December 14, 2022

WTF? MetaMask Is Collecting Your Data: What You Need To Know & Do About It

GM web3 explorers! 

Infura, the default blockchain access tool that ConsenSys uses in their popular crypto wallet, MetaMask, recently announced that they’d be collecting your data. 

But wait, isn’t web3 supposed to be about privacy and data ownership? 🤔

While these values are part of the web3 ethos, it doesn’t mean that every company in the space will follow them to a tee. It also doesn’t mean that all forms of data collection are bad, some data can improve application UX without storing sensitive information. 

So to get a clearer picture of what this announcement means, we invited Arthur Sabintsev, the Chief Operating Officer at Pocket Network, to this week’s DOer Spotlight. 

In this edition, we chat about: 

  • The role Infura and other RPC (don’t worry we’ll break this acronym down) providers play in web3 🔗

  • What Pocket Network is and how it’s different from Infura 💪

  • Why companies collect user data in the first place and what the future may hold for data privacy 👀

Let’s dive in! 


🤝 Together With Lens: The Evolution of Social Networking 👀


So What Happened and What Does It Mean for MetaMask Users?

A couple of weeks ago, ConsenSys (who owns Infura and MetaMask) announced that they’ll begin collecting user data through Infura, the default RPC provider for MetaMask.

This data may include:

  • Identity information, such as names and birth dates

  • Profile information, such as your username and interests

  • And financial data, such as transactions and payment details

This had Crypto Twitter up in arms since some core ethos’ of web3 include privacy and sovereignty. 😡

But before we dive into what this announcement means, here are a few definitions: 

  • Remote procedure call (RPC): An RPC is effectively a request from an application, such as a wallet, that says, “Hey I’m trying to read data from the Ethereum blockchain at this particular time.” 

  • Nodes: Nodes are essentially machines that stay up to date with the latest blockchain state. They keep a real-time worldwide copy of blockchain data. 

  • RPC provider: An RPC provider is the organization that maintains this “data highway” and allows users to interact with blockchains. You can think of RPC providers like the barista at Starbucks, but instead of serving coffee, they serve different types of information. We need these because it’s expensive, time-consuming, and difficult to set up blockchain nodes. 

  • RPC endpoint: An RPC endpoint is similar to a node’s address (the URL that applications use to request data). 

  • Logging practices: This refers to the collection of information whenever you interact with the internet. For example, if you visit Facebook, your internet browser will collect data that may include the device you used, what day it was, and more. These applications will then either discard or store the information. 

Now, data collection isn’t something new. Web2 tech companies have built their entire business models on logging information and selling that information to advertisers.

For example, Google collects our locations, and search history (deleted history as well), and can even build advertising profiles around our height, weight, income, and other private information.  

But many web3-natives believe that the space should be free of (or at least minimize) data collection—unless users themselves oblige.

So here’s what ConsenSys’ announcement means for MetaMask users. 

If you use MetaMask without changing any settings, it defaults to using the Infura gateway to connect to the Ethereum blockchain, meaning they can collect your IP and wallet address, and other personal information. 

So, like Google, Infura can begin creating user profiles that can include data, such as how much money you earn, potential hobbies and interests, and where you live. 

Depending on the state of your IP address, Infura may even be able to pinpoint your street! 😲

Now, Infura collecting user data isn’t automatically a bad thing and we’re not sure what they’re going to do with this data. They shared that they won’t be selling it (but anything can change in the future). 

Why Companies Collect User Data

This whole announcement begs the question, why do companies need to collect user data? 

For some, such as Facebook, it’s their main source of revenue since advertising contributes well over 90% of the company’s total revenue. 

But what about Infura? Their business model doesn’t rely on advertising! 

Well, this is speculation, but some potential reasons for Infura doing this could include: 

  • They’re anticipating upcoming compliance and regulation.

  • They could want to sell data in the future. 

  • Some governments might be asking for specific information as a follow-up to another issue.

  • They are using the data to improve their service.

Or maybe they’re just taking pre-emptive measures to protect themselves. 

A similar discussion was sparked when decentralized exchange, Uniswap, recently began collecting some off-chain data such as users’ device type or browser, saying that the move was aimed at improving user experience.

Uniswap said the data collection did not include other forms of personal information, such as the user’s first or last name, full address, date of birth, email address, or IP address.

Now, it’s common for apps to collect some data because organizations base their product updates on how people actually use it. So from Arthur’s point of view, he doesn’t see these companies collecting data as a bad thing in and of itself, and it’s a common practice when improving UX.

But when apps sell our data then that’s a different story. Even though these apps may not sell user data today, there’s always a chance that they could in the future. 

So as we build web3, we need to prioritize the tough conversations and encourage everybody in the space to be thoughtful about the decisions we make. 

Because right now, we’re building the infrastructure layer that everything else will use in the future. And when we get to that stage, changing course may be too late. 

Now, if you’re worried about your personal data, the good news is that using Infura (or other RPC providers that collect data) isn’t your only choice.

At Web3 Academy, we think it’s a good idea to protect your data privacy and if you agree, it’s pretty simple to make the switch to an RPC provider like Pocket Network

👉 Check out this quick video to learn how to decentralize your MetaMask wallet.


🟣 SOCIALS

Tweet of the Week


What Pocket Network Is and How It Differs From RPC Providers Like Infura

Pocket Network provides an RPC gateway—like Infura—but they facilitate data transactions without collecting user data.

Pocket Network consists of three organizations: 

  • Pocket Network Inc., a centralized company that’s building the Pocket Network L1 blockchain. 

  • The Pocket Network DAO which steers the organization through governance proposals.

  • The Pocket Network Foundation which acts out decisions from governance votes.

And in the interest of transparency, Pocket Portal (their API gateway) is centralized by Pocket Network. 

But as the RPC provider becomes more established, they plan to decentralize the blockchain fully in 2023 and become a public good. 

Now, the reason Pocket Network differs from other RPC providers is that when you enter Pocket’s gateway, they take your traffic and send it through a node that isn’t owned or operated by Pocket. 

Unlike other RPC providers (such as Quicknode, Moralis, Infura, etc.) who own all the nodes in their network, Pocket only owns a small share. 

Instead, they incentivize node runners to join the Pocket Network through token distributions based on the requests they process, helping to decentralize the blockchain.

So if you want to read data from Ethereum, you can use Pocket’s RPC endpoint to request it. Then Pocket’s gateway will randomly select a node that is somewhere close to you in the world (for speed and service quality) and deliver the data to you. 

And they do this without collecting sensitive information. For example, Pocket Network will use your IP address to find the closest node, but instead of storing this data, they eject it straight away. 

But why has Pocket Network gone down this route? 

The purpose of Pocket Network’s blockchain is to become base layer infrastructure—like the different protocols that run the internet that most people have never heard of. And they believe that all of these centralized RPC providers (Infura, Moralis, etc.) will eventually want to offload some or all of their traffic to Pocket’s decentralized network of providers. 

On top of this, they believe that as more people begin to value data privacy and sovereignty, decentralized RPC providers will become the norm. 

So how exactly does Pocket Network use and collect user data? 

What they do store is the node that interacted with the request and the region of the world that the request came from so that they can debug any issues that may come up. 

They also log the result of the request. Did it succeed or fail? If it failed, why? 

With this data, they can see, for example, that the nodes in Singapore are performing slowly. But Pocket won’t know if a specific IP address interacted with the node or anything specific about where a person’s request is coming from. 


🤝 Together with Unlock Protocol: Create Memberships and Subscription NFTs in Minutes!


The Future of Data Privacy in Web3 

Data privacy is one of the hottest topics at the moment because, since the beginning, web3-natives have always pushed for ownership over their own data. 

But as the industry grows and organizations aim to stay competitive, data collection is one of the most powerful ways to understand your user base. 

The question is where does the line get drawn between improving UX and protecting users? 

Arthur believes that there’s always going to be some level of data collection on the internet, but it’ll differ depending on who’s running the organization and where it’s located. For example, some of Arthur’s friends had to download a tracking app to be able to attend the World Cup in Qatar. 

So if someone starts a web3 company there, they may be required to collect data because of the government. 

Uniswap and Infura could have also been advised to start collecting user data because of their size. From the outside looking in, it’s difficult to tell. 

But what we do know is that Pocket Network doesn’t store potentially sensitive information because they’re not trying to upsell or resell users. They’re just trying to capture traffic and create a public good.

Regardless, we’re at an interesting inflection point where these foundational questions come up regarding the way we’re building this infrastructure. 

Where do you draw the line with personal data collection? Let us know in our Web3 Academy Discord server!


🟣 FOR THE DOERS

READ

Now that you know web3 companies can collect user data, find out if Web3 is Decentralized and Censorship Resistant.

FOLLOW

Ensure you don’t miss out on Raul’s shitposting by following Web3 Academy on Twitter!

WATCH

Make sure you check out this short video on Decentralizing Your MetaMask Wallet.