Several outlets and crypto programmers have pointed out for a year or more that MetaMask, by default, broadcasts your Ethereum public key (address) to websites you visit. The assumption is that this is a privacy vulnerability – most sites have no need for such information, after all.
The Next Web’s David Canellis writes:
“Sharing Ethereum addresses with any tracking service that requests it is certainly a little unsettling, but there are wider implications. Think of your Ethereum address as a unique identifier, you want to keep it separate from the rest of your online footprint at all times.”
I question this logic. Public addresses are public for a reason. Indeed, the information should only be available on request, which is why MetaMask created privacy mode. However, the actual next web – the blockchain-enabled internet – is going to require wallets like MetaMask, Scatter, and TronLink.
More and more websites are going to have uses for the data these extensions can provide. Public keys can be used for more than just sending money. Signatures can be granted. You know how you grant all those sites permission to store cookies by clicking a button? Compare that to a cryptographically secure signature, in a legal sense.
Personally, I look forward to the day that some form of cryptocurrency will be in use nearly everywhere I visit on the web. Not in a way that makes the web more expensive, but in a way that makes it more vibrant. We’re closer than you might think.
MetaMask critics don’t do much to justify why it’s such a bad thing if an advertiser knows your public address. Let’s consider the actual risks.
If you’re a public person, advertisers may be able to figure out who you are, and target ads at you. Or, worse, sell your data – complete with your MetaMask Ethereum activity – to interested parties.
Simply having MetaMask installed and activated already puts you in a certain bucket of targeted advertising. However, I’d assume that most people who would be concerned about their public address would already use an ad blocker. As much as I have a disdain for ad blocking, it’s exactly this type of invasive advertising it’s designed to prevent.
If you happen to have a lot of money in your wallet, and the tracker figures that out, they may know you’re more well-to-do, and target ads based on that. They might learn what kind of games and tokens you’re interested in, based on your holdings.
MetaMask also allows the integration of hardware wallets. A dedicated snoop might figure out a lot about your finances by studying your transaction history.
All of which presupposes that advertisers are tracking such information at this point. But Ethereum, like all of the blockchain ecosystem, is still a relatively small subset of the global internet.
In this space, we firmly believe that it’s one of the many technologies that will make up the next version of connected humans and devices. Instant, unmediated access to money and transactions will be a reality.
By the week, it seems like it will happen within my lifetime. I’m continually impressed at the freedom granted by these blockchains.
Freedom and privacy go hand in hand. However, as Canellis’ article points out, the main reason MetaMask doesn’t enable privacy mode by default is that it breaks some decentralized applications.
MetaMask integrated an update to limit “message broadcasting.” You can easily enable privacy mode by clicking the top-right icon and going into settings. The page looks like this:
I’ve enabled it for this article. But I don’t want to break the behavior of decentralized applications I use, so I’ll disable it now.
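Why privacy mode breaks some decentralized applications, and what a site has to do to keep working, shown as an added example that is not code from MetaMask or from this article. It assumes the standardized provider interface (`request` with `eth_accounts` and `eth_requestAccounts`, per EIP-1102 and EIP-1193); the mock provider, the function names and the sample address are constructed for illustration.

```javascript
// Constructed mock of an injected wallet provider (not MetaMask's code).
// privacyMode=false: any page can read the address; true: only after approval.
function makeMockProvider({ privacyMode, userApproves }) {
  const address = '0x0000000000000000000000000000000000000001'; // constructed sample
  let approved = !privacyMode;
  return {
    async request({ method }) {
      if (method === 'eth_accounts') return approved ? [address] : [];
      if (method === 'eth_requestAccounts') {
        if (!approved && !userApproves) {
          // EIP-1193 error code for "user rejected the request"
          throw Object.assign(new Error('User rejected the request'), { code: 4001 });
        }
        approved = true;
        return [address];
      }
      throw Object.assign(new Error('Unsupported method'), { code: 4200 });
    },
  };
}

// Passive read: never prompts. An empty result means "not connected",
// which a dApp must treat as a normal state rather than an error.
async function readAccountsPassively(provider) {
  return provider.request({ method: 'eth_accounts' });
}

// Explicit connect: call only from a user action such as a "Connect wallet" button.
async function connectWallet(provider) {
  try {
    const accounts = await provider.request({ method: 'eth_requestAccounts' });
    return accounts.length > 0 ? accounts[0] : null;
  } catch (err) {
    if (err.code === 4001) return null; // user declined: keep the site usable
    throw err;
  }
}

async function demo() {
  const legacy = makeMockProvider({ privacyMode: false, userApproves: false });
  const priv = makeMockProvider({ privacyMode: true, userApproves: true });
  const declined = makeMockProvider({ privacyMode: true, userApproves: false });
  return {
    legacyPassive: await readAccountsPassively(legacy),
    privatePassive: await readAccountsPassively(priv),
    afterConnect: await connectWallet(priv),
    afterDecline: await connectWallet(declined),
  };
}
```

A dApp that assumes the passive read always returns an address is the kind that stops working once privacy mode is on.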
In general, I think it’s bad practice to use the same browser for dApps that you use for everything else, at least at this point. I use Firefox for everything, but when I want to use Tron or EOS or Ethereum on the web, I open up Chrome. You can have a separate profile in Chrome, allowing you to basically have a dApp browser.
As one of the first people to write on the subject noted:
“Instead, you should try to separate your web3 activity from the rest of your browsing activity. Chrome and Chromium browsers make it really easy to create separate browser profiles. These profiles keep almost everything about your browsing experience separate.”
If you’re upset about the privacy implications of MetaMask at this point, you have alternatives. Scatter and Scatter Desktop are extremely advanced options that allow you to use more than one blockchain.
Last modified: January 10, 2020 3:11 PM UTC