ConsenSys Data Retention Update
We are committed to protecting the privacy of people who use our products so that they will not—and, ultimately, cannot—be betrayed by yet another centralized entity. We’ve spent the last week digging into some of the issues that were raised as a result of our recent update and have some important clarifications, updates, and commitments regarding our policies and products, namely that:
- We do not store wallet account address information when a MetaMask user makes a “read” request through Infura, for example in order to check their account balances within MetaMask. We therefore can never associate wallet account addresses to an internet protocol (IP) address based on this type of user activity;
- We collect wallet and IP address information in connection with “write” requests, also known as transactions, when MetaMask users broadcast transactions through Infura’s RPC endpoints. The purpose of this collection is to ensure successful transaction propagation, execution, and other important service functionality such as load balancing and DDoS protection, as provided by Infura;
- IP addresses and wallet address data relating to a transaction are not stored together or in a way that allows our systems to associate those two pieces of data.
We are also making some updates to MetaMask to reinforce our commitment to user choice. While Infura is the pre-loaded default RPC provider when users install MetaMask, sometimes a user wishes to designate an alternate third-party RPC or self-host their own node. From a privacy perspective, we caution that these alternatives may not actually provide more privacy; alternate RPC providers have different privacy policies and data practices, and self-hosting a node may make it even easier for people to associate your Ethereum accounts with your IP address. Nevertheless, there are many good reasons why users may want to use different RPC configurations, in particular hosting their own nodes, and we have always believed that part of the value we offer is in the user’s right to exit our offerings. In the spirit of locking the web open and in response to some valid user concerns regarding the effectiveness of the prior design for this RPC configuration flow, we are pushing updates to make clear that MetaMask is intended to be built to maximize user agency.
Over the next week, we are beginning to roll out a new advanced settings page that users will see when onboarding to MetaMask. This will give all new users an opportunity to choose their own RPC providers at onboarding and to opt out of third-party services that are otherwise used to enhance the user experience. Ultimately, a user with the highest privacy requirements should be able to onboard to MetaMask without ever hitting a server they didn’t choose.
Further, we’ve identified the following issues as key open items our team is working on to further demonstrate our commitment to our users, and we will provide updates as soon as possible:
- We are redesigning the process for adding different networks to better promote user agency and, in particular, to reduce the friction around adding custom RPC endpoints. That friction stems from the inability to add user-specified alternatives for certain networks, which was caused by the design of EIP-3085: wallet_addEthereumChain and by our prior preference to prioritize mitigating phishing risk during an era when adding custom networks easily was novel. Now that this area has evolved, we will redesign the experience.
- In some instances, when a site suggests a user connect to a given chain through MetaMask, that selection would erroneously override the user’s RPC settings and default back to Infura as provider. A user’s personal data provider preferences should not revert to the default without the user expressly making that change.
- We are revising the custom RPC selection interface to make it more user friendly. We previously showed a grey question mark next to custom added RPCs in order to caution users against rogue or unknown RPC risks. We think this was overly cautious and are not intending to scare anyone away from using their chosen provider.