ConsenSys faces backlash for collecting users’ data via MetaMask

In an update to its privacy policy, ConsenSys informed users that MetaMask collects their IP addresses and Ethereum wallet addresses via Infura RPC, sparking controversy in the crypto community.

ConsenSys, a software company that owns both MetaMask wallet and blockchain infrastructure provider Infura, announced new changes to its privacy policy, prompting an immediate backlash from its 20 million user base and crypto privacy advocates.

“When you use Infura as your default RPC provider in MetaMask, Infura will collect your IP address and your Ethereum wallet address when you send a transaction,” the new privacy policy reads. “However, if you’re using your own Ethereum node or a third-party RPC provider with MetaMask, then neither Infura nor MetaMask will collect your IP address or Ethereum wallet address.”

The acronym RPC stands for Remote Procedure Control, a software protocol that enables communication between blockchain nodes. As an infrastructure provider, Infura runs blockchain nodes on behalf of MetaMask users — when they make a transaction, it defaults to Infura, which in turn broadcasts it on the blockchain.

Since data is only collected via Infura, users concerned with their privacy might opt for alternative RPC providers, such as Alchemy, Moralis, Ankr, QuickNode, or Tatum. However, one should keep in mind that third-party services may collect sensitive information as well, so it’s always advised to read through their privacy policies — and monitor them for subsequent changes.

Obviously, the controversial update wasn’t met with enthusiasm from the crypto community — quite the contrary, many expressed their disapproval of ConsenSys’ decision, while some announced their departure from MetaMask in favor of safer alternatives.

“I don't think it's reasonable for people to get pissed at centralized infra providers collecting more data and potentially censoring. This tech was *always* geared toward running your own infra and we're gonna see that put to the test,” Gabriel Shapiro, general counsel at Delphi Labs, opined on Twitter, implying the growing need for self-hosting solutions.

“You can't expect people to potentially go to jail for you b/c you couldn't be bothered to gain the needed technical skills,” he added.

“There is nothing more important than consumer privacy, especially when it comes to your financial data - you have a right to be anonymous. Metamask has provided a great free service for a long time, but their decision to log IPs and tie it to transactions is unacceptable,” tweeted Adam Cochran of Synthetix and Yearn Finance.

Meanwhile, MetaMask founder Dan Finlay took off to Twitter to explain that the wallet never uses IP addresses, just stores them temporarily.

“I think we can get this fixed soon. We are not using IP addresses even if they are being temporarily stored, which they don't need to be, as we're not using them for anything,” he wrote.

“Yeah I don't think it'd be even proper for me to try to amplify a message undermining a legal policy. I'm personally saying I think we'll change this, I am personally saying I believe we are not using IPs, so I think this is plausible to correct soon. We'll just take the hit,” Finlay added.

Earlier this week, Uniswap also found itself under fire after announcing that it collects some user data to improve user experience. However, DEX’s privacy policy clearly states that it doesn’t collect personal information, such as names, emails, addresses, and IPs.

“That includes public on-chain data and limited off-chain data like device type, browser version, etc. Because Uniswap Labs does not collect personal data, any vendors we work with do not have any personal data either,” the blog post by Uniswap Labs affirmed.