Infura is to blame for MetaMask’s violation of the crypto spirit
Censorship resistance is the foundation of crypto, so for many cryptocurrency purists, the Nov. 23 announcement by ConsenSys, the New York-based company behind the leading Ethereum browser wallet, informing its 20 million MetaMask users that their IP and wallet addresses would be collected was simply a gross violation of the crypto spirit.
In the weeks that followed, ConsenSys first reacted by saying the data collected would only be retained for seven days and then that it had updated the MetaMask features to allow users to opt out of Infura. However, the question remains: Have they done enough to establish crypto resistance?
While many may be OK with MetaMask tracking users’ wallets and IP addresses, many more of us are not because blockchain is supposed to be about decentralization and giving people the power to control their data and their finances without intermediaries — such as banks and governments.
For the sake of a healthy debate, let’s say we are fine with MetaMask tracking users’ wallets and IP addresses in certain acceptable instances. One such instance could be a malicious attack, where the information gathered by the Infura protocol could help track down the criminals involved.
Perhaps, more importantly for ConsenSys, the “spying” could have more to do with official regulations, such as Know Your Customer laws, Anti-Money Laundering laws and laws against financing terrorism.
However, the reasoning behind the decision to “spy” or end MetaMask user privacy features is highly concerning — and even a bit frightening — because it clearly contravenes the crypto spirit.
Control and ownership back to users
The crypto spirit centers on putting people back in control of their assets, so they can do what they wish with them when they wish, and on giving them ownership over their data, so they can participate in the decentralized economy, such as the machine economy, by monetizing their information.
Infura is mainly to blame for violating the crypto spirit by tracking users’ IP and Ether (ETH) wallet addresses while advising MetaMask’s users to spin up a whole new Ethereum node or to use a different node provider if they are so concerned over Infura’s intrusions.
So MetaMask says “Just don’t use Infura” – so let’s see how easy MetaMask makes it to “not use Infura”.
Part 1 – Installation:
The first two screens are straightforward here. They seem to provide a clear privacy policy, that’s good. pic.twitter.com/9HqLo4h18U
— Chase Wright (mysticryuujin.eth ) (@mysticryuujin) November 25, 2022
Suppose Infura (or any other API provider) holds users’ IP and ETH addresses. In that case, it can quickly locate the user’s home and tie it back to all the ETH assets and on-chain transactions users have made. That is quite scary.
Contradictory intrusions
That raised a fascinating debate among the crypto community. While the Ethereum blockchain provides censorship resistance, API providers such as Infura, which provide access to the Ethereum blockchain, are, contradictorily, not obligated to be censorship resistant.
That represents a considerable risk for users of MetaMask or, for that matter, any other wallet that uses these Ethereum API nodes, because it makes them vulnerable to censorship without any prior notification or warning.
And then came Alchemy and MyEtherWallet, which tried to “cash in on MetaMask users’ concerns,” only to surface as two crypto wallet solutions that also track user data.
It is true that anyone can send Bitcoin (BTC) to anyone — even if the police or government doesn’t approve. However, if BTC were not censorship-resistant, those authorities could seize or block that Bitcoin. Crypto was created with censorship resistance in mind because we need and cherish our right to privacy.
It is also ironic. Blockchain developers have racked their brains to design the chain to be censorship resistant. However, the API node provider “hijacks” the original intention and silently changes it, and all the while, the potential victims — users — are not informed of the modifications.
In light of Infura’s violations of the “crypto spirit,” here are two considerations.
Crypto enthusiasts should continue monitoring API providers and notifying communities when they behave unethically
- Monitoring from the public is required, as done by the two whistleblowers via their Twitter accounts.
- MetaMask and other wallets must inform users immediately and clarify the terms of their privacy. For example, they should tell users they are using Infura, which does not ensure their privacy 100%. That, arguably, was not done properly or in a sufficiently overt manner in November.
- Builders of decentralized applications (DApps) should be responsible for notifying people that an API node in use is not secure or censorship-resistant to raise awareness.
What type of technology can address this concern soundly?
- API node-as-a-service makes it simple for non-tech users to spin up API nodes for their wallets. That should be as easy for users and developers alike as purchasing a VPN service.
- In math we trust. Technology always fights for freedom on behalf of people. Ethereum co-founder Vitalik Buterin recently posted an “Incomplete Guide to Stealth Addresses.” Stealth addresses do not require new technology, and if implemented on Ethereum, they would partially address the privacy violation concerns raised by Infura. People can still locate a user’s house using Infura, but not their on-chain transactions or assets.
Raullen Chai is the co-founder and CEO of IoTeX. He previously worked for companies including Google, Uber and Oracle. He holds a Ph.D. from the University of Waterloo, where his research focused on designing and analyzing lightweight ciphers and authentication protocols for the Internet of Things. At Google, he led security initiatives for its technical infrastructure, including the mitigation of SSL attacks, privacy-preserving SSL offloading and enabling certificate transparency for all Google services. He was also the founding engineer of Google Cloud Load Balancer.
This article is for general information purposes and is not intended to be and should not be taken as legal or investment advice. The views, thoughts and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.