through your wallet.

You simply switch your wallet's network to one of DERP's alternatives, and it will route requests made by your wallet to an active browser session at derp.hoprnet.org.

Now, this is somewhat hard to decipher beyond the fact that your device, IP address and wallet address are exposed, but it reveals a lot more than that when you break down the payloads.

What does it expose?

Swiss privacy project HOPR, which made DERP, has broken down the payloads for common wallet use cases, and the results are worse than I initially thought.

You’re bleeding data just by browsing DeFi services. Your RPC provider can see the products you’re viewing or browsing without making any transactions, as well as metadata exposing your identity. This comes with advanced MEV risks, one of which is explained here.

But the worst of all is that all of your MetaMask accounts are linked and exposed. Making multiple accounts does not make each of them separate and private. Anyone with access to your RPC calls can see who you are, what wallets you own and everything you do with these wallets. Even something as small as connecting your wallet to a web3 service or website is tracked and exposed.

The security and privacy MetaMask claims between wallet accounts are lost when it comes to what is visible to its sibling company Infura.
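To make the linking concrete, here is an added Python sketch (not DERP's code and nothing from HOPR or ConsenSys) of what an RPC endpoint can tabulate from raw JSON-RPC traffic: per client IP, every address queried and the methods used. The requests, IPs and addresses are constructed samples; the calldata parsing assumes the standard ERC-20 balanceOf(address) selector.

```python
import json
import re
from collections import defaultdict

# Constructed sample traffic (not real captures): the client IP comes from the
# HTTP connection; the bodies mirror the JSON-RPC calls a MetaMask-style wallet
# makes when it unlocks two accounts, then merely views a token balance on a DeFi site.
ACCOUNT_A, ACCOUNT_B, ACCOUNT_C = ("0x" + h * 20 for h in ("aa", "bb", "cc"))
TOKEN = "0x" + "ee" * 20
BALANCE_OF = "0x70a08231"  # ERC-20 balanceOf(address) selector; arg is a padded 32-byte word
SAMPLE_REQUESTS = [
    ("203.0.113.7", '{"jsonrpc":"2.0","id":1,"method":"eth_chainId","params":[]}'),
    ("203.0.113.7", json.dumps({"jsonrpc": "2.0", "id": 2, "method": "eth_getBalance",
                                "params": [ACCOUNT_A, "latest"]})),
    ("203.0.113.7", json.dumps({"jsonrpc": "2.0", "id": 3, "method": "eth_getBalance",
                                "params": [ACCOUNT_B, "latest"]})),
    ("203.0.113.7", json.dumps({"jsonrpc": "2.0", "id": 4, "method": "eth_call",
                                "params": [{"from": ACCOUNT_A, "to": TOKEN,
                                            "data": BALANCE_OF + "00" * 12 + ACCOUNT_A[2:]},
                                           "latest"]})),
    ("198.51.100.9", json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_getBalance",
                                 "params": [ACCOUNT_C, "latest"]})),
]

ADDR_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")  # whole 20-byte hex tokens only


def addresses_in(value):
    """Recursively collect every address in a params value, including one packed into balanceOf calldata."""
    found = set()
    if isinstance(value, str):
        found.update(a.lower() for a in ADDR_RE.findall(value))
        if value.startswith(BALANCE_OF) and len(value) >= 74:
            found.add("0x" + value[34:74].lower())  # last 20 bytes of the 32-byte argument
    elif isinstance(value, dict):
        for v in value.values():
            found |= addresses_in(v)
    elif isinstance(value, list):
        for v in value:
            found |= addresses_in(v)
    return found


def provider_view(requests):
    """Per client IP: addresses seen (accounts and the contracts they touch) plus a method histogram.
    Separate wallet accounts arriving over one connection collapse into a single profile."""
    view = defaultdict(lambda: {"addresses": set(), "methods": defaultdict(int)})
    for client_ip, body in requests:
        req = json.loads(body)
        view[client_ip]["methods"][req["method"]] += 1
        view[client_ip]["addresses"] |= addresses_in(req.get("params", []))
    return dict(view)
```

Running `provider_view(SAMPLE_REQUESTS)` shows the two "separate" accounts and the token they looked at filed under one IP, with no transaction ever sent.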

Privacy in web3 is a far cry from what it claims to be. We've mass-imported the same issues we wanted to avoid in Web 2.0 and left all our data in the hands of centralised, closed-source, black-box software that we have to trust won't be abused by these titans of industry.
