With One Simple Update, Now MetaMask Will Know Where You Live

Once they know where you live, you’re done.

With one simple update, the privacy of millions is suddenly at stake. It is that serious.

Just when you thought that Crypto couldn’t set another negative standard, a Crypto company has set yet another very dangerous precedent.

Infuriatingly, the perpetrators low-key “announced” the decision by updating their privacy policy agreement, knowing that 99% of their users won’t ever read the document.

They don’t want you to know because it will make millions of users like yourself run away.

From now on, you should know that by using it you’re putting your privacy at stake.

So, what’s going on?

Well, in simple terms, MetaMask is no longer safe to use if you want to protect your privacy.

MetaMask, a story of success… for now

MetaMask is one of Crypto’s most successful products.

Created by ConsenSys, MetaMask is the main self-custody product in the market today for the Ethereum blockchain.

Moreover, MetaMask is the most used Crypto wallet for the Ethereum blockchain.

The problem?

Up until today, besides the known risks of using hot-storage solutions, MetaMask was one of the best options to participate in the Crypto economy while remaining in control of your cryptocurrencies and with all the privacy guarantees you need.

Until now.

But before we look at where the problem is and why MetaMask is no longer safe from a privacy standpoint, we need to understand…

What really is a “Crypto wallet”?

What is a Crypto wallet

In very simple terms, a Crypto wallet is software that allows you to interact with blockchain-based applications, also known as dApps.

Despite the term ‘dApp’, from a front-end perspective you access dApp interfaces the same way you do any other web application: with your web browser.

The difference?

To use a blockchain-based application, in case you want to participate in the underlying economy, you need access to cryptocurrencies.

And a Crypto wallet allows you to store those cryptocurrencies and transact with them in said decentralized applications.

But why are web-based solutions like MetaMask so popular?

As cold storage wallets (much safer solutions that store your coins offline) aren’t as intuitive as a literal Chrome web extension that you install in seconds, using it is a no-brainer for someone with no technical background who’s starting in the industry, much like using centralized solutions like FTX… and we all know how that ended.

But why are people knowingly trading security for ease of use?

Because using blockchains is hard, really hard.

And MetaMask reduces the complexity gap so much that it’s irresistibly tempting to embrace.

Therefore, if MetaMask is obviously such a great product, what’s the deal?

As in almost any recent scandal in Crypto, the problem is simple: MetaMask is owned by a centralized company, a centralized company that has been forced to f*ck up its product badly.

But how?

MetaMask will now collect IP addresses. Yep, you read that right.

In the “super decentralized” world of blockchain, now using MetaMask’s default configuration will get you tracked, suddenly having all your transactions linked to your very own, easily traceable, IP address.

But have they f*cked up completely?

No, but almost.

Your IP address will only be tracked if you use the default RPC application, the ConsenSys-owned Infura.

But the problem here is the keyword ‘default’.

As I described earlier, MetaMask users are mainly non-technical, which means that they won’t be using an alternative RPC application, let alone know what the f*ck that is.

Hence, to understand the extent of the ‘f*ck-up’ and how you can prevent it, we need to understand how MetaMask works behind closed doors.

MetaMask and RPC nodes

One of Crypto’s bottlenecks, without question, is node requirements and complexity.

But what is a node?

A node is the blockchain term for server; these elements are the quintessential piece in a blockchain network.

The sparsity of your node network determines how decentralized you are, and how decentralized your blockchain is determines whether the blockchain you’re using is actually legit or a pile of rubbish.

Sadly for Crypto, nodes are expensive to run and complex to set up. It’s simply not an option today for a user who is non-technical or doesn’t have millionaire status.

Which is almost all of us, basically.

Actually, it’s not a feasible option even for front-end blockchain developers, who simply want to focus on writing smart contracts and creating actual features for users to use.

And much in the same way that cloud computing allows companies to run their IT systems with almost zero effort, node providers like Infura eliminate the complexity of creating and running a node, becoming a super popular solution to get you going in Crypto.

But what is an RPC application?

An RPC (Remote Procedure Call) application like Infura is the element that allows any decentralized application, including MetaMask, to interact with a blockchain.

By providing you with an endpoint (a point of connection) it allows your application to perform actions on the blockchain. In other words, it’s what allows smart contracts and other elements to connect to a blockchain.

Technical note: If you’re familiar with IT systems, it’s basically the API that allows you to perform actions on the blockchain.

Additionally, if you’re wondering why it’s an RPC-based API and not the common REST standard, it’s simply because RESTful APIs are resource-focused and ideal for performing CRUD requests, while RPC-based APIs are ideal for actions, a much more common need in blockchains.

Consequently, as these node providers are an essential element to communicate with a blockchain, they have immense power to collect user data, or even censor transactions.
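To make the data-collection point concrete, here is an added example (not from the original article, MetaMask or Infura) of what an RPC provider's front end can correlate: every JSON-RPC call arrives over HTTP with a source IP, and standard methods such as eth_getBalance carry the wallet address in their parameters. The IPs, addresses and the function name linkAddressesToIps are constructed for illustration.

```javascript
// Constructed sample of requests as an RPC provider's HTTP front end sees them.
// IPs come from documentation ranges; addresses are made-up placeholders.
const ADDR_A = "0x" + "a1".repeat(20);
const ADDR_B = "0x" + "b2".repeat(20);

const sampleRequests = [
  { ip: "203.0.113.7", body: { jsonrpc: "2.0", id: 1, method: "eth_getBalance", params: [ADDR_A, "latest"] } },
  { ip: "203.0.113.7", body: { jsonrpc: "2.0", id: 2, method: "eth_call", params: [{ from: ADDR_A, to: ADDR_B, data: "0x" }, "latest"] } },
  { ip: "198.51.100.23", body: { jsonrpc: "2.0", id: 1, method: "eth_getTransactionCount", params: [ADDR_B, "latest"] } },
  { ip: "198.51.100.23", body: { jsonrpc: "2.0", id: 2, method: "eth_blockNumber", params: [] } },
];

// Standard Ethereum JSON-RPC methods and the parameter that names the account
// the wallet is asking about (or acting as, for the `from` field).
const ACCOUNT_PARAM = {
  eth_getBalance: (p) => p[0],
  eth_getTransactionCount: (p) => p[0],
  eth_call: (p) => p[0] && p[0].from,
  eth_estimateGas: (p) => p[0] && p[0].from,
};

// Returns Map<ip, sorted array of addresses seen from that ip>.
// This is an inference, not proof of ownership: a wallet polls its own
// accounts constantly, so repeated lookups from one IP are a strong signal.
function linkAddressesToIps(requests) {
  const seen = new Map();
  for (const { ip, body } of requests) {
    const calls = Array.isArray(body) ? body : [body]; // JSON-RPC allows batches
    for (const call of calls) {
      const pick = ACCOUNT_PARAM[call.method];
      const addr = pick && pick(call.params || []);
      if (typeof addr !== "string" || !/^0x[0-9a-fA-F]{40}$/.test(addr)) continue;
      if (!seen.has(ip)) seen.set(ip, new Set());
      seen.get(ip).add(addr.toLowerCase());
    }
  }
  return new Map([...seen].map(([ip, set]) => [ip, [...set].sort()]));
}

for (const [ip, addrs] of linkAddressesToIps(sampleRequests)) {
  console.log(ip, "->", addrs.join(", "));
}
```

No payload decryption or chain analysis is involved: the link falls out of ordinary request logs, which is why the choice of RPC endpoint matters.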

So, the fact that Infura is owned by ConsenSys means that they are much more likely to be pressured by regulators to collect user data and enforce KYC/AML regulations upon Crypto.

But changing your RPC application is not an option for someone who doesn’t even know what an RPC is, let alone an API.

And that’s where the problem resides: that ‘someone’ represents the majority of MetaMask users, which inevitably means that the majority of MetaMask customers will now be tracked without them even knowing.

Decentralized and private my ass.

Many foresaw we had this coming, but what can the Crypto industry do to prevent such attacks on privacy?

The answer is onions

All of Crypto’s other solutions rely, one way or another, on privacy.

But what does that mean?

It means that Crypto really won’t make it that far if we lose privacy, or if we lose anonymity.

But if you’re a common reader of my articles, I know what you’re thinking.

As I’m a great advocate for decentralization, you already have the answer to this issue.

Decentralized RPCs… right?

Using decentralized RPCs

Using decentralized RPCs wouldn’t necessarily solve the problem.

Yes, a DAO-ruled protocol is much harder for regulators to pressure, as there isn’t a single entity governing the actions of the RPC.

But as with many things in life, decentralization isn’t necessarily always the answer. We’ve already seen how Maker’s DAO is in a tumbling situation, to say the least.

DAOs make the underlying systems difficult to govern or predict, as there isn’t a single source for decision-making. And, as we’ve seen, DAOs are being put into question lately for their feasibility.

Doesn’t seem like the perfect option at this moment in time.

Luckily, some have outlined an alternative solution, network-layer anonymity.

The power of onions

Many are advocating for full-on security at the transaction level. Absolute zero-disclosure.

But, hold on a minute, we already have public-key data encryption, right?

We’re safe!

Well, no, we aren’t.

Data encryption ensures confidentiality, in the sense that no one besides the receiver of the message will be able to see the message.

But the fact that your wallet made the transaction is visible and public.

What we are searching for is anonymity, and anonymity is a totally different thing, where no one can see that a wallet actually made a transaction.

The solution?

Onion routing.

Onion routing is a concept developed by the US Naval Research Laboratory in the mid-1990s and used by popular security-focused web browsers like Tor. It allows for almost completely anonymous network communication.

The problem with this solution?

Regulators aren’t going to love it. A fully-anonymous transaction network will make detecting crime very, very hard. And that’s not an option, we can’t let criminals launder money that easily.

In my opinion, every time I have to deal with an event like this, almost always the answer is very clear to me.

Decentralization.

The complex world of decentralization

But not at the RPC level.

We shouldn’t be needing centralized RPCs to make Crypto work. We need to reduce node requirements, both at the economic and complexity levels, so that anyone, anywhere, can provide a node to the system.

With that, we kill two birds with one stone: we increase decentralization, making our network more secure, and we remove the need for centralized RPCs, avoiding censorship and privacy attacks.

But is this feasible?

One way or another, this event just proves how hard it is to create a fully-decentralized system.

In fact, it makes it almost an unfathomable achievement. And this potential unfeasibility begs the question:

If we fail to protect our privacy in Crypto, will Crypto still become the disruptor many claim it to be?

In my opinion, no, and this represents an extra nail in the coffin of Crypto if we don’t deal with it soon.

A final word

If you enjoyed this story, subscribe to my newsletter, where I deep dive into complex innovation topics in a way that anyone can understand and leverage.
