We recently updated the Consensys privacy policy hoping to clarify how two of our core products, MetaMask and Infura, interact from a data collection perspective when the Infura service is utilized as an RPC provider in MetaMask. These updates aimed to solely provide greater transparency on existing practices and did not describe a change in our business practices. The update ignited a variety of public and internal conversations around how we could better prioritize the privacy of MetaMask and Infura users.
We are committed to protecting the privacy of people who use our products so that they will not—and, ultimately, cannot—be betrayed by yet another centralized entity. We’ve spent the last week digging into some of the issues that were raised as a result of our recent update and have some important clarifications, updates, and commitments regarding our policies and products, namely that:
We do not store wallet account address information when a MetaMask user makes a “read” request through Infura, for example in order to check their account balances within MetaMask. We therefore can never associate wallet account addresses to an internet protocol (IP) address based on this type of user activity;
We collect wallet and IP address information in connection with “write” requests, also known as transactions, when MetaMask users broadcast transactions through Infura’s RPC endpoints. The purpose of this collection is to ensure successful transaction propagation, execution, and other important service functionality such as load balancing and DDoS protection, as provided by Infura;
IP addresses and wallet address data relating to a transaction are not stored together or in a way that allows our systems to associate those two pieces of data;
We retain and delete user data such as IP address and wallet address pursuant to our data retention policy. We are working on narrowing retention to 7 days and we will append these retention policies to our privacy policy in an upcoming update; and
We have never and will never sell any user data we collect. We use data strictly in adherence with the use limitations described in our privacy policy.
We are also making some updates to MetaMask to reinforce our commitment to user choice. While Infura is the pre-loaded default RPC provider when users install MetaMask, sometimes a user wishes to designate an alternate third-party RPC or self-host their own node. From a privacy perspective, we caution that these alternatives may not actually provide more privacy; alternate RPC providers have different privacy policies and data practices, and self-hosting a node may make it even easier for people to associate your Ethereum accounts with your IP address. Nevertheless, there are many good reasons why users may want to use different RPC configurations, in particular hosting their own nodes, and we have always believed that part of the value we offer is in the user’s right to exit our offerings. In the spirit of locking the web open and in response to some valid user concerns regarding the effectiveness of the prior design for this RPC configuration flow, we are pushing updates to make clear that MetaMask is intended to be built to maximize user agency.
Over the next week, we are beginning to roll out a new advanced settings page that users will see when onboarding to MetaMask. This will give all new users an opportunity to choose their own RPC providers at on-boarding and to opt out of third-party services that are otherwise used to enhance the user experience. Ultimately, a user with the highest privacy requirements should be able to onboard to MetaMask without ever hitting a server they didn’t choose.
Further, we’ve identified the following issues as key open items our team is working on to further demonstrate our commitment to our users and we will provide updates as soon as possible:
We are redesigning the process for adding different networks to better promote user agency, and, in particular, to improve the frictions that exist around adding custom RPC endpoints from the inability to add user-specified alternatives for certain networks caused by the design of EIP-3085: wallet_addEthereumChain and our prior preference to prioritize mitigating phishing risk during an era where adding custom networks easily was novel. Now that this area has evolved, we will redesign the experience.
In some instances, when a site suggests a user connect to a given chain through MetaMask, that selection would erroneously override the user’s RPC settings and default back to Infura as provider. A user’s personal data provider preferences should not revert to the default without the user expressly making that change.
We are revising the custom RPC selection interface to make it more user friendly. We previously showed a grey question mark next to custom added RPCs in order to caution users against rogue or unknown RPC risks. We think this was overly cautious and are not intending to scare anyone away from using their chosen provider.
We as a community have more work to do as we move toward greater empowerment and protection of end users and developers. We must continue to build higher quality tools and services that provide a wide spectrum of users the fullest and safest access to Web3. We often need to make difficult tradeoffs, typically prioritizing user security regarding fund loss, so your feedback is invaluable in helping us continually identify and improve our policies and how our products function. A vocal and passionate user base is a priceless gift for improving a product. Be on the lookout for the updates described in here, and for a more comprehensive redesign of our privacy policy in the coming weeks.
Media contact: [email protected]