“We are not using IP addresses even if they are being temporarily stored, which they don’t need to be, as we’re not using them for anything,” said Dan Finlay, MetaMask’s co-founder.
That follows GDPR-related revelations by ConsenSys, MetaMask’s parent company, that Infura will collect your IP address and ethereum address, which in effect links one to the other.
Infura is a node infrastructure provider and acts as the default node of MetaMask. When those defaults are used, therefore, MetaMask too will store your IP.
Micah Zoltu, an ethereum developer, says IPs are collected not just when you send a transaction, but also when you unlock – as in sign in to – MetaMask.
“As soon as you unlock your account, Infura will collect your IP address and all of your addresses. Also, when you connect a ledger it will send all of those addresses to Infura as well,” Zoltu said.
It’s just to batch requests, Finlay says, to render balances. “We are not doing anything malicious here, everyone is just projecting their worst fears,” he insists.
Finlay confirms that if another Remote Procedure Call (RPC) endpoint is used, like your own node, then MetaMask does not collect IPs.
Running your own node, however, can be a clunky process that requires more storage than an ordinary computer might have. But storage is cheap, and anyone who really wants complete privacy can run a node on a Raspberry Pi.
Or you can just run a VPN. For US cryptonians in particular, who are banned from some dapps and projects due to SEC restrictions, running a VPN should become common for general privacy.
Yet the majority will probably connect through their plain IP and through Infura rather than their own node. Finlay insists that even for those users the IP collection is accidental.
“Some software, including cloud infrastructure that we might use, may log by default without being obvious, so we need to disclaim that risk while we seek out and eliminate those,” he says. “Basically: assume if you hit a public server there’s a risk logs are happening, even accidentally.”
MyEtherWallet (MEW), however, has come out to say they do not collect IP addresses, claiming “we have never, and will never collect identifiable information from our users.”
MEW seems to run its own node infrastructure and has a browser extension called Enkrypt.
The code for Enkrypt is open source, so you can verify they don’t actually collect data, but the node infrastructure MEW runs is obviously not open source, so you can’t be certain.
The best option, therefore, is to run a VPN or connect to your own node. It has long been known that nodes can collect the IPs that connect to them, and this MetaMask affair is not a new state of affairs either, as Finlay says:
“We’re not [just] starting to [collect IPs], we’re actually trying to reduce any instances of cached PII. This was a GDPR compliance legal notice [that they collect IPs].”
This article was originally published at: https://www.trustnodes.com/2022/11/25/metamask-admits-they-temporarily-store-ip-addresses